12-25-2020 12:58 AM
Hello,
I have an n3k-c3064pq-10gx running version 7.0(3)I7(9), Bios:version 4.5.0, and I have 2x 10G SFP+ (LACP) from my carrier. Here is my switch config:
SWT(config-acl)# show ip access-lists uplink-acl
IP access list uplink-acl
statistics per-entry
10 permit ip x.x.x.x/32 any [match=0]
20 permit ip y.y.y.y/28 any [match=0]
30 permit ip z.z.z.z/32 any [match=0]
40 deny tcp any any eq bgp [match=8]
70 deny udp any any eq ntp [match=3]
80 permit ip any any [match=2401]
SWT(config-acl)# sh run int po110
!Command: show running-config interface port-channel110
!Running configuration last done at: Fri Dec 25 12:00:34 2020
!Time: Fri Dec 25 12:02:15 2020
version 7.0(3)I7(9) Bios:version 4.5.0
interface port-channel110
description UPLINK
no switchport
ip access-group uplink-acl in
no ip redirects
ip address 1.2.3.4/29
When I telnet to TCP 179 from outside my network, it shows the packets have been matched by rule id 40, but from the internet it shows TCP 179 is open. I have also added ip access-list match-local-traffic in global config. Any idea or help? Thank you.
12-25-2020 01:22 AM
Hello,
Try applying the access list outbound on the interface as well:
ip access-group uplink-acl out
and check if it is still open from the Internet.
12-25-2020 01:24 AM
I did it, but the problem still exists.
Here is my new config:
interface port-channel110
description UPLINK
no switchport
ip access-group uplink-acl in
ip access-group uplink-acl out
no ip redirects
ip address x.x.x.x/29
12-25-2020 01:40 AM
Hello,
Try adding sequence 50 to your access list:
10 permit ip x.x.x.x/32 any [match=0]
20 permit ip y.y.y.y/28 any [match=0]
30 permit ip z.z.z.z/32 any [match=0]
40 deny tcp any any eq bgp [match=8]
50 deny tcp any eq 179 any
70 deny udp any any eq ntp [match=3]
80 permit ip any any [match=2401]
12-25-2020 01:38 AM
I have set 1.2.3.4/29 on int po110, and it is also strange that when I add "5 deny ip any 1.2.3.4/32" I can still telnet to TCP 179 from the internet! With this rule I have blocked everything totally! I do not know why it works! Any idea?
12-25-2020 01:44 AM
It did not work.
Here is the po config:
interface port-channel110
description AminIDC-UPLINK
no switchport
ip access-group uplink-acl in
ip access-group uplink-acl out
no ip redirects
ip address 1.2.3.4/29
Here is the access list config:
IP access list uplink-acl
statistics per-entry
10 permit ip 185.x.x.x/32 any [match=0]
20 permit ip 5.x.x.x/28 any [match=2]
30 permit ip 185.x.x.x/32 any [match=0]
40 deny tcp any any eq bgp [match=77]
50 deny tcp any eq bgp any [match=15]
70 deny udp any any eq ntp [match=142]
80 permit ip any any [match=97302]
I have set 1.2.3.4/29 on int po110, and it is also strange that when I add "5 deny ip any 1.2.3.4/32" I can still telnet to TCP 179 from the internet! With this rule I have blocked everything totally! I do not know why it works!
12-25-2020 04:19 AM
"5 deny ip any 1.2.3.4/32" still I can telnet to TCP 179 - is this directly connected to the ISP public IP address?
From any source on the internet you can telnet to that port? Or do they belong to any one of the ranges below?
10 permit ip 185.x.x.x/32 any [match=0]
20 permit ip 5.x.x.x/28 any [match=2]
30 permit ip 185.x.x.x/32 any [match=0]
Can you post a screenshot so we can understand what you see when you telnet?
50 deny tcp any eq bgp any [match=15] - as per this output, we do see drops here?
12-25-2020 04:24 AM
It seems it was related to CoPP, and I have done this:
no ip access-list copp-system-acl-routingproto1
ip access-list copp-system-acl-routingproto1
10 permit tcp x.x.139.32/29 gt 1024 any eq bgp
20 permit tcp any eq bgp x.x.139.32/29 gt 1024
30 permit tcp x.x.17.0/24 gt 1024 any eq bgp
40 permit tcp any eq bgp x.x.17.0/24 gt 1024
50 permit tcp x.x.18.0/24 gt 1024 any eq bgp
60 permit tcp any eq bgp x.x.18.0/24 gt 1024
70 permit udp any 224.0.0.0/24 eq rip
80 permit tcp any gt 1024 any eq 639
90 permit tcp any eq 639 any gt 1024
100 permit ospf any any
110 permit ospf any 224.0.0.5/32
120 permit ospf any 224.0.0.6/32
ip access-list deny-bgp-acl
10 permit tcp any gt 1024 any eq bgp
class-map type control-plane match-any deny-bgp
match access-group name deny-bgp-acl
policy-map type control-plane copp-system-policy
class deny-bgp
police pps 0
I have replaced copp-system-acl-routingproto1, which is the CoPP default rule, with my own rule that I sent above, then added an ACL to police TCP 179 to 0 pps. It's working. Would you confirm this does not cause any issue for me?
I have permitted my trusted source addresses in copp-system-acl-routingproto1 so they can establish BGP, and their police rule is 1000 pps.
thanks
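The two things this thread turns on are reading the per-entry counters in `show ip access-lists` output to see which entry a flow hits, and building a CoPP ACL that admits BGP only from trusted peers. The script below is an added example written for this page, not code from the thread or from Cisco: `parse_acl()` reads the `statistics per-entry` output format the poster pasted, `first_match()` reports the entry a given flow hits in sequence order (None means the implicit deny at the end of the list), and `copp_bgp_acl()` renders a trusted-peer BGP ACL in the paired ephemeral-to-179 / 179-to-ephemeral form used in the CoPP post. It keys both entries on the peer prefix as the source, because CoPP only classifies packets arriving at the supervisor (the thread's second entry places the prefix in the destination slot instead). All prefixes, ACL names and match counters are constructed sample data.

```python
"""Added example (not from the original thread): parse NX-OS per-entry ACL
counters, evaluate a flow against the ACL, and render a trusted-peer CoPP
BGP ACL. All addresses, names and counters below are constructed samples."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Service names NX-OS prints instead of port numbers (subset needed here).
SERVICE_PORTS = {"bgp": 179, "ntp": 123, "rip": 520}
ANY = ipaddress.ip_network("0.0.0.0/0")

# One ACE line: "<seq> permit|deny <proto> <src> [eq|gt P] <dst> [eq|gt P] [[match=N]]"
_PORT = r"(?:\s+(?:eq|gt)\s+\S+)?"
ENTRY_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)(?P<sport>" + _PORT + r")\s+"
    r"(?P<dst>\S+)(?P<dport>" + _PORT + r")"
    r"(?:\s+\[match=(?P<match>\d+)\])?\s*$"
)


@dataclass
class Entry:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[tuple]   # ("eq", 179) / ("gt", 1024) / None
    dst: ipaddress.IPv4Network
    dport: Optional[tuple]
    match: Optional[int]     # per-entry counter, None if not shown


def _net(tok: str) -> ipaddress.IPv4Network:
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


def _port(spec: str) -> Optional[tuple]:
    parts = spec.split()
    if not parts:
        return None
    op, val = parts
    return op, SERVICE_PORTS.get(val) or int(val)


def parse_acl(text: str) -> list:
    """Parse `show ip access-lists` (or ACL config) text into sorted entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line, "statistics per-entry", blanks
        entries.append(Entry(
            int(m["seq"]), m["action"], m["proto"],
            _net(m["src"]), _port(m["sport"]),
            _net(m["dst"]), _port(m["dport"]),
            int(m["match"]) if m["match"] else None,
        ))
    return sorted(entries, key=lambda e: e.seq)


def _port_ok(cond: Optional[tuple], port: int) -> bool:
    if cond is None:
        return True
    op, n = cond
    return port == n if op == "eq" else port > n


def first_match(entries, proto, src, sport, dst, dport) -> Optional[Entry]:
    """First entry the flow matches in sequence order; None = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if (s in e.src and d in e.dst
                and _port_ok(e.sport, sport) and _port_ok(e.dport, dport)):
            return e
    return None


def copp_bgp_acl(name: str, trusted_peers) -> str:
    """Render an ACL admitting BGP only from trusted peer prefixes. The peer
    is the source in both entries (CoPP sees only packets arriving at the
    supervisor); the port pairs cover both session directions."""
    lines = [f"ip access-list {name}"]
    seq = 10
    for p in trusted_peers:
        net = ipaddress.ip_network(p)  # raises ValueError on a bad prefix
        lines.append(f"  {seq} permit tcp {net} gt 1024 any eq bgp")
        lines.append(f"  {seq + 10} permit tcp {net} eq bgp any gt 1024")
        seq += 20
    return "\n".join(lines)


# Constructed sample in the poster's `statistics per-entry` output format.
SAMPLE_SHOW = """\
IP access list uplink-acl
        statistics per-entry
        10 permit ip 198.51.100.10/32 any [match=0]
        20 permit ip 203.0.113.0/28 any [match=2]
        40 deny tcp any any eq bgp [match=77]
        50 deny tcp any eq bgp any [match=15]
        70 deny udp any any eq ntp [match=142]
        80 permit ip any any [match=97302]
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_SHOW)
    hit = first_match(acl, "tcp", "192.0.2.5", 40000, "10.0.0.1", 179)
    print("untrusted BGP SYN hits seq", hit.seq, hit.action, "counter", hit.match)
    print(copp_bgp_acl("copp-bgp-trusted", ["203.0.113.0/28"]))
```

`first_match()` only models the ACL's own ordering and counters; it says nothing about whether the platform consults an interface RACL at all for packets addressed to the switch's own address, which is the gap the thread closed with CoPP. Feeding the rendered CoPP ACL back through `parse_acl()` lets you confirm that a trusted peer hits a permit entry in both directions and an untrusted source falls to the implicit deny before it is applied.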
12-25-2020 04:50 AM
Yes, I was about to suggest and ask about CoPP. Glad you were able to find the solution and fix it.
12-25-2020 04:54 AM
1. I have applied the ACL on the port-channel. In NX-OS, when ip access-list match-local-traffic is enabled, does it not check local traffic?
2. Would you review my previous post's config and confirm that my trusted network can connect and establish BGP with no issue and the rest of the network cannot? (I have tested it myself and everything was OK, but I want to know another engineer's opinion.)