04-06-2015 07:32 AM - edited 03-07-2019 11:24 PM
Dear Sirs!
I have a segment of my network (segment "A") which needs to be accessible from another segment (segment "B"), but reverse traffic must flow only for sessions that were initiated from segment "B".
For TCP traffic, I can use the "established" keyword in the ACL entry.
But what can I do for UDP?
Reflexive ACLs are not available on the Nexus 5K.
All of this configuration must be implemented on the Nexus 5596 with the L3 card.
-----------------
In ASA terminology, I want to make the security level of the SVI interface for VLAN segment "A" lower. A stateful firewall would be best, but the Nexus 5500 is not a firewall :-(
Thanks!
04-06-2015 07:58 AM
The short answer is you can't.
Unless you have reflexive ACLs, which you say Nexus switches don't support, it's not possible, because ACLs are not stateful, so they check each packet in isolation.
The "established" keyword only works for TCP because of the connection flags which UDP doesn't have.
Sorry but you need a firewall if you want to control which side can initiate the connection.
Jon
04-06-2015 08:08 AM
Hi Oleg Volkov,
Jon said it correctly: you're going to need a firewall for such a configuration.
A suggestion: if you have any IOS device connecting to the Nexus and you're controlling access between them, and you don't want to waste firewall hardware just for this, you can use a zone-based firewall configuration on the IOS device and achieve the same thing you would with a firewall.
Zone-Based Policy Firewall Design and Application Guide
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
- Ashok
04-06-2015 08:37 AM
Hi!
Thanks for the answer. But in this VLAN I have high traffic, and my other devices are very slow for this.
I will try to determine the UDP port range and allow only this range plus TCP established.
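The stateless compromise described in this thread, written out as an added NX-OS ACL example (not configuration from the original posts): segment "A" is assumed to be 10.10.0.0/24 on VLAN 10, segment "B" 10.20.0.0/24, and the UDP service on "A" is assumed to answer from source ports 5000-5100 (a constructed range; substitute the real one). The ACL is applied inbound on the SVI of VLAN "A", so it only sees traffic leaving "A" towards "B", and the `statistics per-entry` counters give a cheap view of how much traffic each entry is passing or dropping.

```text
ip access-list SEG-A-TO-B-IN
  statistics per-entry
  5  remark TCP replies: established only checks the ACK/RST flags, it keeps no session table
  10 permit tcp 10.10.0.0/24 10.20.0.0/24 established
  15 remark UDP replies: service source ports (constructed range) to ephemeral ports on B
  20 permit udp 10.10.0.0/24 range 5000 5100 10.20.0.0/24 gt 1023
  25 remark Everything else from A towards B is dropped; counters show what was denied
  30 deny ip 10.10.0.0/24 10.20.0.0/24
  35 remark Traffic from A to any other destination is left untouched by this list
  40 permit ip any any
!
interface Vlan10
  ip access-group SEG-A-TO-B-IN in
```

Because every entry is evaluated per packet, any UDP datagram from "A" with a source port inside the range and a high destination port is forwarded whether or not "B" ever started that exchange, so this bounds exposure to one port range rather than enforcing who initiated the session.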