VACLs (access-map) on Nexus 5000

Dear expert,

I have a problem when trying to implement an access-map on my Nexus 5500.

I have 2 Nexus with vPC, and some VLANs:

VLAN 2 with 192.168.2.x/24

VLAN 3 with 192.168.3.x/24

VLAN 4 with 192.168.4.x/24

VLAN 5 with 192.168.5.x/24

I want members of VLAN 2 and 3 to not be able to access each other with telnet and SSH; other traffic is forwarded.

This is my configuration:

#########################################################
ip access-list VLAN2_DROP
  permit tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
  permit tcp 192.168.2.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
  permit tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 23
  permit tcp 192.168.3.0 0.0.255.255 192.168.2.0 0.0.0.255 eq 22
vlan access-map VLAN2_FILTER
  match ip address VLAN2_DROP
  action drop
vlan access-map VLAN2_FILTER
  action forward
vlan filter VLAN2_FILTER vlan-list 2

ip access-list VLAN3_DROP
  permit tcp 192.168.3.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 23
  permit tcp 192.168.3.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 22
  permit tcp 192.168.2.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 23
  permit tcp 192.168.2.0 0.0.255.255 192.168.3.0 0.0.0.255 eq 22
vlan access-map VLAN3_FILTER
  match ip address VLAN3_DROP
  action drop
vlan access-map VLAN3_FILTER
  action forward
vlan filter VLAN3_FILTER vlan-list 3
#########################################################

But the problem is that the connection to VLAN 2 and VLAN 3 is dropped (connection lost, RTO), and

the other VLANs (VLAN 4 and 5) can't access VLAN 2 and 3 either (connection lost, RTO).

When I do a show run on my Nexus,

I find the result is like this:

#
vlan access-map VLAN2_FILTER
  action forward
vlan access-map VLAN3_FILTER
  action forward
#

Based on the result from show run, the traffic should be fine and the connection still up, because the DROP policy has been replaced by FORWARD,

but in fact the traffic is down.

Can anyone help me?

Thanks!!

Re: VACLs (access-map) on Nexus 5000

I will answer my own question.

The right configuration is:

! Source wildcard corrected from 0.0.255.255 to 0.0.0.255: the VLANs are /24,
! and 0.0.255.255 would match every 192.168.x.x source (VLAN 4 and 5 included).
ip access-list VLAN2_DROP
  deny tcp 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 23
  deny tcp 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 22
  deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 23
  deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 22
  permit ip any any
vlan access-map VLAN2_FILTER
  match ip address VLAN2_DROP
  action forward
exit
vlan filter VLAN2_FILTER vlan-list 2

ip access-list VLAN3_DROP
  deny tcp 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 23
  deny tcp 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 22
  deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 23
  deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 22
  permit ip any any
vlan access-map VLAN3_FILTER
  match ip address VLAN3_DROP
  action forward
exit
vlan filter VLAN3_FILTER vlan-list 3

I hope this helps!!

Thanks,
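As an added illustration (not code from the thread), the following Python model evaluates VACL decisions the way the two configurations above behave: an ACL deny means the sequence is not hit, a packet that hits no sequence is dropped, and, modelling the show run output of the first attempt, a sequence with no match clause hits nothing (an assumption drawn from the reported symptom, not a documented platform guarantee). The flows are constructed, and the `src_wc` parameter shows why the source wildcard `0.0.255.255` posted in the question also catches telnet from VLAN 4, while `0.0.0.255` does not.

```python
import ipaddress

def _wc_match(addr, net, wildcard):
    """Cisco wildcard mask: a set bit means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def ace_matches(ace, flow):
    # ace = (action, proto, src, src_wc, dst, dst_wc, dport or None)
    _, proto, src, src_wc, dst, dst_wc, dport = ace
    return (proto in ("ip", flow["proto"])
            and _wc_match(flow["src"], src, src_wc)
            and _wc_match(flow["dst"], dst, dst_wc)
            and (dport is None or dport == flow["dport"]))

def acl_lookup(acl, flow):
    """First matching ACE wins; no match means the ACL's implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace[0]
    return "deny"

def vacl_decision(access_map, acls, flow):
    """access_map: ordered (acl_name or None, action) sequences. A sequence is
    hit only when its ACL permits the packet; a packet hitting no sequence is
    dropped. Assumption from the thread's symptom: no match clause hits nothing."""
    for acl_name, action in access_map:
        if acl_name is not None and acl_lookup(acls[acl_name], flow) == "permit":
            return action
    return "drop"

def vlan2_drop_acl(src_wc):
    """The thread's VLAN2_DROP list, parameterised by the source wildcard."""
    return [("deny", "tcp", "192.168.2.0", src_wc, "192.168.2.0", "0.0.0.255", 23),
            ("deny", "tcp", "192.168.2.0", src_wc, "192.168.2.0", "0.0.0.255", 22),
            ("deny", "tcp", "192.168.3.0", src_wc, "192.168.2.0", "0.0.0.255", 23),
            ("deny", "tcp", "192.168.3.0", src_wc, "192.168.2.0", "0.0.0.255", 22),
            ("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None)]

# Constructed sample flows (not from the thread).
TELNET_3_TO_2 = {"src": "192.168.3.10", "dst": "192.168.2.10", "proto": "tcp", "dport": 23}
HTTP_3_TO_2 = {"src": "192.168.3.10", "dst": "192.168.2.10", "proto": "tcp", "dport": 80}
TELNET_4_TO_2 = {"src": "192.168.4.10", "dst": "192.168.2.10", "proto": "tcp", "dport": 23}
BROKEN_MAP = [(None, "forward")]          # what 'show run' showed after the first attempt
FIXED_MAP = [("VLAN2_DROP", "forward")]   # the corrected single-sequence map

def evaluate(access_map, src_wc):
    acls = {"VLAN2_DROP": vlan2_drop_acl(src_wc)}
    return tuple(vacl_decision(access_map, acls, f)
                 for f in (TELNET_3_TO_2, HTTP_3_TO_2, TELNET_4_TO_2))
```

`evaluate(BROKEN_MAP, ...)` drops all three flows, which matches the total loss of connectivity reported in the question, while `evaluate(FIXED_MAP, "0.0.0.255")` drops only the VLAN 3 to VLAN 2 telnet flow.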
