Nexus N5K-C5672UP ACL question - host or /32 syntax?

mattcisconet
Level 1

Hello,

Running version 7.1(0)N1(1a).

So to put it simply, I need to match tcp traffic from a network to a host.

Is this acceptable configuration syntax:

switch(config-acl)#permit tcp 172.16.17.0/24 172.16.154.90/32

or will the switch interpret the /32 host entry as something else entirely? Would this be the proper syntax instead:

switch(config-acl)#permit tcp 172.16.17.0/24 host 172.16.154.90

I am asking because I used the former /32 syntax, and all heck broke loose. Something definitely didn't work.


8 Replies

Reza Sharifi
Hall of Fame

Hi,

Not sure exactly what you are trying to do but an access list will not be effective unless it is applied to a physical interface or an SVI. If you are trying to allow communications between a host and a network, that is allowed by default on the switch as long as there is a route to that host and there is no access-list blocking it. 

HTH

Thanks Reza. I'm only asking about the syntax. I understand how to apply ACLs to interfaces.

This is the issue: When you run "show ip access list" the Nexus will output host statements as /32 entries like this:

permit tcp 172.16.17.0/24 172.16.90.47/32

This is the result of inputting this statement: "permit tcp 172.16.17.0/24 host 172.16.90.47"

But what if you input this statement, as it appears in the "show" output?

permit tcp 172.16.17.0/24 172.16.90.47/32

How does the switch interpret that /32? I think it does not interpret it as a single host, but rather a much broader network subnet.

Anybody know?

Thanks.

Hi,

The Nexus switch will translate both statements as /32 in both show run and sh access-list.

In the example below, I have one statement with the host keyword and one with /32, but sh access-list shows both as /32:

show ip access list test
10 permit tcp 172.16.17.0/24 172.16.90.47/32
20 permit tcp 172.16.17.0/24 172.16.90.47/32

and this is from the running config:

ip access-list test
10 permit tcp 172.16.17.0/24 172.16.90.47/32
20 permit tcp 172.16.17.0/24 172.16.90.47/32

HTH

Thanks.

That's right, show run and show access-lists will both translate the host entry as /32.

But when actually inputting the access-list statement, I am trying to confirm that when not using the "host" keyword, but instead manually inputting a /32 address, does the switch interpret that manually entered /32 as a host or as a network? If it interprets it as a network, what is the reverse mask? I have a feeling, but I'm not certain, that the switch interprets it as a network - this is because when I applied my access-list statements, I saw traffic that didn't match the /32 statement as a host, but instead seemed to match a much broader network statement.

Hope that makes sense. Thanks.

does the switch interpret that manually entered /32 as a host or as a network?

/32 (mask 255.255.255.255) is just for that one host and not the whole network.

HTH

Yes exactly. That is what I would have expected. However in practice that did not appear to be the case. I wonder if I have run into a bug. I've opened a TAC case to try to work through it.

Ok, so I worked with TAC on this and it ended up being a bug. Bug ID CSCus28695. My ACL had a "remark" statement in it, which caused it to match all traffic due to the bug.  I'm also running the ACL on a WCCP redirect list.  Wow, what a crazy thing.

I'm running a Nexus 5672UP with NX-OS 7.1(0)N1(1a). This is fixed in newer releases, or the workaround is just to remove the remark statement.
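To make the syntax point concrete, here is an added Python example (not code from the thread or from Cisco) that parses ACEs in the form quoted above, normalizes "host X" to "X/32" the way "show ip access-list" prints it, and evaluates a flow against the list first-match. The ACL text is constructed for the example and includes a remark line, which a correct evaluator skips; the behaviour the accepted answer attributes to CSCus28695 (a remark making the ACL match all traffic) is the bug, not the semantics shown here.

```python
import ipaddress

# Constructed ACL in the NX-OS syntax quoted in the thread (not a real device config).
ACL_TEXT = """ip access-list test
  remark web from the user LAN to the proxy
  10 permit tcp 172.16.17.0/24 host 172.16.90.47
  20 permit tcp 172.16.17.0/24 172.16.90.47/32
  30 deny ip any any
"""


def _take_prefix(tok):
    """Consume one address term: 'any', 'host A.B.C.D' or 'A.B.C.D/len'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":  # 'host A.B.C.D' is exactly the single address A.B.C.D/32
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(tok[0], strict=False), tok[1:]


def parse_acl(text):
    """Return ([(action, proto, src_net, dst_net), ...], [remark strings])."""
    entries, remarks = [], []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "ip":  # skip blanks and the 'ip access-list NAME' header
            continue
        if tok[0].isdigit():  # drop the sequence number
            tok = tok[1:]
        if tok[0] == "remark":  # remarks are documentation only; they never match traffic
            remarks.append(" ".join(tok[1:]))
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, rest = _take_prefix(rest)
        dst, _ = _take_prefix(rest)
        entries.append((action, proto, src, dst))
    return entries, remarks


def normalize(entries):
    """Render entries as 'show ip access-list' does: host -> /32, 0.0.0.0/0 -> any."""
    fmt = lambda n: "any" if n.prefixlen == 0 else str(n)
    return [f"{a} {p} {fmt(s)} {fmt(d)}" for a, p, s, d in entries]


def evaluate(entries, proto, src, dst):
    """First matching ACE decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in entries:
        if p in (proto, "ip") and s in snet and d in dnet:
            return action
    return "deny"
```

Running parse_acl on the constructed text shows entries 10 and 20 render identically after normalization and that a /32 destination matches only that one host.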
