10-02-2009 08:49 PM - edited 03-06-2019 07:58 AM
Hello,
In regards to configuring an SVI with ip address 10.10.10.1 and applying the following ACL inbound:
"permit ip 10.10.10.0 255.255.255.0 any"
Would ICMP packets destined to the SVI be forwarded for an ACL lookup, or, since this is a "receive" adjacency in CEF and it's traffic destined to the control plane, would only rACLs or CoPP be needed for protection?
Please let me know and I can clarify further.
Thank you
10-03-2009 01:45 AM
Hello Thomas,
The ACL will process ICMP packets destined to the SVI and it will allow them.
But you need to write it using a wildcard mask:
permit ip 10.10.10.0 0.0.0.255 any
You can test using a modified version of the ACL:
access-list 111 permit icmp 10.10.10.0 0.0.0.255 host 10.10.10.1
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
int vlan 10
 ip address 10.10.10.1 255.255.255.0
 no shut
 ip access-group 111 in
!
Attempting to ping 10.10.10.1 should work, and you should see the counters increasing on the first line of ACL 111 with:
sh ip access-list 111
CoPP is smarter, and it can introduce a rate-limiting action to protect the CPU.
Hope to help
Giuseppe
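
The wildcard-mask point in the reply above, as an added example that is not part of the original thread: a small Python model of first-match ACL evaluation with per-line hit counters, run over ACL 111 and over the netmask form from the question. The packets are constructed, the function names are hypothetical, and the model covers only wildcard matching on protocol, source and destination, not how a given platform forwards traffic to the control plane.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC DST' (no ports or options in this model)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    return {"action": action, "proto": proto, "src": parse_addr(tokens),
            "dst": parse_addr(tokens), "hits": 0}

def evaluate(acl, proto, src, dst):
    """First matching line wins; falling off the end is the implicit deny."""
    for ace in acl:
        if (ace["proto"] in ("ip", proto)
                and wildcard_match(src, *ace["src"])
                and wildcard_match(dst, *ace["dst"])):
            ace["hits"] += 1
            return ace["action"]
    return "deny"

def demo():
    # ACL 111 from the reply, and the netmask form from the original question.
    acl_111 = [parse_ace("permit icmp 10.10.10.0 0.0.0.255 host 10.10.10.1"),
               parse_ace("permit ip 10.10.10.0 0.0.0.255 any")]
    acl_netmask = [parse_ace("permit ip 10.10.10.0 255.255.255.0 any")]
    # Constructed packets: a VLAN host pinging the SVI, then a TCP flow off-net.
    results = [evaluate(acl_111, "icmp", "10.10.10.5", "10.10.10.1"),
               evaluate(acl_111, "tcp", "10.10.10.5", "192.0.2.10"),
               # Netmask used as wildcard: only the last octet is compared (to 0).
               evaluate(acl_netmask, "icmp", "10.10.10.5", "10.10.10.1"),
               evaluate(acl_netmask, "icmp", "172.16.9.0", "10.10.10.1")]
    return results, [ace["hits"] for ace in acl_111]

if __name__ == "__main__":
    print(demo())
```

With 255.255.255.0 in the wildcard position, the line ignores the first three octets and matches any source ending in .0, so hosts on 10.10.10.0/24 fall through to the implicit deny.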
10-03-2009 09:59 AM
Hello Giuseppe,
I'm in the process of testing this today and really appreciate the feedback.
Thank you