Nexus switches access list question

tinhnho123 (Level 2)

Hi Guys,

I have 2 pairs of Nexus switches, one pair at each location. The two locations are connected by 2 x layer 3 links, as shown in the diagram.

I configured EIGRP routing for both sites for these 2 pairs. The EIGRP routing works; my question is, how do I allow VLAN 2 (Site 1) to talk to VLAN 3 (Site 2) only, and vice versa, so that no other VLANs can talk to them?

I did the below, and it doesn't work. I created an ACL below and applied it to interface vlan 2 on both switches of site 1 and interface vlan 3 of both switches of site 2.

Site 1's switch A and B:

ip access-list 2and3
  5 permit ip 192.168.2.0 0.0.0.255 any
  10 permit ip 192.168.3.0 0.0.0.255 any
  15 deny ip any any log

int vlan 2
  ip access-group 2and3 in

Site 2's switch A and B:

ip access-list 2and3
  5 permit ip 192.168.2.0 0.0.0.255 any
  10 permit ip 192.168.3.0 0.0.0.255 any
  15 deny ip any any log

int vlan 3
  ip access-group 2and3 in

Any suggestions?

Thanks.
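As an added example (not part of the original post), the following Python models NX-OS first-match ACL evaluation, including the implicit deny at the end of every IP ACL, and runs the ACL from the post alongside a tighter alternative against a few constructed flows. The 192.168.4.0/24 subnet (a third VLAN at Site 1), the flow addresses and the ACL name vlan2-to-vlan3-only are assumptions made for the example.

```python
"""Model NX-OS IP ACL evaluation for the VLAN 2 <-> VLAN 3 question (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one address field at tokens[i]: 'any', 'host A', 'A/len' or
    'A WILDCARD' (the wildcard-mask form used in the post). Returns (net, next i)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if "/" in tok:
        return ipaddress.ip_network(tok, strict=False), i + 1
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    if wildcard != (1 << wildcard.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard mask {tokens[i + 1]}")
    prefixlen = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tok}/{prefixlen}", strict=False), i + 2


def parse_acl(text):
    """Parse the body of an 'ip access-list NAME' block into ACEs ordered by sequence."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue                  # 'ip access-list ...' header or blank line
        seq, action = int(tokens[0]), tokens[1]
        if action not in ("permit", "deny") or tokens[2] != "ip":
            raise ValueError(f"unsupported ACE: {line.strip()}")
        src, i = _parse_addr(tokens, 3)
        dst, _ = _parse_addr(tokens, i)      # a trailing 'log' keyword is ignored
        aces.append(Ace(seq, action, src, dst))
    return sorted(aces, key=lambda a: a.seq)


def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation with the implicit 'deny ip any any' NX-OS appends.
    Returns (action, sequence number of the matching ACE, or None for the implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action, ace.seq
    return "deny", None


# The ACL exactly as posted, applied 'in' on interface vlan 2 at Site 1.
ORIGINAL_ACL = """
ip access-list 2and3
  5 permit ip 192.168.2.0 0.0.0.255 any
  10 permit ip 192.168.3.0 0.0.0.255 any
  15 deny ip any any log
"""

# Assumed alternative: an ingress ACL for interface vlan 2 that names the
# destination, so VLAN 2 hosts can only reach VLAN 3 (mirror it on vlan 3).
RESTRICTED_ACL = """
ip access-list vlan2-to-vlan3-only
  10 permit ip 192.168.2.0/24 192.168.3.0/24
  20 deny ip any any log
"""

# Constructed flows; 192.168.4.0/24 is an assumed third VLAN at Site 1.
FLOWS = {
    "vlan2->vlan3": ("192.168.2.10", "192.168.3.10"),
    "vlan2->vlan4": ("192.168.2.10", "192.168.4.10"),
    "vlan3->vlan2": ("192.168.3.10", "192.168.2.10"),
    "vlan4->vlan2": ("192.168.4.10", "192.168.2.10"),
}


def compare():
    """Evaluate each flow against both ACLs; returns {flow: (original, restricted)}."""
    orig, fixed = parse_acl(ORIGINAL_ACL), parse_acl(RESTRICTED_ACL)
    return {name: (evaluate(orig, s, d)[0], evaluate(fixed, s, d)[0])
            for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:12} original={before:7} restricted={after}")
```

Read as an ingress ACL on interface vlan 2, the posted ACL permits every flow sourced from 192.168.2.0/24 whatever the destination, because both permit entries use any as the destination; the restricted ACL closes that by naming the destination subnet. Direction matters as much as the entries: an in RACL on SVI 2 only sees packets arriving from VLAN 2 hosts, while packets from other VLANs toward VLAN 2 enter the switch on their own SVIs and are only seen by an ACL applied out on SVI 2 (or in on those other SVIs). Evaluated in that egress role, the posted ACL permits vlan3->vlan2 and denies vlan4->vlan2 at sequence 15, which is the intended behaviour.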

21 Replies

Hello


@tinhnho123 wrote:

Site1's A & B use vPC, Site 2's A & B use vPC. These switches are running vPC between them. 


So it's L3 between the sites, correct? If so, you need to apply an EIGRP filter:

Site1
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 2 permit 192.168.7.0 0.0.0.255

router eigrp 50
distance 255 <eigrp RID site2> 0.0.0.0 2


Site2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.6.0 0.0.0.255

router eigrp 50
distance 255 <eigrp RID site1> 0.0.0.0 1


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes, these are 2 x layer 3 links between the 2 sites.

1st layer 3 link is between Site1-sw-A and Site2-sw-A.

2nd layer 3 link is between Site1-sw-B and Site2-sw-B.

What do these commands 'distance 255 <eigrp RID site1> 0.0.0.0 2' and 'distance 255 <eigrp RID site2> 0.0.0.0 3' do?

Hello


@tinhnho123 wrote:

Yes, these are 2 x layer 3 links between the 2 sites.
1st layer 3 link is between Site1-sw-A and Site2-sw-A.
2nd layer 3 link is between Site1-sw-B and Site2-sw-B.
What do these commands 'distance 255 <eigrp RID site1> 0.0.0.0 2' and 'distance 255 <eigrp RID site2> 0.0.0.0 3' do?


The router ID (RID) is the IP address identifying the adjacent EIGRP router, so with this filtering you are specifying the EIGRP RID and then filtering the subnets you do not wish to communicate between sites.

The distance command applies an administrative distance to whatever prefix(es)/subnet(s) are matched by the access-list, and a distance of 255 means it is unreachable, so it is not advertised.

Please be aware that as/when you apply the EIGRP filter to the router process, the adjacency(s) WILL flap.

Additionally, you will apply a RACL locally at each site to the SVI interface to stop it communicating locally with its local subnets.

See attached file.


Kind Regards
Paul

Finally I succeeded. The issue was the direction of the ACL: instead of using IN we must use OUT.
deny ip any any
[Attached screenshots: Screenshot (210).png, Screenshot (211).png, Screenshot (212).png, Screenshot (213).png]

The Nexus switches don't allow me to use 'out' on the command 'ip access-group'. Thanks for the clarification. This is helpful.

In my lab I use NSK9K v; what exactly is your NSK platform number?

MHM
