Nexus switches access list question

tinhnho123 (Level 2)

Hi Guys,

I have 2 pairs of Nexus switches, each pair at each location. They connect between 2 locations with 2 x layer 3 links, as shown in the diagram.

I configured EIGRP routing for both sites for these 2 pairs. The EIGRP routing works; my question is, how do I allow VLAN 2 (Site 1) to talk to VLAN 3 (Site 2) only and vice versa, and no other VLANs can talk to them?

I did the below, and it doesn't work. I created an ACL below and applied it to interface vlan 2 on both switches of site 1 and interface vlan 3 of both switches of site 2.

Site 1's switch A and B:

ip access-list 2and3
      5 permit ip 192.168.2.0 0.0.0.255 any
    10 permit ip 192.168.3.0 0.0.0.255 any
    15 deny ip any any log

int vlan 2
   ip access-group 2and3 in

Site 2's switch A and B:

ip access-list 2and3
      5 permit ip 192.168.2.0 0.0.0.255 any
    10 permit ip 192.168.3.0 0.0.0.255 any
    15 deny ip any any log

int vlan 3
   ip access-group 2and3 in

 

Any suggestions?

Thanks.

2 Accepted Solutions

Giuseppe Larosa (Hall of Fame)

Hello @tinhnho123 ,

>> how do I allow VLAN 2 (Site 1) to talk to VLAN 3 (Site 2) only and vice versa, and no other VLANs can talk to them?

Your extended ACLs have to describe this:

access-list 102 remark to be applied inbound on SVI Vlan 2
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 deny ip any any

int vlan 2
 ip access-group 102 in

In the same way on SVI Vlan 3 on the second site, using:

access-list 103 remark to be applied inbound on SVI Vlan 3
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 deny ip any any

int vlan 3
 ip access-group 103 in

ACL 103's permit statement is reversed.

Hope to help

Giuseppe

 


Hello


@tinhnho123 wrote:

Site1's A & B use vPC, Site 2's A & B use vPC. These switches are running vPC between them. 


So it's L3 between the sites, correct? If so, you need to apply an EIGRP filter:

Site1
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 2 permit 192.168.7.0 0.0.0.255

router eigrp 50
distance 255 <eigrp RID site2> 0.0.0.0 2


Site2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.6.0 0.0.0.255

router eigrp 50
distance 255 <eigrp RID site1> 0.0.0.0 1


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


21 Replies


Thanks. I tried your concept and I can still ping VLAN 2 and VLAN 3 from other networks.

Site 1: Switch A and B

ip access-list 102
     5 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
   10 deny ip any any log

interface Vlan2
   ip access-group 102 in

Site 2: Switch A and B

ip access-list 103
     5 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
   10 deny ip any any log

interface Vlan3
   ip access-group 103 in

Any thoughts?

Hello @tinhnho123 ,

Are the Nexus switches the only devices connected to both VLANs, or are there other L3-capable devices in your network?

The two subnets should not be pingable from other VLANs with the proposed configuration.

Hope to help

Giuseppe

 

Hello

SVI logic:
IN = from withIN the VLAN
OUT = from OUTside the VLAN

Option 1
SITE 1 & 2

ip access-list extended vlan2-vlan3
  deny ip any 192.168.4.0 0.0.0.255
  deny ip any 192.168.5.0 0.0.0.255
  deny ip any 192.168.6.0 0.0.0.255
  deny ip any 192.168.7.0 0.0.0.255
  permit ip any any

int vlan 2 & 3
  ip access-group vlan2-vlan3 in

Option 2
SITE 1

ip access-list extended vlan2-vlan3
  permit ip any 192.168.3.0 0.0.0.255

int vlan 2
  ip access-group vlan2-vlan3 in

SITE 2

ip access-list extended vlan3-vlan2
  permit ip any 192.168.2.0 0.0.0.255

int vlan 3
  ip access-group vlan3-vlan2 in

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
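As an added illustration of the SVI "in" direction Paul describes and of why Giuseppe's source-and-destination ACL behaves differently from the original "2and3" ACL, here is a small Python evaluator; it is not NX-OS code and not from anyone in the thread. It applies Cisco wildcard-mask matching to the ACL lines posted above and models a ping from a constructed host in another VLAN to a constructed VLAN 2 host, assuming the SVIs of the other VLANs carry no ACL.

```python
import ipaddress

# Added example for this thread, not NX-OS code: a minimal evaluator for the
# ACL lines posted above, using Cisco wildcard-mask semantics and Paul's SVI
# rule ("in" on Vlan2 = packets sent BY hosts inside VLAN 2). Hosts are constructed.

def wildcard_match(addr, network, wildcard):
    """Bits set to 1 in a Cisco wildcard mask are 'don't care' bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def _spec(tokens, i):
    # 'any' or 'network wildcard'; returns the spec and the next token index
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line):
    """Parse '[seq] permit|deny ip SRC [WC] DST [WC] [log]'."""
    t = line.split()
    if t[0].isdigit():                      # optional NX-OS sequence number
        t = t[1:]
    if t[0] not in ("permit", "deny") or t[1] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _spec(t, 2)
    dst, _ = _spec(t, i)
    return t[0], src, dst

def evaluate(acl, src_ip, dst_ip):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src_ip, sn, sw) and wildcard_match(dst_ip, dn, dw):
            return action
    return "deny"

# tinhnho123's original '2and3' ACL, applied 'in' on interface Vlan2
OP_ACL = ["5 permit ip 192.168.2.0 0.0.0.255 any",
          "10 permit ip 192.168.3.0 0.0.0.255 any",
          "15 deny ip any any log"]
# Giuseppe's ACL 102 (Paul's option 2 is the same permit plus the implicit deny)
FIXED_ACL = ["permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255",
             "deny ip any any"]

def ping_from_other_vlan(acl_on_vlan2, pc_ip, vlan2_host):
    """A PC in another VLAN pings a VLAN 2 host. The echo request enters via the
    PC's own SVI (assumed unfiltered); only the echo reply, sent by the VLAN 2
    host, enters Vlan2 'in' and is checked. Returns True if the ping succeeds."""
    return evaluate(acl_on_vlan2, vlan2_host, pc_ip) == "permit"
```

With the original ACL the reply from 192.168.2.x to a VLAN 6 PC matches "permit ip 192.168.2.0 0.0.0.255 any", so the ping works; with the corrected ACL the same reply hits the deny.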

Thanks. I tried option 2 and I can still ping VLAN 2 and VLAN 3 from other networks, so it doesn't work for me.

I am hesitant to try option 1, because I now have more new SVIs on these 4 switches at both sites.

Hello @tinhnho123 ,

How are you doing the tests?

You should test from a PC in VLAN x to ping hosts in subnets 192.168.2.0/24 and 192.168.3.0/24. Testing on the Nexus switch itself may lead to different results.

Hope to help

Giuseppe

 

Hi Giuseppe, I tested from a PC that is on VLAN 6.

The ACL my colleague shared is OK, but
I think you applied it on only one NSK.

If the two NSKs form a vPC, you need to apply the ACL to the SVI on both NSKs, otherwise the traffic will pass.

MHM

Hello


@tinhnho123 wrote:

Thanks. I tried option 2 and it still can ping vlan 2 and vlan 3 from other network.


You mean you can ping VLAN 2/3 from the other VLANs, correct?

Can you post the acls you have presently applied?

sh run int vlan 2 / 3
sh ip access-list xx


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Please see below:

Site 1: switch A
interface Vlan2
  no shutdown
  ip access-group vlan2-vlan3 in
  no ip redirects
  ip address 192.168.2.2/24
  hsrp 2
    preempt
    priority 120
    timers 5 15
    ip 192.168.2.1

ip access-list vlan2-vlan3
  10 permit ip any 192.168.3.0 0.0.0.255

Site 1: switch B
interface Vlan2
  no shutdown
  ip access-group vlan2-vlan3 in
  no ip redirects
  ip address 192.168.2.3/24
  hsrp 2
    preempt
    priority 120
    timers 5 15
    ip 192.168.2.1

ip access-list vlan2-vlan3
  10 permit ip any 192.168.3.0 0.0.0.255

Site 2: switch A
interface Vlan3
  no shutdown
  ip access-group vlan3-vlan2 in
  no ip redirects
  ip address 192.168.3.2/24

ip access-list vlan3-vlan2
  10 permit ip any 192.168.2.0 0.0.0.255

Site 2: switch B
interface Vlan3
  no shutdown
  ip access-group vlan3-vlan2 in
  no ip redirects
  ip address 192.168.3.3/24

ip access-list vlan3-vlan2
  10 permit ip any 192.168.2.0 0.0.0.255

Site1's A & B use vPC, Site 2's A & B use vPC. These switches are running vPC between them. 

 

hardware access-list update atomic

Can you run this command and check the ACL again?

MHM 

What does the command below do? Will it change other existing ACLs? I'm a bit worried that running this command would affect other existing ACLs. Thanks.

hardware access-list update atomic

 

Hi friend, I will wait until I add an NSK-9K to my lab to follow your question.
Now, the atomic update syncs the ACL from software into the TCAM hardware;
no need to run it now. Let's do some checks first:

switch# show consistency-checker racl module x    <<- do this; the result must pass
switch# show system internal access-list globals   <<- share this

thanks 

MHM

 

The atomic update is enabled by default.
