cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1415
Views
0
Helpful
1
Replies

port-group ip access-list and group

Kyujin Choi
Level 1
Level 1

Good morning. I do understand the direction of acl in/out. Here is the example. I am doing on Nexus 1k which is same rule applied. 

ACL in/out direction and interface

When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.
When you apply an ACL "out" on an interface the router examines any traffic attempting to leave that interface against the ACL.

 !!!!!  This is what I want to do. I like to allow only traffic from 10.200.213.25 and 10.201.250.0/24 and block all private IP range to the port-profile 218vlan !!!!!

(1000v port-profile)

port-profile type vethernet 218Vlan
switchport mode access
switchport access vlan 218
ip port access-group med-02 in
no shutdown
state enabled
vmware port-group



IPV4 ACL med-02
10 permit ip  10.200.213.25/32  any
20 permit ip  10.201.250.0/24 any
30 deny ip 10.0.0.0/8 any
40 deny ip 172.16.0.0/12  any
50 deny ip 192.168.0.0/16  any
60 permit ip any any log

When I applied this access-group, it blocked all traffic including 10.200.213.25. Am I missing something? 

1 Reply 1

Kyujin Choi
Level 1
Level 1

It works. thanks. I was confused. 

port-profile type vethernet 218Vlan
switchport mode access
switchport access vlan 218
ip port access-group test2 in
no shutdown
state enabled
vmware port-group


ip access-list test2
permit ip 10.200.218.0/24 host 10.200.213.25
permit ip 10.200.218.0/24 10.201.250.0/24
deny ip 10.200.218.0/24 10.0.0.0/8
deny ip 10.200.218.0/24 172.16.0.0/16
deny ip 10.200.218.0/24 192.168.0.0/16
permit ip any any