01-31-2020 04:36 AM
access list
Hello Guys,
I have 2 Cisco Catalyst 3560 Layer 3 switches. I would like to know how we configure an ip access-group on an L2 ether-channel port. I have attached the screenshot for your reference.
Thank you :)
01-31-2020 05:04 AM - edited 01-31-2020 05:32 AM
Hi,
You can create an access-list based on your desired policy and then apply it directly to the port channel interface using ip access-group. The port channel interface can be Layer 2 or Layer 3. When you apply it to the port channel interface, it will apply to the member interfaces automatically.
If it is a Layer 2 port channel, then you can apply the ACL in the inbound direction only. This ACL is called a Port ACL or PACL.
Reference:
02-01-2020 09:57 AM
Hi,
Upon searching about PACL, I've learned that this topic is at CCNP level, and it made me more interested. Can you show me an example of how to configure a PACL based on my topology?
Many thanks!
02-01-2020 03:44 PM
Hi,
Usually we apply ACLs at strategic locations, for example if we want to control traffic between the DC and Campus, or from hosts to the rest of the network. For the sake of this example, I will block ICMP traffic to VLAN 130. I will apply the PACL on port channels 4 and 3 configured at Branch1#-AS2.
!
Switch(config)# ip access-list extended simple-ip-acl
Switch(config-ext-nacl)# deny icmp any 192.168.30.0 0.0.0.255
Switch(config-ext-nacl)# permit ip any any
!
interface port-channel 4
ip access-group simple-ip-acl in
!
interface port-channel 3
ip access-group simple-ip-acl in
!
Regards,
Awais
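A small evaluator for the ACL in the post above, added here as an example (it is not part of the original posts and is not Cisco code): it shows wildcard-mask matching, first-match ordering and the implicit deny for packets arriving inbound on the port channel. The function names and sample packets are constructed, and only the protocol and address fields are modelled, not ports or ICMP types.

```python
import ipaddress

# The ACL entries from the post above, embedded as text.
ACL_TEXT = """
deny icmp any 192.168.30.0 0.0.0.255
permit ip any any
"""

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]

def parse_acl(text):
    """Turn ACL lines into (action, protocol, src, dst) tuples, in order."""
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        entries.append((action, proto, src, dst))
    return entries

def addr_matches(spec, ip):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def evaluate(entries, proto, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, acl_proto, s, d in entries:
        if acl_proto in ("ip", proto) and addr_matches(s, src) and addr_matches(d, dst):
            return action
    return "deny"  # implicit 'deny ip any any' at the end of every IP ACL

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed sample packets (protocol, source, destination).
    for pkt in [("icmp", "192.168.10.5", "192.168.30.7"),
                ("tcp", "192.168.10.5", "192.168.30.7"),
                ("icmp", "192.168.10.5", "192.168.31.7")]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Removing the `permit ip any any` line from `ACL_TEXT` shows why the post includes it: every packet then falls through to the implicit deny.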
02-03-2020 02:39 AM
Hi Awais,
I tried to apply the information you provided, and it seems like the Layer 2 access switch does not recognize the ip access-group command. Please see the attached screenshot.
Thank you
02-03-2020 03:51 AM
02-03-2020 03:57 AM - edited 02-03-2020 03:57 AM
Hi @Mark Malone
I found the below in the link you shared:
Applying ACLs to a Layer 2 Interface
To apply IP and MAC ACLs to a Layer 2 interface, perform one of these tasks:
| Command | Purpose |
| --- | --- |
| Switch(config-if)# ip access-group ip-acl in | Applies an IP ACL to the Layer 2 interface. |
| Switch(config-if)# mac access-group mac-acl in | Applies a MAC ACL to the Layer 2 interface. |
02-03-2020 04:06 AM
02-03-2020 04:50 AM