
ip access-group in not work on nexus swith

ratha chum
Level 1

I just got a PO Nexus switch for a network environment, went into GNS3 and EVE-NG to lab it, and got the following error.

On the switch I configured inter-VLAN routing and configured an access list to filter traffic between the LANs. The problem is that when I try to filter traffic on an interface, it is not working (meaning the ACL doesn't take effect on traffic coming in on the interface).

Example: the following access list

ip access-list Block_2_LAN_10
  10 deny icmp any any
  20 permit ip any any

interface vlan10
  ip access-group Block_2_LAN_10 in

This does not work.

 

But if I apply the access list in the out direction, it works.

Example:

ip access-list Block_2_LAN_10
  10 deny icmp any any
  20 permit ip any any

interface vlan10
  ip access-group Block_2_LAN_10 out

This works.

What am I doing wrong here?

Thanks for responding.

22 Replies

Hello
You may have the ACL applied in the wrong direction; see the ACL logic on an L3 switch below.
IN = traffic originating from within the VLAN
OUT = traffic originating from outside the VLAN


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi, thanks for responding.
I understood the IN/OUT option. Could you please show me where I am wrong?

Hello

Where are you initiating the ping from when it fails?



Kind Regards
Paul

Pinging from a host inside VLAN 10, but the ping still works.

Sergiu.Daniluk
VIP Alumni

I am not sure why the ingress RACL does not work. Can you try adding "statistics per-entry" to your ACL and see if anything matches on the deny entry? You will see the statistics in the "show ip access-list" output.

Can you try adding the ACL on the L2 interfaces, using the command "ip port access-group <ACL name>", and see if the deny entry works?

 

Regards,

Sergiu

Thanks for the reply.
Here is the output.
switch# show run aclmgr

!Command: show running-config aclmgr
!Time: Mon Apr 20 09:40:05 2020

version 7.0(3)I7(4)
ip access-list Block_2_LAN_10
statistics per-entry
1 deny icmp any any
11 permit ip any any

interface Vlan10
ip access-group Block_2_LAN_10 in

switch# show ip access-lists

IP access list Block_2_LAN_10
statistics per-entry
1 deny icmp any any
11 permit ip any any

Do you send traffic through your switch/SVI 10?

yes

Hmm, maybe there is a problem with NXOSv.

The expectations would be to:

  1. Block routed ICMP traffic ingressing on SVI10
  2. Keep and show all statistics about packets hitting the ACL entries

What version of NXOS are you running?

 

Cheers,

Sergiu

interface Ethernet1/1
  ip port access-group Block_2_LAN_10 in
  switchport access vlan 10

Here I tried to apply it on an L2 interface as well; it also does not work.

Just to confirm, ICMP is still allowed with the port ACL?

Thanks,

Sergiu

yes

Hello


@ratha chum wrote:
Pinging from a host inside VLAN 10, but the ping still works.

Just to confirm: you wish to allow ICMP between hosts within the same VLAN and to deny ICMP between hosts in VLAN 10 and any host in other VLANs, and you say the ACL you've applied ingress on SVI 10 to block ICMP traffic from another VLAN doesn't work. If so, and the ACL applied in the OUT direction does work, then as I stated earlier that's due to the ACL logic being applied on the switch's logical SVI.



Kind Regards
Paul

Hi @paul driver 

I am making a presumption now that the author of this thread is using ping to confirm whether ICMP is actually dropped in one direction, regardless of which one it is.

With this presumption in mind, with a "deny icmp any any" entry in your ACL, regardless of how the ACL is configured on SVI 10, for ingress or egress (excluding hardware-specific limitations), routed ICMP traffic should not work bidirectionally, meaning ping will fail; that is because either the request or the reply will be dropped.

Now the question is: @ratha chum, how do you verify whether ICMP is actually dropped by the ACL or not?

Can you give us more details about your setup (IP addresses of the endpoints) and what actions you are taking? (What and where are you pinging, using tcpdump, etc.)

 

Cheers,

Sergiu
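As an added example, not code from the thread or from Cisco, here is a small Python model of the two points made above: Paul's description of RACL direction on an SVI (IN sees packets hosts in the VLAN send toward the router, OUT sees packets the router forwards into the VLAN) and Sergiu's observation that a "deny icmp any any" bound in either direction breaks ping, because it drops either the echo request or the echo reply. The addressing (10.0.10.0/24 on SVI 10, 10.0.20.0/24 on SVI 20), the host addresses, and all function names are assumptions of the example; the `hits` counters stand in for what `statistics per-entry` would show in `show ip access-lists`.

```python
"""Model of how a routed ACL (RACL) bound to an SVI sees a ping.

Constructed example, not NX-OS code. One L3 switch with SVI 10 and SVI 20.
RACL direction is relative to the SVI: "in" is evaluated on packets arriving
from hosts in that VLAN (leaving the VLAN via the router), "out" on packets
the router forwards into that VLAN. Traffic between two hosts in the same
VLAN is bridged at L2 and never reaches the SVI, so no RACL sees it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class Entry:
    seq: int
    action: str     # "permit" or "deny"
    proto: str      # "icmp", "tcp", ... or "ip" for any protocol
    hits: int = 0   # what "statistics per-entry" would count


@dataclass
class Acl:
    name: str
    entries: List[Entry]

    def permits(self, proto: str) -> bool:
        """First matching entry wins; every ACL ends with an implicit deny."""
        for entry in sorted(self.entries, key=lambda e: e.seq):
            if entry.proto in ("ip", proto):
                entry.hits += 1
                return entry.action == "permit"
        return False


@dataclass
class Packet:
    src: str
    dst: str
    proto: str


# Assumed addressing: one SVI per VLAN on the same switch.
VLANS = {10: ip_network("10.0.10.0/24"), 20: ip_network("10.0.20.0/24")}

# (vlan, "in" | "out") -> ACL bound to that SVI in that direction
Racls = Dict[Tuple[int, str], Acl]


def vlan_of(addr: str) -> int:
    return next(v for v, net in VLANS.items() if ip_address(addr) in net)


def forward(pkt: Packet, racls: Racls) -> bool:
    """Return True if the packet is delivered, False if a RACL drops it."""
    src_vlan, dst_vlan = vlan_of(pkt.src), vlan_of(pkt.dst)
    if src_vlan == dst_vlan:
        return True  # bridged inside the VLAN; the SVI is never involved
    acl = racls.get((src_vlan, "in"))    # enters the router from the VLAN
    if acl is not None and not acl.permits(pkt.proto):
        return False
    acl = racls.get((dst_vlan, "out"))   # router sends it into the VLAN
    if acl is not None and not acl.permits(pkt.proto):
        return False
    return True


def ping(src: str, dst: str, racls: Racls) -> bool:
    """Echo request src->dst, then echo reply dst->src; both must arrive."""
    return (forward(Packet(src, dst, "icmp"), racls)
            and forward(Packet(dst, src, "icmp"), racls))


def scenario(direction: str, src: str, dst: str) -> Tuple[bool, int, int]:
    """Bind the thread's ACL to SVI 10 in `direction` and ping src->dst.

    Returns (ping succeeded, hits on 'deny icmp', hits on 'permit ip')."""
    acl = Acl("Block_2_LAN_10",
              [Entry(10, "deny", "icmp"), Entry(20, "permit", "ip")])
    ok = ping(src, dst, {(10, direction): acl})
    return ok, acl.entries[0].hits, acl.entries[1].hits


if __name__ == "__main__":
    for direction in ("in", "out"):
        print(direction, "inter-VLAN", scenario(direction, "10.0.10.5", "10.0.20.5"))
        print(direction, "intra-VLAN", scenario(direction, "10.0.10.5", "10.0.10.6"))
```

Run inter-VLAN, the deny entry takes exactly one hit whether the ACL is bound in or out: "in" drops the request leaving VLAN 10, "out" drops the reply coming back into it, and ping fails either way. Run between two hosts in VLAN 10, neither counter moves and ping succeeds, because bridged traffic never reaches the SVI; that is why the source and destination of the test ping matter, and why a port ACL on the L2 interface (Sergiu's "ip port access-group") is the construct that would see intra-VLAN traffic.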
