04-20-2020 12:57 AM - edited 04-20-2020 02:31 AM
I just have a PO for a Nexus switch for my network environment and have gone into GNS3 and EVE-NG to lab it, and I get the following error.
On the switch I configure inter-VLAN routing and configure an access-list to filter traffic between LANs. The problem is that when I try to filter traffic on the interface it is not working (meaning the ACL doesn't take effect on traffic coming in on the interface).
Example: the following access list
ip access-list Block_2_LAN_10
10 deny icmp any any
20 permit ip any any
interface vlan10
ip access-group Block_2_LAN_10 in
This is not working.
but if I apply the access list to traffic out, it is working.
Example:
ip access-list Block_2_LAN_10
10 deny icmp any any
20 permit ip any any
interface vlan10
ip access-group Block_2_LAN_10 out
This is working.
What am I doing wrong here?
Thanks for responding.
04-20-2020 01:51 AM - edited 04-20-2020 01:51 AM
Hello
You may have the ACL applied in the wrong direction; see the ACL logic below for an SVI on an L3 switch.
IN = Traffic originating from within the VLAN
OUT = Traffic originating from outside the VLAN
04-20-2020 02:33 AM
04-20-2020 02:46 AM
Hello
Where are you initiating the ping from when it fails?
04-20-2020 03:08 AM
04-20-2020 02:28 AM
I am not sure why the ingress RACL does not work. Can you try adding "statistics per-entry" to your ACL and see if anything matches on the deny entry? You will see the statistics in the "show ip access-list" output.
Can you try to add the ACL on the L2 interfaces, using command "ip port access-group <ACL name>", and see if the deny entry works?
Regards,
Sergiu
04-20-2020 02:41 AM
04-20-2020 03:04 AM
Do you send traffic through your switch/SVI 10?
04-20-2020 03:26 AM
04-20-2020 03:30 AM
Hmm maybe there is a problem with the NXOSv.
The expectations would be to:
What version of NXOS are you running?
Cheers,
Sergiu
04-20-2020 02:44 AM
04-20-2020 03:10 AM
Just to confirm, ICMP is still allowed with port ACL?
Thanks,
Sergiu
04-20-2020 03:25 AM
04-20-2020 05:16 AM - edited 04-20-2020 05:36 AM
Hello
@ratha chum wrote:
Ping from a host inside VLAN 10, but ping still works.
Just to confirm: you wish to allow ICMP between hosts within the same VLAN and to deny ICMP from hosts in VLAN 10 to any host in other VLANs, and you say the ACL you've applied ingress on SVI 10 to block ICMP traffic from another VLAN doesn't work. If so, and the ACL applied in the OUT direction does work, then as I stated earlier that's due to the ACL logic being applied on the switch's logical SVI.
04-20-2020 05:35 AM
Hi @paul driver
I am making a presumption now that the author of this thread is using ping to confirm whether ICMP is actually dropped in one direction, regardless of which one it is.
With this presumption in mind, with a "deny icmp any any" entry in your ACL, regardless of how the ACL is configured on SVI 10, for ingress or egress (excluding hardware-specific limitations), routed ICMP traffic should not work bidirectionally, meaning ping will fail. That is because either the request or the reply should be dropped.
Now the question is: @ratha chum, how do you verify whether ICMP is actually dropped by the ACL or not?
Can you give us more details about your exact setup (IP addresses of endpoints) and what actions you are taking? (What and from where are you pinging, using tcpdump, etc.)
Cheers,
Sergiu
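Added example (not from the thread or from Cisco): a small Python model of the direction logic described above, with first-match ACL evaluation, an implicit deny, per-entry hit counters in the spirit of "statistics per-entry", and a ping modelled as an echo request plus an echo reply. The VLAN subnets, host addresses and the "in on source SVI, out on destination SVI" ordering are assumptions made for the model; it shows that Block_2_LAN_10 breaks routed ping whichever direction it is applied in, while same-VLAN ping is untouched because it never crosses the SVI.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class AclEntry:
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "icmp", "tcp", ... or "ip" (any protocol)
    hits: int = 0        # per-entry match counter, like "statistics per-entry"

    def matches(self, proto: str) -> bool:
        return self.proto == "ip" or self.proto == proto

class Acl:
    """Ordered entries, first match wins, implicit deny at the end."""
    def __init__(self, name: str, entries):
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.seq)

    def permits(self, proto: str) -> bool:
        for entry in self.entries:
            if entry.matches(proto):
                entry.hits += 1
                return entry.action == "permit"
        return False

@dataclass
class Svi:
    vlan: int
    subnet: str
    acl_in: Acl = None     # checked for traffic originating inside this VLAN
    acl_out: Acl = None    # checked for traffic leaving the SVI into this VLAN

def one_way(src: Svi, dst: Svi, proto: str) -> bool:
    """One routed packet: source SVI 'in' ACL, then destination SVI 'out' ACL."""
    if src.acl_in and not src.acl_in.permits(proto):
        return False
    return not dst.acl_out or dst.acl_out.permits(proto)

def ping_succeeds(src_ip: str, dst_ip: str, svis) -> bool:
    """Echo request one way and echo reply back; either being dropped fails the ping."""
    src = next(s for s in svis if ip_address(src_ip) in ip_network(s.subnet))
    dst = next(s for s in svis if ip_address(dst_ip) in ip_network(s.subnet))
    if src is dst:
        return True  # same VLAN: switched at L2, the SVI RACL is never consulted
    return one_way(src, dst, "icmp") and one_way(dst, src, "icmp")
def block_2_lan_10() -> Acl:
    # Constructed to mirror the ACL posted in the thread
    return Acl("Block_2_LAN_10", [AclEntry(10, "deny", "icmp"), AclEntry(20, "permit", "ip")])
```

Checking `acl.entries[0].hits` after a failed ping is the model's equivalent of reading the deny-entry counter in "show ip access-list".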