NX7K ACL Configuration

zekebashi, Level 4

Hello,

We have a NX7K with two connections (e5/9 and e6/9) to our ISP. We use eBGP peering on the two interfaces with the ISP. We tried to implement an iACL to deny SSH and SNMP ingress traffic from our ISP to the NX7K, but after implementing the iACL we experienced an Internet outage. It seems that the implementation of this iACL broke the BGP peering for some reason. Here's the iACL we implemented:

IP access list DENY_ACCESS
        statistics per-entry
        10 deny tcp any any eq 22 log
        15 deny udp any any eq snmp log
        20 permit tcp any any

interface Ethernet5/9
  ip access-group DENY_ACCESS in
  exit

interface Ethernet6/9
  ip access-group DENY_ACCESS in
  exit

Can anyone see why this iACL would cause the BGP peering to break?

Thanks in advance.

~zK

2 Replies

Hi zekebashi,

Is there any specific reason to add "20 permit tcp any any" at the end of the ACL instead of permit ip any any?

It may be that the BGP peering was fine at that time, but other traffic like UDP (DNS etc.) was dropped by this ACL, which is why you were facing an issue accessing the Internet.

Spooster IT Services Team

Collin Clark, VIP Alumni

I would specifically allow BGP first, then block, then permit.

object-group network BGP_LOCAL_IP
 host 198.51.100.130
 !
object-group network BGP_NEIGHBOR_IP
 host 198.51.100.129
 !
ip access-list extended iACL
 remark Allow BGP
 permit tcp object-group BGP_NEIGHBOR_IP eq bgp object-group BGP_LOCAL_IP
 permit tcp object-group BGP_NEIGHBOR_IP object-group BGP_LOCAL_IP eq bgp
 deny tcp any object-group BGP_LOCAL_IP eq 22 log
 deny udp any object-group BGP_LOCAL_IP eq 161 log
 permit ip any any
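The reply above is written in IOS syntax; for pasting into the NX7K itself, here is the same allow-BGP-first iACL in NX-OS form. This is an added example, not the reply's own configuration: NX-OS has no `extended` keyword, uses `object-group ip address` instead of `object-group network`, and references a group inside an ACE with `addrgroup`. The ACL name, sequence numbers and remarks are assumptions; the peer addresses 198.51.100.129/.130 are the ones used in the reply and should be replaced with your own link addresses to the ISP.

```text
! NX-OS version of the allow-BGP-first ingress ACL (added example).
! Assumed: ACL name iACL, sequence numbers, and the /30 addresses
! 198.51.100.129 (ISP peer) and 198.51.100.130 (this NX7K).
object-group ip address BGP_NEIGHBOR_IP
  10 host 198.51.100.129
object-group ip address BGP_LOCAL_IP
  10 host 198.51.100.130

ip access-list iACL
  statistics per-entry
  10 remark Allow eBGP with the ISP peer in both directions (TCP 179)
  20 permit tcp addrgroup BGP_NEIGHBOR_IP eq bgp addrgroup BGP_LOCAL_IP
  30 permit tcp addrgroup BGP_NEIGHBOR_IP addrgroup BGP_LOCAL_IP eq bgp
  40 remark Block management access to this box from the ISP side only
  50 deny tcp any addrgroup BGP_LOCAL_IP eq 22 log
  60 deny udp any addrgroup BGP_LOCAL_IP eq snmp log
  70 remark Everything else (transit, UDP, ICMP) must still pass
  80 permit ip any any

interface Ethernet5/9
  ip access-group iACL in
interface Ethernet6/9
  ip access-group iACL in
```

Two things worth noting about the shape of this list. The two BGP lines cover both the case where the ISP opens the TCP session to your port 179 and the case where your router opened it and the peer's replies come back from port 179, so it does not matter which side wins the connection collision. The deny lines match only packets addressed to the NX7K's own peering address, so SSH and SNMP transiting the box to hosts behind it are not caught, unlike the original `deny tcp any any eq 22`, which also dropped customers' transit SSH. After applying it, `show ip access-lists iACL` shows the per-entry hit counters (because of `statistics per-entry`) and `show ip bgp summary` should show both sessions Established; if the counters on line 80 stay at zero while the outage persists, the problem is somewhere other than this ACL.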