07-25-2023 08:41 PM
I'm testing ACL on nexus 3k switches. Very simple setup. Two switches, R1 and R2. Linked with each other over their layer3 interfaces Eth1/1.
Trying to use ACL r1r2 to block the traffic from R1 loopback1 to R2 loopback2 without any luck. No hit showing on the ACL counter. Any ideas are appreciated!
Config as follows:
R1:
ip route 0.0.0.0/0 12.12.12.2
interface Ethernet1/1
  no switchport
  ip address 12.12.12.1/24
  no shutdown
!
interface loopback1
  ip address 1.1.1.1/32
R2:
interface Ethernet1/1
  no switchport
  ip access-group r1r2 in
  ip address 12.12.12.2/24
  no shutdown
!
interface loopback2
  ip address 2.2.2.2/32
!
ip route 0.0.0.0/0 12.12.12.1
!
ip access-list r1r2
  statistics per-entry
  10 deny ip 1.1.1.1/32 2.2.2.2/32
  100 permit ip any any
!
Tried a reboot and attaching log to the ACL entry. Not seeing any changes. R1 loop1 can still ping R2 loop2, the ACL on R2 has no hits, no log.
R1# ping 2.2.2.2 source 1.1.1.1
PING 2.2.2.2 (2.2.2.2) from 1.1.1.1: 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=254 time=3.382 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=254 time=2.666 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=254 time=2.639 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=254 time=2.494 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=254 time=2.526 ms

--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 2.494/2.741/3.382 ms
R1#
07-26-2023 08:26 PM - last edited on 08-07-2023 10:48 PM by Translator
N9Kv in the lab. Tried attaching the ACL to the SVI and it doesn't do anything either, which makes me think it could be some issue with the virtual lab itself. This is all about fixing the ACL problem in our production. Tested this again on our real physical environment, which is a bit different compared with the lab; we saw some hits, but it didn't block the traffic.
show hardware access-list tcam region isn't supported on the switch.
show hardware access-list interface ex/x input entries detail gives the details of the ACL with some hits. Sorry, I had to replace the real IPs for security reasons. But as you can see, the second deny entry got 8 hits.
R2# show hardware access-list interface e1/47 input entries detail

slot  1
=======

Flags: F - Fragment entry  E - Port Expansion  D - DSCP Expansion
       M - ACL Expansion  T - Cross Feature Merge Expansion
       N - NS Transit  B - BCM Expansion  C - COPP

INSTANCE 0x0
---------------

Tcam 2 resource usage:
----------------------
LBL C = 0x1
  Bank 0
  ------
    IPv4 Class
      Policies: RACL(ACL_V4_INTERNET_IN)
      Netflow profile: 0
      Netflow deny profile: 0
      Entries:
        [Index] Entry [Stats]
        ---------------------
        [0x0000:0x0014:0x0014] deny ip $ipaddr $ipaddr  [0]
        [0x0001:0x0015:0x0015] deny ip $ipaddr $ipaddr  [8]
        [0x0002:0x0016:0x0016] permit ip $ipaddr $ipaddr  [0]
        [0x0003:0x0017:0x0017] permit ip $ipaddr $ipaddr  [0]
        [0x0004:0x0018:0x0018] permit ip $ipaddr $ipaddr  [0]
        [0x0005:0x0019:0x0019] permit ip $ipaddr $ipaddr  [0]
        [0x0006:0x001a:0x001a] permit ip $ipaddr $ipaddr  [0]
R2# show hardware access-list

slot  1
=======

VDC-1 Ethernet1/47 :
====================

Policies in ingress direction:
        Policy type       Policy Id  Policy name
        ------------------------------------------------------------
        RACL              6          ACL_V4_INTERNET_IN

No Netflow profiles in ingress direction

INSTANCE 0x0
---------------

Tcam 2 resource usage:
----------------------
LBL C = 0x1
  Bank 0
  ------
    IPv4 Class
      Policies: RACL(ACL_V4_INTERNET_IN)
      Netflow profile: 0
      Netflow deny profile: 0
      214 tcam entries
      0 l4 protocol cam entries
      0 mac etype/proto cam entries
      0 lous
      0 tcp flags table entries
      0 adjacency entries

No egress policies
No Netflow profiles in egress direction
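Two things a practitioner wants to pin down when reading the posts above: what the ACL as written should do to the flow 1.1.1.1 -> 2.2.2.2 (sequential first match, so sequence 10 deny), and which programmed TCAM entries are actually accumulating hits. The script below is an added example, not code from the original thread or from Cisco; it parses the r1r2 ACL exactly as posted and a constructed snippet in the shape of the show hardware access-list ... input entries detail output (with the $ipaddr redactions kept), then reports the expected first match and the entries with non-zero counters. It handles only any/host/prefix sources and destinations; ACEs with L4 qualifiers are skipped, which is an assumption noted in the code.

```python
"""Added example: evaluate an NX-OS style IPv4 ACL against a flow and extract
per-entry hit counters from 'show hardware access-list ... entries detail'
output. Not from the original thread; sample texts below are constructed."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: the r1r2 ACL from the original post, as it would appear
# under 'show running-config aclmgr'.
ACL_CONFIG = """
ip access-list r1r2
  statistics per-entry
  10 deny ip 1.1.1.1/32 2.2.2.2/32
  100 permit ip any any
"""

# Constructed sample shaped like the hardware output in the thread, with the
# poster's $ipaddr redactions kept as literal text.
HW_OUTPUT = """
        [Index] Entry [Stats]
        ---------------------
        [0x0000:0x0014:0x0014] deny ip $ipaddr $ipaddr  [0]
        [0x0001:0x0015:0x0015] deny ip $ipaddr $ipaddr  [8]
        [0x0002:0x0016:0x0016] permit ip $ipaddr $ipaddr  [0]
"""

# Assumption: only 'any', 'host a.b.c.d' and prefix notation are handled.
# ACEs carrying L4 qualifiers (eq 22, established, ...) will not match and are skipped.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+)\s+(?P<dst>any|host\s+\S+|\S+)\s*$"
)
# [tcam_index:...] <ace text> [hits]
HW_RE = re.compile(
    r"^\s*\[(?P<idx>0x[0-9a-fA-F]+):[^\]]*\]\s+(?P<ace>.*?)\s+\[(?P<hits>\d+)\]\s*$"
)

Ace = Tuple[int, str, str, str, str]  # (seq, action, proto, src, dst)


def parse_acl(text: str) -> List[Ace]:
    """Return the ACEs in sequence order; non-ACE lines (name, statistics) are ignored."""
    entries: List[Ace] = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append((int(m["seq"]), m["action"], m["proto"], m["src"], m["dst"]))
    return sorted(entries)


def _net(spec: str) -> ipaddress.IPv4Network:
    """Translate an NX-OS address operand into a network object."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host"):
        spec = spec.split()[1] + "/32"
    return ipaddress.IPv4Network(spec, strict=False)


def first_match(entries: List[Ace], src_ip: str, dst_ip: str,
                proto: str = "ip") -> Optional[Tuple[int, str]]:
    """Sequential first-match semantics. Returns (seq, action), or None for the
    implicit deny when no ACE matches."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for seq, action, p, src, dst in entries:
        if p != "ip" and p != proto:   # 'ip' matches every protocol
            continue
        if s in _net(src) and d in _net(dst):
            return seq, action
    return None


def hw_hits(text: str) -> List[Tuple[str, str, int]]:
    """Return (tcam_index, ace_text, hits) for every programmed entry found."""
    rows = []
    for line in text.splitlines():
        m = HW_RE.match(line)
        if m:
            rows.append((m["idx"], m["ace"], int(m["hits"])))
    return rows


def entries_with_hits(text: str) -> List[Tuple[str, str, int]]:
    """Only the TCAM entries whose counter has moved."""
    return [row for row in hw_hits(text) if row[2] > 0]


if __name__ == "__main__":
    acl = parse_acl(ACL_CONFIG)
    print("expected first match for 1.1.1.1 -> 2.2.2.2:", first_match(acl, "1.1.1.1", "2.2.2.2"))
    print("expected first match for 12.12.12.1 -> 12.12.12.2:", first_match(acl, "12.12.12.1", "12.12.12.2"))
    for idx, ace, hits in entries_with_hits(HW_OUTPUT):
        print(f"TCAM {idx}: '{ace}' has {hits} hits")
```

Run it against a saved copy of the two show commands: if first_match says the flow should hit a deny but the counter that moves belongs to a different entry (or none moves at all), the ACL is not applied where the flow enters, or the hardware programming differs from the configuration, which is exactly the distinction the thread is trying to draw.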
07-27-2023 05:58 AM
Firstly, let us divide the issue into two:
Lab: I already mentioned this doesn't work in my lab either.
For the real network N3K ACL, I saw the same issue previously. Send the exact N3K platform you have and let me check.
07-27-2023 10:29 AM
https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/platform/platform.html
N3K-C3048TP-1GE, Version 7.0(3)I7(7).
This platform doesn't support some ACL check matrix.
07-26-2023 02:13 AM
07-26-2023 08:29 PM - last edited on 08-07-2023 10:49 PM by Translator
Thanks. Unfortunately our hardware is N3K; it seems it doesn't have the hardware access-list tcam option.
07-26-2023 10:44 PM
Hello
You don't seem to have applied the ACL to the routed interface of R2.
Also, when you do, apply the ACL outbound and test again.