Hello. On an IOS router (probably Cisco 881 or similar, with IOS 15.x), we need to filter traffic going to a Layer 2 tunnel, based on the Ethertype field. Here's the ACL:
access-list 200 deny 0x1515 0x0000
access-list 200 deny 0x1516 0x0000
access-list 200 permit 0x0000 0x0000
But the only way I see to apply such an ACL is to a bridge group, not to a physical interface. If we put xconnect on the same interface as the ACL, the ACL doesn't apply to traffic going into the tunnel, so unwanted traffic goes through:
interface Vlan1
 no ip address
 xconnect 10.200.0.1 1 encapsulation l2tpv3 pw-class LAN2LAN
 bridge-group 1
 bridge-group 1 input-type-list 200
If we put xconnect on another interface in the same bridge group, unwanted traffic is filtered out, but desired traffic from VLAN 1 doesn't enter the tunnel:
interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 input-type-list 200
!
interface Vlan2
 no ip address
 xconnect 10.200.0.1 1 encapsulation l2tpv3 pw-class LAN2LAN
 bridge-group 1
Of course, both VLANs are up, xconnect is up, and traffic from VLAN 2 goes through the tunnel.
Are we missing something? Is there any way to apply an Ethertype ACL to a tunnel or to a physical interface, rather than to a bridge group? Would some other type of tunnel help (e.g. GRE + IRB)? Would some other model of router help? Any ideas? Thanks a lot.
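An added example, not from the original post and not Cisco's code, that simulates how a type-code access list is evaluated against a few constructed frames. It assumes Cisco's documented semantics for `access-list <200-299> {permit|deny} type-code wild-mask` (bits set in the wild-mask are ignored when comparing, the first matching entry wins, and a frame matching no entry is dropped) and constructs both the sample frames and the variant ACL whose last line uses the 0xFFFF mask.

```python
from typing import Dict, List, Tuple

# Constructed ACLs: the one from the question, and a variant whose last line
# uses the 0xFFFF wild-mask that Cisco documents as matching every type code.
POSTED_ACL = """access-list 200 deny 0x1515 0x0000
access-list 200 deny 0x1516 0x0000
access-list 200 permit 0x0000 0x0000"""
PERMIT_ANY_ACL = POSTED_ACL.replace("permit 0x0000 0x0000", "permit 0x0000 0xFFFF")

def parse_type_code_acl(config: str) -> List[Tuple[str, int, int]]:
    """Turn 'access-list N permit|deny 0xTYPE 0xMASK' lines into (action, type, mask)."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "access-list":
            entries.append((parts[2], int(parts[3], 16), int(parts[4], 16)))
    return entries

def evaluate(entries: List[Tuple[str, int, int]], ethertype: int) -> str:
    """First match wins; bits set in the wild-mask are ignored (assumed IOS semantics)."""
    for action, code, mask in entries:
        care = ~mask & 0xFFFF          # bits that must match exactly
        if ethertype & care == code & care:
            return action
    return "deny"                      # implicit deny at the end of the list (assumed)

def build_frame(ethertype: int, tagged: bool = False) -> bytes:
    """Constructed frame: dst MAC, src MAC, optional 802.1Q tag for VLAN 1, type, padding."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    tag = b"\x81\x00\x00\x01" if tagged else b""
    return header + tag + ethertype.to_bytes(2, "big") + b"\x00" * 46

def ethertype_of(frame: bytes) -> int:
    """Read the type field after the MAC addresses, skipping one 802.1Q tag if present."""
    etype = int.from_bytes(frame[12:14], "big")
    if etype == 0x8100:
        etype = int.from_bytes(frame[16:18], "big")
    return etype

def decisions(acl_config: str) -> Dict[str, str]:
    """Run the constructed sample frames through the ACL; report permit/deny per frame."""
    entries = parse_type_code_acl(acl_config)
    frames = {"0x1515": build_frame(0x1515), "0x1516": build_frame(0x1516),
              "ipv4": build_frame(0x0800), "arp_tagged": build_frame(0x0806, tagged=True)}
    return {name: evaluate(entries, ethertype_of(f)) for name, f in frames.items()}

if __name__ == "__main__":
    print("as posted  :", decisions(POSTED_ACL))     # every sample frame: deny
    print("mask 0xFFFF:", decisions(PERMIT_ANY_ACL))  # ipv4 and arp_tagged: permit
```

Under these assumed semantics a final `permit 0x0000 0x0000` line only matches frames whose type field is exactly 0x0000, so it is worth checking the last line of the list when expected traffic is being dropped.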