vacl needs svi or not

Answered Question
Jul 23rd, 2012
User Badges:
  • Bronze, 100 points or more

Hi everybody,

From our previous discussion, I learned:

VACL requires an active SVI according to the following link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/vlan_acls.pdf

I quoted from the above link:

VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured. Applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an administratively down Layer 3 VLAN interface to support the VLAN access map.

Now according to the following link, we don't need an active SVI for VACL to work. Look at the end of the article where the instructor answered one of the questions. I quoted that discussion from the link below:

http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/

Hello,

Thanks for your post.

I have some questions:

As I understand, SVI is not required on switches to be configured and VACL can be done on SW1 instead of SW2 with the same final result, do you agree? And also we need L3 switches to configure VACL.

Thanks again,

Alex

    INE Instructor
    August 12, 2009 at 12:27 am

    Hi Alexander!

    Yes – these switches in the scenario are in default configurations other than what you see in the topology. No SVI interfaces were created. Also – very good – SW1 could have been chosen as well.

    I never thought about it…but yes, I think you are right. I have never seen this capability on a Layer 2 switch. Notice I did not enable ip routing on these devices, however.

=================================================================================================================

I am confused. Do we need an active SVI or don't we need it?

Thanks and have a nice week.

Correct Answer
Giuseppe Larosa Tue, 07/24/2012 - 01:49
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello Sarah,

I think you are entering the grey zone of implementation details.

The configuration guide refers to C6500 and the same constraint is stated also in the 12.2SX config. guide:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vacl.html#wp1097462

The INE blog refers to other platforms, C3550 or C3560, as it is focused on the CCIE lab.

C6500 might need an SVI for the way the PFC works, but the VACL concept applies to the L2 object that is the broadcast domain. The PFC may use the SVI just as a pointer (this is my guess), because it says that an SVI will be created if not existing and left in shutdown state. So the PFC needs the SVI to exist, even if not configured. In other words, the SVI provides the point of application of the VACL feature.

According to the blog, low-end switches are able to use VACLs without SVIs and with ip routing disabled.

Hope to help

Giuseppe

Correct Answer
Peter Paluch Tue, 07/24/2012 - 05:44
User Badges:
  • Cisco Employee

Hello Giuseppe,

I can confirm that on 3560 Catalysts, absolutely no SVI is necessary for VACLs to work. You just configure the VACLs and apply them to selected VLANs, and that's it. No need to configure an SVI whatsoever. This must indeed be an implementation quirk for 6500 series Catalysts.

Best regards,

Peter
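As an added example (not posted by anyone in this thread), here is the "configure the VACLs and apply them to selected VLANs" step Peter describes, written as a Catalyst 3560-class IOS configuration with no SVI for the VLAN and ip routing left disabled. The VLAN number, host address and object names are hypothetical. It also shows the practical reason a VACL is worth the trouble: it filters bridged traffic between hosts in the same VLAN, which a routed ACL on an SVI never sees.

```cisco
! Added example, not from this thread: VACL on a Catalyst 3560-class switch.
! Assumptions (hypothetical): VLAN 10 exists, the host to isolate is
! 10.1.10.50, no "interface vlan 10" is configured, "ip routing" is off.
!
! Goal: inside VLAN 10, stop one host from talking to the rest of the VLAN
! while every other frame is forwarded unchanged.
!
! Step 1: an IP ACL whose "permit" entries define what the access map MATCHES.
! A "deny" line in this ACL drops nothing; it only means "no match here".
ip access-list extended VACL-MATCH-ISOLATED-HOST
 permit ip host 10.1.10.50 any
 permit ip any host 10.1.10.50
!
! Step 2: the access map. Sequence 10 drops the matched traffic. Sequence 20
! has no match clause, so it matches everything else and forwards it.
! Caveat: without sequence 20, any traffic that matches no clause is dropped
! (VLAN maps end with an implicit deny), so the whole VLAN would go dark.
vlan access-map VLAN10-FILTER 10
 match ip address VACL-MATCH-ISOLATED-HOST
 action drop
vlan access-map VLAN10-FILTER 20
 action forward
!
! Step 3: bind the map to the VLAN. This is the entire "apply" step; no
! "interface vlan 10" is created or required on this platform.
vlan filter VLAN10-FILTER vlan-list 10
!
! Verification (privileged exec):
!   show vlan access-map VLAN10-FILTER   - clauses, match ACLs and actions
!   show vlan filter                     - which maps are bound to which VLANs
!   show ip interface brief              - confirms no Vlan10 SVI exists
```

The same three steps are valid on a Catalyst 6500, but there, per the 15.0SY guide quoted in the question, the `vlan filter` command will create an administratively down `interface Vlan10` on its own; leave it shut down and the VACL still takes effect. The sequence-20 `action forward` clause is the line most often forgotten when testing this in a lab.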
