This document provides a sample ACL (access control list) configuration, for GSS appliance, to allow inter-GSS communication within a cluster.
The packet filtering tools on the GSS instruct each device to permit or refuse specific packets based on a combination of criteria.Access lists are collections of filtering rules that you create using the access-list CLI command. The GSS examines each packet to determine whether to forward or drop the packet based on the criteria specified within the access lists. When the GSS decides whether to forward or block a packet, it tests the packet against each criteria statement in the order that the statements were created. After a match is found, the GSS does not check any additional criteria statements.
GSS appliances in a cluster use following TCP ports for Inter-GSS communication:
200, 2001-2005 and 3002-3008.
Each GSS appliance in a cluster can be configured with an ACL that would allow only these appliances to communicate with each other by blocking rest of the traffic on an inside ethernet interface of an appliance.
Consider an example where there are two GSS appliances in a cluster. Both appliances communicate with each other over ethernet interface eth0.
Primary GSSM eth0 interface is configured with IP address 10.10.10.1.
Standby GSSM eth0 interface is configured with IP address 10.10.10.2.
Given that, you can configure following access control lists (ACLs) to allow Inter-GSS communication over ethernet interface eth0.
Note: Additional entries can be added to these ACLs to accommodate some other type of traffic such as telnet or SSH access to GSS.
Primary GSSM (IP address for interface eth0 10.10.10.1) :
Hi, The ACI Multi-pod white paper explains how remote endpoints belonging to different pods are associated to the spines Anycast VTEP address (Proxy), minimising the number of MP-BGP EVPN updates between pods when the endpoint performs local movement...
Hello Friends, I am trying to digest concept of L4-L7 feature in ACI if i understood correct, if we use ASAv in L4-l7, then we dont need physical ASA in network to filter port traffic and ACI l4-l7 ASAv will do port based filtering ? Is it?If we...
Hello Guys,My Cisco ACI fabric have 1 APIC server-M2 (Fimware 2.2(2e)), 1 Spine N9K-9336PQ, 2 Leaf N9K-9396PX using fimware 12.2(2e). can i upgrade my apic fimware to 4.2(3i), spine and leaf fimware to 14.2(3i) ?
Got a fabric module that refused to boot up on a new switch. Upon inspecting the log I've come across this. 2020 Mar 26 17:14:17 N9K-C9504 %$ VDC-1 %$ %MODULE-2-MOD_DIAG_FAIL: Module 22 (Serial number: ) reported failure due to fatal error in device ...