
ip access-group doesn't work on C1000-8P-2G-L

josue-espogeira
Level 1

Hi,

I have a C1000-8P-2G-L switch running 15.2(7)E11 C1000-UNIVERSALK9-M version and I am trying to add the below access-list into a vlan interface 597.

ip access-list extended GUEST-SVI-IN
deny ip any any
ip access-list extended GUEST-SVI-OUT
permit tcp any eq www any
deny ip any any
!

And when I try to add it into the interface Vlan597 I get the below output:


sw_reserva(config)#interface Vlan597
sw_reserva(config-if)#ip access-group GUEST-SVI-IN in
                                           ^
% Invalid input detected at '^' marker.

sw_reserva(config-if)#ip access-group GUEST-SVI-OUT out
                                            ^
% Invalid input detected at '^' marker.


It doesn't accept the command. How is it possible to add an ACL into an SVI in C1000?

Thanks.

1 Accepted Solution

@josue-espogeira 

This is due to a platform limitation. If you check the datasheet, you can see:

"● Port-based ACLs for Layer 2 interfaces to allow security policies to be applied on individual switch ports."

Similar discussion here:

https://community.cisco.com/t5/switching/catalyst-1000-x-series-switch-ip-access-group-command-missing/td-p/4627348
