I'm trying to configure an access-list on a port-channel on an N7K.
The ports are connected to an ESXi host with ~50 VMs.
I want to filter access for only 1 VM (with IP A.B.C.D), with no impact on the other VMs.
IP access list TEST
10 permit ip X.X.X.1/32 10.A.B.C.D/32
20 permit ip X.X.X.2/32 10.A.B.C.D/32
30 permit ip X.X.X.3/32 10.A.B.C.D/32
40 permit ip X.X.X.4/32 10.A.B.C.D/32
50 deny ip any any
switchport mode trunk
spanning-tree port type edge trunk
ip port access-group TEST in
This is what I applied, and it blocks everything; all VMs become unreachable.
What am I missing?
Oh, I also tried this one. It also does not work:
10 permit ip X.X.X.1/32 A.B.C.D/32
20 permit ip X.X.X.2/32 A.B.C.D/32
30 permit ip X.X.X.3/32 A.B.C.D/32
40 permit ip X.X.X.4/32 A.B.C.D/32
50 deny ip any A.B.C.D/32
100 permit ip any any
When I use permit any any it allows all traffic, but I need to restrict access to VM1 with no impact on VM2.
Well, it proves the access list is working, but for some reason the packet which should be blocked doesn't match the source or destination IP in the first lines.
Are you using NAT?
If your plan is to block one VM and allow all traffic to the other ones, then your ACL is wrong. Change 'permit' to 'deny' in sequences 10 to 40, and then change 'deny' to 'permit' in sequence 50.
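To separate "the ACL logic is wrong" from "the packets don't match what I think they match", it helps to evaluate both ACLs from the thread on paper first. The following is an added example, not code from the thread or from Cisco: it models NX-OS first-match evaluation (with the implicit deny at the end) for the first ACL (permit four sources to VM1, then deny any any) and the second one (deny everyone else to VM1, then permit any any), using constructed addresses in place of X.X.X.n and A.B.C.D.

```python
"""Added example (not from the thread): first-match evaluation of the two
IPv4 ACLs the poster shows, so you can see what each should do before
chasing why the packets do not match (NAT, direction, etc.).
Addresses are constructed placeholders; the thread uses X.X.X.n / A.B.C.D."""
from ipaddress import ip_address, ip_network

VM1 = "10.0.0.10"          # the VM to be restricted (A.B.C.D in the thread)
VM2 = "10.0.0.20"          # any other VM on the same ESXi host
TRUSTED = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]  # X.X.X.1-4

def ace(seq, action, src, dst):
    """One access-control entry; 'any' is shorthand for 0.0.0.0/0."""
    cidr = lambda s: ip_network("0.0.0.0/0" if s == "any" else s)
    return (seq, action, cidr(src), cidr(dst))

# First attempt (ACL TEST): permits only trusted->VM1, then denies everything.
ACL_TEST = [ace(10 * (i + 1), "permit", f"{s}/32", f"{VM1}/32")
            for i, s in enumerate(TRUSTED)] + [ace(50, "deny", "any", "any")]

# Second attempt: permit trusted->VM1, deny anyone else->VM1, permit the rest.
ACL_TEST_V2 = [ace(10 * (i + 1), "permit", f"{s}/32", f"{VM1}/32")
               for i, s in enumerate(TRUSTED)] + [
    ace(50, "deny", "any", f"{VM1}/32"),
    ace(100, "permit", "any", "any"),
]

def evaluate(acl, src, dst):
    """Return (action, sequence) of the first matching ACE. NX-OS ends every
    ACL with an implicit 'deny ip any any', modelled here as sequence None."""
    s, d = ip_address(src), ip_address(dst)
    for seq, action, src_net, dst_net in sorted(acl):
        if s in src_net and d in dst_net:
            return action, seq
    return "deny", None

def summarize(acl):
    """Verdicts for the three flows the poster cares about."""
    return {
        "trusted->VM1": evaluate(acl, TRUSTED[0], VM1)[0],
        "other->VM1":   evaluate(acl, "198.51.100.7", VM1)[0],
        "other->VM2":   evaluate(acl, "198.51.100.7", VM2)[0],
    }

if __name__ == "__main__":
    for name, acl in (("TEST", ACL_TEST), ("TEST v2", ACL_TEST_V2)):
        print(name, summarize(acl))
```

The first ACL denies other->VM2 at sequence 50, which is exactly the "all VMs become unreachable" symptom; the second one permits VM2 traffic and only blocks untrusted sources to VM1, so if it still lets everything through, the addresses seen by the switch are not the ones in the ACL.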
This is killing me!!!
For a test I configured:
IP access list TEST2
10 permit ip 10.189.129.45/32 any
Where 10.189.129.45 is my PC.
Logically it should allow traffic from my PC to all VMs, but in practice it blocks everything.