VEs are resilient to ACLs - by design, or is it a gigantic flaw?

Pawel_Eljasz
New Contributor II
Hi everyone,

On my VDX 6740 VCS fabric with NOS 7.3.0aa I'm trying to understand ACLs. I'm testing this one:
code:
ip access-list deny_10-5-8-1 on Ve 4 at Ingress (From User)
seq 10 permit ip host 10.5.8.49 host 10.5.8.81 (Active)
seq 20 deny udp any host 10.5.8.254 (Active)
seq 30 deny tcp any host 10.5.8.254 (Active)
seq 40 deny ip any host 10.5.8.254 (Active)
seq 50 deny ip any host 10.5.8.81 (Active)
seq 60 permit ip any any (Active)


The VE runs with 10.5.8.254, and all the hosts/nodes connected to the VCS fabric can get to this IP, no problem.
Traffic to 10.5.8.81 gets denied, as expected.

Why is traffic to the VE's 10.5.8.254 not denied?
Many thanks.
1 ACCEPTED SOLUTION

Sargis_Minasyan
Extreme Employee
Hi Pawel,

You need to use "hard-drop" instead of "deny" for the packets that go to the control plane/VDX own addresses.

Many thanks,
Sargis

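To make the accepted answer concrete, here is an added example (not code from the thread or from Extreme/Brocade) that parses the ACL exactly as the original post shows it, models the behaviour the thread observed (a `deny` entry does not stop traffic addressed to the switch's own VE address, while `hard-drop` does), and flags the entries that need to be changed. It assumes that 10.5.8.254 is the address of Ve 4 (as the post states) and that the list ends with the usual implicit deny; the "deny is bypassed for switch-owned destinations" rule is a simplification of what was observed, not a description of the ASIC pipeline.

```python
import re
from copy import deepcopy

# Constructed input: the ACL as it appears in the post's `show` output.
ACL_TEXT = """\
ip access-list deny_10-5-8-1 on Ve 4 at Ingress (From User)
seq 10 permit ip host 10.5.8.49 host 10.5.8.81 (Active)
seq 20 deny udp any host 10.5.8.254 (Active)
seq 30 deny tcp any host 10.5.8.254 (Active)
seq 40 deny ip any host 10.5.8.254 (Active)
seq 50 deny ip any host 10.5.8.81 (Active)
seq 60 permit ip any any (Active)
"""

# Assumption: 10.5.8.254 is the address of Ve 4, i.e. owned by the switch itself.
LOCAL_ADDRESSES = {"10.5.8.254"}

SEQ_RE = re.compile(
    r"seq\s+(?P<seq>\d+)\s+(?P<action>permit|deny|hard-drop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
)


def parse_acl(text):
    """Turn the `seq ...` lines of the show output into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = SEQ_RE.search(line)
        if m:
            e = m.groupdict()
            e["seq"] = int(e["seq"])
            entries.append(e)
    return entries


def _field_matches(field, addr):
    # "any" matches everything; "host X" matches only X.
    return field == "any" or field.split()[-1] == addr


def _dst_addr(entry):
    return None if entry["dst"] == "any" else entry["dst"].split()[-1]


def evaluate(entries, proto, src, dst, local_addresses=LOCAL_ADDRESSES):
    """First-match evaluation with the thread's observation modelled in:
    a 'deny' entry does not stop a packet addressed to the switch itself
    (it is still trapped to the CPU); only 'hard-drop' stops it.
    Transit traffic honours both actions."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not (_field_matches(e["src"], src) and _field_matches(e["dst"], dst)):
            continue
        if e["action"] == "permit":
            return "permit"
        if e["action"] == "hard-drop":
            return "drop"
        # action == "deny": bypassed for CPU-bound traffic, as seen on the VDX
        if dst in local_addresses:
            return "permit"
        return "drop"
    return "drop"  # implicit deny at the end of the list (assumption)


def lint(entries, local_addresses=LOCAL_ADDRESSES):
    """Seq numbers of 'deny' entries aimed at a switch-owned address."""
    return [e["seq"] for e in entries
            if e["action"] == "deny" and _dst_addr(e) in local_addresses]


def harden(entries, local_addresses=LOCAL_ADDRESSES):
    """Return a copy with those entries switched to hard-drop, plus the
    corrected lines in the same format as the show output."""
    flagged = set(lint(entries, local_addresses))
    fixed = deepcopy(entries)
    lines = []
    for e in fixed:
        if e["seq"] in flagged:
            e["action"] = "hard-drop"
            lines.append(f"seq {e['seq']} hard-drop {e['proto']} {e['src']} {e['dst']}")
    return fixed, lines


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print("udp -> 10.5.8.254 with deny:", evaluate(acl, "udp", "10.5.8.10", "10.5.8.254"))
    print("entries to change:", lint(acl))
    hardened, corrected = harden(acl)
    print("\n".join(corrected))
    print("udp -> 10.5.8.254 with hard-drop:", evaluate(hardened, "udp", "10.5.8.10", "10.5.8.254"))
```

The corrected lines are printed in the format of the `show` output above, so the sequence numbers map directly onto the entries to re-enter; check the exact configuration-mode syntax for `hard-drop` against the NOS 7.3 ACL reference before pasting. Note that seq 50 is left as `deny`, since 10.5.8.81 is a host behind the fabric and the post confirms that entry already works.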


Sargis_Minasyan
Extreme Employee
I don't really know; possibly different ways of programming the ASICs, with hard-drop telling it not to trap the packets to the CPU.

Pawel_Eljasz
New Contributor II
But out of curiosity, what is the rationale behind this logic?
Why not the same nomenclature for all?

Pawel_Eljasz
New Contributor II
Simplify & many thanks.
