[c-nsp] acl on bvi in ios xr (9k) 4.1.2

tim tim at haitabu.net
Fri Aug 17 03:44:16 EDT 2012 

As update for the list after some e-mails offlist:

On 06.08.2012 6:03 PM, Aaron wrote:
> I think the phy int can't be l2transport if you want the subordinate subints
> to be l2transport....
> 
> Is g0/0/0/0 l2transport ?
> 
> Sh run int g0/0/0/0......lemme see it please

Strange IOS XR, you have to configure

interface GigabitEthernet0/0/0/0.123 l2transport

and not

interface GigabitEthernet0/0/0/0.123
 l2transport

The second one does not work, strange...




Config now:
-----------

interface GigabitEthernet0/0/0/0
!
interface GigabitEthernet0/0/0/0.123 l2transport
 encapsulation dot1q 123 exact
 rewrite ingress tag pop 1 symmetric
!
interface BVI1
 ipv4 address 192.0.2.1 255.255.255.0
!
l2vpn
 bridge group EDFA
  bridge-domain EDFA
   interface GigabitEthernet0/0/0/0.123
   !
   routed interface BVI1
  !
 !
!


other side (asr 1001):
-----------------------
interface GigabitEthernet0/0/2
 no ip address
 no negotiation auto
!
interface GigabitEthernet0/0/2.123
 encapsulation dot1Q 123
 ip address 192.0.2.3 255.255.255.0 secondary
 ip address 192.0.2.2 255.255.255.0
!


test:
-----
RP/0/RSP0/CPU0:9010#ping 192.0.2.2
Fri Aug 10 07:57:06.302 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

RP/0/RSP0/CPU0:9010#ping 192.0.2.3
Fri Aug 10 07:57:55.397 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms


asr1001#ping 192.0.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms



appling the ACL:
----------------
RP/0/RSP0/CPU0:9010#sho access-lists ipv4 foo-out
Fri Aug 10 07:59:05.525 UTC
ipv4 access-list foo-out
 10 deny ipv4 any host 192.0.2.3
 20 permit ipv4 any host 192.0.2.2


interface GigabitEthernet0/0/0/0.123 l2transport
 encapsulation dot1q 123 exact
 rewrite ingress tag pop 1 symmetric
 ipv4 access-group foo-out egress
!


RP/0/RSP0/CPU0:9010#ping 192.0.2.2

Fri Aug 10 07:59:27.547 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
RP/0/RSP0/CPU0:9010#ping 192.0.2.3
Fri Aug 10 07:59:29.402 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


=> Seems to work...

Cheers,
	Tim

More information about the cisco-nsp mailing list