Cisco Support Community


Dual core and Multilayer switching?

Hi,

I recently observed a network where there was a fairly typical design of 2 core switches linked via port channel; the switches are configured with SVIs in the same VLAN, and VRRP is configured.

Access lists applied inbound on the SVIs seem to make allowances for traffic from the local VLAN originating both inside and outside of the network, e.g.

assuming 192.169.0.0/25 is the local VLAN trying to reach a remote VLAN of 10.0.0.0/25

Extended IP access list Data_Vlan_Out

10 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255

20 permit ip 10.0.0.255 0.0.0.255 192.168.0.0 0.0.0.255

30 deny ip any any

will be applied to the SVI on both switches.

I assume this is being done due to the way SVIs view traffic which passes between the two switches, but it doesn't seem best practice. I was wondering if anyone could shed any light on what is actually going on here and how the design may be improved?

1 REPLY

Re: Dual core and Multilayer switching?

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.


Posting

No, the ACL wouldn't impact traffic just moving between the two switches at L2. It will only impact the SVI, which is used when traffic enters or leaves the VLAN via L3.

The ACL should be applied on both switches' SVIs, both because both SVI interfaces might be used concurrently for entering the VLAN and because, even if one is the "hot" gateway for leaving the VLAN, it could fail, and then traffic would shift to the other SVI.

As to why it allows for traffic in either direction: for its (currently) described usage, that's unnecessary. Perhaps when it was defined it was also intended to be used as both an IN and an OUT ACL.
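The following is an added illustration, not part of the thread and not Cisco code: a small Python model of where an inbound SVI ACL is actually evaluated in the two-core VRRP design, using the ACL entries from the question. It assumes the SVI's own subnet is the 192.168.0.0 0.0.0.255 that the ACL names (the question's "192.169.0.0/25" is taken as a typo), and line 20 is modelled as 10.0.0.0 0.0.0.255, since the wildcard makes the last octet a don't-care. The sample flows are constructed. Running it shows the two points of the reply: frames bridged inside the VLAN, including those crossing the core port channel, never touch the ACL, and line 20 can never match inbound because everything entering the SVI from the VLAN is sourced inside the VLAN.

```python
"""Model of inbound SVI ACL evaluation for the two-core VRRP design discussed
in the thread. Constructed example; not Cisco code. Wildcard-mask matching
follows IOS semantics (0 bit = must match, 1 bit = don't care)."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str       # "permit" or "deny"
    src: str          # source network (IOS wildcard style)
    src_wild: str
    dst: str          # destination network
    dst_wild: str


ANY = ("0.0.0.0", "255.255.255.255")


def wild_match(addr: str, net: str, wild: str) -> bool:
    """True when addr matches net under an IOS wildcard mask."""
    care = ~int(IPv4Address(wild)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(net)) & care)


def evaluate(acl, src: str, dst: str):
    """First matching ACE wins; no match is the implicit deny at the end."""
    for ace in acl:
        if wild_match(src, ace.src, ace.src_wild) and wild_match(dst, ace.dst, ace.dst_wild):
            return ace.seq, ace.action
    return None, "deny"


# The ACL from the question (line 20 normalised to 10.0.0.0, see lead-in).
DATA_VLAN_OUT = [
    Ace(10, "permit", "192.168.0.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    Ace(20, "permit", "10.0.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    Ace(30, "deny", *ANY, *ANY),
]

LOCAL_VLAN = ("192.168.0.0", "0.0.0.255")   # assumed subnet of the SVI


def classify(src: str, dst: str, local=LOCAL_VLAN) -> str:
    """Forwarding path of a packet relative to this VLAN's SVI."""
    src_local = wild_match(src, *local)
    dst_local = wild_match(dst, *local)
    if src_local and dst_local:
        return "l2"        # bridged within the VLAN, even across the core port channel
    if src_local:
        return "svi_in"    # leaves the VLAN through the SVI: inbound ACL applies
    if dst_local:
        return "svi_out"   # routed into the VLAN: only an outbound ACL would see it
    return "transit"       # this SVI is not on the path at all


def inbound_decisions(flows, acl=DATA_VLAN_OUT):
    """Map (src, dst) -> (path, ACL verdict); the verdict exists only for svi_in flows."""
    results = {}
    for src, dst in flows:
        path = classify(src, dst)
        verdict = evaluate(acl, src, dst) if path == "svi_in" else None
        results[(src, dst)] = (path, verdict)
    return results


def aces_hit_inbound(flows, acl=DATA_VLAN_OUT):
    """Sequence numbers that inbound traffic on this SVI can ever match."""
    hit = set()
    for path, verdict in inbound_decisions(flows, acl).values():
        if path == "svi_in" and verdict[0] is not None:
            hit.add(verdict[0])
    return sorted(hit)


# Constructed sample flows covering each path.
SAMPLE_FLOWS = [
    ("192.168.0.10", "10.0.0.20"),      # local host to remote VLAN: hits ACE 10
    ("10.0.0.20", "192.168.0.10"),      # reply into the VLAN: inbound ACL never consulted
    ("192.168.0.10", "192.168.0.50"),   # host to host in the VLAN: pure L2, no ACL
    ("192.168.0.10", "172.16.5.5"),     # local host to an unlisted subnet: ACE 30 deny
]

if __name__ == "__main__":
    for flow, (path, verdict) in inbound_decisions(SAMPLE_FLOWS).items():
        print(f"{flow[0]:>14} -> {flow[1]:<14} {path:8} {verdict}")
    print("ACEs reachable inbound:", aces_hit_inbound(SAMPLE_FLOWS))   # [10, 30]
```

Line 20 only ever matches if the same ACL is also applied outbound (or the same packets are evaluated without regard to direction), which is what the reply suggests the original intent may have been. The model also makes the reply's second point concrete: `classify` is per-SVI, so whichever core is the VRRP master at the moment is the one whose inbound ACL sees the flow, and the other core's SVI needs the same ACL for the failover case.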
