
Mailing List Archive: Cisco: NSP

acl on bvi in ios xr (9k) 4.1.2

 

 



aaron1 at gvtc

Jul 19, 2012, 9:39 AM

Post #1 of 28 (1540 views)
Permalink
acl on bvi in ios xr (9k) 4.1.2

Are acl's supported on BVI's ?

I have a phy int g0/0/0/1 with a flow point (sub int) g0/0/0/1.10
l2transport config'd and put into l2vpn bg:bd with a routed int inside that
bg:bd as bvi 10



I would think that the appropriate location to place an ipv4 access-list
would be on the L3 interface , that being the bvi. But I don't see the
command "ipv4 access-list" under the bvi.



What am I missing here ?



Aaron









_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


chip.gwyn at gmail

Jul 19, 2012, 9:45 AM

Post #2 of 28 (1509 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

interface BVI101
description cust-bgp-1 vlan 101
ipv4 address x.x.x.x 255.255.255.252
ipv4 access-group cust-bgp-1-out-acl egress

This gained support in 4.2.0, I think.

--chip




--
Just my $.02, your mileage may vary, batteries not included, etc....


achatz at forthnetgroup

Jul 19, 2012, 10:17 AM

Post #3 of 28 (1512 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Many things missing....



http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/interfaces/configuration/guide/hc42irb.html#wp1011723

The following areas are /not/ supported on the BVI:

–Access Control Lists (ACLs). However, Layer 2 ACLs can be configured on each Layer 2 port
of the bridge domain.

–IP fast reroute (FRR)

–NetFlow

–MoFRR

–MPLS label switching

–mVPNv4

–Quality of Service (QoS)

–Traffic mirroring

–Unnumbered interface for BVI

–Video monitoring (Vidmon)



--
Tassos



aaron1 at gvtc

Jul 19, 2012, 10:47 AM

Post #4 of 28 (1504 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Thanks Tassos et al, But that list you just sent is in a config doc for 4.2.x

So are those bvi limitations in 4.2.x ? chip said that he thinks that bvi acl is supported in 4.2.0 and my SE just told me that too. (she also told me that bvi acl support in 4.2.0 requires the new line cards ! ugh)

So I'm confused with that list of bvi limitations within the 4.2.x config doc.

Aaron



chip.gwyn at gmail

Jul 19, 2012, 10:55 AM

Post #5 of 28 (1503 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Ok, so looking at the release notes. Only 4.2.1 supports acl's on BVI
interfaces and only in the egress direction. Looks like you can
apply it, but it may not work:

http://www.cisco.com/en/US/partner/docs/routers/asr9000/software/asr9k_r4.2/general/release/notes/reln_a9k_421.html#concept_641E24E225D747C08099E20F3AFAA93A

The router snippet I displayed was from a 4.2.0 ASR9006 with a RSP440
and my testing indicates that the ACL *WILL* drop packets according to
the ACL's rules.

I've found that there's still a lack of clarity wrt to 9k's and XR
within Cisco and it's getting a bit frustrating.

--chip
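
An added example, not code from any poster in this thread: a Python audit of an IOS XR configuration that checks the two points raised above, the release-note statement that BVI ACLs are listed for 4.2.1 and egress only, and the configuration-guide note that Layer 2 ACLs go on the bridge-domain member ports. The sample configuration, its ACL and bridge names, and the finding codes are constructed for illustration; it assumes Layer 2 ACLs are bound with `ethernet-services access-group`.

```python
import re

# Constructed sample: the topology from the first post (Gi0/0/0/1.10 bridged
# into a bridge domain with BVI 10) plus a second member port and a second BVI.
# Addresses, bridge names and ACL names are made up for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0/1.10 l2transport
 encapsulation dot1q 10
 ethernet-services access-group l2-in ingress
!
interface GigabitEthernet0/0/0/2.10 l2transport
 encapsulation dot1q 10
!
interface BVI10
 ipv4 address 192.0.2.1 255.255.255.252
 ipv4 access-group cust-out egress
 ipv4 access-group cust-in ingress
!
interface BVI20
 ipv4 address 198.51.100.1 255.255.255.252
!
l2vpn
 bridge group BG
  bridge-domain BD10
   interface GigabitEthernet0/0/0/1.10
   !
   interface GigabitEthernet0/0/0/2.10
   !
   routed interface BVI10
  !
  bridge-domain BD20
   routed interface BVI20
  !
 !
!
"""

ACL_RE = re.compile(r"ipv4 access-group (\S+) (ingress|egress)")


def parse_interfaces(config):
    """Map each top-level interface name to its stripped child lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():   # any top-level line ends a stanza
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = []
        elif current and line.strip() not in ("", "!"):
            interfaces[current].append(line.strip())
    return interfaces


def parse_bridge_domains(config):
    """Map 'group:domain' to its routed BVI and its Layer 2 member ports."""
    domains, in_l2vpn, group, key = {}, False, None, None
    for line in config.splitlines():
        if line and not line[0].isspace():
            in_l2vpn, group, key = line.strip() == "l2vpn", None, None
            continue
        text = line.strip()
        if not in_l2vpn:
            continue
        if text.startswith("bridge group "):
            group = text.split()[2]
        elif text.startswith("bridge-domain "):
            key = f"{group}:{text.split()[1]}"
            domains[key] = {"bvi": None, "members": []}
        elif key and text.startswith("routed interface "):
            domains[key]["bvi"] = text.split()[2]
        elif key and text.startswith("interface "):
            domains[key]["members"].append(text.split()[1])
    return domains


def audit(config, version):
    """Return (bridge domain, interface, finding) tuples for review."""
    interfaces, findings = parse_interfaces(config), []
    for key, dom in parse_bridge_domains(config).items():
        bvi = dom["bvi"]
        if bvi is None:
            continue                          # pure L2 domain, no routed side
        acls = {}
        for child in interfaces.get(bvi, []):
            m = ACL_RE.match(child)
            if m:
                acls[m.group(2)] = m.group(1)
        if "ingress" in acls:                 # thread: release notes say egress only
            findings.append((key, bvi, "BVI_INGRESS_ACL"))
        if "egress" in acls and version < (4, 2, 1):
            findings.append((key, bvi, "BVI_EGRESS_ACL_PRE_4_2_1"))
        if not acls:
            findings.append((key, bvi, "BVI_NO_ACL"))
        for port in dom["members"]:           # L2 ACLs live on the member ports
            lines = interfaces.get(port, [])
            if not any(l.startswith("ethernet-services access-group ") for l in lines):
                findings.append((key, port, "L2_PORT_NO_ACL"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, (4, 2, 0)):
        print(*finding, sep="  ")
```

A finding here means "test that this ACL actually filters on this release and line card", which is how the 4.2.0 behaviour reported above was established.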



aaron1 at gvtc

Jul 19, 2012, 11:50 AM

Post #6 of 28 (1514 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Thanks Chip

Yeah, with some of this newer gear and software, it seems like Cisco is
still learning about Cisco :)

Aaron



jared at puck

Jul 19, 2012, 11:55 AM

Post #7 of 28 (1508 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

I'm still unclear why so many people want to make something built as a router do BVI. Ethernet switches aren't that expensive in my experience :)

- Jared



aaron1 at gvtc

Jul 19, 2012, 11:56 AM

Post #8 of 28 (1503 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Do you work for cisco? ...own stock?

:)

Aaron



jared at puck

Jul 19, 2012, 11:58 AM

Post #9 of 28 (1508 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Neither.

(Unless there's some through a 401k fund I'm
unaware of).

I think my point is.. If you are buying an asr9k
you can likely afford an ethernet switch vs using an
expensive router port.

- Jared


--
Jared Mauch | pgp key available via finger from jared [at] puck
clue++; | http://puck.nether.net/~jared/ My statements are only mine.


mack.mcbride at viawest

Jul 19, 2012, 12:45 PM

Post #10 of 28 (1508 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Unfortunately there are good reasons to combine switching and routing.
Otherwise you are stuck with a router on a stick configuration.
I have made my complaints about the lack of support for switching on any device that can handle a full routing table for the next five years.
Our sales guys have relayed those to the technical teams but there hasn't been any feedback or visible movement.
If cisco deploys FIB compression it might solve some of those concerns but the feedback is that the development on that has stopped or is at least not on the road map.

The ASR 9K is a great box but without decent switching support and rapid-pvst it doesn't work well in a managed services/colocation environment.
The Nexus 7K is stuck at the same place the 6500 and 7600 are routing table wise and lack of MPLS support is still a concern.
The Juniper MX series can handle switching and rapid-pvst and upwards to 4 million routes (usual division of IPv4/IPv6 applies but is dynamic)
and we are currently testing it for a replacement for the 6500/7600.

LR Mack McBride
Network Architect

-----Original Message-----
From: cisco-nsp-bounces [at] puck [mailto:cisco-nsp-bounces [at] puck] On Behalf Of Jared Mauch
Sent: Thursday, July 19, 2012 12:55 PM
To: Aaron
Cc: cisco-nsp [at] puck
Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2

I'm still unclear why so many people want to make something built as a router do BVI. Ethernet switches aren't that expensive in my experience :)

- Jared

On Jul 19, 2012, at 2:50 PM, Aaron wrote:

> Thanks Chip
>
> Yeah, with some of this newer gear and software, it seems like Cisco
> is still learning about Cisco :)
>
> Aaron
>
> -----Original Message-----
> From: chip [mailto:chip.gwyn [at] gmail]
> Sent: Thursday, July 19, 2012 12:56 PM
> To: Aaron
> Cc: Tassos Chatzithomaoglou; cisco-nsp [at] puck
> Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2
>
> Ok, so looking at the release notes. Only 4.2.1 supports acl's on BVI
> interfaces and only in the egress direction. Looks like you can
> apply it, but it may not work:
>
> http://www.cisco.com/en/US/partner/docs/routers/asr9000/software/asr9k
> _r4.2/
> general/release/notes/reln_a9k_421.html#concept_641E24E225D747C08099E2
> 0F3AFA
> A93A
>
> The router snippet I displayed was from a 4.2.0 ASR9006 with a RSP440
> and my testing indicates that the ACL*WILL* drop packets according to
> the ACL's rules.
>
> I've found that there's still a lack of clarity wrt to 9k's and XR
> within Cisco and its getting a bit frustrating.
>
> --chip
>
> On Thu, Jul 19, 2012 at 1:47 PM, Aaron <aaron1 [at] gvtc> wrote:
>> Thanks Tassos et al, But that list you just sent is in a config doc
>> for 4.2.x
>>
>> So are those bvi limitation in 4.2.x ? chip said that he thinks that
>> bvi acl is supported in 4.2.0 and my SE just told me that too. (she
>> also told me that bvi acl support in 4.2.0 requires the new line
>> cards ! ugh)
>>
>> So I'm confused with that list of bvi limitations within the 4.2.x
>> config
> doc.
>>
>> Aaron
>>
>> -----Original Message-----
>> From: Tassos Chatzithomaoglou [mailto:achatz [at] forthnetgroup]
>> Sent: Thursday, July 19, 2012 12:18 PM
>> To: cisco-nsp [at] puck
>> Cc: chip; Aaron
>> Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2
>>
>> Many things missing....
>>
>>
>>
>> http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/i
>> n
>> terfaces/configuration/guide/hc42irb.html#wp1011723
>>
>> The following areas are /not/ supported on the BVI:
>>
>> -Access Control Lists (ACLs). However, Layer 2 ACLs can be configured
>> on
> each Layer 2 port of the bridge domain.
>>
>> -IP fast reroute (FRR)
>>
>> -NetFlow
>>
>> -MoFRR
>>
>> -MPLS label switching
>>
>> -mVPNv4
>>
>> -Quality of Service (QoS)
>>
>> -Traffic mirroring
>>
>> -Unnumbered interface for BVI
>>
>> -Video monitoring (Vidmon)
>>
>>
>>
>> --
>> Tassos
>>
>> chip wrote on 19/7/2012 19:45:
>>> interface BVI101
>>> description cust-bgp-1 vlan 101
>>> ipv4 address x.x.x.x 255.255.255.252
>>> ipv4 access-group cust-bgp-1-out-acl egress
>>>
>>> This is gained support in 4.2.0 I think.
>>>
>>> --chip
>>>
>>> On Thu, Jul 19, 2012 at 12:39 PM, Aaron <aaron1 [at] gvtc> wrote:
>>>> Are acl's supported on BVI's ?
>>>>
>>>> I have a phy int g0/0/0/1 with a flow point (sub int) g0/0/0/1.10
>>>> l2transport config'd and put into l2vpn bg:bd with a routed int
>>>> inside that bg:bd as bvi 10
>>>>
>>>>
>>>>
>>>> I would think that the appropriate location to place an ipv4
>>>> access-list would be on the L3 interface , that being the bvi. But
>>>> I don't see the command "ipv4 access-list" under the bvi.
>>>>
>>>>
>>>>
>>>> What am I missing here ?
>>>>
>>>>
>>>>
>>>> Aaron
>
> --
> Just my $.02, your mileage may vary, batteries not included, etc....


adam.vitkovsky at swan

Jul 20, 2012, 12:23 AM

Post #11 of 28 (1483 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

>Unfortunately there are good reasons to combine switching and routing.
>Otherwise you are stuck with a router on a stick configuration.

I believe A9Ks were not meant to be access layer devices (the ports are
way too expensive) so you'd have at least an access layer infrastructure
doing .1q, QinQ towards the A9Ks, then from there you can start the L2/L3-VPN
magic


adam

-----Original Message-----
From: cisco-nsp-bounces [at] puck
[mailto:cisco-nsp-bounces [at] puck] On Behalf Of Mack McBride
Sent: Thursday, July 19, 2012 9:46 PM
To: Jared Mauch; Aaron
Cc: cisco-nsp [at] puck
Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2

I have made my complaints about the lack of support for switching on any
device that can handle a full routing table for the next five years.
Our sales guys have relayed those to the technical teams but there hasn't
been any feedback or visible movement.
If cisco deploys FIB compression it might solve some of those concerns but
the feedback is that the development on that has stopped or is at least not
on the road map.

The ASR 9K is a great box but without decent switching support and
rapid-pvst it doesn't work well in a managed services/colocation
environment.
The Nexus 7K is stuck at the same place the 6500 and 7600 are routing table
wise and lack of MPLS support is still a concern.
The Juniper MX series can handle switching and rapid-pvst and upwards to 4
million routes (usual division of IPv4/IPv6 applies but is dynamic) and we
are currently testing it for a replacement for the 6500/7600.

LR Mack McBride
Network Architect

-----Original Message-----
From: cisco-nsp-bounces [at] puck
[mailto:cisco-nsp-bounces [at] puck] On Behalf Of Jared Mauch
Sent: Thursday, July 19, 2012 12:55 PM
To: Aaron
Cc: cisco-nsp [at] puck
Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2

I'm still unclear why so many people want to make something built as a
router do BVI. Ethernet switches aren't that expensive in my experience :)

- Jared

On Jul 19, 2012, at 2:50 PM, Aaron wrote:

> Thanks Chip
>
> Yeah, with some of this newer gear and software, it seems like Cisco
> is still learning about Cisco :)
>
> Aaron
>
> -----Original Message-----
> From: chip [mailto:chip.gwyn [at] gmail]
> Sent: Thursday, July 19, 2012 12:56 PM
> To: Aaron
> Cc: Tassos Chatzithomaoglou; cisco-nsp [at] puck
> Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2
>
> Ok, so looking at the release notes. Only 4.2.1 supports acl's on BVI
> interfaces and only in the egress direction. Looks like you can
> apply it, but it may not work:
>
> http://www.cisco.com/en/US/partner/docs/routers/asr9000/software/asr9k_r4.2/general/release/notes/reln_a9k_421.html#concept_641E24E225D747C08099E20F3AFAA93A
>
> The router snippet I displayed was from a 4.2.0 ASR9006 with a RSP440
> and my testing indicates that the ACL *WILL* drop packets according to
> the ACL's rules.
>
> I've found that there's still a lack of clarity wrt to 9k's and XR
> within Cisco and it's getting a bit frustrating.
>
> --chip
>
> On Thu, Jul 19, 2012 at 1:47 PM, Aaron <aaron1 [at] gvtc> wrote:
>> Thanks Tassos et al, But that list you just sent is in a config doc
>> for 4.2.x
>>
>> So are those bvi limitation in 4.2.x ? chip said that he thinks that
>> bvi acl is supported in 4.2.0 and my SE just told me that too. (she
>> also told me that bvi acl support in 4.2.0 requires the new line
>> cards ! ugh)
>>
>> So I'm confused with that list of bvi limitations within the 4.2.x
>> config doc.
>>
>> Aaron
>>
>> -----Original Message-----
>> From: Tassos Chatzithomaoglou [mailto:achatz [at] forthnetgroup]
>> Sent: Thursday, July 19, 2012 12:18 PM
>> To: cisco-nsp [at] puck
>> Cc: chip; Aaron
>> Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2
>>
>> Many things missing....
>>
>>
>>
>> http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/interfaces/configuration/guide/hc42irb.html#wp1011723
>>
>> The following areas are /not/ supported on the BVI:
>>
>> -Access Control Lists (ACLs). However, Layer 2 ACLs can be configured
>> on each Layer 2 port of the bridge domain.
>>
>> -IP fast reroute (FRR)
>>
>> -NetFlow
>>
>> -MoFRR
>>
>> -MPLS label switching
>>
>> -mVPNv4
>>
>> -Quality of Service (QoS)
>>
>> -Traffic mirroring
>>
>> -Unnumbered interface for BVI
>>
>> -Video monitoring (Vidmon)
>>
>>
>>
>> --
>> Tassos
>>
>> chip wrote on 19/7/2012 19:45:
>>> interface BVI101
>>> description cust-bgp-1 vlan 101
>>> ipv4 address x.x.x.x 255.255.255.252
>>> ipv4 access-group cust-bgp-1-out-acl egress
>>>
>>> This is gained support in 4.2.0 I think.
>>>
>>> --chip
>>>
>>> On Thu, Jul 19, 2012 at 12:39 PM, Aaron <aaron1 [at] gvtc> wrote:
>>>> Are acl's supported on BVI's ?
>>>>
>>>> I have a phy int g0/0/0/1 with a flow point (sub int) g0/0/0/1.10
>>>> l2transport config'd and put into l2vpn bg:bd with a routed int
>>>> inside that bg:bd as bvi 10
>>>>
>>>>
>>>>
>>>> I would think that the appropriate location to place an ipv4
>>>> access-list would be on the L3 interface , that being the bvi. But
>>>> I don't see the command "ipv4 access-list" under the bvi.
>>>>
>>>>
>>>>
>>>> What am I missing here ?
>>>>
>>>>
>>>>
>>>> Aaron
>
> --
> Just my $.02, your mileage may vary, batteries not included, etc....


achatz at forthnetgroup

Jul 20, 2012, 2:26 AM

Post #12 of 28 (1477 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

That's exactly what we also did.
MPLS & ACLs work fine with IRB on MX, so we switched to them.
Probably the new ASR9k RSP/LCs (will) support it, but they are way too expensive to proceed with a replacement.

--
Tassos

Mack McBride wrote on 19/07/2012 22:45:
> Unfortunately there are good reasons to combine switching and routing.
> Otherwise you are stuck with a router on a stick configuration.
> I have made my complaints about the lack of support for switching on any device that can handle a full routing table for the next five years.
> Our sales guys have relayed those to the technical teams but there hasn't been any feedback or visible movement.
> If cisco deploys FIB compression it might solve some of those concerns but the feedback is that the development on that has stopped or is at least not on the road map.
>
> The ASR 9K is a great box but without decent switching support and rapid-pvst it doesn't work well in a managed services/colocation environment.
> The Nexus 7K is stuck at the same place the 6500 and 7600 are routing table wise and lack of MPLS support is still a concern.
> The Juniper MX series can handle switching and rapid-pvst and upwards to 4 million routes (usual division of IPv4/IPv6 applies but is dynamic)
> and we are currently testing it for a replacement for the 6500/7600.
>
> LR Mack McBride
> Network Architect
>
> -----Original Message-----
> From: cisco-nsp-bounces [at] puck [mailto:cisco-nsp-bounces [at] puck] On Behalf Of Jared Mauch
> Sent: Thursday, July 19, 2012 12:55 PM
> To: Aaron
> Cc: cisco-nsp [at] puck
> Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2
>
> I'm still unclear why so many people want to make something built as a router do BVI. Ethernet switches aren't that expensive in my experience :)
>
> - Jared
>
> On Jul 19, 2012, at 2:50 PM, Aaron wrote:
>
>> Thanks Chip
>>
>> Yeah, with some of this newer gear and software, it seems like Cisco
>> is still learning about Cisco :)
>>
>> Aaron
>>
>> -----Original Message-----
>> From: chip [mailto:chip.gwyn [at] gmail]
>> Sent: Thursday, July 19, 2012 12:56 PM
>> To: Aaron
>> Cc: Tassos Chatzithomaoglou; cisco-nsp [at] puck
>> Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2
>>
>> Ok, so looking at the release notes. Only 4.2.1 supports acl's on BVI
>> interfaces and only in the egress direction. Looks like you can
>> apply it, but it may not work:
>>
>> http://www.cisco.com/en/US/partner/docs/routers/asr9000/software/asr9k_r4.2/general/release/notes/reln_a9k_421.html#concept_641E24E225D747C08099E20F3AFAA93A
>>
>> The router snippet I displayed was from a 4.2.0 ASR9006 with a RSP440
>> and my testing indicates that the ACL *WILL* drop packets according to
>> the ACL's rules.
>>
>> I've found that there's still a lack of clarity wrt to 9k's and XR
>> within Cisco and it's getting a bit frustrating.
>>
>> --chip
>>
>> On Thu, Jul 19, 2012 at 1:47 PM, Aaron <aaron1 [at] gvtc> wrote:
>>> Thanks Tassos et al, But that list you just sent is in a config doc
>>> for 4.2.x
>>>
>>> So are those bvi limitation in 4.2.x ? chip said that he thinks that
>>> bvi acl is supported in 4.2.0 and my SE just told me that too. (she
>>> also told me that bvi acl support in 4.2.0 requires the new line
>>> cards ! ugh)
>>>
>>> So I'm confused with that list of bvi limitations within the 4.2.x
>>> config doc.
>>>
>>> Aaron
>>>
>>> -----Original Message-----
>>> From: Tassos Chatzithomaoglou [mailto:achatz [at] forthnetgroup]
>>> Sent: Thursday, July 19, 2012 12:18 PM
>>> To: cisco-nsp [at] puck
>>> Cc: chip; Aaron
>>> Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2
>>>
>>> Many things missing....
>>>
>>>
>>>
>>> http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/interfaces/configuration/guide/hc42irb.html#wp1011723
>>>
>>> The following areas are /not/ supported on the BVI:
>>>
>>> -Access Control Lists (ACLs). However, Layer 2 ACLs can be configured
>>> on each Layer 2 port of the bridge domain.
>>>
>>> -IP fast reroute (FRR)
>>>
>>> -NetFlow
>>>
>>> -MoFRR
>>>
>>> -MPLS label switching
>>>
>>> -mVPNv4
>>>
>>> -Quality of Service (QoS)
>>>
>>> -Traffic mirroring
>>>
>>> -Unnumbered interface for BVI
>>>
>>> -Video monitoring (Vidmon)
>>>
>>>
>>>
>>> --
>>> Tassos
>>>
>>> chip wrote on 19/7/2012 19:45:
>>>> interface BVI101
>>>> description cust-bgp-1 vlan 101
>>>> ipv4 address x.x.x.x 255.255.255.252
>>>> ipv4 access-group cust-bgp-1-out-acl egress
>>>>
>>>> This is gained support in 4.2.0 I think.
>>>>
>>>> --chip
>>>>
>>>> On Thu, Jul 19, 2012 at 12:39 PM, Aaron <aaron1 [at] gvtc> wrote:
>>>>> Are acl's supported on BVI's ?
>>>>>
>>>>> I have a phy int g0/0/0/1 with a flow point (sub int) g0/0/0/1.10
>>>>> l2transport config'd and put into l2vpn bg:bd with a routed int
>>>>> inside that bg:bd as bvi 10
>>>>>
>>>>>
>>>>>
>>>>> I would think that the appropriate location to place an ipv4
>>>>> access-list would be on the L3 interface , that being the bvi. But
>>>>> I don't see the command "ipv4 access-list" under the bvi.
>>>>>
>>>>>
>>>>>
>>>>> What am I missing here ?
>>>>>
>>>>>
>>>>>
>>>>> Aaron
>>
>> --
>> Just my $.02, your mileage may vary, batteries not included, etc....


gert at greenie

Jul 20, 2012, 4:08 AM

Post #13 of 28 (1485 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Hi,

On Thu, Jul 19, 2012 at 02:58:58PM -0400, Jared Mauch wrote:
> I think my point is.. If you are buying an asr9k
> you can likely afford an ethernet switch vs using an
> expensive router port.

Sometimes BVI are the poor man's multi-chassis etherchannel to
get redundant links to downstream switches...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert [at] greenie
fax: +49-89-35655025 gert [at] net


aledm at qix

Jul 20, 2012, 4:12 AM

Post #14 of 28 (1486 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

On 20 July 2012 12:08, Gert Doering <gert [at] greenie> wrote:

>
> Sometimes BVI are the poor man's multi-chassis etherchannel to
> get redundant links to downstream switches...
>
>
Yes indeed.

It is equally frustrating that neither HSRP nor VRRP are supported on
ASR1k/IOS-XE BDI interfaces.

Aled


lukasz at bromirski

Jul 21, 2012, 8:27 AM

Post #15 of 28 (1459 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

On 7/19/12 9:45 PM, Mack McBride wrote:

> If cisco deploys FIB compression it might solve some of those
> concerns but the feedback is that the development on that has stopped
> or is at least not on the road map.

Why? FIB compression is bad. For convergence, for scalability, for
anything other than synthetic testing. Some competitors learned this
in a hard way, customers also.

> The ASR 9K is a great box but without decent switching support and
> rapid-pvst it doesn't work well in a managed services/colocation
> environment.

"decent switching support" means...?

ASR 9k supports MST which uses the RSTP. You can also do multi-chassis
LAG for redundancy if needed to external boxes.

> The Nexus 7K is stuck at the same place the 6500 and 7600 are
> routing table wise and lack of MPLS support is still a concern.

7k offers MPLS support:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/mpls/configuration/guide/mp_mpls_overview.html

In terms of FIB size, what is the size you need?

> The Juniper MX series can handle switching and rapid-pvst and upwards to 4 million routes (usual division of IPv4/IPv6 applies but is dynamic)
> and we are currently testing it for a replacement for the 6500/7600.

Good luck.

--
"There's no sense in being precise when | Łukasz Bromirski
you don't know what you're talking | jid:lbromirski [at] jabber
about." John von Neumann | http://lukasz.bromirski.net


lukasz at bromirski

Jul 22, 2012, 3:20 PM

Post #16 of 28 (1441 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

On 7/20/12 1:08 PM, Gert Doering wrote:

> On Thu, Jul 19, 2012 at 02:58:58PM -0400, Jared Mauch wrote:
>> I think my point is.. If you are buying an asr9k
>> you can likely afford an ethernet switch vs using an
>> expensive router port.
> Sometimes BVI are the poor man's multi-chassis etherchannel to
> get redundant links to downstream switches...

On ASR9k you can configure MC-LAG, which is present for that kind of
scenarios, and you don't need to use BVI to build some tricky
workarounds.

--
"There's no sense in being precise when | Łukasz Bromirski
you don't know what you're talking | jid:lbromirski [at] jabber
about." John von Neumann | http://lukasz.bromirski.net


gert at greenie

Jul 22, 2012, 11:52 PM

Post #17 of 28 (1425 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Hi,

On Mon, Jul 23, 2012 at 12:20:37AM +0200, Łukasz Bromirski wrote:
> On 7/20/12 1:08 PM, Gert Doering wrote:
>
> >On Thu, Jul 19, 2012 at 02:58:58PM -0400, Jared Mauch wrote:
> >> I think my point is.. If you are buying an asr9k
> >>you can likely afford an ethernet switch vs using an
> >>expensive router port.
> >Sometimes BVI are the poor man's multi-chassis etherchannel to
> >get redundant links to downstream switches...
>
> On ASR9k you can configure MC-LAG, which is present for that kind of
> scenarios, and you don't need to use BVI to build some tricky
> workarounds.

Maybe I do not understand what MC-LAG does, but I'm not sure how it would
help here?

The scenario described is "one router, two different switches, both
switches are standalone and have no multi-chassis capabilities". So you
can do BVI on the router, some sort of "backup interface", or...?

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert [at] greenie
fax: +49-89-35655025 gert [at] net


adam.vitkovsky at swan

Jul 23, 2012, 1:14 AM

Post #18 of 28 (1428 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

>"one router, two different switches, both switches are standalone and have
no multi-chassis capabilities".
If there's the same VLAN running of the two switches you could terminate it
on two separate L3 sub-interfaces on the ASR9K /breaking the VLAN subnet in
two -losing 4 addresses
Or instead of the BVI you could use a PW to aggregate the L2 traffic from
the disjoint VLAN and terminate the PW at ASR9K running L3 for the
aggregation ring
Or you can use the already mentioned L2 switch to aggregate the VLANS from
the two switches and connect it via trunk to ASR9K

adam

-----Original Message-----
From: cisco-nsp-bounces [at] puck
[mailto:cisco-nsp-bounces [at] puck] On Behalf Of Gert Doering
Sent: Monday, July 23, 2012 8:53 AM
To: Łukasz Bromirski
Cc: cisco-nsp [at] puck
Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2

Hi,

On Mon, Jul 23, 2012 at 12:20:37AM +0200, Łukasz Bromirski wrote:
> On 7/20/12 1:08 PM, Gert Doering wrote:
>
> >On Thu, Jul 19, 2012 at 02:58:58PM -0400, Jared Mauch wrote:
> >> I think my point is.. If you are buying an asr9k you can likely
> >>afford an ethernet switch vs using an expensive router port.
> >Sometimes BVI are the poor man's multi-chassis etherchannel to get
> >redundant links to downstream switches...
>
> On ASR9k you can configure MC-LAG, which is present for that kind of
> scenarios, and you don't need to use BVI to build some tricky
> workarounds.

Maybe I do not understand what MC-LAG does, but I'm not sure how it would
help here?

The scenario described is "one router, two different switches, both switches
are standalone and have no multi-chassis capabilities". So you can do BVI
on the router, some sort of "backup interface", or...?

gert
--
USENET is *not* the non-clickable part of WWW!

//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert [at] greenie
fax: +49-89-35655025
gert [at] net



peter at rathlev

Jul 23, 2012, 1:43 AM

Post #19 of 28 (1424 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

On Mon, 2012-07-23 at 10:14 +0200, adam vitkovsky wrote:
> > one router, two different switches, both switches are standalone and have
> > no multi-chassis capabilities.
>
> If there's the same VLAN running of the two switches you could
> terminate it on two separate L3 sub-interfaces on the ASR9K /breaking
> the VLAN subnet in two -losing 4 addresses
> Or instead of the BVI you could use a PW to aggregate the L2 traffic
> from the disjoint VLAN and terminate the PW at ASR9K running L3 for
> the aggregation ring
> Or you can use the already mentioned L2 switch to aggregate the VLANS
> from the two switches and connect it via trunk to ASR9K

This is the scenario:

+----------+
| Router |
+----------+
| |
+----------+ +----------+
| Switch 1 | | Switch 2 |
+----------+ +----------+

Suggestion 1, using two different subinterfaces and 2 networks, would
exclude connecting to the same VLAN (not just ID) on the other side.
Imagine the two switches running e.g. HSRP on a SVI.

Suggestion 2 does not fall into the category "simple solution". And I
fail to see how it introduces redundancy for the ASR9k, but that's
probably because I'm not familiar with that way of doing it.

Suggestion 3 does not introduce redundancy for the ASR9k.

Summa summarum: There's no simple way to do it other than BVI. One might
say that this kind of redundancy is irrelevant for a router of that
size, but that's beside the point here.

--
Peter




tim at haitabu

Jul 23, 2012, 2:15 AM

Post #20 of 28 (1426 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

On 19.07.2012 6:39 PM, Aaron wrote:
> Are acl's supported on BVI's ?
>
> I have a phy int g0/0/0/1 with a flow point (sub int) g0/0/0/1.10
> l2transport config'd and put into l2vpn bg:bd with a routed int inside that
> bg:bd as bvi 10
>
>
>
> I would think that the appropriate location to place an ipv4 access-list
> would be on the L3 interface , that being the bvi. But I don't see the
> command "ipv4 access-list" under the bvi.

We have a case where two physical interfaces are in a local l2-vpn,
there you can put the ipv4 access-list on the physical interface:

interface GigabitEthernet0/0/0/2
 l2transport
 ipv4 access-group foo-out egress
!
interface GigabitEthernet0/0/0/3
 l2transport
 ipv4 access-group foo-out egress
!
interface BVI1
 ipv4 address 192.0.2.1/28
!
l2vpn
 bridge group EDFA
  bridge-domain EDFA
   interface GigabitEthernet0/0/0/2
   interface GigabitEthernet0/0/0/3
  !
 !
!
(ASR 9006, IOS XR 4.1.1)

Not intuitive, but works.

In your scenario you can try to put the access-list under int g0/0/0/1.10.


HTH,
Tim
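
An added example, not part of Tim's post and not Cisco tooling: a Python audit of an indented IOS XR running-config that, for each bridge-domain with a routed BVI, flags ACLs attached to the BVI (reported in this thread as release- and direction-dependent) unless you have verified them by testing, and flags bridge ports that carry no `ipv4 access-group`. The sample config, its ACL names, the finding labels and the `bvi_acl_enforced` parameter are constructed assumptions.

```python
import re

# Constructed sample (not taken from any router in the thread): indented
# IOS XR style config with two bridge-domains, each with a routed BVI.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0/2
 l2transport
 ipv4 access-group foo-out egress
!
interface GigabitEthernet0/0/0/3
 l2transport
!
interface GigabitEthernet0/0/0/1.10 l2transport
 encapsulation dot1q 10
!
interface BVI1
 ipv4 address 192.0.2.1/28
!
interface BVI10
 ipv4 address 198.51.100.1/28
 ipv4 access-group cust-in ingress
!
l2vpn
 bridge group EDFA
  bridge-domain EDFA
   interface GigabitEthernet0/0/0/2
   !
   interface GigabitEthernet0/0/0/3
   !
   routed interface BVI1
  !
  bridge-domain CUST
   interface GigabitEthernet0/0/0/1.10
   !
   routed interface BVI10
  !
 !
!
"""

ACL_RE = re.compile(r"^\s*ipv4 access-group (\S+) (ingress|egress)\b")


def parse(config):
    """Return (acls, domains) from indented running-config text.

    acls:    interface name -> {direction: ACL name}
    domains: bridge-domain name -> {"members": [ports], "bvi": name or None}
    """
    acls, domains = {}, {}
    current_if, in_l2vpn, domain = None, False, None
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "!":
            continue
        if not line[0].isspace():  # a new top-level stanza starts here
            current_if, in_l2vpn, domain = None, stripped == "l2vpn", None
            if stripped.startswith("interface "):
                current_if = stripped.split()[1]
                acls.setdefault(current_if, {})
            continue
        words = stripped.split()
        if current_if:
            match = ACL_RE.match(line)
            if match:
                acls[current_if][match.group(2)] = match.group(1)
        elif in_l2vpn:
            if words[0] == "bridge-domain":
                domain = domains.setdefault(words[1], {"members": [], "bvi": None})
            elif domain is not None and words[:2] == ["routed", "interface"]:
                domain["bvi"] = words[2]
            elif domain is not None and words[0] == "interface":
                domain["members"].append(words[1])
    return acls, domains


def audit(config, bvi_acl_enforced=frozenset()):
    """List (bridge-domain, interface, finding) tuples.

    bvi_acl_enforced (assumed parameter): ACL directions you have confirmed,
    by testing on your release and line cards, are enforced on a BVI.
    An ACL that is merely accepted by the parser is not counted as a filter.
    """
    acls, domains = parse(config)
    findings = []
    for name, dom in sorted(domains.items()):
        bvi = dom["bvi"]
        if bvi is None:
            continue  # pure L2 bridge-domain, outside this check
        bvi_acls = acls.get(bvi, {})
        trusted = [d for d in bvi_acls if d in bvi_acl_enforced]
        for direction in sorted(bvi_acls):
            if direction not in bvi_acl_enforced:
                findings.append((name, bvi, "bvi-acl-unverified"))
        if not trusted:
            # Fall back to the approach in the post above: every bridge
            # port must carry its own ipv4 access-group.
            for member in dom["members"]:
                if not acls.get(member):
                    findings.append((name, member, "port-unfiltered"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```

The parser relies on the indentation that `show running-config` produces, so a config pasted with its leading whitespace stripped has to be re-indented before it is checked.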


gert at greenie

Jul 23, 2012, 2:19 AM

Post #21 of 28 (1427 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Hi,

On Mon, Jul 23, 2012 at 10:14:10AM +0200, adam vitkovsky wrote:
> >"one router, two different switches, both switches are standalone and have
> no multi-chassis capabilities".
> If there's the same VLAN running of the two switches you could terminate it
> on two separate L3 sub-interfaces on the ASR9K /breaking the VLAN subnet in
> two -losing 4 addresses

Which give you twice the amount of single-point-of-failure, instead of
the desired goal: redundant links to the same L2 network.

> Or instead of the BVI you could use a PW to aggregate the L2 traffic from
> the disjoint VLAN and terminate the PW at ASR9K running L3 for the
> aggregation ring

I'm not sure I understand that, but it doesn't sound any simpler than
a BVI... (but as long as VPLS is mentioned, it must be great)

> Or you can use the already mentioned L2 switch to aggregate the VLANS from
> the two switches and connect it via trunk to ASR9K

There's no "single L2 switch". Which is the point of the exercise.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert [at] greenie
fax: +49-89-35655025 gert [at] net


adam.vitkovsky at swan

Jul 23, 2012, 5:45 AM

Post #22 of 28 (1420 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Yes I admit solution #1 is bad
And I also see that there's really no simple solution to replace BVI

> Suggestion 3 does not introduce redundancy for the ASR9k

Well in your picture there's only one ASR9k so if that one fails then it's game over anyways
and yes I understand that putting additional SW (an active device for that matter) in front of the ASR9k would increase the overall probability of failure

If there are two ASR9Ks then each would have to have an aggregation SW in front of it (aggregation SW would be inter-connected back to back and connected via trunk to ASR9k running L3 EFP per VLAN)
Then each switch from your picture would be connected to both of these aggregation switches


adam
-----Original Message-----
From: Peter Rathlev [mailto:peter [at] rathlev]
Sent: Monday, July 23, 2012 10:43 AM
To: adam vitkovsky
Cc: cisco-nsp [at] puck
Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2

On Mon, 2012-07-23 at 10:14 +0200, adam vitkovsky wrote:
> > one router, two different switches, both switches are standalone and
> > have no multi-chassis capabilities.
>
> If there's the same VLAN running of the two switches you could
> terminate it on two separate L3 sub-interfaces on the ASR9K /breaking
> the VLAN subnet in two -losing 4 addresses Or instead of the BVI you
> could use a PW to aggregate the L2 traffic from the disjoint VLAN and
> terminate the PW at ASR9K running L3 for the aggregation ring Or you
> can use the already mentioned L2 switch to aggregate the VLANS from
> the two switches and connect it via trunk to ASR9K

This is the scenario:

+----------+
| Router |
+----------+
| |
+----------+ +----------+
| Switch 1 | | Switch 2 |
+----------+ +----------+

Suggestion 1, using two different subinterfaces and 2 networks, would exclude connecting to the same VLAN (not just ID) on the other side.
Imagine the two switches running e.g. HSRP on a SVI.

Suggestion 2 does not fall into the category "simple solution". And I fail to see how it introduces redundancy for the ASR9k, but that's probably because I'm not familiar with that way of doing it.

Suggestion 3 does not introduce redundancy for the ASR9k.

Summa summarum: There's no simple way to do it other than BVI. One might say that this kind of redundancy is irrelevant for a router of that size, but that's beside the point here.

--
Peter






aaron1 at gvtc

Jul 23, 2012, 6:16 AM

Post #23 of 28 (1422 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Hi Tim, et al, why don't you have your bvi1 listed as a routed interface
within that bg:bd ?

l2vpn
bridge group EDFA
bridge-domain EDFA
? interface BVI1 ?

Also, have you tested real traffic via those foo-out egress acls on those l2
interfaces? I tried that the other day on my gig0/0/0/1.10 and I don't
recall them working. Am I the only one that thinks it's strange to add
layer 3 packet filter acl's to a layer 2 transport/bridging interface?

Aaron

-----Original Message-----
From: cisco-nsp-bounces [at] puck
[mailto:cisco-nsp-bounces [at] puck] On Behalf Of tim
Sent: Monday, July 23, 2012 4:15 AM
To: cisco-nsp [at] puck
Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2

On 19.07.2012 6:39 PM, Aaron wrote:
> Are acl's supported on BVI's ?
>
> I have a phy int g0/0/0/1 with a flow point (sub int) g0/0/0/1.10
> l2transport config'd and put into l2vpn bg:bd with a routed int inside
> that bg:bd as bvi 10
>
>
>
> I would think that the appropriate location to place an ipv4
> access-list would be on the L3 interface , that being the bvi. But I
> don't see the command "ipv4 access-list" under the bvi.

We have a case where two physical interfaces are in a local l2-vpn, there
you can put the ipv4 access-list on the physical interface:

interface GigabitEthernet0/0/0/2
 l2transport
 ipv4 access-group foo-out egress
!
interface GigabitEthernet0/0/0/3
 l2transport
 ipv4 access-group foo-out egress
!
interface BVI1
 ipv4 address 192.0.2.1/28
!
l2vpn
 bridge group EDFA
  bridge-domain EDFA
   interface GigabitEthernet0/0/0/2
   interface GigabitEthernet0/0/0/3
  !
 !
!
(ASR 9006, IOS XR 4.1.1)

Not intuitive, but works.

In your scenario you can try to put the access-list under int g0/0/0/1.10.


HTH,
Tim


adam.vitkovsky at swan

Jul 23, 2012, 6:43 AM

Post #24 of 28 (1418 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Regarding my second suggestion,
It's certainly more complex than BVI
It's used in metro aggregation rings running MPLS
On ring-access boxes you can bridge the traffic from ports in bridge-domain
into PWs running to ring-aggregation boxes where the PWs are terminated -on
these you can bridge the PWs traffic into qinq/802.1ad/(802.1ah) trunks
running to L3 boxes (PEs)

I'm also missing a virtual outgoing interface on which I could terminate the
L2 PW and bridge the traffic from this virtual interface onto a L3 interface
all on a single box


adam
-----Original Message-----
From: Gert Doering [mailto:gert [at] greenie]
Sent: Monday, July 23, 2012 11:20 AM
To: adam vitkovsky
Cc: 'Gert Doering'; 'Łukasz Bromirski'; cisco-nsp [at] puck
Subject: Re: [c-nsp] acl on bvi in ios xr (9k) 4.1.2

Hi,

On Mon, Jul 23, 2012 at 10:14:10AM +0200, adam vitkovsky wrote:
> >"one router, two different switches, both switches are standalone and have
> >no multi-chassis capabilities".
> If there's the same VLAN running of the two switches you could
> terminate it on two separate L3 sub-interfaces on the ASR9K /breaking
> the VLAN subnet in two -losing 4 addresses

Which give you twice the amount of single-point-of-failure, instead of the
desired goal: redundant links to the same L2 network.

> Or instead of the BVI you could use a PW to aggregate the L2 traffic
> from the disjoint VLAN and terminate the PW at ASR9K running L3 for
> the aggregation ring

I'm not sure I understand that, but it doesn't sound any simpler than a
BVI... (but as long as VPLS is mentioned, it must be great)

> Or you can use the already mentioned L2 switch to aggregate the VLANS
> from the two switches and connect it via trunk to ASR9K

There's no "single L2 switch". Which is the point of the exercise.

gert

--
USENET is *not* the non-clickable part of WWW!

//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert [at] greenie
fax: +49-89-35655025
gert [at] net



tim at haitabu

Jul 23, 2012, 6:58 AM

Post #25 of 28 (1423 views)
Permalink
Re: acl on bvi in ios xr (9k) 4.1.2 [In reply to]

Hi Aaron,

On 23.07.2012 3:16 PM, Aaron wrote:
> Hi Tim, et al, why don't you have your bvi1 listed as a routed interface
> within that bg:bd ?
>
> l2vpn
> bridge group EDFA
> bridge-domain EDFA
> ? interface BVI1 ?

Sorry, copy and paste error. Of course, the bvi1 interface is also in
the bridge-domain as "routed interface BVI1".

l2vpn
 bridge group EDFA
  bridge-domain EDFA
   interface GigabitEthernet0/0/0/2
   !
   interface GigabitEthernet0/0/0/3
   !
   routed interface BVI1
   !
  !
 !

> Also, have you tested real traffic via those foo-out egress acls on those l2
> interfaces?

Yes, it works. (But we have this setup only for management networks,
therefore I cannot say if there are strange caveats)

> I tried that the other day on my gig0/0/0/1.10 and I don't
> recall them working. Am I the only one that thinks it's strange to add
> layer 3 packet filter acl's to a layer 2 transport/bridging interface?

I think that is strange, too, but it works...

-tim
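
Added example, not part of the thread or of any poster's code: when the ACL has to sit on the l2transport members instead of the BVI, as in the workaround above, every member of the bridge-domain needs it, and this Python check lists members that lack an egress ACL. It assumes the l2vpn section follows the interface stanzas; the sample config is constructed from the thread's names, with one ACL deliberately omitted.

```python
import re

# Constructed sample modelled on the config quoted in the thread (interface,
# ACL and bridge-domain names are the thread's); Gi0/0/0/3 is deliberately
# left without the ACL so the audit has something to report.
SAMPLE = """\
interface GigabitEthernet0/0/0/2
 l2transport
 ipv4 access-group foo-out egress
!
interface GigabitEthernet0/0/0/3
 l2transport
!
interface BVI1
 ipv4 address 192.0.2.1/28
!
l2vpn
 bridge group EDFA
  bridge-domain EDFA
   interface GigabitEthernet0/0/0/2
   interface GigabitEthernet0/0/0/3
   routed interface BVI1
"""

ACL_RE = re.compile(r"ipv4 access-group (\S+) (ingress|egress)")

def audit(config):
    """Return {bridge-domain: report}; 'unfiltered' lists members with no egress ACL."""
    acls, domains = {}, {}   # interface -> {direction: acl name}; bd name -> report
    in_l2vpn, cur_if, cur_bd = False, None, None
    # Lines are stripped, so configs that lost their indentation parse too.
    for line in (l.strip() for l in config.splitlines()):
        if line == "l2vpn":
            in_l2vpn, cur_if = True, None
        elif in_l2vpn and line.startswith("bridge-domain "):
            cur_bd = domains.setdefault(line.split()[1], {"bvi": None, "members": []})
        elif in_l2vpn and cur_bd is not None and line.startswith("routed interface "):
            cur_bd["bvi"] = line.split()[2]
        elif in_l2vpn and cur_bd is not None and line.startswith("interface "):
            cur_bd["members"].append(line.split()[1])
        elif not in_l2vpn and line.startswith("interface "):
            cur_if = line.split()[1]
            acls[cur_if] = {}
        elif not in_l2vpn and cur_if and (m := ACL_RE.match(line)):
            acls[cur_if][m.group(2)] = m.group(1)
    for bd in domains.values():
        bd["bvi_egress_acl"] = acls.get(bd["bvi"], {}).get("egress")
        bd["unfiltered"] = [i for i in bd["members"] if "egress" not in acls.get(i, {})]
    return domains
```
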
