DCNM / NDFC - Create ACL for VLAN in VXLAN Fabric

paul1202
Level 1

Hi Folks,

What is the best way, using DCNM, to create an ACL for a VLAN to restrict some host connectivity in a VXLAN Fabric, please?

DCNM has been used to create the Fabric and uses / applies profiles for the various VLANs.

Do I have to use the switch freeform template? If so, do I have to un-apply the specific profile before I add the new access-group?

Is there a way to provision a new Fabric without using profiles?

Thanks in advance.


M02@rt37
VIP

Hello @paul1202,

Two possible approaches:

Approach 1: Using DCNM Profiles and the Switch Freeform Template.

--Determine the VLAN you want to apply the ACL to within the fabric.

--Using the switch freeform template, create an ACL that defines the desired access restrictions. You can specify source and destination IP addresses, protocols, ports, and any other desired criteria.

--If the VLAN you want to modify already has a profile applied, you'll need to unapply it first. This step is necessary because the freeform template approach requires you to work directly with the switch configuration, bypassing the profile-based configuration. Locate the VLAN in the fabric and remove the profile.

--In the switch freeform template, add the access-group command to apply the ACL to the VLAN. Specify the direction (inbound or outbound) and the ACL name or number you defined in previous step.

--Review your configuration and make sure it aligns with your requirements. Finally, deploy the configuration to the fabric to apply the ACL.

Approach 2: Provisioning a Fabric without Using Profiles

If you prefer not to use profiles at all and want to configure the fabric and ACLs without them, you can:

--Use DCNM's fabric provisioning features to create the VXLAN Fabric. Specify the required parameters such as fabric name, switches, VLANs, and VRFs.

--Once the fabric is provisioned, navigate to the ACL configuration section within the fabric. Create the desired ACLs based on your requirements. Define the access restrictions using source and destination IP addresses, protocols, ports, etc.

--Associate the appropriate ACLs with the VLANs you want to restrict. Specify the direction (inbound or outbound) and the ACL name or number for each VLAN.

--Review your configuration to ensure it meets your needs, and then deploy the configuration to the fabric to apply the ACLs.

N.B.: Depending on the specific version and features of DCNM, the steps may vary.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thanks for your quick response.

To un-apply a profile, is it simply no apply profile XXXX ?

For example, the switch freeform configuration will look something like this - (Actual ACL FUEL-DENY omitted in the example)

no apply profile PRODUCTION-VL321
configure profile PRODUCTION-VL321
interface Vlan321
 ip access-group FUEL-DENY IN

apply profile PRODUCTION-VL321

I assume applying this is non-disruptive to any other traffic within the VLAN.
You mention navigate to the ACL section in the Fabric. Do you mean there is an ACL creation section somewhere in one of the Fabric templates or create one using the switch_freeform?

Lastly, when using the Fabric Builder template, is there a tick box or similar to specifically say whether or not to use profiles?

Thanks again.

@paul1202,

In fact, DCNM does not have a specific ACL creation section within the Fabric view. The creation of ACLs is typically done at the VLAN level or at the device level. You can create ACLs using the switch freeform configuration or by directly configuring ACLs on the devices within the fabric.

When using the Fabric Builder template in DCNM, there is no specific tick box or option to choose whether or not to use profiles. The use of profiles is a fundamental aspect of DCNM's fabric management approach. If you choose to use the Fabric Builder template, the VLAN configurations will be automatically managed using profiles. However, you have the flexibility to modify or create additional configurations using the switch freeform approach alongside the profiles.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

paul1202
Level 1

Thanks for your replies.

So I have no choice but to use configuration profiles and if I need to add the access-group to the VLAN, the following switch freeform configuration with just the addition of the ACL should work, leaving all current configuration on the VLAN and not disrupt any traffic. Is that your understanding?

no apply profile PRODUCTION-VL321
configure profile PRODUCTION-VL321
interface Vlan321
 ip access-group FUEL-DENY IN

apply profile PRODUCTION-VL321

Hello @paul1202

Yes! The switch freeform configuration you provided will un-apply the profile from the VLAN, add the ACL ("FUEL-DENY") to the VLAN's ingress traffic, and then re-apply the profile to the VLAN. This approach should retain the existing configuration on the VLAN while adding the ACL rules. It should not disrupt any traffic, as long as the ACL rules are configured correctly and do not block necessary traffic.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
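The last reply hinges on one caveat: the change is only non-disruptive "as long as the ACL rules are configured correctly and do not block necessary traffic". The thread omits the body of FUEL-DENY, and a deny-only ACL is exactly the mistake that turns a targeted restriction into a VLAN-wide outage, because NX-OS ends every IP ACL with an implicit "deny ip any any". The script below is an added example, not code from the thread, from Cisco, or from DCNM. It renders the freeform block the poster proposed (profile PRODUCTION-VL321, VLAN 321 and the ACL name come from the thread; the ACL entries and the 10.32.1.50 host are constructed), lints the ACL for the implicit-deny lockout and for shadowed entries, and checks that every access-group referenced in a freeform snippet is also defined in it, so the restriction does not depend on an ACL that may not exist on the switch.

```python
"""Build and sanity-check a DCNM switch-freeform snippet that adds an ACL to a
config-profile-managed SVI.

Added example for the thread above; not Cisco, DCNM or the poster's code.
Profile name, VLAN and ACL name follow the poster's snippet; the ACL entries
and the host address are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class AclEntry:
    """One NX-OS IP ACL entry, e.g. 'deny ip host 10.32.1.50 any'."""
    action: str          # "permit" or "deny"
    proto: str           # ip, tcp, udp, ...
    src: str             # "any", "10.32.1.0/24", "host 10.32.1.50"
    dst: str
    extra: str = ""      # optional trailer such as "eq 22" or "log"

    def render(self) -> str:
        return f"{self.action} {self.proto} {self.src} {self.dst} {self.extra}".rstrip()


def render_acl(name: str, entries: list[AclEntry]) -> list[str]:
    """NX-OS 'ip access-list' block with sequence numbers in steps of 10."""
    lines = [f"ip access-list {name}"]
    for seq, entry in enumerate(entries, start=1):
        lines.append(f"  {seq * 10} {entry.render()}")
    return lines


def lint_acl(name: str, entries: list[AclEntry]) -> list[str]:
    """Warn about ACL shapes that would disrupt the whole VLAN, not just the
    hosts being restricted."""
    warnings: list[str] = []
    if not entries:
        return [f"{name}: ACL has no entries"]
    if not any(e.action == "permit" for e in entries):
        warnings.append(
            f"{name}: no permit entry; NX-OS ends every IP ACL with an implicit "
            "'deny ip any any', so this blocks all traffic on the SVI"
        )
    # A blanket permit before other entries makes everything after it unreachable.
    for idx, e in enumerate(entries[:-1]):
        if (e.action, e.proto, e.src, e.dst) == ("permit", "ip", "any", "any"):
            warnings.append(
                f"{name}: 'permit ip any any' at entry {idx + 1} shadows "
                f"{len(entries) - idx - 1} later entries"
            )
    return warnings


def build_freeform(profile: str, vlan: int, acl_name: str,
                   entries: list[AclEntry], direction: str = "in") -> str:
    """Render the freeform block from the thread, with the ACL definition
    placed before the access-group line that references it."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    lines = render_acl(acl_name, entries)
    lines += [
        f"no apply profile {profile}",
        f"configure profile {profile}",
        f"interface Vlan{vlan}",
        f"  ip access-group {acl_name} {direction}",
        f"apply profile {profile}",
    ]
    return "\n".join(lines) + "\n"


def referenced_acls(config_text: str) -> set[str]:
    """ACL names applied with 'ip access-group <name> in|out' (case-insensitive)."""
    return set(re.findall(r"^\s*ip access-group (\S+) (?:in|out)\b",
                          config_text, flags=re.M | re.I))


def defined_acls(config_text: str) -> set[str]:
    """ACL names defined with 'ip access-list <name>'."""
    return set(re.findall(r"^\s*ip access-list (\S+)", config_text, flags=re.M))


def undefined_references(config_text: str) -> set[str]:
    """ACLs applied in the snippet but not defined in it; these must already
    exist on the switch or the deploy does not restrict anything."""
    return referenced_acls(config_text) - defined_acls(config_text)


# Constructed ACL body: block one host, keep everyone else working.
FUEL_DENY = [
    AclEntry("deny", "ip", "host 10.32.1.50", "any", "log"),
    AclEntry("permit", "ip", "any", "any"),
]

# The poster's snippet, reproduced with the ACL body omitted as in the thread.
POSTED_SNIPPET = """no apply profile PRODUCTION-VL321
configure profile PRODUCTION-VL321
interface Vlan321
 ip access-group FUEL-DENY IN

apply profile PRODUCTION-VL321
"""

if __name__ == "__main__":
    print(build_freeform("PRODUCTION-VL321", 321, "FUEL-DENY", FUEL_DENY))
    print("warnings:", lint_acl("FUEL-DENY", FUEL_DENY))
    print("undefined in posted snippet:", undefined_references(POSTED_SNIPPET))
```

Run it as-is to see the rendered block; swap in your own entries and re-run the lint before pasting anything into the freeform template. The undefined-reference check is the one to run against the snippet you actually deploy, since a freeform block that applies FUEL-DENY without defining it relies on the ACL already being present on every leaf the profile lands on.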
