Hi Dean,

From what Acee mentions it doesn’t seem that IOS-XR supports matching on interface for ACLs.

When I look at Brocade I don’t see it either. Maybe someone from Brocade could provide an example of the config if it is supported?
https://github.com/YangModels/yang/blob/master/vendor/brocade/brocade-ip-access-list.yang
(I also checked their user guides.)

I think it is more relevant to look at ACL functionality for this (not log filtering or other misc. filtering capabilities in areas outside of ACLs).

I really don’t think this has widespread support and it isn’t core functionality -> assigning an ACL to an interface is how it is normally done.

Regards,
Jason

From: EXT Dean Bogdanovic [mailto:[email protected]]
Sent: Thursday, March 31, 2016 2:26
To: Sterne, Jason (Nokia - CA)
Cc: netmod WG
Subject: Re: [netmod] Remove input-interface (metadata) from netmod-acl-model-07 ?

> On Mar 30, 2016, at 9:36 PM, Sterne, Jason (Nokia - CA) <[email protected]> wrote:
>
>> Hi all,
>>
>> The ACL model is converging on a small core set of functionality that is fairly common. But I think the matching on input-interface should be removed from the model (or at the least put inside a feature flag).
>>
>> Matching on basic IPv4/IPv4/MAC header fields is common functionality. But having that input-interface match on metadata in the core model is out of place. It should be left to further extension drafts or vendor specific augmentations (along with whatever other metadata might be useful or vendor-specific).
>>
>> ACLs are typically assigned to interfaces as shown in section A.3. of the ACL draft. That is the most common use case. Actually matching on input-interface in the ACL rules themselves is not basic core ACL functionality.
>>
>> Nokia SR OS does not have that capability. Does IOS-XR? Brocade? Others?
>
> Cisco and Juniper support matching on input interface. It is useful when you want to filter on general traffic coming from interface.
>
> Cisco
>
>     match input-interface
>     match input-vlan
>
> Junos
>
>     family any {
>         filter L2_filter {
>             term t1 {
>                 from {
>                     interface fe-0/0/0.0;
>                 }
>                 then {
>                     policer p1;
>                     count c1;
>                 }
>             }
>         }
>     }
>
> Brocade supports matching based on interface, Dell supports VLAN matching, Arista supports input interface matching, Redback supports matching against input interface for logging, so it is pretty standard across multiple vendors.
>
> Dean
>
>> If some major implementations don’t do it, and it isn’t necessary for typical basic ACL use, then it should be removed (or feature flagged).
>>
>> Regards,
>> Jason
>
> _______________________________________________
> netmod mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/netmod
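As an added illustration of the "feature flag or vendor augmentation" option discussed in the thread (example code, not from the draft or any vendor), the sketch below keeps the ingress-interface match out of the core model and behind a YANG feature, so a server that cannot match on interface never advertises the leaf and a client cannot push an ACL entry the platform would silently not enforce. The base module and prefix (ietf-access-control-list / acl) are the draft's; the exact augment path is assumed from the -07 tree and the example module, namespace and feature name are hypothetical.

```yang
// Added example, not part of the ACL draft or any vendor module.
// Assumed: the -07 tree places "matches" at
//   /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches
module example-acl-input-interface {
  namespace "urn:example:acl-input-interface";   // hypothetical namespace
  prefix aii;

  import ietf-access-control-list { prefix acl; }
  import ietf-interfaces { prefix if; }

  // Only platforms that really can filter on ingress interface advertise
  // this feature (e.g. in their YANG library / hello capabilities). Others
  // omit it, so the leaf below is invisible to clients on those devices
  // rather than accepted and ignored.
  feature match-on-input-interface {
    description
      "The device can match ACL entries on the interface a packet
       was received on.";
  }

  augment "/acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches" {
    if-feature match-on-input-interface;
    leaf input-interface {
      type if:interface-ref;
      description
        "If present, the entry matches only packets received on this
         interface. Absent on devices without the feature.";
    }
  }
}
```

Validating a configuration that sets this leaf against a server whose advertised feature set lacks match-on-input-interface fails at datastore edit time, which is the point: an unsupported match is rejected rather than producing an ACL that looks applied but filters nothing.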
