Need Help to configure VACL in Nexus C5672UP Switch

sharma.amit11 · ‎06-26-2018

Hi All,

I am Amit Sharma, I need to configure VACL in Cisco nexus Switch C5672UP. Please share the command example for Block Inter VLAN routing.

Thanks

Amit

Reza Sharifi · ‎06-26-2018

Hi,

Have a look at this config guide. It includes an example:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/security/b_Cisco_Nexus_5000_Series_NX-OS_Security_Configuration_Guide/Cisco_Nexus_5000_Series_NX-OS_Security_Configuration_Guide_chapter7.html#con_7387655506561597461

HTH

sbhadrav@cisco.com · ‎07-03-2018

You can create or change a VACL. Creating a VACL includes creating an access map that associates an IP ACL or MAC ACL with an action to be applied to the matching traffic.

To create or change a VACL, perform this task:

Command
Purpose
Step 1
switch# configure terminal
Enters global configuration mode.

Step 2
switch(config)# vlan access-map map-name
Enters access map configuration mode for the access map specified.

Step 3
switch(config-access-map)# match ip address ip-access-list
Specifies a IPv4, and IPV6 ACL for the map.
switch(config-access-map)# match mac address mac-access-list
Specifies a MAC ACL for the map.

Step 4
switch(config-access-map)# action { drop | forward }
Specifies the action that the switch applies to traffic that matches the ACL.

Step 5
switch(config-access-map)# [ no ] statistics
(Optional) Specifies that the switch maintains global statistics for packets matching the rules in the VACL.
The no option stops the switch from maintaining global statistics for the VACL.

Step 6
switch(config-access-map)# show running-config
(Optional) Displays ACL configuration.

Step 7
switch(config-access-map)# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.

sharma.amit11 · ‎07-10-2018

Hi Saurav,

Thanks for your email..

First we have create a IP access list or we can configure direct IP access-map for blocking Inter vlan routing between two VLANs.

I have 4 VLANs in our test environment and 1 is users vlan, I need to block inter vlan communication between

Mgmt VLAN : 172.20.0.0/16

Server VLAN : 172.21.0.0/16

Database VLAN : 172.22.0.0/16

IT Users VLAN : 172.24.15.0/24

Finance Users VLAN : 172.24.10.0/24

Task to block : inter vlan communication between IT users VLAN and Finance Users VLAN and all three VLAN ( Server Mgmt and DB).

2. all three vlan ( Mgmt, Server and DB) are communicate with IT and Finance Users VLAN