ip access-group in not work on nexus swith

ratha chum
Level 1

I have just ordered a Nexus switch for our network environment and have gone into GNS3 and EVE-NG to lab it, and I get the following error.

On the switch I configure inter-VLAN routing and configure an access list to filter traffic between the LANs. The problem is that when I try to filter traffic inbound on the interface it is not working (meaning the ACL does not take effect on traffic coming in on the interface).

Example: the following access list

ip access-list Block_2_LAN_10
 10 deny icmp any any
 20 permit ip any any

interface vlan10
 ip access-group Block_2_LAN_10 in

This does not work.

But if I apply the access list to traffic out, it is working.

Example:

ip access-list Block_2_LAN_10
 10 deny icmp any any
 20 permit ip any any

interface vlan10
 ip access-group Block_2_LAN_10 out

This is working.

What am I doing wrong here?

Thanks for responding.

22 Replies

I want to block all ICMP from VLAN 10 to the other VLANs. Then I applied it inbound to block, but hosts from VLAN 10 can still ping the other VLANs.

Hello


@ratha chum wrote:
I want to block all ICMP from VLAN 10 to the other VLANs. Then I applied it inbound to block, but hosts from VLAN 10 can still ping the other VLANs.

Then apply the ACL in the OUT direction to the logical SVI interface of VLAN 10.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes, when I applied it out the ACL is working. Traffic have been


@paul driver wrote:

Hello


@ratha chum wrote:
I want to block all ICMP from VLAN 10 to the other VLANs. Then I applied it inbound to block, but hosts from VLAN 10 can still ping the other VLANs.

Then apply the ACL in the OUT direction to the logical SVI interface of VLAN 10.


Well, that actually is incorrect. The logic of ACLs, at least on Nexus switches, is the following:

The ingress RACL applied on VLAN 10 will apply to all traffic ingressing on SVI 10, having the destination MAC of SVI 10.

The egress RACL applied on VLAN 10 will apply to all traffic egressing on SVI 10, having the destination MAC of the endpoints or next hop.

Same logic as the one on Layer 3 physical interfaces.

 

Cheers,

Sergiu
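To make the ingress/egress logic described in this reply concrete, here is an added Python model (not code from the thread or from Cisco) that replays the thread's Block_2_LAN_10 ACL against VLAN 10 and VLAN 20 with the ACL applied in each direction. The evaluation order (source SVI ingress RACL, then destination SVI egress RACL), the two-VLAN lab and the Packet/Svi names are assumptions of the model, not NX-OS APIs.

```python
from dataclasses import dataclass
from typing import Optional

# ACL entry: (sequence, action, protocol); protocol "ip" matches any protocol.
# The entries mirror the thread's Block_2_LAN_10; VLAN numbers are the thread's too.
BLOCK_2_LAN_10 = [(10, "deny", "icmp"), (20, "permit", "ip")]

@dataclass
class Packet:
    src_vlan: int
    dst_vlan: int
    proto: str

@dataclass
class Svi:
    vlan: int
    acl_in: Optional[list] = None   # "ip access-group X in"
    acl_out: Optional[list] = None  # "ip access-group X out"

def acl_action(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for _seq, action, proto in sorted(acl):
        if proto in ("ip", pkt.proto):
            return action
    return "deny"

def route(svis, pkt):
    """Routed traffic is checked by the source SVI's ingress RACL, then by the
    destination SVI's egress RACL (the order described in the reply above)."""
    if pkt.src_vlan == pkt.dst_vlan:
        return "bridged"  # same VLAN: switched at L2, no RACL consulted
    src, dst = svis[pkt.src_vlan], svis[pkt.dst_vlan]
    if src.acl_in and acl_action(src.acl_in, pkt) == "deny":
        return f"dropped by ingress ACL on Vlan{src.vlan}"
    if dst.acl_out and acl_action(dst.acl_out, pkt) == "deny":
        return f"dropped by egress ACL on Vlan{dst.vlan}"
    return "forwarded"

def ping(svis, a, b):
    """Echo request a->b and reply b->a; returns (success, request, reply)."""
    req = route(svis, Packet(a, b, "icmp"))
    rep = route(svis, Packet(b, a, "icmp")) if req == "forwarded" else "not sent"
    return req == "forwarded" and rep == "forwarded", req, rep

def lab(direction):
    """Hypothetical two-VLAN lab: Block_2_LAN_10 on Vlan10, 'in' or 'out'."""
    svis = {10: Svi(10), 20: Svi(20)}
    setattr(svis[10], "acl_" + direction, BLOCK_2_LAN_10)
    return svis
```

Under this model, `lab("in")` drops the echo request from VLAN 10 at SVI 10, while `lab("out")` lets the request reach VLAN 20 and drops only the reply on its way back into VLAN 10, so ping fails in both cases but only the ingress ACL actually filters traffic leaving VLAN 10.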

 

@Sergiu.Daniluk 

Maybe the wording differs, but the SVI ACL logic is the same, which as I understand it is:

IN = traffic originating from within the VLAN

OUT = traffic originating outside the VLAN



Kind Regards
Paul

Happy to hear that we are on the same page ^_^

But I am still confused why you suggested the OUT option, when the author wants to filter traffic in the direction "from VLAN 10 to other VLANs".

 

Regards,

Sergiu

Hello


@Sergiu.Daniluk wrote:

Happy to hear that we are on the same page ^_^

But I am still confused why you suggested the OUT option, when the author wants to filter traffic in the direction "from VLAN 10 to other VLANs".


The reason is that the OP confirmed the ACL applied egress is working to deny ICMP, as it isn't working ingress, which I suspect is possibly due to some software issue with the simulation software they are using.

Kind Regards
Paul

Hosts in the same VLAN 10 are allowed to ping each other, but pings to a different VLAN are blocked.