01-06-2022 02:01 AM
I have a problem applying an ACL on a Nexus 9000.
My goal with this ACL is to let one IP source reach a server while others can't access that server, but the server can still access the internet and other destinations (such as other servers in a different VLAN).
10.63.61.36/32 --> 10.63.31.100/32 (Permit)
10.63.61.10/32 --> 10.63.31.100/32 (Permit)
Any --> 10.63.31.100/32 (Deny)
10.63.31.100/32 --> Any (Permit)
Note:
10.63.61.0/24 is vlan 61
10.63.31.0/24 is vlan 31
10.66.1.110 is the local DNS server for internet access
And I tried to make the ACL like this:
ip access-list VMWARE_SERVER_out
10 permit ip 10.63.61.36/32 10.63.31.100/32
11 permit ip 10.63.61.10/32 10.63.31.100/32
20 deny ip any 10.63.31.100/32
30 permit ip any any
!
ip access-list VMWARE_SERVER_in
10 permit ip 10.63.31.100/32 any
!
int vlan 31
ip access-group VMWARE_SERVER_in in
ip access-group VMWARE_SERVER_out out
If I apply that ACL, only IPs 10.63.61.36 & 10.63.31.10 can access server 10.63.31.100 (done),
but the issue is that 10.63.31.100 can't access anything (it can only ping the gateway of every VLAN and IPs 10.63.61.36 & 10.63.61.10, and can't access the internet either).
Please help.
01-06-2022 02:40 AM
Hello,
This is tricky. Your current access list denies access from the server to anything else but the two hosts you have specified.
Try the access list below (I think you only need one). I haven't tested this, but give it a try:
ip access-list VMWARE_SERVER_in
10 permit ip 10.63.61.36/32 10.63.31.100/32
11 permit ip 10.63.61.10/32 10.63.31.100/32
20 deny ip 10.63.61.0/24 10.63.31.100/32
30 deny ip 10.63.63.0/24 10.63.31.100/32
40 permit ip 10.63.31.100/32 any
!
interface Vlan 31
ip access-group VMWARE_SERVER_in in
This access list would permit hosts 10.63.61.36 and 10.63.61.10 to access server 10.63.31.100, deny access from anything else in Vlan 61 to the server, and allow the server to access the Internet as well as other Vlans.
01-06-2022 11:21 PM
Thanks for your response Georg Pauwen,
I will try your ACL, but I don't understand ACL rule no. 30 (30 deny ip 10.63.63.0/24 10.63.31.100/32); I don't have network 10.63.63.0/24. Is this a typo or something?
Regards,
Ardhy
01-06-2022 07:10 AM
Hi
I'm not sure I understand what you are expecting.
Do you want to limit ingress traffic to the server 10.63.31.100 except from 10.63.61.36 and 10.63.61.10, but leave the server itself free to contact any host on any network? Do you have other servers on VLAN 31 which need to be reachable?
If I'm right, I think you should allow established TCP traffic and UDP traffic back, according to what fits your needs. For example, if you expect the server to use well-known ports on outside servers. If so, your access list might look like this:
ip access-list VMWARE_SERVER_out
! let TCP established traffic back to your server
1 permit tcp any 10.63.31.100/32 established
! let well-known UDP ports traffic back to your server. Adapt it as you need.
2 permit udp any lt 1024 10.63.31.100/32 gt 1023
10 permit ip 10.63.61.36/32 10.63.31.100/32
11 permit ip 10.63.61.10/32 10.63.31.100/32
! you might add log to the next entry to see what you drop
20 deny ip any 10.63.31.100/32
! the last permit entry is not useful if there is no other server, so I put a comment in front of it
! 30 permit ip any any
!
ip access-list VMWARE_SERVER_in
10 permit ip 10.63.31.100/32 any
!
int vlan 31
ip access-group VMWARE_SERVER_in in
ip access-group VMWARE_SERVER_out out
Hope this helps.
Jérôme
01-07-2022 12:51 AM
Hi Jerome, thanks for your response. I will answer your question, "Do you have other servers on VLAN 31 which need to be reachable?" The answer is yes: VLAN 31 has many servers other than 10.63.31.100.
The goal is that IPs 10.63.61.36 & 10.63.61.10 from VLAN 61 can access server 10.63.31.100 only (others are blocked), but 10.63.61.36 and 10.63.61.10 can access any network as well; likewise, server 10.63.31.100 can access any network (including internet access).
If I look at rules no. 1 and 2, they will allow any (TCP) to server 10.63.31.100, right?
01-07-2022 02:40 AM - edited 01-07-2022 02:42 AM
Hi
Rule 1 will allow TCP traffic established by server 10.63.31.100 to flow back to it.
Rule 2 tries to do the same with UDP, but no state exists for that, so you have to set it up as best you can.
Since you have other servers on VLAN 31, please find another ACL configuration below:
ip access-list VMWARE_SERVER_out
! let TCP established traffic back to your server
1 permit tcp any 10.63.31.100/32 established
! let well-known UDP ports traffic back to your server. Adapt it as you need.
2 permit udp any lt 1024 10.63.31.100/32 gt 1023
10 permit ip 10.63.61.36/32 10.63.31.100/32
11 permit ip 10.63.61.10/32 10.63.31.100/32
! drop all other traffic to server 10.63.31.100
20 deny ip any 10.63.31.100/32 log
! permit all IP traffic to vlan 31 subnet
30 permit ip any 10.63.31.0/24
!
ip access-list VMWARE_SERVER_in
! permit all IP traffic from vlan 31 subnet
10 permit ip 10.63.31.0/24 any
!
int vlan 31
ip access-group VMWARE_SERVER_in in
ip access-group VMWARE_SERVER_out out
Jérôme
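As an added illustration (not code from the thread), the following Python evaluator models first-match processing of the ACEs above and shows why the original VMWARE_SERVER_out drops the server's own return traffic while the "established" entry admits it. The packet values are constructed; 203.0.113.10 is a documentation address standing in for an internet host.

```python
# Added example, not code from the thread: a first-match evaluator for the few NX-OS ACE
# keywords the thread uses (ip/tcp/udp, any, a.b.c.d/len, lt/gt, established).
import ipaddress

def _addr(toks):
    """Consume 'any' or an a.b.c.d/len prefix; return (network, remaining tokens)."""
    return ipaddress.ip_network("0.0.0.0/0" if toks[0] == "any" else toks[0]), toks[1:]

def _port(toks):
    """Consume an optional 'lt N' / 'gt N' port operator; return (predicate, remaining)."""
    if toks and toks[0] in ("lt", "gt"):
        op, n = toks[0], int(toks[1])
        return ((lambda p: p < n) if op == "lt" else (lambda p: p > n)), toks[2:]
    return (lambda p: True), toks

def parse_ace(line):
    """Parse one ACE such as '20 deny ip any 10.63.31.100/32 log' into a dict."""
    toks = line.split()
    src, rest = _addr(toks[3:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return dict(seq=int(toks[0]), action=toks[1], proto=toks[2], src=src, sport=sport,
                dst=dst, dport=dport, established="established" in rest)

def evaluate(acl, pkt):
    """First match wins; returns (action, seq), or ('deny', None) for the implicit deny.
    pkt keys: proto, src, dst, sport, dport, ack (True when the TCP ACK or RST bit is set)."""
    for ace in (parse_ace(l) for l in acl if not l.lstrip().startswith("!")):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if (ipaddress.ip_address(pkt["src"]) not in ace["src"]
                or ipaddress.ip_address(pkt["dst"]) not in ace["dst"]):
            continue
        if not (ace["sport"](pkt["sport"]) and ace["dport"](pkt["dport"])):
            continue
        if ace["established"] and not pkt["ack"]:  # 'established' needs ACK or RST set
            continue
        return ace["action"], ace["seq"]
    return "deny", None

# Both VMWARE_SERVER_out versions from the thread. The 'out' ACL on SVI Vlan 31 filters
# packets routed toward VLAN 31, so it also sees every reply coming back to the server.
ORIGINAL_OUT = ["10 permit ip 10.63.61.36/32 10.63.31.100/32", "11 permit ip 10.63.61.10/32 10.63.31.100/32",
                "20 deny ip any 10.63.31.100/32", "30 permit ip any any"]
FIXED_OUT = ["1 permit tcp any 10.63.31.100/32 established",
             "2 permit udp any lt 1024 10.63.31.100/32 gt 1023"] + ORIGINAL_OUT[:2] + [
             "20 deny ip any 10.63.31.100/32 log", "30 permit ip any 10.63.31.0/24"]
# Constructed sample: the SYN-ACK a web server (203.0.113.10) returns to 10.63.31.100
# after the server opened an HTTPS connection from ephemeral port 51000.
SYN_ACK = dict(proto="tcp", src="203.0.113.10", dst="10.63.31.100", sport=443, dport=51000, ack=True)
```

Running evaluate(ORIGINAL_OUT, SYN_ACK) returns the deny at sequence 20, which is exactly the symptom in the first post, while evaluate(FIXED_OUT, SYN_ACK) is permitted by sequence 1 and an unsolicited SYN from outside still hits sequence 20.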
01-08-2022 03:55 PM
Hi Jerome,
OK, I understand the meaning of rules no. 1 and no. 2 now.
I will try adding those rules tomorrow and will update you soon.
Thanks Jerome.
01-09-2022 10:28 PM
Hi Jerome,
I have tested your suggestion to add rules no. 1 and no. 2, and it works.
The server IP (10.63.31.100) can access the internet and other networks.
Note:
* In order for server 10.63.31.100 to access other networks, you have to make a specific rule to allow a specific host or VLAN to the server VLAN (10.63.31.100). For example, 10.63.31.100 couldn't access the DNS server (10.66.1.110), so I had to add a rule like this: 16 permit ip 10.66.1.110/32 10.63.31.100/32. And if you want to access a network VLAN, you can add this rule: 19 permit ip 10.66.2.0/24 10.63.31.100/32.
This is the ACL that I made in my environment:
IP access list VMWARE_TEST_03
statistics per-entry
1 permit tcp any 10.63.31.100/32 established [match=1661]
2 permit udp any lt 1024 10.63.31.100/32 gt 1023 [match=226]
10 permit ip 10.63.63.18/32 10.63.31.100/32 [match=4]
15 permit ip 10.63.61.36/32 10.63.31.100/32 [match=0]
16 permit ip 10.66.1.110/32 10.63.31.100/32 [match=274]
17 permit ip 172.20.1.24/32 10.63.31.100/32 [match=5]
18 permit ip 10.66.2.0/24 10.63.31.100/32 [match=16]
20 deny ip any 10.63.31.100/32 [match=871]
30 permit ip any 10.63.31.0/24 [match=561]
40 permit ip any any [match=0]