Is it supported to filter traffic based on source MAC address on an L3 interface (e.g. on interface Bundle-Ether 1.1)?
Platform is ASR9k.
I know about this limitation. The question is whether we are able to drop traffic from a specific MAC address on an L3 interface. If we cannot use an ethernet access-list, is there any other option?
The real scenario is in BGP peering, where one Service Provider is sending packets to our peering router (we do not have a BGP session with him). The Service Provider does some next-hop changes. The goal is to drop these packets.
LPTS will take care of policing these packets, to make sure that the control plane is not impacted.
If you really want to drop all these packets already at the NP by using an ACL, you could use the L3 ACL for this purpose. L3 ACL can be used even on an l2transport interface.
I think you may be misunderstanding Josef's use case.
If you have an interface on a public peering LAN, you wish to avoid someone you don't peer with pointing a default route at your interface to get free IP transit. Or someone advertising prefixes to a peer of theirs but setting the next-hop to be you.
It's forwarding plane traffic rather than control-plane so would not hit LPTS.
The source or destination address of the traffic could be anything, so an L3 ACL would not help. An L2 ACL would deny traffic from a MAC address on the peering LAN with which you do not have a peering relationship.
I just read Mark's message and fully understood your scenario. In this case the only option that I can see is that you convert the L3 sub-int to L2 and apply the MAC ACL there. You would obviously have to use BVI as the L3 interface in that case. I've seen some ISPs doing this in IXP. There is some performance impact when switching to BVI, so take some snapshots of the NP utilisation to evaluate how this approach would scale for you. The most straightforward way to see the NP utilisation is to run this command:
run attach <location>
np_perf -e <np>
One section of the output will show you the NP utilisation in %.
This command should not cause any impact on the forwarding.
I hope this helps,
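The L2 sub-interface plus BVI approach from the last reply, shown as an added IOS XR configuration example that is not part of the original thread. The ACL name, bridge group and bridge-domain names, VLAN ID, BVI number, IP address and the denied MAC address (taken from the documentation range) are all constructed placeholders.

```cisco
! Added example: all names, the VLAN, the IP address and the MAC are placeholders.
! Assumption: the existing L3 sub-interface is removed first and recreated
! as l2transport; its IP address moves to the BVI.
!
! L2 (MAC) ACL: drop frames sourced from the non-peer's MAC, permit the rest.
ethernet-services access-list PEERING-MAC-IN
 10 deny host 0000.5e00.5301 any
 20 permit any any
!
! Former L3 sub-interface, now an L2 attachment circuit carrying the MAC ACL.
interface Bundle-Ether1.1 l2transport
 encapsulation dot1q 1
 rewrite ingress tag pop 1 symmetric
 ethernet-services access-group PEERING-MAC-IN ingress
!
! BVI takes over as the routed (L3) interface on the peering LAN.
interface BVI1
 ipv4 address 192.0.2.1 255.255.255.0
!
! Bridge-domain ties the L2 sub-interface to the BVI.
l2vpn
 bridge group PEERING
  bridge-domain PEERING-LAN
   interface Bundle-Ether1.1
   !
   routed interface BVI1
  !
 !
!
```

The `rewrite ingress tag pop 1 symmetric` line is needed so that the BVI sees untagged frames. BGP sessions that were sourced from the sub-interface address now terminate on the BVI.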