VACL on NX-OS (Nexus 7k) to block/filter traffic between hosts on the same VLAN (on same or different Nexus 7K switches)

raazans01
Level 1
Level 1

I am working on a solution to block traffic between hosts on the same subnet/VLAN to prevent lateral workstation communications. In my virtual lab (VIRL), I tested configurations using access-list and vlan access-map on an IOS switch and it worked fine. When I tested the same exact configuration on NX-OS (Nexus 7K), it didn't appear to be working. When I tested connectivity between 2 hosts connected to the same N7K switch and on the same VLAN 351, traffic was still passing and no hits were seen on the ACL.

Both hosts on the N7K are connected to switchports (no IP on the interface), and the switch is trunked to an IOS router that has a subinterface for VLAN 351 and a DHCP pool for the hosts on VLAN 351.

 

On the N7K switch, I created the ACLs and the vlan access-map, and used vlan filter vacl-name vlan-list 351 to apply the VACL.

Am I missing something in my configurations?


Below are router configs

 

Current configuration : 4477 bytes
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname iosv-1
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable password cisco
!
no aaa new-model
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip dhcp excluded-address 172.24.51.1 172.24.51.2
!
ip dhcp pool infosec
 network 172.24.51.0 255.255.255.0
 default-router 172.24.51.1
!
no ip domain lookup
ip domain name virl.info
ip cef
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
username cisco privilege 15 secret 5 $1$ML2/$/EXoxHR/.pQ9qObMRCHs/0
!
redundancy
!
interface Loopback0
 description Loopback
 ip address 192.168.0.1 255.255.255.255
 ipv6 address 2001:DB8:B:0:1::2/128
 ipv6 ospf 1 area 0
 ipv6 ospf cost 1
!
interface GigabitEthernet0/0
 description OOB Management
 vrf forwarding Mgmt-intf
 ip address 10.255.0.2 255.255.0.0
 duplex full
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description to nx-osv-1
 no ip address
 ip ospf cost 1
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001:DB8:A:0:1:1:0:6/126
 ipv6 ospf 1 area 0
 ipv6 ospf cost 1
!
interface GigabitEthernet0/1.1
 description infosec vlan
 encapsulation dot1Q 351
 ip address 172.24.51.1 255.255.255.0
!
router ospfv3 1
 router-id 192.168.0.1
 !
 address-family ipv6 unicast
 exit-address-family
!
router ospf 1
 passive-interface Loopback0
 network 10.0.0.4 0.0.0.3 area 0
 network 192.168.0.1 0.0.0.0 area 0
!
router bgp 1
 bgp router-id 192.168.0.1
 bgp log-neighbor-changes
 neighbor 2001:DB8:B:0:1::3 remote-as 1
 neighbor 2001:DB8:B:0:1::3 description iBGP peer nx-osv-1
 neighbor 2001:DB8:B:0:1::3 update-source Loopback0
 neighbor 192.168.0.3 remote-as 1
 neighbor 192.168.0.3 description iBGP peer nx-osv-1
 neighbor 192.168.0.3 update-source Loopback0
 !
 address-family ipv4
  network 192.168.0.1 mask 255.255.255.255
  no neighbor 2001:DB8:B:0:1::3 activate
  neighbor 192.168.0.3 activate
 exit-address-family
 !
 address-family ipv6
  network 2001:DB8:B:0:1::2/128
  neighbor 2001:DB8:B:0:1::3 activate
 exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip ssh server algorithm authentication password
!
ipv6 ioam timestamp
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 password cisco
line aux 0
line vty 0 4
 exec-timeout 720 0
 password cisco
 login local
 transport input telnet ssh
!
no scheduler allocate
!
end

Hello

Okay, thanks for the clarification.

Can you append the VACL to the router where the L3 interface for that VLAN resides?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

I can test that, but my goal is to restrict traffic between 2 hosts that are in the same VLAN and are connected to the same switch.

Hello

I understand, as VACLs work for traffic filtering within the same broadcast domain (VLAN).

That VACL should work on a specific switch for all hosts that are assigned to the specific VLAN in the VACL.

I'm just interested to see the result if it's appended on the L3 switch/router as well; it shouldn't make any difference, tbh.

By the way did you remove both sequence 20 and 99 from the vacl?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

No, I kept it as originally suggested this time around. But before posting this question, I had also just used a single ACL with permit ip any any and used it in the vlan access-map to drop packets. Basically, deny all traffic. Even that didn't work. I wonder if there is a limitation in VIRL applying a VACL on NX-OS.

Hello,

 

I just tested the most simple VACL on NX-OSv version 7.3, and it didn't work. I think it is a limitation of the VIRL images and/or GNS3. VACLs also don't seem to work in the IOSvL2 15.2(4.0.55)E-1 image...

 

ip access-list acl-100
  10 permit ip 172.24.51.2/32 172.24.51.3/32
!
vlan access-map vacl-seg 10
  match ip address acl-100
  action drop
!
vlan filter vacl-seg vlan-list 200
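The single-entry VACL above drops one host pair. The original poster's actual goal is broader: drop all host-to-host traffic inside VLAN 351 while still letting every host reach the gateway (172.24.51.1, which also serves DHCP) and leave the subnet. The following Python is an added example, not code from this thread or from Cisco: it generates that three-entry NX-OS-style VACL from the thread's lab values and then dry-runs flows through it with first-match semantics, which makes the one point that trips people up visible: inside a VACL a `permit` ACE means "this entry matches", so the gateway traffic has to be classified and forwarded before the broad intra-subnet entry drops it. The ACL and access-map names (`lateral-block-gw`, `lateral-block-lateral`, `lateral-block-any`, `lateral-block`) are assumptions chosen here, and the parser only understands the small syntax subset the generator emits. Per the thread's own finding, the config is meant for real Nexus hardware, not NX-OSv in VIRL.

```python
"""Added example (not from the thread or from Cisco): generate an NX-OS-style VACL
that blocks lateral host-to-host traffic inside one VLAN while forwarding traffic
to/from the gateway and everything leaving the subnet, then dry-run flows through it.
Addresses reuse the thread's lab values; ACL/map names are assumptions."""
import ipaddress


def build_lateral_block_vacl(subnet, gateway, vlan, map_name="lateral-block"):
    """Return NX-OS configuration text. Entry order matters: the access-map is
    first-match, and a 'permit' ACE inside a VACL means 'this entry matches',
    so the gateway entry (forward) must come before the intra-subnet entry (drop)."""
    lines = [
        # Entry 10: traffic to/from the default gateway (routing, DHCP relay)
        f"ip access-list {map_name}-gw",
        f"  10 permit ip any {gateway}/32",
        f"  20 permit ip {gateway}/32 any",
        # Entry 20: anything else that stays inside the subnet is lateral traffic
        f"ip access-list {map_name}-lateral",
        f"  10 permit ip {subnet} {subnet}",
        # Entry 30: explicit catch-all so the rest of the VLAN's IP traffic is forwarded
        f"ip access-list {map_name}-any",
        "  10 permit ip any any",
        f"vlan access-map {map_name} 10",
        f"  match ip address {map_name}-gw",
        "  action forward",
        f"vlan access-map {map_name} 20",
        f"  match ip address {map_name}-lateral",
        "  action drop",
        f"vlan access-map {map_name} 30",
        f"  match ip address {map_name}-any",
        "  action forward",
        f"vlan filter {map_name} vlan-list {vlan}",
    ]
    return "\n".join(lines)


def _parse(config):
    """Parse the subset emitted above: {acl: [(verb, src, dst)]} plus an ordered
    list of access-map entries {seq, acl, action}."""
    acls, entries, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        if line.startswith("ip access-list "):
            current = ("acl", tokens[2])
            acls.setdefault(tokens[2], [])
        elif line.startswith("vlan access-map "):
            current = ("map", tokens[2])
            entries.append({"seq": int(tokens[3]), "acl": None, "action": None})
        elif current and current[0] == "acl" and tokens[1:2] in (["permit"], ["deny"]):
            _seq, verb, _proto, src, dst = tokens  # e.g. "10 permit ip any 172.24.51.1/32"
            acls[current[1]].append((verb, src, dst))
        elif current and current[0] == "map" and line.startswith("match ip address "):
            entries[-1]["acl"] = tokens[3]
        elif current and current[0] == "map" and line.startswith("action "):
            entries[-1]["action"] = tokens[1]
    return acls, sorted(entries, key=lambda e: e["seq"])


def _covers(spec, ip):
    """'any' or a prefix in a.b.c.d/len notation (the form used in the thread)."""
    return spec == "any" or ip in ipaddress.ip_network(spec, strict=False)


def vacl_action(config, src, dst):
    """Dry-run a src->dst IP flow: walk map entries in sequence order; within an
    entry's ACL the first covering ACE decides (permit -> entry matches and its
    action is taken, deny -> entry does not match, move on)."""
    acls, entries = _parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in entries:
        for verb, src_spec, dst_spec in acls[entry["acl"]]:
            if _covers(src_spec, s) and _covers(dst_spec, d):
                if verb == "permit":
                    return entry["action"]
                break  # deny ACE: this entry does not classify the packet
    # Unreachable with the generated map (entry 30 is a catch-all); what a real
    # switch does with unmatched traffic is platform-specific, so report it.
    return "no-match"


if __name__ == "__main__":
    cfg = build_lateral_block_vacl("172.24.51.0/24", "172.24.51.1", 351)
    print(cfg)
    for flow in [("172.24.51.2", "172.24.51.3"), ("172.24.51.2", "172.24.51.1"),
                 ("172.24.51.2", "8.8.8.8"), ("0.0.0.0", "255.255.255.255")]:
        print(flow, "->", vacl_action(cfg, *flow))
```

Two caveats worth keeping in mind when moving this to hardware. `match ip address` only classifies IP packets, so ARP between the two workstations is still forwarded (they will resolve each other's MAC but get no IP reply); filtering it needs a separate `match mac address` entry. And the DHCP DISCOVER (0.0.0.0 to 255.255.255.255) passes because neither address falls inside 172.24.51.0/24, which is why the dry-run above forwards it. If the only requirement is "no host-to-host traffic in this VLAN", private VLAN isolated ports achieve the same result at layer 2 without an ACL to maintain.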

Hello

Given your brief test and @Georg Pauwen's also, I guess you have your answer as to why it isn't working as it should.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul