IP ACL on VLAN interface Nexus 5K

roger perkin
Level 2

Can anyone provide any advice on applying an IP ACL to an L3 VLAN interface on a Nexus 5K?

My assumption is that the IP ACL will only filter traffic inbound on a Port ACL, which can be applied to a physical interface or a port channel. 

Customer wants to apply traffic filtering both in and outbound on a VLAN interface which I don't think is possible. 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/sec_ipacls.html#pgfId-1273904

Thanks

Roger

chrihussey
VIP Alumni

Hello,

You should be able to apply an ACL to a VLAN interface. In this instance the term would be a router ACL. The link you reference is pretty narrowly focused. Please check the following link, as it provides a broader scope:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/security/521_n1_1/b_5k_Security_Config_521N11/b_5k_Security_Config_521N11_chapter_01000.html

Hope this is of some help.

Thanks, after doing some research I found out it's classed as a Router ACL.

The Nexus is a 5600 series.

I also need to consider HSRP, as applying an ACL to the layer 3 interface can stop HSRP working.

Glad you found what you needed.

Yes, now that you mention it I do recall HSRP requires consideration as well as any routing protocol that may be running on the interface.

However, keep in mind that depending on the requirements and how you configure the ACL, you may be able to avoid having to make these allowances. For example, by restricting the unwanted traffic first and then permitting all else, as opposed to permitting the desired traffic and then letting the default deny all be the last line in the ACL.

Not sure if it is possible in your situation, but just a thought.

Regards
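Added example (not from the thread or from Cisco): a small first-match evaluator that parses two constructed NX-OS-style router ACLs, one written permit-desired (relying on the implicit deny) and one written deny-unwanted-then-permit-all as suggested above, and checks both against an HSRPv1 hello (UDP to 224.0.0.2 port 1985) and an OSPF hello (224.0.0.5). Addresses, ACL contents and the parser's syntax subset are assumptions for illustration.

```python
"""First-match ACL evaluation showing why the permit-desired style drops HSRP hellos."""
import ipaddress

# Constructed sample ACLs in NX-OS ACE syntax: seq action proto src dst [eq port]
PERMIT_DESIRED = """
10 permit tcp any 10.10.0.0/16 eq 443
20 permit udp any 10.10.0.0/16 eq 53
"""  # implicit 'deny ip any any' follows, so HSRP/OSPF hellos are dropped

DENY_UNWANTED = """
10 deny tcp any 10.10.0.0/16 eq 23
20 deny ip 192.168.0.0/16 10.10.0.0/16
30 permit ip any any
"""  # control-plane traffic falls through to the final explicit permit


def _take_addr(tokens, i):
    """Consume one address spec ('any', 'host A.B.C.D' or prefix/len); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_acl(text):
    """Parse the subset of ACE syntax used above into (seq, action, proto, src, dst, port) tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        src, i = _take_addr(t, 3)
        dst, i = _take_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append((seq, action, proto, src, dst, port))
    return sorted(aces)  # NX-OS evaluates entries in sequence-number order


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for a packet: first matching ACE wins, else implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, action, p, sn, dn, port in acl:
        if p not in ("ip", proto) or s not in sn or d not in dn:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # the implicit deny that ends every ACL


if __name__ == "__main__":
    for name, text in (("permit-desired", PERMIT_DESIRED), ("deny-unwanted", DENY_UNWANTED)):
        acl = parse_acl(text)
        print(name, "HSRP hello:", evaluate(acl, "udp", "10.10.0.2", "224.0.0.2", 1985),
              "OSPF hello:", evaluate(acl, "ospf", "10.10.0.2", "224.0.0.5"))
```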