https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461897#M1083454 <P>Yes I was thinking about that as well <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/330320">@Milos_Jovanovic</a> .</P> <P>It's rarely applicable since there are almost always other unique ACEs that you would want to include in the ACL for a given interface.</P> Wed, 08 Sep 2021 18:01:43 GMT Marvin Rhoads 2021-09-08T18:01:43Z https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461149#M1083406 <P>Hi All</P><P>&nbsp;</P><P>If you have a portchannel, with multiple sub-interfaces&nbsp; can you apply a rule to the portchannel with a view to applying that rule to ALL sub-interfaces ?</P> Tue, 07 Sep 2021 15:01:25 GMT https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461149#M1083406 mware444 2021-09-07T15:01:25Z https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461527#M1083420 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1243820">@mware444</a>,</P><P>No, it is not. Once you decide to go with subinterfaces, port-channel as an entity is just a transport medium, and it has no logical configuration (like nameif, IP address, security-level, etc.).</P><P>BR,</P><P>Milos</P> Wed, 08 Sep 2021 07:07:07 GMT https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461527#M1083420 Milos_Jovanovic 2021-09-08T07:07:07Z https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461562#M1083422 <P>You did not say which firewall you are using.</P> <P>On ASA you can add the access rule to the global access list, this will then apply to all traffic entering the ASA.</P> <P>On Firepower you would need to specify the security zones you wish to apply the rule to, otherwise you could use the any keyword and then it would apply to all security zones.</P> Wed, 08 Sep 2021 08:16:47 GMT https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461562#M1083422 Marius Gunnerud 2021-09-08T08:16:47Z https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461787#M1083443 <P>Thanks Marius</P><P>&nbsp;</P><P>It is an ASA and I didn't want to use the global option as the portchannel I am referring to, is for sub interfaces on the internal side only.</P><P>&nbsp;</P><P>Mike</P> Wed, 08 Sep 2021 15:03:30 GMT https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461787#M1083443 mware444 2021-09-08T15:03:30Z https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461880#M1083448 <P>in that case, sure. Each subinterface would have a nameif and the access-group command applies a unique access list to that interface. You typically use a unique ACL per interface (subinterface in this case).</P> Wed, 08 Sep 2021 17:43:03 GMT https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461880#M1083448 Marvin Rhoads 2021-09-08T17:43:03Z https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461884#M1083450 <P>But now that you mentioned it <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a>, a potential solution could be one ACL applied to all subinterfaces relevant to this port-channel.</P><P>Not a very common solution, but I believe it could do the trick in this case, with these requirements.</P><P>BR,</P><P>Milos</P> Wed, 08 Sep 2021 17:50:44 GMT https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461884#M1083450 Milos_Jovanovic 2021-09-08T17:50:44Z https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461897#M1083454 <P>Yes I was thinking about that as well <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/330320">@Milos_Jovanovic</a> .</P> <P>It's rarely applicable since there are almost always other unique ACEs that you would want to include in the ACL for a given interface.</P> Wed, 08 Sep 2021 18:01:43 GMT https://community.cisco.com/t5/network-security/rules-on-portchannel/m-p/4461897#M1083454 Marvin Rhoads 2021-09-08T18:01:43Z