Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
882
Views
0
Helpful
4
Replies

Does switched traffic go through SVI?

Go to solution
CSCO10662744_2
Level 1
Level 1

‎05-15-2017 12:49 PM - edited ‎03-08-2019 10:35 AM

I'm trying to apply an ACL to the SVI to block certain ports as temporary security measure.

Does traffic in the same VLAN go through the SVI, and be subject to the applied ACL, assuming the flows have to go through the L3 switch because it's in the middle of the physical path?

I'm guessing no, because traffic would enter SVI only if it's destined for a different VLAN/subnet, but wanted to confirm.

Thx

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Georg Pauwen
VIP
VIP

‎05-15-2017 01:05 PM

Hello,

the short answer is: no. ACLs apply only to routed traffic, not intra-Vlan traffic. To accomplish hosts in the same Vlan to communicate with each other, you need to use VACLs:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html#pgfId-1055968

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Georg Pauwen
VIP
VIP

‎05-15-2017 01:05 PM

Hello,

the short answer is: no. ACLs apply only to routed traffic, not intra-Vlan traffic. To accomplish hosts in the same Vlan to communicate with each other, you need to use VACLs:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html#pgfId-1055968

0 Helpful

Go to solution
CSCO10662744_2
Level 1
Level 1
In response to Georg Pauwen

‎05-15-2017 01:14 PM

Thank you so much for the quick response.

Unfortunately our N9K's are not configured to support VACL, so we'll need to look elsewhere to implement this block. (due to TCAM resource regions...we didn't think we'd need to do VACLs)

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to CSCO10662744_2

‎05-15-2017 01:38 PM

Hello,

not sure if this is what you are referring to, but on the Nexus 9K, "TCAM resources are not shared when a VACL is applied to multiple VLANs." You should be fine if you apply the VACL to a single Vlan.

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_01100.html

0 Helpful

Go to solution
CSCO10662744_2
Level 1
Level 1
In response to Georg Pauwen

‎05-15-2017 01:44 PM

Thank you for the follow-up.

The switch has no TCAM carved to do VACL, so I anticipate if we try to apply a VACL to a VLAN, the N9K would complain there's no memory for it.

When I do "show system internal access-list globals" VACL has no memory reserved...

http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/119032-nexus9k-tcam-00.html

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card