10-19-2021 10:40 AM
Hi all,
I have a Nexus 9364C running NX-OS 7.0(3)I7(5).
I need to permit ARP request messages using an IPv4 access control list.
Can somebody help me?
10-19-2021 10:21 PM
Hi @saeedek
ARP is a Layer 2 protocol, which means that an IP access list will not be able to capture it, and it is allowed between two IP addresses from the same subnet even if the ACL is denying them.
If you are interested in allowing/denying ARP, you can have a look at the MAC ACLs.
Stay safe,
Sergiu
10-20-2021 01:43 AM
Dear Sergiu,
Thanks for your reply.
I have a question.
If I have an IPv4 ACL and a MAC access list, then I will apply both under the Ethernet interface. What order will they be performed in?
int eth1/1
switchport
ip access-group traffic in
mac port access-group 1
where the MAC access list will permit any any for ARP messages
and the IP ACL is for traffic control.
10-20-2021 05:53 AM
Hi @saeedek
Before answering your question, there are a couple of notes I would like to add:
1. Since interface eth1/1 is a switchport, the correct way to apply an IP access list is using "ip port access-group X".
2. ARP is allowed even if you do not have a MAC access list configured and applied on the interface. Basically you do not need it to allow ARP traffic to pass through that interface, especially if you do not plan to filter anything else.
Coming back to your query:
A MAC ACL that is on the interface applies only to non-IP traffic entering the interface (including ARP).
An IP port ACL on the interface will match on IP traffic only.
In other words, there is no order. The MAC ACL and the IP ACL work independently of each other.
On the other hand, there is an order if you have other types of ACLs applied on your Nexus. Below is a picture which expresses the order (from left to right, the blue line is switched traffic, the red line is routed traffic).
Stay safe,
Sergiu
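As an added illustration of the two points above (this is example configuration written for this page, not part of Sergiu's reply or of any Cisco document), the following NX-OS snippet puts the ARP permit in a MAC ACL and the IP filtering in an IP port ACL, both applied to the Layer 2 port. The ACL names ALLOW-ARP and TRAFFIC and the 10.1.1.0/24 host range are assumed values.

```cisco
! Added example (not from the thread): on a switchport, ARP frames are
! checked by the MAC ACL only and IP packets by the IP port ACL only.
! ACL names (ALLOW-ARP, TRAFFIC) and the 10.1.1.0/24 range are assumed.

! MAC ACL: ARP is EtherType 0x0806. Every ACL ends with an implicit
! deny, so once a MAC ACL is applied it must permit ARP explicitly or
! the hosts behind the port lose address resolution.
mac access-list ALLOW-ARP
  10 permit any any 0x0806
! (implicit "deny any any" follows)

! IP port ACL: sees IP traffic only. ARP never reaches this list, so
! a "permit arp" entry is neither possible nor needed here.
ip access-list TRAFFIC
  10 permit tcp 10.1.1.0/24 any eq 443
  20 permit icmp 10.1.1.0/24 any
! (implicit "deny ip any any" follows)

! Apply both to the Layer 2 port. Use "ip port access-group", not
! "ip access-group", because Ethernet1/1 is a switchport; the two
! lists are evaluated independently of each other.
interface Ethernet1/1
  switchport
  mac port access-group ALLOW-ARP
  ip port access-group TRAFFIC in
```

After applying, "show mac access-lists ALLOW-ARP" and "show ip access-lists TRAFFIC" show the per-entry match counters, which is the quickest way to confirm that ARP is hitting the MAC ACL and not the IP ACL.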
10-24-2021 10:29 AM
Dear Sergiu,
Thanks for your reply, and I got the idea.