Cisco Viptela SDWAN: Part 3 Access lists to check sequence counter issue
You have probably heard of access lists, but how can they be used to check for a BFD sequence counter issue? Building one is a useful and necessary step after you have looked at the show bfd sessions output.
Now that the private and public IPs and ports are known, you can create an Access Control List (ACL) that matches on SRC_PORT, DST_PORT, SRC_IP and DST_IP. The hit counters on that ACL let you confirm whether BFD messages are actually being sent and received on this tunnel.
Fig 1.1 - BFD & Access Lists
Let us take the example of creating the access list below. Before that, look at the output of show tunnel statistics to collect the tunnel endpoints.
We apply the access list for the local color "Silver" as follows:
policy
 access-list TRAFFIC_ACL
  sequence 10
   match
    source-ip      60.60.60.1/32
    destination-ip 57.45.12.11/32
   !
   action accept
    count TRAFFICout++
   !
  !
  sequence 20
   match
    source-ip      57.45.12.11/32
    destination-ip 60.60.60.1/32
   !
   action accept
    count TRAFFICin++
   !
  !
  default-action accept
 !
!
vpn 0
 interface ge0/1
  access-list TRAFFIC_ACL in
  access-list TRAFFIC_ACL out
 !
!
Looking at the access list applied in the policy above, you can see that the ACL has two sequences. Sequence 10 matches the BFD messages sent from this vEdge to the peer, and sequence 20 does the opposite: it matches the messages received from the peer.
The example matches on the source (private) and destination (public) addresses; the same sequences can also match on the source and destination ports. If the vEdge sits behind NAT, make sure you check against the correct (post-NAT) source and destination ports, otherwise the counters will never increment even though BFD is flowing.
To check the hits on each sequence counter, issue:
show policy access-list counters TRAFFIC_ACL
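The counters only tell you something when you compare two readings a few seconds apart: a TRAFFICout++ counter that grows while TRAFFICin++ stays flat means this vEdge is sending BFD but nothing is coming back. The script below is an added example, not part of the original post or of any Cisco tooling. It parses two snapshots of the counters output and classifies each direction. The two snapshots are constructed sample text, and the column layout (NAME, COUNTER NAME, PACKETS, BYTES) is an assumption about the vEdge output format; adjust the regular expression if your platform prints the columns differently.

```python
import re

# Two constructed snapshots of `show policy access-list counters TRAFFIC_ACL`,
# taken a few seconds apart. The column layout is an assumption, not captured
# device output. In this sample the outbound counter grows, the inbound one does not.
SAMPLE_BEFORE = """\
NAME         COUNTER NAME  PACKETS  BYTES
-----------------------------------------
TRAFFIC_ACL  TRAFFICout++  1200     153600
TRAFFIC_ACL  TRAFFICin++   980      125440
"""

SAMPLE_AFTER = """\
NAME         COUNTER NAME  PACKETS  BYTES
-----------------------------------------
TRAFFIC_ACL  TRAFFICout++  1210     154880
TRAFFIC_ACL  TRAFFICin++   980      125440
"""

# One data row: ACL name, counter name, packet count, byte count.
# The header and the dashed separator do not match because their last
# two fields are not integers.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse_counters(text):
    """Return {counter_name: packets} for one snapshot of the counters output."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            _acl, name, packets, _nbytes = m.groups()
            counters[name] = int(packets)
    return counters


def bfd_direction_status(before, after, out_counter, in_counter):
    """Compare two snapshots and say whether BFD is sent and/or received.

    Returns a dict with the packet delta per direction and a verdict:
      'both'          - packets flow in both directions
      'sending-only'  - we transmit but nothing matches inbound (NAT/firewall
                        on the path, or the peer is not replying)
      'receiving-only'- peer reaches us but our outbound sequence never hits
                        (wrong source address in the ACL, or local issue)
      'none'          - neither counter moved; re-check the addresses/ports
                        you took from show bfd sessions / show tunnel statistics
    """
    b, a = parse_counters(before), parse_counters(after)
    sent = a.get(out_counter, 0) - b.get(out_counter, 0)
    received = a.get(in_counter, 0) - b.get(in_counter, 0)
    if sent > 0 and received > 0:
        verdict = "both"
    elif sent > 0:
        verdict = "sending-only"
    elif received > 0:
        verdict = "receiving-only"
    else:
        verdict = "none"
    return {"sent": sent, "received": received, "verdict": verdict}


if __name__ == "__main__":
    status = bfd_direction_status(SAMPLE_BEFORE, SAMPLE_AFTER,
                                  "TRAFFICout++", "TRAFFICin++")
    print(f"sent={status['sent']} received={status['received']} "
          f"verdict={status['verdict']}")
```

On a real device, collect the two snapshots with the show command above, paste them into the two strings (or read them from files), and read the verdict; a "sending-only" result is the classic signature of a firewall or NAT dropping the return BFD traffic.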