Question

ACL on SVI (vlan)


Hi guys,
I'm pretty new to Cumulus and networking stuff, so be patient with me ;-)

I'm trying to apply some ACLs to an SVI and apparently this is not working.
If I apply the same ACLs to a physical port or a bond interface it works.

Here the procedure I've used:
net add acl ipv4 TEST-ACL drop source-ip 192.168.3.32 dest-ip any
net add vlan 453 acl ipv4 TEST-ACL inbound
net commit

The interface/vlan/SVI configuration is:
auto vlan453
iface vlan453
address 192.168.106.2/24
vlan-id 453
vlan-raw-device bridge

Here the output of iptables:
root@sn2100a:mgmt-vrf:~# iptables -L FORWARD -n -v
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- vlan453 * 192.168.3.32 0.0.0.0/0

Looking at the iptables counter the rules is never hit.
Probably I'm missing some basic concept on how ACLs works with SVI.

For completeness of information, the switch a Mellanox 2100 machine
root@sn2100a:mgmt-vrf:~# net show version
NCLU_VERSION=1.0
DISTRIB_ID="Cumulus Linux"
DISTRIB_RELEASE=3.5.2
DISTRIB_DESCRIPTION="Cumulus Linux 3.5.2"

Any suggestion?
Cheers
Nicola

2 replies

Userlevel 4
Hi @nbianchi sorry for the late reply but I'm asking around engineering to see if we can get you an answer here.
Userlevel 4
Hi @nbianchi, since the rule seems to be installed, is your traffic is all bridged? Mellanox distinguishes between routed and bridged traffic, and the SVI only matches routed traffic.

Reply