11-05-2019 11:11 AM
I am working on a solution to block traffic between hosts on the same subnet/VLAN to prevent lateral workstation communication. In my virtual lab (VIRL), I tested configurations using access-list and vlan access-map on an IOS switch and it worked fine. When I tested the exact same configuration on NX-OS (Nexus 7K), it didn't appear to be working. When I tested connectivity between 2 hosts connected to the same N7K switch and on the same VLAN 351, traffic was still passing and no hits were seen on the ACL.
Both hosts on the N7K are connected to a switchport (no IP on the interface), and the switch is trunked to a router (IOS) that has a subinterface for VLAN 351 and a DHCP pool for the hosts on VLAN 351.
On the N7K switch, I created ACLs and a VLAN access-map and used vlan filter vacl-name vlan-list 351 to apply the VACL.
Am I missing something in my configurations?
11-08-2019 12:30 PM
Below are router configs
Current configuration : 4477 bytes
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname iosv-1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable password cisco
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
ip dhcp excluded-address 172.24.51.1 172.24.51.2
!
ip dhcp pool infosec
network 172.24.51.0 255.255.255.0
default-router 172.24.51.1
!
!
!
no ip domain lookup
ip domain name virl.info
ip cef
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
username cisco privilege 15 secret 5 $1$ML2/$/EXoxHR/.pQ9qObMRCHs/0
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description Loopback
ip address 192.168.0.1 255.255.255.255
ipv6 address 2001:DB8:B:0:1::2/128
ipv6 ospf 1 area 0
ipv6 ospf cost 1
!
interface GigabitEthernet0/0
description OOB Management
vrf forwarding Mgmt-intf
ip address 10.255.0.2 255.255.0.0
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description to nx-osv-1
no ip address
ip ospf cost 1
duplex auto
speed auto
media-type rj45
ipv6 address 2001:DB8:A:0:1:1:0:6/126
ipv6 ospf 1 area 0
ipv6 ospf cost 1
!
interface GigabitEthernet0/1.1
description infosec vlan
encapsulation dot1Q 351
ip address 172.24.51.1 255.255.255.0
!
router ospfv3 1
router-id 192.168.0.1
!
address-family ipv6 unicast
exit-address-family
!
router ospf 1
passive-interface Loopback0
network 10.0.0.4 0.0.0.3 area 0
network 192.168.0.1 0.0.0.0 area 0
!
router bgp 1
bgp router-id 192.168.0.1
bgp log-neighbor-changes
neighbor 2001:DB8:B:0:1::3 remote-as 1
neighbor 2001:DB8:B:0:1::3 description iBGP peer nx-osv-1
neighbor 2001:DB8:B:0:1::3 update-source Loopback0
neighbor 192.168.0.3 remote-as 1
neighbor 192.168.0.3 description iBGP peer nx-osv-1
neighbor 192.168.0.3 update-source Loopback0
!
address-family ipv4
network 192.168.0.1 mask 255.255.255.255
no neighbor 2001:DB8:B:0:1::3 activate
neighbor 192.168.0.3 activate
exit-address-family
!
address-family ipv6
network 2001:DB8:B:0:1::2/128
neighbor 2001:DB8:B:0:1::3 activate
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip ssh server algorithm authentication password
!
ipv6 ioam timestamp
!
!
!
control-plane
!
banner exec ^C
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
password cisco
line aux 0
line vty 0 4
exec-timeout 720 0
password cisco
login local
transport input telnet ssh
!
no scheduler allocate
!
end
11-08-2019 01:03 PM
Hello
Okay, thanks for the clarification.
Can you append the VACL to the router where the L3 interface for that VLAN resides?
11-08-2019 01:08 PM
11-08-2019 01:22 PM - edited 11-08-2019 03:30 PM
Hello
I understand, as VACLs work for traffic filtering within the same broadcast domain (VLAN).
That VACL should work on a specific switch for all hosts that are assigned to the specific VLAN in the VACL.
Just interested to see the result if it's appended on the L3 switch/router as well; it shouldn't make any difference tbh.
By the way did you remove both sequence 20 and 99 from the vacl?
11-08-2019 04:27 PM
11-09-2019 01:04 AM
Hello,
I just tested the most simple VACL on NX-OSv version 7.3, and it didn't work. I think it is a limitation of the VIRL images and/or GNS3. VACLs also don't seem to work in the IOSvL2 15.2(4.0.55)E-1 image...
ip access-list acl-100
10 permit ip 172.24.51.2/32 172.24.51.3/32
!
vlan access-map vacl-seg 10
match ip address acl-100
action drop
!
vlan filter vacl-seg vlan-list 200
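As an added example (not code from this thread, from Cisco, or from any of the posters), here is a small Python checker for the NX-OS-style VACL grammar used above (ip access-list, vlan access-map, vlan filter). It parses a config, predicts the action a correctly working VACL would apply to a given intra-VLAN flow, and lints the configuration gaps behind the original "am I missing something?" question: a filter applied to a VLAN other than the one the hosts sit in, an access-map referencing an undefined ACL, or no catch-all forward entry. The sample config, the names host-to-gw, host-to-host and vacl-seg, and the host addresses are constructed for the example (reusing the thread's 172.24.51.0/24 addressing and the .1 gateway); the rule that a flow matching no access-map entry is dropped, and that an entry without an action line defaults to forward, are assumptions and are marked as such in the code.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: isolate hosts in VLAN 351 from each other while still
# letting them reach the gateway 172.24.51.1 (the router subinterface in the
# thread). ACL and access-map names are made up for this example.
SAMPLE_CONFIG = """
ip access-list host-to-gw
  10 permit ip 172.24.51.0/24 host 172.24.51.1
  20 permit ip host 172.24.51.1 172.24.51.0/24
ip access-list host-to-host
  10 permit ip 172.24.51.0/24 172.24.51.0/24
vlan access-map vacl-seg 10
  match ip address host-to-gw
  action forward
vlan access-map vacl-seg 20
  match ip address host-to-host
  action drop
vlan access-map vacl-seg 30
  action forward
vlan filter vacl-seg vlan-list 351
"""

@dataclass
class AclEntry:
    seq: int
    action: str                      # permit | deny
    proto: str                       # ip, tcp, udp, ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class MapEntry:
    seq: int
    acl: Optional[str] = None        # None = no match clause = matches every packet
    action: str = "forward"          # assumed default when no 'action' line is given

@dataclass
class VaclConfig:
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)
    maps: Dict[str, Dict[int, MapEntry]] = field(default_factory=dict)
    filters: Dict[str, Set[int]] = field(default_factory=dict)   # map name -> VLAN ids

def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ACL address operand: any | host A.B.C.D | A.B.C.D/len."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)

def parse_vlan_list(spec: str) -> Set[int]:
    """'351' | '351,400' | '300-310' -> set of VLAN ids."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text: str) -> VaclConfig:
    """Minimal parser for the VACL grammar used in the thread (no ports, no remarks)."""
    cfg = VaclConfig()
    cur_acl: Optional[str] = None
    cur_map: Optional[MapEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[:2] == ["ip", "access-list"]:
            cur_acl, cur_map = tokens[2], None
            cfg.acls.setdefault(cur_acl, [])
        elif tokens[:2] == ["vlan", "access-map"]:
            cur_acl, cur_map = None, MapEntry(int(tokens[3]))
            cfg.maps.setdefault(tokens[2], {})[cur_map.seq] = cur_map
        elif tokens[:2] == ["vlan", "filter"]:
            cur_acl, cur_map = None, None
            cfg.filters.setdefault(tokens[2], set()).update(parse_vlan_list(tokens[4]))
        elif cur_acl is not None and tokens[0].isdigit():
            rest = tokens[3:]                      # operands after "<seq> <permit|deny> <proto>"
            cfg.acls[cur_acl].append(AclEntry(int(tokens[0]), tokens[1], tokens[2],
                                              _take_addr(rest), _take_addr(rest)))
        elif cur_map is not None and tokens[0] == "match":
            cur_map.acl = tokens[-1]               # "match ip address <acl>"
        elif cur_map is not None and tokens[0] == "action":
            cur_map.action = tokens[1]
    return cfg

def acl_matches(entries: List[AclEntry], src, dst, proto: str = "ip") -> bool:
    """A VACL match clause 'hits' when the ACL's first matching entry is a permit."""
    for e in sorted(entries, key=lambda e: e.seq):
        if e.proto in ("ip", proto) and src in e.src and dst in e.dst:
            return e.action == "permit"
    return False                                   # implicit deny at the end of every ACL

def vacl_decision(cfg: VaclConfig, vlan: int, src: str, dst: str, proto: str = "ip"):
    """Action the VACL applies to an intra-VLAN flow, or None if no filter covers the VLAN."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, vlans in cfg.filters.items():
        if vlan not in vlans:
            continue
        for seq in sorted(cfg.maps.get(name, {})):
            entry = cfg.maps[name][seq]
            if entry.acl is None or acl_matches(cfg.acls.get(entry.acl, []), s, d, proto):
                return entry.action
        return "drop"                              # assumption: unmatched flows are dropped
    return None

def lint(cfg: VaclConfig, vlan: int, hosts: List[str], gateway: Optional[str] = None) -> List[str]:
    """Config-level checks to run before blaming the platform or image."""
    findings: List[str] = []
    applied = [n for n, v in cfg.filters.items() if vlan in v]
    if not applied:
        findings.append(f"no 'vlan filter' applies to VLAN {vlan}")
    for name in applied:
        entries = cfg.maps.get(name)
        if not entries:
            findings.append(f"vlan filter references undefined access-map {name}")
            continue
        for seq, e in sorted(entries.items()):
            if e.acl is not None and e.acl not in cfg.acls:
                findings.append(f"{name} {seq}: ACL {e.acl} is not defined")
        last = entries[max(entries)]
        if last.acl is not None or last.action != "forward":
            findings.append(f"{name}: no catch-all 'action forward' entry; unmatched traffic would be dropped")
    for a in hosts:
        for b in hosts:
            if a != b and vacl_decision(cfg, vlan, a, b) != "drop":
                findings.append(f"{a} -> {b}: not dropped by the VACL")
        if gateway and vacl_decision(cfg, vlan, a, gateway) != "forward":
            findings.append(f"{a} -> {gateway}: gateway traffic is not forwarded")
    return findings

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(lint(cfg, 351, ["172.24.51.2", "172.24.51.3"], gateway="172.24.51.1"))  # -> []
    print(vacl_decision(cfg, 351, "172.24.51.2", "172.24.51.3"))                     # -> drop
```

If the checker reports nothing and the predicted action is drop, yet the two hosts still reach each other with zero ACL hits on the switch, the policy itself is sound and the platform or image is the remaining suspect, which is where this thread ended up for the VIRL images.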
11-09-2019 01:51 AM
Hello
Given your brief test and @Georg Pauwen's also, I guess you have your answer as to why it isn't working as it should.