From our previous discussion, I learned:
A VACL requires an active SVI according to the following link:
I quoted from the above link:
VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured.
Applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an
administratively down Layer 3 VLAN interface to support the VLAN access map.
Now, according to the following link, we don't need an active SVI for a VACL to work. Look at the end of the article, where the instructor answered one of the questions. I quoted that discussion from the link below:
Thanks for your post.
I have some questions:
As I understand it, an SVI is not required to be configured on the switches, and the VACL can be done on SW1 instead of SW2 with the same final result, do you agree? And also, we need L3 switches to configure a VACL.
August 12, 2009 at 12:27 am
Yes – these switches in the scenario are in default configurations other than what you see in the topology. No SVI interfaces were created. Also – very good – SW1 could have been chosen as well.
I never thought about it…but yes, I think you are right. I have never seen this capability on a Layer 2 switch. Notice I did not enable ip routing on these devices, however.
I am confused. Do we need an active SVI or do we not need it?
thanks and have a nice week.
I can confirm that on 3560 Catalysts, absolutely no SVI is necessary for VACLs to work. You just configure the VACLs and apply them to the selected VLANs, and that's it. No need to configure an SVI whatsoever. This must indeed be an implementation quirk of the 6500 series Catalysts.
I think you are entering the grey zone of implementation details.
The configuration guide refers to the C6500, and the same constraint is also stated in the 12.2SX configuration guide:
The INE blog refers to other platforms, C3550 or C3560, as it is focused on the CCIE lab.
The C6500 might need an SVI because of the way the PFC works, but the VACL concept applies to the L2 object, that is, the broadcast domain. The PFC may use the SVI just as a pointer; this is my guess, because the guide says that an SVI will be created if one does not exist and left in the shutdown state. So the PFC needs the SVI to exist, even if it is not configured. In other words, the SVI provides the point of application for the VACL feature.
According to the blog, low-end switches are able to use VACLs without SVIs and with ip routing disabled.
Hope to help
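For reference, here is an added configuration example (not from any post in this thread) of the kind of VACL being discussed: it drops intra-VLAN traffic from one host and forwards everything else, applied to the VLAN itself with no SVI configured. The VLAN number, host address, and map/ACL names are hypothetical. The final `show` line is only meaningful on a Catalyst 6500, where, per the configuration guide quoted above, applying the map creates an administratively down VLAN interface if none existed.

```text
! Added example, not from the thread. VLAN 10, 10.10.10.5 and the
! names DENY-HOST / VACL-VLAN10 are placeholders.
!
! The ACL is only a classifier for the access map: "permit" here
! means "match", and the action is decided by the access map.
ip access-list extended DENY-HOST
 permit ip host 10.10.10.5 any
!
! Sequence 10: matched packets are dropped.
vlan access-map VACL-VLAN10 10
 match ip address DENY-HOST
 action drop
!
! Sequence 20: no match clause, so everything else is forwarded.
! Without it, unmatched packets would hit the implicit deny and be dropped.
vlan access-map VACL-VLAN10 20
 action forward
!
! Apply the map to the VLAN (the L2 object). No "interface Vlan10"
! and no "ip routing" are configured anywhere in this example.
vlan filter VACL-VLAN10 vlan-list 10
!
! Verification
show vlan access-map VACL-VLAN10
show vlan filter
!
! Catalyst 6500 only: confirm the auto-created, admin-down SVI.
show ip interface brief | include Vlan10
```

Because the filter is bound to the VLAN rather than to a routed interface, it also inspects traffic between two hosts in the same VLAN, which a router ACL on the SVI never sees; that is the behaviour to verify in the lab on either platform.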