Not sure what is the Virtual image you are using to test this :

 

look at the features support and not support for now :

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/nx-osv/configuration/guide/b_NX-OSv_9000/b_NX-OSv_chapter_01.html

 

Edited: i will spin up the later week and let you know if i find the same issue. (physical kit not seen this issue)

 

Thanks. Please let me know your test results.

Below are the configs I used, including again in case if that helps:

*NX-OS - (Server Microsegmentation Project)*


*#Any specific traffic that needs to be allowed on the same VLAN, for
example default gateway, DHCP etc*

IP access-list acl-100 permit ip 172.24.51.1 0.0.0.0 172.24.51.0 0.0.0.255

IP access-list acl-100 permit ip 172.24.51.0 0.0.0.255 172.24.51.1 0.0.0.0



*#first deny only intra-VLAN icmp traffic*

Ip access-list acl-101 permit icmp 172.24.51.0 0.0.0.255 172.24.51.0
0.0.0.255 echo

Ip access-list asl-101 permit icmp 172.24.51.0 0.0.0.255 172.24.51.0
0.0.0.255 echo-reply


# then deny all intra-VLAN traffic

Ip access-list acl-101 permit ip 172.24.51.0 0.0.0.255 172.24.51.0 0.0.0.255

Ip access-list acl-101 permit udp 172.24.51.0 0.0.0.255 172.24.51.0
0.0.0.255


*# default permit*

Ip access-list acl-102 permit ip any any


*# vlan access-map vacl-microseg*

vlan access-map vacl-microseg 10

match ip address acl-100

action forward

vlan access-map vacl-microseg 20

match ip address acl-101

action drop

vlan access-map vacl-microseg 30

match ip address acl-102

action forward


*# Apply VACL to VLAN 351*

*vlan filter vacl-microseg vlan-list 351*

Helo

Your OP seems a bit convuluted, can you clarify what excalty you wish to deny or allow?

Sure. Basically goal is to deny any traffic to/from hosts on the same
subnet/VLAN (connected on the same switch or different switch) and allow
all other traffic.

Any inter- VLAN restrictions is applied at layer 3 SVI on the firewall so
not the focus in this VACL. Basically 2 hosts on the same VLAN/subnet
should nor be able to communicate. This is for Lateral movement
restrictions project.

Hello
Thanks for the clarification ,So basically you would possibly require something like the below example, which should deny access between hosts in the same vlan be allow access but allow thes hosts in the vlan to reach its own default-gateway.

 

ip access-list acl-100 permit ip 172.24.51.0 0.0.0.255 host 172.24.51.x (default gateway)
ip access-list acl-100 permit ip host 172.24.51.x 172.24.51.0 0.0.0.255
ip access-list acl-101 permit ip 172.24.51.0 0.0.0.255 172.24.51.0 0.0.0.255

vlan acess-map V2V 10
match ip address 100
action forward

vlan acess-map V2V 20
match ip address 101
action drop

vlan access-map V2V 99

vlan filter V2V vlan-list X

Thanks. So what does vlan access map sequence 99 do?

Also don't I need an acl to permit any any for any incoming or outgoing
traffic from hosts external to this VLAN?

Hello

---

@raazans01 wrote:
Thanks. So what does vlan access map sequence 99 do?

Also don't I need an acl to permit any any for any incoming or outgoing
traffic from hosts external to this VLAN?

---

I would envisage youll need comunication to/from your default gateway, As for sequence 99 that is indeed a permit any any  so if you dont need it then dont apply it and if you don’t need sew 99 that then you also don’t require seq 20 so you can that remove that also.

 

Thanks, Paul. So I tested using the config you provided and it still
doesn't work on NX-OS. I wonder if something in my VIRL lab isn't setup
correctly. Same configurations worked for me when I use a IOS switch in
VIRL.

In this test, I can ssh from one host to another host on the same VLAN.
Below are the configs I currently have on NX-OS access-switch and followed
by router config (using it to get dhcp on both of my servers in VLAN 351 :

ip access-list acl-100 permit ip 172.24.51.0 0.0.0.255 host 172.24.51.1

ip access-list acl-100 permit ip host 172.24.51.1 172.24.51.0 0.0.0.255

ip access-list acl-101 permit ip 172.24.51.0 0.0.0.255 172.24.51.0 0.0.0.255



vlan acess-map V2V 10

match ip address 100

action forward


vlan acess-map V2V 20

match ip address 101

action drop


vlan access-map V2V 99


vlan filter V2V vlan-list 351


vlan 351

name infosec



interface mgmt0

description OOB Management

duplex full

vrf member management

ip address 10.255.0.4/16


interface Ethernet2/1

description trunk-to-router

switchport

switchport mode trunk

switchport trunk allowed vlan 351

no shutdown


interface Ethernet2/2

description to server-1

switchport

switchport access vlan 351

no shutdown


interface Ethernet2/3

description to server-2

switchport

switchport access vlan 351

no shutdown



On Router:


ip dhcp excluded-address 172.24.51.1 172.24.51.2

!

ip dhcp pool infosec

network 172.24.51.0 255.255.255.0

default-router 172.24.51.1


interface GigabitEthernet0/1

description to nx-osv-1

no ip address

ip ospf cost 1

duplex auto

speed auto

media-type rj45

ipv6 address 2001:DB8:A:0:1:1:0:6/126

ipv6 ospf 1 area 0

ipv6 ospf cost 1

!

interface GigabitEthernet0/1.1

description infosec vlan

encapsulation dot1Q 351

ip address 172.24.51.1 255.255.255.0

!

It might be the NX-OS in VIRL. On the older IOSv2 switches, VACLs don't work either. Can you post the full configs so we can lab this in GNS3 (or post the zipped GNS3 project file)...

Hello

Just to confirm you are applying it to the router where the L3 interface for vlan 351 resides? and that L3 interface is up?

Hi Paul,

It is being applied using vlan-filter command and not at L3 interface on
the router. As the idea is to block intra-VLAN traffic.

Will the traffic from the source host flow through L3 interface on the
router to get to the host on the same VLAN? I would assume it stays
within switch (NX-OS) where VACL has been applied?

Hello

I think you mid-understood my question - I was asking was the vacl applied to the rtr that runs the L3 interface for the vlan not is it appended to the L3 interface.

Hi Paul,

Sorry about that. No it is not applied on router to L3 interface.It is
applied on the switch. Below are the configs from N7K. I can share router
config as well if needed. Please let me know.

Thanks


!Command: show running-config

!Time: Fri Nov 8 20:14:45 2019


version 7.3(0)D1(1)

power redundancy-mode redundant

license grace-period


hostname nx-osv-1

vdc nx-osv-1 id 1

limit-resource module-type m1 m1xl m2xl f2e

allocate interface Ethernet2/1-48

allocate interface Ethernet3/1-48

allocate interface Ethernet4/1-48

limit-resource vlan minimum 16 maximum 4094

limit-resource vrf minimum 2 maximum 4096

limit-resource port-channel minimum 0 maximum 768

limit-resource u4route-mem minimum 96 maximum 96

limit-resource u6route-mem minimum 24 maximum 24

limit-resource m4route-mem minimum 58 maximum 58

limit-resource m6route-mem minimum 8 maximum 8


feature telnet

feature ospf

feature bgp

feature ospfv3


username admin password 5 $1$KuOSBsvW$Cy0TSD..gEBGBPjzpDgf51 role
network-admin

username adminbackup password 5 ! role network-operator

username adminbackup passphrase lifetime 99999 warntime 14 gracetime 3

username cisco password 5 $1$Nk7ZkwH0$fyiRmMMfIheqE3BqvcL0C1 role
network-opera

tor

username cisco role network-admin

username cisco passphrase lifetime 99999 warntime 14 gracetime 3

username lab password 5 $1$buoy/oqy$.EXQz8rCn72ii8qtdldj00 role
network-admin

username lab passphrase lifetime 99999 warntime 14 gracetime 3

no password strength-check

ip domain-lookup

vlan dot1Q tag native

system default switchport

system jumbomtu 0

no logging event trunk-status enable

ip access-list acl-100

10 permit ip 172.24.51.0/24 172.24.51.1/32

20 permit ip 172.24.51.1/32 172.24.51.0/24

ip access-list acl-101

10 permit ip 172.24.51.0/24 172.24.51.0/24

vlan access-map V2V 10

match ip address acl-100

action forward

vlan access-map V2V 20

match ip address acl-101

action drop

vlan filter V2V vlan-list 351

copp profile strict

snmp-server user lab network-admin auth md5
0x5ceb414591539ee35159fca86fdfa101 p

riv 0x5ceb414591539ee35159fca86fdfa101 localizedkey

snmp-server user admin network-admin auth md5
0x328945d53e05e8e7207f8c20b142f0b7

priv 0x328945d53e05e8e7207f8c20b142f0b7 localizedkey

snmp-server user cisco network-admin auth md5
0x55b3c64a53fb95518e75358ee75e82e9

priv 0x55b3c64a53fb95518e75358ee75e82e9 localizedkey

snmp-server user cisco network-operator

snmp-server user admin auth md5 0x328945d53e05e8e7207f8c20b142f0b7 priv
0x328945

d53e05e8e7207f8c20b142f0b7 localizedkey engineID 128:0:0:9:3:0:0:0:0:0:0

rmon event 1 log trap public description FATAL(1) owner PMON@FATAL

rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL

rmon event 3 log trap public description ERROR(3) owner PMON@ERROR

rmon event 4 log trap public description WARNING(4) owner PMON@WARNING

rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO

snmp-server enable traps link

snmp-server enable traps link cisco-xcvr-mon-status-chg


vlan 1,351

vlan 351

name infosec


vrf context management

hardware forwarding unicast trace



interface mgmt0

description OOB Management

duplex full

vrf member management

ip address 10.255.0.3/16


interface Ethernet2/1

description trunk-to-router

switchport

switchport mode trunk

switchport trunk allowed vlan 351

no shutdown


interface Ethernet2/2

description to server-1

switchport

switchport access vlan 351

no shutdown


interface Ethernet2/3

description to server-2

switchport

switchport access vlan 351

no shutdown


interface Ethernet2/4

shutdown

no switchport

mac-address 0000.0000.002f


interface Ethernet2/5

shutdown

no switchport

mac-address 0000.0000.002f


interface Ethernet2/6

shutdown

no switchport

mac-address 0000.0000.002f


interface Ethernet2/7

shutdown

no switchport

mac-address 0000.0000.002f


interface Ethernet2/8

shutdown

no switchport

mac-address 0000.0000.002f


interface Ethernet2/9

shutdown

no switchport

mac-address 0000.0000.002f


interface Ethernet2/10

shutdown

no switchport

mac-address 0000.0000.002f


interface Ethernet2/11

shutdown

no switchport

mac-address 0000.0000.002f


interface Ethernet2/12

shutdown

no switchport

mac-address 0000.0000.002f


interface Ethernet2/13

shutdown

no switchport

mac-address 0000.0000.002f


interface Ethernet2/14

…..rest of the interface list…..


interface loopback0

description Loopback

ip address 192.168.0.3/32

ipv6 address 2001:db8:b:0:1::3/128

ip router ospf 1 area 0.0.0.0

ipv6 router ospfv3 1 area 0.0.0.0

line console

line vty

boot kickstart bootflash:/titanium-d1-kickstart.7.3.0.D1.1.bin

boot system bootflash:/titanium-d1.7.3.0.D1.1.bin

router ospf 1

router-id 192.168.0.3

router ospfv3 1

address-family ipv6 unicast

ip access-list match-local-traffic

router bgp 1

router-id 192.168.0.3

address-family ipv4 unicast

network 192.168.0.3/32

address-family ipv6 unicast

network 2001:db8:b:0:1::3/128

neighbor 2001:db8:b:0:1::2 remote-as 1

description iBGP peer iosv-1

update-source loopback0

address-family ipv6 unicast

neighbor 192.168.0.1 remote-as 1

description iBGP peer iosv-1

update-source loopback0

address-family ipv4 unicast