On my VDX 6740 VCS fabric with NOS 7.3.0aa I'm trying to understand ACLs. I'm testing this one:
ip access-list deny_10-5-8-1 on Ve 4 at Ingress (From User)
seq 10 permit ip host 10.5.8.49 host 10.5.8.81 (Active)
seq 20 deny udp any host 10.5.8.254 (Active)
seq 30 deny tcp any host 10.5.8.254 (Active)
seq 40 deny ip any host 10.5.8.254 (Active)
seq 50 deny ip any host 10.5.8.81 (Active)
seq 60 permit ip any any (Active)
The VE runs with 10.5.8.254, and all the hosts/nodes connected to the VCS fabric can get to this IP, no problems.
Traffic to 10.5.8.81 gets denied, as expected.
Why is traffic to the VE's 10.5.8.254 not denied?
Best answer by Sargis Minasyan
You need to use "hard-drop" instead of "deny" for the packets that go to the control plane / the VDX's own addresses.