[c-nsp] acl on bvi in ios xr (9k) 4.1.2
Aaron
aaron1 at gvtc.com
Mon Jul 23 09:16:11 EDT 2012
Hi Tim, et al, why don't you have your bvi1 listed as a routed interface
within that bg:bd ?
l2vpn
 bridge group EDFA
  bridge-domain EDFA
   ? interface BVI1 ?
Also, have you tested real traffic via those foo-out egress acls on those l2
interfaces? I tried that the other day on my gig0/0/0/1.10 and I don't
recall them working. Am I the only one that thinks it's strange to add
layer 3 packet filter acl's to a layer 2 transport/bridging interface?
Aaron
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of tim
Sent: Monday, July 23, 2012 4:15 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2
On 19.07.2012 6:39 PM, Aaron wrote:
> Are acl's supported on BVI's ?
>
> I have a phy int g0/0/0/1 with a flow point (sub int) g0/0/0/1.10
> l2transport config'd and put into l2vpn bg:bd with a routed int inside
> that bg:bd as bvi 10
>
> I would think that the appropriate location to place an ipv4
> access-list would be on the L3 interface , that being the bvi. But I
> don't see the command "ipv4 access-list" under the bvi.
We have a case where two physical interfaces are in a local l2-vpn, there
you can put the ipv4 access-list on the physical interface:
interface GigabitEthernet0/0/0/2
 l2transport
 ipv4 access-group foo-out egress
!
interface GigabitEthernet0/0/0/3
 l2transport
 ipv4 access-group foo-out egress
!
interface BVI1
 ipv4 address 192.0.2.1/28
!
l2vpn
 bridge group EDFA
  bridge-domain EDFA
   interface GigabitEthernet0/0/0/2
   interface GigabitEthernet0/0/0/3
  !
 !
!
(ASR 9006, IOS XR 4.1.1)
Not intuitive, but works.
In your scenario you can try to put the access-list under int g0/0/0/1.10.
HTH,
Tim
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/