Dean/Acee,

Is this a relevant example of ACL being configured on an interface?

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/addr_serv/configuration/guide/b_ipaddr_cg42a9k/b_ipaddr_cg42a9k_chapter_01.html#task_1049371

Talking to implementers, the feature is very much desired.

Mahesh Jethanandani
[email protected]

> On Apr 2, 2016, at 4:39 AM, Dean Bogdanovic <[email protected]> wrote:
>
> Hi Acee,
>
>> On Mar 31, 2016, at 8:17 AM, Acee Lindem (acee) <[email protected]> wrote:
>>
>> Hi Dean,
>>
>> From: netmod <[email protected]> on behalf of Dean Bogdanovic <[email protected]>
>> Date: Thursday, March 31, 2016 at 5:26 AM
>> To: "Sterne, Jason (Nokia - CA)" <[email protected]>
>> Cc: netmod WG <[email protected]>
>> Subject: Re: [netmod] Remove input-interface (metadata) from netmod-acl-model-07 ?
>>
>>> On Mar 30, 2016, at 9:36 PM, Sterne, Jason (Nokia - CA) <[email protected]> wrote:
>>>
>>> Hi all,
>>>
>>> The ACL model is converging on a small core set of functionality that is fairly common.
>>>
>>> But I think the matching on input-interface should be removed from the model (or at the least put inside a feature flag).
>>>
>>> Matching on basic IPv4/IPv6/MAC header fields is common functionality. But having that input-interface match on metadata in the core model is out of place. It should be left to further extension drafts or vendor-specific augmentations (along with whatever other metadata might be useful or vendor-specific).
>>>
>>> ACLs are typically assigned to interfaces as shown in section A.3 of the ACL draft. That is the most common use case.
>>>
>>> Actually matching on input-interface in the ACL rules themselves is not basic core ACL functionality. Nokia SR OS does not have that capability. Does IOS-XR? Brocade? Others?
>>
>> Cisco and Juniper support matching on input interface. It is useful when you want to filter on general traffic coming from an interface.
>>
>> Cisco
>>   match input-interface
>>   match input-vlan
>>
>> These are “class-map” sub-commands, not “access-list” sub-commands. So you are referring to the general functionality rather than specifically functionality supported by access-list?
>
> According to the Cisco website (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swacl.html):
>
> Note: The ACL must be an extended named ACL.
>
> – match input-interface interface-id-list
> – match ip dscp dscp-list
> – match ip precedence ip-precedence-list
>
>> Junos
>>   family any {
>>     filter L2_filter {
>>       term t1 {
>>         from {
>>           interface fe-0/0/0.0;
>>         }
>>         then {
>>           policer p1;
>>           count c1;
>>         }
>>       }
>>     }
>>   }
>>
>> Brocade supports matching based on interface, Dell supports VLAN matching, Arista supports input interface matching, Redback supports matching against input interface for logging.
>>
>> If you are referring to “log-input”, this indicates to include the input-interface in the log message. Cisco supports this as well.
>>
>> Thanks,
>> Acee
>>
>> So it is pretty standard across multiple vendors.
>>
>> Dean
>>
>>> If some major implementations don’t do it, and it isn’t necessary for typical basic ACL use, then it should be removed (or feature flagged).
>>>
>>> Regards,
>>> Jason

_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod
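The thread contrasts two different things: attaching an ACL to an interface (the section A.3 case everyone supports) and an ACE that matches on the packet's input-interface metadata (the contested feature). The toy evaluator below, added here as an illustration and not code from the thread, the ACL draft or any vendor, keeps the two separate: ACLs are attached per interface, individual ACEs may optionally constrain on input-interface, and a validation step refuses such ACEs when the platform does not advertise the capability, which is the job a YANG feature flag would do in the model. All interface names, prefixes and the `supports_input_interface_match` flag are constructed for the example.

```python
# Added example, not from the netmod thread or any vendor implementation.
# Toy ACL evaluator: ACL *attachment* to an interface versus an ACE that
# matches on the packet's input-interface *metadata*. Names are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int              # IP protocol number (6 = TCP, 17 = UDP)
    input_interface: str       # metadata: the interface the packet arrived on


@dataclass(frozen=True)
class Ace:
    """One access control entry; a field left at its default matches anything."""
    name: str
    action: str                            # "permit" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    protocol: Optional[int] = None
    input_interface: Optional[str] = None  # metadata match, the contested feature

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if (self.input_interface is not None
                and pkt.input_interface != self.input_interface):
            return False
        return True


@dataclass(frozen=True)
class Acl:
    name: str
    aces: tuple


def validate_acl(acl: Acl, supports_input_interface_match: bool) -> bool:
    """Reject ACEs that use the input-interface match on a platform that does
    not advertise the capability; this is what a YANG feature flag gates."""
    offending = [a.name for a in acl.aces if a.input_interface is not None]
    if offending and not supports_input_interface_match:
        raise ValueError(
            f"ACL {acl.name}: input-interface match not supported "
            f"(used by {', '.join(offending)})")
    return True


def evaluate(acl: Acl, pkt: Packet):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in acl.aces:
        if ace.matches(pkt):
            return ace.action, ace.name
    return "deny", "implicit-deny"


def ingress(attachments: dict, pkt: Packet):
    """Apply whatever ACL is attached to the arriving interface (the A.3-style
    common case). An interface with no attachment forwards unfiltered."""
    acl = attachments.get(pkt.input_interface)
    if acl is None:
        return "permit", "no-acl"
    return evaluate(acl, pkt)


# Constructed policy: one ACL attached to two interfaces. Its first ACE only
# fires for traffic that arrived on ge-0/0/1, although the same ACL is also
# attached to ge-0/0/0. That per-interface exception inside a shared ACL is
# what the input-interface match gives you beyond plain attachment.
MGMT_ACL = Acl("mgmt-filter", (
    Ace("deny-mgmt-from-ge1", "deny", dst_net="192.0.2.0/24",
        input_interface="ge-0/0/1"),
    Ace("permit-tcp", "permit", protocol=6),
))
ATTACHMENTS = {"ge-0/0/0": MGMT_ACL, "ge-0/0/1": MGMT_ACL}

if __name__ == "__main__":
    validate_acl(MGMT_ACL, supports_input_interface_match=True)
    for pkt in (Packet("10.0.0.5", "192.0.2.10", 6, "ge-0/0/0"),
                Packet("10.0.0.5", "192.0.2.10", 6, "ge-0/0/1"),
                Packet("10.0.0.5", "192.0.2.10", 17, "ge-0/0/0"),
                Packet("10.0.0.5", "192.0.2.10", 6, "ge-0/0/2")):
        print(pkt.input_interface, ingress(ATTACHMENTS, pkt))
```

Running `validate_acl(MGMT_ACL, supports_input_interface_match=False)` raises, which is the behaviour a platform such as the one Jason describes would need if the match stayed in the core model without a feature flag: the configuration would have to be rejected rather than silently ignored.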
