This document provides a sample ACL (access control list) configuration for a GSS appliance that allows inter-GSS communication within a cluster.
The packet-filtering tools on the GSS instruct each device to permit or refuse specific packets based on a combination of criteria. Access lists are collections of filtering rules that you create using the access-list CLI command. The GSS examines each packet and forwards or drops it based on the criteria specified within the access lists. When deciding whether to forward or block a packet, the GSS tests it against each criteria statement in the order in which the statements were created. After a match is found, the GSS does not check any additional criteria statements.
GSS appliances in a cluster use the following TCP ports for inter-GSS communication: 200, 2001-2005 and 3002-3008.
Each GSS appliance in a cluster can be configured with an ACL that allows only these appliances to communicate with each other, blocking all other traffic on the inside Ethernet interface of the appliance.
Consider an example with two GSS appliances in a cluster. Both appliances communicate with each other over Ethernet interface eth0.
The primary GSSM eth0 interface is configured with IP address 10.10.10.1.
The standby GSSM eth0 interface is configured with IP address 10.10.10.2.
Given that, you can configure the following access control lists (ACLs) to allow inter-GSS communication over Ethernet interface eth0.
Note: Additional entries can be added to these ACLs to accommodate other types of traffic, such as Telnet or SSH access to the GSS.
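The evaluation rules described above (first match wins, anything unmatched is dropped) can be checked against the example cluster before an ACL is applied to a live appliance. The following is an added model, not GSS code or GSS CLI syntax: it uses the two GSSM addresses and the inter-GSS TCP ports from this page, and also shows the effect of the Note (a later entry permitting SSH from a constructed management subnet) and of a deny entry that is ordered before the permits and therefore shadows them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Values from the page: the GSSM eth0 addresses and the inter-GSS TCP ports.
# The Rule/evaluate model below is an illustration of GSS ACL semantics only.
PRIMARY_GSSM = "10.10.10.1"
STANDBY_GSSM = "10.10.10.2"
INTER_GSS_PORTS = [(200, 200), (2001, 2005), (3002, 3008)]  # inclusive ranges


@dataclass(frozen=True)
class Rule:
    action: str                                   # "permit" or "deny"
    proto: str                                    # "tcp", "udp", "icmp" or "ip" (any)
    src: str                                      # host address or CIDR prefix
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range, None = any port

    def matches(self, proto: str, src: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src, strict=False):
            return False
        if self.dst_ports is None:
            return True
        lo, hi = self.dst_ports
        return lo <= dport <= hi


def evaluate(acl: List[Rule], proto: str, src: str, dport: int) -> str:
    """Verdict for one packet: the first matching entry decides; a packet
    that matches no entry is dropped (implicit deny at the end of the list)."""
    for rule in acl:
        if rule.matches(proto, src, dport):
            return rule.action
    return "deny"


def cluster_acl(peer: str, extra: Optional[List[Rule]] = None) -> List[Rule]:
    """ACL for one GSSM's eth0: permit only the peer GSSM on the inter-GSS
    ports. `extra` models the Note: later entries for traffic such as SSH."""
    rules = [Rule("permit", "tcp", peer, rng) for rng in INTER_GSS_PORTS]
    return rules + (extra or [])


if __name__ == "__main__":
    acl = cluster_acl(STANDBY_GSSM)            # ACL applied on the primary GSSM
    print(evaluate(acl, "tcp", STANDBY_GSSM, 2003))   # permit: peer, cluster port
    print(evaluate(acl, "tcp", "10.10.10.9", 2003))   # deny: not the peer
    print(evaluate(acl, "tcp", STANDBY_GSSM, 22))     # deny: SSH has no entry
    # Constructed management subnet allowed for SSH by an additional entry.
    mgmt = cluster_acl(STANDBY_GSSM, [Rule("permit", "tcp", "10.10.20.0/24", (22, 22))])
    print(evaluate(mgmt, "tcp", "10.10.20.5", 22))    # permit
```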
Primary GSSM (IP address for interface eth0: 10.10.10.1):