Posted on December 3, 2015 5:52 pm
 |  Asked by Roger Wilco
 |  2011 views
RESOLVED

I was attempting to configure ACLs and apply an access-group to an interface, and attempting to
stt-

Posted by Roger Wilco
Answered on December 3, 2015 5:59 pm

Bah! I hate this split key keyboard. Long story short, I can create an access-group in the control-plane submenu, but it won't apply at the interface level. Is there a command (like forcing VXLAN to use HER), or am I just SOL?

You cannot use hardware ACLs (ip access-list, ip access-group) in vEOS.

For your VXLAN question, you may use either the multicast control plane:
!
interface Vxlan1
vxlan multicast-group 239.1.2.3
!

…or HER, by removing the vxlan multicast-group and instead configuring unicast replication (Head-End Replication, HER):
!
interface Vxlan1
vxlan flood vtep 2.2.2.2 3.3.3.3
!

The above specifies the VTEPs you want to flood BUM traffic to (Broadcast/Unknown Unicast/Multicast). You may also configure the flooding per VLAN/VNI for traffic optimization (albeit heavier manual config):

!
interface Vxlan1
vxlan vlan 100 flood vtep 2.2.2.2
vxlan vlan 200 flood vtep 3.3.3.3
!

Alternatively, for automated flood-list management (no manual config) and pre-provisioned MAC tables, you could use CloudVision eXchange (CVX), with a CVX instance and the following commands on your VTEP:

!
interface Vxlan1
vxlan controller-client
!
management cvx
no shutdown
server host
!

CVX, VXLAN and HER work within vEOS.

Regards,

(Alexis Dacquay at December 3, 2015 8:52 pm)
Posted by Alexis Dacquay
Answered on December 3, 2015 8:43 pm

Hi,

vEOS does not have a hardware dataplane; the bridging and routing capabilities are emulated in software. All the software features of EOS are present as-is and work, but anything relying on physical hardware, such as writing forwarding rules into hardware tables (e.g. TCAM), cannot be done, except those explicitly emulated such as bridging, routing and VXLAN.

For example, IP ACL, NAT, DirectFlow, LANZ (queue-monitor) and "platform" commands (network processor show and config commands) would not be available on vEOS.

vEOS-lab(config)#ip access-list TEST
vEOS-lab(config-acl-TEST)#permit ip any any
vEOS-lab(config-acl-TEST)#end
! Hardware not present. ACL(s) not programmed in the hardware.

The above illustrates that commands leading to the programming of rules into hardware tables would not work.

Regards,

Posted by Nahid Hassan
Answered on July 25, 2016 5:12 pm

localhost(config)#ip access-list test1
localhost(config-acl-test1)#deny ip 30.0.1.2/24 40.0.2.2/24
localhost(config-acl-test1)#deny ip 30.0.2.2/24 40.0.1.2/24
localhost(config-acl-test1)#permit ip any any
localhost(config-acl-test1)#exit
localhost(config)#control-plane
localhost(config-cp)#ip access-group test1 in
localhost(config-cp)#exit

But the rule is not working as desired.

Posted by SANGEETH BS
Answered on January 3, 2018 8:04 am

Is there any way to enable this option in vEOS/vEOS-lab to test IP and Mac ACL?

Posted by Alexis Dacquay
Answered on November 22, 2018 4:15 pm

No, there is no hardware to program the rules to.
Whether it is a port ACL or a control-plane ACL, the ACL resides in the hardware and filters traffic in the data plane. The control-plane ACL filters traffic from the data plane towards the control plane, so it is still a data-plane feature requiring real hardware.
You would need to test these on physical switches.
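The answers above make two points worth checking mechanically before a lab-validated config is trusted: vEOS accepts `ip access-group` (on an interface or under `control-plane`) into the running-config but cannot program it, so the ACL silently filters nothing; and `interface Vxlan1` should carry exactly one BUM replication method (multicast group, head-end replication flood list, or CVX controller-client). The following linter is an added example written for this page; it is not code from the thread, from Arista, or from any EOS tool. It assumes the flat, `!`-delimited config style used in the fragments above (indented `show running-config` output is accepted too), and the sample configs it runs on are constructed for the example.

```python
"""Lint an EOS config fragment before trusting it in a vEOS lab (added example)."""
import re

# Stanza headers the linter understands (assumption: enough for small lab configs).
STANZA_RE = re.compile(
    r"^(interface \S+|control-plane|management cvx|(?:ip|mac) access-list \S+)$"
)
ACCESS_GROUP_RE = re.compile(r"^(ip|mac) access-group (\S+) (in|out)$")


def parse_eos_config(text):
    """Return {stanza_header: [subcommand, ...]}; global lines go under ''."""
    stanzas = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":            # '!' closes the current stanza
            current = ""
            continue
        if STANZA_RE.match(line):  # a new stanza header
            current = line
            stanzas.setdefault(current, [])
            continue
        stanzas.setdefault(current, []).append(line)
    return stanzas


def lint_veos(config_text):
    """Return a list of human-readable findings (empty list means clean)."""
    stanzas = parse_eos_config(config_text)
    findings = []
    defined_acls = {
        h.split()[-1] for h in stanzas if h.startswith(("ip access-list", "mac access-list"))
    }

    # 1. ACL application: vEOS has no TCAM, so a port ACL or control-plane ACL is
    #    accepted ("Hardware not present. ACL(s) not programmed in the hardware.")
    #    but never filters anything. Flag every application so nobody signs it off.
    for header, lines in stanzas.items():
        for line in lines:
            m = ACCESS_GROUP_RE.match(line)
            if not m:
                continue
            kind, acl, direction = m.groups()
            where = header or "global"
            if acl not in defined_acls:
                findings.append(f"{where}: {kind} access-group {acl} references an undefined ACL")
            findings.append(
                f"{where}: {kind} ACL {acl} ({direction}) is accepted by vEOS but not enforced; "
                "validate it on a physical switch"
            )

    # 2. VXLAN BUM replication: multicast OR head-end replication OR CVX, not a mix.
    vx = stanzas.get("interface Vxlan1")
    if vx is None:
        return findings
    mcast = [l for l in vx if l.startswith("vxlan multicast-group ")]
    her = [l for l in vx if l.startswith("vxlan flood vtep ")]
    controller = "vxlan controller-client" in vx
    per_vlan_flood, vni_mapped = set(), set()
    for line in vx:
        m = re.match(r"^vxlan vlan (\d+) flood vtep \S", line)
        if m:
            per_vlan_flood.add(m.group(1))
        m = re.match(r"^vxlan vlan (\d+) vni \d+$", line)
        if m:
            vni_mapped.add(m.group(1))
    if mcast and her:
        findings.append("interface Vxlan1: both multicast-group and flood vtep set; pick one BUM replication method")
    if not (mcast or her or per_vlan_flood or controller):
        findings.append("interface Vxlan1: no BUM replication configured (multicast-group, flood vtep or controller-client)")
    for vlan in sorted(per_vlan_flood, key=int):
        if vlan not in vni_mapped:
            findings.append(f"interface Vxlan1: vlan {vlan} has a flood list but no 'vxlan vlan {vlan} vni' mapping")
    if controller:  # CVX needs a reachable server and the management stanza enabled
        cvx = stanzas.get("management cvx", [])
        has_server = any(re.match(r"^server host \S+$", l) for l in cvx)
        if "no shutdown" not in cvx or not has_server:
            findings.append("management cvx: controller-client needs 'no shutdown' and 'server host <ip>'")
    return findings


# Constructed lab config: ACLs applied on vEOS, and two replication methods mixed.
LAB_CONFIG = """\
ip access-list test1
deny ip 30.0.1.2/24 40.0.2.2/24
permit ip any any
!
control-plane
ip access-group test1 in
!
interface Ethernet1
ip access-group test1 in
!
interface Vxlan1
vxlan source-interface Loopback0
vxlan vlan 100 vni 10100
vxlan multicast-group 239.1.2.3
vxlan flood vtep 2.2.2.2 3.3.3.3
vxlan vlan 200 flood vtep 3.3.3.3
!
"""

# Constructed corrected config: HER only, every flooded VLAN mapped, no ACLs relied on.
LAB_CONFIG_FIXED = """\
interface Vxlan1
vxlan source-interface Loopback0
vxlan vlan 100 vni 10100
vxlan vlan 200 vni 10200
vxlan flood vtep 2.2.2.2 3.3.3.3
vxlan vlan 200 flood vtep 3.3.3.3
!
"""

if __name__ == "__main__":
    for name, cfg in (("LAB_CONFIG", LAB_CONFIG), ("LAB_CONFIG_FIXED", LAB_CONFIG_FIXED)):
        print(f"== {name}: {len(lint_veos(cfg))} finding(s)")
        for f in lint_veos(cfg):
            print("  -", f)
```

The ACL finding is deliberately unconditional: the point of the thread is that the config looks right and the CLI accepts it, so the only safe lab behaviour is to treat every `access-group` on vEOS as unverified until it has been exercised on physical EOS.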
