Nexus 3000 filter to allow only PPPoE traffic

Marcos
Level 1

Hi,
I need to convert this working filter from a Cisco 3750 to a Cisco Nexus 3000 [version 7.0(3)I7(10)].

On those two VLANs (211, 311) I only have to allow PPPoE traffic. I tried without success (the syntax is different).
Thanks!

mac access-list extended permit-pppoe
 permit any any 0x8863 0x0
 permit any any 0x8864 0x0
 deny   any any

vlan access-map vmap-permit-pppoe 10
 action forward
 match mac address permit-pppoe
vlan access-map vmap-permit-pppoe 20
 action drop

vlan filter vmap-permit-pppoe vlan-list 211,311
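To make the intended policy concrete before it is ported to another platform, here is an added offline model of the Catalyst MAC ACL plus VLAN access-map above (example code, not from the thread or from Cisco). It decodes constructed Ethernet frames (one optional 802.1Q tag), evaluates the `permit-pppoe` ACL with Catalyst "don't care" mask semantics, walks the access-map sequences the way a VACL does (a sequence with a match clause applies only when its ACL permits the frame), and reports forward/drop per frame. MAC addresses, frame payloads and the single-tag assumption are constructed for the example.

```python
"""Offline model of the 'permit-pppoe' VLAN filter from the post (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETH_P_8021Q = 0x8100        # 802.1Q tag protocol identifier
PPPOE_DISCOVERY = 0x8863
PPPOE_SESSION = 0x8864

# mac access-list extended permit-pppoe: (action, EtherType, mask).
# Catalyst semantics: mask bits set to 1 are ignored, so 0x0 is an exact match.
PERMIT_PPPOE: List[Tuple[str, int, int]] = [
    ("permit", PPPOE_DISCOVERY, 0x0),
    ("permit", PPPOE_SESSION, 0x0),
    # the explicit "deny any any" is covered by the implicit deny below
]
MAC_ACLS = {"permit-pppoe": PERMIT_PPPOE}

# vlan access-map vmap-permit-pppoe: (sequence, action, matched MAC ACL or None)
VACL = [(10, "forward", "permit-pppoe"), (20, "drop", None)]
FILTERED_VLANS = {211, 311}   # vlan filter vmap-permit-pppoe vlan-list 211,311


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]   # 802.1Q VID, or the port's access VLAN when untagged
    ethertype: int        # payload EtherType, read after any tag


def parse_frame(raw: bytes, access_vlan: Optional[int] = None) -> Frame:
    """Decode the Ethernet header; a single 802.1Q tag is unwrapped if present."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    vlan = access_vlan
    if etype == ETH_P_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])
        vlan = tci & 0x0FFF          # low 12 bits of the TCI carry the VID
    return Frame(dst, src, vlan, etype)


def mac_acl_permits(entries: List[Tuple[str, int, int]], frame: Frame) -> bool:
    """First matching entry wins; no match means implicit deny."""
    for action, value, mask in entries:
        care = ~mask & 0xFFFF
        if frame.ethertype & care == value & care:
            return action == "permit"
    return False


def vacl_action(frame: Frame) -> str:
    """Walk the access-map: a sequence without a match clause applies to all."""
    for _seq, action, acl_name in VACL:
        if acl_name is None or mac_acl_permits(MAC_ACLS[acl_name], frame):
            return action
    return "drop"   # implicit drop at the end of a VLAN access-map


def filter_frame(raw: bytes, access_vlan: Optional[int] = None) -> str:
    frame = parse_frame(raw, access_vlan)
    if frame.vlan not in FILTERED_VLANS:
        return "forward"    # the vlan filter applies only to VLANs 211 and 311
    return vacl_action(frame)


def build_frame(dst: bytes, src: bytes, ethertype: int,
                vlan: Optional[int] = None, payload: bytes = b"") -> bytes:
    """Constructed frame with an optional 802.1Q tag (priority 0, no DEI)."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


BCAST = b"\xff" * 6
CPE = bytes.fromhex("0200deadbeef")     # constructed client MAC
BRAS = bytes.fromhex("0200c0ffee01")    # constructed access-concentrator MAC

SAMPLES: Dict[str, bytes] = {   # constructed sample frames
    # PADI: PPPoE ver/type 0x11, code 0x09, session 0, empty Service-Name tag
    "padi vlan 211": build_frame(BCAST, CPE, PPPOE_DISCOVERY, 211,
                                 b"\x11\x09\x00\x00\x00\x04\x01\x01\x00\x00"),
    # Session stage: code 0x00, session id 1, PPP protocol 0xc021 (LCP)
    "pppoe session vlan 311": build_frame(BRAS, CPE, PPPOE_SESSION, 311,
                                          b"\x11\x00\x00\x01\x00\x02\xc0\x21"),
    "arp vlan 211": build_frame(BCAST, CPE, 0x0806, 211, b"\x00\x01\x08\x00"),
    "ipv4 vlan 311": build_frame(BRAS, CPE, 0x0800, 311, b"\x45\x00\x00\x14"),
    "ipv4 vlan 100": build_frame(BRAS, CPE, 0x0800, 100, b"\x45\x00\x00\x14"),
    "untagged ipv4 access 211": build_frame(BRAS, CPE, 0x0800, None, b"\x45"),
}


def classify_samples() -> Dict[str, str]:
    """Untagged frames are treated as arriving on an access port in VLAN 211."""
    return {name: filter_frame(raw, 211 if name.startswith("untagged") else None)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in classify_samples().items():
        print(f"{name:26s} -> {decision}")
```

Running it shows the two PPPoE frames on 211/311 forwarded, ARP and IPv4 on those VLANs dropped (including the untagged IPv4 frame classified into VLAN 211), and IPv4 on VLAN 100 untouched because the filter is not bound to that VLAN. The same table is a useful acceptance test for whatever equivalent construct the target platform offers.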

 


7 Replies

A VLAN access-map works like a route-map: match first, then action. Your mistake is that you configured the action before the match.

Try pushing the action down and check the result.

Thanks for your feedback.

The problem is the first step:

mac access-list extended permit-pppoe
..

There is no "mac access-list" on the Nexus:

(config)# mac ?
  address-table  MAC Address Table

and the rest of the configuration seems to match...

@Christopher Hart
Could you please review this issue? The MAC access-list is missing on the Nexus 3000; does he need any license?

Christopher Hart
Cisco Employee

Hi Marco!

What specific model of Nexus 3000 are you working with here?

Thank you!

-Christopher

Hi Christopher, sorry for delay.
I have a pair of identical Nexus configured in VPC and they both have the same situation.

Here are all the details:

# sh env
Mod Model                  Power     Current    Power     Current    Status
                           Requested Requested  Allocated Allocated
                           (Watts)   (Amps)     (Watts)   (Amps)
--- ---------------------- --------- ---------- --------- ---------- ----------
1   N3K-C3064PQ-10GX       336.00    28.00      336.00    28.00      powered-up

# sh ver
Software
  BIOS: version 4.5.0
  NXOS: version 7.0(3)I7(10)
  BIOS compile time:  11/09/2017
  NXOS image file is: bootflash:///nxos.7.0.3.I7.10.bin
  NXOS compile time:  8/20/2021 6:00:00 [08/20/2021 07:16:06]

Hardware
  cisco Nexus3000 C3064PQ Chassis
  Intel(R) Celeron(R) CPU P4505 @ 1.87GHz with 3902968 kB of memory.
  Processor Board ID ...

# sh license
FEATURE LAN_BASE_SERVICES_PKG cisco 1.0 permanent uncounted \
...
FEATURE LAN_ENTERPRISE_SERVICES_PKG cisco 1.0 permanent uncounted \
...


VPC

# sh vpc
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 1
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : primary
Number of vPCs configured         : 1
Peer Gateway                      : Enabled
Dual-active excluded VLANs        : -
Graceful Consistency Check        : Enabled
Auto-recovery status              : Enabled, timer is off.(timeout = 240s)
Delay-restore status              : Timer is off.(timeout = 30s)
Delay-restore SVI status          : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router    : Disabled


Thanks!

 

 

Hi Marcos,

Unfortunately, I do not believe this model of Nexus 3000 (N3K-C3064) supports MAC access control lists at all. This explains why the CLI to configure a MAC access control list is not present on this particular switch.

The latest "Configuring Access Control Lists" chapter of the Nexus 3000 Series NX-OS Security Configuration Guide document does not show how to configure a MAC access control list at all. If a feature is outright missing from a platform's configuration guide, that usually indicates the feature is not supported on that platform.

While researching this issue, you may find a reference to the "system mode" of N3K models. Some models of Nexus 3000 (the 3172 comes to mind specifically) can operate in an "N3K" mode or an "N9K" mode. On these models, the system switch-mode n9k command is used to switch from N3K to N9K mode (although the configuration must be erased prior to reloading the switch and transitioning from N3K to N9K mode in order for a transition to be successful). On these models, the N3K mode does not support MAC access control lists, but the N9K mode does. Unfortunately, the Nexus 3064 switch does not have a "system mode" - this is exclusive to some models of Nexus 3100 series switches.

Thank you!

-Christopher

As Mr. @Christopher Hart mentioned, MAC ACLs are not supported on the Nexus 3000.

But if you secure only one end, that is not enough; i.e. secure the 3750.