ACL and different Port Types

salemmahara
Level 3

Hello all

As you know, we cannot apply an ACL to L2 EtherChannel interfaces! (on the 3850 series)

So what is your solution if you want to do it? Can we apply the ACL to the member ports one by one rather than applying it to the Port-channel interface? Does it work? There should be a way, because we can apply ip access-group on physical L2 interfaces! I really don't understand why we can apply an ACL to L2 physical interfaces but not to L2 EtherChannel interfaces.

9 Replies

Collin Clark
VIP Alumni

What type of traffic are you trying to block? If it's L3/L4 type traffic you would apply an ACL at the SVI. If it's L2 traffic it would be a VACL at the port level.

Hello collin

Thanks for replying.

A VACL is useful when we plan to filter traffic within a VLAN, not traffic arriving at a VLAN. It's actually the best way if we want to filter Layer 2 traffic at the access switch only, e.g. when we want to restrict users in a broadcast domain from using SMB. We can also filter traffic at the first switch in the path using a VACL with standard or extended ACLs.

But now, for some reasons, I have to filter traffic which is coming in on or leaving trunk EtherChannel ports.

Let me make it more clear. I want to filter traffic before it arrives at the SVI! So I need a Port ACL.
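To make the two filtering positions concrete, here is an added IOS configuration example (not from the thread or any poster) showing the difference between a router ACL on the SVI and a VACL on the VLAN itself, using the SMB case mentioned above. The VLAN number, subnet, ACL names and interface are constructed for illustration.

```cisco
! Added example, not from the thread. Two places to filter IP traffic on a
! Catalyst switch. VLAN 2, subnet 10.2.0.0/16 and all names are constructed.

! --- (a) Router ACL on the SVI.
!     Filters only traffic that is routed into VLAN 2. Host-to-host traffic
!     inside VLAN 2 is bridged and never reaches the SVI, so this does NOT
!     stop SMB between two hosts in the same broadcast domain.
ip access-list extended VLAN2-IN
 deny   tcp any 10.2.0.0 0.0.255.255 eq 445
 permit ip any any
!
interface Vlan2
 ip address 10.2.0.1 255.255.0.0
 ip access-group VLAN2-IN in

! --- (b) VACL (VLAN access map).
!     Applied to the VLAN, so it is evaluated for bridged traffic as well as
!     routed traffic; there is no direction keyword. In a VLAN map the ACL
!     only selects packets: "permit" in the ACL means "this clause matches",
!     and the action (drop/forward) decides what happens to them.
ip access-list extended SMB-WITHIN-VLAN2
 permit tcp 10.2.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 445
!
vlan access-map VLAN2-MAP 10
 match ip address SMB-WITHIN-VLAN2
 action drop
vlan access-map VLAN2-MAP 20
 action forward
!
vlan filter VLAN2-MAP vlan-list 2
```

Clause 20 with no match statement is the explicit "forward everything else" entry; without it, traffic not matched by clause 10 would be dropped by the map's implicit deny.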

This seems like a very artificial requirement.

Is there an actual real business case for this or is it an academic exercise?

Hello Marvin

It's a real case.

I just want to know, does it make any problem or is it wrong if we apply the ACL directly to the physical members of an EtherChannel? Something like this:

int port-channel 10
 switchport mode trunk
 --> we are not allowed to use ip access-group here, so:

int gig 1/0/1
 switchport mode trunk
 channel-group 10 mod active
 ip access-group 100 in

int gig 1/0/1
 switchport mode trunk
 channel-group 10 mod active
 ip access-group 100 in

You're applying a L3/L4 access list to an L2 port... won't work. If you need to filter traffic before it hits the default gateway you can either apply a VACL or (maybe) use private VLANs.

Hey Collin

Are you sure? But you can apply an ACL to L2 ports without any problem, even extended ones (only in the IN direction).

I've already set up some.

Hi, as you are using 3850s you could look to implement TrustSec enforcement. SGTs (tags) can be assigned dynamically via ISE or statically on the switch. SGACLs can be used for enforcement and permit/deny traffic between users/computers in the same VLAN on the same switch. If you are using ISE to assign the tags to users/computers and deploy the SGACL, this becomes more scalable and easier to manage than managing VACLs per switch.

HTH

Hi RJI

Traffic in this scenario is coming from different switches.

SW1========SW2========SW3

Imagine SW2 is going to filter VLAN 2 traffic from SW1 but not from SW3! So if we filter traffic at the SVI, it will filter all of the traffic. So we have to filter traffic at the trunk interfaces rather than the SVI.
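As an added example (not from the thread), here is how the per-uplink filtering described above looks when the uplink is a plain Layer 2 trunk port, which is the case the original poster says already works; the thread itself states the 3850 rejects ip access-group on the Port-channel interface, so this example deliberately stays on a physical port. The interface names and VLAN 2's subnet (10.2.0.0/16) are constructed, and the example assumes the usual port-ACL behaviour that an ACL on a trunk port is evaluated for every VLAN carried on that trunk, which is why it matches on addresses rather than on a VLAN.

```cisco
! Added example, not from the thread. SW2's side only. Gi1/0/1 faces SW1 and
! Gi1/0/2 faces SW3; VLAN 2 is 10.2.0.0/16. All values are constructed.

ip access-list extended FROM-SW1-IN
 remark Drop VLAN 2 hosts that arrive via the SW1 uplink only
 deny   ip 10.2.0.0 0.0.255.255 any
 permit ip any any
!
! Port ACL on the physical trunk toward SW1. Layer 2 ports accept the ACL
! in the "in" direction only (as noted earlier in the thread), and a port
! ACL on a trunk applies to all VLANs on that trunk, so the match is by
! address rather than by VLAN.
interface GigabitEthernet1/0/1
 description Trunk to SW1
 switchport mode trunk
 ip access-group FROM-SW1-IN in
!
! The uplink toward SW3 carries no ACL, so VLAN 2 traffic from SW3 is
! untouched, which an SVI ACL could not distinguish.
interface GigabitEthernet1/0/2
 description Trunk to SW3 (unfiltered)
 switchport mode trunk
```

Use "show ip access-lists FROM-SW1-IN" to confirm the deny entry's hit counter increments only for traffic entering on Gi1/0/1; if the two uplinks are later bundled, the thread's whole question about where the ACL can live comes back.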

 

salemmahara
Level 3

@Giuseppe Larosa Could you please join us?
