ACL Nexus 7000 on port blocks everything


Hi Guys,
I'm trying to configure an access-list on a port-channel in an N7K.
The ports are connected to an ESXi host with ~50 VMs.
I want to filter access for only 1 VM (with IP A.B.C.D), with no impact on the other VMs.



IP access list TEST
10 permit ip X.X.X.1/32 10.A.B.C.D/32
20 permit ip X.X.X.2/32 10.A.B.C.D/32
30 permit ip X.X.X.3/32 10.A.B.C.D/32
40 permit ip X.X.X.4/32 10.A.B.C.D/32
50 deny ip any any



interface port-channel23
description VM1
switchport mode trunk
spanning-tree port type edge trunk
ip port access-group TEST in



This is what I applied, and it blocks everything; all VMs become unreachable.

Any idea?
What am I missing?



Accepted Solution


ACL in Nexus is applied to the VLAN interface, not on the port interface.

11 Replies



But then the ACL will do exactly what you want, and will not allow traffic to the other VMs.


-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

The problem is that it blocks even traffic to VM1.

Oh, I also tried this one. It also doesn't work:


10 permit ip X.X.X.1/32 A.B.C.D/32
20 permit ip X.X.X.2/32 A.B.C.D/32
30 permit ip X.X.X.3/32 A.B.C.D/32
40 permit ip X.X.X.4/32 A.B.C.D/32
50 deny ip any A.B.C.D/32

Try adding this:


60 permit ip any any


100 permit ip any any

When I use permit any any it allows all traffic, but I need to restrict access to VM1 with no impact on VM2.


Well, it proves the access list is working, but for some reason the packet which should be blocked doesn't match the source or destination IP in the first lines.


Are you using NAT?

Nope. NAT is not configured.


If your plan is to block one VM and allow all traffic to the other ones, then your ACL is wrong. Change 'permit' to 'deny' in sequences 10 to 40, and then change 'deny' to 'permit' in sequence 50.

The aim is:
Allow access to VM1 only for X.X.X.1, X.X.X.2, X.X.X.3, X.X.X.4
and block other users.
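Added example (not code from the thread): a small first-match ACL evaluator in Python that replays the thread's two ACLs against the flows the aim above describes. The addresses are constructed stand-ins for the redacted X.X.X.n and A.B.C.D (assumed: authorized clients 192.0.2.1-4, VM1 198.51.100.10, VM2 198.51.100.20, an unauthorized client 203.0.113.7). It shows two things: the explicit "50 deny ip any any" in the first ACL catches every packet that is not client-to-VM1, so traffic to VM2 is collateral; and an ACL applied "in" on the ESXi-facing port evaluates packets that enter the switch there, i.e. packets sourced by the VMs, so entries written with VM1 as the destination never match in that direction and VM1's own replies fall through to the final entry.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry in NX-OS form: 'seq permit|deny ip src dst'."""
    seq: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(token: str) -> ipaddress.IPv4Network:
    # 'any' is shorthand for 0.0.0.0/0; host entries are written as /32
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_acl(text: str) -> list[Ace]:
    """Parse 'seq permit|deny ip src dst' lines (only the IP form used in the thread)."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] not in ("permit", "deny") or parts[2] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        aces.append(Ace(int(parts[0]), parts[1], _net(parts[3]), _net(parts[4])))
    return sorted(aces, key=lambda a: a.seq)


def evaluate(aces: list[Ace], src_ip: str, dst_ip: str) -> tuple[str, int | None]:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action, ace.seq
    return "deny", None


# Constructed addresses standing in for the thread's redacted X.X.X.n / A.B.C.D
AUTHORIZED = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
OTHER_CLIENT = "203.0.113.7"
VM1, VM2 = "198.51.100.10", "198.51.100.20"

# The ACL from the first post: four permits toward VM1, then deny ip any any
ORIGINAL_ACL = """
10 permit ip 192.0.2.1/32 198.51.100.10/32
20 permit ip 192.0.2.2/32 198.51.100.10/32
30 permit ip 192.0.2.3/32 198.51.100.10/32
40 permit ip 192.0.2.4/32 198.51.100.10/32
50 deny ip any any
"""

# The second attempt (deny only toward VM1) plus the suggested '60 permit ip any any'
SCOPED_ACL = """
10 permit ip 192.0.2.1/32 198.51.100.10/32
20 permit ip 192.0.2.2/32 198.51.100.10/32
30 permit ip 192.0.2.3/32 198.51.100.10/32
40 permit ip 192.0.2.4/32 198.51.100.10/32
50 deny ip any 198.51.100.10/32
60 permit ip any any
"""


def policy_report(acl_text: str) -> dict[str, str]:
    """Verdict for each flow of interest, in both directions.

    '*_toward_*' flows are client -> VM, the direction the ACL was written for.
    '*_reply_*' flows are VM -> client, the direction an ACL applied 'in' on the
    ESXi-facing port actually sees, because those packets enter the switch there.
    """
    aces = parse_acl(acl_text)
    flows = {
        "authorized_toward_vm1": (AUTHORIZED[0], VM1),
        "other_toward_vm1": (OTHER_CLIENT, VM1),
        "other_toward_vm2": (OTHER_CLIENT, VM2),
        "vm1_reply_to_authorized": (VM1, AUTHORIZED[0]),
        "vm2_reply_to_other": (VM2, OTHER_CLIENT),
    }
    return {name: evaluate(aces, *flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("scoped", SCOPED_ACL)):
        print(label)
        for name, verdict in policy_report(acl).items():
            print(f"  {name:26s} {verdict}")
```

With the original ACL every VM-sourced packet, VM1's own replies included, lands on sequence 50, which is the "everything is unreachable" symptom. The scoped ACL gives the intended verdicts in the client-to-VM direction but permits every VM-sourced packet via sequence 60, so applied inbound on the host-facing port it enforces nothing; the policy has to be evaluated where client-to-VM packets are seen.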


This is killing me!!!

For a test I configured:

IP access list TEST2
10 permit ip any


Where is my PC.

Logically it should allow traffic from my PC to all VMs. But in practice it blocks everything.




ACL in Nexus is applied to the VLAN interface, not on the port interface.
