
UCS Technology Labs Nexus 1000v on UCS

Access Control Lists in Nexus 1000v


Last updated: April 12, 2013

Task
Set up an ACL on N1Kv that prohibits standard web traffic from reaching Win2k8-www-3.
Permit all other traffic to that server.

Configuration
First, let's be sure of our Veth interface number.


N1Kv-01(config)# sh int status

--------------------------------------------------------------------------------
Port           Name               Status   Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
mgmt0          --                 up       routed    full    1000    --
Eth3/1         --                 up       trunk     full    1000    --
Eth3/2         --                 up       trunk     full    1000    --
Eth3/3         --                 up       trunk     full    unknown --
Eth3/4         --                 up       trunk     full    unknown --
Eth3/5         --                 up       trunk     full    unknown --
Eth4/1         --                 up       trunk     full    1000    --
Eth4/2         --                 up       trunk     full    1000    --
Eth4/3         --                 up       trunk     full    unknown --
Eth4/4         --                 up       trunk     full    unknown --
Eth4/5         --                 up       trunk     full    unknown --
Po1            --                 up       trunk     full    1000    --
Po2            --                 up       trunk     full    1000    --
Po3            --                 up       trunk     full    unknown --
Po4            --                 up       trunk     full    unknown --
Veth1          VMware VMkernel, v up       115       auto    auto    --
Veth2          VMware VMkernel, v up       116       auto    auto    --
Veth3          N1Kv-01-VSM-2, Net up       120       auto    auto    --
Veth4          N1Kv-01-VSM-2, Net up       121       auto    auto    --
Veth5          N1Kv-01-VSM-2, Net up       120       auto    auto    --
Veth6          Win2k8-www-1, Netw up       110       auto    auto    --
Veth7          VMware VMkernel, v up       115       auto    auto    --
Veth8          VMware VMkernel, v up       116       auto    auto    --
Veth9          N1Kv-01-VSM-1, Net up       120       auto    auto    --
Veth10         N1Kv-01-VSM-1, Net up       121       auto    auto    --
Veth11         N1Kv-01-VSM-1, Net up       120       auto    auto    --
Veth12         Win2k8-www-2, Netw up       110       auto    auto    --
Veth13         Win2k8-www-3, Netw up       110       auto    auto    --
Veth14         vCenter, Network A up                 auto    auto    --
control0       --                          routed    full    1000    --
N1Kv-01(config)#

Next, browse to Win2k8-www-3 to make sure it's still alive, and start a continuous ping to it so we can watch for any change.


Now apply an access list that blocks TCP port 80 traffic from ever reaching the guest, so that
browsing to it no longer gets a reply.

ip access-list NoHTTP
  10 deny tcp any any eq www
  20 permit ip any any
interface Vethernet13
  ip port access-group NoHTTP out

Verification
Check our ping and try to refresh the browser window.
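As an added example (not part of the original lab and not the Nexus 1000v's own code), the Python script below models the two steps of this task: it parses a constructed excerpt in the same layout as the show int status output above to locate the Veth that carries Win2k8-www-3, then evaluates sample flows against the NoHTTP ACL using NX-OS first-match semantics with the implicit deny at the end of the list. It shows why the ping keeps answering once the ACL is applied (ICMP is matched by line 20) and that the list denies only TCP/80, so HTTPS on 443 would still reach the guest. The function names, the PORT_KEYWORDS table and the sample table rows are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the 'show int status' output in the lab
# (not the page's verbatim output); same column layout as NX-OS prints.
SHOW_INT_STATUS = """\
Port           Name               Status   Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------
mgmt0          --                 up       routed    full    1000    --
Eth3/1         --                 up       trunk     full    1000    --
Veth6          Win2k8-www-1, Netw up       110       auto    auto    --
Veth12         Win2k8-www-2, Netw up       110       auto    auto    --
Veth13         Win2k8-www-3, Netw up       110       auto    auto    --
"""

# The ACL from the lab, as configured above.
NOHTTP_ACL = """\
ip access-list NoHTTP
  10 deny tcp any any eq www
  20 permit ip any any
"""

# One table row: the Name column may contain spaces, so it is matched lazily
# and the five fixed trailing columns anchor the end of the line.
ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.+?)\s+(?P<status>\S+)\s+(?P<vlan>\S+)"
    r"\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>\S+)\s*$"
)

def parse_int_status(output: str) -> dict:
    """Return {port: row-dict} for every data row of 'show int status'."""
    ports = {}
    for line in output.splitlines():
        if not line.strip() or line.startswith(("Port", "-")):
            continue  # header and separator lines carry no port
        m = ROW_RE.match(line)
        if m:
            ports[m.group("port")] = m.groupdict()
    return ports

def find_veth(ports: dict, vm_name: str) -> Optional[str]:
    """Find the 'up' Vethernet whose Name column starts with the VM's name."""
    for port, row in ports.items():
        if (port.startswith("Veth") and row["status"] == "up"
                and row["name"].startswith(vm_name)):
            return port
    return None

# Assumed subset of the NX-OS port keywords accepted after 'eq'.
PORT_KEYWORDS = {"www": 80, "https": 443}

@dataclass
class Ace:
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every IP protocol
    dst_port: Optional[int]  # None means any destination port

def parse_acl(text: str) -> list:
    """Parse the '<seq> <permit|deny> <proto> any any [eq <port>]' subset of
    NX-OS ACL syntax used in the lab; entries are returned in sequence order."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[:2] == ["ip", "access-list"]:
            continue  # the ACL name line is not an entry
        dst_port = None
        if "eq" in toks:
            value = toks[toks.index("eq") + 1]
            dst_port = PORT_KEYWORDS.get(value) or int(value)
        aces.append(Ace(int(toks[0]), toks[1], toks[2], dst_port))
    return sorted(aces, key=lambda a: a.seq)

def evaluate(aces: list, proto: str, dst_port: Optional[int] = None) -> str:
    """First-match evaluation with the implicit 'deny ip any any' at the end.
    Addresses are 'any any' throughout the lab, so they are not modelled."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"

def check_flows(acl_text: str) -> dict:
    """What the ping and the browser see once the ACL is applied outbound on
    the guest's Veth: HTTP denied, ping and HTTPS still permitted by line 20."""
    aces = parse_acl(acl_text)
    return {
        "http (tcp/80)": evaluate(aces, "tcp", 80),
        "https (tcp/443)": evaluate(aces, "tcp", 443),
        "ping (icmp)": evaluate(aces, "icmp"),
    }

if __name__ == "__main__":
    ports = parse_int_status(SHOW_INT_STATUS)
    print("Win2k8-www-3 is on", find_veth(ports, "Win2k8-www-3"))
    for flow, verdict in check_flows(NOHTTP_ACL).items():
        print(f"{flow:16} -> {verdict}")
```

Dropping line 20 from the ACL text and re-running check_flows shows the implicit deny in action: the ping would stop along with the web page, which is the usual cause of "I only meant to block HTTP" outages with NX-OS port ACLs.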

Note:
Even if we vMotion this guest to another host, the ACL will still be in effect.
Guests don't change vethernet port numbers simply because of vMotion, and they
retain all of their settings. One thing to be cautious of, however, is that if you edit
the settings of the guest and change the network adapter to a different port
profile/group and click Apply, and then even go back into the settings and move
the adapter back to the original port profile/group, the ACL will not remain. This is
true for any settings applied to the vethernet interface, such as QoS, Netflow,
DHCP trust, and so on.


2013 INE Inc., All Rights Reserved (http://www.ine.com/about-us.htm)
