MAC VACL issue on Nexus 9000

Hello,

 

We have a setup of Nexus 93180YC-EX running 7.0(3)I7(6) OS version. On one of the VLAN/VXLAN we want to limit communication between hosts.

Host should be reachable only from outside network, but inside VLAN only communication with Anycast gateway should be allowed.

To achieve that, following config was applied (MAC aaaa.bbbb.cccc in this case is distributed anycast gateway MAC):

 

mac access-list ACL-NETWORK
  10 permit aaaa.bbbb.cccc 0000.0000.0000 any   #Allow any traffic from anycast gateway
  20 permit any aaaa.bbbb.cccc 0000.0000.0000   #Allow any traffic to anycast gateway
  30 permit any ffff.ffff.ffff 0000.0000.0000   #Allow direct broadcast for ARP
  statistics per-entry
vlan access-map VACL-NETWORK 10
  match mac address ACL-NETWORK
  action forward
vlan filter VACL-NETWORK vlan-list 1695

 

This configuration works, but I've noted that if hosts still have ARP cache, or configured static ARP entries, they are able to communicate within VLAN. Issue does not depend on whether devices are connected to same switch, or the VXLAN between different LEAFs is used.

 

Am I missing something in configuration?

 

Thank you in advance,

Alex


Resolved with TAC:

 

MAC packet classification allows you to control if MAC ACL will be applied to IP and non-IP traffic or to non-IP traffic only.

When MAC packet classification is disabled, MAC ACL is applied to non-IP traffic only.

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_01011.html#task_...

 

section MAC Packet Classification.

 

In case of MAC ACL applying to the VLAN, you cannot enable MAC packet classification, which means that MAC ACL is applied only on non-IP traffic.

 

ARP is not IP, so it is intercepted and processed by MAC ACL.

 

But if hosts have static ARP or valid ARP in ARP cache, traffic that is being sent by host is IP traffic and will not be processed by MAC ACL.

 

As a workaround you can apply MAC ACL to port and enable MAC packet classification.

In this case IP traffic will also be filtered.
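The port-level workaround the TAC reply describes, written out as an added example (this is not configuration from the original thread): the same MAC ACL applied as a port ACL on the host-facing interface, with MAC packet classification enabled so that IP frames are matched too. The interface name, the VLAN assignment and the placement of the ACL on every host-facing port are assumptions for illustration.

```text
! Same MAC ACL as in the VACL: only gateway and broadcast (ARP) traffic is
! permitted; everything else, including host-to-host IP frames, hits the
! implicit deny at the end of the list.
mac access-list ACL-NETWORK
  10 permit aaaa.bbbb.cccc 0000.0000.0000 any
  20 permit any aaaa.bbbb.cccc 0000.0000.0000
  30 permit any ffff.ffff.ffff 0000.0000.0000
  statistics per-entry
!
! Assumed host-facing access port (interface name is an assumption).
interface Ethernet1/10
  switchport
  switchport access vlan 1695
  ! Classify IP frames too, so the MAC ACL is not limited to non-IP traffic.
  ! This knob is available on a port ACL but not on a VACL, which is why the
  ! VLAN filter let cached-ARP IP traffic through.
  mac packet-classify
  ! Apply the MAC ACL at ingress on the port instead of via "vlan filter".
  mac port access-group ACL-NETWORK
```

Because the filtering now happens at ingress on each leaf port, it is also enforced before frames are encapsulated into VXLAN, so the remote-leaf case behaves the same as the local one. Verify the hit counts with the per-entry statistics after a host with a static ARP entry tries to reach a neighbour: the IP frames should now increment the implicit deny rather than being forwarded.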