Nexus 3548 RACL on SVI interface not working with tcp flag

rciowang
Level 1

Hi All,

I'm working on a Nexus 3548, version 7.0(3)I7(3), and want to deny TCP SYN packets sent out from a VLAN:

ip access-list deny-syn
  10 deny tcp any any syn
  20 permit ip any any

and apply the access list to the SVI interface in the in direction:

ip access-group deny-syn in

but I can still make TCP connections. If I remove the syn flag:

  10 deny tcp any any

all the TCP flows are blocked. So it seems like TCP flag access lists are not supported on the Nexus switch? Or I just did something wrong.

2 Replies

balaji.bandi
Hall of Fame

Can you post the full configuration?

How about the syntax below:

Example: Filtering Packets That Contain TCP Flags

The following access list allows TCP packets only if the TCP flags ACK and SYN are set and the FIN flag is not set:


ip access-list extended aaa
 permit tcp any any match-all +ack +syn -fin
 end

The show access-list command has been entered to display the ACL:


Device# show access-list aaa

Extended IP access list aaa
 10 permit tcp any any match-all +ack +syn -fin

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi balaji,

Sorry for that, I thought it was a really simple configuration; here is the full command line output you asked for:

# show ip access-lists deny-syn

IP access list deny-syn
        10 deny tcp any any syn
        20 permit ip any any
# show run interface vlan 2041

!Command: show running-config interface Vlan2041
!Time: Wed Jul 31 14:45:57 2019

version 7.0(3)I7(3)

interface Vlan2041
  no shutdown
  no autostate
  ip access-group deny-syn in
  no ip redirects
  ip address 10.41.20.3/24
  ip router ospf 1 area 0.0.0.2
  hsrp 0
    preempt
    priority 105
    ip 10.41.20.1
  hsrp 1
    preempt
    ip 10.41.20.2
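An added Python model of what the flag syntaxes in this thread are meant to match (it is not NX-OS code and not from the thread): it evaluates the poster's deny-syn list, the flag-less variant, and the IOS match-all example from the reply against constructed packets. It models only the documented ACE semantics, i.e. the expected behaviour, not the 3548 hardware path the question is about, and it assumes only "any any" addresses.

```python
from dataclasses import dataclass

# TCP header flag bits (RFC 9293), keyed by the ACL keywords used in the thread.
FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", ...
    flags: int = 0  # TCP flag byte; ignored for non-TCP

def ace_matcher(ace):
    """Turn 'permit|deny <proto> any any [flags...]' into (action, predicate).
    Bare keywords need the named bit set ('syn' also matches a SYN-ACK), 'established'
    means ACK or RST, and 'match-all +x -y' is the IOS form quoted in the reply above."""
    words = ace.split()
    action, proto, spec = words[0], words[1], words[4:]   # assumes "any any" addresses

    def flags_ok(flags):
        if not spec:
            return True
        if spec[0] == "match-all":    # every +flag set and every -flag clear
            return all((flags & FLAGS[t[1:]] != 0) == (t[0] == "+") for t in spec[1:])
        if spec == ["established"]:   # reply-direction traffic, never an initial SYN
            return flags & (FLAGS["ack"] | FLAGS["rst"]) != 0
        return all(flags & FLAGS[k] for k in spec)

    def match(pkt):
        if proto != "ip" and pkt.proto != proto:
            return False
        return proto != "tcp" or flags_ok(pkt.flags)

    return action, match

def evaluate(acl, pkt):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        action, match = ace_matcher(ace)
        if match(pkt):
            return action
    return "deny"

# The three lists from the thread, sequence numbers stripped.
DENY_SYN = ["deny tcp any any syn", "permit ip any any"]
DENY_ALL_TCP = ["deny tcp any any", "permit ip any any"]
MATCH_ALL = ["permit tcp any any match-all +ack +syn -fin"]

# Constructed packets: client SYN, server SYN-ACK, mid-stream ACK, and a UDP datagram.
SYN, SYN_ACK, ACK = Packet("tcp", 0x02), Packet("tcp", 0x12), Packet("tcp", 0x10)
UDP = Packet("udp")
```

Note that deny-syn also drops a SYN-ACK arriving inbound on the SVI, since the syn keyword only requires the SYN bit to be set.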