This feature adds support for the EXOS ACL (Access Control List) match criteria "cvid". It provides the ability to specify access-lists that filter on the inner VLAN (Virtual LAN) ID field of a double-tagged packet, the customer VLAN ID field of a single-tagged packet entering a VMAN UNI/CEP port, or the port-cvid inserted into an untagged packet entering a VMAN UNI port. You can use this feature to perform service-level, or customer-level (cvid) rate-limiting and accounting.
You can utilize this match criteria in the following scenarios:
    create vman vm1 tag 100
    config vman vm1 add port 1 cep cvid 7 translate 8
    config vman vm1 add port 2 tag

Now consider the following ACL policy applied to "access" port 1:
test.pol:

    entry one {
        if {
            cvid 7;
        } then {
            count count7;
        }
    }
    entry two {
        if {
            cvid 8;
        } then {
            count count8;
        }
    }

    config access-list test port 1
    config access-list test port 1 egress

This results in "count8" incrementing for ingress, and "count7" incrementing on egress.
Here is another example policy:
    entry one {
        if {
            cvid 7;
            vlan-id 100;    #SVID
        } then {
            count foo;
        }
    }
And here's an example that allows you to perform service-level, or customer-level (cvid) rate-limiting and accounting:
doubletag.pol:

    entry customer1 {
        if {
            cvid 8;
        } then {
            count cust1;
        }
    }

    create vman vm1 tag 100
    config vman vm1 add port 21
    config vman vm1 add port 22 tag
    config access-list doubletag port 21
    config access-list doubletag port 21 egress
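The doubletag policy only counts traffic. The following added example (not part of the original documentation) pairs the same cvid match with a meter so that customer 8 is rate-limited as well as counted. The policy name cust8meter, the meter name cust8_meter and the 10 Mbps rate are assumptions chosen for illustration, and it assumes the platform accepts the meter action together with a cvid match on ingress.

```exos
# cust8meter.pol  (hypothetical policy file name; added example)
# Matches customer VLAN 8 as in doubletag.pol, counts it, and
# hands the matched traffic to a meter for rate-limiting.
entry customer1_limit {
    if {
        cvid 8;
    } then {
        count cust1;
        meter cust8_meter;    # hypothetical meter name, created below
    }
}

# CLI: create the meter before applying the policy that references it.
# 10 Mbps is a constructed sample rate, not a value from the page.
create meter cust8_meter
config meter cust8_meter committed-rate 10 Mbps out-actions drop

# VMAN and port layout are the same as in the doubletag example.
create vman vm1 tag 100
config vman vm1 add port 21
config vman vm1 add port 22 tag

# Apply on ingress of the customer-facing port only.
config access-list cust8meter port 21
```

The cust1 counter still reports every packet that matched cvid 8 on that port, which gives the per-customer accounting figure alongside the enforced rate.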
The CVID ACL match criteria support has the following limitations:
CVID ACL match criteria is supported on all platforms.