We've recently purchased a handful of switches and while we await their delivery I was looking into the demo provided here: https://github.com/CumulusNetworks/cldemo-vagrant/
I was curious if there are any known gotchas regarding ACLs -- more specifically ACLs on / matching an SVI behaving differently in the virtualized environment compared to the hardware.
For context I was simply trying to drop all traffic to a subnet from a specific VLAN / SVI / bridge and I don't seem to be having much luck. Here is a succinct portion of the config:
address-virtual 44:38:39:00:01:20 10.5.0.1/24
# Custom rules
-A $INNFWD_CHAIN --in-interface vlan100 -d 10.5.0.0/24 -j DROP
The topology is that of the demo (https://raw.githubusercontent.com/CumulusNetworks/cldemo-vagrant/master/documentation/cldemo_topology.png). server01 & server02 can still reach each other within that subnet even with that rule in place. Any idea where I could be going wrong?
It may be worth noting that the SVI is on the spine in this instance instead of the leaf / the VRR IP is active on one spine (I turned off every switch besides spine01, leaf01 to ensure nothing goofy is going on).
Best answer by Pete B
@SleepyWombat So TIL that on a physical switch the ACLs are programmed into the ASIC, so all ACL checks are done on the ASIC. Since VX doesn't have an ASIC, all ACL checks are done up at the kernel.
If you want to troubleshoot this in a more immediate fashion feel free to join our public Slack instance and ask there. Our consultants monitor it throughout the day and can pitch in and help you.
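As an added illustration (not part of the question or the answer above, and not Cumulus code), the following Python script models the rule from the question and one check worth making before looking at ASIC-versus-kernel differences: an iptables FORWARD-chain rule (the chain `$INNFWD_CHAIN` is populated into) is only consulted for packets the kernel routes. Two hosts in the same subnet talk to each other over bridged frames that never pass through the SVI's routing path, so a rule matching `--in-interface vlan100 -d 10.5.0.0/24` cannot affect server01-to-server02 traffic inside 10.5.0.0/24. The host addresses, the second VLAN and the simplified "bridged or routed" decision are constructed assumptions for the model, not values from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The rule exactly as it appears in the question (cl-acltool / iptables syntax).
RULE = "-A $INNFWD_CHAIN --in-interface vlan100 -d 10.5.0.0/24 -j DROP"

# Constructed: the SVI from the question's address-virtual line.
SVI_NAME = "vlan100"
SVI_PREFIX = ipaddress.ip_network("10.5.0.0/24")


@dataclass
class Rule:
    chain: str
    in_iface: Optional[str]
    dst: Optional[ipaddress.IPv4Network]
    target: str


def parse_rule(text: str) -> Rule:
    """Parse the subset of iptables options used by the rule in the question."""
    tokens = text.split()
    chain = in_iface = dst = target = None
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt == "-A":
            chain = tokens[i + 1]
        elif opt in ("-i", "--in-interface"):
            in_iface = tokens[i + 1]
        elif opt in ("-d", "--destination"):
            dst = ipaddress.ip_network(tokens[i + 1], strict=False)
        elif opt == "-j":
            target = tokens[i + 1]
        else:
            raise ValueError(f"unsupported option: {opt}")
        i += 2
    return Rule(chain, in_iface, dst, target)


def forwarding_path(src: str, dst: str) -> str:
    """Simplified model: two hosts inside the SVI's subnet exchange frames that
    the switch bridges at L2; anything else is routed through the SVI."""
    if ipaddress.ip_address(src) in SVI_PREFIX and ipaddress.ip_address(dst) in SVI_PREFIX:
        return "bridged"
    return "routed"


def rule_matches(rule: Rule, in_iface: str, dst: str) -> bool:
    """Match the rule's --in-interface and -d qualifiers against a routed packet."""
    if rule.in_iface is not None and rule.in_iface != in_iface:
        return False
    if rule.dst is not None and ipaddress.ip_address(dst) not in rule.dst:
        return False
    return True


def verdict(rule: Rule, src: str, dst: str, in_iface: str) -> str:
    """Report whether the FORWARD-chain rule is consulted and what it decides."""
    if forwarding_path(src, dst) == "bridged":
        return "bridged: FORWARD chain not consulted, rule has no effect"
    if rule_matches(rule, in_iface, dst):
        return f"routed: {rule.target}"
    return "routed: no match, falls through"


if __name__ == "__main__":
    rule = parse_rule(RULE)
    # Constructed sample flows (addresses are assumptions, not from the post).
    flows = [
        ("server01 -> server02, same VLAN", "10.5.0.11", "10.5.0.12", "vlan100"),
        ("other subnet -> 10.5.0.0/24 via vlan200", "10.6.0.5", "10.5.0.11", "vlan200"),
        ("hairpin into 10.5.0.0/24 arriving on vlan100", "10.7.0.3", "10.5.0.11", "vlan100"),
    ]
    for label, src, dst, iface in flows:
        print(f"{label}: {verdict(rule, src, dst, iface)}")
```

The third flow is the only one the rule as written can ever drop: a packet that arrives on vlan100 and is routed to a destination inside vlan100's own subnet. To block routed traffic into 10.5.0.0/24 from other VLANs the `--in-interface` would have to name the ingress VLAN, and to stop hosts inside the VLAN from reaching each other the filtering has to happen at L2 (an ebtables/`$INNFWD_CHAIN` bridge rule on the switch the hosts attach to) rather than at the SVI.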