
I have an N3K-C3064PQ-10GX running version 7.0(3)I7(9), BIOS version 4.5.0, with 2x 10G SFP+ (LACP) from my carrier. Here is my switch config:

SWT(config-acl)# show ip access-lists uplink-acl

IP access list uplink-acl
        statistics per-entry
        10 permit ip x.x.x.x/32 any [match=0]
        20 permit ip y.y.y.y/28 any [match=0]
        30 permit ip z.z.z.z/32 any [match=0]
        40 deny tcp any any eq bgp [match=8]
        70 deny udp any any eq ntp [match=3]
        80 permit ip any any [match=2401]

SWT(config-acl)# sh run int po110

!Command: show running-config interface port-channel110
!Running configuration last done at: Fri Dec 25 12:00:34 2020
!Time: Fri Dec 25 12:02:15 2020

version 7.0(3)I7(9) Bios:version 4.5.0

interface port-channel110
  description UPLINK
  no switchport
  ip access-group uplink-acl in
  no ip redirects
  ip address 1.2.3.4/29

When I telnet to TCP 179 from outside of my network, it shows the packets have been matched with rule id 40, but from the internet it shows TCP 179 is open. I have also added ip access-list match-local-traffic in global config. Any idea or help? Thank you.

  • Logically, that should work. However, you may need to edit the control-plane policy (CoPP) to make it work -- the Nexus platform is weird. Commented Dec 25, 2020 at 9:26
  • Any working sample of how I can do this in CoPP? Because I have read that CoPP for N3K only supports PPS rate limiting, not drop or permit. Commented Dec 25, 2020 at 9:28
  • I have set 1.2.3.4/29 on int po110, and it's also strange that when I add "5 deny ip any 1.2.3.4/32" I can still telnet to TCP 179 from the internet! With this rule I have blocked everything totally! I do not know why it works! Any idea? Commented Dec 25, 2020 at 9:38
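To separate what the ACL text says from what the platform does with it, the following added example (written for this thread, not code from the poster or from Cisco) simulates NX-OS first-match evaluation of the uplink-acl entries above. The x.x.x.x / y.y.y.y / z.z.z.z placeholders are replaced with constructed TEST-NET addresses because the real values are not on the page; the probe packets are constructed too, using the port-channel address 1.2.3.4 from the post as destination. On paper a BGP probe from an unlisted internet host hits sequence 40, which is exactly what the [match=8] counter shows, so the gap between "counter increments" and "port still open" is about where the RACL sits relative to traffic addressed to the switch itself (the CoPP point raised in the comments), not about ACE ordering.

```python
"""First-match simulation of an NX-OS style IPv4 ACL (added example, not from the post)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The post's ACL with x.x.x.x / y.y.y.y / z.z.z.z replaced by constructed TEST-NET values.
ACL_TEXT = """\
IP access list uplink-acl
        statistics per-entry
        10 permit ip 203.0.113.10/32 any [match=0]
        20 permit ip 198.51.100.0/28 any [match=0]
        30 permit ip 192.0.2.5/32 any [match=0]
        40 deny tcp any any eq bgp [match=8]
        70 deny udp any any eq ntp [match=3]
        80 permit ip any any [match=2401]
"""

# Port keywords that appear on the page, plus a few common NX-OS names.
PORT_NAMES = {"bgp": 179, "ntp": 123, "ssh": 22, "telnet": 23, "www": 80}


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches any protocol; otherwise "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]   # None when the entry has no "eq <port>"


def _network(parts: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D/len' at parts[i]; return (network, next index)."""
    tok = parts[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok, strict=False), i + 1


def parse_acl(text: str) -> List[Ace]:
    """Parse 'show ip access-lists' output into ordered ACEs; header and counter tokens are ignored."""
    aces = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue  # "IP access list ..." / "statistics per-entry" lines carry no ACE
        seq, action, proto = int(parts[0]), parts[1], parts[2]
        src, i = _network(parts, 3)
        dst, i = _network(parts, i)
        dst_port = None
        if i + 1 < len(parts) and parts[i] == "eq":
            p = parts[i + 1]
            dst_port = int(p) if p.isdigit() else PORT_NAMES[p]
        aces.append(Ace(seq, action, proto, src, dst, dst_port))
    return aces


def first_match(aces: List[Ace], src_ip: str, dst_ip: str, proto: str,
                dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first ACE the packet hits, or ("deny", None) for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.seq
    return "deny", None


def evaluate(acl_text: str, src_ip: str, dst_ip: str, proto: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    return first_match(parse_acl(acl_text), src_ip, dst_ip, proto, dst_port)


if __name__ == "__main__":
    # Constructed probes toward the post's port-channel address 1.2.3.4.
    probes = [
        ("192.0.2.200", "1.2.3.4", "tcp", 179),   # BGP from an unlisted internet host -> deny, 40
        ("198.51.100.7", "1.2.3.4", "tcp", 179),  # BGP from inside the permitted /28 -> permit, 20
        ("192.0.2.200", "1.2.3.4", "udp", 123),   # NTP from outside -> deny, 70
        ("192.0.2.200", "1.2.3.4", "tcp", 22),    # everything else -> permit, 80
    ]
    for probe in probes:
        print(probe, "->", evaluate(ACL_TEXT, *probe))
```

Run it against pasted `show ip access-lists` output to confirm which sequence a given probe should hit; if the simulated result and the counter agree (as they do for sequence 40 here) but the service is still reachable, the filter is being bypassed for that traffic class rather than mis-ordered, and the control-plane path is the next thing to inspect.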
