ACL with single host can't work

L122770547 · ‎09-08-2010

I encounter a question about ACL. I want use ACL to control only some host touch VSM.

When I apply ACL with single host . It can't work.

My config like :

permit ip host 192.168.1.1 host 192.168.1.5

deny ip any any

It will work when I use class C. but, the scope will increase.

My config like

permit ip 192.168.1.1/24 192.168.1.5/24

deny ip any any

After test and test.

I notice ACL will work if mask smaller than 25.

Have anyone know what is happen.

Thank you

Robert Burns · ‎09-08-2010

Can you provide your running config.

I can create a simple access list on my VSM to block traffic from my laptop to a particular VM - which works fine.

Looks like this:

<snip>

ip access-list deny-rob-access-to-VM
10 deny ip 10.1.1.1/32 10.2.2.2/32
20 permit ip any any

...

<snip>

....

interface Vethernet13
ip port access-group deny-access-to-VM out
inherit port-profile dvs_25
description Win2k3-VM1, Network Adapter 1
vmware dvport 480

If you're trying to lockdown access to the Management interfaces of the VSM, you have to apply the ACL to the physical upstream switchport. It's currently not possible to apply an ACL to the management interface of the 1000v VSM.

Robert

L122770547 · ‎09-08-2010

Hi Robert,

Thank your response.

If any offical docuement say any about ACL with VSM management interface?

I just find some information about ACL with VSM in release note, fllow is detail:

Access Lists

ACLs have the following limitations and restrictions:

Limitations:

•IPV6 ACL rules are not supported.

•VLAN-based ACLs (VACLs) are not supported.

•ACLs are not supported on port channels.

Restrictions:

•IP ACL rules do not support the following:

–fragments option

–addressgroup option

–portgroup option

–interface ranges

•Control VLAN traffic between the VSM and VEM does not go through ACL processing.

Because my customer need some document to prove. Please help me to find some offical document.

Thank you