Solved

VEs are resilient to ACLs - by design, or is it a gigantic flaw?

  • 31 January 2019
  • 4 replies
  • 183 views

hi everyone,

On my VDX 6740 VCS fabric with NOS 7.3.0aa I'm trying to understand ACLs. I'm testing this one:
code:
ip access-list deny_10-5-8-1 on Ve 4 at Ingress (From User)
seq 10 permit ip host 10.5.8.49 host 10.5.8.81 (Active)
seq 20 deny udp any host 10.5.8.254 (Active)
seq 30 deny tcp any host 10.5.8.254 (Active)
seq 40 deny ip any host 10.5.8.254 (Active)
seq 50 deny ip any host 10.5.8.81 (Active)
seq 60 permit ip any any (Active)

The VE runs with 10.5.8.254, and all the hosts/nodes connected to the VCS fabric can get to this IP, no problems.
Traffic to 10.5.8.81 gets denied, as expected.

Why is traffic to the VE's 10.5.8.254 not denied?
Many thanks.

Best answer by Sargis Minasyan 31 January 2019, 19:14

Hi Pawel,

You need to use "hard-drop" instead of "deny" for the packets that go to the control plane/VDX own addresses.

Many thanks,
Sargis
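The fix Sargis describes, applied to the ACL from the question, as an added example rather than configuration posted in the thread. It assumes the ACL is an extended IP ACL, that 10.5.8.254 is the VDX's own VE 4 address (so those entries get hard-drop, which keeps the packets from being trapped to the CPU), and that 10.5.8.81 is an ordinary host behind the fabric (so a normal deny still works there).

```text
! Constructed example (not from the thread): the same ACL with hard-drop
! for the entries that match the switch's own VE address 10.5.8.254.
ip access-list extended deny_10-5-8-1
 seq 10 permit ip host 10.5.8.49 host 10.5.8.81
 seq 20 hard-drop udp any host 10.5.8.254
 seq 30 hard-drop tcp any host 10.5.8.254
 seq 40 hard-drop ip any host 10.5.8.254
 seq 50 deny ip any host 10.5.8.81
 seq 60 permit ip any any
!
interface Ve 4
 ip access-group deny_10-5-8-1 in
```

Entries 20 and 30 are already covered by entry 40 (ip matches udp and tcp as well); they are kept here only to mirror the original ACL, and a tidier version would keep just seq 40 with hard-drop.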

4 replies

simplify 🙂 & many thanks.
But out of curiosity - what is the rationale behind this logic?
Why not the same nomenclature for all?

I don't really know, possibly different ways of programming the ASICs, with hard-drop telling it not to trap the packets to the CPU.