09-10-2015 11:50 AM
I understand that ABF is not supported on BVI interfaces using the older Ethernet linecards. However the doc states that you can apply ABFv4 to l2transport interfaces. I have tried this, and though I see hits, the ACL does not appear to be doing anything. Is there any doc that explicitly shows how this works, or is it an error and it actually doesn't work?
Here's the relevant config, on an A9K-40GE-L linecard:
ipv4 access-list TEST
 5 permit tcp 10.0.96.0 0.0.7.255 any eq www nexthop1 ipv4 172.20.60.52
 10 permit tcp 10.0.96.0 0.0.7.255 any eq 554 nexthop1 ipv4 172.20.60.52
 20 permit ipv4 any any
interface GigabitEthernet0/1/0/9.124 l2transport
 encapsulation dot1q 124
 rewrite ingress tag pop 1 symmetric
 ipv4 access-group TEST ingress
interface BVI124
 ipv4 address 172.20.55.177 255.255.255.248
l2vpn
 bridge group 124
  bridge-domain 124
   interface GigabitEthernet0/1/0/9.124
   !
   routed interface BVI124
Thanks,
Paul
09-11-2015 01:37 AM
Hi Paul,
I'm afraid this is not supported.
The documentation states that "For ASR 9000 Ethernet linecards, ACL can be applied on the EFP level (IPv4 L3 ACL can be applied on an L2 interface)". Applying ABF is a different thing. L3 forwarding decision can not be made on L2 transport interfaces. The interface type (L2 vs L3) dictates the type of lookup that will be applied by the Network Processor. In your configuration ABF can only be applied on the BVI, but you would need an Enhanced Ethernet (aka Typhoon or Tomahawk) line card for that.
In general we strongly recommend deploying an Enhanced Ethernet line card in complex scenarios with BVI (e.g. if you have MPLS also enabled on the router) and at minimum SW release 5.1.x (5.1.3 being the generic recommendation as it's an Extended Maintenance Release).
Regards,
Aleksandar
09-11-2015 08:18 AM
Thank you for clarifying that, Aleksandar. The documentation is really confusing on this. I don't know why it would be noted that the ACL could be applied to a L2 interface if it isn't going to do anything!
Thank you,
Paul
09-11-2015 08:26 AM
Hi Paul,
You can still use the IPv4 ACL on L2 interface to control the admission of the traffic (permit/deny). It's the "ACL Based Forwarding" that can't be applied to L2 interfaces.
Regards,
Aleksandar
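An added example, not part of the thread and not Cisco tooling: a small Python check that scans an IOS XR configuration for ACLs with nexthop (ABF) entries bound to l2transport interfaces, where, per the replies above, only permit/deny is enforced. The FILTER ACL and the .125 subinterface are constructed for contrast, and the parser assumes the one-space indentation IOS XR uses in its running configuration.

```python
import re

# Constructed sample: the ACL and l2transport interface from the question,
# plus a hypothetical filter-only ACL (FILTER) on a hypothetical .125 subinterface.
SAMPLE_CONFIG = """\
ipv4 access-list TEST
 5 permit tcp 10.0.96.0 0.0.7.255 any eq www nexthop1 ipv4 172.20.60.52
 10 permit tcp 10.0.96.0 0.0.7.255 any eq 554 nexthop1 ipv4 172.20.60.52
 20 permit ipv4 any any
!
ipv4 access-list FILTER
 10 deny tcp any any eq telnet
 20 permit ipv4 any any
!
interface GigabitEthernet0/1/0/9.124 l2transport
 encapsulation dot1q 124
 rewrite ingress tag pop 1 symmetric
 ipv4 access-group TEST ingress
!
interface GigabitEthernet0/1/0/9.125 l2transport
 encapsulation dot1q 125
 ipv4 access-group FILTER ingress
"""

def find_abf_on_l2transport(config):
    """Return (interface, acl, [ABF entries]) for ABF ACLs bound to l2transport interfaces."""
    abf_entries = {}   # ACL name -> entries that carry a nexthop clause
    bindings = []      # (interface, ACL name) seen on l2transport interfaces
    acl = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # unindented line opens a new block
            acl = iface = None
            m = re.match(r"ipv4 access-list (\S+)$", line)
            if m:
                acl = m.group(1)
                abf_entries.setdefault(acl, [])
            m = re.match(r"interface (\S+) l2transport$", line)
            if m:
                iface = m.group(1)
        elif acl and re.search(r"\bnexthop\d ipv4 \S+", line):
            abf_entries[acl].append(line)
        elif iface:
            m = re.match(r"ipv4 access-group (\S+) ingress", line)
            if m:
                bindings.append((iface, m.group(1)))
    # Resolve at the end so an ACL defined after the interface is still caught.
    return [(i, a, abf_entries[a]) for i, a in bindings if abf_entries.get(a)]
```

Each returned tuple names an interface where the ACL's nexthop clauses will count hits but not steer traffic, so the intended redirection is silently absent.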