Nexus ACL not working???

Started by wintermute000, March 07, 2015, 06:38:33 PM


wintermute000

Ran into this strange issue; not much XP on Nexus (none on L3 actually, only 5/2k switching).

I have this simple ACL on a Nexus 7k:

ip access-list ACL
  10 deny icmp any any

applied to an SVI inbound.


From a host on that VLAN, I can merrily ping the SVI, or indeed a loopback behind the SVI if I route through the SVI.
WTF is going on?

Checks I have made:
- using ip access-list summary, I can see the ACL is configured and active as a routed ACL.
- if I add statistics per-entry and log options to the ACL, no hits are generated, whether hitting the SVI directly or routing through it to a loopback.
- if I add a blanket deny ip any any, nothing happens either.
- applying the ACL in both directions does nothing either.
- it's not just ICMP; telnet is allowed too.

i.e. an ACL on an SVI on a Nexus 7k appears to do NOTHING



I first encountered this during hardware labs for the DCUFI course, went home and replicated it in VIRL. The instructor said that he'd never been able to work out why, and every single other student (and according to the instructor every time he has run the course) hit this same issue, so it's really bugging me! In fact for a 6k course I am bitterly disappointed that Cisco can't explain why their lab doesn't freaking work (in fact the instructor said that when he has pressed the issue in the past, Cisco basically sent him a cease and desist...). Now that I can replicate it in VIRL I am reluctant to believe it is a bug; rather there is some platform or NX-OS configuration idiosyncrasy that I am not aware of.

Anyone with Layer 3 SVIs/ACLs active on an NX-OS platform and/or any idea of what this is?!?!???!! :doh:

As an aside, DCUFI plain out sucks as a course. Maybe 30% of it is the stuff you want (VDC, vPC, vPC+, FabricPath, OTV, etc.) and the rest is either CCNP-switch with Nexus syntax or memorising platform numbers / crappy 'I'll look it up when I need to' BS like RBAC or management features. Well, in its defence it did end up as a nice introduction to Fibre Channel.

DanC

Can't say I've ever come across this situation, but then again I've never used ACLs on an SVI in Nexus. I can say I had lots of problems using ACLs on the mgmt interface on the 7700, lots of weird behaviour, basically not doing what it should be doing (securing for ssh and tacacs), and never got to the bottom of it.

I know exactly what you mean about the DCUFI. The course provider I took it with had to write their own versions to keep up to date with the latest code revisions and hardware to stop people complaining. Some of the shit in there is just ridiculous, like a one-pager on multicast and a three-pager on MPLS... what's the point? May as well just say the box is capable of it, read the configuration guides for more info, not just give a useless semi-insight into the technology.

wintermute000

I learnt that routed ACLs are not supported on F1 cards. Perhaps that was the case, but I can't go back in time to check the show module output from the exam lab kit :p
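A quick way to check for the F1 condition mentioned in the last post, as an added example that is not part of this thread and not a Cisco tool: a Python script that parses "show module" output for F1-series line cards (assumed here to be identifiable by the N7K-F1 model prefix) and a running-config for SVIs carrying "ip access-group", then flags any SVI ACL whose VLAN has access ports on an F1 slot, where, per the poster's finding, the routed ACL would not be enforced. The show module output and the config fragment are constructed samples, not captures from the lab; only "switchport access vlan" membership is considered, trunk ports are not expanded.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample 'show module' output from a Nexus 7000 (not from the thread).
SHOW_MODULE = """\
Mod  Ports  Module-Type                         Model              Status
---  -----  ----------------------------------- ------------------ ----------
1    32     10 Gbps Ethernet Module             N7K-M132XP-12      ok
2    32     1/10 Gbps Ethernet Module           N7K-F132XP-15      ok
5    0      Supervisor module-1X                N7K-SUP1           active *
"""

# Constructed running-config fragment (not from the thread): the ACL from the
# first post, applied inbound on two SVIs whose member ports sit on different slots.
RUNNING_CONFIG = """\
ip access-list ACL
  10 deny icmp any any

interface Vlan10
  no shutdown
  ip address 10.0.10.1/24
  ip access-group ACL in

interface Vlan20
  no shutdown
  ip address 10.0.20.1/24
  ip access-group ACL in

interface Ethernet1/1
  switchport
  switchport access vlan 20
  no shutdown

interface Ethernet2/1
  switchport
  switchport access vlan 10
  no shutdown
"""

MODULE_RE = re.compile(r"^(\d+)\s+\d+\s+.*?\b(N7K-[A-Z0-9-]+)")
SVI_RE = re.compile(r"^Vlan(\d+)$")
ETH_RE = re.compile(r"^Ethernet(\d+)/\d+$")


def f1_slots(show_module: str) -> set[int]:
    """Slots holding F1-series cards; assumes the 'N7K-F1' model prefix identifies them."""
    slots: set[int] = set()
    for line in show_module.splitlines():
        m = MODULE_RE.match(line)
        if m and m.group(2).startswith("N7K-F1"):
            slots.add(int(m.group(1)))
    return slots


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each 'interface X' stanza name to its indented sub-commands."""
    stanzas: dict[str, list[str]] = defaultdict(list)
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None  # blank line or a non-interface top-level command ends the stanza
    return stanzas


def svi_acls(stanzas: dict[str, list[str]]) -> dict[int, list[tuple[str, str]]]:
    """VLAN id -> [(acl_name, direction)] from 'ip access-group' lines on SVIs."""
    result: dict[int, list[tuple[str, str]]] = defaultdict(list)
    for name, cmds in stanzas.items():
        m = SVI_RE.match(name)
        if not m:
            continue
        for cmd in cmds:
            parts = cmd.split()
            if len(parts) == 4 and parts[:2] == ["ip", "access-group"]:
                result[int(m.group(1))].append((parts[2], parts[3]))
    return result


def vlan_members(stanzas: dict[str, list[str]]) -> dict[int, list[tuple[str, int]]]:
    """VLAN id -> [(interface, slot)] for access ports only; trunks are not expanded."""
    members: dict[int, list[tuple[str, int]]] = defaultdict(list)
    for name, cmds in stanzas.items():
        m = ETH_RE.match(name)
        if not m:
            continue
        for cmd in cmds:
            parts = cmd.split()
            if parts[:3] == ["switchport", "access", "vlan"]:
                members[int(parts[3])].append((name, int(m.group(1))))
    return members


def unenforced_racls(show_module: str, config: str) -> list[dict]:
    """Flag SVI ACLs whose VLAN has member ports on F1 slots (RACL not enforced there)."""
    f1 = f1_slots(show_module)
    stanzas = parse_interfaces(config)
    members = vlan_members(stanzas)
    findings = []
    for vlan, acls in sorted(svi_acls(stanzas).items()):
        f1_ports = sorted(ifname for ifname, slot in members.get(vlan, []) if slot in f1)
        if not f1_ports:
            continue
        for acl, direction in acls:
            findings.append({"vlan": vlan, "acl": acl, "direction": direction, "f1_ports": f1_ports})
    return findings


if __name__ == "__main__":
    for f in unenforced_racls(SHOW_MODULE, RUNNING_CONFIG):
        print(f"Vlan{f['vlan']}: ACL '{f['acl']} {f['direction']}' is not enforced "
              f"for traffic from F1 ports {', '.join(f['f1_ports'])}")
```

With the constructed inputs, only Vlan10 is reported, because its access port Ethernet2/1 lives on the F1 card in slot 2; Vlan20's port is on the M1 card in slot 1 and is left alone. Feed it real "show module" and "show running-config" captures to see whether the lab chassis was in the same situation.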