Testing ACL on nexus 3k switches. Very simple setup. Two switches, R1 and R2. Linked with each other over layer3 interfaces Eth1/1.
Trying to use ACL r1r2 to block the traffic from R1 loopback1 to R2 loopback2 without any luck. No hit showing on the ACL counter. Any ideas are appreciated! Config as follows: R1:
ip route 0.0.0.0/0 12.12.12.2
interface Ethernet1/1
no switchport
ip address 12.12.12.1/24
no shutdown
!
interface loopback1
ip address 1.1.1.1/32
R2:
interface Ethernet1/1
no switchport
ip access-group r1r2 in
ip address 12.12.12.2/24
no shutdown
!
interface loopback2
ip address 2.2.2.2/32
!
ip route 0.0.0.0/0 12.12.12.1
!
ip access-list r1r2
statistics per-entry
10 deny ip 1.1.1.1/32 2.2.2.2/32
100 permit ip any any
!
Tried reboot and attching log to the ACL entry. Not seeing any changes. R1 loop1 can still ping R2 loop2, ACL on R2 has no hit, no log.
R1# ping 2.2.2.2 source 1.1.1.1
PING 2.2.2.2 (2.2.2.2) from 1.1.1.1: 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=254 time=3.382 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=254 time=2.666 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=254 time=2.639 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=254 time=2.494 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=254 time=2.526 ms
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 2.494/2.741/3.382 ms
R1#
Made a test between two ASR1000v with almost the same config and works as expected. ACL blocks the traffic with no drama.
