Cisco Nexus ACL

cloudops (Level 1)

Hi,

Thanks in advance!

I am running a Nexus 3k switch. At the moment I have a VLAN 50 with a single ACL on it, inbound. From my understanding this controls all inbound connections.

If I want to control outbound connections, do I need to create another ACL on the same VLAN but apply it OUTBOUND?

Thanks,

5 Replies

Hello,

 

Keep in mind that in/out has nothing to do with the direction of the traffic. "In" simply means that the access list is applied to the inside of the interface, that is, traffic is allowed/blocked before traversing the interface. "Out" means just the opposite: traffic has already traversed the interface and is being allowed/blocked there.

 

Post the ACL you already have, and indicate which traffic you want to allow and which traffic you want to block.

OK, so:

VLAN 5 - 192.168.6.x/24

VLAN 4 - 192.168.1.x/24

Right now I have (ACL status command):

ACL ISOLATED-VM
Vlan5 - ingress (Router ACL)
Active on interfaces:
Vlan5 - ingress (Router ACL)

What I want is to block VLAN 5 from talking to VLAN 4 (but not the other way; to be more specific, RDP).

I tried:

IPV4 ACL ISOLATED-VM
10 permit ip 172.60.0.0/24 192.168.6.0/24
20 permit ip 192.168.6.0/24 172.60.0.0/24
21 deny tcp 192.168.6.0/24 192.168.1.0/24 eq 3389
22 deny udp 192.168.6.0/24 192.168.1.0/24 eq 3389

170 permit icmp any any
180 permit ip any any

and I tried this as well:

deny ip 192.168.6.14/32 any

and it seems to have no impact.

Hello,

 

try the below:

 

interface VLAN5
 ip address 192.168.6.1 255.255.255.0
 ip access-group 101 in

interface VLAN4
 ip address 172.60.0.0 255.255.255.0

 

access-list 101 permit tcp 172.60.0.0 0.0.0.255 192.168.6.0 0.0.0.255 eq 3389 ack
access-list 101 deny tcp 172.60.0.0 0.0.0.255 192.168.6.0 0.0.0.255 eq 3389 syn
access-list 101 permit ip any any

So if I get this right, the outbound traffic

192.168.6.x/24 -> 172.60.0.0/16, and my ACL is applied on VLAN 5 (192.168.6.x)

my source traffic is 192.168.6.x?

So if I want to block outbound from 192 to 172:

access-list 101 permit tcp 192.168.6.0 0.0.0.255 172.60.0.0 0.0.0.255 eq 3389 ack
access-list 101 deny tcp 192.168.6.0 0.0.0.255 172.60.0.0 0.0.0.255 eq 3389 syn
access-list 101 permit ip any any

Hello,

 

as per your initial request, the ACL blocks VLAN5 (192.168.6.0/24) from talking to VLAN4 (172.60.0.0/24), but allows traffic from VLAN4 to VLAN5. The access list is applied inbound on the VLAN5 interface.
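
The two points the thread turns on, which traffic an ACL applied "in" on an SVI actually sees, and how a stateless ACL can let VLAN 4 open RDP into VLAN 5 while VLAN 5 cannot open RDP back, as an added example that is not part of the thread or of any Cisco software: a small Python model of first-match router-ACL evaluation using NX-OS entry syntax (sequence number, permit/deny, protocol, source/destination prefix, optional `eq` port, and the `syn`/`ack`/`established` TCP flag keywords, with the implicit deny at the end). The subnets 192.168.6.0/24 and 172.60.0.0/24 are the ones from the thread; the host addresses, ports, packets and the two ACLs are constructed here. The second ACL generalises the RDP case to every TCP session VLAN 5 might try to open toward VLAN 4.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                       # one packet as it enters the SVI
    src: str
    dst: str
    proto: str = "tcp"              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags that are set: "syn", "ack", "rst", ...

@dataclass
class Entry:                        # one ACE; proto "ip" matches every protocol
    seq: int; action: str; proto: str
    src: ipaddress.IPv4Network; sport: Optional[int]
    dst: ipaddress.IPv4Network; dport: Optional[int]
    flags: tuple                    # TCP flag keywords: "syn", "ack", "established", ...

def parse_acl(text: str) -> list:
    """Parse NX-OS style ACEs: 'seq action proto src [eq P] dst [eq P] [flag ...]'."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("!"):
            continue
        seq, action, proto = int(toks[0]), toks[1].lower(), toks[2].lower()
        pos = 3
        def prefix():                           # any | host A.B.C.D | A.B.C.D/len
            nonlocal pos
            if toks[pos] == "any":
                pos += 1
                return ipaddress.ip_network("0.0.0.0/0")
            if toks[pos] == "host":
                pos += 2
                return ipaddress.ip_network(toks[pos - 1] + "/32")
            pos += 1
            return ipaddress.ip_network(toks[pos - 1], strict=False)
        def port():                             # optional 'eq <port>'
            nonlocal pos
            if pos < len(toks) and toks[pos] == "eq":
                pos += 2
                return int(toks[pos - 1])
            return None
        src, sport = prefix(), port()
        dst, dport = prefix(), port()
        flags = tuple(t.lower() for t in toks[pos:])
        entries.append(Entry(seq, action, proto, src, sport, dst, dport, flags))
    return sorted(entries, key=lambda e: e.seq)

def _tcp_flags_ok(e: Entry, p: Packet) -> bool:
    for kw in e.flags:
        if kw == "established":                 # ACK or RST set, i.e. not a fresh SYN
            if not ({"ack", "rst"} & p.flags):
                return False
        elif kw not in p.flags:                 # "syn", "ack", ...: that bit must be set
            return False
    return True

def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in e.src
            and ipaddress.ip_address(p.dst) in e.dst
            and e.sport in (None, p.sport)
            and e.dport in (None, p.dport)
            and (not e.flags or _tcp_flags_ok(e, p)))

def evaluate(entries: list, p: Packet) -> tuple:
    """First match wins; a router ACL ends with an implicit deny."""
    for e in entries:
        if matches(e, p):
            return e.action, e.seq
    return "deny", None

def decide(acl_text: str, p: Packet) -> str:
    return evaluate(parse_acl(acl_text), p)[0]

# Thread's goal, applied 'in' on interface Vlan5: VLAN5 (192.168.6.0/24) may not open
# RDP to VLAN4 (172.60.0.0/24), but VLAN4 may still RDP into VLAN5. Replies from a
# VLAN5 RDP server carry *source* port 3389, so they never hit entry 10.
RDP_ONE_WAY = """
10 deny tcp 192.168.6.0/24 172.60.0.0/24 eq 3389
20 permit ip any any
"""
# Generalisation: block every TCP session VLAN5 tries to open toward VLAN4,
# but let replies to VLAN4-initiated sessions (ACK set) through.
TCP_ONE_WAY = """
10 permit tcp 192.168.6.0/24 172.60.0.0/24 established
20 deny tcp 192.168.6.0/24 172.60.0.0/24
30 permit ip any any
"""
# Constructed packets as seen entering the Vlan5 SVI (hosts and ports are assumed).
RDP_FROM_VLAN5 = Packet("192.168.6.14", "172.60.0.10", "tcp", 51000, 3389, frozenset({"syn"}))
RDP_REPLY_TO_VLAN4 = Packet("192.168.6.14", "172.60.0.10", "tcp", 3389, 51001, frozenset({"syn", "ack"}))
SSH_FROM_VLAN5 = Packet("192.168.6.14", "172.60.0.10", "tcp", 51002, 22, frozenset({"syn"}))
PING_FROM_VLAN5 = Packet("192.168.6.14", "172.60.0.10", "icmp")

if __name__ == "__main__":
    for p in (RDP_FROM_VLAN5, RDP_REPLY_TO_VLAN4, SSH_FROM_VLAN5, PING_FROM_VLAN5):
        print(p.proto, p.sport, "->", p.dport, decide(RDP_ONE_WAY, p), decide(TCP_ONE_WAY, p))
```

Because a router ACL applied inbound on Vlan5 is only consulted for packets that VLAN 5 hosts send toward the switch, an entry whose source is 172.60.0.0/24 is never matched there; the entries that do the work have 192.168.6.0/24 as source, as the fourth reply concludes. On the switch itself the same check is `statistics per-entry` inside the `ip access-list` and `show ip access-lists ISOLATED-VM`, which shows a match counter per entry while an RDP connection is attempted from a VLAN 5 host.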
