ACL on interface BVI98

mahesh18
Level 6

Hi Everyone,

 

Router 1811w is configured as Wi-Fi.

Interface:

interface BVI98
 ip address 192.168.98.1 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1452

 

ip dhcp pool WIRELESS
   import all
   network 192.168.98.0 255.255.255.0
   default-router 192.168.98.1
   dns-server 64.59.144.19
   lease 3
!

 

User 1 is getting IP 192.168.98.6 from DHCP pool.

User 2 is getting IP 192.168.98.7 from DHCP pool.

I configured the ACL:

ip access-list extended test
 deny   ip host 192.168.98.7 any log
 permit ip any any log

 

I apply this to interface BVI98:

ip access-group test in

After applying this ACL, if I ping from the router to IP 192.168.98.7 it does not work; this is expected behaviour.

But when I ping 192.168.98.7 from the PC with IP 192.168.98.6, it works.

I need to know how this ping is working.

Is this ping working because when I ping from the PC with IP 192.168.98.6, that traffic does not hit int BVI98?

 

Regards

Mahesh

 

 

Accepted Solution

luckymike33
Level 1

Hi,

 

This is working because the ping traffic is not going to your BVI interface, and that is because these two devices are in the same broadcast domain, i.e. they are in the same VLAN. However, the BVI interface is used to route traffic off that VLAN, and so the ACL applied to that interface will see traffic despite it belonging to the same VLAN.

Do you need more information on BVI interfaces? They should be thought of as very similar to SVI interfaces, and are used by APs mainly to allow a layer 2 device to participate in routing (i.e. to allow an AP to be managed). Keith Barker also has a good explanation of them here:

https://learningnetwork.cisco.com/thread/52706

Ask if you need any more info

HTH

 

Mike
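The forwarding behaviour Mahesh observed and Mike explained can be modelled in a few lines. The following Python script is an added illustration written for this thread, not Cisco code and not something either poster provided: it reproduces the ACL from the question (deny host 192.168.98.7, permit everything else) with first-match semantics and the implicit deny, and models the bridge-group decision that frames between two hosts in the same subnet are switched at layer 2 and never enter the BVI, so the inbound ACL is only evaluated for packets that enter the router through BVI98 (addressed to the router itself or routed off the subnet). The subnet, router address and DNS server address come from the configuration in the question; everything else is a simplified model.

```python
"""Model of why an inbound IP ACL on a BVI never sees same-subnet traffic.

Added illustration for this thread (not Cisco code). It models a bridge
group with a BVI: frames between two hosts in the bridge group are switched
at layer 2, so 'ip access-group test in' on the BVI is evaluated only for
packets that enter the router through the BVI.
"""
import ipaddress
from dataclasses import dataclass

# Addresses taken from the configuration posted in the question.
BVI_NETWORK = ipaddress.ip_network("192.168.98.0/24")
BVI_ADDRESS = ipaddress.ip_address("192.168.98.1")
DNS_SERVER = "64.59.144.19"  # off-subnet destination handed out by the DHCP pool

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, source range, destination range."""
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool = False


# 'ip access-list extended test' exactly as posted in the question.
ACL_TEST = [
    Ace("deny", ipaddress.ip_network("192.168.98.7/32"), ANY, log=True),
    Ace("permit", ANY, ANY, log=True),
]


def evaluate_acl(acl, src, dst):
    """Return (action, matched_ace) using IOS first-match semantics.

    A packet that matches no entry hits the implicit 'deny' at the end of
    every IOS access list, which is modelled as ("deny", None).
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action, ace
    return "deny", None


def forward(src, dst, acl=ACL_TEST):
    """Model a packet arriving from the bridge group (the wireless clients).

    Returns (path, verdict):
      "bridged"   - both endpoints are in the bridge group; the frame is
                    switched at layer 2 and the BVI (and its ACL) is bypassed.
      "to-router" - destined to the BVI address itself; inbound ACL applies.
      "routed"    - destined off the subnet; inbound ACL applies before routing.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip in BVI_NETWORK and dst_ip in BVI_NETWORK and dst_ip != BVI_ADDRESS:
        return "bridged", "permit"
    verdict, _ = evaluate_acl(acl, src_ip, dst_ip)
    path = "to-router" if dst_ip == BVI_ADDRESS else "routed"
    return path, verdict


if __name__ == "__main__":
    # The three observations from the thread, plus the off-subnet case.
    cases = [
        ("192.168.98.6", "192.168.98.7"),  # PC-to-PC ping: bridged, ACL bypassed
        ("192.168.98.7", "192.168.98.1"),  # echo reply to the router's own ping: denied
        ("192.168.98.7", DNS_SERVER),      # .7 leaving the VLAN: denied
        ("192.168.98.6", DNS_SERVER),      # .6 leaving the VLAN: permitted
    ]
    for s, d in cases:
        path, verdict = forward(s, d)
        print(f"{s:>14} -> {d:<14} {path:<10} {verdict}")
```

The second case is why the router's own ping to 192.168.98.7 fails: the echo request leaves the router without touching the inbound ACL, but the echo reply sourced from 192.168.98.7 enters through BVI98 and matches the deny entry. The first case is the blind spot to keep in mind when an interface ACL is used as a security control: it cannot isolate two hosts on the same VLAN, because their traffic never reaches the routed interface, so host-to-host isolation inside the VLAN needs a layer 2 control rather than an IP ACL on the BVI.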


Thanks Mike for the reply.

Mahesh
