Thanks John.
Routing between VLANs is working. But I can't get the ACLs quite
right. I am trying to block all communication between device A
(192.168.3.16) on VLAN 3 and device B (192.168.2.181) on VLAN 2.
vat# acl_add_replace ipv4 deny src 192.168.3.16/32 dst 192.168.2.181/32
vat# acl_dump
vl_api_acl_details_t_handler:194: acl_index: 1, count: 1
tag {}
ipv4 action 0 src 192.168.3.16/32 dst 192.168.2.181/32 proto 0
sport 0-65535 dport 0-65535 tcpflags 0 mask 0
# VLAN on subinterface GigabitEthernet0/14/0.2
vat# acl_interface_set_acl_list sw_if_index 11 input 1 output 1
# VLAN on subinterface GigabitEthernet0/14/0.3
vat# acl_interface_set_acl_list sw_if_index 14 input 1 output 1
vat# acl_interface_list_dump
vl_api_acl_interface_list_details_t_handler:153: sw_if_index: 11,
count: 2, n_input: 1
input 1
output 1
vl_api_acl_interface_list_details_t_handler:153: sw_if_index: 14,
count: 2, n_input: 1
input 1
output 1
I am still able to ping from 192.168.3.16 to 192.168.2.181 after above commands.
Thanks
On Thu, Apr 19, 2018 at 3:55 PM, John Lo (loj) <l...@cisco.com> wrote:
> One more comment - unless there are more VLAN 1 and VLAN 2 sub-interfaces you
> need to put into BDs 1 and 2, then you may just configure IP addresses on the
> sub-interfaces to route directly, as suggested by Andrew. It would be a lot
> more efficient than going through two BDs and route via BVIs. -John
>
> -----Original Message-----
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of John Lo (loj)
> Sent: Thursday, April 19, 2018 4:48 PM
> To: carlito nueno <carlitonu...@gmail.com>; Andrew Yourtchenko
> <ayour...@gmail.com>
> Cc: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] VLAN to VLAN
>
> The config looks correct and should work, assuming the following:
> 1. The devices connected to GigabitEthernet0/14/0.2 have IP addresses in the
> 192.168.2.1/24 subnet with default gateway set to that of the BVI IP address
> of 192.168.2.1.
> 2. The devices connected to GigabitEthernet0/14/0.3 have IP addresses in the
> 192.168.3.1/24 subnet with default gateway set to that of the BVI IP address
> of 192.168.3.1.
>
> One improvement is to put the BVI interfaces into their own VRF by setting
> loop0 and loop1 into a specific ip table to not use the global routing table.
> For example, set the following before assigning IP address to loop0 and
> loop1:
> set int ip table loop0 4
> set int ip table loop1 4
> This will make the routing between BD-VLANs 2 and 3 private and more secure.
>
> Regards,
> John
>
> -----Original Message-----
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of carlito nueno
> Sent: Thursday, April 19, 2018 4:15 PM
> To: Andrew Yourtchenko <ayour...@gmail.com>
> Cc: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] VLAN to VLAN
>
> My current VLAN config:
>
> loopback create
> set int l2 bridge loop1 2 bvi
> set int ip address loop1 192.168.2.1/24
> set int state loop1 up
>
> create sub GigabitEthernet0/14/0 2
> set int l2 bridge GigabitEthernet0/14/0.2 2 set int l2 tag-rewrite
> GigabitEthernet0/14/0.2 pop 1 set int state GigabitEthernet0/14/0.2 up
>
>
> loopback create
> set int l2 bridge loop2 3 bvi
> set int ip address loop2 192.168.3.1/24
> set int state loop2 up
>
> create sub GigabitEthernet0/14/0 3
> set int l2 bridge GigabitEthernet0/14/0.3 3 set int l2 tag-rewrite
> GigabitEthernet0/14/0.3 pop 1 set int state GigabitEthernet0/14/0.3 up
>
>
> So this should route traffic between VLAN 2 and VLAN 3, correct?
>
> Thanks
>
> On Thu, Apr 19, 2018 at 12:52 PM, Andrew Yourtchenko <ayour...@gmail.com>
> wrote:
>>
>> hi Carlito,
>>
>> you can configure subinterfaces with tags and assign the ip addresses
>> so the VPP does routing and then either use vnet ACLs or acl plugin to
>> restrict the traffic.
>>
>> —a
>>
>> On 19 Apr 2018, at 21:07, Dave Barach <dbar...@cisco.com> wrote:
>>
>> Begin forwarded message:
>>
>> From: Carlito Nueno <carlitonu...@gmail.com>
>> Date: April 19, 2018 at 9:03:51 AM HST
>> To: dbar...@cisco.com
>> Subject: VLAN to VLAN
>>
>> Hi Dave,
>>
>> How can I enable VLAN to VLAN communication? I want to have devices on
>> one VLAN talk to devices on another VLAN, if possible constrain the
>> devices by MAC or IP address.
>>
>> For example, only device with MAC (aa:aa:bb:80:90) or IP address
>> (192.168.2.20) on VLAN 100 can talk to devices on VLAN 200
>> (192.168.3.0/24).
>>
>> Thanks
>>
>>
>
>
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links:
You receive all messages sent to this group.
View/Reply Online (#9005): https://lists.fd.io/g/vpp-dev/message/9005
View All Messages In Topic (6): https://lists.fd.io/g/vpp-dev/topic/17639114
Mute This Topic: https://lists.fd.io/mt/17639114/21656
New Topic: https://lists.fd.io/g/vpp-dev/post
Change Your Subscription: https://lists.fd.io/g/vpp-dev/editsub/21656
Group Home: https://lists.fd.io/g/vpp-dev
Contact Group Owner: vpp-dev+ow...@lists.fd.io
Terms of Service: https://lists.fd.io/static/tos
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub
-=-=-=-=-=-=-=-=-=-=-=-
