cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
131
Views
0
Helpful
1
Replies
Highlighted

MAC VACL issue on Nexus 9000

Hello,

 

We have  a setup of Nexus 93180YC-EX running running 7.0(3)I7(6) OS version. On one of the VLAN/VXLAN we want to limit communication between hosts.

Host should be reachable only from outside network, but inside VLAN only communication with Anycast  gateway should be allowed.

To achieve that, following config was applied ( MAC aaaa.bbbb.cccc in this case is distributed anycast gateway MAC):

 

mac access-list ACL-NETWORK

  10 permit aaaa.bbbb.cccc 0000.0000.0000 any   #Allow any traffic from anycast gateway

  20 permit any aaaa.bbbb.cccc 0000.0000.0000  #Allow any traffic to  anycast gateway

  30 permit any ffff.ffff.ffff 0000.0000.0000             #Allow direct broadcast for ARP

  statistics per-entry

vlan access-map VACL-NETWORK 10

  match mac address ACL-NETWORK

  action forward

vlan filter VACL-NETWORK vlan-list 1695

 

This configuration works, but I‘ve noted that if hosts still have ARP cache, or configured static ARP entries, they able to communicate within VLAN. Issue does not depend on whenever devices connected to same switch, or the VXLAN between different LEAF‘s used.

 

Am I missing something in configuration?

 

Thank you in advance,

Alex

1 REPLY 1

Re: MAC VACL issue on Nexus 9000

Resolved with TAC:

 

MAC packet classification allows you to control if MAC ACL will be applied to IP and non-IP traffic or to non-IP traffic only.

When MAC packet classification is disabled, MAC ACL is applied to non-IP traffic only.

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_01011.html#task_...

 

section MAC Packet Classification.

 

In case of MAC ACL applying to the VLAN, you cannot enable MAC packet classification which means than MAC ACL is applied only on non-IP traffic.

 

ARP – is not IP, so it is intercepted and processed by MAC ACL.

 

But if hosts have static arp or valid ARP in ARP-cache, traffic that is being sent by host is IP traffic and will not be processed by MAC ACL.

 

Like a workaround you can apply MAC ACL to port and enable MAC packet classification.

In this case IP traffic also be filtered.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards