Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1354
Views
10
Helpful
10
Replies

Cisco Modeling Labs 2 - ACL Bug?

Go to solution
jduty
Level 1
Level 1

‎12-13-2022 06:53 AM - edited ‎12-13-2022 06:58 AM

I am a recently new user of Cisco Modeling Labs and for the most part love it. That being said, I'm not sure if I have something incorrectly configured or if this is a true bug in the software. I am using two NXOS 9000 as cores that are configured as peer switches (similar to our live environment), however the ACLs appear to be sort of working/not working at all. 

I have a simply network created (10.1.99.x/24) and the gateway as 10.1.99.254 with a ip access-list created that simply is deny ip any any and applied to both VLAN 99's interfaces on both core switches. The odd thing is I can still ping it from one of the desktops in the lab but I can't from one of the switches. The desktop and switch are on different LANs, but that shouldn't matter as the access-list is to be blocking everything. (I also applied it both in and out to make sure I didn't have the wrong direction)

Conversely, there are several VLAN interfaces my switches should be able to ping as well but they can't but the desktop can ping them all. I am a bit puzzled by this one. 

Preview file
41 KB
1 Accepted Solution

Accepted Solutions

Go to solution
bigevilbeard
VIP
VIP
In response to jduty

‎12-14-2022 03:38 AM

@jduty you might want to raise your issues/note over at the official CML community if you are using the personal edition HERE 

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

View solution in original post

0 Helpful
10 Replies 10

Go to solution
MHM Cisco World
VIP
VIP

‎12-13-2022 06:55 AM

are these N9K run vPC ?

0 Helpful

Go to solution
jduty
Level 1
Level 1
In response to MHM Cisco World

‎12-13-2022 07:14 AM - edited ‎12-13-2022 07:14 AM

Yep.. sure are.

They are the NX-OS 9000 running vPC

Go to solution
MHM Cisco World
VIP
VIP
In response to jduty

‎12-13-2022 07:24 AM

I have idea what happened here I will lab it and share result here .

0 Helpful

Go to solution
jduty
Level 1
Level 1
In response to MHM Cisco World

‎12-13-2022 07:32 AM

Awesome! Thanks for the help!

0 Helpful

Go to solution
jduty
Level 1
Level 1
In response to MHM Cisco World

‎12-13-2022 08:17 AM - edited ‎12-13-2022 08:51 AM

I thought I figured out the issue. I am using the iosvl2-switches as my other switches, and although they are "Layer 2" switches, they have IP Routing turned on by default, which in my mind doesn't make much sense since they are to be Layer 2. That appears to have solved the issues for switches that are directly connected to the 9Ks, but not those in a vPC or any switch downstream of it. Not sure what's going on there. Have to do a bit more digging. 

0 Helpful

Go to solution
jduty
Level 1
Level 1
In response to jduty

‎12-13-2022 09:00 AM

So, I am fairly confident the issue is related to the fact that I was trying to use a vPC connection from the IOSvL2 switches and not another Nexus Platform. I opted for that since they didn't have Nexus 5ks, but I will boot up two more 9ks and test that theory. 

0 Helpful

Go to solution
jduty
Level 1
Level 1

‎12-13-2022 10:06 AM

So it was a combination of two things... 

1) IOSvL2 switches actually are capable of Layer 3 traffic, however, it is enabled by default, so I had to turn that off the switch stopped using its own routing tables. That solved it for most. However I noticed that switches with a vPC connection and switches downstream of them still couldn't ping. This leads me to the second issue...

2) I was trying to use IOSvL2 switches in the places where I (in my real environment) have two Nexus 5Ks. Since IOS doesn't support that same spanning-tree commands (i.e "spanning-tree port type xxxxx" doesn't exist), I had to replace those switches at my distribution layer in the lab with 2 more N9K's. After replaced and reprogrammed with port-channels and proper spanning, everything  appears to be humming along as it should minus 1 thing. Which leads me to another point.....

The ACL I originally listed this under still is not working as expected. The common I am expecting it to get flagged by is: "deny ip any 10.1.0.0 0.0.255.55" there are a few allowed statements before, but they are only a specific port that is allowed (i.e DHCP properties) and are specifically for a destination ip. I'm a bit flummoxed about this issue. 

0 Helpful

Go to solution
jduty
Level 1
Level 1

‎12-13-2022 11:19 AM

So I have all but confirmed that either I don't know how acls work, or CML is not accurately using them. I basically told all traffic to be blocked to a specific VLAN interface and traffic is still allowed through. In addition to that, it appears that it isn't logging anything for acls even though I have all that enabled. 

0 Helpful

Go to solution
bigevilbeard
VIP
VIP
In response to jduty

‎12-14-2022 03:38 AM

@jduty you might want to raise your issues/note over at the official CML community if you are using the personal edition HERE 

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io
0 Helpful

Go to solution
jduty
Level 1
Level 1
In response to bigevilbeard

‎12-15-2022 05:02 AM

Thanks for the suggestion, I will bring it up over there.

0 Helpful
Customers Also Viewed These Support Documents