[c-nsp] acl on bvi in ios xr (9k) 4.1.2

Tassos Chatzithomaoglou achatz at forthnetgroup.gr
Fri Jul 20 05:26:03 EDT 2012


That's exactly what we also did.
MPLS & ACLs work fine with IRB on MX, so we switched to them.
Probably the new ASR9k RSP/LCs (will) support it, but they are way too expensive to proceed with a replacement.

--
Tassos

Mack McBride wrote on 19/07/2012 22:45:
> Unfortunately there are good reasons to combine switching and routing.
> Otherwise you are stuck with a router on a stick configuration.
> I have made my complaints about the lack of support for switching on any device that can handle a full routing table for the next five years.
> Our sales guys have relayed those to the technical teams but there hasn't been any feedback or visible movement.
> If cisco deploys FIB compression it might solve some of those concerns but the feedback is that the development on that has stopped or is at least not on the road map.
>
> The ASR 9K is a great box but without decent switching support and rapid-pvst it doesn't work well in a managed services/colocation environment.
> The Nexus 7K is stuck at the same place the 6500 and 7600 are routing table wise and lack of MPLS support is still a concern.
> The Juniper MX series can handle switching and rapid-pvst and upwards to 4 million routes (usual division of IPv4/IPv6 applies but is dynamic)
> and we are currently testing it for a replacement for the 6500/7600.
>
> LR Mack McBride
> Network Architect
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
> Sent: Thursday, July 19, 2012 12:55 PM
> To: Aaron
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2
>
> I'm still unclear why so many people want to make something built as a router do BVI.  Ethernet switches aren't that expensive in my experience :)
>
> - Jared
>
> On Jul 19, 2012, at 2:50 PM, Aaron wrote:
>
>> Thanks Chip
>>
>> Yeah, with some of this newer gear and software, it seems like Cisco
>> is still learning about Cisco  :)
>>
>> Aaron
>>
>> -----Original Message-----
>> From: chip [mailto:chip.gwyn at gmail.com]
>> Sent: Thursday, July 19, 2012 12:56 PM
>> To: Aaron
>> Cc: Tassos Chatzithomaoglou; cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2
>>
>> Ok, so looking at the release notes.  Only 4.2.1 supports acl's on BVI
>> interfaces and only in the egress direction.   Looks like you can
>> apply it, but it may not work:
>>
>> http://www.cisco.com/en/US/partner/docs/routers/asr9000/software/asr9k_r4.2/general/release/notes/reln_a9k_421.html#concept_641E24E225D747C08099E20F3AFAA93A
>>
>> The router snippet I displayed was from a 4.2.0 ASR9006 with an RSP440
>> and my testing indicates that the ACL *WILL* drop packets according to
>> the ACL's rules.
>>
>> I've found that there's still a lack of clarity wrt to 9k's and XR
>> within Cisco and it's getting a bit frustrating.
>>
>> --chip
>>
>> On Thu, Jul 19, 2012 at 1:47 PM, Aaron <aaron1 at gvtc.com> wrote:
>>> Thanks Tassos et al, But that list you just sent is in a config doc
>>> for 4.2.x
>>>
>>> So are those bvi limitations in 4.2.x ?  chip said that he thinks that
>>> bvi acl is supported in 4.2.0 and my SE just told me that too.  (she
>>> also told me that bvi acl support in 4.2.0 requires the new line
>>> cards ! ugh)
>>>
>>> So I'm confused with that list of bvi limitations within the 4.2.x
>>> config doc.
>>>
>>> Aaron
>>>
>>> -----Original Message-----
>>> From: Tassos Chatzithomaoglou [mailto:achatz at forthnetgroup.gr]
>>> Sent: Thursday, July 19, 2012 12:18 PM
>>> To: cisco-nsp at puck.nether.net
>>> Cc: chip; Aaron
>>> Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2
>>>
>>> Many things missing....
>>>
>>>
>>> http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/interfaces/configuration/guide/hc42irb.html#wp1011723
>>>
>>> The following areas are /not/ supported on the BVI:
>>>
>>> - Access Control Lists (ACLs). However, Layer 2 ACLs can be configured on each Layer 2 port of the bridge domain.
>>> - IP fast reroute (FRR)
>>> - NetFlow
>>> - MoFRR
>>> - MPLS label switching
>>> - mVPNv4
>>> - Quality of Service (QoS)
>>> - Traffic mirroring
>>> - Unnumbered interface for BVI
>>> - Video monitoring (Vidmon)
>>>
>>>
>>> --
>>> Tassos
>>>
>>> chip wrote on 19/7/2012 19:45:
>>>> interface BVI101
>>>>   description cust-bgp-1 vlan 101
>>>>   ipv4 address x.x.x.x 255.255.255.252
>>>>   ipv4 access-group cust-bgp-1-out-acl egress
>>>>
>>>> This gained support in 4.2.0 I think.
>>>>
>>>> --chip
>>>>
>>>> On Thu, Jul 19, 2012 at 12:39 PM, Aaron <aaron1 at gvtc.com> wrote:
>>>>> Are acl's supported on BVI's ?
>>>>>
>>>>> I have a phy int g0/0/0/1 with a flow point (sub int) g0/0/0/1.10
>>>>> l2transport config'd and put into l2vpn bg:bd with a routed int
>>>>> inside that bg:bd as bvi 10
>>>>>
>>>>>
>>>>> I would think that the appropriate location to place an ipv4
>>>>> access-list would be on the L3 interface , that being the bvi.  But
>>>>> I don't see the command "ipv4 access-list" under the bvi.
>>>>>
>>>>> What am I missing here ?
>>>>>
>>>>> Aaron
>>>>>
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>
>>
>>
>> --
>> Just my $.02, your mileage may vary,  batteries not included, etc....
>
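
A configuration audit for the situation discussed in this thread, as an added example that is not part of any poster's message: it lists every L3 ACL attached to a BVI in an IOS XR style config so each one can be tested for actual enforcement, and names the bridge-domain L2 ports where a Layer 2 ACL could be placed instead. The sample config is constructed, and the egress-only rule is an assumption taken from the 4.2.1 release-note reading quoted above, not verified against any platform.

```python
import re

# Constructed sample in IOS XR style; interface names and addresses are made up.
SAMPLE_CONFIG = """\
interface BVI10
 ipv4 address 192.0.2.1 255.255.255.252
 ipv4 access-group cust-10-in ingress
!
interface BVI101
 ipv4 address 192.0.2.5 255.255.255.252
 ipv4 access-group cust-bgp-1-out-acl egress
!
l2vpn
 bridge group BG1
  bridge-domain BD10
   interface GigabitEthernet0/0/0/1.10
   !
   routed interface BVI10
"""

ACL_RE = re.compile(r"^\s+(ipv4|ipv6) access-group (\S+) (ingress|egress)\b")

def audit_bvi_acls(config):
    """Return one finding per L3 ACL attached to a BVI interface."""
    findings, current, members, bd_ports = [], None, {}, []
    for line in config.splitlines():
        if not line.startswith(" "):              # top-level stanza boundary
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
        elif (m := ACL_RE.match(line)) and current and current.upper().startswith("BVI"):
            findings.append({"interface": current, "acl": m.group(2),
                             "direction": m.group(3)})
        elif line.strip().startswith("bridge-domain "):
            bd_ports = []                         # start a new bridge domain
        elif m := re.match(r"\s+interface (\S+)", line):
            bd_ports.append(m.group(1))           # L2 member port of the domain
        elif m := re.match(r"\s+routed interface (\S+)", line):
            members[m.group(1)] = bd_ports        # shared list: later ports count too
    for f in findings:
        # Assumption from the thread: release notes list egress only on BVI.
        f["egress_only_per_thread"] = f["direction"] == "egress"
        f["l2_ports"] = members.get(f["interface"], [])
    return findings
```

Every finding is a prompt to send test traffic and confirm drops, since the thread shows the documentation and observed behaviour disagreeing.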



