
ASR9000 HVPLS access neighbor ACL

Hi all.

In our network is full mesh VPLS on ASR9010 and xconnects to me3600, like this:

l2vpn
 bridge group BG
  bridge-domain BD
   interface TenGigE0/2/0/0.12
   !
   interface TenGigE0/2/0/1.12
   !
   interface TenGigE0/2/0/2.12
   !
   neighbor 10.11.2.45 pw-id 12
   !
   neighbor 10.11.2.175 pw-id 12
   !
   vfi vl12
    neighbor 10.10.1.1 pw-id 12
    !
    neighbor 10.10.1.2 pw-id 12
    !
   !
  !
 !
!

So, on interface TenGigE0/2/0/0.12 I can add an ethernet-services access-list in either direction to filter some MAC addresses.

Can I do something like this on neighbor 10.11.2.45?

I read a lot of documentation and couldn't find any similar feature.

6 REPLIES
Cisco Employee

Hi,

Layer 2 ACL is not supported under neighbor. Moreover, what is the need that you are not able to fulfil using the currently supported model?

IMO it's not supported in IOS either.

 

Thanx

Saurabh

Hi Saurabh,

But what is the currently supported model? Can you show me a guide?

I need to filter some traffic that goes to the neighbor. Maybe there are other possibilities for doing this, if I cannot do it with an ACL.

Cisco Employee

L2 ACL support is as follows; aren't you able to leverage it and block that specific traffic, say by using a specific SMAC and DMAC, etc.?

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-1/lxvpn/configuration/guide/lesc41/lesc41esal.html

The other way is to use QoS to drop the traffic.

 

Thnx

Saurabh

Yes, on L2 interfaces I did it.

But I also need to filter some traffic in this configuration:

l2vpn
 bridge group BG
  bridge-domain BD
   neighbor 10.11.2.45 pw-id 12
   !
   neighbor 10.11.2.175 pw-id 12
   !
   vfi vl12
    neighbor 10.10.1.1 pw-id 12
    !
    neighbor 10.10.1.2 pw-id 12
    !
   !
  !
 !
!

 

I want to pass traffic to neighbor 10.11.2.45 only from some MACs from the VPLS and drop all other traffic to this neighbor. And I can't find any documentation on doing this.

Cisco Employee

I am not aware of the full picture of your network, but what I meant was: why don't you use an L2 ACL on the respective port and choose SMAC X (some specific MAC) and DMAC Y, which you want to pass through for this neighbor, and drop/deny the rest (or vice versa)? Moreover, we have several other matching criteria as well, mentioned below, to distinguish the stream/packet, which can help avoid blocking other neighbors. I am sure if you play around with these you will be able to achieve what you are looking for.

 

(config)#ethernet-services access-list tt permit x.x.x x.x.x y.y.y y.y.y ?

  <0x1-0xffff>  An Ethertype Number in hex
  capture       Capture matched packet
  cos           Class of Service
  dei           Discard Eligibility Indication
  inner-cos     Class of Service of Inner Header
  inner-dei     Discard Eligibility Indication for Inner Header
  inner-vlan    Enter a vlan id or range of vlan ids of the Inner Header
  vlan          Enter a vlan id or range of vlan ids

 

Thnx

Saurabh
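A concrete version of the suggestion above, as an added example that is not part of the original thread or of Cisco's documentation: an IOS XR ethernet-services ACL that admits frames only from a short list of BRAS source MACs and drops everything else, attached ingress on one attachment-circuit sub-interface of the bridge domain. The ACL name BRAS-ONLY, the three MAC addresses, the `encapsulation dot1q 12` line and the interface/location used in the check are constructed placeholders; the match syntax (source MAC, destination MAC, optional ethertype) follows the `?` output shown above.

```text
! Constructed example, not from the original post. BRAS MACs are placeholders;
! add one permit line per BRAS MAC (10 in the original question).
ethernet-services access-list BRAS-ONLY
 10 permit host 0011.2233.4455 any
 20 permit host 0011.2233.4466 any
 30 permit host 0011.2233.4477 any
 ! Optional narrowing with the ethertype field from the "?" output, e.g.
 ! only PPPoE discovery (0x8863) frames from a given BRAS:
 ! 40 permit host 0011.2233.4488 any 0x8863
 ! Every other frame entering through this AC is dropped.
 1000 deny any any
!
! Attach ingress on the AC; the "encapsulation" line is assumed (vlan 12 in the thread).
interface TenGigE0/2/0/0.12 l2transport
 encapsulation dot1q 12
 ethernet-services access-group BRAS-ONLY ingress
!
! Check that the ACL was programmed in hardware and watch per-line hit counts
! (node-id assumed for the card carrying TenGigE0/2/0/0):
! show access-lists ethernet-services BRAS-ONLY hardware ingress location 0/2/CPU0
```

Two caveats a practitioner should keep in mind. An ingress ACL on an attachment circuit only affects frames that enter the bridge domain through that AC; frames arriving from the VFI core neighbors or from the other pseudowire neighbor are not touched, which is exactly the gap the thread leaves open, since the ACL cannot be attached to the `neighbor` itself. And the deny at the end drops the non-matching frames toward every destination in the bridge domain, not only toward 10.11.2.45, so the destination-MAC field (or the other criteria in the `?` output) is what you have to use if other neighbors must still receive that traffic.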

In the core of our network are ASR9010s in a full-mesh VPLS. From the VPLS there are xconnects to the access switches (ME3600X).

For example, in vlan 12 (L2VPN on the ASR9000) there are 50,000 MACs, and only 10 of them (PPPoE BRAS) need to communicate with subscribers connected to the ME3600X. So, to avoid many broadcasts and a huge number of MACs in this vlan on the ME3600X, I need to somehow permit communication only with those 10 MACs from the core xconnect.

 

We also have Catalyst switches connected to the ASR9010 with L2 interfaces. On these interfaces I applied ethernet-services access-lists with the needed rules. All works well.
