Ethertype ACL with a Layer 2 tunnel

sasha
Level 1

Hello. On an IOS router (probably Cisco 881 or similar, with IOS 15.x), we need to filter traffic going to a Layer 2 tunnel, based on the Ethertype field. Here's the ACL:

access-list 200 deny 0x1515 0x0000
access-list 200 deny 0x1516 0x0000
access-list 200 permit 0x0000 0x0000

But the only way I see to apply such an ACL is to a bridge group, not to a physical interface. If we put xconnect on the same interface as the ACL, the ACL doesn't apply to traffic going into the tunnel, so unwanted traffic goes through:

interface Vlan1
 no ip address
 xconnect 10.200.0.1 1 encapsulation l2tpv3 pw-class LAN2LAN
 bridge-group 1
 bridge-group 1 input-type-list 200

If we put xconnect on another interface in the same bridge group, unwanted traffic is filtered out, but desired traffic from VLAN 1 doesn't enter the tunnel:

interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 input-type-list 200
!
interface Vlan2
 no ip address
 xconnect 10.200.0.1 1 encapsulation l2tpv3 pw-class LAN2LAN
 bridge-group 1

Of course, both VLANs are up, xconnect is up, traffic from VLAN 2 goes through the tunnel.

Are we missing something? Is there any way to apply an Ethertype ACL to a tunnel, or to a physical interface, rather than to a bridge group? Would some other type of tunnel help (e.g. GRE + IRB)? Would some other model of router help? Any ideas? Thanks a lot.
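Added example, not part of the post above and not Cisco code: a small Python evaluator for IOS type-code (Ethertype) access lists, run against the ACL quoted in the question. It assumes the semantics documented for these lists: entries are tried in order, a bit set in the wild-mask is ignored when the type code is compared, and every access list ends with an implicit deny. A second, constructed variant with a 0xFFFF wild-mask on the final permit is included so the two tails can be compared.

```python
import re

ACL_LINE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(0x[0-9a-fA-F]{1,4})\s+(0x[0-9a-fA-F]{1,4})\s*$"
)

def parse_acl(text):
    """Parse 'access-list NNN permit|deny type-code wild-mask' lines into (action, type, mask)."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_LINE.match(line)
        if not m:
            raise ValueError(f"not a type-code ACL entry: {line!r}")
        number = int(m.group(1))
        if not 200 <= number <= 299:
            raise ValueError(f"type-code access lists are numbered 200-299, got {number}")
        entries.append((m.group(2), int(m.group(3), 16), int(m.group(4), 16)))
    return entries

def evaluate(entries, ethertype):
    """First matching entry wins; a set wild-mask bit means 'ignore this bit'."""
    for action, type_code, wild_mask in entries:
        care = ~wild_mask & 0xFFFF          # bits that must match exactly
        if (ethertype & care) == (type_code & care):
            return action
    return "deny"  # implicit deny at the end of every IOS access list

# The ACL exactly as quoted in the question above.
QUESTION_ACL = """
access-list 200 deny 0x1515 0x0000
access-list 200 deny 0x1516 0x0000
access-list 200 permit 0x0000 0x0000
"""
# Constructed variant: a permit-all last entry (wild-mask 0xFFFF ignores every bit).
PERMIT_ALL_ACL = QUESTION_ACL.replace("permit 0x0000 0x0000", "permit 0x0000 0xFFFF")

def verdicts(acl_text, ethertypes):
    """Map each Ethertype to the ACL's verdict for a frame carrying it."""
    entries = parse_acl(acl_text)
    return {et: evaluate(entries, et) for et in ethertypes}

if __name__ == "__main__":
    # Constructed sample Ethertypes: the two denied ones, IPv4, ARP and 0x0000.
    sample = [0x1515, 0x1516, 0x0800, 0x0806, 0x0000]
    for name, acl in (("as quoted", QUESTION_ACL), ("permit-all tail", PERMIT_ALL_ACL)):
        print(name, {hex(et): v for et, v in verdicts(acl, sample).items()})
```

With a wild-mask of 0x0000 the final entry matches only an Ethertype of exactly 0x0000, so every other type falls through to the implicit deny; the 0xFFFF variant is what a permit-all tail looks like under these semantics.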
