Cisco Viptela SDWAN: Part 3 Access lists to check sequence counter issue

Access lists to check sequence counter issue

You may have heard of access lists, but how can they be used to check the sequence counters? It is a useful and necessary step after you look at the show bfd sessions output.

Now that the private and public IPs and ports are known, you can create an Access Control List (ACL) that matches on SRC_PORT, DST_PORT, SRC_IP and DST_IP. This helps you confirm whether BFD messages are actually being sent and received.

Fig 1.1- BFD & Access Lists

We take an example by creating the access list below. Before that, look at the output of show tunnel statistics.


We apply an access list for the local color "Silver" as below:

policy
 access-list TRAFFIC_ACL
  sequence 10
   match
    source-ip      60.60.60.1/32
    destination-ip 57.45.12.11/32
   !
   action accept
    count TRAFFICout++
   !
  !
  sequence 20
   match
    source-ip      57.45.12.11/32
    destination-ip 60.60.60.1/32
   !
   action accept
    count TRAFFICin++
   !
  !
  default-action accept
 !
!
vpn 0
 interface ge0/1
  access-list TRAFFIC_ACL in
  access-list TRAFFIC_ACL out
 !
!

Looking at the access list applied in the policy above, you see that the ACL has two sequences. Sequence 10 matches the BFD messages sent from this vEdge to the peer; sequence 20 matches the reverse direction.

The match is against the source (private) and destination (public) addresses and ports. If the vEdge is behind NAT, make sure you check the right source and destination ports.

To check the hits on each sequence counter, issue:
show policy access-list counters TRAFFIC_ACL
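The check above only tells you something when you compare two readings: a counter that is non-zero but no longer moving means BFD traffic stopped, not that it works. The following Python script is an added example (not code from the original post or from Cisco): it parses two snapshots of the show policy access-list counters TRAFFIC_ACL output, diffs the TRAFFICout++ and TRAFFICin++ counters defined in the ACL above, and reports which direction of BFD traffic is flowing. The sample output is constructed to resemble a vEdge CLI table; the exact column layout is an assumption, which is why the parser relies only on the last three whitespace-separated fields of each row.

```python
"""Added example (not from the original post): compare two snapshots of
`show policy access-list counters TRAFFIC_ACL` and report which direction
of BFD traffic is actually flowing.

Assumptions: the counter names TRAFFICout++ / TRAFFICin++ come from the ACL
on this page; the sample output below is CONSTRUCTED to look like a vEdge
CLI table, and the real column layout may differ, which is why the parser
only relies on the last three whitespace-separated fields of each row.
"""

# Constructed sample: first snapshot.
SNAPSHOT_T0 = """\
                                     COUNTER
NAME          COUNTER NAME           PACKETS     BYTES
-------------------------------------------------------
TRAFFIC_ACL   TRAFFICout++           120         14880
              TRAFFICin++            0           0
"""

# Constructed sample: second snapshot taken a few seconds later.
SNAPSHOT_T1 = """\
                                     COUNTER
NAME          COUNTER NAME           PACKETS     BYTES
-------------------------------------------------------
TRAFFIC_ACL   TRAFFICout++           180         22320
              TRAFFICin++            0           0
"""


def parse_counters(output: str) -> dict:
    """Return {counter_name: packets} from a counters table.

    A data row ends in two integer columns (packets, bytes); the field just
    before them is the counter name. Header and separator rows are skipped
    because their last two fields are not integers.
    """
    counters = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        if not (fields[-1].isdigit() and fields[-2].isdigit()):
            continue
        counters[fields[-3]] = int(fields[-2])
    return counters


def bfd_direction_check(before: str, after: str,
                        out_counter: str = "TRAFFICout++",
                        in_counter: str = "TRAFFICin++") -> dict:
    """Diff two snapshots and classify the BFD exchange.

    Only the delta matters: a counter that is non-zero but no longer
    increasing indicates traffic that stopped, not traffic that works.
    """
    b, a = parse_counters(before), parse_counters(after)
    tx = a.get(out_counter, 0) - b.get(out_counter, 0)
    rx = a.get(in_counter, 0) - b.get(in_counter, 0)
    if tx > 0 and rx > 0:
        verdict = "ok: BFD sent and received"
    elif tx > 0:
        verdict = "sending but not receiving: check NAT/firewall on the return path"
    elif rx > 0:
        verdict = "receiving but not sending: check local TLOC/interface state"
    else:
        verdict = "no BFD packets matched: verify ACL addresses, ports and direction"
    return {"tx_delta": tx, "rx_delta": rx, "verdict": verdict}


if __name__ == "__main__":
    result = bfd_direction_check(SNAPSHOT_T0, SNAPSHOT_T1)
    print(f"tx +{result['tx_delta']}, rx +{result['rx_delta']}: {result['verdict']}")
```

Run it with the two constructed snapshots and it reports that sequence 10 (outbound) keeps incrementing while sequence 20 (inbound) stays at zero, which is the classic signature of BFD being sent but never returned, typically a NAT or firewall problem on the path back to this vEdge. On a real device, paste the command output captured a few seconds apart into the two snapshot strings.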