03-11-2021 08:02 PM
Team,
While testing inbound ACLs (Layer 3) and inbound QoS (Marking only) on ASR920 routers, I found that there's a limit and both can't be used at the same time.
Mar 12 11:22:02.396 SGT: %IOSXE-3-PLATFORM: R0/0: cylon_mgr: Acl functionality will not work with QoS already being applied
Mar 12 11:28:31.963 SGT: %IOSXE-3-PLATFORM: R0/0: cylon_mgr: Qos policy on interface and ACL on EVC is not supported.Qos policycant be attached.
ACL on "interface BDI" works, but I am curious, as this isn't specified as a restriction for ACLs on the ASR920 security guide or the QoS guide. Is this restriction real, or am I doing something wrong?
03-12-2021 12:19 AM
Hello @ronit ,
in order to get better help can you post the following:
show version
the configuration of ACL , QoS and interface where you try to apply both.
ASR920 is known to be a platform with some functional limitations when compared to ASR 1000. You may have hit one of these. But it is difficult to say.
Hope to help
Giuseppe
03-12-2021 12:57 AM
@Giuseppe Larosa thank you for replying. Attached is a "show tech" from this router. I am trying to apply ACL "RATP-WNET" on Gi0/0/0, which I eventually applied on "interface BDI 10". The service-policy is the one which is already applied on Gi0/0/0.
The weird thing is, neither the security guide, nor the QoS guide mention any of this as a limitation.
03-12-2021 01:42 AM
Hello @ronit ,
So you have
interface GigabitEthernet0/0/0
description RATP-A-WNET-YARD2
no ip address
negotiation auto
storm-control broadcast level 5.00 4.00
storm-control multicast level 5.00 4.00
storm-control unicast level 5.00 4.00
storm-control action trap
>>service-policy input Ingress_Access
service instance 10 ethernet
encapsulation untagged
bridge-domain 10
!
where:
policy-map Ingress_Access
class CoS5-Ingress
set mpls experimental imposition 5
set cos 5
class CoS4-Ingress
set mpls experimental imposition 4
set cos 4
class CoS3-Ingress
set mpls experimental imposition 3
set cos 3
class CoS2-Ingress
set mpls experimental imposition 2
set cos 2
class CoS1-Ingress
set mpls experimental imposition 1
set cos 1
and the class-maps are defined as follows:
class-map match-all CoS5-Ingress
match access-group 2005
class-map match-all CoS4-Ingress
match access-group 2004
class-map match-all CoS1-Ingress
match access-group 2001
class-map match-all CoS3-Ingress
match access-group 2003
class-map match-all CoS2-Ingress
match access-group 2002
access-list 2005 permit ip any host 10.10.2.1
access-list 2005 remark CoS5
access-list 2005 remark RCP<-->VATC
access-list 2005 permit ip 10.242.0.23 0.0.255.0 10.242.0.11 0.0.255.0
access-list 2005 permit ip 10.242.0.25 0.0.255.0 10.242.0.11 0.0.255.0
access-list 2005 permit ip 10.242.0.11 0.0.255.0 10.242.0.23 0.0.255.0
access-list 2005 permit ip 10.242.0.11 0.0.255.0 10.242.0.25 0.0.255.0
access-list 2005 permit ip 10.242.0.23 0.0.255.0 10.242.0.21 0.0.255.0
access-list 2005 permit ip 10.242.0.25 0.0.255.0 10.242.0.21 0.0.255.0
access-list 2005 permit ip 10.242.0.21 0.0.255.0 10.242.0.23 0.0.255.0
access-list 2005 permit ip 10.242.0.21 0.0.255.0 10.242.0.25 0.0.255.0
access-list 2005 remark RATO<-->Any
access-list 2005 permit ip 10.11.0.60 0.0.255.0 any
access-list 2005 permit ip 10.11.0.61 0.0.255.0 any
access-list 2005 permit ip any 10.11.0.60 0.0.255.0
access-list 2005 permit ip any 10.11.0.61 0.0.255.0
access-list 2005 permit ip 10.11.1.0 0.0.0.255 any
access-list 2005 permit ip 10.11.2.0 0.0.0.255 any
access-list 2005 permit ip 10.11.3.0 0.0.0.255 any
access-list 2005 permit ip 10.11.4.0 0.0.0.255 any
access-list 2005 permit ip 10.11.5.0 0.0.0.255 any
access-list 2005 permit ip 10.11.6.0 0.0.0.255 any
access-list 2005 permit ip 10.11.7.0 0.0.0.255 any
access-list 2005 permit ip 10.11.8.0 0.0.0.255 any
access-list 2005 permit ip 10.11.9.0 0.0.0.255 any
access-list 2005 permit ip 10.11.10.0 0.0.0.255 any
and the ACL you have tried to apply is
ip access-list extended RATP-WNET
permit ip host 10.10.2.20 host 10.10.2.21
permit ip host 10.10.2.20 host 10.10.3.20
permit ip host 10.10.2.20 host 10.10.3.21
permit ip host 10.10.2.20 host 10.10.2.114
permit ip host 10.10.2.20 host 10.10.2.214
permit ip host 10.10.2.20 host 10.12.1.181
permit ip host 10.10.2.20 host 10.12.1.182
permit ip host 10.10.2.20 host 10.12.1.101
permit ip host 10.10.2.20 host 10.12.1.102
permit ip host 10.10.2.20 host 10.11.2.60
permit ip host 10.10.2.20 host 10.11.2.61
permit ip host 10.10.2.20 host 10.10.2.101
permit ip host 10.10.2.20 host 10.10.2.201
permit ip host 10.10.2.20 host 10.10.0.180
permit ip host 10.10.2.20 host 10.7.0.11
permit ip host 10.10.2.20 host 10.7.0.12
permit ip host 10.10.2.20 host 10.7.0.13
permit ip host 10.10.2.20 host 10.7.0.14
permit ip host 10.10.2.21 host 10.10.2.1
permit ip host 10.10.2.21 host 10.10.2.20
permit ip host 10.10.2.21 host 10.10.3.20
permit ip host 10.10.2.21 host 10.10.3.21
permit ip host 10.10.2.21 host 10.10.2.114
permit ip host 10.10.2.21 host 10.10.2.214
permit ip host 10.10.2.21 host 10.12.1.181
permit ip host 10.10.2.21 host 10.12.1.182
permit ip host 10.10.2.21 host 10.12.1.101
permit ip host 10.10.2.21 host 10.11.2.60
permit ip host 10.10.2.21 host 10.11.2.61
permit ip host 10.10.2.21 host 10.10.2.101
permit ip host 10.10.2.21 host 10.10.2.201
permit ip host 10.10.2.21 host 10.10.0.180
permit ip host 10.10.2.21 host 10.7.0.11
permit ip host 10.10.2.21 host 10.7.0.12
permit ip host 10.10.2.21 host 10.7.0.13
permit ip host 10.10.2.21 host 10.7.0.14
deny ip any any log
interface BDI10
description RATP-WNET
vrf forwarding CBTC
ip address 10.10.2.4 255.255.0.0
ip access-group RATP-WNET in
standby delay minimum 5 reload 90
standby 12 ip 10.10.2.1
standby 12 timers msec 300 msec 900
standby 12 priority 250
standby 12 preempt delay minimum 30 reload 90
standby 12 authentication md5 key-string 7 06363F781C56051B54
!
applying the ACL at interface BDI 10 level is not the same because some of the lines involve hosts in the same subnet 10.10.0.0/16, so their packets would probably bypass the BDI (no need to route)
Hope to help
Giuseppe
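To make the point above concrete, here is an added check (my own code, not from the thread or from Cisco): it parses a constructed excerpt of the RATP-WNET ACL from the posts, takes BDI10's 10.10.2.4/16 address, and separates the entries whose traffic is routed through the BDI from those whose endpoints both sit inside the bridge domain's subnet, which an ACL on the BDI never evaluates (so the final `deny ip any any log` never denies or logs them either).

```python
import ipaddress

# Constructed from the thread: BDI10's address and an excerpt of the RATP-WNET ACL.
BDI10_IFACE = ipaddress.ip_interface("10.10.2.4/255.255.0.0")
ACL_RATP_WNET = """
permit ip host 10.10.2.20 host 10.10.2.21
permit ip host 10.10.2.20 host 10.10.3.20
permit ip host 10.10.2.20 host 10.12.1.181
permit ip host 10.10.2.20 host 10.11.2.60
permit ip host 10.10.2.21 host 10.10.0.180
permit ip host 10.10.2.21 host 10.7.0.11
deny ip any any log
"""

def _parse_addr(tokens, i):
    """Parse one ACE address spec at tokens[i]: 'any', 'host A' or 'A WILDCARD'.
    Returns (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], int(ipaddress.ip_address(tokens[i + 1]))
    # A Cisco wildcard sets the don't-care bits; only a contiguous low-order run maps to a prefix.
    if (wildcard + 1) & wildcard:
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]} is not a single prefix")
    prefix_len = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False), i + 2

def parse_ace(line):
    """Parse 'permit|deny ip SRC DST [log]' into a dict of networks."""
    tokens = line.split()
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst,
            "log": "log" in tokens[i:]}

def classify_aces(acl_text, bdi_iface):
    """Return (routed, bridged): ACEs a BDI-applied ACL can evaluate vs. ACEs whose
    endpoints are both in the BDI subnet, so the traffic is bridged and never hits the ACL."""
    subnet = bdi_iface.network
    routed, bridged = [], []
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        both_local = ace["src"].subnet_of(subnet) and ace["dst"].subnet_of(subnet)
        (bridged if both_local else routed).append(line)
    return routed, bridged

if __name__ == "__main__":
    routed, bridged = classify_aces(ACL_RATP_WNET, BDI10_IFACE)
    print("never evaluated on BDI10 (intra-subnet, bridged):", *bridged, sep="\n  ")
```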
03-12-2021 01:50 AM
I understand and agree that applying it on BDI is not a permanent solution, just a temporary workaround. Why would I not be able to apply it under the service instance?
interface GigabitEthernet0/0/0
description RATP-A-WNET-YARD2
no ip address
negotiation auto
storm-control broadcast level 5.00 4.00
storm-control multicast level 5.00 4.00
storm-control unicast level 5.00 4.00
storm-control action trap
service-policy input Ingress_Access
service instance 10 ethernet
encapsulation untagged
bridge-domain 10
ip access-group RATP-WNET in
!
03-12-2021 04:32 AM
Hello @ronit ,
the service instance
service instance 10 ethernet
is an OSI layer 2 concept (an EVC in Metro Ethernet terms); I don't think you can apply an IP ACL (OSI layer 3 and above) at this level.
Port based ACLs are already something "strange" as we apply an IP ACL to an interface with no ip address.
In a Cisco LAN switch we could think of using a VACL to achieve the desired results.
But this device is a PE in the context of Carrier Ethernet / Metro Ethernet and not a LAN switch.
Hope to help
Giuseppe