mac access-list ISR4221

ti_grupoetapa
Level 1

Hi,

My name is Alexandre, I'm from Brazil.

How do I configure an ACL by MAC on an ISR4221 router? I have a 1905 router; I do it through int BVI and it works.

Can anyone help me?

Accepted Solution

Hi,

Georg

Yes, but I already managed to create the rules as follows:

Cisco IOS XE Software, Version 17.03.04a

cisco ISR4221/K9

 

interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 ! access-group name must match the mac access-list defined below
 service instance 111 ethernet
  encapsulation dot1q 111
  mac access-group ETAPA_NOTE in
  bridge-domain 111
 !
 service instance 113 ethernet
  encapsulation dot1q 113
  mac access-group ETAPA_NOTE in
  bridge-domain 113

-------------------------------------------------------------

interface BDI111
 ip address 172.21.0.1 255.255.255.0
 encapsulation dot1Q 111
interface BDI113
 ip address 172.25.0.1 255.255.255.0
 encapsulation dot1Q 113

--------------------------------------------------------------
mac access-list extended ETAPA_NOTE
 permit host xxxx.xx34.a48c any
 permit host xxxx.xxab.8026 any

bridge irb

----------------------------------------------------------------------

thanks.
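
Added example (not part of the original posts, and not Cisco code): a small Python check for a saved IOS XE configuration that lists service instances with no inbound mac access-group, or with one whose name has no matching "mac access-list extended" definition. The sample configuration, the ACL name LAB_NOTE and the MAC address are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread): instance 113 references an
# ACL name that is never defined; instance 115 has no MAC ACL at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 service instance 111 ethernet
  encapsulation dot1q 111
  mac access-group LAB_NOTE in
  bridge-domain 111
 !
 service instance 113 ethernet
  encapsulation dot1q 113
  mac access-group NOTE in
  bridge-domain 113
 !
 service instance 115 ethernet
  encapsulation dot1q 115
  bridge-domain 115
!
mac access-list extended LAB_NOTE
 permit host 0000.5e00.5301 any
"""

def audit_mac_acls(config):
    """Return (interface, instance, problem) for unfiltered service instances."""
    defined = set(re.findall(r"^mac access-list extended (\S+)", config, re.M))
    findings, iface, inst, acl = [], None, None, None
    def close():
        # Record the instance being parsed if its ACL is missing or undefined.
        if inst is not None and acl not in defined:
            why = "no mac access-group" if acl is None else f"undefined ACL {acl}"
            findings.append((iface, inst, why))
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"service instance (\d+) ethernet", s)
        if line.startswith("interface "):
            close()
            iface, inst, acl = s.split()[1], None, None
        elif m:
            close()
            inst, acl = m.group(1), None
        elif inst and (g := re.match(r"mac access-group (\S+) in", s)):
            acl = g.group(1)
        elif line[:1].strip() and s != "!":  # any other top-level command
            close()
            inst, acl = None, None
    close()
    return findings
```

Running audit_mac_acls() over the output of "show running-config" saved to a file gives one tuple per service instance that needs attention; an empty list means every instance has an inbound MAC ACL that is defined.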

 

 

11 Replies

Hello,

 

Can you post the configuration of the 1905 you currently have? The ISR4321 uses BDI instead of BVI; other than that, a MAC access list should, in theory, work the same...

Hello,

 

Which commands do you have available under the physical interface GigabitEthernet0/0/0?

ISR4221#conf t
ISR4221(config)#interface GigabitEthernet0/0/0
ISR4221(config-if)#?

Is the 'service instance' command available under the physical interface?

Hello

Georg

 

You are correct! But I would like to apply it on the interface 0/0/0.113. Is this possible?

 

 

Hello

Georg

Is this possible?

But I would like to apply it on the interface 0/0/0.113 virtual interface.

 

 

 

Hello,

 

I don't think so. You have to configure the service instance under the physical interface, that apparently is the way the BDIs work in XE...

Sorry for the delay.

However, even after the update, the commands listed in the manual still do not appear. Below are the sub-commands that appear:

-----------------------------------------------------------------------------------------------

ROUTER(config-if-srv)#
Ethernet EFP configuration commands:
  default         Set a command to its defaults
  description     Service instance specific description
  encapsulation   Configure ethernet frame match criteria
  errdisable      Configure error disable
  ethernet        ethernet
  exit            Exit from ETHER EFP configuration mode
  group           Join a service group
  ip              Interface Internet Protocol config commands
  ipv6            IPv6 interface subcommands
  l2protocol      Configure l2 control protocol processing
  mac             Commands for MAC Address-based features
  no              Negate a command or set its defaults
  service-policy  Attach a policy-map to an EFP
  shutdown        Take the Service Instance out of Service
  snmp            Modify SNMP service instance parameters
  storm-control   storm configuration

 

----------------------------------------------------------------------------------------------------------

ROUTER(config)#do sh version
Cisco IOS XE Software, Version 17.03.04a
Cisco IOS Software [Amsterdam], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 17.3.4a, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Tue 20-Jul-21 05:06 by mcpre

.........

---------------------------------------------------------------------------------------------------------------------

Hello,

 

I lost track of what you are actually trying to accomplish. A MAC access list under the service instance of a subinterface, right?

Hello,

I am running 17.03, the command is only available under the main interface:

internet-rtr01(config)#interface gigabitEthernet 4.1
internet-rtr01(config-subif)#service-?
service-insertion service-policy service-routing


internet-rtr01(config)#interface gigabitEthernet 4
internet-rtr01(config-if)#service ?
instance Configure Ether Service Instance

Hi

Georg

Yeah

It was for a block via MAC address. Before, I did it via BVI. Now I do it via BDI, as you said.

I didn't understand that it could only be done on the physical interface.

Thanks

balaji.bandi
Hall of Fame
How to configure ACL by mac on isr4221 router. I have a router 1905, I do it through int BVI and it works.

Are you replacing the 1905 with an ISR 4221? Then what @Georg Pauwen suggested should technically work.

Some reference:

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/asr903/sec-data-acl-xe-3s-asr903-book/mac-access-control-lists.pdf

 

BB
