07-17-2019 03:00 AM
Hello,
We have a setup of Nexus 93180YC-EX running the 7.0(3)I7(6) OS version. On one of the VLAN/VXLANs we want to limit communication between hosts.
Host should be reachable only from outside network, but inside VLAN only communication with Anycast gateway should be allowed.
To achieve that, following config was applied ( MAC aaaa.bbbb.cccc in this case is distributed anycast gateway MAC):
mac access-list ACL-NETWORK
10 permit aaaa.bbbb.cccc 0000.0000.0000 any #Allow any traffic from anycast gateway
20 permit any aaaa.bbbb.cccc 0000.0000.0000 #Allow any traffic to anycast gateway
30 permit any ffff.ffff.ffff 0000.0000.0000 #Allow direct broadcast for ARP
statistics per-entry
vlan access-map VACL-NETWORK 10
match mac address ACL-NETWORK
action forward
vlan filter VACL-NETWORK vlan-list 1695
This configuration works, but I've noted that if hosts still have an ARP cache, or have configured static ARP entries, they are able to communicate within the VLAN. The issue does not depend on whether the devices are connected to the same switch or the VXLAN between different LEAFs is used.
Am I missing something in configuration?
Thank you in advance,
Alex
07-22-2019 12:55 AM
Resolved with TAC:
MAC packet classification allows you to control if MAC ACL will be applied to IP and non-IP traffic or to non-IP traffic only.
When MAC packet classification is disabled, MAC ACL is applied to non-IP traffic only.
section MAC Packet Classification.
In case of a MAC ACL applied to the VLAN, you cannot enable MAC packet classification, which means that the MAC ACL is applied only to non-IP traffic.
ARP – is not IP, so it is intercepted and processed by MAC ACL.
But if hosts have a static ARP entry or a valid entry in the ARP cache, the traffic sent by the host is IP traffic and will not be processed by the MAC ACL.
As a workaround you can apply the MAC ACL to the port and enable MAC packet classification.
In this case IP traffic will also be filtered.
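To make the TAC explanation concrete, here is an added Python model (not part of the thread or of NX-OS) of how the posted ACL-NETWORK entries are consulted with and without MAC packet classification. The host MACs and the `forwarded()` decision logic are constructed for illustration; `packet_classify=True` stands for the port-level workaround, since classification cannot be enabled for a VLAN-applied MAC ACL.

```python
from dataclasses import dataclass

GATEWAY_MAC = "aaaa.bbbb.cccc"    # distributed anycast gateway MAC from the post
BROADCAST_MAC = "ffff.ffff.ffff"
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
HOST_A, HOST_B = "0000.0000.00a1", "0000.0000.00b2"   # constructed host MACs


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int


# mac access-list ACL-NETWORK as (source, destination); "any" is a wildcard.
ACL_NETWORK = [
    (GATEWAY_MAC, "any"),      # 10 permit: any traffic from the anycast gateway
    ("any", GATEWAY_MAC),      # 20 permit: any traffic to the anycast gateway
    ("any", BROADCAST_MAC),    # 30 permit: broadcast, so ARP requests still work
]


def mac_acl_permits(frame: Frame, acl) -> bool:
    """First-match evaluation of the MAC ACL; no match is an implicit deny."""
    for src, dst in acl:
        if src in ("any", frame.src) and dst in ("any", frame.dst):
            return True
    return False


def forwarded(frame: Frame, packet_classify: bool, acl=ACL_NETWORK) -> bool:
    """Model of the behaviour TAC described: with MAC packet classification
    disabled, IP frames bypass the MAC ACL entirely (forwarded unchecked);
    only non-IP frames such as ARP are evaluated against it."""
    if frame.ethertype == ETHERTYPE_IPV4 and not packet_classify:
        return True
    return mac_acl_permits(frame, acl)


def evaluate(packet_classify: bool) -> dict:
    """Decision for the three flows discussed in the thread."""
    return {
        "arp_broadcast": forwarded(Frame(HOST_A, BROADCAST_MAC, ETHERTYPE_ARP), packet_classify),
        "ip_to_gateway": forwarded(Frame(HOST_A, GATEWAY_MAC, ETHERTYPE_IPV4), packet_classify),
        # Host-to-host IP after a cached/static ARP entry: the flow that leaked.
        "ip_host_to_host": forwarded(Frame(HOST_A, HOST_B, ETHERTYPE_IPV4), packet_classify),
    }


if __name__ == "__main__":
    print("VLAN MAC ACL (classification off):", evaluate(False))
    print("Port MAC ACL (classification on): ", evaluate(True))
```

The host-to-host IP flow is forwarded in the first case and denied in the second, matching the leak observed with cached ARP entries and the port-level fix.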