Hi Carlito,
What does the packet trace (as per
https://wiki.fd.io/view/VPP/How_To_Use_The_Packet_Generator_and_Packet_Tracer)
look like and which version of VPP are you running ?
--a
> On 20 Apr 2018, at 05:00, Carlito Nueno <carlitonu...@gmail.com> wrote:
>
> Thanks John.
>
> Routing between VLANs is working. But I can't get the ACLs quite
> right. I am trying to block all communication between device A
> (192.168.3.16) on VLAN 3 and device B (192.168.2.181) on VLAN 2.
>
> vat# acl_add_replace ipv4 deny src 192.168.3.16/32 dst 192.168.2.181/32
> vat# acl_dump
> vl_api_acl_details_t_handler:194: acl_index: 1, count: 1
> tag {}
> ipv4 action 0 src 192.168.3.16/32 dst 192.168.2.181/32 proto 0
> sport 0-65535 dport 0-65535 tcpflags 0 mask 0
>
> # VLAN on subinterface GigabitEthernet0/14/0.2
> vat# acl_interface_set_acl_list sw_if_index 11 input 1 output 1
>
> # VLAN on subinterface GigabitEthernet0/14/0.3
> vat# acl_interface_set_acl_list sw_if_index 14 input 1 output 1
>
> vat# acl_interface_list_dump
> vl_api_acl_interface_list_details_t_handler:153: sw_if_index: 11,
> count: 2, n_input: 1
> input 1
> output 1
> vl_api_acl_interface_list_details_t_handler:153: sw_if_index: 14,
> count: 2, n_input: 1
> input 1
> output 1
>
> I am still able to ping from 192.168.3.16 to 192.168.2.181 after above
> commands.
>
> Thanks
>
>> On Thu, Apr 19, 2018 at 3:55 PM, John Lo (loj) <l...@cisco.com> wrote:
>> One more comment - unless there are more VLAN 1 and VLAN 2 sub-interfaces
>> you need to put into BDs 1 and 2, then you may just configure IP addresses
>> on the sub-interfaces to route directly, as suggested by Andrew. It would be
>> a lot more efficient than going through two BDs and route via BVIs. -John
>>
>> -----Original Message-----
>> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of John Lo (loj)
>> Sent: Thursday, April 19, 2018 4:48 PM
>> To: carlito nueno <carlitonu...@gmail.com>; Andrew Yourtchenko
>> <ayour...@gmail.com>
>> Cc: vpp-dev@lists.fd.io
>> Subject: Re: [vpp-dev] VLAN to VLAN
>>
>> The config looks correct and should work, assuming the following:
>> 1. The devices connected to GigabitEthernet0/14/0.2 have IP addresses in the
>> 192.168.2.1/24 subnet with default gateway set to that of the BVI IP address
>> of 192.168.2.1.
>> 2. The devices connected to GigabitEthernet0/14/0.3 have IP addresses in the
>> 192.168.3.1/24 subnet with default gateway set to that of the BVI IP address
>> of 192.168.3.1.
>>
>> One improvement is to put the BVI interfaces into their own VRF by setting
>> loop0 and loop1 into a specific ip table to not use the global routing
>> table. For example, set the following before assigning IP address to loop0
>> and loop1:
>> set int ip table loop0 4
>> set int ip table loop1 4
>> This will make the routing between BD-VLANs 2 and 3 private and more secure.
>>
>> Regards,
>> John
>>
>> -----Original Message-----
>> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of carlito nueno
>> Sent: Thursday, April 19, 2018 4:15 PM
>> To: Andrew Yourtchenko <ayour...@gmail.com>
>> Cc: vpp-dev@lists.fd.io
>> Subject: Re: [vpp-dev] VLAN to VLAN
>>
>> My current VLAN config:
>>
>> loopback create
>> set int l2 bridge loop1 2 bvi
>> set int ip address loop1 192.168.2.1/24
>> set int state loop1 up
>>
>> create sub GigabitEthernet0/14/0 2
>> set int l2 bridge GigabitEthernet0/14/0.2 2 set int l2 tag-rewrite
>> GigabitEthernet0/14/0.2 pop 1 set int state GigabitEthernet0/14/0.2 up
>>
>>
>> loopback create
>> set int l2 bridge loop2 3 bvi
>> set int ip address loop2 192.168.3.1/24
>> set int state loop2 up
>>
>> create sub GigabitEthernet0/14/0 3
>> set int l2 bridge GigabitEthernet0/14/0.3 3 set int l2 tag-rewrite
>> GigabitEthernet0/14/0.3 pop 1 set int state GigabitEthernet0/14/0.3 up
>>
>>
>> So this should route traffic between VLAN 2 and VLAN 3, correct?
>>
>> Thanks
>>
>>> On Thu, Apr 19, 2018 at 12:52 PM, Andrew Yourtchenko <ayour...@gmail.com>
>>> wrote:
>>>
>>> hi Carlito,
>>>
>>> you can configure subinterfaces with tags and assign the ip addresses
>>> so the VPP does routing and then either use vnet ACLs or acl plugin to
>>> restrict the traffic.
>>>
>>> —a
>>>
>>> On 19 Apr 2018, at 21:07, Dave Barach <dbar...@cisco.com> wrote:
>>>
>>> Begin forwarded message:
>>>
>>> From: Carlito Nueno <carlitonu...@gmail.com>
>>> Date: April 19, 2018 at 9:03:51 AM HST
>>> To: dbar...@cisco.com
>>> Subject: VLAN to VLAN
>>>
>>> Hi Dave,
>>>
>>> How can I enable VLAN to VLAN communication? I want to have devices on
>>> one VLAN talk to devices on another VLAN, if possible constrain the
>>> devices by MAC or IP address.
>>>
>>> For example, only device with MAC (aa:aa:bb:80:90) or IP address
>>> (192.168.2.20) on VLAN 100 can talk to devices on VLAN 200
>>> (192.168.3.0/24).
>>>
>>> Thanks
>>>
>>>
>>
>>
>>
>>
>>
>>
