12-06-2017 09:25 PM - edited 03-08-2019 01:01 PM
Hi Guys,
I'm trying to configure an access-list on a port-channel on an N7K.
The ports are connected to an ESXi host with ~50 VMs.
I want to filter access for only 1 VM (with IP A.B.C.D), with no impact on the other VMs.
IP access list TEST
10 permit ip X.X.X.1/32 10.A.B.C.D/32
20 permit ip X.X.X.2/32 10.A.B.C.D/32
30 permit ip X.X.X.3/32 10.A.B.C.D/32
40 permit ip X.X.X.4/32 10.A.B.C.D/32
50 deny ip any any
interface port-channel23
description VM1
switchport
switchport mode trunk
spanning-tree port type edge trunk
ip port access-group TEST in
This is what I applied. And it blocks everything; all VMs become unreachable.
Any idea?
What am I missing? (
04-19-2018 05:19 AM
ACLs in Nexus are applied to the VLAN interface, not on the port interface.
12-06-2017 10:28 PM
- But then the ACL will do exactly what you want, and will not allow traffic to the other VMs.
M.
12-07-2017 10:08 PM
The problem is that it blocks even traffic to VM1 (
12-07-2017 10:16 PM
Oh, I also tried this one. It also did not work:
10 permit ip X.X.X.1/32 A.B.C.D/32
20 permit ip X.X.X.2/32 A.B.C.D/32
30 permit ip X.X.X.3/32 A.B.C.D/32
40 permit ip X.X.X.4/32 A.B.C.D/32
50 deny ip any A.B.C.D/32
12-08-2017 06:13 AM
Try adding this:
60 permit ip any any
12-10-2017 11:08 PM
100 permit ip any any
When I use permit any any it allows all traffic, but I need to restrict access to VM1, with no impact on VM2.
12-11-2017 06:27 AM
Well, it proves the access list is working, but for some reason the packet which should be blocked doesn't match with the source or destination IP in the first lines.
Are you using NAT?
12-11-2017 10:58 PM
Nope. NAT is not configured.
12-07-2017 06:08 AM
If your plan is to block one VM and allow all traffic to the other ones, then your ACL is wrong. Change 'permit' to 'deny' in sequences 10 to 40, and then change 'deny' to 'permit' in sequence 50.
12-07-2017 10:10 PM
The aim is:
Allow access to VM1 only for X.X.X.1, X.X.X.2, X.X.X.3, X.X.X.4
And block other users
12-10-2017 11:18 PM
This is killing me!!!
for test I configured
IP access list TEST2
10 permit ip 10.189.129.45/32 any
Where 10.189.129.45 is my PC.
Logically, it should allow traffic from my PC to all VMs, but in practice it blocks everything.