12-18-2024 07:38 PM
My customer has an NXOS VXLAN fabric and wants to enable PBR with L2 as the classification. Is this supported? The customer is using ND 3.2 with NDFC.
The fabric is full of L2 and the GW is in the external network. On an L2VNI, can we enable PBR wherein, for certain MAC addresses, we enable a policy that redirects to the FW?
12-19-2024 05:37 AM - edited 12-19-2024 05:37 AM
Hello @Jayashanker warrier
Enabling PBR with L2 classification in a VXLAN fabric on NX-OS has limitations.
Typically, PBR operates at L3, using IP address-based classification to apply policies for traffic redirection. However, for a VXLAN fabric that is predominantly L2, PBR based on MAC addresses is not directly supported by NX-OS. In your scenario, the customer wants to classify traffic by MAC address within an L2VNI and redirect certain traffic to a firewall. While NDFC 3.2 provides robust management for VXLAN environments, it primarily supports L3 PBR, not direct L2 MAC address-based policies.
To achieve the desired result, one approach would be to use a Layer 3 gateway located in the external network, which can apply PBR based on IP addresses that correspond to the MAC addresses you wish to redirect. This method could involve leveraging MAC ACLs or VLAN-based policies in combination with VXLAN routing, where you apply PBR to L3 traffic that originates from the L2VXLAN.
Another solution is to apply PBR at the edge devices of the VXLAN fabric, where the traffic exits the fabric. Here, you can classify and direct traffic using IP-based ACLs or route maps, which could be derived from the IP addresses corresponding to specific MAC addresses. While the configuration will not directly apply PBR to MAC addresses in a traditional sense, this workaround can still achieve the desired traffic redirection...
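The IP-based workaround the reply describes, as an added NX-OS configuration example that is not part of the original thread: classification is done on the host IPs that correspond to the MACs of interest, and PBR is applied on the L3 gateway SVI. All addresses, VLAN and object names are constructed placeholders.

```cisco
! Added example, not from the thread: IP-based PBR on the L3 gateway SVI
! standing in for MAC-based classification. All values are constructed.
feature pbr

! Classify by the host IPs that map to the MAC addresses you want inspected.
! statistics per-entry lets you confirm the ACL is actually matching traffic.
ip access-list HOSTS-TO-FW
  statistics per-entry
  10 permit ip 10.1.10.50/32 any
  20 permit ip 10.1.10.51/32 any

! Redirect matched traffic to the firewall's inside interface.
route-map PBR-TO-FW permit 10
  match ip address HOSTS-TO-FW
  set ip next-hop 10.1.99.10

! Apply on the gateway SVI for the L2VNI's VLAN (the first L3 hop).
interface Vlan10
  ip policy route-map PBR-TO-FW
```

Check the policy with `show route-map PBR-TO-FW` and `show ip access-lists HOSTS-TO-FW`, which show whether the ACL entries are being hit. Because classification is by IP rather than MAC, the ACL must be updated whenever a tracked host changes its address.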