ARP ACL Configuration
Topology
Figure 13-31: ARP ACL configuration with MC LAG
TOR1
#configure terminal | Enter configure mode. |
TOR1(config)#bridge 1 protocol provider-rstp edge | Create provider RSTP bridge |
TOR1(config)#vlan 2-3990 type customer bridge 1 state enable | Enable customer VLAN for bridge |
TOR1(config)#vlan 2-3990 type service point- point bridge 1 state enable | Enable service VLAN for bridge |
TOR1(config)#cvlan registration table map1 bridge 1 | Create registration table |
TOR1(config-cvlan-registration)#cvlan 2- 3990 svlan 3990 | Map CVLAN to svlan |
TOR1(config-cvlan-registration)#exit | Exit the CVLAN registration table mode |
TOR1(config-if)#interface mlag1 | Enter MLAG interface |
TOR1(config-if)#switchport | Configure interface as switchport |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config)#interface mlag2 | Enter MLAG interface |
TOR1(config-if)#switchport | Configure interface as switchport |
TOR1(config-if)#bridge-group 1 | Associate the interface with bridge group 1 |
TOR1(config-if)#switchport mode provider- network | Set the switching characteristics of this interface to provider network |
TOR1(config-if)#switchport provider-network allowed vlan all | Set the switching characteristics of this interface to provider network and allow all VLAN |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config)#interface po1 | Enter dynamic LAG interface |
TOR1(config-if)#switchport | Configure interface as switchport |
TOR1(config-if)#mlag 1 | Enable MLAG group number |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config-if)#interface po2 | Enter dynamic LAG interface |
TOR1(config-if)#switchport | Configure interface as switchport |
TOR1(config-if)#mlag 2 | Enable MLAG group number |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config)#interface po3 | Enter dynamic LAG interface |
TOR1(config-if)#switchport | Configure interface as switchport |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config)#interface xe2 | Enter interface mode |
TOR1(config-if)#channel-group 3 mode active | Make part of channel group 3 |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config)#interface xe3 | Enter interface mode |
TOR1(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config-if)#interface xe49/1 | Enter interface mode |
TOR1(config-if)#channel-group 2 mode active | Enable channel-group 2 |
TOR1(config-if)#exit | Exit the interface mode |
TOR1(config)#mcec domain configuration | Enter MCEC mode |
TOR1(config-mcec-domain)#domain-address 2222.3333.4444 | Domain address for the MLAG domain |
TOR1(config-mcec-domain)#domain-system- number 1 | Number to identify the node in a domain |
TOR1(config-mcec-domain)#intra-domain-link po3 | Intra domain line between MLAG domain |
TOR1(config)#hardware-profile filter ingress-arp enable | Enable globally hardware profile for ARP |
TOR1(config)#arp access-list cep | Create access list with name as CEP |
TOR1(config-arp-acl)#30 permit request ip any mac host 0000.2A6C.668D vlan 3990 inner- vlan 2 | Create permit rule for particular ARP request |
TOR1(config-arp-acl)#40 permit response ip any any mac host 0000.2A6C.668D host 0000.2A6C.7202 vlan 3990 inner-vlan 2 | Create permit rule for particular ARP response |
TOR1(config)#arp access-list pnp | Create access list with name as PNP |
TOR1(config-arp-acl)#20 permit request ip any mac host 0000.2A6C.7202 vlan 3990 inner- vlan 2 | Create permit rule for particular ARP request |
TOR1(config-arp-acl)#30 permit response ip any any mac host 0000.2A6C.7202 host 0000.2A6C.668D vlan 3990 inner-vlan 2 | Create permit rule for particular ARP response |
TOR1(config-if)#interface mlag1 | Enter mlag1 interface |
TOR1(config-if)#arp access-group cep in | Attach rule with access-group CEP |
TOR1(config-if)#interface mlag2 | Enter mlag2 interface |
TOR1(config-if)#arp access-group pnp in | Attach rule with access-group PNP |
TOR2
#configure terminal | Enter configure mode. |
TOR2(config)#bridge 1 protocol provider-rstp edge | Create provider RSTP bridge |
TOR2(config)#vlan 2-3990 type customer bridge 1 state enable | Enable customer VLAN for bridge |
TOR2(config)#vlan 2-3990 type service point- point bridge 1 state enable | Enable service VLAN for bridge |
TOR2(config)#cvlan registration table map1 bridge 1 | Create registration table |
TOR2(config-cvlan-registration)#cvlan 2- 3990 svlan 3990 | Map CVLAN to svlan |
TOR2(config-cvlan-registration)#exit | Exit the CVLAN registration table mode |
TOR2(config)#interface mlag1 | Enter MLAG interface |
TOR2(config-if)#switchport | Configure interface as switchport |
TOR2(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
TOR2(config-if)#switchport mode customer- edge hybrid | Set the switching characteristics of this interface to customer- edge hybrid |
TOR2(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer- edge hybrid and allow VLAN all |
TOR2(config-if)#switchport customer-edge vlan registration map1 | Configure the registration table mapping on MLAG interface |
TOR2(config-if)#exit | Exit the interface mode |
TOR2(config)#interface mlag2 | Enter MLAG interface |
TOR2(config-if)#switchport | Configure interface as switchport |
TOR2(config-if)#bridge-group 1 | Associate the interface with bridge group 1 |
TOR2(config-if)#switchport mode provider- network | Set the switching characteristics of this interface to provider network |
TOR2(config-if)#switchport provider-network allowed vlan all | Set the switching characteristics of this interface to provider network and allow all VLAN |
TOR2(config-if)#exit | Exit the interface mode |
TOR2(config)#interface po1 | Enter dynamic LAG interface |
TOR2(config-if)#switchport | Configure interface as switchport |
TOR2(config-if)#mlag 1 | Enable MLAG group number |
TOR2(config-if)#exit | Exit the interface mode |
TOR2(config)#interface po2 | Enter dynamic LAG interface |
TOR2(config-if)#switchport | Configure interface as switchport |
TOR2(config-if)#mlag 2 | Enable MLAG group number |
TOR2(config-if)#exit | Exit the interface mode |
TOR2(config)#interface po3 | Enter dynamic LAG interface |
TOR2(config-if)#switchport | Configure interface as switchport |
TOR2(config-if)#exit | Exit the interface mode |
TOR2(config)#interface xe2 | Enter interface mode |
TOR2(config-if)#channel-group 3 mode active | Make part of channel group 3 |
TOR2(config-if)#interface xe3 | Enter interface mode |
TOR2(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system |
TOR2(config-if)#exit | Exit the interface mode |
TOR2(config)#Interface xe49/1 | Enter interface mode |
TOR2(config-if)#channel-group 2 mode active | Enable channel-group 2 |
TOR2(config)#mcec domain configuration | Configure MCEC domain information |
TOR2(config-mcec-domain)#domain-address 2222.3333.4444 | Domain address for the MLAG domain |
TOR2(config-mcec-domain)#domain-system- number 2 | Number to identify the node in a domain |
TOR2(config-mcec-domain)#intra-domain-link po3 | Intra domain line between MLAG domain |
TOR2(config)#hardware-profile filter ingress-arp enable | Enable globally hardware profile for ARP |
TOR2(config)#arp access-list cep | Create access list with name as CEP |
TOR2(config-arp-acl)#30 permit request ip any mac host 0000.2A6C.668D vlan 3990 inner- vlan 2 | Create permit rule for particular ARP request |
TOR2(config-arp-acl)#40 permit response ip any any mac host 0000.2A6C.668D host 0000.2A6C.7202 vlan 3990 inner-vlan 2 | Create permit rule for particular ARP response |
TOR2(config)#arp access-list pnp | Create access list with name as PNP |
TOR2(config-arp-acl)#20 permit request ip any mac host 0000.2A6C.7202 vlan 3990 inner- vlan 2 | Create permit rule for particular ARP request |
TOR2(config-arp-acl)#30 permit response ip any any mac host 0000.2A6C.7202 host 0000.2A6C.668D vlan 3990 inner-vlan 2 | Create permit rule for particular ARP response |
TOR2(config-if)#interface mlag1 | Enter mlag1 interface |
TOR2(config-if)#arp access-group cep in | Attach rule with access-group CEP |
TOR2(config-if)#interface mlag2 | Enter mlag2 interface |
TOR2(config-if)#arp access-group pnp in | Attach rule with access-group PNP |
SW1
#configure terminal | Enter configure mode. |
SW1(config)#bridge 1 protocol rstp vlan- bridge | Configure the RSTP VLAN bridge |
SW1(config)#vlan 2-3990 type customer bridge 1 state enable | Enable customer VLAN for bridge |
SW1(config-if)#interface po1 | Enter dynamic LAG interface |
SW1(config-if)#switchport | Configure interface as switchport |
SW1(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
SW1(config-if)#switchport mode hybrid | Set the switching characteristics of this interface hybrid |
SW1(config-if)#switchport hybrid allowed vlan all | Set the switching characteristics of this interface hybrid and allowing all VLAN |
SW1(config-if)#exit | Exit the interface mode |
SW1(config)#interface xe1 | Enter interface mode |
SW1(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system. |
SW1(config-if)#exit | Exit the interface mode |
SW1(config)#interface xe2 | Enter interface mode |
SW1(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system. |
SW1(config-if)#exit | Exit the interface mode |
SW1(config)#interface xe3 | Enter interface mode |
SW1(config-if)#switchport | Configure interface as switchport |
SW1(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
SW1(config-if)#switchport mode hybrid | Set the switching characteristics of this interface hybrid |
SW1(config-if)#switchport hybrid allowed vlan all | Set the switching characteristics of this interface hybrid and allowing all VLAN |
SW1(config-if)#exit | Exit the interface mode |
LEAF
#configure terminal | Enter configure mode. |
Leaf(config)#bridge 1 protocol provider-rstp edge | Configure the RSTP VLAN bridge |
Leaf(config)#vlan 2-3990 type customer bridge 1 state enable | Enable customer VLAN for bridge |
Leaf(config)#vlan 2-3990 type service point- point bridge 1 state enable | Enable service VLAN for bridge |
Leaf(config)#cvlan registration table map1 bridge 1 | Create registration table |
Leaf(config-cvlan-registration)#cvlan 2- 3990 svlan 3990 | Map CVLAN to SVLAN |
Leaf(config-if)#exit | Exit the CVLAN registration table mode |
Leaf(config)#interface po2 | Enter interface mode |
Leaf(config-if)#switchport | Configure interface as switchport |
Leaf(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
Leaf(config-if)#switchport mode provider- network | Set the switching characteristics of this interface provider network |
Leaf(config-if)#switchport provider-network allowed vlan all | Set the switching characteristics of this interface provider and allowing all VLAN |
Leaf(config-if)#exit | Exit the interface mode |
Leaf(config)#interface xe1 | Enter interface mode |
Leaf(config-if)#channel-group 2 mode active | Add this interface to channel group 2 and enable link aggregation so that it can be selected for aggregation by the local system. |
Leaf(config-if)#exit | Exit the interface mode |
Leaf(config)#interface xe2 | Enter interface mode |
Leaf(config-if)#channel-group 2 mode active | Add this interface to channel group 2 and enable link aggregation so that it can be selected for aggregation by the local system. |
Leaf(config-if)#exit | Exit the interface mode |
Leaf(config)#Interface xe3 | Enter interface mode |
Leaf(config-if)#switchport | Configure interface as switchport |
Leaf(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
Leaf(config-if)#switchport mode customer- edge hybrid | Set the switching characteristics of this interface to customer- edge hybrid |
Leaf(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer- edge hybrid and allow vlan all |
Leaf(config-if)#switchport customer-edge vlan registration map1 | Configure the registration table mapping on mlag interface |
Leaf(config-if)#exit | Exit the interface mode |
Validation
TOR1#show access-lists
ARP access list cep
30 permit request ip any mac host 0000.2A6C.668D vlan 3990 inner-vlan 2
40 permit response ip any any mac host 0000.2A6C.668D host 0000.2A6C.7202 vlan 3990 inner-vlan 2
default deny-all ARP access list pnp
20 permit request ip any mac host 0000.2A6C.7202 vlan 3990 inner-vlan 2 [match=1]
30 permit response ip any any mac host 0000.2A6C.7202 host 0000.2A6C.668D vlan 3990 inner-vlan 2 [match=1]
default deny-all log
TOR2#show access-lists
ARP access list cep
30 permit request ip any mac host 0000.2A6C.668D vlan 3990 inner-vlan 2 [match=1]
40 permit response ip any any mac host 0000.2A6C.668D host 0000.2A6C.7202 vlan 3990 inner-vlan 2 [match=1]
default deny-all log ARP access list pnp
20 permit request ip any mac host 0000.2A6C.7202 vlan 3990 inner-vlan 2
30 permit response ip any any mac host 0000.2A6C.7202 host 0000.2A6C.668D vlan 3990 inner-vlan 2
default deny-all
Last modified date: 10/12/2023