Configuring VXLAN ACL

Access Control Lists for VXLAN Traffic on Cisco Nexus Switches

This section describes the supported and unsupported Access Control List (ACL) scenarios for VXLAN traffic on Cisco Nexus switches.

All scenarios in the following table are explained with these host and traffic details:

  • Host-1: 10.1.1.1/24 VLAN-10

  • Host-2: 10.1.1.2/24 VLAN-10

  • Host-3: 20.1.1.1/24 VLAN-20

  • Case 1: Layer 2 traffic (L2 VNI) that flows between Host-1 and Host-2 within VLAN-10.

  • Case 2: Layer 3 traffic (L3 VNI) that flows between Host-1 on VLAN-10 and Host-3 on VLAN-20.

Table 1. ACL Options That Can Be Used for VXLAN Traffic on Cisco Nexus 9300-FX/FX2/FX3/GX/GX2/H2R/H1

Scenario | ACL Direction | ACL Type | VTEP Type    | Port Type           | Flow Direction                      | Traffic Type                  | Supported
1        | Ingress       | PACL     | Ingress VTEP | L2 port             | Access to Network (encap direction) | Native L2 traffic (inner)     | YES
2        | n/a           | VACL     | Ingress VTEP | VLAN                | Access to Network (encap direction) | Native L2 traffic (inner)     | YES
3        | Ingress       | RACL     | Ingress VTEP | Tenant L3 SVI       | Access to Network (encap direction) | Native L3 traffic (inner)     | YES
4        | Egress        | RACL     | Ingress VTEP | Uplink L3/L3-PO/SVI | Access to Network (encap direction) | VXLAN encap (outer)           | NO
5        | Ingress       | RACL     | Egress VTEP  | Uplink L3/L3-PO/SVI | Network to Access (decap direction) | VXLAN encap (outer)           | NO
6        | Egress        | PACL     | Egress VTEP  | L2 port             | Network to Access (decap direction) | Native L2 traffic (inner)     | NO
7a       | n/a           | VACL     | Egress VTEP  | VLAN                | Network to Access (decap direction) | Native L2 traffic (inner)     | YES
7b       | n/a           | VACL     | Egress VTEP  | Destination VLAN    | Network to Access (decap direction) | Native L3 traffic (inner)     | YES
8        | Egress        | RACL     | Egress VTEP  | Tenant L3 SVI       | Network to Access (decap direction) | Post-decap L3 traffic (inner) | YES

ACL Direction is not applicable (n/a) to VACLs: a VLAN access map applies to all traffic in the VLAN regardless of direction. "inner" and "outer" indicate whether the ACL has to classify on the tenant (inner) header or on the VXLAN encapsulation (outer) header.

On the encapsulation switch, ACL handling for VXLAN traffic is the same as for regular IP traffic, because host traffic arriving from the access side has not yet been encapsulated. On the decapsulation switch the handling differs somewhat: the ACL classification is based on the inner payload after decapsulation, so an ACL has to sit where it sees that inner header (the VLAN or the tenant SVI); RACLs on the uplinks, which carry only VXLAN-encapsulated packets, are not supported in either direction. The supported ACL scenarios for VXLAN are explained in the following topics, and the unsupported cases are covered for both the encapsulation and the decapsulation switch.

Figure 1. Port ACL on VXLAN Encap Switch

Guidelines and Limitations for VXLAN ACLs

This section describes the guidelines and limitations for VXLAN ACLs.

VXLAN ACLs have the following guidelines and limitations:

  • A router ACL (RACL) on the SVI of the incoming VLAN-10 or on the uplink port (eth1/2) cannot filter VXLAN-encapsulated traffic, on either the outer or the inner header, in the egress direction. This limitation also applies to Layer 3 port-channel uplink interfaces.

  • A router ACL (RACL) on an SVI or on a Layer 3 uplink port cannot filter VXLAN-encapsulated traffic, on either the outer or the inner header, in the ingress direction. This limitation also applies to Layer 3 port-channel uplink interfaces.

  • A port ACL (PACL) cannot be applied in the egress direction on the Layer 2 port to which a host is connected: Cisco NX-OS supports PACLs only in the ingress direction.

  • Beginning with Cisco NX-OS Release 10.6(2)F, PACL on Service VRF interfaces is supported.

VXLAN Tunnel Encapsulation Switch

Configure the Port ACL on the Access Port on Ingress

A port ACL (PACL) can be applied in the ingress direction on the Layer 2 trunk or access port that a host connects to on the encapsulating switch. Because the incoming access-to-network traffic is ordinary IP traffic that has not yet been encapsulated, the PACL filters it exactly as it would in a non-VXLAN environment.

The ing-ifacl TCAM region, which holds port ACLs, must be carved as follows. A TCAM region change takes effect only after the configuration is saved and the switch is reloaded, and the requested size must fit within the free TCAM space shown by show hardware access-list tcam region.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

Configure the global TCAM region and create the IPv4 access list.

  1. Use the hardware access-list tcam region ing-ifacl size command to allocate TCAM entries to the ing-ifacl region, which holds IPv4 and IPv6 port ACLs.

    Example:

    switch(config)# hardware access-list tcam region ing-ifacl 256

    Allocates 256 entries to the ing-ifacl TCAM region. Save the configuration and reload the switch for the new region size to take effect.

  2. Use the ip access-list name command to create an IPv4 ACL and enter IP ACL configuration mode.

    Example:

    switch(config)# ip access-list PACL_On_Host_Port

    Creates an IPv4 ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.

  3. Use the sequence-number {permit | deny} ip source-address destination-address command to create an ACL rule that permits or denies IPv4 traffic matching its condition.

    Example:

    switch(config-acl)# 10 permit ip 10.1.1.1/32 10.1.1.2/32

    Creates an ACL rule that permits IPv4 traffic from Host-1 to Host-2. Every ACL ends with an implicit deny, so any IP traffic that no rule permits is dropped.

    The source-address and destination-address arguments can be an IP address with a network wildcard, an IP address with a variable-length subnet mask, a host address (host address), or any to designate any address.

Step 3

Use the exit command to exit IP ACL configuration mode.

Example:

switch(config-acl)# exit 

Exits IP ACL configuration mode.

Step 4

Use the interface ethernet slot/port command to enter interface configuration mode.

Example:

switch(config)# interface ethernet1/1

Enters interface configuration mode.

Step 5

Configure the interface as a Layer 2 trunk and apply the port ACL.

  1. Use the switchport command to configure the interface as a Layer 2 interface.

    Example:

    switch(config-if)# switchport

    Configures the interface as a Layer 2 interface. The interface must be a Layer 2 port before a port ACL can be applied to it.

  2. Use the switchport mode trunk command to configure the interface as a Layer 2 trunk port.

    Example:

    switch(config-if)# switchport mode trunk

    Configures the interface as a Layer 2 trunk port.

  3. Use the switchport trunk allowed vlan vlan-list command to set the allowed VLANs for the trunk interface.

    Example:

    switch(config-if)# switchport trunk allowed vlan 10,20

    Sets the allowed VLANs for the trunk interface. The default is to allow all VLANs on the trunk interface, 1 through 3967 and 4048 through 4094. VLANs 3968 through 4047 are the default VLANs reserved for internal use.

  4. Use the ip port access-group pacl-name in command to apply a Layer 2 PACL to the interface.

    Example:

    switch(config-if)# ip port access-group PACL_On_Host_Port in

    Applies a Layer 2 PACL to the interface. Only inbound filtering is supported with port ACLs, and you can apply one port ACL per interface. On a trunk port the PACL filters traffic arriving on all allowed VLANs.

Step 6

Use the no shutdown command to enable the interface.

Example:

switch(config-if)# no shutdown

Negates the shutdown command.


Configure the VLAN ACL on the Server VLAN

A VLAN ACL (VACL) can be applied to VLAN-10, the VLAN that the host is connected to on the encap switch. Because the incoming access-to-network traffic is normal IP traffic, the VACL applied to VLAN-10 filters it as it does for any IP traffic in a non-VXLAN environment. A VACL is not directional: the access map is evaluated for all traffic bridged or routed in the VLAN, so the ACL rules must account for both directions of a flow. For more information on VACLs, see Access Control Lists for VXLAN Traffic on Cisco Nexus Switches.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

Use the ip access-list name command to create an IPv4 ACL and enter IP ACL configuration mode.

Example:

switch(config)# ip access-list Vacl_On_Source_VLAN

The name argument can be up to 64 characters.

Step 3

Use the sequence-number {permit | deny} ip source-address destination-address command to create an ACL rule that permits or denies IPv4 traffic matching its condition.

Example:

switch(config-acl)# 10 permit ip 10.1.1.1/32 10.1.1.2/32

The source-address and destination-address arguments can be an IP address with a network wildcard, an IP address with a variable-length subnet mask, a host address (host address), or any to designate any address.

Step 4

Use the exit command to return to global configuration mode, then use the vlan access-map map-name [sequence-number] command to enter VLAN access-map configuration mode for the specified VLAN access map.

Example:

switch(config-acl)# exit
switch(config)# vlan access-map Vacl_On_Source_VLAN 10

If the VLAN access map does not exist, the device creates it. The access map and the ACL are separate objects, so they can share a name.

If you do not specify a sequence number, the device creates a new entry whose sequence number is 10 greater than the last sequence number in the access map.

Step 5

Use the match ip address ip-access-list command to specify the ACL that the access-map entry matches on.

Example:

switch(config-access-map)# match ip address Vacl_On_Source_VLAN

Specifies an ACL for the access-map entry. The name must be entered exactly as the ACL was created.

Step 6

Use the action forward command to specify the action that the device applies to traffic that matches the ACL.

Example:

switch(config-access-map)# action forward

Specifies the action that the device applies to traffic that matches the ACL. The other available actions are drop and redirect.

Step 7

Use the vlan filter map-name vlan-list vlan-list command to apply the VLAN access map to VLAN-10. Until the map is applied with vlan filter, it has no effect on traffic.

Example:

switch(config-access-map)# exit
switch(config)# vlan filter Vacl_On_Source_VLAN vlan-list 10

Applies the VLAN access map to VLAN-10.


Configure the Routed ACL on an SVI on Ingress

A router ACL (RACL) in the ingress direction can be applied on the SVI of the incoming VLAN-10 that the host connects to on the encapsulating switch. Because the incoming access-to-network traffic is normal IP traffic, the RACL applied on SVI 10 filters it as it does for any IP traffic in a non-VXLAN environment. A RACL on an SVI is evaluated only for traffic that is routed through the SVI: the Host-1 to Host-3 flow (Case 2) is filtered, while Host-1 to Host-2 traffic bridged within VLAN-10 (Case 1) is not and must be filtered with a PACL or a VACL instead.

The ing-racl TCAM region, which holds ingress router ACLs, must be carved as follows. A TCAM region change takes effect only after the configuration is saved and the switch is reloaded.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

Use the hardware access-list tcam region ing-racl size command to allocate TCAM entries to the ing-racl region, which holds IPv4 and IPv6 ingress router ACLs.

Example:

switch(config)# hardware access-list tcam region ing-racl 256

Allocates 256 entries to the ing-racl TCAM region. Save the configuration and reload the switch for the new region size to take effect.

Step 3

Configure the IPv4 access list.

  1. Use the ip access-list name command to create an IPv4 ACL and enter IP ACL configuration mode.

    Example:

    switch(config)# ip access-list Racl_On_Source_Vlan_SVI

    Creates an IPv4 ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.

  2. Use the sequence-number {permit | deny} ip source-address destination-address command to create an ACL rule that permits or denies IPv4 traffic matching its condition.

    Example:

    switch(config-acl)# 10 permit ip 10.1.1.1/32 20.1.1.1/32

    Creates an ACL rule that permits the routed traffic from Host-1 to Host-3. Any other routed IP traffic entering SVI 10 is dropped by the implicit deny at the end of the ACL.

    The source-address and destination-address arguments can be an IP address with a network wildcard, an IP address with a variable-length subnet mask, a host address (host address), or any to designate any address.

  3. Use the exit command to exit IP ACL configuration mode.

    Example:

    switch(config-acl)# exit

    Exits IP ACL configuration mode.

Step 4

Use the interface vlan vlan-id command to enter interface configuration mode for the SVI of the host VLAN.

Example:

switch(config)# interface vlan 10

Enters interface configuration mode for the SVI of VLAN-10.

Step 5

Configure the SVI for the host.

  1. Use the vrf member vrf-name command to place the SVI in the tenant VRF. Configure the VRF membership before the IP address, because changing the VRF membership removes the Layer 3 configuration of the interface.

    Example:

    switch(config-if)# vrf member Cust-A

    Places the SVI in the tenant VRF Cust-A.

  2. Use the no ip redirects command to prevent the device from sending ICMP redirects.

    Example:

    switch(config-if)# no ip redirects

    Prevents the device from sending ICMP redirects, as required on an anycast gateway SVI.

  3. Use the ip address ip-address/length command to configure an IP address for this interface.

    Example:

    switch(config-if)# ip address 10.1.1.10/24

    Configures the anycast gateway IP address for VLAN-10.

  4. Use the no ipv6 redirects command to prevent the device from sending ICMPv6 redirects.

    Example:

    switch(config-if)# no ipv6 redirects

    Prevents the device from sending ICMPv6 redirects.

  5. Use the fabric forwarding mode anycast-gateway command to configure anycast gateway forwarding mode.

    Example:

    switch(config-if)# fabric forwarding mode anycast-gateway

    Configures anycast gateway forwarding mode on the SVI.

Step 6

Use the ip access-group racl-name in command to apply the router ACL to the SVI in the inbound direction.

Example:

switch(config-if)# ip access-group Racl_On_Source_Vlan_SVI in

Applies the IPv4 router ACL to the Layer 3 interface for inbound traffic. You can apply one router ACL per direction.

Step 7

Use the no shutdown command to enable the interface.

Example:

switch(config-if)# no shutdown

Negates the shutdown command.
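The three encapsulation-switch procedures above (PACL on the host port, VACL on the source VLAN, ingress RACL on the tenant SVI) collected into one running-config style example for the encap VTEP. This is an added example, not configuration from the original page: the interface Ethernet1/1, the VRF Cust-A, the anycast gateway address 10.1.1.10/24 and the TCAM sizes are carried over from the procedures as assumptions, the second PACL rule permitting the routed Host-1 to Host-3 flow and the reverse-direction VACL rule are additions, and the fabric itself (VLAN-to-VNI mapping, the VRF, the anycast gateway MAC) is assumed to be configured already.

```text
! Encap VTEP: the switch that Host-1 (10.1.1.1, VLAN 10) attaches to.
! TCAM carving. The sizes are assumptions; they must fit the free TCAM
! space and take effect only after "copy running-config startup-config"
! and a reload.
hardware access-list tcam region ing-ifacl 256
hardware access-list tcam region ing-racl 256
hardware access-list tcam region vacl 256

! Scenario 1: ingress PACL on the host-facing Layer 2 port.
! Sees all traffic from Host-1, bridged and routed, before encapsulation.
ip access-list PACL_On_Host_Port
  statistics per-entry
  10 permit ip 10.1.1.1/32 10.1.1.2/32
  20 permit ip 10.1.1.1/32 20.1.1.1/32
  ! implicit deny ip any any drops everything else from this port
interface Ethernet1/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  ip port access-group PACL_On_Host_Port in
  no shutdown

! Scenario 2: VACL on the source VLAN. Not directional, so both
! directions of the Host-1 <-> Host-2 flow are listed explicitly.
ip access-list Vacl_On_Source_VLAN
  statistics per-entry
  10 permit ip 10.1.1.1/32 10.1.1.2/32
  20 permit ip 10.1.1.2/32 10.1.1.1/32
vlan access-map Vacl_On_Source_VLAN 10
  match ip address Vacl_On_Source_VLAN
  action forward
! Without this binding the access map filters nothing.
vlan filter Vacl_On_Source_VLAN vlan-list 10

! Scenario 3: ingress RACL on the tenant SVI. Evaluated only for traffic
! routed through the SVI, i.e. the Host-1 -> Host-3 flow, never for
! Host-1 -> Host-2 which is bridged inside VLAN 10.
ip access-list Racl_On_Source_Vlan_SVI
  statistics per-entry
  10 permit ip 10.1.1.1/32 20.1.1.1/32
interface Vlan10
  vrf member Cust-A
  no ip redirects
  ip address 10.1.1.10/24
  no ipv6 redirects
  fabric forwarding mode anycast-gateway
  ip access-group Racl_On_Source_Vlan_SVI in
  no shutdown

! Verification (exec mode)
show hardware access-list tcam region
show ip access-lists PACL_On_Host_Port
show ip access-lists Racl_On_Source_Vlan_SVI
show vlan access-map
show vlan filter
show running-config aclmgr
```

The show commands verify each layer: show hardware access-list tcam region confirms the carving after the reload, show vlan filter confirms that the access map is bound to VLAN 10, and the per-entry counters in show ip access-lists show which rule each flow is hitting, which is the quickest way to discover that a rule was placed on an ACL that never sees the traffic (for example a bridged flow expected to hit the RACL).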


Routed ACL on the Uplink on Egress

This section describes the limitation on applying a routed ACL (RACL) in the egress direction on the uplink of the encapsulating switch.

A routed ACL (RACL) on the SVI of the incoming VLAN-10 or on the uplink port (eth1/2) cannot filter VXLAN-encapsulated traffic, on either the outer or the inner header, in the egress direction (scenario 4 in Table 1).

  • This limitation also applies to Layer 3 port-channel uplink interfaces.

VXLAN Tunnel Decapsulation Switch

Routed ACL on the Uplink on Ingress

This section describes the limitation on applying a routed ACL (RACL) on an SVI or on a Layer 3 uplink port in the ingress direction on the decapsulating switch.

  • A RACL on an SVI or on a Layer 3 uplink port cannot filter VXLAN-encapsulated traffic, on either the outer or the inner header, in the ingress direction (scenario 5 in Table 1).

  • This limitation also applies to Layer 3 port-channel uplink interfaces.

Port ACL on the Access Port on Egress

This section describes the support for port ACLs (PACLs) on access ports in the egress direction.

Port ACLs (PACLs) are not supported in the egress direction on Layer 2 access ports on Cisco Nexus 9000 Series switches (scenario 6 in Table 1).

  • Do not apply a PACL in the egress direction on the Layer 2 port to which a host is connected; an ingress PACL on that port is supported (scenario 1).

  • Cisco Nexus 9000 Series switches do not support a PACL in the egress direction. To filter decapsulated traffic toward the host, use a VACL on the destination VLAN or an egress RACL on the tenant SVI instead.

Configure the VLAN ACL for the Layer 2 VNI Traffic

A VLAN ACL (VACL) can be applied on VLAN-10 of the decapsulating switch to filter on the inner header when Layer 2 VNI traffic flows from Host-1 to Host-2. Because the VACL is evaluated after decapsulation, its rules match the tenant addresses of the inner packet, not the VTEP addresses of the VXLAN encapsulation. For more information on VACLs, see Access Control Lists for VXLAN Traffic on Cisco Nexus Switches.

The vacl TCAM region must be carved as follows. A TCAM region change takes effect only after the configuration is saved and the switch is reloaded.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

Use the hardware access-list tcam region vacl 256 command to change the ACL TCAM region size.

Example:

switch(config)# hardware access-list tcam region vacl 256

Changes the ACL TCAM region size.

Step 3

Configure the IPv4 ACL and rules.

  1. Use the ip access-list name command to create an IPv4 ACL and enter IP ACL configuration mode.

    Example:

    switch(config)# ip access-list VXLAN-L2-VNI

    Creates an IPv4 ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.

  2. Use the statistics per-entry command to have the device maintain per-entry hit counters for packets that match the rules in the ACL.

    Example:

    switch(config-acl)# statistics per-entry

    Maintains a hit counter for each rule in the ACL, which show ip access-lists displays; this is the quickest way to confirm that the VACL is classifying the decapsulated traffic.

  3. Use the sequence-number permit ip source-address destination-address command to create an ACL rule that permits or denies IPv4 traffic matching its condition.

    Example:

    switch(config-acl)# 10 permit ip 10.1.1.1/32 10.1.1.2/32

    Creates an ACL rule that permits or denies IPv4 traffic matching its condition.

    The source-address destination-address arguments can be the IP address with a network wildcard, the IP address and variable-length subnet mask, the host address, and any to designate any address.

  4. Use the sequence-number permit protocol source-address destination-address command to create an ACL rule that permits or denies IPv4 traffic matching its condition.

    Example:

    switch(config-acl)# 20 permit tcp 10.1.1.2/32 10.1.1.1/32

    Creates an ACL rule that permits or denies IPv4 traffic matching its condition.

    The source-address destination-address arguments can be the IP address with a network wildcard, the IP address and variable-length subnet mask, the host address, and any to designate any address.

  5. Use the exit command to exit ACL configuration mode.

    Example:

    switch(config-acl)# exit

    Exit ACL configuration mode.

Step 4

Use the vlan access-map map-name [sequence-number] command to enter VLAN access-map configuration mode for the specified VLAN access map.

Example:

switch(config)# vlan access-map VXLAN-L2-VNI 10

Enters VLAN access-map configuration mode for the VLAN access map specified. If the VLAN access map does not exist, the device creates it.

If you do not specify a sequence number, the device creates a new entry whose sequence number is 10 greater than the last sequence number in the access map.

Step 5

Use the match ip address ip-access-list command to specify the ACL that the access-map entry matches on.

Example:

switch(config-access-map)# match ip address VXLAN-L2-VNI

Specifies the ACL for the access-map entry. To complete the VACL, set the action for the entry with action forward and apply the access map to VLAN-10 with the vlan filter command, as in the procedure Configure the VLAN ACL on the Server VLAN.


Configure the VLAN ACL for the Layer 3 VNI Traffic

A VLAN ACL (VACL) can be applied on the destination VLAN-20 to filter on the inner header when Layer 3 VNI traffic flows from Host-1 to Host-3. This differs slightly from the previous case: the VACL for Layer 3 traffic is accounted on egress of the system, so the output keyword must be used when dumping the VACL entries for the Layer 3 VNI traffic. For more information on VACLs, see Access Control Lists for VXLAN Traffic on Cisco Nexus Switches.

The vacl TCAM region must be carved as follows. A TCAM region change takes effect only after the configuration is saved and the switch is reloaded.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

Configure the VACL TCAM region size.

  1. Use the hardware access-list tcam region vacl 256 command to change the ACL TCAM region size.

    Example:

    switch(config)# hardware access-list tcam region vacl 256

    Changes the ACL TCAM region size.

Step 3

Configure the IPv4 ACL and rules for the VACL.

  1. Use the ip access-list name command to create an IPv4 ACL and enter IP ACL configuration mode.

    Example:

    switch(config)# ip access-list VXLAN-L3-VNI

    Creates an IPv4 ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.

  2. Use the statistics per-entry command to have the device maintain per-entry hit counters for packets that match the rules in the ACL.

    Example:

    switch(config-acl)# statistics per-entry

    Maintains a hit counter for each rule in the ACL.

  3. Use the sequence-number permit ip source-address destination-address command to create an ACL rule that permits or denies IPv4 traffic matching its condition.

    Example:

    switch(config-acl)# 10 permit ip 10.1.1.1/32 20.1.1.1/32

    Creates an ACL rule that permits or denies IPv4 traffic matching its condition.

    The source-address destination-address arguments can be the IP address with a network wildcard, the IP address and variable-length subnet mask, the host address, and any to designate any address.

  4. Use the sequence-number {permit | deny} protocol source-address destination-address command to create an ACL rule for a specific protocol, here the TCP return traffic from Host-3 to Host-1.

    Example:

    switch(config-acl)# 20 permit tcp 20.1.1.1/32 10.1.1.1/32

    Creates an ACL rule that permits TCP traffic from Host-3 to Host-1. Because the VACL is not directional, both directions of the flow through VLAN-20 must be covered by the rules.

Step 4

Configure the VLAN access map and action.

  1. Use the vlan access-map map-name [sequence-number] command to enter VLAN access-map configuration mode for the VLAN access map specified.

    Example:

    switch(config-acl)# vlan access-map VXLAN-L3-VNI 10

    Enters VLAN access-map configuration mode for the VLAN access map specified. If the VLAN access map does not exist, the device creates it.

    If you do not specify a sequence number, the device creates a new entry whose sequence number is 10 greater than the last sequence number in the access map.

  2. Use the match ip address ip-access-list command to specify the ACL that the access-map entry matches on.

    Example:

    switch(config-access-map)# match ip address VXLAN-L3-VNI

    Specifies the ACL for the access-map entry.

  3. Use the action forward command to specify the action that the device applies to traffic that matches the ACL.

    Example:

    switch(config-access-map)# action forward

    Specifies the action that the device applies to traffic that matches the ACL. The access map then has to be applied to VLAN-20 with the vlan filter command, as in the procedure Configure the VLAN ACL on the Server VLAN.


Configure the Routed ACL on an SVI on Egress

A router ACL (RACL) in the egress direction can be applied on the SVI of the destination VLAN-20, to which Host-3 is connected on the decap switch, to filter on the inner header of network-to-access traffic; after decapsulation this is normal routed IP traffic. The RACL applied on SVI 20 filters it as it does for any IP traffic in a non-VXLAN environment. For more information on ACLs, see Access Control Lists for VXLAN Traffic on Cisco Nexus Switches.

The egr-racl TCAM region, which holds egress router ACLs, must be carved as follows. A TCAM region change takes effect only after the configuration is saved and the switch is reloaded.

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

Use the hardware access-list tcam region egr-racl 256 command to change the ACL TCAM region size.

Example:

switch(config)# hardware access-list tcam region egr-racl 256

Changes the ACL TCAM region size.

Step 3

Configure the routed ACL.

  1. Use the ip access-list name command to create an IPv4 ACL and enter IP ACL configuration mode.

    Example:

    switch(config)# ip access-list Racl_On_Destination_Vlan_SVI

    Creates an IPv4 ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.

  2. Use the sequence-number {permit | deny} ip source-address destination-address command to create an ACL rule that permits or denies IPv4 traffic matching its condition.

    Example:

    switch(config-acl)# 10 permit ip 10.1.1.1/32 20.1.1.1/32

    Creates an ACL rule that permits the decapsulated, routed traffic from Host-1 to Host-3 leaving SVI 20 toward the host. Any other routed IP traffic leaving SVI 20 is dropped by the implicit deny at the end of the ACL.

    The source-address and destination-address arguments can be an IP address with a network wildcard, an IP address with a variable-length subnet mask, a host address (host address), or any to designate any address.

  3. Use the exit command to exit IP ACL configuration mode.

    Example:

    switch(config-acl)# exit

    Exits IP ACL configuration mode.

Step 4

Configure the SVI for the destination VLAN and apply the routed ACL to it.

  1. Use the interface vlan vlan-id command to enter interface configuration mode for the SVI of the destination VLAN.

    Example:

    switch(config)# interface vlan 20

    Enters interface configuration mode for the SVI of VLAN-20.

  2. Use the vrf member vrf-name command to place the SVI in the tenant VRF. Configure the VRF membership before the IP address and the ACL, because changing the VRF membership removes the Layer 3 configuration of the interface.

    Example:

    switch(config-if)# vrf member Cust-A

    Places the SVI in the tenant VRF Cust-A.

  3. Use the no ip redirects command to prevent the device from sending ICMP redirects.

    Example:

    switch(config-if)# no ip redirects

    Prevents the device from sending ICMP redirects, as required on an anycast gateway SVI.

  4. Use the ip address ip-address/length command to configure an IP address for the interface.

    Example:

    switch(config-if)# ip address 20.1.1.10/24

    Configures the anycast gateway IP address for VLAN-20.

  5. Use the no ipv6 redirects command to prevent the device from sending ICMPv6 redirects.

    Example:

    switch(config-if)# no ipv6 redirects

    Prevents the device from sending ICMPv6 redirects.

  6. Use the fabric forwarding mode anycast-gateway command to configure anycast gateway forwarding mode.

    Example:

    switch(config-if)# fabric forwarding mode anycast-gateway

    Configures anycast gateway forwarding mode on the SVI.

  7. Use the ip access-group racl-name out command to apply the routed ACL to the SVI in the outbound direction.

    Example:

    switch(config-if)# ip access-group Racl_On_Destination_Vlan_SVI out

    Applies the IPv4 router ACL to the Layer 3 interface for traffic flowing in the outbound direction. You can apply one router ACL per direction; the name must match the ACL created in Step 3 exactly.

  8. Use the no shutdown command to enable the interface.

    Example:

    switch(config-if)# no shutdown

    Negates the shutdown command.
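The three decapsulation-switch procedures (VACL on VLAN-10 for the Layer 2 VNI flow, VACL on the destination VLAN-20 for the Layer 3 VNI flow, egress RACL on the SVI of VLAN-20) collected into one running-config style example for the decap VTEP, including the match and vlan filter steps that bind each access map to its VLAN. This is an added example, not configuration from the original page: the VRF Cust-A, the anycast gateway address 20.1.1.10/24, the TCAM sizes and the underlying VXLAN fabric configuration are assumptions carried over from the procedures, and the show system internal access-list commands at the end are the VACL entry dumps that the Layer 3 VNI section refers to with the output keyword.

```text
! Decap VTEP: the switch that Host-2 (10.1.1.2, VLAN 10) and
! Host-3 (20.1.1.1, VLAN 20) attach to. Every rule below classifies on
! tenant addresses, i.e. on the inner header after decapsulation, which
! is why these ACLs live on the VLAN or the tenant SVI and not on the
! uplink that carries the VXLAN-encapsulated packet.
hardware access-list tcam region vacl 256
hardware access-list tcam region egr-racl 256

! Scenario 7a: VACL on VLAN 10 for the Layer 2 VNI flow Host-1 <-> Host-2.
ip access-list VXLAN-L2-VNI
  statistics per-entry
  10 permit ip 10.1.1.1/32 10.1.1.2/32
  20 permit tcp 10.1.1.2/32 10.1.1.1/32
vlan access-map VXLAN-L2-VNI 10
  match ip address VXLAN-L2-VNI
  action forward
vlan filter VXLAN-L2-VNI vlan-list 10

! Scenario 7b: VACL on the destination VLAN 20 for the Layer 3 VNI flow
! Host-1 <-> Host-3. Accounted on egress, hence the "output" dump below.
ip access-list VXLAN-L3-VNI
  statistics per-entry
  10 permit ip 10.1.1.1/32 20.1.1.1/32
  20 permit tcp 20.1.1.1/32 10.1.1.1/32
vlan access-map VXLAN-L3-VNI 10
  match ip address VXLAN-L3-VNI
  action forward
vlan filter VXLAN-L3-VNI vlan-list 20

! Scenario 8: egress RACL on the tenant SVI of VLAN 20. Sees the
! post-decapsulation routed traffic leaving the SVI toward Host-3.
ip access-list Racl_On_Destination_Vlan_SVI
  statistics per-entry
  10 permit ip 10.1.1.1/32 20.1.1.1/32
interface Vlan20
  vrf member Cust-A
  no ip redirects
  ip address 20.1.1.10/24
  no ipv6 redirects
  fabric forwarding mode anycast-gateway
  ip access-group Racl_On_Destination_Vlan_SVI out
  no shutdown

! Verification (exec mode)
show hardware access-list tcam region
show vlan filter
show vlan access-map
show ip access-lists VXLAN-L2-VNI
show ip access-lists VXLAN-L3-VNI
show ip access-lists Racl_On_Destination_Vlan_SVI
show system internal access-list vlan 10 input entries detail
show system internal access-list vlan 20 output entries detail
```

Compare the hit counters from show ip access-lists with the vlan 10 input dump and the vlan 20 output dump to confirm where each VACL is programmed; the Layer 3 VNI VACL only appears under the output keyword. The uplink RACL positions (scenarios 4 and 5 in Table 1) are unsupported for VXLAN traffic, so if a rule on tenant addresses is needed for traffic arriving from the fabric, this VLAN or SVI placement is the only one that will be evaluated against the decapsulated packet.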