Multivendor network development and automation from the industry expert. Only useful knowledge and skills.

Karneliuk

Access-lists (ACL) in Nokia (Alcatel-Lucent) SR and Cisco IOS XR

Anton KarneliukNetworking

Hello my friend,

In this article I’ll cover two functions of access-lists, which they have in Nokia (Alcatel-Lucent) SR OS and Cisco IOS XR: data plane protection and policy based routing. Though usually you don’t use them in lab, in real network their importance and distribution is really high.

Topology

Physical topology that we has built in previous series coupled with trunking are as good so we don’t need to change it. That’s why we’ll just recall it:

030_net_02_phy

The logical topology is very similar to the previous one, which we used for ISIS configuration:

036_net_02_logical

IPv4/OSPFv2 and IPv6/OSPFv3 is already configured. Pay attention that we have two different processes: 1 (red links on the image) and 2 (yellow links on the image). Each process has a loopback interface at each router that is announces only via this process. Two processes are needed to show you how policy routing (or more correctly access-list based forwarding – ABF) works.

Initial configuration you can find here: SR1_initial SR3_initial XR1_initial linux

Data plane protection for IPv4

The first task, which access-lists solve, is data plane security. So access-lists just filter the traffic based on desired conditions. Their logic is very straightforward:

  • Find the interesting traffic based on configured match parameters.
  • Apply the configured action (either forward traffic further or drop it).

Each entry in access-list, which is called access control entry or ACE, has a number. Access-list is checked for matched starting from lower number and continues until first match. When the match is found, then the configured action is performed and no more checks are done. That’s why it’s important to configure the more specific rules with lower numbers (on the top access-list). If there is no match, then default action is applied. Default action is drop both in Nokia (Alcatel-Lucent) SR OS and Cisco IOS XR, though you can change it Nokia (Alcatel-Lucent) SR OS. In Cisco IOS XR you also can allow all traffic just by configuring usual rule that allows all traffic.

Let’s configure the filter in such a way:

  • allow any OSPF traffic;
  • deny ICMP traffic from peer IP address at this interface (and log such packets);
  • allow any other traffic.

This access-lust should be applied at SR1 in the direction from SR3 and at XR1 in the direction from SR3. Before applying the rule it is possible to make ping from interface IP addresses at SR3:

A:SR3# ping 10.1.0.2 source 10.1.0.3
PING 10.1.0.2 56 data bytes
64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=7.36ms.
—- 10.1.0.2 PING Statistics —-
1 packets transmitted, 1 packets received, 0.00% packet loss
round-trip min = 7.36ms, avg = 7.36ms, max = 7.36ms, stddev = 0.00ms
!
!
A:SR3# ping 10.2.0.2 source 10.2.0.3
PING 10.1.0.2 56 data bytes
64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=7.36ms.
—- 10.1.0.2 PING Statistics —-
1 packets transmitted, 1 packets received, 0.00% packet loss
round-trip min = 7.36ms, avg = 7.36ms, max = 7.36ms, stddev = 0.00ms

Let’s configure such access-lists for mentioned routers, what involves both Nokia (Alcatel-Lucent) SR OS and Cisco IOS XR:

Nokia (Alcatel-Lucent) VSR (SR 7750) Cisco IOS XR (ASR 9000)
SR1 XR1

*A:SR1>config>filter# info
————————–
log 101 create
destination memory 500
exit
ip-filter 1 create
default-action forward
description “ACL_SR3_IN”
entry 10 create
match protocol ospf-igp
exit
action forward
exit
entry 20 create
match protocol icmp
src-ip 10.1.0.3/32
exit
log 101
action drop
exit
exit
————————–
*A:SR1>config>router# info
————————–
interface “toSR3”
ingress
filter ip 1
exit
exit
————————–

RP/0/0/CPU0:XR1(config)#show conf
ipv4 access-list ACL_SR3_IN
10 permit ospf any any
20 deny icmp host 10.2.0.3 any log
30 permit ipv4 any any
!
interface GigabitEthernet0/0/0/0.23
ipv4 access-group ACL_SR3_IN ingress
!
End

First of all you can mention that in Nokia (Alcatel-Lucent) SR OS you configure separate logging for access-lists. In the article about logging we have covered many interesting things, but not these one. In Cisco IOS XR there are no separate log streams, so they are sent to all destinations, which satisfy their severity (informational – level 6).

Also you can notice, that in Cisco IOS XR you configure the whole rule just in one line. In Nokia (Alcatel-Lucent) SR OS it is easier to correct rule as its components are configured separately.

Let’s check if configured access-lists achieve their goal:

A:SR3# ping 10.1.0.2 source 10.1.0.3 count 1
PING 10.1.0.2 56 data bytes
Request timed out. icmp_seq=1.
—- 10.1.0.2 PING Statistics —-
1 packet transmitted, 0 packets received, 100% packet loss
!
!
A:SR3# ping 10.1.0.2 source 10.1.33.1 count 1
PING 10.1.0.2 56 data bytes
64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=4.14ms.
—- 10.1.0.2 PING Statistics —-
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 4.14ms, avg = 4.14ms, max = 4.14ms, stddev = 0.000ms
!
!
A:SR3# ping 10.2.0.2 source 10.2.0.3 count 1
PING 10.2.0.2 56 data bytes
—- 10.2.0.2 PING Statistics —-
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss
!
!
A:SR3# ping 10.2.0.2 source 10.2.33.1 count 1
PING 10.2.0.2 56 data bytes
64 bytes from 10.2.0.2: icmp_seq=1 ttl=255 time=1.45ms.
—- 10.2.0.2 PING Statistics —-
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 1.45ms, avg = 1.45ms, max = 1.45ms, stddev = 0.000ms

As you can see the ping from interface’s IP address don’t work, though it works for loopback addresses. Also you can check log for dropped packets. In Nokia (Alcatel-Lucent) VSR (SR 7750) you do it as follows:

A:SR1# show filter log 101
============================================================================
Filter Log
============================================================================
Admin state : Enabled
Description : Default filter log
Destination : Memory
Wrap        : Enabled
—————————————————————————-
Maximum entries configured : 500
Number of entries logged   : 1
—————————————————————————-
2016/09/02 15:41:20 Ip Filter: 1:20 Desc:
Interface: toSR3 Direction: Ingress Action: Drop
Src MAC: fa-ac-a6-00-03-02 Dst MAC: fa-ac-a6-00-01-02 EtherType: 0800
Src IP: 10.1.0.3 Dst IP: 10.1.0.2 Flags: 0 TOS: 00 TTL: 64 Len: 84
Protocol: ICMP Type: Echo Request Code: 0
============================================================================

In Cisco IOS XR (ASR 9000) you can see it in all logs:

RP/0/0/CPU0:XR1#show logging
Aug 4 06:52:13.102 : ipv4_acl_mgr[264]: %ACL-IPV4_ACL-6-IPACCESSLOGDP : access-list ACL_SR3_IN (20) deny icmp 10.2.0.3 -> 10.2.0.2 (8/0), 1 packet

Besides logs, you can check how does your access-lists works in terms of proceeded packets and so on. In Nokia (Alcatel-Lucent) SR OS you do it as follows:

A:SR1# show filter ip 1
============================================================================
IP Filter
============================================================================
Filter Id    : 1                               Applied         : Yes
Scope        : Template                        Def. Action     : Forward
System filter: Unchained
Entries      : 2
Description  : ACL_SR3_IN
—————————————————————————-
Filter Match Criteria : IP
—————————————————————————-
Entry        : 10
Description  : (Not Specified)
Log Id       : n/a
Src. IP      : 0.0.0.0/0
Src. Port    : n/a
Dest. IP     : 0.0.0.0/0
Dest. Port   : n/a
Protocol     : 89                               Dscp           : Undefined
ICMP Type    : Undefined                        ICMP Code      : Undefined
Fragment     : Off                              Src Route Opt  : Off
Sampling     : Off                              Int. Sampling  : On
IP-Option    : 0/0                              Multiple Option: Off
TCP-syn      : Off                              TCP-ack        : Off
Option-pres  : Off
Match action : Forward
Next Hop     : Not Specified
Ing. Matches : 218 pkts (19776 bytes)
Egr. Matches : 0 pkts
—————————————————————————-
Entry        : 20
Description  : (Not Specified)
Log Id       : 101
Src. IP      : 10.1.0.3/32
Src. Port    : n/a
Dest. IP     : 0.0.0.0/0
Dest. Port   : n/a
Protocol     : 1                               Dscp           : Undefined
ICMP Type    : Undefined                       ICMP Code      : Undefined
Fragment     : Off                             Src Route Opt  : Off
Sampling     : Off                             Int. Sampling  : On
IP-Option    : 0/0                             Multiple Option: Off
TCP-syn      : Off                             TCP-ack        : Off
Option-pres  : Off
Match action : Drop
Ing. Matches : 6 pkts (636 bytes)
Egr. Matches : 0 pkts
============================================================================
!
!
A:SR1# show filter ip 1 associations
============================================================================
IP Filter
============================================================================
Filter Id    : 1                               Applied        : Yes
Scope        : Template                        Def. Action    : Forward
System filter: Unchained
Entries      : 2
Description  : ACL_SR3_IN
—————————————————————————-
Filter Association : IP
—————————————————————————-
Router Interface toSR3 (Ingress)
—————————————————————————-
Filter associated with IOM: 1
============================================================================

At the beginning of the output above you can check, if the access-list is in use or not. Then in each entry you can see the number of matched packets and all the applied match rules. In Cisco IOS XR you have the following commands:

RP/0/0/CPU0:XR1#show access-lists ipv4
ipv4 access-list ACL_SR3_IN
10 permit ospf any any (261 matches)
20 deny icmp host 10.2.0.3 any log (4 matches)
30 permit ipv4 any any (1 match)
!
!
RP/0/0/CPU0:XR1#show access-lists ipv4 usage pfilter location all
Interface : GigabitEthernet0/0/0/0.23
Input ACL : ACL_SR3_IN
Output ACL : N/A

Data plane protection for IPv6

Let’s configure the same security rule for IPv6 data plane, as we’ve just done it for IPv4 addresses.

One exception for IPv6 traffic is that we allow NDP packets, which are ARP substitute in IPv6 world. Without NDP we are unable to make resolution of MAC addresses to IPv6.

Nokia (Alcatel-Lucent) VSR (SR 7750) Cisco IOS XR (ASR 9000)
SR1 XR1

*A:SR1>config>filter# info
————————–
log 102 create
destination memory 500
exit
ipv6-filter 1 create
default-action forward
description “ACL_SR3_IN”
entry 10 create
match next-header ospf-igp
exit
action forward
exit
entry 18 create
match next-header ipv6-icmp
icmp-type neighbor-solicitation
exit
action forward
exit
entry 19 create
match next-header ipv6-icmp
icmp-type neighbor-advertisement
exit
action forward
exit
entry 20 create
match next-header ipv6-icmp
src-ip fe80::3:1301/128
exit
log 102
action drop
exit
exit
————————–
*A:SR1>config>router# info
————————–
interface “toSR3”
ingress
filter ipv6 1
exit
exit
————————–

RP/0/0/CPU0:XR1(config)#show conf
ipv6 access-list ACL_SR3_IN
10 permit ospf any any
18 permit icmpv6 any any nd-na
19 permit icmpv6 any any nd-ns
20 deny icmpv6 host fe80::3:2301 any log
30 permit ipv6 any any
!
interface GigabitEthernet0/0/0/0.23
ipv6 access-group ACL_SR3_IN ingress
!
End

As IPv4 and IPv6 access-lists live in different name spaces, so it’s OK to use the same name. It’s up to you, whether to do it or not, but it’s possible.

The next thing is that we configure new log stream in Nokia (Alcatel-Lucent) SR OS. We can to reuse the previously configured, but new is more convenient. According to our task, we should be able to ping loopback IP addresses from another loopback IP addresses, but we shouldn’t be able to ping interconnect IP:

A:SR3# ping fe80::2:2301-“toXR1” count 1
PING fe80::2:2301-“toXR1” 56 data bytes
—- fe80::2:2301 (toXR1) PING Statistics —-
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss
!
!
A:SR3# ping fc00::10:2:22:1 source fc00::10:2:33:1 count 1
PING fc00::10:2:22:1 56 data bytes
64 bytes from fc00::10:2:22:1 icmp_seq=1 hlim=64 time=15.6ms.
—- fc00::10:2:22:1 PING Statistics —-
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 15.6ms, avg = 15.6ms, max = 15.6ms, stddev = 0.000ms
!
!
A:SR3# ping fe80::1:1301-“toSR1” count 1
PING fe80::1:1301-“toSR1” 56 data bytes
Request timed out. icmp_seq=1.
—- fe80::1:1301 (toSR1) PING Statistics —-
1 packet transmitted, 0 packets received, 100% packet loss
!
!
A:SR3# ping fc00::10:1:11:1 source fc00::10:1:33:1 count 1
PING fc00::10:1:11:1 56 data bytes
64 bytes from fc00::10:1:11:1 icmp_seq=1 hlim=64 time=19.7ms.
—- fc00::10:1:11:1 PING Statistics —-
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 19.7ms, avg = 19.7ms, max = 19.7ms, stddev = 0.000ms

It works as it should. All the show commands are the same as it were for IPv4. The only difference is that you should use “ipv6” as a keyword instead of “ipv4”.

Access-list based forwarding

Access-list based forwarding (shortly ABF) is an easiest form of policy based routing (PBR). It’s quite controversial tool, because it might makes troubleshooting of the network much more difficult. The main idea here is to send packets based on other parameter then destination IP address as it’s done in traditional routing. Let’s take a look how traffic from Lo2 at SR3 reaches the Lo2 at SR1:

A:SR3# ping 10.2.11.1 source 10.2.33.1 count 1
PING 10.2.11.1 56 data bytes
64 bytes from 10.2.11.1: icmp_seq=1 ttl=63 time=7.96ms.
—- 10.2.11.1 PING Statistics —-
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 7.96ms, avg = 7.96ms, max = 7.96ms, stddev = 0.000ms
!
!
A:SR3# traceroute 10.2.11.1 source 10.2.33.1
traceroute to 10.2.11.1 from 10.2.33.1, 30 hops max, 40 byte packets
1 0.0.0.0 * * *
2 10.2.11.1 (10.2.11.1) 12.9 ms 16.2 ms 17.0 ms

It seems very weird, frankly speaking, but Cisco IOS XR isn’t reflected in the path. I’ve taken a look into wire:

036_net_03_ws

Cisco IOS XR responds to traceroute packets (UDP) with ICMP – TTL exceeded messages instead of ICMP port unreachable messages. To be honest I have ideas why it is so. It makes my task to show you ABF a little bit more complex, but I still want to do it.

Take a look in RIB at XR1:

RP/0/0/CPU0:XR1#show route ipv4 10.2.11.1/32
Routing entry for 10.2.11.1/32
Known via “ospf 2”, distance 110, metric 100, type intra area
Installed Aug 4 08:01:47.806 for 00:46:33
Routing Descriptor Blocks
10.2.0.0, from 10.2.11.1, via GigabitEthernet0/0/0/0.11
Route metric is 100
No advertising protos.

Packets to prefix 10.2.11.1/32 are sent to 10.2.0.0 via interface gi 0/0/0/0.11 at XR1. Now let’s see how packets from SR1 are sent to 10.1.22.1/32:

A:SR1# show router route-table 10.1.22.1/32
============================================================================
Route Table (Router: Base)
============================================================================
Dest Prefix[Flags]                        Type    Proto    Age       Pref
Next Hop[Interface Name]                                 Metric
—————————————————————————-
10.1.22.1/32                              Remote  OSPF(1)  00h49m17s 10
10.1.0.1                                                 101
—————————————————————————-
No. of Routes: 1

So works ordinary routing (more precisely, destination based routing). Now let’s change it. Take a look at our topology again:

We want to make the following changes in IP forwarding:

From SR3/Lo1 to XR1/Lo1 At SR1 over toXR1_p2
From SR3/Lo2 to SR1/Lo2 At XR1 over g0/0/0/0.10

All other traffic should be untouched. In order to get the desired forwarding pattern we have to add one rule to existing access-lists in direction of SR3. In order to check that traffic really comes at interesting interfaces (without ability to use traceroute), let’s create basic access-lists and attach then at interfaces SR1-XR1:

Nokia (Alcatel-Lucent) VSR (SR 7750) Cisco IOS XR (ASR 9000)
SR1 XR1

*A:SR1>config>filter# info
————————–
ip-filter 1 create
entry 30 create
match protocol icmp
dst-ip 10.1.22.1/32
src-ip 10.1.33.1/32
exit
action forward next-hop 10.2.0.1
exit
exit
ip-filter 10 create
default-action forward
entry 10 create
match
dst-ip 10.1.22.1/32
src-ip 10.1.33.1/32
exit
action forward
exit
exit
ip-filter 11 create
default-action forward
entry 10 create
match
dst-ip 10.1.0.1/32
src-ip 10.1.33.1/32
exit
action forward
exit
exit
————————–
*A:SR1>config>router# info
————————–
interface “toXR1_p1”
egress
filter ip 11
exit
exit
interface “toXR1_p2”
egress
filter ip 10
exit
exit
————————–

RP/0/0/CPU0:XR1(config)#show conf
ipv4 access-list CHECK1
10 permit ipv4 host 10.2.33.1 host 10.2.11.1
20 permit ipv4 any any
!
ipv4 access-list CHECK2
10 permit ipv4 host 10.2.33.1 host 10.2.0.0
20 permit ipv4 any any
!
ipv4 access-list ACL_SR3_IN
25 permit icmp host 10.2.33.1 host 10.2.11.1 nexthop1 ipv4 10.1.0.0
!
interface GigabitEthernet0/0/0/0.10
ipv4 access-group CHECK1 egress
!
interface GigabitEthernet0/0/0/0.11
ipv4 access-group CHECK2 egress
!
end

Let’s verify availability first of all at path SR1/Lo1 to XR1/Lo1:

PING 10.1.22.1 56 data bytes
64 bytes from 10.1.22.1: icmp_seq=1 ttl=254 time=4.63ms.
—- 10.1.22.1 PING Statistics —-
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 4.63ms, avg = 4.63ms, max = 4.63ms, stddev = 0.000ms
!
!
A:SR3# ping 10.1.0.1 source 10.1.33.1 count 1
PING 10.1.0.1 56 data bytes
64 bytes from 10.1.0.1: icmp_seq=1 ttl=254 time=7.71ms.
—- 10.1.0.1 PING Statistics —-
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 7.71ms, avg = 7.71ms, max = 7.71ms, stddev = 0.000ms

The connectivity isn’t broken, so it’s good. Now let’s take a look into new access-lists that have been just configured for matching traffic:

A:SR1# show filter ip 10
============================================================================
IP Filter
============================================================================
Filter Id    : 1                               Applied        : Yes
Scope        : Template                        Def. Action    : Forward
—————————————————————————-
Filter Match Criteria : IP
—————————————————————————-
Entry        : 10
Description  : (Not Specified)
Log Id       : n/a
Src. IP      : 10.1.33.1/32
Src. Port    : n/a
Dest. IP     : 10.1.22.1/32
Dest. Port   : n/a
Ing. Matches : 0 pkts
Egr. Matches : 1 pkts (84 bytes)
============================================================================
!
!
A:SR1# show filter ip 11
============================================================================
IP Filter
============================================================================
Filter Id    : 11                              Applied        : Yes
Scope        : Template                        Def. Action    : Forward
—————————————————————————-
Filter Match Criteria : IP
—————————————————————————-
Entry        : 10
Description  : (Not Specified)
Log Id       : n/a
Src. IP      : 10.1.33.1/32
Src. Port    : n/a
Dest. IP     : 10.1.0.1/32
Dest. Port   : n/a
Ing. Matches : 0 pkts
Egr. Matches : 1 pkts (84 bytes)
============================================================================

You can see that egress counters have increased by the number of sent packets. It means that our access-list based forwarding works (ABF) at least in Nokia (Alcatel-Lucent) SR OS. Let’s check, if Cisco IOS XR behaves as we have configured:

A:SR3# ping 10.2.11.1 source 10.2.33.1 count 1
PING 10.2.11.1 56 data bytes
64 bytes from 10.2.11.1: icmp_seq=1 ttl=63 time=6.88ms.
—- 10.2.11.1 PING Statistics —-
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 6.88ms, avg = 6.88ms, max = 6.88ms, stddev = 0.000ms
!
!
A:SR3# ping 10.2.0.0 source 10.2.33.1 count 1
PING 10.2.0.0 56 data bytes
64 bytes from 10.2.0.0: icmp_seq=1 ttl=63 time=7.32ms.
—- 10.2.0.0 PING Statistics —-
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 7.32ms, avg = 7.32ms, max = 7.32ms, stddev = 0.000ms

And here are the hits of access-lists:

RP/0/0/CPU0:XR1#show access-lists
ipv4 access-list ACL_SR3_IN
10 permit ospf any any (16 matches)
20 deny icmp host 10.2.0.3 any log
25 permit icmp host 10.2.33.1 host 10.2.11.1 nexthop1 ipv4 10.1.0.0 (1 match)
30 permit ipv4 any any (1 match)
ipv4 access-list CHECK1
10 permit ipv4 host 10.2.33.1 host 10.2.11.1
20 permit ipv4 any any
ipv4 access-list CHECK2
10 permit ipv4 host 10.2.33.1 host 10.2.0.0
20 permit ipv4 any any

Unfortunately Cisco IOS XR (or more precisely my version of Cisco IOS XRv) doesn’t show the hits for egress access-lists, but I’m quite sure that it’s just bug. As we see the counters at ingress access-lists properly increasing, I hope it works.
The main problem with ABF is that these routes aren’t visible in routing table. And as we see, there are some problems in interoperability of traceroute between Nokia (Alcatel-Lucent) SR OS and Cisco IOS XR, making troubleshooting of IP connectivity a real nightmare.
For IPv6 the configuration of ABF is pretty the same and you can find in final configuration files:

Lessons learned

Upon configuring lab for this article, I faced the problem that initially IPv6/OPSFv3 adjacency between Nokia (Alcatel-Lucent) SR OS and Cisco IOS XR haven’t come up. Debug in Nokia (Alcatel-Lucent) SR OS wasn’t informative, as I saw only outgoing packets:

34 2016/09/02 08:15:22.21 UTC MINOR: DEBUG #2001 Base OSPFv3(Inst: 2)
“OSPFv3(Inst: 2): PKT
>> Outgoing OSPF packet on I/F toXR1_p1 area 0.0.0.0
OSPF Version    : 3
Router Id       : 10.1.11.6
Area Id         : 0.0.0.0
Checksum        : 0000
InstanceID      : 1
Packet Type     : HELLO
Packet Length   : 36 “

At Cisco IOS XR I was able to see both incoming and outgoining packets:

RP/0/0/CPU0:Aug 4 02:46:24.252 : ospfv3[1030]: PKT: Recv: HLO l:36 inst:1 aid:0.0.0.0 from GigabitEthernet0/0/0/0.10 fe80::1:1001 (10.1.11.6)
RP/0/0/CPU0:Aug 4 02:46:25.852 : ospfv3[1030]: PKT: Send: HLO l:36 inst:0 aid:0.0.0.0 to GigabitEthernet0/0/0/0.10 ff02::5

I was writing this article in train, so I had no access to Internet to find the solution so I had to invent it myself, what I find very interesting task. In the log you can see with bold, that instance ID is different between Nokia (Alcatel-Lucent) SR OS and Cisco IOS XR. The reason for that is different behavior of OSPFv3 operation. When you configure in Nokia (Alcatel-Lucent) different processes of OSPFv3 they are separated by instances in the time of creation as it doesn’t have process names, as you have in Cisco. In Cisco IOS XR you can add instance to OSPFv3 configuration though it isn’t mandatory. And as you can see in the article about IPv6/OSPFv3, we haven’t configured it. In current article, where we have two separate processes, it’s needed. The following configuration was applied:

Nokia (Alcatel-Lucent) VSR (SR 7750) Cisco IOS XR (ASR 9000)
SR1 XR1

*A:SR1# configure router
*A:SR1>config>router# ospf3 1
*A:SR1>config>router# ospf3 2

RP/0/0/CPU0:XR1(config)#show conf
router ospfv3 1 <-name, not instance
instance 1
!
router ospfv3 2 <-name, not instance
instance 2
!
end

For IPv4/OSPFv2 there is no such problem, as instance ID isn’t included in hello packet.

Conclusion

Access-lists were used for a long time in networks, especially at so called border nodes, what are actually network elements that has external connections. From the security point of view it’s very simple measure (if we compare it with IPS/IDS and statefull firewalls), it’s very often used at Internet routers, which don’t have any firewall in between. From routing point of view, ABF sometimes can really help. Several times I use it myself during migration phases of real network, where it’s impossible to implement target solution at once without interruption of services. Nevertheless I don’t recommend use it as permanent solution, because troubleshooting of ABF (and I seen it myself as well) is really difficult, because if the engineer is not aware of such solution, he won’t find it very quick. Take care and good bye!

Support us






BR,
Anton Karneliuk

Anton Karneliuk

Software Development IT infrastructure (compute/network/storage) DevOps

Leave a Reply

Comment as a guest.

Read Next

© 2025 Karneliuk

Sliding Sidebar