01-18-2017 07:41 AM
So we're running MLXe 8s and 16s on 5.7. I built a vrf instance on it, which was pretty easy, and got that bad boy working well. I'm also running MCT and VRRP-E for those instances; everything is set up properly, I have the MASTER-BACKUP relationship running like champs and they're talking over the wire.
Now we went ahead and applied ACLs to the interfaces that are associated with the vrf instance, since we're running a virtual infrastructure (vmware) and the team wants only the subnets to respond. No problem. Put in the permit x.x.x.x/24, deny any, apply in and out on the ve on both sides and we're golden, since we can do that with the MLXe's. By that logic we should be able to only allow replies for that traffic.
To test that theory, a quick ping vrf NAME x.x.x.2 source x.x.x.2, where both sets of x.x.x.x/24s sit within the vrf instance, works the way it is intended. Works well actually. They were typically denied by the ACL that was applied on the interface unless they resided on the same ip address.
So here's the kicker. We had to leak the vrf to the default vrf instance since we need to do a transfer via sftp for server images and what not. That's not the problem. We have acls that specifically prevent anything within the default vrf ip space from doing anything to the ve's on the non default vrf instance itself.
Now the better part is I can ping .1 on one subnet, but not .2 or .3 on the cores, nor a host, but I can also ping .2 and .3 on another subnet but not .1 on another subnet, and not a known good host. So I'm almost at a bit of a loss here. I'm not overly concerned, since within the vrf instance it's working just fine and blocking/allowing as it should, and removing the leak will alleviate us of this issue.
Any thoughts team?
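A small model of the ACL logic the post describes (permit the vrf's /24s, explicit deny any, bound in and out on the ve), added here as an example that is not the poster's configuration or any Brocade code: it assumes a standard source-matching ACL with first-match semantics and uses constructed sample subnets, and it does not model how the platform treats traffic addressed to the ve itself.

```python
import ipaddress

# Constructed sample subnets standing in for the post's x.x.x.x/24s (not addresses from the thread).
VRF_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24"]


def build_acl(subnets):
    """Standard (source-matching) ACL as described: permit each /24, then an explicit deny any."""
    acl = [("permit", ipaddress.ip_network(s)) for s in subnets]
    acl.append(("deny", ipaddress.ip_network("0.0.0.0/0")))
    return acl


def evaluate(acl, src):
    """First matching entry wins; no match falls through to the implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"


def ping_outcome(acl, src, dst):
    """Model an echo request and its reply crossing the ve that fronts dst's subnet.

    The ve carries the ACL in both directions, so the request is checked on the
    way out (source = src) and the reply on the way back in (source = dst).
    """
    if evaluate(acl, src) != "permit":
        return "request dropped by outbound ACL"
    if evaluate(acl, dst) != "permit":
        return "reply dropped by inbound ACL"
    return "success"


def run_probes():
    """Replay the two situations from the post: intra-vrf ping and a probe via the leaked route."""
    acl = build_acl(VRF_SUBNETS)
    return {
        # ping vrf NAME from one vrf subnet to the other: both sources are listed
        "intra-vrf": ping_outcome(acl, "10.10.1.2", "10.10.2.2"),
        # source in default-vrf address space reaching the ve through the leaked route
        "leaked-from-default-vrf": ping_outcome(acl, "192.0.2.10", "10.10.2.2"),
    }


if __name__ == "__main__":
    for name, result in run_probes().items():
        print(f"{name}: {result}")
```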
01-26-2017 01:30 PM
Welcome to the Community!
While we still encourage the Community to assist with your post, I wanted to let you know I have passed your questions on to our TAC Engagement Team. They will be reaching out to you shortly to gather more information regarding your configuration, so we can get you in touch with the correct group. I encourage you to continue to post in the Community and let me know if there is any way I can help.
Once your post is resolved, we will make sure to post the resolution back to the Community to help other members.
You can find out more about the TAC Engaged Program by clicking on the image below.
Brocade Community Team
03-21-2017 01:37 PM
I wanted to check in with you - TAC has been unable to reach you regarding this open issue within the Brocade Community and has closed the case I opened as a result. I hope you were able to find a resolution. If yes, it would be great if you could post the resolution to help others. If no, please let me know if there's any way we can further assist you with this issue.
Brocade Community Team