[c-nsp] acl on bvi in ios xr (9k) 4.1.2

Aaron aaron1 at gvtc.com
Thu Jul 19 14:50:48 EDT 2012


Thanks Chip

Yeah, with some of this newer gear and software, it seems like Cisco is
still learning about Cisco  :)

Aaron

-----Original Message-----
From: chip [mailto:chip.gwyn at gmail.com] 
Sent: Thursday, July 19, 2012 12:56 PM
To: Aaron
Cc: Tassos Chatzithomaoglou; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2

Ok, so looking at the release notes.  Only 4.2.1 supports acl's on BVI
interfaces and only in the egress direction.   Looks like you can
apply it, but it may not work:

http://www.cisco.com/en/US/partner/docs/routers/asr9000/software/asr9k_r4.2/general/release/notes/reln_a9k_421.html#concept_641E24E225D747C08099E20F3AFAA93A

The router snippet I displayed was from a 4.2.0 ASR9006 with an RSP440 and
my testing indicates that the ACL *WILL* drop packets according to the ACL's
rules.

I've found that there's still a lack of clarity wrt 9k's and XR within
Cisco and it's getting a bit frustrating.

--chip

On Thu, Jul 19, 2012 at 1:47 PM, Aaron <aaron1 at gvtc.com> wrote:
> Thanks Tassos et al, But that list you just sent is in a config doc 
> for 4.2.x
>
> So are those bvi limitation in 4.2.x ?  chip said that he thinks that 
> bvi acl is supported in 4.2.0 and my SE just told me that too.  (she 
> also told me that bvi acl support in 4.2.0 requires the new line cards 
> ! ugh)
>
> So I'm confused with that list of bvi limitations within the 4.2.x config
> doc.
>
> Aaron
>
> -----Original Message-----
> From: Tassos Chatzithomaoglou [mailto:achatz at forthnetgroup.gr]
> Sent: Thursday, July 19, 2012 12:18 PM
> To: cisco-nsp at puck.nether.net
> Cc: chip; Aaron
> Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2
>
> Many things missing....
>
>
>
> http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/interfaces/configuration/guide/hc42irb.html#wp1011723
>
> The following areas are /not/ supported on the BVI:
>
> -Access Control Lists (ACLs). However, Layer 2 ACLs can be configured on
> each Layer 2 port of the bridge domain.
>
> -IP fast reroute (FRR)
>
> -NetFlow
>
> -MoFRR
>
> -MPLS label switching
>
> -mVPNv4
>
> -Quality of Service (QoS)
>
> -Traffic mirroring
>
> -Unnumbered interface for BVI
>
> -Video monitoring (Vidmon)
>
>
>
> --
> Tassos
>
> chip wrote on 19/7/2012 19:45:
>> interface BVI101
>>   description cust-bgp-1 vlan 101
>>   ipv4 address x.x.x.x 255.255.255.252
>>   ipv4 access-group cust-bgp-1-out-acl egress
>>
>> This gained support in 4.2.0 I think.
>>
>> --chip
>>
>> On Thu, Jul 19, 2012 at 12:39 PM, Aaron <aaron1 at gvtc.com> wrote:
>>> Are acl's supported on BVI's ?
>>>
>>> I have a phy int g0/0/0/1 with a flow point (sub int) g0/0/0/1.10 
>>> l2transport config'd and put into l2vpn bg:bd with a routed int 
>>> inside that bg:bd as bvi 10
>>>
>>>
>>>
>>> I would think that the appropriate location to place an ipv4 
>>> access-list would be on the L3 interface , that being the bvi.  But 
>>> I don't see the command "ipv4 access-list" under the bvi.
>>>
>>>
>>>
>>> What am I missing here ?
>>>
>>>
>>>
>>> Aaron
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>
>



--
Just my $.02, your mileage may vary,  batteries not included, etc....


