669 Views | 0 Helpful | 5 Replies

ASR920: Cannot apply inbound L3 ACL and QoS on the same Physical Interface

ronit (Level 1)

Team,

 

While testing inbound ACLs (Layer 3) and inbound QoS (Marking only) on ASR920 routers, I found that there's a limit and both can't be used at the same time.

 

  1. Applying the ACL on the main interface does nothing at all. The ACL doesn't work (permits all).
  2. Applying the ACL under the service instance throws up a conflict with QoS:
  • If QoS is applied first and the ACL is applied later, QoS works, but the ACL doesn't work (permits all):

Mar 12 11:22:02.396 SGT: %IOSXE-3-PLATFORM: R0/0: cylon_mgr: Acl functionality will not work with QoS already being applied

  • If the ACL is applied first and QoS is applied later, the ACL works, but QoS doesn't work (no counter increase in "show policy-map int Gix/x/x"):

Mar 12 11:28:31.963 SGT: %IOSXE-3-PLATFORM: R0/0: cylon_mgr: Qos policy on interface and ACL on EVC is not supported.Qos policycant be attached.

 

ACL on "interface BDI" works, but I am curious, as this isn't specified as a restriction for ACLs on the ASR920 security guide or the QoS guide. Is this restriction real, or am I doing something wrong?
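The failure mode described in this post is a silent fail-open: the ACL line stays in the running configuration while the platform refuses to program it, and the only signal is the %IOSXE-3-PLATFORM message. The following is an added example, not part of the original post, showing how to pick those messages out of a syslog feed and report which feature (ACL or QoS) was rejected. The sample log excerpt is constructed; the two cylon_mgr lines reproduce the messages quoted above, and the timestamp regex assumes the "Mon DD HH:MM:SS.mmm TZ:" form shown in the post (sequence-numbered or "*"-prefixed timestamps would need the pattern adjusted).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog excerpt (example data, not a capture from the original
# router); the two cylon_mgr lines reproduce the messages quoted in the post.
SAMPLE_SYSLOG = """\
Mar 12 11:20:10.001 SGT: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar 12 11:22:02.396 SGT: %IOSXE-3-PLATFORM: R0/0: cylon_mgr: Acl functionality will not work with QoS already being applied
Mar 12 11:25:44.120 SGT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up
Mar 12 11:28:31.963 SGT: %IOSXE-3-PLATFORM: R0/0: cylon_mgr: Qos policy on interface and ACL on EVC is not supported.Qos policycant be attached.
"""

# Generic IOS-style syslog line: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} [\d:.]+(?: [A-Z]+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)


@dataclass
class Finding:
    timestamp: str
    severity: int
    dropped_feature: str  # "acl" or "qos": the feature the platform refused to program
    message: str


def classify_cylon_conflict(msg: str) -> Optional[str]:
    """Return which feature was rejected by cylon_mgr, or None if the line is unrelated."""
    if "cylon_mgr" not in msg:
        return None
    if re.search(r"\bacl functionality will not work\b", msg, re.IGNORECASE):
        return "acl"   # ACL is in the config but permits everything
    if re.search(r"qos policy .* not supported", msg, re.IGNORECASE):
        return "qos"   # service-policy is in the config but never marks anything
    return None


def find_acl_qos_conflicts(log_text: str) -> List[Finding]:
    """Scan a syslog text for ACL/QoS programming conflicts reported by the platform."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("facility") != "IOSXE" or m.group("mnemonic") != "PLATFORM":
            continue
        dropped = classify_cylon_conflict(m.group("msg"))
        if dropped is None:
            continue
        findings.append(Finding(m.group("ts"), int(m.group("severity")), dropped, m.group("msg")))
    return findings


if __name__ == "__main__":
    for f in find_acl_qos_conflicts(SAMPLE_SYSLOG):
        print(f"{f.timestamp}: {f.dropped_feature.upper()} silently not enforced -> {f.message}")
```

Because the rejected feature is the one applied second, a match on the "acl" variant means the router is forwarding traffic that the operator believes is filtered; that is the case worth alerting on rather than just logging.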

5 Replies

Giuseppe Larosa (Hall of Fame)

Hello @ronit ,

in order to get better help, can you post the following:

 

show version

 

the configuration of the ACL, the QoS policy and the interface where you try to apply both.

 

ASR920 is known to be a platform with some functional limitations when compared to ASR 1000. You may have hit one of these. But it is difficult to say.

 

Hope to help

Giuseppe

 

ronit (Level 1)

@Giuseppe Larosa thank you for replying. Attached is a "show tech" from this router. I am trying to apply ACL "RATP-WNET" on Gi0/0/0, which I eventually applied on "interface BDI 10". The service-policy is the one which is already applied on Gi0/0/0.

 

The weird thing is, neither the security guide, nor the QoS guide mention any of this as a limitation.

Hello @ronit ,

So you have

interface GigabitEthernet0/0/0
 description RATP-A-WNET-YARD2
 no ip address
 negotiation auto
 storm-control broadcast level 5.00 4.00
 storm-control multicast level 5.00 4.00
 storm-control unicast level 5.00 4.00
 storm-control action trap
>>service-policy input Ingress_Access
 service instance 10 ethernet
  encapsulation untagged
  bridge-domain 10
!

 

where:

 

policy-map Ingress_Access
class CoS5-Ingress
set mpls experimental imposition 5
set cos 5
class CoS4-Ingress
set mpls experimental imposition 4
set cos 4
class CoS3-Ingress
set mpls experimental imposition 3
set cos 3
class CoS2-Ingress
set mpls experimental imposition 2
set cos 2
class CoS1-Ingress
set mpls experimental imposition 1
set cos 1

 

and the class-maps are defined as follows:

class-map match-all CoS5-Ingress
match access-group 2005
class-map match-all CoS4-Ingress
match access-group 2004
class-map match-all CoS1-Ingress
match access-group 2001
class-map match-all CoS3-Ingress
match access-group 2003
class-map match-all CoS2-Ingress
match access-group 2002

 

access-list 2005 permit ip any host 10.10.2.1
access-list 2005 remark CoS5
access-list 2005 remark RCP<-->VATC
access-list 2005 permit ip 10.242.0.23 0.0.255.0 10.242.0.11 0.0.255.0
access-list 2005 permit ip 10.242.0.25 0.0.255.0 10.242.0.11 0.0.255.0
access-list 2005 permit ip 10.242.0.11 0.0.255.0 10.242.0.23 0.0.255.0
access-list 2005 permit ip 10.242.0.11 0.0.255.0 10.242.0.25 0.0.255.0
access-list 2005 permit ip 10.242.0.23 0.0.255.0 10.242.0.21 0.0.255.0
access-list 2005 permit ip 10.242.0.25 0.0.255.0 10.242.0.21 0.0.255.0
access-list 2005 permit ip 10.242.0.21 0.0.255.0 10.242.0.23 0.0.255.0
access-list 2005 permit ip 10.242.0.21 0.0.255.0 10.242.0.25 0.0.255.0
access-list 2005 remark RATO<-->Any
access-list 2005 permit ip 10.11.0.60 0.0.255.0 any
access-list 2005 permit ip 10.11.0.61 0.0.255.0 any
access-list 2005 permit ip any 10.11.0.60 0.0.255.0
access-list 2005 permit ip any 10.11.0.61 0.0.255.0
access-list 2005 permit ip 10.11.1.0 0.0.0.255 any
access-list 2005 permit ip 10.11.2.0 0.0.0.255 any
access-list 2005 permit ip 10.11.3.0 0.0.0.255 any
access-list 2005 permit ip 10.11.4.0 0.0.0.255 any
access-list 2005 permit ip 10.11.5.0 0.0.0.255 any
access-list 2005 permit ip 10.11.6.0 0.0.0.255 any
access-list 2005 permit ip 10.11.7.0 0.0.0.255 any
access-list 2005 permit ip 10.11.8.0 0.0.0.255 any
access-list 2005 permit ip 10.11.9.0 0.0.0.255 any
access-list 2005 permit ip 10.11.10.0 0.0.0.255 any

 

and the ACL you have tried to apply is

 

ip access-list extended RATP-WNET
permit ip host 10.10.2.20 host 10.10.2.21
permit ip host 10.10.2.20 host 10.10.3.20
permit ip host 10.10.2.20 host 10.10.3.21
permit ip host 10.10.2.20 host 10.10.2.114
permit ip host 10.10.2.20 host 10.10.2.214
permit ip host 10.10.2.20 host 10.12.1.181
permit ip host 10.10.2.20 host 10.12.1.182
permit ip host 10.10.2.20 host 10.12.1.101
permit ip host 10.10.2.20 host 10.12.1.102
permit ip host 10.10.2.20 host 10.11.2.60
permit ip host 10.10.2.20 host 10.11.2.61
permit ip host 10.10.2.20 host 10.10.2.101
permit ip host 10.10.2.20 host 10.10.2.201
permit ip host 10.10.2.20 host 10.10.0.180
permit ip host 10.10.2.20 host 10.7.0.11
permit ip host 10.10.2.20 host 10.7.0.12
permit ip host 10.10.2.20 host 10.7.0.13
permit ip host 10.10.2.20 host 10.7.0.14
permit ip host 10.10.2.21 host 10.10.2.1
permit ip host 10.10.2.21 host 10.10.2.20
permit ip host 10.10.2.21 host 10.10.3.20
permit ip host 10.10.2.21 host 10.10.3.21
permit ip host 10.10.2.21 host 10.10.2.114
permit ip host 10.10.2.21 host 10.10.2.214
permit ip host 10.10.2.21 host 10.12.1.181
permit ip host 10.10.2.21 host 10.12.1.182
permit ip host 10.10.2.21 host 10.12.1.101
permit ip host 10.10.2.21 host 10.11.2.60
permit ip host 10.10.2.21 host 10.11.2.61
permit ip host 10.10.2.21 host 10.10.2.101
permit ip host 10.10.2.21 host 10.10.2.201
permit ip host 10.10.2.21 host 10.10.0.180
permit ip host 10.10.2.21 host 10.7.0.11
permit ip host 10.10.2.21 host 10.7.0.12
permit ip host 10.10.2.21 host 10.7.0.13
permit ip host 10.10.2.21 host 10.7.0.14
deny ip any any log

 

interface BDI10
description RATP-WNET
vrf forwarding CBTC
ip address 10.10.2.4 255.255.0.0
ip access-group RATP-WNET in
standby delay minimum 5 reload 90
standby 12 ip 10.10.2.1
standby 12 timers msec 300 msec 900
standby 12 priority 250
standby 12 preempt delay minimum 30 reload 90
standby 12 authentication md5 key-string 7 06363F781C56051B54
!

 

applying the ACL at interface BDI 10 level is not the same, because some of the lines involve hosts in the same subnet 10.10.0.0/16, so their packets would probably bypass the BDI (no need to route).

 

Hope to help

Giuseppe

 

 

I understand and agree that applying it on BDI is not a permanent solution, just a temporary workaround. Why would I not be able to apply it under the service instance?

 

interface GigabitEthernet0/0/0
 description RATP-A-WNET-YARD2
 no ip address
 negotiation auto
 storm-control broadcast level 5.00 4.00
 storm-control multicast level 5.00 4.00
 storm-control unicast level 5.00 4.00
 storm-control action trap
 service-policy input Ingress_Access
 service instance 10 ethernet
  encapsulation untagged
  bridge-domain 10
  ip access-group RATP-WNET in
!

Hello @ronit ,

the service instance

service instance 10 ethernet

 

is an OSI layer 2 concept (an EVC, in metro Ethernet terms). I don't think you can apply an IP ACL (OSI layer 3 and above) at this level.

 

Port-based ACLs are already something "strange", as we apply an IP ACL to an interface with no IP address.

In a Cisco LAN switch we could think of using a VACL to achieve the desired results.

But this device is a PE in the context of Carrier Ethernet / metro Ethernet and not a LAN switch.

 

Hope to help

Giuseppe

 
