MAC Address Translation
MAC address translation rewrites the source MAC address of frames on egress and the destination MAC address of frames on ingress. It is the layer 2 analogue of static NAT: a one-to-one rewrite of a single address in the Ethernet header.
Configure MAC Address Translation
To configure MAC address translation:
- Enable MAC address translation.
- Create a rule of type mac that matches a source or destination MAC address and specifies the MAC address to rewrite it to.
- Apply a rule that matches a source MAC address to an interface in the outbound direction. Apply a rule that matches a destination MAC address to an interface in the inbound direction.
Cumulus Linux supports only one MAC address per translation rule: one matched address and one replacement address.
The following example matches Ethernet packets with source MAC address 01:12:34:32:11:01 and translates the MAC address to 99:de:fc:32:11:01 on egress on swp5.
cumulus@switch:~$ nv set acl MACL1 type mac
cumulus@switch:~$ nv set acl MACL1 rule 1 match mac source-mac 01:12:34:32:11:01
cumulus@switch:~$ nv set acl MACL1 rule 1 action source-nat translate-mac 99:de:fc:32:11:01
cumulus@switch:~$ nv config apply
cumulus@switch:~$ nv set interface swp5 acl MACL1 outbound
cumulus@switch:~$ nv config apply
The following example matches Ethernet packets with destination MAC address 01:12:34:32:11:01 and translates the MAC address to 99:de:fc:32:11:01 on ingress on swp5.
cumulus@switch:~$ nv set acl MACL2 type mac
cumulus@switch:~$ nv set acl MACL2 rule 1 match mac dest-mac 01:12:34:32:11:01
cumulus@switch:~$ nv set acl MACL2 rule 1 action dest-nat translate-mac 99:de:fc:32:11:01
cumulus@switch:~$ nv config apply
cumulus@switch:~$ nv set interface swp5 acl MACL2 inbound
cumulus@switch:~$ nv config apply
To create rules with cl-acltool, either edit an existing file in the /etc/cumulus/acl/policy.d directory and add rules under its [ebtables] section, or create a new file in /etc/cumulus/acl/policy.d and add the rules under an [ebtables] section. For example:
cumulus@switch:~$ sudo nano /etc/cumulus/acl/policy.d/60_mac.rules
[ebtables]
#Add rule
Example Rules
The following example matches Ethernet packets with source MAC address 01:12:34:32:11:01 leaving on swp5 and translates the source MAC address to 99:de:fc:32:11:01 on egress. The rule goes in the nat table, POSTROUTING chain, and uses the snat target:
[ebtables]
-t nat -A POSTROUTING -s 01:12:34:32:11:01 -o swp5 -j snat --to-source 99:de:fc:32:11:01
The following example matches Ethernet packets with destination MAC address 01:12:34:32:11:01 coming in on swp5 and translates the destination MAC address to 99:de:fc:32:11:01 on ingress. The rule goes in the nat table, PREROUTING chain, and uses the dnat target:
[ebtables]
-t nat -A PREROUTING -d 01:12:34:32:11:01 -i swp5 -j dnat --to-dst 99:de:fc:32:11:01
The interface options are plain ASCII -o and -i; a dash character pasted from a formatted document (for example an en-dash) is not recognized by ebtables and the rule fails to install. After you save the file, install the rules with sudo cl-acltool -i.
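The rule file above is hand-written. The following shell script is an added example, not part of the Cumulus Linux documentation or tooling: it generates the same two ebtables rule forms from validated inputs, writes a policy.d-style file, and checks the file for non-ASCII bytes (the pasted-dash problem). The directory RULES_DIR, the function names, and the "egress"/"ingress" keywords are assumptions of this example; it defaults to a scratch directory so it can run on any machine, and it does not call cl-acltool or ebtables.

```shell
#!/bin/sh
# Added example (not Cumulus Linux code): build a cl-acltool MAC translation
# policy file from validated MAC addresses. RULES_DIR is an assumption; it
# defaults to a scratch directory so the script runs without a switch.
RULES_DIR="${RULES_DIR:-/tmp/mac-xlate-demo}"

# Accept only a colon-separated MAC made of six hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Emit one ebtables nat rule on stdout.
#   egress : snat in POSTROUTING, matched on the outgoing interface (-o)
#   ingress: dnat in PREROUTING, matched on the incoming interface (-i)
# Exactly one matched MAC and one replacement MAC per rule, as the docs require.
# Usage: mac_xlate_rule <egress|ingress> <match-mac> <new-mac> <interface>
mac_xlate_rule() {
    direction=$1; match=$2; new=$3; iface=$4
    valid_mac "$match" || { echo "bad match MAC: $match" >&2; return 1; }
    valid_mac "$new"   || { echo "bad translate MAC: $new" >&2; return 1; }
    case $direction in
        egress)
            printf -- '-t nat -A POSTROUTING -s %s -o %s -j snat --to-source %s\n' \
                "$match" "$iface" "$new" ;;
        ingress)
            printf -- '-t nat -A PREROUTING -d %s -i %s -j dnat --to-destination %s\n' \
                "$match" "$iface" "$new" ;;
        *)
            echo "direction must be egress or ingress" >&2; return 1 ;;
    esac
}

# Write a policy file: an [ebtables] header followed by the rule lines read
# from stdin. Usage: mac_xlate_rule ... | write_policy "$RULES_DIR/60_mac.rules"
write_policy() {
    file=$1
    mkdir -p "$(dirname "$file")"
    { echo '[ebtables]'; cat; } > "$file"
}

# Return success only if the file contains printable ASCII (plus newlines).
# A pasted en-dash in "-o swp5" is the usual way a rule file fails this check.
policy_is_ascii() {
    ! LC_ALL=C grep -q '[^ -~]' "$1"
}

# Stand-alone run: reproduce the two rules from the documentation example.
if [ "${1:-}" = "demo" ]; then
    {
        mac_xlate_rule egress  01:12:34:32:11:01 99:de:fc:32:11:01 swp5
        mac_xlate_rule ingress 01:12:34:32:11:01 99:de:fc:32:11:01 swp5
    } | write_policy "$RULES_DIR/60_mac.rules"
    policy_is_ascii "$RULES_DIR/60_mac.rules" && cat "$RULES_DIR/60_mac.rules"
fi
```

Run it with the argument demo to write and print the example file. On a switch you would set RULES_DIR=/etc/cumulus/acl/policy.d and then install with sudo cl-acltool -i; the ASCII check is worth keeping in any pipeline that copies rules out of a document or ticket.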
Show MAC Address Translation Configuration and Statistics
To show the current MAC address translation configuration:
cumulus@switch:~$ nv show acl
       type  Summary
-----  ----  -------
MACL1  mac   rule: 1
MACL2  mac   rule: 1
To show information about a specific MAC address translation rule, run the nv show acl <name> --applied -o=json command:
cumulus@switch:~$ nv show acl MACL1 --applied -o=json
{
"rule": {
"1": {
"action": {
"source-nat": {
"translate-ip": {},
"translate-mac": "99:de:fc:32:11:01",
"translate-port": {}
}
},
"match": {
"mac": {
"dest-mac-mask": "ff:ff:ff:ff:ff:ff",
"source-mac": "01:12:34:32:11:01",
"source-mac-mask": "ff:ff:ff:ff:ff:ff"
}
}
}
},
"type": "mac"
}
To show statistics for MAC address translation, such as the number of packets that match the rules and the number of bytes in the matched packets, run the NVUE nv show interface acl-statistics command or the Linux cl-acltool -L eb command. In the NVUE output below, the ACL macl_snat is applied outbound on swp2, so its counters appear in the Out columns:
cumulus@switch:~$ nv show interface acl-statistics
Interface  ACL Name   Rule ID  In Packets  In Bytes  Out Packets  Out Bytes
---------  ---------  -------  ----------  --------  -----------  ---------
swp2       macl_snat  10                             14           1.13 KB
cumulus@switch:~$ sudo cl-acltool -L eb
-s ec:d:9a:84:8b:82 -o swp2 --comment rule_id:10 -j snat --to-src 0:0:0:0:0:2 --snat-target ACCEPT, pcnt = 14 -- bcnt = 1162
In the Linux command output above, --comment rule_id:10 ties the ebtables rule to rule ID 10 in the ACL, and the two counters at the end of the line are:
- pcnt shows how many packets matched this rule (14 packets).
- bcnt shows the total number of bytes in the matched packets (1162 bytes, which NVUE displays as 1.13 KB).
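The pcnt and bcnt counters are the only evidence that a translation rule is actually matching traffic, so they are what you poll when verifying a rule or watching for a rule that unexpectedly starts (or stops) hitting. The following script is an added example, not part of Cumulus Linux: it parses lines in the cl-acltool -L eb format shown above into one record per rule and compares two snapshots to report rules whose packet count grew. The sample lines are constructed for this example (the second line mirrors the dnat rule from this page with an assumed rule_id of 20); the function names and the snapshot file layout are assumptions.

```shell
#!/bin/sh
# Added example (not Cumulus Linux code): parse cl-acltool -L eb output and
# diff two snapshots of the per-rule counters.

# Constructed sample in the format printed by cl-acltool -L eb (not a capture).
SAMPLE_EB='-s ec:d:9a:84:8b:82 -o swp2 --comment rule_id:10 -j snat --to-src 0:0:0:0:0:2 --snat-target ACCEPT, pcnt = 14 -- bcnt = 1162
-d 01:12:34:32:11:01 -i swp5 --comment rule_id:20 -j dnat --to-dst 99:de:fc:32:11:01 --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0'

# Read cl-acltool -L eb lines on stdin; print one record per rule:
#   <rule_id> <target> <translated_mac> <pcnt> <bcnt>
# Only lines carrying a rule_id comment are considered, so chain headers and
# blank lines are ignored.
eb_counters() {
    awk '
    /--comment rule_id:/ {
        id = ""; tgt = ""; mac = ""; pcnt = ""; bcnt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^rule_id:/)                    id   = substr($i, 9)
            if ($i == "-j")                          tgt  = $(i + 1)
            if ($i == "--to-src" || $i == "--to-dst") mac = $(i + 1)
            if ($i == "pcnt")                        pcnt = $(i + 2)   # "pcnt = N"
            if ($i == "bcnt")                        bcnt = $(i + 2)   # "bcnt = N"
        }
        print id, tgt, mac, pcnt, bcnt
    }'
}

# Compare two snapshot files written by eb_counters (older first) and print
# "<rule_id> <packet delta> <byte delta>" for every rule whose pcnt increased.
# Rules present only in the newer snapshot are ignored: there is no baseline.
counter_delta() {
    awk 'NR == FNR { p[$1] = $4; b[$1] = $5; next }
         ($1 in p) && $4 > p[$1] { print $1, $4 - p[$1], $5 - b[$1] }' "$1" "$2"
}

# Stand-alone run: parse the sample and show the records.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_EB" | eb_counters
fi
```

On a switch, capture a baseline with sudo cl-acltool -L eb | eb_counters > before.txt, take a second snapshot later, and run counter_delta before.txt after.txt; a rule whose delta is zero while you send traffic it should match usually means the rule is applied in the wrong direction (source matches belong outbound, destination matches inbound) or on the wrong interface.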