Hi Balaji,

In order to make input ACL work on the IPv4 forwarding path, you need to set it 
as ip4-table on the interface or sub-interface. For your case for packets with 
VLAN tags, it needs to be set on sub-interface:
set int input acl intfc TenGigabitEthernet1/0/0.100 ip4-table 0

The names in the CLI [ip4-table|ip6-table|l2-table] indicate which forwarding 
path the ACL is applied to, not which packet header the ACL will match. The 
match of the packet is specified with the table/session used in the ACL.

Regards,
John

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Balaji Kn
Sent: Wednesday, August 02, 2017 9:41 AM
To: vpp-dev@lists.fd.io
Cc: l.s.abhil...@gmail.com
Subject: [vpp-dev] query on L2 ACL for VLANs

Hello,

I am using VPP 17.07 release code (tag v17.07).

DBGvpp# show int address
TenGigabitEthernet1/0/0 (up):
  172.27.28.5/24
TenGigabitEthernet1/0/1 (up):
  172.27.29.5/24

My use case is to allow packets based on VLANs. I added an ACL rule in a classify 
table as below.

classify table mask l2 tag1
classify session acl-hit-next permit opaque-index 0 table-index 0 match l2 tag1 100
set int input acl intfc TenGigabitEthernet1/0/0 l2-table 0

Tagged packets were dropped in the ethernet node.

00:08:39:270674: dpdk-input
  TenGigabitEthernet1/0/0 rx queue 0
  buffer 0x4d67: current data 0, length 124, free-list 0, clone-count 0, totlen-nifb 0, trace 0x1
  PKT MBUF: port 0, nb_segs 1, pkt_len 124
    buf_len 2176, data_len 124, ol_flags 0x180, data_off 128, phys_addr 0x6de35a00
    packet_type 0x291
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
  UDP: 172.27.28.6 -> 172.27.29.6
    tos 0x00, ttl 255, length 106, checksum 0x2a24
    fragment id 0x001c
  UDP: 1024 -> 1024
    length 86, checksum 0xffff
00:08:39:270679: ethernet-input
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:08:39:270685: error-drop
  ethernet-input: unknown vlan

DBGvpp#

Hence I created a sub-interface to allow the tagged packets.
create sub-interfaces TenGigabitEthernet1/0/0 100
set interface state TenGigabitEthernet1/0/0.100 up

Still the packets are not hitting the ACL node and are still dropped, this 
time in the ip4-input node.

00:07:42:330550: dpdk-input
  TenGigabitEthernet1/0/0 rx queue 0
  buffer 0x4d8e: current data 0, length 124, free-list 0, clone-count 0, totlen-nifb 0, trace 0x0
  PKT MBUF: port 0, nb_segs 1, pkt_len 124
    buf_len 2176, data_len 124, ol_flags 0x180, data_off 128, phys_addr 0x6de363c0
    packet_type 0x291
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
  UDP: 172.27.28.6 -> 172.27.29.6
    tos 0x00, ttl 255, length 106, checksum 0x2a25
    fragment id 0x001b
  UDP: 1024 -> 1024
    length 86, checksum 0xffff
00:07:42:330560: ethernet-input
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:07:42:330572: ip4-input
  UDP: 172.27.28.6 -> 172.27.29.6
    tos 0x00, ttl 255, length 106, checksum 0x2a25
    fragment id 0x001b
  UDP: 1024 -> 1024
    length 86, checksum 0xffff
00:07:42:330583: ip4-drop
    UDP: 172.27.28.6 -> 172.27.29.6
      tos 0x00, ttl 255, length 106, checksum 0x2a25
      fragment id 0x001b
    UDP: 1024 -> 1024
      length 86, checksum 0xffff
00:07:42:330586: error-drop
  ip4-input: ip4 adjacency drop

Can you help me find out whether I am missing any configuration, so that my packets 
hit the ACL node and then the ip4-input node?

Please let me know if you need any information on configurations/setup.

Regards,
Balaji

_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
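The following is an added example, not code from the thread or from the VPP project. It does two things a practitioner would want after reading John's answer: it emits the CLI sequence he describes (sub-interface for the VLAN, classify table/session, and the ACL bound with `ip4-table` rather than `l2-table`), and it parses `show trace` output of the shape Balaji posted to report which graph nodes a packet visited, whether it passed through the input-ACL node, and the `error-drop` reason if it was dropped. The node name `ip4-inacl` and the `INACL:` detail line in the second sample are assumptions about the trace format; both sample traces are constructed from the thread's output, not captured from a live system.

```python
import re
from typing import Dict, List, Optional

# Constructed sample trace, modelled on the second trace in the thread:
# packet reaches ip4-input and is dropped, never visiting an ACL node.
TRACE_DROPPED = """\
00:07:42:330550: dpdk-input
  TenGigabitEthernet1/0/0 rx queue 0
00:07:42:330560: ethernet-input
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:07:42:330572: ip4-input
  UDP: 172.27.28.6 -> 172.27.29.6
00:07:42:330583: ip4-drop
    UDP: 172.27.28.6 -> 172.27.29.6
00:07:42:330586: error-drop
  ip4-input: ip4 adjacency drop
"""

# Constructed sample trace (assumed format) showing what a packet looks like once
# the classify table is bound with ip4-table: it passes the ip4-inacl node first.
TRACE_ACL_HIT = """\
00:09:01:100000: dpdk-input
  TenGigabitEthernet1/0/0 rx queue 0
00:09:01:100010: ethernet-input
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:09:01:100020: ip4-inacl
  INACL: sw_if_index 3, next_index 1, table 0, offset 0
00:09:01:100030: ip4-input
  UDP: 172.27.28.6 -> 172.27.29.6
00:09:01:100040: ip4-lookup
  fib 0 dpo-idx 0 flow hash: 0x00000000
"""

# A node header in "show trace" output: hh:mm:ss:usec followed by the node name.
NODE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d+): (\S+)\s*$")


def parse_trace(text: str) -> List[Dict]:
    """Return the ordered graph nodes one packet visited, each with its detail lines."""
    nodes: List[Dict] = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            nodes.append({"ts": m.group(1), "node": m.group(2), "detail": []})
        elif nodes and line.strip():
            # Indented lines belong to the most recent node header.
            nodes[-1]["detail"].append(line.strip())
    return nodes


def check_acl_path(text: str, acl_node: str = "ip4-inacl") -> Dict:
    """Report whether the packet traversed the input-ACL node and why it was dropped, if it was."""
    nodes = parse_trace(text)
    visited = [n["node"] for n in nodes]
    drop_reason: Optional[str] = None
    for n in nodes:
        if n["node"] == "error-drop" and n["detail"]:
            drop_reason = n["detail"][0]  # e.g. "ethernet-input: unknown vlan"
    hint = None
    if drop_reason and drop_reason.endswith("unknown vlan"):
        # The first trace in the thread: no sub-interface exists for the tag.
        hint = "no sub-interface for this VLAN tag; create one before binding the ACL"
    return {"visited": visited, "hit_acl": acl_node in visited,
            "drop_reason": drop_reason, "hint": hint}


def vlan_acl_config(intf: str, vlan: int, table_index: int = 0) -> List[str]:
    """Emit the CLI sequence from the thread, with the ACL bound to the IPv4 forwarding path."""
    sub = f"{intf}.{vlan}"
    return [
        f"create sub-interfaces {intf} {vlan}",
        f"set interface state {sub} up",
        "classify table mask l2 tag1",
        f"classify session acl-hit-next permit opaque-index 0 table-index {table_index} "
        f"match l2 tag1 {vlan}",
        # ip4-table selects the forwarding path the ACL runs on; the l2 tag1 mask
        # above still decides which header bytes are matched.
        f"set int input acl intfc {sub} ip4-table {table_index}",
    ]


if __name__ == "__main__":
    for line in vlan_acl_config("TenGigabitEthernet1/0/0", 100):
        print(line)
    for name, trace in (("dropped", TRACE_DROPPED), ("acl-hit", TRACE_ACL_HIT)):
        print(name, check_acl_path(trace))
```

Feed the real `show trace` output into `check_acl_path` after applying the configuration: `hit_acl` should flip to `True` and `drop_reason` to `None` for packets the session permits; if `drop_reason` still reports `unknown vlan`, the sub-interface for that tag is missing, which is the first failure Balaji hit.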
