12-11-2018 04:25 AM - edited 03-08-2019 04:47 PM
Hi all,
On a Nexus 31108PCV switch I have applied this configuration:
interface Ethernet1/1
switchport access vlan 12
ip port access-group Customer_1_Client_4 in
interface Ethernet1/5
ip port access-group Customer_3_Client_1 in
switchport access vlan 12
ip access-list Customer_1_Client_4
10 permit udp 192.168.0.140/32 192.168.0.130/32 eq 319
20 permit udp 192.168.0.140/32 192.168.0.130/32 eq 320
ip access-list Customer_3_Client_1
10 permit udp 192.168.0.152/32 192.168.0.130/32 eq 319
20 permit udp 192.168.0.152/32 192.168.0.130/32 eq 320
In a pcap file collected on the server connected to Eth1/5 I see some DHCPv6 packets received by the server with the MAC address of port Eth1/1.
Why does this happen? Shouldn't the ACL configured on Eth1/1 filter all inbound traffic except PTP to 192.168.0.130? The server on Eth1/5 has IP 192.168.0.152.
Thanks
Gian Luca
12-11-2018 09:48 AM - edited 12-11-2018 09:49 AM
Hello
As these are L2 access ports and you need a filter between hosts in the same VLAN, try applying a VACL filter for VLAN 12:
ip access-list allow-host-host
permit udp host 192.168.0.140 host 192.168.0.132 eq 319
permit udp host 192.168.0.132 host 192.168.0.140 eq 319
permit udp host 192.168.0.150 host 192.168.0.132 eq 319
permit udp host 192.168.0.132 host 192.168.0.150 eq 319
permit udp host 192.168.0.140 host 192.168.0.132 eq 320
permit udp host 192.168.0.132 host 192.168.0.140 eq 320
permit udp host 192.168.0.150 host 192.168.0.132 eq 320
permit udp host 192.168.0.132 host 192.168.0.150 eq 320
ip access-list deny-host-host
permit ip host 192.168.0.140 host 192.168.0.132
permit ip host 192.168.0.132 host 192.168.0.140
permit ip host 192.168.0.150 host 192.168.0.132
permit ip host 192.168.0.132 host 192.168.0.150
vlan access-map host2host 10
match ip address allow-host-host
action permit
vlan access-map host2host 20
match ip address deny-host-host
action drop
vlan access-map host2host 99
vlan filter host2host vlan-list 12
01-14-2019 12:03 AM
Hi Paul,
to be sure that all IPv6 packets are dropped, can I also add an IPv6 access-list (in bold in the example below) to the vlan access-map?
ip access-list allow-host-host
permit udp host 192.168.0.140 host 192.168.0.132 eq 319
permit udp host 192.168.0.132 host 192.168.0.140 eq 319
permit udp host 192.168.0.150 host 192.168.0.132 eq 319
permit udp host 192.168.0.132 host 192.168.0.150 eq 319
permit udp host 192.168.0.140 host 192.168.0.132 eq 320
permit udp host 192.168.0.132 host 192.168.0.140 eq 320
permit udp host 192.168.0.150 host 192.168.0.132 eq 320
permit udp host 192.168.0.132 host 192.168.0.150 eq 320
ip access-list deny-host-host
permit ip host 192.168.0.140 host 192.168.0.132
permit ip host 192.168.0.132 host 192.168.0.140
permit ip host 192.168.0.150 host 192.168.0.132
permit ip host 192.168.0.132 host 192.168.0.150
ipv6 access-list deny_ipv6_all
permit ipv6 any any
vlan access-map host2host 10
match ip address allow-host-host
action permit
vlan access-map host2host 20
match ip address deny-host-host
action drop
vlan access-map host2host 30
match ipv6 access-list deny_ipv6_all
action drop
vlan access-map host2host 99
vlan filter host2host vlan-list 12
What is vlan access-map host2host 99 for?
If I have another ACL, can I apply the same access-map to another VLAN, or do I have to create a new access-map?
To apply a VACL, do I have to modify the TCAM region and reboot the switch?
Thanks
Gian Luca
01-14-2019 01:18 AM
Hello,
IPv4 access lists apply to IPv4 traffic only, so in order to block IPv6 traffic, an IPv6 access list indeed is needed. The one you configured and added to your VACL looks good.
01-14-2019 02:17 AM
Hi Paul,
thanks very much for your precious feedback.
A last question: do I still need the port ACLs applied on the Ethernet ports, or can I remove them?
If I can leave them, which one matches first?
Thanks
Gian Luca
01-15-2019 12:24 AM
Hi Paul,
I found my answer here:
For bridged packets the ACLs are applied in the following order:
1. PACL for the ingress port
2. VACL for the ingress VLAN
3. VACL for the egress VLAN
So in my scenario I can leave the current PACLs for IPv4 packets and set a VACL to drop all IPv6 packets.
What do you think?
Thanks
Gian Luca
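To make the two conclusions of this thread concrete (an IPv4 access list is never consulted for an IPv6 frame, so the PACL on Ethernet1/1 lets DHCPv6 through, and for bridged frames the ingress PACL is evaluated before the VACL of the ingress VLAN), here is a small Python model of that evaluation, built from the ACLs posted above. This is an added example, not code from the thread or from Cisco: the sample frames are constructed, the VACL keeps only the IPv6 sequence from Gian Luca's follow-up, and "forward when no VACL sequence matches" is an assumption of the model, not something the thread states.

```python
"""Model of PACL -> VACL evaluation for a bridged frame on an NX-OS access port.
Added example for this thread; the ACL syntax parsed is the subset used in the
posts above. Sample packets are constructed, not captured."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Packet:
    version: int              # 4 or 6
    proto: str                # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "ipv6", "udp", ...
    src: Network
    dst: Network
    dport: Optional[int]      # value after "eq" (destination port), if any


def _prefix(tokens, family):
    """Consume one address spec: 'any', 'host X', or 'X/len'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0" if family == "ip" else "::/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(tok, strict=False)


def parse_acl(family, lines):
    """Parse ACL entries in the NX-OS syntax used in the thread.
    family is 'ip' (IPv4 list) or 'ipv6'. Returns (family, [Entry, ...])."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens and tokens[0].isdigit():      # optional sequence number
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _prefix(tokens, family), _prefix(tokens, family)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        entries.append(Entry(action, proto, src, dst, dport))
    return (family, entries)


def acl_lookup(acl, pkt):
    """'permit' or 'deny' (implicit deny at the end of the list), or None when
    the list's address family differs from the frame: an IPv4 ACL is simply
    not consulted for an IPv6 frame, which is the DHCPv6 leak in the question."""
    family, entries = acl
    if (family == "ip") != (pkt.version == 4):
        return None
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if e.proto not in ("ip", "ipv6") and e.proto != pkt.proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


@dataclass
class MapSeq:
    seq: int
    acl: tuple                # result of parse_acl; a "permit" in it is a match
    action: str               # "drop" or "forward"/"permit"


class Vacl:
    def __init__(self, name, sequences, default="forward"):
        self.name, self.sequences = name, sorted(sequences, key=lambda s: s.seq)
        self.default = default  # model assumption for unmatched frames

    def lookup(self, pkt):
        for s in self.sequences:
            if acl_lookup(s.acl, pkt) == "permit":
                return s.action, f"VACL {self.name} seq {s.seq}"
        return self.default, f"VACL {self.name} no match (model default)"


def bridged_decision(pkt, pacl, vacl=None):
    """Bridged-frame order from the thread: PACL of the ingress port, then VACL
    of the ingress VLAN. Returns (verdict, reason)."""
    verdict = acl_lookup(pacl, pkt) if pacl else "permit"
    if verdict == "deny":
        return "drop", "PACL deny"
    note = "PACL not consulted (address family differs)" if verdict is None else "PACL permit"
    if vacl is None:
        return "forward", note
    action, where = vacl.lookup(pkt)
    return ("drop" if action == "drop" else "forward"), f"{note}; {where}"


# ACLs from the thread: the Ethernet1/1 PACL and the IPv6 VACL sequence.
PACL_ETH1_1 = parse_acl("ip", [
    "10 permit udp 192.168.0.140/32 192.168.0.130/32 eq 319",
    "20 permit udp 192.168.0.140/32 192.168.0.130/32 eq 320",
])
DENY_IPV6_ALL = parse_acl("ipv6", ["permit ipv6 any any"])
HOST2HOST = Vacl("host2host", [MapSeq(30, DENY_IPV6_ALL, "drop")])

# Constructed frames entering Ethernet1/1 from the host at 192.168.0.140.
SAMPLES = {
    "ptp_sync": Packet(4, "udp", "192.168.0.140", "192.168.0.130", 319),
    "dns_query": Packet(4, "udp", "192.168.0.140", "192.168.0.130", 53),
    "dhcpv6_solicit": Packet(6, "udp", "fe80::1", "ff02::1:2", 547),  # constructed link-local src
}


def scenario(with_vacl):
    """Verdict per sample frame, with or without the VLAN 12 VACL applied."""
    vacl = HOST2HOST if with_vacl else None
    return {n: bridged_decision(p, PACL_ETH1_1, vacl)[0] for n, p in SAMPLES.items()}


if __name__ == "__main__":
    for with_vacl in (False, True):
        print("with VACL" if with_vacl else "PACL only")
        for n, p in SAMPLES.items():
            print(f"  {n:15} {bridged_decision(p, PACL_ETH1_1, HOST2HOST if with_vacl else None)}")
```

Running it shows the DHCPv6 frame forwarded with "PACL not consulted" when only the port ACL exists, and dropped at VACL sequence 30 once the IPv6 access-map entry is in place, while the PTP packet and the non-PTP IPv4 packet get the same verdict in both cases.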