Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1509
Views
0
Helpful
4
Comments

3850 Layer 2 access interface ACL?

Larry Sullivan
Level 3
Level 3

on ‎12-17-2019 02:07 PM

Hi,

 

I'm trying to add an ACL to a WAN layer 2 access port interface.  The Public IP is on a SVI and the interface is lets say g0/2.  The ACL is to prevent private IPs and SNMP packets.  I've applied the extended ACL to the physical interface g0/2 with a permit any any at the bottom.  This ACL has been applied to routers at other locations and hit logs confirm this is working on those, but on this layer 2 interface with the ACL, there are no hit logs like there are on the others.  This is one of our busiest interfaces.  Is this ACL not working?  Sanitized configs below.

 

Extended IP access list xxx
10 deny udp any any eq snmp
20 deny udp any any eq snmptrap
30 deny ip 10.0.0.0 0.255.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.168.0.0 0.0.255.255 any
100 permit ip any any

 

int g0/2

ip access-group xxx in.

 

0 Helpful
Comments
Larry Sullivan
Level 3
Level 3
‎12-17-2019 04:29 PM

I read over the below a few times too before implementing.  Can I assume if the command is not supported it's because logs don't work?

 

"PACL does not support the access-list log and reflect/evaluate keywords. These keywords are ignored if you add them to the access list for a PACL."

salemmahara
Level 3
Level 3
‎12-18-2019 03:02 AM

Hi Larry,

ACLs are checked in hardware on 3850 series. So, you are not able to see any match hint.

If you want to have them, add Log keyword at the end of each line, but keep in mind:

 

1. ACLs with Log at end will be processed by CPU which a massive amount of them may result in more CPU utilization.

2. Although it's rational, but I am going to emphasize on some bugs that many users have reported before. Sometimes you will see Match Hints without Log keyword, and sometimes you can't see them even with put Log keyword at the end of lines :)))) 

 

Regards

iswift
Level 1
Level 1
‎12-18-2019 09:40 AM

An IP access list needs to be applied to an L3 interface.

either an L3 interface on a L3 switch or router, or the SVI or BDI that relates to the physical port.

if your Gi0/2, say, is your WAN port are you sure it’s a Layer 2 port as you say ?

Try applying the ACL to the L3 instance relating to that phys. port.

Larry Sullivan
Level 3
Level 3
‎12-18-2019 10:44 AM

Seems this was moved to some area where I can't reply directly to people.

@iswift ACLs can be applied to layer 2 interfaces.  It's called a PACL.  Yes the WAN port is layer 2.  It's an access port on a specific VLAN.  If I apply the ACL to the SVI my concern is it will deny traffic from private IPs coming from the inside instead of just the WAN interface.

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card