ACLs - Just like a firewall, the CSS matches traffic against ACL clauses in clause-number order and has a hidden implicit deny at the end of each ACL configuration. The first two entries are your permits, the third your deny, and the last allows all other outbound traffic to pass. Simply replace the 220.127.116.11 IP address with the site's true IP.
!**************************** ACL ****************************
acl 1
  clause 1 permit tcp nql Networks destination 18.104.22.168 eq 2400
  clause 2 permit tcp nql Networks destination 22.214.171.124 eq 3500
  clause 3 deny any nql Networks destination 126.96.36.199
  clause 4 permit any any destination any
If your CSS is in routed mode you would need to create another ACL entry with a "permit ip any any" and apply it to that circuit. This would allow all traffic entering/exiting that circuit VLAN to pass. The ACL 1 configuration should be applied to the circuit VLAN where your server's outbound traffic would be intercepted first. If your CSS is in bridged or one-armed mode the ACL will be applied to the single circuit VLAN.
PLEASE be sure to configure your ACL clauses and apply them to the appropriate circuit VLAN BEFORE implementing the "acl enable" global command. If you issue this command first without configuring the ACL clauses and applying them to the correct circuits, you will lock yourself out of the CSS (if you are SSH'ed or Telnet'ed into the device) and the device will begin to drop all traffic, because the implicit deny is then the only rule in effect.
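A constructed first-match model of the ACL above, added here as an example (not CSS code and not from the original post): it walks a few flows through the four clauses and the implicit deny, and also shows the lock-out case where "acl enable" is active with no clauses applied. The "Networks" NQL is modelled as a single placeholder subnet and the site's true IP as a placeholder address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Clause:
    number: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # "any" or a CIDR (stands in for the NQL)
    dst: str                    # "any" or a host/CIDR
    dport: Optional[int] = None  # None means any destination port ("eq" absent)


def _in_net(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(c: Clause, proto: str, src: str, dst: str, dport: int) -> bool:
    return (c.proto in ("any", proto) and _in_net(c.src, src)
            and _in_net(c.dst, dst) and (c.dport is None or c.dport == dport))


def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching clause (lowest clause number) wins; no match hits the hidden implicit deny."""
    for c in sorted(acl, key=lambda x: x.number):
        if matches(c, proto, src, dst, dport):
            return c.action
    return "deny"  # implicit deny at the end of every CSS ACL


# Constructed placeholders: the 'Networks' NQL as one subnet, the site's true IP as a test address.
NETWORKS_NQL = "192.0.2.0/24"
SITE_IP = "203.0.113.10"

ACL_1 = [
    Clause(1, "permit", "tcp", NETWORKS_NQL, SITE_IP, 2400),
    Clause(2, "permit", "tcp", NETWORKS_NQL, SITE_IP, 3500),
    Clause(3, "deny", "any", NETWORKS_NQL, SITE_IP),
    Clause(4, "permit", "any", "any", "any"),
]


def check_policy() -> dict:
    """Exercise the policy the way a change review would, before issuing 'acl enable'."""
    return {
        "site_2400": evaluate(ACL_1, "tcp", "192.0.2.5", SITE_IP, 2400),       # clause 1
        "site_3500": evaluate(ACL_1, "tcp", "192.0.2.5", SITE_IP, 3500),       # clause 2
        "site_80": evaluate(ACL_1, "tcp", "192.0.2.5", SITE_IP, 80),           # clause 3
        "site_udp": evaluate(ACL_1, "udp", "192.0.2.5", SITE_IP, 2400),        # clause 3 (any proto)
        "other_dst": evaluate(ACL_1, "tcp", "192.0.2.5", "198.51.100.7", 443),  # clause 4
        "empty_acl": evaluate([], "tcp", "192.0.2.5", "198.51.100.7", 22),      # lock-out: implicit deny only
    }
```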
Also please be advised that setting up ACLs on the CSS can be VERY CPU intensive. I would recommend configuring ACLs during your non-peak traffic hours. It would also be best to take a snapshot of the CPU BEFORE and AFTER implementing the rules. This gives you an estimate of how much processing is involved simply by configuring the ACLs on the CSS.
The following command can be used to obtain the CPU information:
VMware Trunk Port Group is supported from ACI version 2.1
VMM integration must be configured properly
ASA device package must be uploaded to APIC
ASAv version must be compatible with ACI and device package version