‎01-31-2019 06:12 PM
hi everyone,
On my VDX 6740 VCS fabric with NOS 7.3.0aa I'm trying to understand ACLs. I'm testing this one:
code:
ip access-list deny_10-5-8-1 on Ve 4 at Ingress (From User)
seq 10 permit ip host 10.5.8.49 host 10.5.8.81 (Active)
seq 20 deny udp any host 10.5.8.254 (Active)
seq 30 deny tcp any host 10.5.8.254 (Active)
seq 40 deny ip any host 10.5.8.254 (Active)
seq 50 deny ip any host 10.5.8.81 (Active)
seq 60 permit ip any any (Active)
The VE runs with 10.5.8.254, and all the hosts/nodes connected to the VCS fabric can get to this IP, no problems.
Traffic to 10.5.8.81 gets denied, as expected.
Why is traffic to the VE's 10.5.8.254 not denied?
Many thanks.
1 ACCEPTED SOLUTION
‎01-31-2019 06:14 PM
Hi Pawel,
You need to use "hard-drop" instead of "deny" for the packets that go to the control plane/VDX own addresses.
Many thanks,
Sargis
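As an added illustration (not from the thread and not taken from Extreme/Brocade documentation), the same list with the three rules for the switch's own VE address changed from deny to hard-drop, as the accepted answer describes; the `extended` keyword, the running-config layout and the `ip access-group ... in` binding to Ve 4 are assumptions reconstructed from the show output in the question:

```text
! Assumed NOS running-config form of the ACL shown in the question.
! Packets addressed to the VDX's own VE IP are trapped to the CPU, so a
! plain "deny" does not stop them; "hard-drop" does (per the accepted answer).
ip access-list extended deny_10-5-8-1
 seq 10 permit ip host 10.5.8.49 host 10.5.8.81
 seq 20 hard-drop udp any host 10.5.8.254
 seq 30 hard-drop tcp any host 10.5.8.254
 seq 40 hard-drop ip any host 10.5.8.254
 seq 50 deny ip any host 10.5.8.81
 seq 60 permit ip any any
!
interface Ve 4
 ip access-group deny_10-5-8-1 in
```

Note that seq 20 and seq 30 are already covered by seq 40 (an `ip` rule matches every IP protocol); they are kept here only to mirror the original list. After applying, `show access-list` on Ve 4 and a ping from a fabric-attached host to 10.5.8.254 confirm whether the control-plane traffic is now dropped.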
4 REPLIES
‎02-01-2019 04:23 PM
I don't really know; possibly different ways of programming the ASICs, with hard-drop telling it not to trap the packets to the CPU.
‎02-01-2019 04:16 PM
But out of curiosity - what is the rationale behind this logic?
Why not the same nomenclature for all?
‎02-01-2019 04:15 PM
simplify & many thanks.
