Solved: Re: VLAN Interface Access List Issue in Nexus 3K HSRP and VPC

naleenh86 · ‎02-21-2022

Hi All,

There is an issue in the behavior of access-list in VPC and HSRP environments.

Two access lists are configured to only allow traffic between VLAN 551 (10.10.151.0/24) and VLAN 562 (10.10.162.0/24).

Access lists are configured and applied in both the switches and applied inbounds to the 4 VLAN interfaces. When pinging from 10.10.151.10 to 10.10.162.254, did not work.

Adding 30 permit IP 10.10.151.0/24 10.10.162.254/32 to the IP access-list VLAN_562, solved the pinging issue.

Below are the configuration details. As the ACLs applied inbound and this behavior seems abnormal, 10.10.162.254 gateway considers traffic from 10.10.151.10 as inbound.

ip access-list VLAN_551
10 permit ip 10.10.151.0/24 10.10.162.0/24
20 permit ip 10.10.151.0/24 10.10.151.254/32

ip access-list VLAN_562
10 permit ip 10.10.162.0/24 10.10.151.0/24
20 permit ip 10.10.162.0/24 10.10.162.254/32

Nexus Switch A

interface Vlan551
description INTERNAL-BACKUP-NETWORK
no shutdown
ip access-group VLAN_551 in
no ip redirects
ip address 10.10.151.252/24
no ipv6 redirects
hsrp version 2
hsrp 551
preempt delay minimum 180
priority 150
ip 10.10.151.254

interface Vlan562
description BACKUP-NETWRK
no shutdown
ip access-group VLAN_562 in
no ip redirects
ip address 10.10.162.252/24
no ipv6 redirects
hsrp version 2
hsrp 562
preempt delay minimum 180
priority 150
ip 10.10.162.254

Nexus Switch B

interface Vlan551
description INTERNAL-BACKUP-NETWORK
no shutdown
ip access-group VLAN_551 in
no ip redirects
ip address 10.10.151.253/24
no ipv6 redirects
hsrp version 2
hsrp 551
preempt delay minimum 180
ip 10.10.151.254

interface Vlan562
description BACKUP-NETWRK
no shutdown
ip access-group VLAN_562 in
no ip redirects
ip address 10.10.162.253/24
no ipv6 redirects
hsrp version 2
hsrp 562
preempt delay minimum 180
ip 10.10.162.254

Thanks,

Naleen Hemachandra

naleenh86 · ‎02-22-2022

Sorry for the mistakes in the issue description. I have corrected some.

By the way, I have checked with the Cisco TAC. I understood that this behavior is normal and expected. As in here, we are using HSRP and if the packet is destined to the virtual mac address, it is received as inbound to the particular destination VLAN interface. Since I have added an inbound ACL to the destination VLAN interface, there should be a rule matching this source and destination in the ACL applied to the destination VLAN interface.

Thanks for the kind support.

View solution in original post

balaji.bandi · ‎02-21-2022

Just quick question, when you apply ACL ? Does the HSRP working ?

as per i know you need to allow - IP multicast address of 224.0.0.102 depends on version you using to establish HSRP peer ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎02-21-2022

Hello,

it is difficult to tell what is going on, since the information below contains several mismatches, so we don't know what IP address you are actually pinging, and what interfaces the ACLs are applied to (mismatches are highlighted in bold, are these just typos) ?

-->

Access lists are configured and applied in both the switches and applied inbounds to the 4 VLAN interfaces. When pinging from 10.10.150.10 to 10.10.162.154, did not work.

Adding 30 permit IP 10.10.151.0/24 10.10.162.254/32 to the IP access-list VLAN_561, solved the pinging issue.

MHM Cisco World · ‎02-21-2022

If I am right the direction of ACL must be OUT not in since the source is same VLAN of SVI we apply ACL under it.

also check the solution of
peer-gateway to make both N3K forward traffic.

Georg Pauwen · ‎02-21-2022

Again,

since we don't know which access list you applied this to, it is diffcult to figure out what is going on:

--> Adding 30 permit IP 10.10.151.0/24 10.10.162.254/32 to the IP access-list VLAN_561, solved the pinging issue.

There is no access list VLAN_561, just VLAN_551 and VLAN_562.

naleenh86 · ‎02-22-2022

Sorry for the mistakes in the issue description. I have corrected some.

By the way, I have checked with the Cisco TAC. I understood that this behavior is normal and expected. As in here, we are using HSRP and if the packet is destined to the virtual mac address, it is received as inbound to the particular destination VLAN interface. Since I have added an inbound ACL to the destination VLAN interface, there should be a rule matching this source and destination in the ACL applied to the destination VLAN interface.

Thanks for the kind support.