Nexus 3k route ACL on L3 interface

YFZH (Level 1)

I'm testing ACL on nexus 3k switches. Very simple setup. Two switches, R1 and R2. Linked with each other over their layer3 interfaces Eth1/1.
Trying to use ACL r1r2 to block the traffic from R1 loopback1 to R2 loopback2 without any luck. No hit showing on the ACL counter. Any ideas are appreciated!


Config as follows:
R1:

ip route 0.0.0.0/0 12.12.12.2
interface Ethernet1/1
  no switchport
  ip address 12.12.12.1/24
  no shutdown
!
interface loopback1
  ip address 1.1.1.1/32

R2:

interface Ethernet1/1
  no switchport
  ip access-group r1r2 in
  ip address 12.12.12.2/24
  no shutdown
!
interface loopback2
  ip address 2.2.2.2/32
!
ip route 0.0.0.0/0 12.12.12.1
!
ip access-list r1r2
  statistics per-entry
  10 deny ip 1.1.1.1/32 2.2.2.2/32
  100 permit ip any any
!

Tried a reboot and attaching log to the ACL entry. Not seeing any changes. R1 loop1 can still ping R2 loop2; the ACL on R2 has no hits, no log.

R1# ping 2.2.2.2 source 1.1.1.1
PING 2.2.2.2 (2.2.2.2) from 1.1.1.1: 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=254 time=3.382 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=254 time=2.666 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=254 time=2.639 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=254 time=2.494 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=254 time=2.526 ms

--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 2.494/2.741/3.382 ms
R1# 
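Added example, not part of the original post: a small Python model of how NX-OS evaluates the r1r2 ACL as configured above (first match in sequence order, implicit deny at the end), run against the ping test in the post. It makes explicit what the per-entry counters should have shown: every echo request from 1.1.1.1 to 2.2.2.2 arriving inbound on R2 Eth1/1 should match entry 10, and only that direction is subject to the inbound ACL (the echo replies leave R2 and never pass the inbound lookup). The packet list, the function names and the small parser are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ACL exactly as configured on R2 in the post.
ACL_R1R2 = """\
ip access-list r1r2
  statistics per-entry
  10 deny ip 1.1.1.1/32 2.2.2.2/32
  100 permit ip any any
"""

@dataclass
class Ace:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "icmp", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _take_net(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one NX-OS address operand: 'any', 'host A.B.C.D' or 'A.B.C.D/len'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok, strict=False), i + 1

def parse_acl(text: str) -> List[Ace]:
    """Parse the L3 entries of an 'ip access-list' block into sequence order.
    Only the '<seq> <permit|deny> <proto> <src> <dst>' form is handled here;
    L4 port qualifiers are ignored and non-entry lines are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].isdigit():
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _take_net(tokens, 3)
        dst, _ = _take_net(tokens, i)
        aces.append(Ace(seq, action, proto, src, dst))
    return sorted(aces, key=lambda a: a.seq)

def evaluate(aces: List[Ace], proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match lookup.  Returns (action, seq); the implicit deny at the
    end of every NX-OS ACL is reported with seq None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst:
            return ace.action, ace.seq
    return "deny", None

def expected_hits(aces: List[Ace], packets: List[Tuple[str, str, str]]) -> Dict[int, int]:
    """Per-entry counters that 'statistics per-entry' should show after these
    packets crossed the interface in the direction the ACL is applied."""
    hits = {ace.seq: 0 for ace in aces}
    for proto, src, dst in packets:
        _, seq = evaluate(aces, proto, src, dst)
        if seq is not None:
            hits[seq] += 1
    return hits

# Constructed traffic for the post's test: five ICMP echo requests from R1
# loopback1 to R2 loopback2.  Only this direction enters R2 Eth1/1, so only
# these packets are subject to 'ip access-group r1r2 in'; the echo replies
# (2.2.2.2 -> 1.1.1.1) leave R2 and never touch the inbound ACL.
R2_ETH1_1_INGRESS = [("icmp", "1.1.1.1", "2.2.2.2")] * 5

if __name__ == "__main__":
    aces = parse_acl(ACL_R1R2)
    print(evaluate(aces, "icmp", "1.1.1.1", "2.2.2.2"))      # ('deny', 10)
    print(evaluate(aces, "icmp", "12.12.12.1", "2.2.2.2"))   # ('permit', 100)
    print(expected_hits(aces, R2_ETH1_1_INGRESS))             # {10: 5, 100: 0}
```

With the ACL evaluated as written, the five echo requests land on entry 10 and nothing lands on entry 100, so a ping that succeeds with zero hits on both entries means the packets are not being matched against the ACL at all, which is a different symptom from a wrong match.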

 

20 Replies

Hi Peter, thanks for checking this.
The information above was in CML, so it is virtual. Used N9Kv in the lab. Tried attaching the ACL to an SVI and it doesn't do anything either, which makes me think it could be some issue with the virtual lab itself. This is all about fixing the ACL problem in our production. Tested this again on our real physical environment, a bit different compared with the lab, and we saw some hits, but it didn't block the traffic.
N3K-C3048TP-1GE, Version 7.0(3)I7(7).
The command show hardware access-list tcam region isn't supported on the switch.
And show hardware access-list interface ex/x input entries detail gives the details of the ACL with some hits. Sorry, I had to replace the real IPs for security reasons. But as you can see the second deny entry got 8 hits.
R2# show hardware access-list interface e1/47 input entries detail

slot  1
=======


Flags: F - Fragment entry  E - Port Expansion
       D - DSCP Expansion  M - ACL Expansion
       T - Cross Feature Merge Expansion
       N - NS Transit  B - BCM Expansion  C - COPP


INSTANCE 0x0
---------------

  Tcam 2 resource usage:
  ----------------------
  LBL C = 0x1
   Bank 0
   ------
     IPv4 Class
       Policies: RACL(ACL_V4_INTERNET_IN) 
       Netflow profile: 0
       Netflow deny profile: 0
       Entries: 
         [Index] Entry [Stats]
         ---------------------
  [0x0000:0x0014:0x0014] deny ip $ipaddr $ipaddr   [0]
  [0x0001:0x0015:0x0015] deny ip $ipaddr $ipaddr   [8]
  [0x0002:0x0016:0x0016] permit ip $ipaddr $ipaddr   [0]
  [0x0003:0x0017:0x0017] permit ip $ipaddr $ipaddr   [0]
  [0x0004:0x0018:0x0018] permit ip $ipaddr $ipaddr   [0]
  [0x0005:0x0019:0x0019] permit ip $ipaddr $ipaddr   [0]
  [0x0006:0x001a:0x001a] permit ip $ipaddr $ipaddr   [0]


 

R2# show hardware access-list

slot  1
=======

                VDC-1 Ethernet1/47 :
                ====================
Policies in ingress direction:
         Policy type              Policy Id      Policy name
------------------------------------------------------------
    RACL                               6          ACL_V4_INTERNET_IN

No Netflow profiles in ingress direction


INSTANCE 0x0
---------------

  Tcam 2 resource usage:
  ----------------------
   LBL C = 0x1
   Bank 0
   ------
     IPv4 Class
       Policies:  RACL(ACL_V4_INTERNET_IN)
       Netflow profile: 0
       Netflow deny profile: 0
       214 tcam entries

   0 l4 protocol cam entries
   0 mac etype/proto cam entries
   0 lous
   0 tcp flags table entries
   0 adjacency entries

No egress policies
No Netflow profiles in egress direction
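Added example, not part of the reply above: a Python parser for the `show hardware access-list interface ... input entries detail` output, which pulls out the RACL name programmed in TCAM and the per-entry hit counters so they can be compared with what the configured ACL is expected to match. The sample output is constructed to mirror the sanitised listing in the reply (the poster replaced real addresses with $ipaddr, so the match fields carry that token); the regexes and function names are assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the sanitised output in the reply above.
SAMPLE_OUTPUT = """\
slot  1
=======

Flags: F - Fragment entry  E - Port Expansion
       D - DSCP Expansion  M - ACL Expansion

INSTANCE 0x0
---------------

  Tcam 2 resource usage:
  ----------------------
  LBL C = 0x1
   Bank 0
   ------
     IPv4 Class
       Policies: RACL(ACL_V4_INTERNET_IN)
       Netflow profile: 0
       Netflow deny profile: 0
       Entries:
         [Index] Entry [Stats]
         ---------------------
  [0x0000:0x0014:0x0014] deny ip $ipaddr $ipaddr   [0]
  [0x0001:0x0015:0x0015] deny ip $ipaddr $ipaddr   [8]
  [0x0002:0x0016:0x0016] permit ip $ipaddr $ipaddr   [0]
  [0x0003:0x0017:0x0017] permit ip $ipaddr $ipaddr   [0]
"""

# One programmed entry: [index:ptr:ptr] <permit|deny> <match fields>   [hits]
ENTRY_RE = re.compile(
    r"^\s*\[(?P<index>0x[0-9a-fA-F]+):0x[0-9a-fA-F]+:0x[0-9a-fA-F]+\]\s+"
    r"(?P<action>permit|deny)\s+(?P<match>.+?)\s+\[(?P<hits>\d+)\]\s*$"
)
POLICY_RE = re.compile(r"Policies:\s*(?P<kind>\w+)\((?P<name>[^)]+)\)")

def parse_tcam_entries(output: str) -> List[Dict]:
    """Return the programmed entries in TCAM order with their hit counters."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "index": int(m["index"], 16),
                "action": m["action"],
                "match": m["match"],
                "hits": int(m["hits"]),
            })
    return entries

def policy_name(output: str) -> str:
    """Name of the policy (e.g. RACL) that is actually programmed for the port."""
    m = POLICY_RE.search(output)
    return m["name"] if m else ""

def hit_summary(entries: List[Dict]) -> Dict[str, object]:
    """The three things worth checking: how many entries are in hardware,
    which of them are being hit, and whether any deny entry sees traffic."""
    hit = [e for e in entries if e["hits"] > 0]
    return {
        "programmed": len(entries),
        "hit_indexes": [e["index"] for e in hit],
        "deny_hits": sum(e["hits"] for e in hit if e["action"] == "deny"),
        "permit_hits": sum(e["hits"] for e in hit if e["action"] == "permit"),
    }

if __name__ == "__main__":
    entries = parse_tcam_entries(SAMPLE_OUTPUT)
    print(policy_name(SAMPLE_OUTPUT), hit_summary(entries))
```

The check reads the same way on either box: if the policy name is present and a deny entry carries hits while the traffic still gets through, the ACL is being programmed and matched, and the counters are the evidence to attach to a case; if no entry carries hits at all, the traffic is not reaching the lookup.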

Firstly, let's divide the issue into two.

Lab: I already mentioned this does not work in my lab either.

For the real network, N3K ACL: I saw the same issue previously. Send the exact N3K platform you have and let me check.

https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/platform/platform.html

N3K-C3048TP-1GE, Version 7.0(3)I7(7).

This platform doesn't support some ACL check matrix.

Thanks. Unfortunately our hardware is N3K, and it doesn't seem to have the hardware access-list tcam option.

Hello,
you don't seem to have applied the ACL to the routed interface of R2.

Also, when you do, apply the ACL outbound and test again.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul