02-08-2017 01:19 AM
I’m looking for a way to create and apply an outbound filter on an ASR9K (IOS-XR is currently 5.3.3 on an ASR9001 in the lab).
I would like to match, for example, on packet-length with an action to drop or police traffic.
A standard ACL will not work as I understand it, but you are able to match on packet-length in a class-map.
Using policy-map type pbr and class-map type traffic is only supported inbound, so now I wonder if there is another way to create an outbound filter that will match packet-length, tcp-flags, fragment-types.
Just a short config example:
policy-map type pbr TEST_VER1
 class type traffic PACKET_LENGTH_1
  drop
 !
end-policy-map
!
class-map type traffic match-all PACKET_LENGTH_1
 match packet length ipv4 567
end-class-map
!
Thanks Jonas
02-08-2017 03:23 AM
PBR is the only way to do this ingress at the moment; it's not possible egress.
In 6.2.2 you will be able to natively match the pkt length with an ACL (without PBR), but this is supported on the 800G line cards (Tomahawk). The 9001 is built on the Typhoon arch; there is no plan to support the packet length matching there.
Regards
Eddie.
02-08-2017 04:24 AM
Hello Eddie, thanks for the information.
I suppose the same is valid for matching fragments, tcp flags (supported in PBR)?
Also do you know if the next gen 9001 is based on Tomahawk?
//J
02-08-2017 04:42 AM
There will be 9901 at the end of the year.
It will probably be Tomahawk based HW.
02-08-2017 04:59 AM
Yes, ASR9901 is Tomahawk based.
02-08-2017 11:57 AM
If you want to create an outbound filter that will match packet-length, you can use QOS policing for that purpose.
02-08-2017 01:08 PM
I don't think that will work if I want to have a drop or police action; it seems to only be supported in PBR.
02-09-2017 04:53 AM
Of course you can:
either via “conform-action drop”
or via “exceed-action drop”
adam
02-09-2017 07:28 AM
Hi Adam, may I ask you for an example?
AFAIK, matching packet length requires class-type traffic:
!!% Policy manager does not support this feature: Match type "ip packet-length" not supported for class-map type "qos"
And you cannot use a class-map type traffic in a QoS policy:
!!% Policy manager does not support this feature: Class-map type "traffic" not supported within policy-map type "qos"
It's working in PBR, but PBR is ingress.
//J