
IP Interface ACLS, and CEF "receive" adjacencies

tbowlby1980
Level 1

Hello,

In regards to configuring an SVI with ip address 10.10.10.1 and applying the following ACL inbound:

"permit ip 10.10.10.0 255.255.255.0 any"

Would ICMP packets destined to the SVI be forwarded for an ACL lookup, or, since this is a "receive" adjacency in CEF and it's traffic destined to the control plane, then would only rACLs or CoPP be needed for protection?

Please let me know and I can clarify further.

Thank you

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Thomas,

The ACL will process ICMP packets destined to the SVI and it will allow them.

But you need to write it using a wildcard mask:

permit ip 10.10.10.0 0.0.0.255 any

You can test using a modified version of the ACL:

! first entry counts ICMP from the subnet to the SVI address
access-list 111 permit icmp 10.10.10.0 0.0.0.255 host 10.10.10.1
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
int vlan 10
 ip address 10.10.10.1 255.255.255.0
 no shut
 ip access-group 111 in
!

Attempting to ping 10.10.10.1 should work, and you should see the counters increasing in the first line of ACL 111 with:

sh ip access-list 111

CoPP is smarter, and it can introduce a rate-limiting action to protect the CPU.

Hope to help

Giuseppe
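
The wildcard-mask correction and the hit-counter test from the answer above, modelled as an added example (not part of the original post and not Cisco code). It assumes, as the answer states, that the inbound ACL is evaluated for packets addressed to the SVI; the packets and helper names are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wc_match(addr, base, wildcard):
    # IOS wildcard semantics: a 1 bit means "ignore this bit", a 0 bit must match.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")   # keyword "any"

def host(addr):                         # keyword "host <addr>"
    return (addr, "0.0.0.0")

# ACL 111 as given in the answer (all entries are permits).
ACL_111 = [
    ("icmp", ("10.10.10.0", "0.0.0.255"), host("10.10.10.1")),
    ("ip",   ("10.10.10.0", "0.0.0.255"), ANY),
]
# The entry from the question, with a subnet mask in the wildcard position.
ACL_SUBNET_MASK = [("ip", ("10.10.10.0", "255.255.255.0"), ANY)]

# Constructed sample packets: (protocol, source, destination).
PACKETS = [
    ("icmp", "10.10.10.25", "10.10.10.1"),   # ping from the VLAN to the SVI
    ("tcp",  "10.10.10.25", "192.0.2.80"),   # transit traffic from the VLAN
    ("icmp", "10.10.20.7",  "10.10.10.1"),   # source outside 10.10.10.0/24
    ("udp",  "172.16.5.0",  "192.0.2.53"),   # last octet 0, unrelated network
]

def evaluate(acl, packets):
    """First-match evaluation; returns (per-entry hit counters, implicit denies)."""
    hits, denied = [0] * len(acl), 0
    for proto, src, dst in packets:
        for i, (p, s, d) in enumerate(acl):
            if p in ("ip", proto) and wc_match(src, *s) and wc_match(dst, *d):
                hits[i] += 1
                break
        else:
            denied += 1            # no entry matched: implicit "deny ip any any"
    return hits, denied

if __name__ == "__main__":
    print("ACL 111:         ", evaluate(ACL_111, PACKETS))
    print("subnet-mask form:", evaluate(ACL_SUBNET_MASK, PACKETS))
```

With the subnet mask in the wildcard position, the entry ignores the first three octets and requires the last octet to be 0, so hosts in 10.10.10.0/24 fall through to the implicit deny while an unrelated source ending in .0 is permitted.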

Hello Giuseppe,

I'm in the process of testing this today and really appreciate the feedback.

Thank you
