Problem with VACLs (access-map) on Nexus 5000

Dear expert,

I have a problem when trying to implement an access-map on my Nexus 5500.

I have 2 Nexus with vPC, and some VLANs:

VLAN 2 with 192.168.2.x/24
VLAN 3 with 192.168.3.x/24
VLAN 4 with 192.168.4.x/24
VLAN 5 with 192.168.5.x/24

I want members of VLAN 2 and 3 not to be able to access each other with telnet and SSH; other traffic is forwarded.

This is my configuration:

#########################################################
ip access-list VLAN2_DROP
  permit tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
  permit tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
  permit tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
  permit tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
vlan access-map VLAN2_FILTER
  match ip address VLAN2_DROP
  action drop
vlan access-map VLAN2_FILTER
  action forward
vlan filter VLAN2_FILTER vlan-list 2

ip access-list VLAN3_DROP
  permit tcp 192.168.3.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 23
  permit tcp 192.168.3.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 22
  permit tcp 192.168.2.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 23
  permit tcp 192.168.2.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 22
vlan access-map VLAN3_FILTER
  match ip address VLAN3_DROP
  action drop
vlan access-map VLAN3_FILTER
  action forward
vlan filter VLAN3_FILTER vlan-list 3
#########################################################

But the problem is that the connection to VLAN 2 and VLAN 3 is dropped (connection lost, RTO), and the other VLANs (VLAN 4 and 5) can't access VLAN 2 and 3 either (connection lost, RTO).

When I try show run on my Nexus, I find the result is like this:

#
vlan access-map VLAN2_FILTER
  action forward
vlan access-map VLAN3_FILTER
  action forward
#

Based on the result from show run, the traffic should be fine and the connection still up, because the DROP policy has been replaced by FORWARD, but in fact the traffic is down.

Can anyone help me?

Thanks!!
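As an added example (not from the original post, and not Cisco documentation), here is the same VACL written with explicit sequence numbers and a separate catch-all forward entry, which is the layout that avoids the collapsed running-config shown above. It assumes the intent is to block telnet and SSH only between VLAN 2 and VLAN 3, both /24 networks; the names VLAN2_3_TELNET_SSH, PERMIT_ALL and VLAN2_3_FILTER and the sequence numbers are my choices. Note that the original's source wildcard 0.0.255.255 matches all of 192.168.0.0/16 rather than a single VLAN.

```cisco
! Added example, not the original poster's configuration.
! One ACL lists the connection attempts to block: both directions,
! destination ports 22 and 23. /24 networks are assumed.
ip access-list VLAN2_3_TELNET_SSH
  10 permit tcp 192.168.2.0/24 192.168.3.0/24 eq 23
  20 permit tcp 192.168.2.0/24 192.168.3.0/24 eq 22
  30 permit tcp 192.168.3.0/24 192.168.2.0/24 eq 23
  40 permit tcp 192.168.3.0/24 192.168.2.0/24 eq 22
!
! Catch-all ACL referenced by the forward entry (name is my choice).
ip access-list PERMIT_ALL
  10 permit ip any any
!
! Explicit sequence numbers keep the two entries separate. Without them,
! the second "vlan access-map VLAN2_FILTER" line in the original re-enters
! the first entry instead of creating a second one, which is how the
! running-config ended up with a single "action forward" and no match.
vlan access-map VLAN2_3_FILTER 10
  match ip address VLAN2_3_TELNET_SSH
  action drop
vlan access-map VLAN2_3_FILTER 20
  match ip address PERMIT_ALL
  action forward
!
! One filter covers both VLANs; configure it identically on both vPC peers.
vlan filter VLAN2_3_FILTER vlan-list 2-3
!
! Verify that both entries exist before testing from a host:
! show vlan access-map VLAN2_3_FILTER
! show vlan filter
```

The check to run after applying it is `show vlan access-map`: the map must list entry 10 with the drop action and its match, and entry 20 with the forward action, before any host-to-host test is meaningful. Applying the filter to other VLANs (4 and 5 here) is unnecessary, since a VACL applies only to traffic bridged within, or routed into and out of, the VLANs in its vlan-list.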
