Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
956
Views
5
Helpful
9
Replies

Access-List limitations on ASR920

Ronit Bhattacharjee
Level 1
Level 1

‎02-12-2023 10:18 PM

We have multiple Layer 2 MPLS networks deployed with Cisco ASR920 routers. We have issues matching/denying traffic on ACLs. We tried 3 options
1. Applying the ACL inbound on the physical interface closest to the source - Doesn't match anything

2. Applying the ACL inbound on the service-instance inside the physical interface closest to the source - Clashes with QoS on the physical interface

3. Applying the ACL inbound on the "interface bdi" matches traffic only sourced from a local physical interface, not coming inbound via a pseudowire

I have attached a diagram which shows all three scenarios. Access-List Issue.png

 

Labels:
9 Replies 9

paul driver
VIP
VIP

‎02-13-2023 01:17 AM

Hello

@Ronit Bhattacharjee wrote:

3. Applying the ACL inbound on the "interface bdi" matches traffic only sourced from a local physical interface, not coming inbound via a pseudowire


Can you confirm if the ACL is a extended access list?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Ronit Bhattacharjee
Level 1
Level 1
In response to paul driver

‎02-13-2023 01:19 AM

Yes, it is a regular extended Layer 3 ACL matching IPs.

0 Helpful

Ronit Bhattacharjee
Level 1
Level 1

‎02-13-2023 04:39 AM

Tested a few more scenarios and the only thing that works is if I apply the ACL on the service instance and remove the QoS service-policy.

Access-List Issue.png

0 Helpful

MHM Cisco World
VIP
VIP
In response to Ronit Bhattacharjee

‎02-13-2023 07:29 AM

the traffic is not routing so ACL can not apply here. 
you need some kind of L2 ACL link 
Mac ACL 
port ACL 
Vlan ACL <<- this must be sure that you run VLAN in PW. 

0 Helpful

Ronit Bhattacharjee
Level 1
Level 1
In response to MHM Cisco World

‎02-13-2023 05:15 PM

The traffic is Layer 3, routing out of the BD using the "int BDI" on the left side router. In the lab, when I tested the ACL on the physical interface, I generated traffic from the router.

On our projects, we have actually deployed the ACL inbound on the interface bdi, but this works only if the traffic is originated from a local from a local physical interface, not when it is coming over a pseudowire from another router.

0 Helpful

Ronit Bhattacharjee
Level 1
Level 1

‎02-14-2023 12:21 AM

Tested a few more scenarios. Looks like, on this platform, with our design, the only way to successfully have ACLs is on the interface inside the service instance. But then you cannot apply a QoS service-policy for marking on the same interfaceAccess-List Issue.png

0 Helpful

mlund
Level 7
Level 7

‎02-14-2023 07:34 AM

If your goal is to deny traffic based on acl, then you can do it this way

specify the acl, make a class-map that match the acl, make a policy-map with the just made class-map, in the class-map set qos-group. apply the policy on input interface.

Make a new class-map that match the qos-group from above, make a new policy-map, in the class-map set police <value> conform action drop exceed action drop, apply policy-map to the outgoing interface.

I have done it this way, work as a charm for denying mDNS 

0 Helpful

Ronit Bhattacharjee
Level 1
Level 1
In response to mlund

‎02-14-2023 05:23 PM

Interesting idea, thanks

0 Helpful

MHM Cisco World
VIP
VIP

‎02-14-2023 07:49 AM

I think I found the solution here. 
you use Port-ACL ??

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card