How to configure IP access-group on Layer 2 or Layer 3 port-channel

Hello Guys,

 

I have 2 Cisco Catalyst 3560 Layer 3 switches. I would like to know how we configure an ip access-group on an L2 EtherChannel port. I have attached a screenshot for your reference.

 

Thank you :)
(attachment: PT File.PNG)

Accepted Solution

Hmm, I thought that was only if the switchport was capable of being Layer 3. A pure Layer 2 port won't take an IP command, e.g. a Cisco 800, some 2960s running LAN Lite, etc.

Pure L2 800 series:

  int f3
  (config-if)#ip acc?
  % Unrecognized command

L2/L3 3650 works:

  #int g1/0/29
  (config-if)#switchport
  (config-if)#ip access-group ?
    <1-199>  IP access list (standard or extended)

8 Replies

Muhammad Awais Khan (Cisco Employee)

Hi,

 

You can create an access list based on your desired policy and then apply it to the port-channel interface directly, using ip access-group on the port-channel interface. The port-channel interface can be Layer 2 or Layer 3. When you apply it to the port-channel interface, it is applied to the member interfaces automatically.

 

If it is a Layer 2 port channel, then you can apply the ACL in the inbound direction only. This ACL is called a Port ACL or PACL.

 

Reference:

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html#94974


Hi, 

Upon searching about PACLs, I've learned that this topic is at CCNP level, and it made me more interested. Can you show me an example of how to configure a PACL based on my topology?

 

Many thanks! 

Hi,

 

Usually we apply ACLs at strategic locations, e.g. if we want to control traffic between the DC and the campus, or from hosts to the rest of the network. For the sake of this example, I will block ICMP traffic to VLAN 130. I will apply the PACL on port-channels 4 and 3 configured at Branch1#-AS2.

 

!
ip access-list extended simple-ip-acl
 deny icmp any 192.168.30.0 0.0.0.255
 permit ip any any
!
interface port-channel 4
 ip access-group simple-ip-acl in
!
interface port-channel 3
 ip access-group simple-ip-acl in
!

Regards,
Awais
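The two replies above rely on how IOS evaluates an extended ACL once it is applied inbound as a PACL: ACEs are tried in order, the first match wins, a wildcard mask (not a netmask) selects which address bits must match, and an implicit deny sits at the end of every list. The following is an added example, not code from the thread or from Cisco: a small Python model of that matching logic, fed with the simple-ip-acl exactly as posted above and with constructed sample packets. It also shows why leaving out the final permit ip any any turns a "block ICMP" list into a "block everything" list, and converts a contiguous wildcard such as 0.0.0.255 back into the /24 it covers. Direction is not modelled, since a PACL on a Layer 2 port-channel filters only traffic entering the port.

```python
"""Model of Cisco IOS extended-ACL matching (first match, wildcard masks,
implicit deny).  Added example, not code from the thread or from Cisco.
The ACL text is the one quoted in the thread; the packets are constructed."""
from dataclasses import dataclass
import ipaddress

# ACL exactly as configured in the reply above (one ACE per line).
SIMPLE_IP_ACL = """
deny icmp any 192.168.30.0 0.0.0.255
permit ip any any
"""

# Same ACL with the explicit permit left out: only the implicit deny remains.
DENY_ONLY_ACL = "deny icmp any 192.168.30.0 0.0.0.255"


@dataclass(frozen=True)
class Packet:
    proto: str   # "icmp", "tcp", "udp", ...
    src: str     # dotted-quad source address
    dst: str     # dotted-quad destination address


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every IP protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF                # every bit is 'don't care'
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    net = int(ipaddress.IPv4Address(word))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return net, wild


def parse_acl(text):
    """Parse the body of an 'ip access-list extended' into an ordered ACE list."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "remark"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny"):
            raise ValueError("unsupported ACE: " + line)
        src_net, src_wild = _addr(rest)
        dst_net, dst_wild = _addr(rest)
        aces.append(Ace(action, proto, src_net, src_wild, dst_net, dst_wild))
    return aces


def _addr_match(addr, net, wild):
    """Cisco wildcard: a 0 bit must match, a 1 bit is ignored (inverse of a netmask)."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(aces, pkt):
    """Return (action, index_of_matching_ace); index is None for the implicit deny."""
    for i, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if _addr_match(pkt.src, ace.src_net, ace.src_wild) and \
                _addr_match(pkt.dst, ace.dst_net, ace.dst_wild):
            return ace.action, i            # first match wins
    return "deny", None                     # IOS appends an implicit 'deny ip any any'


def wildcard_to_prefixlen(wildcard):
    """0.0.0.255 -> 24.  Returns None for a non-contiguous wildcard such as 0.0.0.254."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        return None
    return 32 - w.bit_length()


if __name__ == "__main__":
    acl = parse_acl(SIMPLE_IP_ACL)
    for pkt in (Packet("icmp", "10.10.10.5", "192.168.30.77"),
                Packet("tcp", "10.10.10.5", "192.168.30.77"),
                Packet("icmp", "10.10.10.5", "192.168.31.1")):
        print(pkt, "->", evaluate(acl, pkt))
    print("0.0.0.255 is a /%d" % wildcard_to_prefixlen("0.0.0.255"))
```

The model assumes, as the reply does, that 192.168.30.0/24 is the VLAN 130 subnet. Note that ICMP to 192.168.31.1 is permitted by the second ACE, because the wildcard 0.0.0.255 only ignores the last octet; and that with DENY_ONLY_ACL even plain TCP to the same hosts falls through to the implicit deny, which is the most common way a "harmless" PACL cuts an access port off entirely.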

Hi Awais, 

 

I tried the configuration you provided, and it seems the Layer 2 access switch does not recognize the ip access-group command. Please see the attached screenshot.

 

Thank you
(attachment: PACL.PNG)

Hi,
Of course it doesn't; you're trying to use a Layer 3 command (ip) on a Layer 2 port. It won't work and won't take it, as you see.

If you want to lock down switch ports, use VACLs or PACLs for Layer 2.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html

Hi @Mark Malone 

 

I found the below in the link you shared:

 

Applying ACLs to a Layer 2 Interface

To apply IP and MAC ACLs to a Layer 2 interface, perform one of these tasks:

Command: Switch(config-if)# ip access-group ip-acl in
Purpose: Applies an IP ACL to the Layer 2 interface.

Command: Switch(config-if)# mac access-group mac-acl in
Purpose: Applies a MAC ACL to the Layer 2 interface.

 

 

Hi,

 

I am not sure which switch you have; I just rechecked on my switches, check the attached.
