Hi Mahesh,

From: Mahesh Jethanandani <[email protected]>
Date: Thursday, June 9, 2016 at 10:35 AM
To: Dean Bogdanovic <[email protected]>
Cc: Acee Lindem <[email protected]>, netmod WG <[email protected]>
Subject: Re: [netmod] Remove input-interface (metadata) from netmod-acl-model-07 ?

>Dean/Acee,
>

I initially misread this as “Dear Acee” ;^)

>
>Is this a relevant example of ACL being configured on an interface?
>
>http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/addr_serv/configuration/guide/b_ipaddr_cg42a9k/b_ipaddr_cg42a9k_chapter_01.html#task_1049371
>

In the same way I misread your salutation, I think you’ve misinterpreted this example as it applies to including interface in the ACL model. If you examine the referenced configuration html closely, you’ll see that the ACL is a reusable packet-matching policy that is applied to an interface rather than the interface being included in the ACL rules themselves. In IOS-XR, the command to apply the ACL to an interface is “{ipv4 | ipv6} access-group <acl-name>” specified in interface configuration submode. Is there something in the text that I’m missing?

>
>Talking to implementers, the feature is very much desired.
>

As the initial implementor of the function on Redback SEOS (now Ericsson IPOS), I can confirm that attaching an ACL to an interface is, indeed, an essential function.

Thanks,
Acee

>
>Mahesh Jethanandani
>[email protected]
>
>
>On Apr 2, 2016, at 4:39 AM, Dean Bogdanovic <[email protected]> wrote:
>
>Hi Acee,
>
>On Mar 31, 2016, at 8:17 AM, Acee Lindem (acee) <[email protected]> wrote:
>
>Hi Dean,
>
>From: netmod <[email protected]> on behalf of Dean Bogdanovic <[email protected]>
>Date: Thursday, March 31, 2016 at 5:26 AM
>To: "Sterne, Jason (Nokia - CA)" <[email protected]>
>Cc: netmod WG <[email protected]>
>Subject: Re: [netmod] Remove input-interface (metadata) from netmod-acl-model-07 ?
>
>>
>>On Mar 30, 2016, at 9:36 PM, Sterne, Jason (Nokia - CA) <[email protected]> wrote:
>>
>>Hi all,
>>
>>The ACL model is converging on a small core set of functionality that is fairly common.
>>
>>But I think the matching on input-interface should be removed from the model (or at the least put inside a feature flag).
>>
>>Matching on basic IPv4/IPv6/MAC header fields is common functionality. But having that input-interface match on metadata in the core model is out of place. It should be left to further extension drafts or vendor specific augmentations (along with whatever other metadata might be useful or vendor-specific).
>>
>>ACLs are typically assigned to interfaces as shown in section A.3. of the ACL draft. That is the most common use case.
>>
>>Actually matching on input-interface in the ACL rules themselves is not basic core ACL functionality. Nokia SR OS does not have that capability. Does IOS-XR ? Brocade ? others ?
>>
>>Cisco and Juniper support matching on input interface. It is useful when you want to filter on general traffic coming from interface.
>>
>>Cisco
>>match input-interface
>>match input-vlan
>>
>
>These are “class-map” sub-commands - not “access-list" sub-commands. So you are referring to the general functionality rather than specifically functionality supported by access-list?
>
>According to the Cisco website (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swacl.html)
>
>Note: The ACL must be an extended named ACL.
>
>- match input-interface interface-id-list
>- match ip dscp dscp-list
>- match ip precedence ip-precedence-list
>
>>
>>Junos
>>family any {
>>    filter L2_filter {
>>        term t1 {
>>            from {
>>                interface fe-0/0/0.0;
>>            }
>>            then {
>>                policer p1;
>>                count c1;
>>            }
>>        }
>>    }
>>}
>>
>>Brocade supports matching based on interface, Dell supports VLAN matching, Arista supports input interface matching, Redback supports matching against input interface for logging,
>>
>
>If you are referring to “log-input”, this indicates to include the input-interface in the log message. Cisco supports this as well.
>
>Thanks,
>Acee
>
>>so it is pretty standard across multiple vendors
>>
>>Dean
>>
>>If some major implementations don’t do it, and it isn’t necessary for typical basic ACL use, then it should be removed (or feature flagged).
>>
>>Regards,
>>Jason
>>
>>_______________________________________________
>>netmod mailing list
>>[email protected]
>>https://www.ietf.org/mailman/listinfo/netmod
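The thread contrasts two ways of scoping an ACL to an interface: a reusable ACL applied to the interface (the IOS-XR access-group style Acee describes) versus an input-interface match carried inside the ACE itself (the metadata match Jason wants removed or feature-flagged). The following Python model is an added illustration, not code from the thread, the ACL draft or any vendor; the class names (Packet, Ace, Acl, Device), the interface names and the addresses are all constructed. It evaluates the same constructed packets under both models and adds a validation step that mimics a YANG if-feature check, rejecting input-interface ACEs on a device that does not advertise the feature.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """A constructed packet plus the metadata the forwarding engine knows about it."""
    ingress: str      # interface the packet arrived on
    src: str
    dst: str
    protocol: str     # "tcp", "udp" or "icmp"


@dataclass
class Ace:
    """One access-control entry. Header fields are the common core;
    input_interface is the metadata match debated in the thread (hypothetical field)."""
    name: str
    action: str                            # "permit" or "deny"
    src: Optional[str] = None              # CIDR; None means any
    dst: Optional[str] = None
    protocol: Optional[str] = None
    input_interface: Optional[str] = None  # metadata match, feature-gated below

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.input_interface and pkt.ingress != self.input_interface:
            return False
        return True


@dataclass
class Acl:
    name: str
    aces: List[Ace]

    def evaluate(self, pkt: Packet) -> str:
        for ace in self.aces:          # first matching ACE wins
            if ace.matches(pkt):
                return ace.action
        return "deny"                  # implicit deny at the end of every ACL


def validate_acl(acl: Acl, input_interface_supported: bool) -> List[str]:
    """Mimic a YANG if-feature check: an ACE using input-interface is only valid
    on a device that advertises that feature. Returns a list of error strings."""
    errors = []
    for ace in acl.aces:
        if ace.input_interface is not None and not input_interface_supported:
            errors.append(f"{acl.name}/{ace.name}: input-interface match not supported")
        if ace.action not in ("permit", "deny"):
            errors.append(f"{acl.name}/{ace.name}: unknown action {ace.action!r}")
    return errors


@dataclass
class Device:
    acls: Dict[str, Acl]
    ingress_attachments: Dict[str, str]   # interface -> ACL applied "access-group" style

    def filter_ingress(self, pkt: Packet) -> str:
        acl_name = self.ingress_attachments.get(pkt.ingress)
        if acl_name is None:
            return "permit"               # no ACL applied on this interface
        return self.acls[acl_name].evaluate(pkt)


# Constructed traffic: ICMP arriving on three interfaces, plus one TCP packet.
PACKETS = [
    Packet("ge-0/0/0", "192.0.2.10", "198.51.100.1", "icmp"),
    Packet("ge-0/0/1", "192.0.2.20", "198.51.100.1", "icmp"),
    Packet("ge-0/0/2", "192.0.2.30", "198.51.100.1", "icmp"),
    Packet("ge-0/0/0", "192.0.2.10", "198.51.100.1", "tcp"),
]


def scenario_attached() -> Dict[str, str]:
    """Model 1: one reusable ACL with no interface knowledge, applied to two interfaces."""
    no_icmp = Acl("NO-ICMP", [Ace("deny-icmp", "deny", protocol="icmp"),
                              Ace("permit-rest", "permit")])
    dev = Device({"NO-ICMP": no_icmp},
                 {"ge-0/0/0": "NO-ICMP", "ge-0/0/1": "NO-ICMP"})
    return {f"{p.ingress}/{p.protocol}": dev.filter_ingress(p) for p in PACKETS}


def scenario_metadata_match() -> Dict[str, str]:
    """Model 2: one global ACL on every interface whose ACEs name the interface."""
    global_acl = Acl("GLOBAL", [
        Ace("deny-icmp-0", "deny", protocol="icmp", input_interface="ge-0/0/0"),
        Ace("deny-icmp-1", "deny", protocol="icmp", input_interface="ge-0/0/1"),
        Ace("permit-rest", "permit"),
    ])
    dev = Device({"GLOBAL": global_acl},
                 {i: "GLOBAL" for i in ("ge-0/0/0", "ge-0/0/1", "ge-0/0/2")})
    return {f"{p.ingress}/{p.protocol}": dev.filter_ingress(p) for p in PACKETS}


if __name__ == "__main__":
    print("attached:", scenario_attached())
    print("metadata:", scenario_metadata_match())
```

Both scenarios yield identical verdicts for the constructed packets, which is the point: attachment gives the same filtering without naming the interface inside the policy, so the same ACL can be reused on any interface, while the metadata model needs one ACE per interface and only validates on devices that support the feature.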
