VACLs (access-map) on Nexus 5000

arikawahyono
Beginner

Dear expert,

I have a problem when trying to implement an access-map on my Nexus 5500.

I have 2 Nexus with vPC, and with some VLANs:

VLAN 2 with 192.168.2.x/24

VLAN 3 with 192.168.3.x/24

VLAN 4 with 192.168.4.x/24

VLAN 5 with 192.168.5.x/24

I want members of VLAN 2 and 3 to be unable to access each other with telnet and SSH; other traffic is forwarded.

This is my configuration:

#########################################################

ip access-list VLAN2_DROP
  permit tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
  permit tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
  permit tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
  permit tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22

vlan access-map VLAN2_FILTER
  match ip address VLAN2_DROP
  action drop
vlan access-map VLAN2_FILTER
  action forward

vlan filter VLAN2_FILTER vlan-list 2

ip access-list VLAN3_DROP
  permit tcp 192.168.3.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 23
  permit tcp 192.168.3.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 22
  permit tcp 192.168.2.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 23
  permit tcp 192.168.2.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 22

vlan access-map VLAN3_FILTER
  match ip address VLAN3_DROP
  action drop
vlan access-map VLAN3_FILTER
  action forward

vlan filter VLAN3_FILTER vlan-list 3

#########################################################

But the problem is that the connection to VLAN 2 and VLAN 3 is dropped (connection lost, RTO), and the other VLANs (VLAN 4 and 5) can't access VLAN 2 and 3 either (connection lost, RTO).

When I do a show run on my Nexus, I find the result is like this:

#
vlan access-map VLAN2_FILTER
  action forward
vlan access-map VLAN3_FILTER
  action forward
#

Based on the result from show run, the traffic should be fine and the connection still up, because the DROP policy has been replaced by FORWARD, but in fact the traffic is down.

Can anyone help me?

Thanks!!


arikawahyono
Beginner

I will answer my own question.

The right configuration is:

ip access-list VLAN2_DROP
  deny tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
  deny tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
  deny tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
  deny tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
  permit ip any any

vlan access-map VLAN2_FILTER
  match ip address VLAN2_DROP
  action forward
exit

vlan filter VLAN2_FILTER vlan-list 2

ip access-list VLAN3_DROP
  deny tcp 192.168.3.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 23
  deny tcp 192.168.3.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 22
  deny tcp 192.168.2.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 23
  deny tcp 192.168.2.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 22
  permit ip any any

vlan access-map VLAN3_FILTER
  match ip address VLAN3_DROP
  action forward
exit

vlan filter VLAN3_FILTER vlan-list 3

I hope this helps!!

Thanks,
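The two posts above hinge on how a VLAN access map classifies traffic: the entry's action applies to packets the ACL permits, a deny ACE (or no ACE match) means the entry does not match, and a packet that matches no entry falls to the implicit drop at the end of the map. The following Python model is an added example, not part of either post and not NX-OS code; those semantics, and the treatment of a match-less entry (as the poster's show run displayed) as matching nothing, are assumptions chosen because they reproduce the outage described in the question. The ACL entries are copied literally from the working configuration, including the 0.0.255.255 source wildcard, which covers all of 192.168.0.0/16 rather than a single VLAN, so the model also shows telnet from VLAN 4 into VLAN 2 being dropped. The sample flows are constructed for the example.

```python
"""Model of how a VLAN access map (VACL) classifies traffic, used to compare
the configuration first tried in this thread with the one that worked.
Added illustration only; this is not NX-OS code.

Semantics modelled (assumptions, chosen because they reproduce the reported
behaviour):
  * An access map is an ordered list of (match ACL, action) entries.
  * An entry matches a packet when its ACL *permits* the packet; a deny ACE,
    or no matching ACE, means "not this entry", and the next entry is tried.
  * A packet that matches no entry is dropped (implicit drop at the end).
  * An entry with no match clause (what 'show run' displayed) matches nothing.
  * Addresses use Cisco wildcard masks: a 1 bit in the mask means don't care.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr falls inside network/wildcard (Cisco wildcard semantics)."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = 0xFFFFFFFF ^ w            # bits that must be equal
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"               # "tcp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One ACL entry: {permit|deny} {tcp|ip} SRC SRC_WC DST DST_WC [eq DPORT]."""
    permit: bool
    proto: str                       # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (wildcard_match(pkt.src, self.src, self.src_wc)
                and wildcard_match(pkt.dst, self.dst, self.dst_wc))


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE decides; falling off the end is an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.permit
    return False


MapEntry = Tuple[Optional[List[Ace]], str]   # (ACL or None, "drop"/"forward")


def vacl_action(access_map: List[MapEntry], pkt: Packet) -> str:
    """Return the action the access map applies to pkt."""
    for acl, action in access_map:
        if acl is not None and acl_permits(acl, pkt):
            return action
    return "drop"                    # no entry matched: implicit drop


def deny_tcp(src_net: str, dst_net: str, port: int) -> Ace:
    """deny tcp SRC 0.0.255.255 DST 0.0.0.255 eq PORT, masks exactly as posted."""
    return Ace(False, "tcp", src_net, "0.0.255.255", dst_net, "0.0.0.255", port)


# ip access-list VLAN2_DROP, as in the working configuration above.
VLAN2_DROP = [
    deny_tcp("192.168.2.0", "192.168.2.0", 23),
    deny_tcp("192.168.2.0", "192.168.2.0", 22),
    deny_tcp("192.168.3.0", "192.168.2.0", 23),
    deny_tcp("192.168.3.0", "192.168.2.0", 22),
    Ace(True, "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
# vlan access-map VLAN2_FILTER / match ip address VLAN2_DROP / action forward
VLAN2_FILTER_FIXED: List[MapEntry] = [(VLAN2_DROP, "forward")]
# What 'show run' displayed after the first attempt: action forward, no match.
VLAN2_FILTER_BROKEN: List[MapEntry] = [(None, "forward")]

# Constructed sample flows into VLAN 2 (not taken from the thread).
SAMPLE_FLOWS: Dict[str, Packet] = {
    "vlan3 telnet -> vlan2": Packet("192.168.3.10", "192.168.2.10", "tcp", 23),
    "vlan3 ssh    -> vlan2": Packet("192.168.3.10", "192.168.2.10", "tcp", 22),
    "vlan3 http   -> vlan2": Packet("192.168.3.10", "192.168.2.10", "tcp", 80),
    "vlan4 http   -> vlan2": Packet("192.168.4.10", "192.168.2.10", "tcp", 80),
    "vlan4 telnet -> vlan2": Packet("192.168.4.10", "192.168.2.10", "tcp", 23),
    "vlan2 icmp   -> vlan2": Packet("192.168.2.10", "192.168.2.20", "icmp"),
}


def evaluate(access_map: List[MapEntry]) -> Dict[str, str]:
    """Classify every sample flow under one access map."""
    return {name: vacl_action(access_map, pkt) for name, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, amap in (("broken", VLAN2_FILTER_BROKEN), ("fixed", VLAN2_FILTER_FIXED)):
        print(label)
        for name, verdict in evaluate(amap).items():
            print(f"  {name}: {verdict}")
```

Running the block prints every sample flow as "drop" under the match-less map and, under the working map, drops only the telnet/SSH flows while forwarding HTTP and ICMP. To narrow the deny entries to the intended source VLANs, the source wildcard would be 0.0.0.255 like the destination wildcard; the model accepts either mask, so the difference can be checked by editing deny_tcp.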

sbhadrav@cisco.com
Contributor

You can create or change a VACL. Creating a VACL includes creating an access map that associates an IP ACL or MAC ACL with an action to be applied to the matching traffic.

To create or change a VACL, perform this task:

SUMMARY STEPS

1. switch# configure terminal
2. switch(config)# vlan access-map map-name
3. switch(config-access-map)# match ip address ip-access-list
4. switch(config-access-map)# match mac address mac-access-list
5. switch(config-access-map)# action {drop | forward}
6. (Optional) switch(config-access-map)# [no] statistics
7. (Optional) switch(config-access-map)# show running-config
8. (Optional) switch(config-access-map)# copy running-config startup-config

DETAILED STEPS

Step 1: switch# configure terminal
    Enters configuration mode.

Step 2: switch(config)# vlan access-map map-name
    Enters access map configuration mode for the access map specified.

Step 3: switch(config-access-map)# match ip address ip-access-list
    Specifies an IPv4 and IPv6 ACL for the map.

Step 4: switch(config-access-map)# match mac address mac-access-list
    Specifies a MAC ACL for the map.

Step 5: switch(config-access-map)# action {drop | forward}
    Specifies the action that the switch applies to traffic that matches the ACL.

Step 6 (Optional): switch(config-access-map)# [no] statistics
    Specifies that the switch maintains global statistics for packets matching the rules in the VACL.
    The no option stops the switch from maintaining global statistics for the VACL.

Step 7 (Optional): switch(config-access-map)# show running-config
    Displays the ACL configuration.

Step 8 (Optional): switch(config-access-map)# copy running-config startup-config
    Copies the running configuration to the startup configuration.