IS-IS Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release


Layer 2 ACLs on physical and subinterfaces


Describes implementing Layer 2 ACLs on physical and subinterfaces, noting configuration restrictions and providing instructions for enabling ISIS PDU rejection to enhance access security and traffic filtering.


A Layer 2 ACL is a security configuration that

  • binds to Layer 2 main interfaces, subinterfaces, or bundle interfaces,

  • enables traffic filtering of ISIS packets on the ethernet port shared by these interfaces, and

  • ensures ISIS traffic is dropped regardless of whether the ACL is applied to the main or subinterface, since all share the port.

Table 1. Feature History Table

Feature Name: Support for a Configurable Knob to Reject ISIS PDU on Layer 2 Interfaces
Release Information: Release 25.1.1
Feature Description: Introduced in this release on: Fixed Systems (8700 [ASIC: K100]) (select variants only*)
  *This feature is supported on the Cisco 8712-MOD-M routers.

Feature Name: Support for a Configurable Knob to Reject ISIS PDU on Layer 2 Interfaces
Release Information: Release 24.4.1
Feature Description: Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100]) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*)
  *This feature is supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 88-LC1-36EH

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

Feature Name: Support for a Configurable Knob to Reject ISIS PDU on Layer 2 Interfaces
Release Information: Release 7.3.1
Feature Description: This feature enables you to use a Layer 2 ACL to drop ISIS packets sent to certain ISIS destination MAC addresses. Dropping ISIS packets allows you to isolate a particular node from the ISIS domain and to use network bandwidth efficiently.
  This feature introduces the ethernet-services access-list isis-drop-all-l2-pdus command.

Configuring a Layer 2 ACL on either the main interface or subinterface results in ISIS packet drops for both, because the ACL operates on their shared ethernet port.

Applying a Layer 2 ACL to a Layer 3-only interface does not affect ISIS traffic on Layer 2 interfaces.

Restrictions for configuring Layer 2 ACLs on physical and subinterfaces

  • This feature is supported only in the ingress direction.

  • Per-interface statistics are not supported.

  • Layer 2 ACL modification is not supported.

  • Only remarks can be added, updated, or modified.

  • Any insertion or modification of Layer 2 ACL access control entries (ACEs) is rejected. However, deletion of an ACE is accepted because it cannot be blocked.

  • If you delete an ACE from an attached Layer 2 ACL, detach the Layer 2 ACL from all interfaces, modify the Layer 2 ACL, and reattach it to the interfaces to recover the deleted ACE.

  • Layer 2 ACL supports matching only on ISIS destination MAC addresses. It does not support any other Layer 2 fields, such as source MAC (srcMAC), PCP, etc. Configure only one of the ISIS destination MAC addresses to drop ISIS packets. Non-ISIS destination MAC configuration is rejected.

  • Hardware drops ISIS packets when you configure one of these destination MAC addresses:

    • 01:80:c2:00:00:14

    • 01:80:c2:00:00:15

    • 09:00:2b:00:00:04

    • 09:00:2b:00:00:05

    • 01:00:5e:90:00:02

    • 01:00:5e:90:00:03


Configure ISIS PDU rejection on Layer 2 interfaces

Set up Layer 2 ACLs and apply them to interfaces to drop ISIS packets based on destination MAC addresses.

This task enables you to isolate specific nodes from an ISIS domain and optimize usage of network bandwidth by filtering ISIS PDUs at Layer 2 interfaces.

Procedure

1.

Create a Layer 2 ACL to deny ISIS PDUs and permit other traffic.

Example:

Router# configure
Router(config)# ethernet-services access-list isis-drop-all-l2-pdus
Router(config-es-acl)# 5 remark Drain ISIS between two routers
Router(config-es-acl)# 20 deny any host 0180.c200.0015
Router(config-es-acl)# 200 permit any any
Router(config-es-acl)# commit
2.

Apply the ACL to the relevant interfaces:

  1. For a bundle interface:

    Example:

    Router# configure
    Router(config)# interface Bundle-Ether 100 l2transport
    Router(config-if)# mtu 2000
    Router(config-if)# ethernet-services access-group isis-drop-all-l2-pdus ingress
    Router(config-if)# commit

  2. For a bundle subinterface:

    Example:

    Router# configure
    Router(config)# interface Bundle-Ether101.101 l2transport
    Router(config-subif)# encapsulation dot1q 101
    Router(config-subif)# rewrite ingress tag pop 1 symmetric
    Router(config-subif)# mtu 2000
    Router(config-subif)# ethernet-services access-group isis-drop-all-l2-pdus ingress
    Router(config-subif)# commit

  3. For a physical interface:

    Example:

    Router# configure
    Router(config)# interface hundredGigE 0/0/0/0 l2transport
    Router(config-if)# mtu 2000
    Router(config-if)# ethernet-services access-group isis-drop-all-l2-pdus ingress
    Router(config-if)# commit

  4. For a physical subinterface:

    Example:

    Router# configure
    Router(config)# interface hundredGigE 0/3/0/1.100 l2transport
    Router(config-subif)# encapsulation dot1q 101
    Router(config-subif)# rewrite ingress tag pop 1 symmetric
    Router(config-subif)# mtu 2000
    Router(config-subif)# ethernet-services access-group isis-drop-all-l2-pdus ingress
    Router(config-subif)# commit

3.

Use the show access-lists ethernet-services command to verify that the ACL is configured and programmed in hardware on the ingress line card.

Example:

Router# show access-lists ethernet-services l2 hardware ingress location
Thu Jan 21 04:22:12.667 UTC
ethernet-services access-list l2
20 deny any host 0180.c200.0014 (1243345)
200 permit any any

Example:

Router# show access-lists ethernet-services
Sun Feb 14 12:52:09.539 PST
ethernet-services access-list isis-drop-all-l2-pdus
5 remark Drain ISIS between two routers.
20 deny any host 0180.c200.0015
200 permit any any

Example:

Router# show access-lists ethernet-services isis-drop-all-l2-pdus hardware ingress location 0/0/CPU0
Sun Feb 14 12:52:39.620 PST
ethernet-services access-list isis-drop-all-l2-pdus
20 deny any host 0180.c200.0015
200 permit any any

Example:

Router# show access-lists ethernet-services isis-drop-all-l2-pdus hardware ingress detail location 0/0/CPU0
Sun Feb 14 12:52:47.962 PST

isis-drop-all-l2-pdus Details:
Sequence Number: 20
NPU ID: 1
Number of DPA Entries: 1
ACL ID: 1
ACE Action: DENY
ACE Logging: DISABLED
Set TTL value: 0
Hit Packet Count: 0
Source MAC: 0000:0000:0000
Source MAC Mask: 0000:0000:0000
Destination MAC: 0180:C200:0015
Destination MAC Mask: FFFF:FFFF:FFFF
DPA Entry: 1
        Entry Index: 0
        DPA Handle: 0x93C84100
Sequence Number: 200
NPU ID: 1
Number of DPA Entries: 1
ACL ID: 1
ACE Action: PERMIT
ACE Logging: DISABLED
Set TTL value: 0
Source MAC: 0000:0000:0000
Source MAC Mask: 0000:0000:0000
Destination MAC: 0000:0000:0000
Destination MAC Mask: 0000:0000:0000
DPA Entry: 1
        Entry Index: 0
        DPA Handle: 0x93C84278
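As an added example (not Cisco code and not part of this guide), the following Python script performs two offline checks that follow from the restrictions and from the verification step above. First, it validates ACE lines written in the ethernet-services access-list syntax used here against the restriction list: only ISIS destination MAC addresses may be matched, no source-MAC match, and exactly one deny entry. Second, it parses the "hardware ingress detail" output to confirm that a DENY entry for an ISIS destination MAC with a full mask is actually programmed and to read back its hit count, which is the figure an operator would watch to confirm the drop is taking effect. The field names and the MAC formats (dotted in configuration, colon-grouped in the detail output) are taken from the sample output in this guide; the function names, the regular expressions and the constructed SAMPLE_DETAIL text are assumptions of the example.

```python
import re

# The six ISIS destination MAC addresses the hardware can drop on (from the restrictions above).
ISIS_DEST_MACS = {
    "01:80:c2:00:00:14", "01:80:c2:00:00:15",
    "09:00:2b:00:00:04", "09:00:2b:00:00:05",
    "01:00:5e:90:00:02", "01:00:5e:90:00:03",
}

# "<seq> deny|permit <src> <dst>", where src/dst is 'any' or 'host <mac>' (syntax used in this guide).
_ACE_RE = re.compile(r"^\s*(\d+)\s+(deny|permit)\s+(any|host\s+\S+)\s+(any|host\s+\S+)\s*$", re.I)
_REMARK_RE = re.compile(r"^\s*\d+\s+remark\b", re.I)


def normalize_mac(mac):
    """Accept 0180.c200.0015, 0180:C200:0015 or 01:80:c2:00:00:15 (the forms seen in this guide)
    and return the lowercase colon form; raise ValueError for anything that is not 12 hex digits."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_isis_drop_acl(lines):
    """Return a list of problems; an empty list means the ACE lines meet the restrictions."""
    problems, isis_denies = [], 0
    for line in lines:
        if not line.strip() or _REMARK_RE.match(line):
            continue                           # remarks are always allowed
        m = _ACE_RE.match(line)
        if not m:
            problems.append(f"unparsable ACE: {line.strip()!r}")
            continue
        seq, action, src, dst = m.groups()
        if src.lower() != "any":               # srcMAC (and other L2 fields) are not supported
            problems.append(f"seq {seq}: source MAC match is not supported")
        if action.lower() == "permit":
            if dst.lower() != "any":
                problems.append(f"seq {seq}: permit should be 'any any'")
            continue
        if dst.lower() == "any":
            problems.append(f"seq {seq}: deny must name an ISIS destination MAC")
            continue
        try:
            mac = normalize_mac(dst.split()[1])
        except ValueError as exc:
            problems.append(f"seq {seq}: {exc}")
            continue
        if mac in ISIS_DEST_MACS:
            isis_denies += 1
        else:                                  # a non-ISIS destination MAC is rejected by the router
            problems.append(f"seq {seq}: {mac} is not an ISIS destination MAC")
    if isis_denies != 1:                       # the guide says to configure only one of them
        problems.append(f"expected exactly one ISIS deny entry, found {isis_denies}")
    return problems


def parse_acl_detail(text):
    """Split 'show access-lists ethernet-services ... hardware ingress detail' output into
    one dict per 'Sequence Number:' block, keeping the 'Key: value' pairs as printed."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Sequence Number:"):
            current = {}
            entries.append(current)
        if current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries


def isis_deny_hits(entries):
    """Return the Hit Packet Count of the DENY entry that matches an ISIS destination MAC with
    a full mask, or None when no such entry is programmed (the drop is not active in hardware)."""
    for e in entries:
        if e.get("ACE Action") != "DENY":
            continue
        try:
            mac = normalize_mac(e.get("Destination MAC", ""))
            mask = normalize_mac(e.get("Destination MAC Mask", ""))
        except ValueError:
            continue
        if mac in ISIS_DEST_MACS and mask == "ff:ff:ff:ff:ff:ff":
            return int(e.get("Hit Packet Count", "0"))
    return None


# Constructed sample, abridged from the verification output shown in this guide.
SAMPLE_DETAIL = """\
isis-drop-all-l2-pdus Details:
Sequence Number: 20
ACE Action: DENY
Hit Packet Count: 0
Destination MAC: 0180:C200:0015
Destination MAC Mask: FFFF:FFFF:FFFF
Sequence Number: 200
ACE Action: PERMIT
Destination MAC: 0000:0000:0000
Destination MAC Mask: 0000:0000:0000
"""

if __name__ == "__main__":
    print(check_isis_drop_acl(["20 deny any host 0180.c200.0015", "200 permit any any"]))
    print(isis_deny_hits(parse_acl_detail(SAMPLE_DETAIL)))
```

Run check_isis_drop_acl on the ACE lines before committing them; a non-empty result means the router would reject the ACL or the ACL would not drop ISIS PDUs. After the ACL is attached, feed the real "hardware ingress detail" output to parse_acl_detail and isis_deny_hits: None means the drop entry is not programmed on that line card, and a non-zero count confirms ISIS PDUs are being dropped.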