cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1940
Views
0
Helpful
11
Replies

ACL Nexus 7000 on port blocks everything

uzbayev.marat1
Level 1
Level 1

Hi Guys,
I'm trying configure access-list on port-channel in N7K.
Ports connected to ESXi host with ~50 VMs
I want to filter access for only 1 VM (with IP A.B.C.D), with no impact to other VMs.

 

 

IP access list TEST
10 permit ip X.X.X.1/32 10.A.B.C.D/32 
20 permit ip X.X.X.2/32 10.A.B.C.D/32 
30 permit ip X.X.X.3/32 10.A.B.C.D/32 

40 permit ip X.X.X.4/32 10.A.B.C.D/32 

50 deny ip any any

 

 

interface port-channel23
description VM1
switchport
switchport mode trunk
spanning-tree port type edge trunk
ip port access-group TEST in

 

 

This is what I applied. And it's block everything, all VMs become unreachable.

Any idea?
What I'm missing ( 

 

 

1 Accepted Solution

Accepted Solutions

uzbayev.marat1
Level 1
Level 1

ACL in Nexus is applies  to VLAN interface not on port interface

View solution in original post

11 Replies 11

marce1000
VIP
VIP

 

 - But then the ACL , will do exactly what you want, and will not allow traffic to the other VM's.

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Problem that it blocks even traffic to VM1 ( 

Oh, I also tried this one. Also not work

 

10 permit ip X.X.X.1/32 A.B.C.D/32 
20 permit ip X.X.X.2/32 A.B.C.D/32 
30 permit ip X.X.X.3/32 A.B.C.D/32 

40 permit ip X.X.X.4/32 A.B.C.D/32 

50 deny ip any A.B.C.D/32

Try adding this:

 

60 permit ip any any

 

100 permit ip any any

When I use permit any any it allows all traffic, but I need restrict access to VM1. with no impact on VM2

 

Well, it proves the access list is working, but for some reason the packet which should be blocked doesn't match with the source or destination IP in the first lines.

 

Are you using NAT?

Nope. NAT is not configured

Yachay
Level 1
Level 1

If your plan is to block one VM and allow all traffic to the other ones, then your ACL is wrong. Change 'permit' by 'deny' from 10 to 40, and then change 'deny' by 'permit' in sequence 50.

aim is:
Allow access to VM1 only for X.X.X.1, X.X.X.2, X.X.X.3, X.X.X.4
And block other users

uzbayev.marat1
Level 1
Level 1

This is killing me!!!

for test I configured 

IP access list TEST2
10 permit ip 10.189.129.45/32 any

 

Where 10.189.129.45 is my PC.

Logically it should allow traffic from my PC to all VMs. But in practice it blocks everything

 

 

uzbayev.marat1
Level 1
Level 1

ACL in Nexus is applies  to VLAN interface not on port interface

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: