05-07-2018 01:29 PM - edited 03-08-2019 02:56 PM
We plan on replacing our Nexus 7010 with a Nexus 9508.
One challenge is that the Nexus 9508 does not support an IPv4 ACL on egress of the SVI.
One solution is to remove the VLAN interface and route the traffic to a firewall.
We are looking for other solutions.
The purpose of the ACL is to limit traffic destined to the VLAN devices.
A restrictive VLAN.
Thanks
05-07-2018 01:37 PM
The purpose of the ACL is to limit traffic destined to the VLAN devices.
How do you limit the traffic today using the 7010?
If it is QoS, firewalls may have more limited functionality when it comes to QoS.
HTH
05-07-2018 01:42 PM
05-07-2018 01:59 PM
Another suggestion was a VACL.
A VACL is used for blocking and forwarding within a VLAN and not inbound or outbound to a VLAN.
ip access-group LIMITACCESSOUT out
You did not post the ACL statement but if you have a deny statement, this will block all traffic and not limit traffic. Is that what you are trying to do?
HTH
05-15-2018 06:23 AM
By removing the logging option in the ACL, we were able to apply the ACL.
The posts were very helpful.