12-03-2013 05:32 PM - edited 03-10-2019 12:09 AM
Dear expert,
I have a problem when trying to implement an access-map on my Nexus 5500.
I have 2 Nexus switches with vPC, and some VLANs:
VLAN 2 with 192.168.2.x/24
VLAN 3 with 192.168.3.x/24
VLAN 4 with 192.168.4.x/24
VLAN 5 with 192.168.5.x/24
I want members of VLAN 2 and VLAN 3 to not be able to access each other with telnet and ssh; all other traffic is forwarded.
This is my configuration:
#########################################################
ip access-list VLAN2_DROP
permit tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
permit tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
permit tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
permit tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
vlan access-map VLAN2_FILTER
match ip address VLAN2_DROP
action drop
vlan access-map VLAN2_FILTER
action forward
vlan filter VLAN2_FILTER vlan-list 2
ip access-list VLAN3_DROP
permit tcp 192.168.3.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 23
permit tcp 192.168.3.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 22
permit tcp 192.168.2.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 23
permit tcp 192.168.2.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 22
vlan access-map VLAN3_FILTER
match ip address VLAN3_DROP
action drop
vlan access-map VLAN3_FILTER
action forward
vlan filter VLAN3_FILTER vlan-list 3
#########################################################
But the problem is that the connection to VLAN 2 and VLAN 3 is dropped (connection lost, RTO), and
the other VLANs (VLAN 4 and 5) can't access VLAN 2 and 3 either (connection lost, RTO).
When I do a show run on my Nexus,
I find the result looks like this:
#
vlan access-map VLAN2_FILTER
action forward
vlan access-map VLAN3_FILTER
action forward
#
Based on the result of show run, the traffic should be fine and the connection still up, because the DROP policy has been replaced by FORWARD,
but in fact the traffic is down.
Can anyone help me?
Thanks!!
12-25-2013 06:32 PM
I will answer my own question.
The right configuration is:
ip access-list VLAN2_DROP
deny tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
deny tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
deny tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
deny tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
permit ip any any
vlan access-map VLAN2_FILTER
match ip address VLAN2_DROP
action forward
exit
vlan filter VLAN2_FILTER vlan-list 2
ip access-list VLAN3_DROP
deny tcp 192.168.3.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 23
deny tcp 192.168.3.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 22
deny tcp 192.168.2.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 23
deny tcp 192.168.2.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 22
permit ip any any
vlan access-map VLAN3_FILTER
match ip address VLAN3_DROP
action forward
exit
vlan filter VLAN3_FILTER vlan-list 3
I hope this helps!!
Thanks,
04-23-2018 09:46 PM
You can create or change a VACL. Creating a VACL includes creating an access map that associates an IP ACL or MAC ACL with an action to be applied to the matching traffic.
To create or change a VACL, perform this task:
SUMMARY STEPS
1. switch# configure terminal
2. switch(config)# vlan access-map map-name
3. switch(config-access-map)# match ip address ip-access-list
4. switch(config-access-map)# match mac address mac-access-list
5. switch(config-access-map)# action {drop | forward}
6. (Optional) switch(config-access-map)# [no] statistics
7. (Optional) switch(config-access-map)# show running-config
8. (Optional) switch(config-access-map)# copy running-config startup-config
DETAILED STEPS
Command or Action Purpose
Step 1 switch# configure terminal
Enters configuration mode.
Step 2 switch(config)# vlan access-map map-name
Enters access map configuration mode for the access map specified.
Step 3 switch(config-access-map)# match ip address ip-access-list
Specifies an IPv4 and IPv6 ACL for the map.
Step 4 switch(config-access-map)# match mac address mac-access-list
Specifies a MAC ACL for the map.
Step 5 switch(config-access-map)# action {drop | forward}
Specifies the action that the switch applies to traffic that matches the ACL.
Step 6 switch(config-access-map)# [no] statistics
(Optional)
Specifies that the switch maintains global statistics for packets matching the rules in the VACL.
The no option stops the switch from maintaining global statistics for the VACL.
Step 7 switch(config-access-map)# show running-config
(Optional)
Displays ACL configuration.
Step 8 switch(config-access-map)# copy running-config startup-config
(Optional)
Copies the running configuration to the startup configuration.
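To make the difference between the two configurations in this thread concrete, here is a small Python model of VACL evaluation. It is an added example, not Cisco code or NX-OS output, and it assumes the usual VACL semantics rather than anything stated on the page: clauses are tried in sequence order; a clause matches when its IP ACL permits the packet (an ACL deny, or no matching ACL entry, means "try the next clause"); a clause with no match statement matches everything; a packet matching no clause is dropped; and re-entering `vlan access-map NAME` without a sequence number re-opens clause 10, which is what the original poster's `show run` output suggests. The two configuration strings are constructed copies of the VLAN 2 parts of the first and second posts. Note that the `0.0.255.255` source wildcard in those deny lines covers every 192.168.x.x source, so under this model VLAN 4 hosts also lose telnet/ssh to VLAN 2; replacing it with `0.0.0.255` limits the block to VLAN 2 and 3 sources as the post intends.

```python
"""Model of Cisco VACL (vlan access-map) evaluation. Constructed example for
the thread above; not Cisco code. The clause semantics, the default sequence
number 10 and the default action 'forward' are assumptions, not taken from
the page."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Corrected VLAN 2 configuration from the second post (constructed copy).
FIXED_VLAN2 = """
ip access-list VLAN2_DROP
deny tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
deny tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
deny tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
deny tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
permit ip any any
vlan access-map VLAN2_FILTER
match ip address VLAN2_DROP
action forward
exit
vlan filter VLAN2_FILTER vlan-list 2
"""

# Original (broken) VLAN 2 configuration from the first post (constructed copy).
BROKEN_VLAN2 = """
ip access-list VLAN2_DROP
permit tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
permit tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
permit tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
permit tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
vlan access-map VLAN2_FILTER
match ip address VLAN2_DROP
action drop
vlan access-map VLAN2_FILTER
action forward
vlan filter VLAN2_FILTER vlan-list 2
"""

@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" or "tcp"
    src: tuple             # (network, wildcard) as 32-bit ints
    dst: tuple
    dport: Optional[int]   # "eq <port>", or None when no port is given

def _parse_addr(tok, i):
    """Parse 'any' or '<network> <wildcard>' at tok[i]; return ((net, wild), next_i)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    net, wild = (int(ipaddress.IPv4Address(x)) for x in tok[i:i + 2])
    return (net, wild), i + 2

def _addr_matches(rule, addr):
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    net, wild = rule
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def parse_config(text):
    """Parse the subset of NX-OS config used in the thread into (acls, maps, filters)."""
    acls, maps, filters = {}, {}, {}
    cur_acl = cur_clause = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "access-list"]:
            cur_acl, cur_clause = acls.setdefault(t[2], []), None
        elif t[0] in ("permit", "deny") and cur_acl is not None:
            src, i = _parse_addr(t, 2)
            dst, i = _parse_addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cur_acl.append(AclEntry(t[0], t[1], src, dst, port))
        elif t[:2] == ["vlan", "access-map"]:
            seq = int(t[3]) if len(t) > 3 else 10  # assumption: no sequence given -> clause 10
            cur_clause = maps.setdefault(t[2], {}).setdefault(seq, {"acl": None, "action": "forward"})
            cur_acl = None
        elif t[:3] == ["match", "ip", "address"] and cur_clause is not None:
            cur_clause["acl"] = t[3]
        elif t[0] == "action" and cur_clause is not None:
            cur_clause["action"] = t[1]
        elif t[:2] == ["vlan", "filter"]:  # vlan filter <map> vlan-list <list>
            for v in t[4].split(","):
                filters[int(v)] = t[2]
        elif t[0] == "exit":
            cur_acl = cur_clause = None
    return acls, maps, filters

def acl_permits(entries, pkt):
    """First matching entry decides; no matching entry is an implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt["proto"]):
            continue
        if not (_addr_matches(e.src, pkt["src"]) and _addr_matches(e.dst, pkt["dst"])):
            continue
        if e.dport is not None and e.dport != pkt.get("dport"):
            continue
        return e.action == "permit"
    return False

def vacl_decide(cfg, vlan, pkt):
    """Return 'forward' or 'drop' for a packet on the given VLAN."""
    acls, maps, filters = cfg
    if vlan not in filters:
        return "forward"  # no VACL applied to this VLAN
    for _seq, clause in sorted(maps[filters[vlan]].items()):
        if clause["acl"] is None or acl_permits(acls[clause["acl"]], pkt):
            return clause["action"]
    return "drop"  # implicit deny at the end of the VACL

def pkt(src, dst, dport):
    """Build a constructed TCP packet description."""
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport}

if __name__ == "__main__":
    fixed, broken = parse_config(FIXED_VLAN2), parse_config(BROKEN_VLAN2)
    print("fixed, ssh VLAN3->VLAN2 :", vacl_decide(fixed, 2, pkt("192.168.3.10", "192.168.2.20", 22)))
    print("fixed, http VLAN3->VLAN2:", vacl_decide(fixed, 2, pkt("192.168.3.10", "192.168.2.20", 80)))
    print("fixed, ssh VLAN4->VLAN2 :", vacl_decide(fixed, 2, pkt("192.168.4.10", "192.168.2.20", 22)))
    print("broken, http VLAN3->VLAN2:", vacl_decide(broken, 2, pkt("192.168.3.10", "192.168.2.20", 80)))
```

Running the model on the broken configuration shows why everything except the "permitted" telnet/ssh flows died: the ACL only has permit entries, so only telnet and ssh match the clause, and the second `action forward` overwrote the `drop` on that same clause; every other packet matches no clause and hits the implicit deny. In the corrected configuration, the deny entries keep telnet/ssh from matching the clause (so they fall to the implicit deny), while `permit ip any any` lets everything else match the single `action forward` clause.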