QoS and ACL over Bridge Virtual Interface (BVI)
Overview
A Bridge Virtual Interface (BVI) acts as a Layer 3 gateway for a bridged Layer 2 domain, such as a VLAN or a bridge domain. Applying Quality of Service (QoS) and Access Control Lists (ACLs) on a BVI interface allows for intelligent traffic control and filtering at the point where Layer 2 traffic transitions to Layer 3 routing.
Refer to the Multi-Protocol Label Switching (MPLS) guide for details:
• For BVI Over L3VPN, see the Bridge Virtual Interface (BVI) Over L3VPN chapter
• For BVI Over 6vPE, see the Bridge Virtual Interface (BVI) Over 6vPE chapter
Limitations
• Only Q1- and Q2-based platforms are supported.
• L2 subinterfaces support only the pop and pop2-tag VLAN rewrite translations. For bridge-domain support, all member L2 subinterfaces must carry the appropriate rewrite configuration so that all traffic in the bridge-domain has a uniform encapsulation.
• The dot1q and dot1ad encapsulations with range are not supported for the BVI.
• The BVI is a generic L3 interface and allows users to configure any or all existing OcNOS features. However, only a subset of these is supported in release 6.6.0: IP address related commands, VRF2, routing protocol specific commands (OSPF/IS-IS/BGP), MTU, DHCP server/relay, ingress/egress ACL, and QoS commands related to marking.
• An L3 ACL applied at the BVI is only relevant for routed traffic. Bridged traffic between L2 subinterfaces is not subjected to an L3 ACL configured at the BVI.
• Interface counters are not supported for the BVI interface.
• The BVI cannot be used as a network interface for all transports in the MPLS core network.
• For QoS, only marking, policing and rate limiting are supported. Other queuing features are not supported at the BVI level. However, existing QoS scheduling and queuing features on other interfaces can be used in conjunction with the BVI interface.
• The following restrictions apply to Q1-based systems:
  • For L3 ACLs on the BVI, only the hardware profile ingress-ipv4-subif-ext is supported.
  • For L3 QoS on the BVI, only the hardware profiles qos-subif-ext and qos-subif-policer are supported.
• L2 MAC ACLs are not supported for the BVI.
• More than one L2 subinterface belonging to the same physical interface cannot be part of the same bridge-domain if a BVI is configured for that bridge-domain.
• QoS features such as shaping, queueing, policing and re-marking are not supported on a BVI interface associated with VPLS.
• The BVI interface internally acts as a virtual L3 interface, so ACL and QoS use the same set of CLI commands as a normal L3 interface. However, because of hardware limitations, not all ACL and QoS features can be supported on the box. Specific hardware profiles must be enabled to support ACL and QoS features on the BVI interface.
Prerequisites
• After configuring the BVI, ensure that the end-to-end traffic flows without any loss.
Configuration
Topology
QoS and ACL on BVI Interface in Topology
Configure QoS and ACL on BVI Interface in DUT1 Router
1. Configure the L2 Subinterface:
DUT1(config-if)#interface xe19.100 switchport
DUT1(config-if)#encapsulation dot1q 100
DUT1(config-if)#rewrite pop
DUT1(config-if)#commit
DUT1(config-if)#exit
2. Configure the BVI Interface:
DUT1(config)#interface bvi1
DUT1(config-if)#ip address 172.16.10.1/24
DUT1(config-if)#commit
DUT1(config-if)#exit
3. Map the BVI interface and subinterface into bridge-domain:
DUT1(config)#bridge-domain 1
DUT1(config-bridge-domain)#interface xe19.100
DUT1(config-bridge-domain)#routed-interface bvi1
DUT1(config-bridge-domain)#commit
DUT1(config-bridge-domain)#exit
4. Enable QoS and Define Policy:
DUT1(config)#qos enable
DUT1(config)#qos statistics
DUT1(config)#commit
DUT1(config)#exit
DUT1(config)#class-map type qos match-any C2
DUT1(config-qos-match-any)#match dscp af11
DUT1(config-qos-match-any)#match cos 3
DUT1(config-qos-match-any)#commit
DUT1(config-qos-match-any)#exit
DUT1(config)#policy-map type qos P2
DUT1(config-pmap-qos)#class type qos C2
DUT1(config-pmap-qos)#police cir 200 mbps eir 200 mbps
DUT1(config-pmap-qos)#commit
DUT1(config-pmap-qos)#exit
5. ACL configuration:
DUT1(config)#ip access-list test1
DUT1(config-ip-acl)#10 deny any host 172.16.10.2 host 172.16.10.1
DUT1(config-ip-acl)#20 permit any any any
DUT1(config-ip-acl)#commit
DUT1(config-ip-acl)#exit
6. Apply the ACL:
DUT1(config)#interface bvi1
DUT1(config-if)#ip access-group test1 in
DUT1(config-if)#commit
DUT1(config-if)#exit
7. Apply the QoS:
DUT1(config)#interface bvi1
DUT1(config-if)#service-policy type qos input P2
DUT1(config-if)#commit
DUT1(config-if)#exit
Configure QoS and ACL on BVI Interface in DUT2 Router
1. Configure the L2 Subinterface:
DUT2(config-if)#interface xe19.100 switchport
DUT2(config-if)#encapsulation dot1q 100
DUT2(config-if)#rewrite pop
DUT2(config-if)#load-interval 30
DUT2(config-if)#commit
DUT2(config-if)#exit
2. Configure the BVI Interface:
DUT2(config)#interface bvi1
DUT2(config-if)#ip address 172.16.10.2/24
DUT2(config-if)#commit
DUT2(config-if)#exit
3. Map the BVI interface and subinterface into bridge-domain:
DUT2(config)#bridge-domain 1
DUT2(config-bridge-domain)#interface xe19.100
DUT2(config-bridge-domain)#routed-interface bvi1
DUT2(config-bridge-domain)#commit
DUT2(config-bridge-domain)#exit
4. Enable QoS and Define Policy:
DUT2(config)#qos enable
DUT2(config)#qos statistics
DUT2(config)#commit
DUT2(config)#class-map type qos match-any C2
DUT2(config-qos-match-any)#match dscp af11
DUT2(config-qos-match-any)#match cos 3
DUT2(config-qos-match-any)#commit
DUT2(config-qos-match-any)#exit
DUT2(config)#policy-map type qos P2
DUT2(config-pmap-qos)#class type qos C2
DUT2(config-pmap-qos)#police cir 50 mbps eir 50 mbps
DUT2(config-pmap-qos)#commit
DUT2(config-pmap-qos)#exit
5. ACL configuration:
DUT2(config)#ip access-list test1
DUT2(config-ip-acl)#10 deny any host 172.16.10.1 host 172.16.10.2
DUT2(config-ip-acl)#20 permit any any any
DUT2(config-ip-acl)#commit
DUT2(config-ip-acl)#exit
6. Apply the ACL:
DUT2(config)#interface bvi1
DUT2(config-if)#ip access-group test1 in
DUT2(config-if)#commit
DUT2(config-if)#exit
7. Apply the QoS:
DUT2(config)#interface bvi1
DUT2(config-if)#service-policy type qos input P2
DUT2(config-if)#commit
DUT2(config-if)#exit
Running Configuration
QoS and ACL on BVI Interface in DUT1
!
interface xe19.100 switchport
 encapsulation dot1q 100
 rewrite pop
 load-interval 30
!
interface bvi1
 ip address 172.16.10.1/24
 ip access-group test1 in
 service-policy type qos input P2
!
bridge-domain 1
 interface xe19.100
 routed-interface bvi1
!
ip access-list test1
 10 deny any host 172.16.10.2 host 172.16.10.1
 20 permit any any any
!
qos enable
qos statistics
!
class-map type qos match-any C2
 match dscp af11
 match cos 3
!
policy-map type qos P2
 class type qos C2
  police cir 200 mbps eir 200 mbps
 exit
!
QoS and ACL on BVI Interface in DUT2
!
interface xe19.100 switchport
 encapsulation dot1q 100
 rewrite pop
 load-interval 30
!
interface bvi1
 ip address 172.16.10.2/24
 ip access-group test1 in
 service-policy type qos input P2
!
bridge-domain 1
 interface xe19.100
 routed-interface bvi1
!
ip access-list test1
 10 deny any host 172.16.10.1 host 172.16.10.2
 20 permit any any any
!
qos enable
qos statistics
!
class-map type qos match-any C2
 match dscp af11
 match cos 3
!
policy-map type qos P2
 class type qos C2
  police cir 50 mbps eir 50 mbps
 exit
!
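The configuration procedure above and the running configuration it produces tie several objects together by name: the ACL named in ip access-group, the policy-map named in service-policy, the class-map named inside the policy-map, and the BVI named as the bridge-domain's routed-interface. A name mismatch (an ACL defined as "test" but applied as "test1", for instance) silently leaves the BVI without the filtering the operator intended. The following script is an added example, not part of this document or of OcNOS; it parses a constructed sample in the shape of the running configuration shown here and reports any such dangling references. The sample deliberately contains one mismatch.

```python
import re
# Constructed sample in the shape of this page's running configuration; the ACL name is
# deliberately mismatched ("test" is defined, "test1" is applied) so the check finds something.
SAMPLE_CONFIG = """\
interface bvi1
 ip address 172.16.10.1/24
 ip access-group test1 in
 service-policy type qos input P2
bridge-domain 1
 interface xe19.100
 routed-interface bvi1
ip access-list test
 10 deny any host 172.16.10.2 host 172.16.10.1
 20 permit any any any
class-map type qos match-any C2
 match dscp af11
policy-map type qos P2
 class type qos C2
  police cir 200 mbps eir 200 mbps
"""
def parse_blocks(text):
    """Group each top-level stanza header with its indented child commands ('!' separators skipped)."""
    blocks, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = (line.strip(), [])
            blocks.append(current)
        elif current:
            current[1].append(line.strip())
    return blocks
def check_references(text):
    """Return dangling references: ACL, policy-map, class-map or BVI names used but never defined."""
    blocks = parse_blocks(text)
    def names(prefix, i=-1):  # collect the object name from every header starting with prefix
        return {h.split()[i] for h, _ in blocks if h.startswith(prefix)}
    checks = [
        (r"ip access-group (\S+) (?:in|out)", names("ip access-list "), "ACL"),
        (r"service-policy type qos (?:input|output) (\S+)", names("policy-map type qos "), "policy-map"),
        (r"class type qos (\S+)", names("class-map type qos "), "class-map"),
        (r"routed-interface (\S+)", names("interface ", 1), "routed-interface"),
    ]
    problems = []
    for header, body in blocks:
        for cmd in body:
            for pattern, defined, kind in checks:
                m = re.fullmatch(pattern, cmd)
                if m and m.group(1) not in defined:
                    problems.append(f"{header}: {kind} '{m.group(1)}' is used but not defined")
    return problems
```

Run check_references() over the output of show running-config after step 7; an empty list means every applied ACL and QoS object resolves to a definition.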
Validation
DUT1
Quality of Service (QoS):
DUT1#show policy-map interface bvi1
Interface bvi1
Type QoS statistics status : enabled
Type QoS Ingress policy-map : P2
Service-policy (qos) input: P2
----------------------------
Class-map (qos): C2 (match any)
match dscp af11
match cos 3
police cir 200 mbps eir 200 mbps bc 125 kbytes be 125 kbytes
matched : 54623616 packets, 6991822848 bytes
transmitted : 25285308 packets, 3236519424 bytes
dropped : 29338308 packets, 3755303424 bytes
DUT1#
DUT1#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
ce52 0.00 4 0.01 8
sa2000 0.00 4 399.36 390000
xe3 862.84 842620 0.02 15
xe19 0.01 8 0.01 12
xe20 0.00 4 399.39 390027
DUT1#
Access Control List (ACL):
DUT1#show access-lists
ip access-list test1
1 permit 23 host 172.16.10.2 host 172.16.10.1 [match=58384779]
20 deny any any any
DUT1#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
ce52 0.00 4 0.01 8
sa2000 0.00 4 0.01 8
xe3 862.86 842633 0.02 15
xe19 0.01 8 0.01 12
xe20 0.00 4 0.01 8
DUT1#
DUT2
Quality of Service (QoS):
DUT2#show policy-map interface bvi1
Interface bvi1
Type QoS Egress policy-map : P2
Service-policy (qos) output: P2
----------------------------
Class-map (qos): C2 (match any)
match dscp af11
match cos 3
police cir 50 mbps eir 50 mbps bc 31 kbytes be 31 kbytes
matched : 2374198640 packets, 294400631360 bytes
transmitted : 667197196 packets, 82732452304 bytes
green (output): 41366165640 bytes
yellow (output): 41366286664 bytes
red (drop): 211668179056 bytes
DUT2#
DUT2#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
xe10 0.00 1 100.52 8379
xe10.20 0.00 0 0.00 1
xe10.100 0.00 0 100.52 8379
xe19 4854.29 404532 0.01 8
xe19.100 4871.83 410921 0.00 3
xe20 0.01 8 0.01 8
Access Control List (ACL):
DUT2#show access-lists
ip access-list test1
1 permit 23 host 172.16.10.1 host 172.16.10.2 [match=58384779]
20 deny any any any
DUT2#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
ce6 0.01 8 0.00 4
ce6.6 0.01 4 0.00 4
sa2000 233.03 227566 0.00 4
sa2000.20 21.34 24243 0.00 4
xe10 0.00 1 0.01 3
xe10.20 0.00 0 0.00 1
xe10.100 0.00 1 0.01 1
xe19 0.01 9 0.00 5
xe19.100 0.01 4 0.00 5
xe20 233.03 227566 0.00 4
DUT2#
Glossary
The following table defines the key terms and abbreviations used throughout this document:
Key Terms/Acronym | Description
ACL | Access Control List
BVI | Bridge Virtual Interface
DUT | Device Under Test
DSCP | Differentiated Services Code Point
LDP | Label Distribution Protocol
MTU | Maximum Transmission Unit
QoS | Quality of Service