Rules on portchannel

mware444
Level 1

Hi All

If you have a portchannel with multiple sub-interfaces, can you apply a rule to the portchannel with a view to applying that rule to ALL sub-interfaces?

1 Accepted Solution

Accepted Solutions

You did not say which firewall you are using.

On ASA you can add the access rule to the global access list; this will then apply to all traffic entering the ASA.

On Firepower you would need to specify the security zones you wish to apply the rule to, otherwise you could use the any keyword and then it would apply to all security zones.

--
Please remember to select a correct answer and rate helpful posts


6 Replies

Milos_Jovanovic
VIP Alumni

Hi @mware444,

No, it is not. Once you decide to go with subinterfaces, port-channel as an entity is just a transport medium, and it has no logical configuration (like nameif, IP address, security-level, etc.).

BR,

Milos

Thanks Marius

It is an ASA, and I didn't want to use the global option, as the portchannel I am referring to is for sub-interfaces on the internal side only.

Mike

In that case, sure. Each subinterface would have a nameif, and the access-group command applies a unique access list to that interface. You typically use a unique ACL per interface (subinterface in this case).

But now that you mentioned it @Marvin Rhoads, a potential solution could be one ACL applied to all subinterfaces relevant to this port-channel.

Not a very common solution, but I believe it could do the trick in this case, with these requirements.

BR,

Milos

Yes, I was thinking about that as well @Milos_Jovanovic.

It's rarely applicable since there are almost always other unique ACEs that you would want to include in the ACL for a given interface.
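The two approaches discussed in this thread side by side, as an added ASA configuration example that is not from any of the posters above (the interface numbers, VLAN IDs, nameif values, addresses and ACL contents are assumed for illustration):

```cisco
! Port-channel carries the VLAN trunk only; all logical settings live on the subinterfaces
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.10
 vlan 10
 nameif inside-users
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif inside-servers
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
! Option 1 (accepted answer): one global ACL, evaluated for traffic entering EVERY interface,
! including the outside interface, which is what the original poster wanted to avoid
access-list GLOBAL_IN extended deny tcp any any eq telnet
access-list GLOBAL_IN extended permit ip any any
access-group GLOBAL_IN global
!
! Option 2 (later replies): the same ACL bound inbound to each internal subinterface only,
! so the rule is shared by the port-channel's subinterfaces and nowhere else
access-list INSIDE_COMMON extended deny tcp any any eq telnet
access-list INSIDE_COMMON extended permit ip any any
access-group INSIDE_COMMON in interface inside-users
access-group INSIDE_COMMON in interface inside-servers
```

An interface accepts a single inbound ACL, so as soon as one subinterface needs entries of its own it must get its own list, which is the limitation the last reply points out.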