ARP ACL Configuration
Topology
Figure 9-17: ARP ACL configuration with MC LAG
TOR1
TOR1(config)#bridge 1 protocol provider-rstp edge | Create provider rstp bridge |
TOR1(config)#vlan 2-3990 type customer bridge 1 state enable | Enable customer vlan for bridge |
TOR1(config)#vlan 2-3990 type service point-point bridge 1 state enable | Enable service vlan for bridge |
TOR1(config)#cvlan registration table map1 bridge 1 | Create registration table |
TOR1(config-cvlan-registration)#cvlan 2-3990 svlan 3990 | Map cvlan to svlan |
TOR1(config-cvlan-registration)#exit | Exit the cvlan registration table mode |
TOR1(config-if)#interface mlag1 | Enter mlag interface |
TOR1(config-if)#switchport | Configure interface as switchport |
TOR1(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
TOR1(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer-edge hybrid |
TOR1(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer-edge hybrid and allow vlan all |
TOR1(config-if)#switchport customer-edge vlan registration map1 | Configure the registration table mapping on mlag interface |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config)#interface mlag2 | Enter mlag interface |
TOR1(config-if)#switchport | Configure interface as switchport |
TOR1(config-if)#bridge-group 1 | Associate the interface with bridge group 1 |
TOR1(config-if)#switchport mode provider- network | Set the switching characteristics of this interface to provider network |
TOR1(config-if)#switchport provider-network allowed vlan all | Set the switching characteristics of this interface to provider network and allow all vlan |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config)#interface po1 | Enter dynamic lag interface |
TOR1(config-if)#switchport | Configure interface as switchport |
TOR1(config-if)#mlag 1 | Enable mlag group number |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config-if)#interface po2 | Enter dynamic lag interface |
TOR1(config-if)#switchport | Configure interface as switchport |
TOR1(config-if)#mlag 2 | Enable mlag group number |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config)#interface po3 | Enter dynamic lag interface |
TOR1(config-if)#switchport | Configure interface as switchport |
TOR1(config-if)#bridge-group 1 | Associate the interface with bridge group 1 |
TOR1(config-if)#switchport mode provider-network | Set the switching characteristics of this interface to provider network |
TOR1(config-if)#switchport provider-network allowed vlan all | Set the switching characteristics of this interface to provider network and allow all vlan |
TOR1(config)#interface xe2 | Enter interface mode |
TOR1(config-if)#channel-group 3 mode active | Make part of channel group 3 |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config)#interface xe3 | Enter interface mode |
TOR1(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config-if)#interface xe49/1 | Enter interface mode |
TOR1(config-if)#channel-group 2 mode active | Enable channel-group 2 |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config)#mcec domain configuration | Enter MCEC mode |
TOR1(config-mcec-domain)#domain-address 2222.3333.4444 | Domain address for the mlag domain |
TOR1(config-mcec-domain)#domain-system-number 1 | Number to identify the node in a domain |
TOR1(config-mcec-domain)#intra-domain-link po3 | Intra domain line between mlag domain |
TOR1(config)#hardware-profile filter ingress-arp enable | Enable globally hardware profile for arp |
TOR1(config)#arp access-list cep | Create access list with name as cep |
TOR1(config-arp-acl)#30 permit request ip any mac host 0000.2A6C.668D vlan 3990 inner-vlan 2 | Create permit rule for particular arp request |
TOR1(config-arp-acl)#40 permit response ip any any mac host 0000.2A6C.668D host 0000.2A6C.7202 vlan 3990 inner-vlan 2 | Create permit rule for particular arp response |
TOR1(config)#arp access-list pnp | Create access list with name as pnp |
TOR1(config-arp-acl)#20 permit request ip any mac host 0000.2A6C.7202 vlan 3990 inner-vlan 2 | Create permit rule for particular arp request |
TOR1(config-arp-acl)#30 permit response ip any any mac host 0000.2A6C.7202 host 0000.2A6C.668D vlan 3990 inner-vlan 2 | Create permit rule for particular arp response |
TOR1(config-if)#interface mlag1 | Enter mlag1 interface |
TOR1(config-if)#arp access-group cep in | Attach rule with access-group cep |
TOR1(config-if)#interface mlag2 | Enter mlag2 interface |
TOR1(config-if)#arp access-group pnp in | Attach rule with access-group pnp |
TOR2
TOR2(config)#bridge 1 protocol provider-rstp edge | Create provider rstp bridge |
TOR2(config)#vlan 2-3990 type customer bridge 1 state enable | Enable customer vlan for bridge |
TOR2(config)#vlan 2-3990 type service point-point bridge 1 state enable | Enable service vlan for bridge |
TOR2(config)#cvlan registration table map1 bridge 1 | Create registration table |
TOR2(config-cvlan-registration)#cvlan 2-3990 svlan 3990 | Map cvlan to svlan |
TOR2(config-cvlan-registration)#exit | Exit the cvlan registration table mode |
TOR2(config)#interface mlag1 | Enter mlag interface |
TOR2(config-if)#switchport | Configure interface as switchport |
TOR2(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
TOR2(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer-edge hybrid |
TOR2(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer-edge hybrid and allow vlan all |
TOR2(config-if)#switchport customer-edge vlan registration map1 | Configure the registration table mapping on mlag interface |
TOR2(config-if)#exit | Exit the interface mode |
TOR2(config)#interface mlag2 | Enter mlag interface |
TOR2(config-if)#switchport | Configure interface as switchport |
TOR2(config-if)#bridge-group 1 | Associate the interface with bridge group 1 |
TOR2(config-if)#switchport mode provider- network | Set the switching characteristics of this interface to provider network |
TOR2(config-if)#switchport provider-network allowed vlan all | Set the switching characteristics of this interface to provider network and allow all vlan |
TOR2(config-if)#exit | Exit the interface mode |
TOR2(config)#interface po1 | Enter dynamic lag interface |
TOR2(config-if)#switchport | Configure interface as switchport |
TOR2(config-if)#mlag 1 | Enable mlag group number |
TOR2(config-if)#exit | Exit the interface mode |
TOR2(config)#interface po2 | Enter dynamic lag interface |
TOR2(config-if)#switchport | Configure interface as switchport |
TOR2(config-if)#mlag 2 | Enable mlag group number |
TOR2(config-if)#exit | Exit the interface mode |
TOR2(config)#interface po3 | Enter dynamic lag interface |
TOR2(config-if)#switchport | Configure interface as switchport |
TOR2(config-if)#bridge-group 1 | Associate the interface with bridge group 1 |
TOR2(config-if)#switchport mode provider-network | Set the switching characteristics of this interface to provider network |
TOR2(config-if)#switchport provider-network allowed vlan all | Set the switching characteristics of this interface to provider network and allow all vlan |
TOR2(config-if)#exit | Exit the interface mode |
TOR2(config)#interface xe2 | Enter interface mode |
TOR2(config-if)#channel-group 3 mode active | Make part of channel group 3 |
TOR2(config-if)#interface xe3 | Enter interface mode |
TOR2(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system |
TOR2(config-if)#exit | Exit the interface mode |
TOR2(config)#Interface xe49/1 | Enter interface mode |
TOR2(config-if)#channel-group 2 mode active | Enable channel-group 2 |
TOR2(config)#mcec domain configuration | Configure mcec domain information |
TOR2(config-mcec-domain)#domain-address 2222.3333.4444 | Domain address for the mlag domain |
TOR2(config-mcec-domain)#domain-system-number 2 | Number to identify the node in a domain |
TOR2(config-mcec-domain)#intra-domain-link po3 | Intra domain line between mlag domain |
TOR2(config)#hardware-profile filter ingress-arp enable | Enable globally hardware profile for arp |
TOR2(config)#arp access-list cep | Create access list with name as cep |
TOR2(config-arp-acl)#30 permit request ip any mac host 0000.2A6C.668D vlan 3990 inner-vlan 2 | Create permit rule for particular arp request |
TOR2(config-arp-acl)#40 permit response ip any any mac host 0000.2A6C.668D host 0000.2A6C.7202 vlan 3990 inner-vlan 2 | Create permit rule for particular arp response |
TOR2(config)#arp access-list pnp | Create access list with name as pnp |
TOR2(config-arp-acl)#20 permit request ip any mac host 0000.2A6C.7202 vlan 3990 inner-vlan 2 | Create permit rule for particular arp request |
TOR2(config-arp-acl)#30 permit response ip any any mac host 0000.2A6C.7202 host 0000.2A6C.668D vlan 3990 inner-vlan 2 | Create permit rule for particular arp response |
TOR2(config-if)#interface mlag1 | Enter mlag1 interface |
TOR2(config-if)#arp access-group cep in | Attach rule with access-group cep |
TOR2(config-if)#interface mlag2 | Enter mlag2 interface |
TOR2(config-if)#arp access-group pnp in | Attach rule with access-group pnp |
SW1
SW1(config)#bridge 1 protocol rstp vlan-bridge | Configure the rstp vlan bridge |
SW1(config)#vlan 2-3990 type customer bridge 1 state enable | Enable customer vlan for bridge |
SW1(config-if)#interface po1 | Enter dynamic lag interface |
SW1(config-if)#switchport | Configure interface as switchport |
SW1(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
SW1(config-if)#switchport mode hybrid | Set the switching characteristics of this interface hybrid |
SW1(config-if)#switchport hybrid allowed vlan all | Set the switching characteristics of this interface hybrid and allowing all vlan |
SW1(config-if)#exit | Exit the interface mode |
SW1(config)#interface xe1 | Enter interface mode |
SW1(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system. |
SW1(config-if)#exit | Exit the interface mode |
SW1(config)#interface xe2 | Enter interface mode |
SW1(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system. |
SW1(config-if)#exit | Exit the interface mode |
SW1(config)#interface xe3 | Enter interface mode |
SW1(config-if)#switchport | Configure interface as switchport |
SW1(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
SW1(config-if)#switchport mode hybrid | Set the switching characteristics of this interface hybrid |
SW1(config-if)#switchport hybrid allowed vlan all | Set the switching characteristics of this interface hybrid and allowing all vlan |
SW1(config-if)#exit | Exit the interface mode |
LEAF
Leaf(config)#bridge 1 protocol provider-rstp edge | Configure the rstp vlan bridge |
Leaf(config)#vlan 2-3990 type customer bridge 1 state enable | Enable customer vlan for bridge |
Leaf(config)#vlan 2-3990 type service point-point bridge 1 state enable | Enable service vlan for bridge |
Leaf(config)#cvlan registration table map1 bridge 1 | Create registration table |
Leaf(config-cvlan-registration)#cvlan 2-3990 svlan 3990 | Map cvlan to svlan |
Leaf(config-if)#exit | Exit the cvlan registration table mode |
Leaf(config)#interface po2 | Enter interface mode |
Leaf(config-if)#switchport | Configure interface as switchport |
Leaf(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
Leaf(config-if)#switchport mode provider-network | Set the switching characteristics of this interface provider network |
Leaf(config-if)#switchport provider-network allowed vlan all | Set the switching characteristics of this interface provider and allowing all vlan |
Leaf(config-if)#exit | Exit the interface mode |
Leaf(config)#interface xe1 | Enter interface mode |
Leaf(config-if)#channel-group 2 mode active | Add this interface to channel group 2 and enable link aggregation so that it can be selected for aggregation by the local system. |
Leaf(config-if)#exit | Exit the interface mode |
Leaf(config)#interface xe2 | Enter interface mode |
Leaf(config-if)#channel-group 2 mode active | Add this interface to channel group 2 and enable link aggregation so that it can be selected for aggregation by the local system. |
Leaf(config-if)#exit | Exit the interface mode |
Leaf(config)#Interface xe3 | Enter interface mode |
Leaf(config-if)#switchport | Configure interface as switchport |
Leaf(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
Leaf(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer-edge hybrid |
Leaf(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer-edge hybrid and allow vlan all |
Leaf(config-if)#switchport customer-edge vlan registration map1 | Configure the registration table mapping on mlag interface |
Leaf(config-if)#exit | Exit the interface mode |
Validation
TOR1#show access-lists
ARP access list cep
30 permit request ip any mac host 0000.2A6C.668D vlan 3990 inner-vlan 2
40 permit response ip any any mac host 0000.2A6C.668D host 0000.2A6C.7202 vlan 3990 inner-vlan 2
default deny-all
ARP access list pnp
20 permit request ip any mac host 0000.2A6C.7202 vlan 3990 inner-vlan 2 [match=1]
30 permit response ip any any mac host 0000.2A6C.7202 host 0000.2A6C.668D vlan 3990 inner-vlan 2 [match=1]
default deny-all log
TOR2#show access-lists
ARP access list cep
30 permit request ip any mac host 0000.2A6C.668D vlan 3990 inner-vlan 2 [match=1]
40 permit response ip any any mac host 0000.2A6C.668D host 0000.2A6C.7202 vlan 3990 inner-vlan 2 [match=1]
default deny-all log
ARP access list pnp
20 permit request ip any mac host 0000.2A6C.7202 vlan 3990 inner-vlan 2
30 permit response ip any any mac host 0000.2A6C.7202 host 0000.2A6C.668D vlan 3990 inner-vlan 2
default deny-all
Last modified date: 07/13/2023