We've recently purchased a handful of switches and while we await their delivery I was looking into the demo provided here: https://github.com/CumulusNetworks/cldemo-vagrant/
I was curious if there are any known gotchas regarding ACLs -- more specifically, ACLs on / matching an SVI behaving differently in the virtualized environment compared to the hardware.
For context I was simply trying to drop all traffic to a subnet from a specific VLAN / SVI / bridge and I don't seem to be having much luck. Here is a succinct portion of the config:
address-virtual 44:38:39:00:01:20 10.5.0.1/24
# Custom rules
-A $INNFWD_CHAIN --in-interface vlan100 -d 10.5.0.0/24 -j DROP
The topology is that of the demo (https://raw.githubusercontent.com/CumulusNetworks/cldemo-vagrant/master/documentation/cldemo_topology.png). server01 & server02 can still reach each other within that subnet even with that rule in place. Any idea where I could be going wrong?
It may be worth noting that the SVI is on the spine in this instance instead of the leaf / the VRR IP is active on one spine (I turned off every switch besides spine01 and leaf01 to ensure nothing goofy is going on).
Best answer by Pete B
If you want to troubleshoot this in a more immediate fashion, feel free to join our public Slack instance and ask there. Our consultants monitor it throughout the day and can pitch in and help you.