cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco Community Designated VIP Class of 2020

313
Views
10
Helpful
11
Replies
Highlighted
Beginner

MAC ACL on L3 interface

Hello team,

is it supported to filter traffic based on source MAC address on L3 interface (e.g. on interface Bundle-Ether 1.1)?

Platform is ASR9k.

Best regards,

Josef

Everyone's tags (1)
11 REPLIES 11
Cisco Employee

hi Josef,

hi Josef,

ethernet access-list is applicable only to Layer 2 interfaces.

/Aleksandar

Beginner

Hello Aleksander,

Hello Aleksander,

I know about this limitation. The question is if we are able to drop traffic from specific MAC address on L3 interface. If we cannot use ethernet access-list, is there any other option?

Best regards,
Josef

Cisco Employee

hi Josef,

hi Josef,

can you please explain what real life scenario are you trying to address? That way I can help you better.

regards,

/Aleksandar

Beginner

Hello Aleksander,

Hello Aleksander,

real scenario is in BGP peering where one Service Provider is sending to our peering router packets (we do not have BGP session to him). The Service Provider does some next-hop changes. The goal is to drop these packets.

Best regards,
Josef

Cisco Employee

Hi Josef,

Hi Josef,

LPTS will take care of policing these packets, to make sure that the control plane is not impacted.

If you really want to drop all these packets already at the NP by using an ACL, you could use the L3 ACL for this purpose. L3 ACL can be used even on an l2transport interface.

Aleksandar

Beginner

I think you may be

I think you may be misunderstanding Josef's use case.

If you have an interface on a public peering LAN, you wish to avoid someone you don't peer with pointing a default route at your interface to get free IP transit. Or someone advertising prefixes to a peer of theirs but setting the next-hop to be you.

It's forwarding plane traffic rather than control-plane so would not hit LPTS. 

The source or destination address of the traffic could be anything so a L3 ACL would not help. A L2 ACL would deny traffic from a MAC address on the peering LAN with which you do not have a peering relationship.

Beginner

Hi all,

Hi all,

our case is for IXP (Internet Exchange Point), so this is specific case. It is on one vlan where all ISPs peer.

Best regards,
Josef

Cisco Employee

hi Josef,

hi Josef,

I just read Mark's message and understood fully your scenario. In this case the only option that I can see is that you convert the L3 sub-int to L2 and apply the MAC ACL there. You would obviously have to use BVI as L3 interface in that case. I've seen some ISPs doing this in IXP. There is some performance impact when switching to BVI, so take some snapshot of the NP utilisation to evaluate how this approach would scale for you. The most straightforward way to see the NP utilisation is to run this command:

run attach <location>
np_perf -e <np>

One section of the output will show you the NP utilisation in %.

This command should not cause any impact on the forwarding.

I hope this helps,

Aleksandar

Beginner

Hi Aleksandar,

Hi Aleksandar,

thank you for this explanation, it is good idea.

Best regards,
Josef

Hi Josef:

Hi Josef:

Please also note that the behavior you are describing is most likely against the terms of use for the IXP in question.  While I understand and appreciate the need for a operational solution, don't forget that a administrative solution (in this case, involving the IXP operator) can also help.  You should not be forced to configure workarounds for something that someone else shouldn't be doing anyways.

Cisco Employee

hi Mark,

hi Mark,

thanks for clarifying!

/Aleksandar

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here