
problem with acl on n3k

blackmetal
Level 1

Hello,

I have an N3K-C3064PQ-10GX running version 7.0(3)I7(9) Bios:version 4.5.0, and I have 2x 10G SFP+ (LACP) from my carrier. Here is my switch config:

SWT(config-acl)# show ip access-lists uplink-acl

IP access list uplink-acl
statistics per-entry
10 permit ip x.x.x.x/32 any [match=0]
20 permit ip y.y.y.y/28 any [match=0]
30 permit ip z.z.z.z/32 any [match=0]
40 deny tcp any any eq bgp [match=8]
70 deny udp any any eq ntp [match=3]
80 permit ip any any [match=2401]
SWT(config-acl)# sh run int po110

!Command: show running-config interface port-channel110
!Running configuration last done at: Fri Dec 25 12:00:34 2020
!Time: Fri Dec 25 12:02:15 2020

version 7.0(3)I7(9) Bios:version 4.5.0

interface port-channel110
description UPLINK
no switchport
ip access-group uplink-acl in
no ip redirects
ip address 1.2.3.4/29


When I telnet to TCP 179 from outside my network, it shows the packets have been matched with rule ID 40, but from the internet it shows TCP 179 is open. I have also added ip access-list match-local-traffic in global config. Any idea or help? Thank you.

9 Replies

Hello,

try and apply the access list to the outside of the interface:

ip access-group uplink-acl out

and check if it is still open from the Internet.

blackmetal
Level 1

I did it, but the problem still exists.

Here is my new config:

interface port-channel110
description UPLINK
no switchport
ip access-group uplink-acl in
ip access-group uplink-acl out
no ip redirects
ip address x.x.x.x/29

Hello,

try and add sequence 50 to your access list:

10 permit ip x.x.x.x/32 any [match=0]
20 permit ip y.y.y.y/28 any [match=0]
30 permit ip z.z.z.z/32 any [match=0]
40 deny tcp any any eq bgp [match=8]

50 deny tcp any eq 179 any
70 deny udp any any eq ntp [match=3]
80 permit ip any any [match=2401]

blackmetal
Level 1

I have set 1.2.3.4/29 on int po110, and it's also strange that when I add "5 deny ip any 1.2.3.4/32" I can still telnet to TCP 179 from the internet! With this rule I have blocked everything totally! I do not know why it works! Any idea?

blackmetal
Level 1

@Georg Pauwen 

It did not work.

Here is the po config:

interface port-channel110
description AminIDC-UPLINK
no switchport
ip access-group uplink-acl in
ip access-group uplink-acl out
no ip redirects
ip address 1.2.3.4/29

Here is the access list config:

IP access list uplink-acl
statistics per-entry
10 permit ip 185.x.x.x/32 any [match=0]
20 permit ip 5.x.x.x/28 any [match=2]
30 permit ip 185.x.x.x/32 any [match=0]
40 deny tcp any any eq bgp [match=77]
50 deny tcp any eq bgp any [match=15]
70 deny udp any any eq ntp [match=142]
80 permit ip any any [match=97302]

I have set 1.2.3.4/29 on int po110, and it's also strange that when I add "5 deny ip any 1.2.3.4/32" I can still telnet to TCP 179 from the internet! With this rule I have blocked everything totally! I do not know why it works!

"5 deny ip any 1.2.3.4/32" still I can telnet to TCP 179 - is this directly connected with the ISP public IP address?

Can you telnet to that port from any source on the internet, or do they belong to any one of the below ranges?

10 permit ip 185.x.x.x/32 any [match=0]
20 permit ip 5.x.x.x/28 any [match=2]
30 permit ip 185.x.x.x/32 any [match=0]

Can you post a screenshot for us to understand what you can see when you telnet?

50 deny tcp any eq bgp any [match=15] - as per this output we do see there are drops here?

 

 

BB

blackmetal
Level 1

It seems it was related to CoPP, and I have done this:

no ip access-list copp-system-acl-routingproto1
ip access-list copp-system-acl-routingproto1
10 permit tcp x.x.139.32/29 gt 1024 any eq bgp
20 permit tcp any eq bgp x.x.139.32/29 gt 1024
30 permit tcp x.x.17.0/24 gt 1024 any eq bgp
40 permit tcp any eq bgp x.x.17.0/24 gt 1024
50 permit tcp x.x.18.0/24 gt 1024 any eq bgp
60 permit tcp any eq bgp x.x.18.0/24 gt 1024
70 permit udp any 224.0.0.0/24 eq rip
80 permit tcp any gt 1024 any eq 639
90 permit tcp any eq 639 any gt 1024
100 permit ospf any any
110 permit ospf any 224.0.0.5/32
120 permit ospf any 224.0.0.6/32


ip access-list deny-bgp-acl
10 permit tcp any gt 1024 any eq bgp
class-map type control-plane match-any deny-bgp
match access-group name deny-bgp-acl
policy-map type control-plane copp-system-policy
class deny-bgp
police pps 0

 

i have replace copp-system-acl-routingproto1 which is copp default rule with my own rule that i sent in the above then add a acl to police tcp 179 to 0 pps , its working, would you confirm this does not cause any issue for me?

i have permitted my trusted source address in copp-system-acl-routingproto1 so then can establish bgp and their police rule is 1000 pps

thanks
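As an added example (not code from the thread), the small Python evaluator below applies NX-OS first-match ACL semantics to the ACLs posted above, with constructed sample addresses in place of the redacted ones and a sample /29 for x.x.139.32/29. It shows that the interface ACL as written does deny a BGP SYN from an untrusted source at sequence 40, and that the rewritten CoPP match ACL classifies BGP only to and from the trusted range, which is consistent with the thread's conclusion that the fix belonged in CoPP rather than the interface ACL.

```python
# Added example, not code from the thread: a first-match evaluator for the
# NX-OS style ACL lines posted above. All addresses are constructed samples.
import ipaddress
PORT_NAMES = {"bgp": 179, "ntp": 123}   # service names used in the posted ACLs

# Interface ACL from the original post (trusted hosts replaced by sample ranges).
UPLINK_ACL = """
10 permit ip 198.51.100.10/32 any [match=0]
20 permit ip 203.0.113.0/28 any [match=0]
40 deny tcp any any eq bgp [match=8]
50 deny tcp any eq bgp any [match=15]
70 deny udp any any eq ntp [match=3]
80 permit ip any any [match=2401]
"""
# Trusted-peer entries of the rewritten CoPP match ACL (sample /29 in place of x.x.139.32/29).
ROUTINGPROTO1_ACL = """
10 permit tcp 192.0.2.32/29 gt 1024 any eq bgp
20 permit tcp any eq bgp 192.0.2.32/29 gt 1024
"""

def _port_ok(op, val, port):
    # Apply an 'eq/gt/lt <port>' qualifier; no qualifier matches any port.
    if op is None:
        return True
    num = int(val) if val.isdigit() else PORT_NAMES[val]
    return {"eq": port == num, "gt": port > num, "lt": port < num}[op]

def _take(toks):
    """Pop 'addr [op port]' from the token list; 'any' is 0.0.0.0/0."""
    addr = toks.pop(0)
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "any" else addr, strict=False)
    op = port = None
    if toks and toks[0] in ("eq", "gt", "lt"):
        op, port = toks.pop(0), toks.pop(0)
    return net, op, port

def evaluate(acl_text, proto, sip, sport, dip, dport):
    """Return (action, seq) of the first ACE matching the 5-tuple, or
    ('deny', None) for the implicit deny at the end of an NX-OS ACL."""
    for line in acl_text.strip().splitlines():
        toks = [t for t in line.split() if not t.startswith("[match=")]
        seq, action, ace_proto, rest = int(toks[0]), toks[1], toks[2], toks[3:]
        src, dst = _take(rest), _take(rest)
        if ace_proto not in ("ip", proto):
            continue
        if (ipaddress.ip_address(sip) in src[0] and ipaddress.ip_address(dip) in dst[0]
                and _port_ok(*src[1:], sport) and _port_ok(*dst[1:], dport)):
            return action, seq
    return "deny", None
```

Run `evaluate(UPLINK_ACL, "tcp", "203.0.113.200", 40000, "192.0.2.1", 179)` for an untrusted BGP SYN: it returns the deny at sequence 40, while the same packet does not match ROUTINGPROTO1_ACL at all.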

Yes, I was about to suggest and ask about CoPP. Glad you were able to find the solution and fix it.

BB

blackmetal
Level 1

@balaji.bandi 

1. I have applied the ACL on the port-channel. In NX-OS, when ip access-list match-local-traffic is enabled, does it not check local traffic?

2. Would you review my previous post's config and confirm my trusted network can connect and establish BGP with no issue and the rest of the network cannot? (I have tested it myself and everything was OK, but I want to know another engineer's opinion.)
