vacl needs svi or not

sarahr202
Level 5

Hi everybody

From our previous discussion, I learned:

VACL requires an active svi according to the following link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/vlan_acls.pdf

I quoted from the above link:

VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured. Applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an administratively down Layer 3 VLAN interface to support the VLAN access map.

Now according to the following link, we don't need an active SVI for VACL to work. Look at the end of the article where the instructor answered one of the questions. I quoted that discussion from the link below:

http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/

Hello,

Thanks for your post.

I have some questions:

As I understand it, an SVI is not required to be configured on the switches, and the VACL can be done on SW1 instead of SW2 with the same final result, do you agree? And also we need L3 switches to configure VACL.

Thanks again,

Alex

INE Instructor

August 12, 2009 at 12:27 am

Hi Alexander!

Yes – these switches in the scenario are in default configurations other than what you see in the topology. No SVI interfaces were created. Also – very good – SW1 could have been chosen as well.

I never thought about it…but yes, I think you are right. I have never seen this capability on a Layer 2 switch. Notice I did not enable ip routing on these devices, however.

=================================================================================================================

I am confused. Do we need an active SVI or don't we need it?

Thanks and have a nice week.

2 Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello Sarah,

I think you are entering the grey zone of implementation details.

The configuration guide refers to the C6500, and the same constraint is also stated in the 12.2SX configuration guide:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vacl.html#wp1097462

The INE blog refers to other platforms, C3550 or C3560, as it is focused on the CCIE lab.

The C6500 might need an SVI for the way the PFC works, but the VACL concept applies to the L2 object that is the broadcast domain. The PFC may use the SVI just as a pointer, this is my guess, because it says that an SVI will be created if not existing and left in shutdown state. So the PFC needs the SVI to exist even if not configured. In other words, the SVI provides the point of application of the VACL feature.

According to the blog, low-end switches are able to use VACLs without SVIs and with ip routing disabled.

Hope to help

Giuseppe


Hello Giuseppe,

I can confirm that on 3560 Catalysts, absolutely no SVI is necessary for VACLs to work. You just configure the VACLs and apply them to selected VLANs, and that's it. No need to configure an SVI whatsoever. This must indeed be an implementation quirk for 6500 series Catalysts.

Best regards,

Peter

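To make the configuration the replies describe concrete, here is an added example (constructed for this page, not something Peter or Giuseppe posted) of the minimal VACL on a Catalyst IOS switch with no SVI and no ip routing, followed by the show commands that reveal whether the platform created an SVI on its own. VLAN 10, the ACL name and the server address are assumed values.

```ios
! Constructed example: stop hosts in VLAN 10 from reaching the telnet
! port of a server that sits in the same VLAN. Because the traffic is
! bridged, a router ACL on an SVI would never see it; a VACL does.
!
! 1. Classify the traffic with an ordinary extended ACL.
ip access-list extended VACL10-TELNET-TO-SERVER
 permit tcp any host 10.1.10.50 eq 23
!
! 2. Build the access map. Sequence 10 drops the matches; sequence 20
!    forwards everything else, because a VACL ends with an implicit deny
!    and would otherwise black-hole the whole VLAN.
vlan access-map VACL10 10
 match ip address VACL10-TELNET-TO-SERVER
 action drop
vlan access-map VACL10 20
 action forward
!
! 3. Apply the map to the VLAN. Note that neither "interface Vlan10"
!    nor "ip routing" appears anywhere; this is the 3560 case Peter
!    confirms.
vlan filter VACL10 vlan-list 10
!
! Verification from privileged EXEC. The last command is the check for
! the 6500 behaviour quoted from the configuration guide: on a 3560 no
! Vlan10 interface is listed, while on a 6500 an "administratively down"
! Vlan10 that nobody configured shows up after the vlan filter command.
do show vlan access-map VACL10
do show vlan filter
do show ip interface brief | include Vlan10
```

If the auto-created SVI does appear, leave it shut down; it exists only as the attachment point for the VACL and must not be brought up unless the VLAN is meant to be routed.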
