Question

Access-list for SVI not supported?


Hello,
Access-lists for SVIs don't seem to work well.
I have two switches connected directly. Switch A has the IP address 30.0.0.100/16 and switch B has the IP address 30.0.0.150/16 on SVI 100.
I try to deny SSH access from switch A to B by configuring the following commands on switch B, but somehow switch A still succeeds in SSHing to B.
-----
net add acl ipv4 copptest drop tcp source-ip 30.0.0.100/16 source-port any dest-ip 30.0.0.150/16 dest-port any
net add int swp3 acl ipv4 copptest inbound
net add vlan 100 acl ipv4 copptest inbound
net add control-plane acl ipv4 copptest inbound
net pending
net commit
cl-acltool -i
-----
I found that the access-list worked properly for packets that switch B transmits to another switch.
It doesn't work for packets destined to switch B itself.
It also worked when I set the IP address on a physical switch port rather than on an SVI.
Does anyone have any idea how to apply an access-list to an SVI?
Regards,
Yosuke
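As an added example (not part of the original post or of Cumulus Linux itself), the "deny SSH from A to B" intent rendered as a cl-acltool policy rule, plus a check of iptables counters to see whether the installed rule matched anything. The policy.d path, the narrowing to /32 hosts and TCP/22, and the sample iptables output are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: (1) render "deny SSH from switch A
# (30.0.0.100) to switch B (30.0.0.150)" as a cl-acltool [iptables] policy rule,
# and (2) read iptables counters to see whether that rule matched any packets.
# Assumptions: standard cl-acltool policy format; the original NCLU rule's /16
# masks and "any" ports are narrowed here to /32 hosts and TCP/22 so only SSH
# between the two SVI addresses is matched rather than all TCP in 30.0.0.0/16.

# INPUT-chain (CPU-bound, i.e. control-plane) DROP rule for SSH from $1 to $2.
# No -i is given, so the rule covers traffic arriving via the SVI as well as swp ports.
ssh_drop_rule() {
    printf -- '-A INPUT -p tcp -s %s/32 -d %s/32 --dport 22 -j DROP\n' "$1" "$2"
}

# Full policy file body for /etc/cumulus/acl/policy.d/<name>.rules (install with cl-acltool -i).
ssh_drop_policy() {
    printf '[iptables]\n'
    ssh_drop_rule "$1" "$2"
}

# Read "iptables -vnL INPUT" output on stdin; print the packet counter of the DROP
# rule for src $1 -> dst $2 on tcp dpt:22, or "absent" if no such rule is installed.
# Columns: pkts bytes target prot opt in out source destination [match details]
drop_hits() {
    awk -v s="$1" -v d="$2" '
        $3 == "DROP" && $4 == "tcp" && $8 == s && $9 == d && $NF == "dpt:22" { print $1; found = 1 }
        END { if (!found) print "absent" }'
}

# Classify: "absent", "installed-no-matches" (rule present, counter 0 after the
# SSH attempt) or "matched:N". A non-zero counter shows the rule matched; whether
# the drop took effect is confirmed by the SSH attempt itself failing.
verdict() {
    hits=$(drop_hits "$1" "$2")
    case "$hits" in
        absent) echo absent ;;
        0)      echo installed-no-matches ;;
        *)      echo "matched:$hits" ;;
    esac
}

# Constructed sample output: the rule is installed but its counter stays 0.
SAMPLE_INPUT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       30.0.0.100           30.0.0.150           tcp dpt:22
  812 61234 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

printf '%s\n' "$SAMPLE_INPUT" | verdict 30.0.0.100 30.0.0.150
```

On a switch, replace the sample with `iptables -vnL INPUT` (or `cl-acltool -L ip`) output taken after an SSH attempt from A.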

1 reply

Hi @yosuke, you may be hitting an issue that we cover in release note 1062, where the input chain ACL drop action doesn't drop packets if the traffic is destined to the CPU on an SVI.

Is your switch a non-RIOT platform?
