Port ip ACL seems to be ignored on Nexus 3500 port channel?

Good day everyone!

I've been having trouble with a port IP ACL on a Nexus 3500, but only when it is applied to a port channel. The ACL works when applied to the physical port (E1/1) but not the port channel (Po3000).

Mod Ports             Module-Type                      Model           Status
--- ----- ------------------------------------- --------------------- ---------
1    48   48x10GE Supervisor                    N3K-C3548P-XL         active *

Mod  Sw                       Hw    Slot
---  ----------------------- ------ ----
1    9.3(13)                  1.0    NA

We've been following this guide on back-to-back Nexi with dual-active HSRP, which was written with 9k hardware in mind. 

We have 93180YC-FX3s in production but wanted to test on the old 3Ks.

The documentation suggests that the port ip ACL should work.

When the ACL is applied on E1/1 we can see the statistics in the access-list increment away happily but as soon as we apply it to a port channel it seems to be ignored.

Has anyone had any experience with this? Is there likely something I'm missing? Config excerpt and command outputs below.

WORKS:

dc-ben-a# clear ip access-list counter
dc-ben-a# show ip access-list DHI

IP access list DHI
        statistics per-entry
        10 deny udp any 224.0.0.2/32 eq 1985 [match=0]
        20 deny udp any 224.0.0.102/32 eq 1985 [match=0]
        30 permit ip any any [match=0]
dc-ben-a# conf t
Enter configuration commands, one per line. End with CNTL/Z.
dc-ben-a(config)# int e1/1-2
dc-ben-a(config-if-range)#  ip port access-group DHI in
dc-ben-a(config-if-range)# end

!!!!!!!! WAIT A COUPLE OF SECONDS !!!!!!!!
dc-ben-a# show ip access-list DHI

IP access list DHI
        statistics per-entry
        10 deny udp any 224.0.0.2/32 eq 1985 [match=0]
        20 deny udp any 224.0.0.102/32 eq 1985 [match=11]
        30 permit ip any any [match=0]
dc-ben-a# show run int e1/1-2

!Command: show running-config interface Ethernet1/1-2
!Running configuration last done at: Thu Jan  9 01:45:03 2025
!Time: Thu Jan  9 01:46:00 2025

version 9.3(13) Bios:version 5.6.0

interface Ethernet1/1
  description DCI-CENA
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30,40
  ip port access-group DHI in

interface Ethernet1/2
  description DCI-CENA
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30,40
  ip port access-group DHI in

DOESN'T WORK

dc-ben-a# conf t
Enter configuration commands, one per line. End with CNTL/Z.
dc-ben-a(config)# int e1/1-2
dc-ben-a(config-if-range)#   no ip port access-group DHI in
dc-ben-a(config-if-range)# end
dc-ben-a# clear ip access-list counter
dc-ben-a# show ip access-list DHI

IP access list DHI
        statistics per-entry
        10 deny udp any 224.0.0.2/32 eq 1985
        20 deny udp any 224.0.0.102/32 eq 1985
        30 permit ip any any
dc-ben-a# conf t
Enter configuration commands, one per line. End with CNTL/Z.
dc-ben-a(config)# int po3000
dc-ben-a(config-if)#   ip port access-group DHI in
dc-ben-a(config-if)# int e1/1-2
dc-ben-a(config-if-range)#   channel-group 3000 mode active
dc-ben-a(config-if-range)# end

!!!!!!!! WAIT A COUPLE OF MINUTES !!!!!!!!

dc-cen-a# show ip access-list DHI

IP access list DHI
        statistics per-entry
        10 deny udp any 224.0.0.2/32 eq 1985 [match=0]
        20 deny udp any 224.0.0.102/32 eq 1985 [match=0]
        30 permit ip any any [match=0]
dc-ben-a# show run int e1/1-2

!Command: show running-config interface Ethernet1/1-2
!Running configuration last done at: Thu Jan  9 01:49:22 2025
!Time: Thu Jan  9 01:50:10 2025

version 9.3(13) Bios:version 5.6.0

interface Ethernet1/1
  description DCI-CENA
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30,40
  channel-group 3000 mode active

interface Ethernet1/2
  description DCI-CENA
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30,40
  channel-group 3000 mode active

dc-ben-a# show run int po3000

!Command: show running-config interface port-channel3000
!Running configuration last done at: Thu Jan  9 01:49:22 2025
!Time: Thu Jan  9 01:50:14 2025

version 9.3(13) Bios:version 5.6.0

interface port-channel3000
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30,40
  ip port access-group DHI in
  spanning-tree port type network
  vpc 3000

dc-ben-a#
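
The comparison the post makes by hand (clear counters, apply the ACL, wait, re-read the per-entry statistics) can be done mechanically. The following is an added example, not code from the original poster or from Cisco: a small Python parser for NX-OS `show ip access-list` output with `statistics per-entry`, which diffs two snapshots and reports whether any entry (and which deny entries) incremented. The two snapshots are constructed to mirror the counters shown above; it is not a captured device session.

```python
import re
from typing import Dict, Tuple

# Constructed snapshots modelled on the post's "show ip access-list DHI" output
# (statistics per-entry enabled). Not captured from a real device.
BEFORE = """IP access list DHI
        statistics per-entry
        10 deny udp any 224.0.0.2/32 eq 1985 [match=0]
        20 deny udp any 224.0.0.102/32 eq 1985 [match=0]
        30 permit ip any any [match=0]
"""

# Snapshot taken after the ACL was applied on the physical members (E1/1-2).
AFTER_PHYSICAL = """IP access list DHI
        statistics per-entry
        10 deny udp any 224.0.0.2/32 eq 1985 [match=0]
        20 deny udp any 224.0.0.102/32 eq 1985 [match=11]
        30 permit ip any any [match=0]
"""

# Snapshot taken after the ACL was moved to Po3000: nothing moved at all.
AFTER_PORTCHANNEL = BEFORE

ACL_HEADER = re.compile(r"^IP access list (\S+)\s*$")
ENTRY = re.compile(r"^\s*(\d+)\s+(.*?)\s*\[match=(\d+)\]\s*$")


def parse_acl_counters(text: str) -> Dict[str, Dict[int, Tuple[str, int]]]:
    """Return {acl_name: {seq: (rule_text, match_count)}}.

    Lines without a [match=N] suffix (the 'statistics per-entry' line, or
    entries shown while statistics are disabled) are skipped, as are prompts.
    """
    acls: Dict[str, Dict[int, Tuple[str, int]]] = {}
    current = None
    for line in text.splitlines():
        m = ACL_HEADER.match(line.strip())
        if m:
            current = m.group(1)
            acls[current] = {}
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            seq, rule, count = int(m.group(1)), m.group(2), int(m.group(3))
            acls[current][seq] = (rule, count)
    return acls


def counter_delta(before: str, after: str, acl: str) -> Dict[int, int]:
    """Per-entry increase in match count between two snapshots of one ACL.

    An entry missing from the 'before' snapshot is treated as starting at 0,
    which is what 'clear ip access-list counter' gives you anyway.
    """
    b = parse_acl_counters(before).get(acl, {})
    a = parse_acl_counters(after).get(acl, {})
    return {seq: count - b.get(seq, (rule, 0))[1] for seq, (rule, count) in a.items()}


def acl_is_matching(before: str, after: str, acl: str) -> bool:
    """True if at least one entry incremented, i.e. traffic is reaching the ACL."""
    return any(d > 0 for d in counter_delta(before, after, acl).values())


def deny_hits(before: str, after: str, acl: str) -> Dict[int, int]:
    """Only the deny entries that incremented: what was actually dropped."""
    after_entries = parse_acl_counters(after).get(acl, {})
    deltas = counter_delta(before, after, acl)
    return {seq: n for seq, n in deltas.items()
            if n > 0 and after_entries[seq][0].startswith("deny")}


if __name__ == "__main__":
    for label, snap in (("E1/1-2", AFTER_PHYSICAL), ("Po3000", AFTER_PORTCHANNEL)):
        print(label, "matching:", acl_is_matching(BEFORE, snap, "DHI"),
              "deny hits:", deny_hits(BEFORE, snap, "DHI"))
```

Run with both snapshots and the physical-port case reports entry 20 with 11 hits while the port-channel case reports no movement, which is the symptom in the post. A zero delta on every entry only tells you the ACL saw no traffic during the window; whether that is because the PACL was not programmed for the port channel or because no matching traffic was offered still has to be decided from what you know was sent across the link.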


2 Replies

M02@rt37 (VIP)

Hello @tgardiner_wesley 

Can you test a VACL to see if you have the same symptom:

vlan access-map DHI_VACL 10
match ip address DHI
action drop
vlan filter DHI_VACL vlan-list 10-40

It should be a limitation concerning PACLs. Applying ACLs to port channels processes traffic at the aggregate logical interface rather than the individual member interfaces, and specific hardware limitations on the Nexus 3548 could contribute to the ACL being bypassed or ignored.

VACLs operate at the VLAN level and apply to all interfaces (physical or logical) carrying traffic for that VLAN.

If it works, then it could be a limitation on your Nexus (old model). PACLs are processed in hardware on switches to ensure high performance. When applied to physical interfaces, the switch can map the ACL rules directly to the hardware TCAM, which is responsible for high-speed packet filtering. However, applying a PACL to a Po interface, which is a logical interface aggregating multiple physical links, might introduce challenges in hardware resource allocation or support...


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Morning,

Thanks for the feedback, M02@rt37.

I've been pulled off onto another job for a bit, so sorry for the tardy reply. Looks like we'll have to try it on the running kit to find out.

Will post back when I have an answer!