
IP Access-Group on switchport - Cisco C1111 ISR Router

S Leigh
Level 1

Hi all.

I am attempting to add an access group to a switch port which is located in a C1111 ISR router but the command is no longer there when using version c1100-universalk9.17.06.03a.SPA.bin
My-Router(config-if)#ip a?
admission  arp  auth-proxy
********************************************
But when using c1100-universalk9_ias.16.09.06.SPA.bin the command is available

R01(config)#int GigabitEthernet0/1/1
R01(config-if)#ip a?
access-group  admission  auth-proxy

 

Does anyone know of a way round this so an ACL can be attached to an interface?

interface GigabitEthernet0/1/1
ip access-group ACL-Default in

 

Thanks

 

 

 

 


M02@rt37
VIP

Hello @S Leigh 

do you have this command under interface GigabitEthernet0/1/1?

interface GigabitEthernet0/1/1
service-policy ?

If yes, one workaround is to use the "service-policy" command to apply a policy-map that includes your access-list to the interface. Here's an example configuration:

ip access-list standard MY-ACL
permit 10.10.10.0 0.0.0.255
!
class-map MY-CLASS
match access-group name MY-ACL
!
policy-map MY-POLICY
class MY-CLASS
police 1000000
!
interface GigabitEthernet0/1/1
service-policy input MY-POLICY

 

In the above configuration, we create a standard IP access-list called "MY-ACL" that permits traffic from the 10.10.10.0/24 subnet. We then create a class-map that matches the "MY-ACL" access-list, and a policy-map that applies a policer to that class.

Finally, we apply the "MY-POLICY" policy-map to the interface using the "service-policy" command. This will cause traffic matching the access-list to be policed on the interface.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

What do you mean!!! Using service-policy instead of an ACL??
That's so weird.

Hello @MHM Cisco World 

Yes, it's weird; weird also that the command is no longer available there when using version c1100-universalk9.17.06.03a.SPA.bin....

It's a "tricky weird" solution which helped me in the past, lol. No way to downgrade or upgrade my C1111 ISR Router.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

OK, if the interface is L3 then at least ip add must appear. Does the interface accept the IP add command??

@MHM Cisco World 

OK, you mean do a "no switchport" command on that interface?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

I think so.
He entered ip then a?; one of the commands that must appear is address,
but it doesn't appear. I think he is using an L2 interface and hence ip access-group is missing.
Let's wait for his reply to confirm.

Hi All.

 

Just to remove any confusion here.

On one of my Cisco C1111 routers that has a built-in switchport module of 8 ports I was able to add an access list to one of the switch ports.

Usual way -> int gxx/xx/xx -> ip access-group  ACL-Default in
I have done this on multiple switchports running version IOS-XE 16.09.06.
I upgraded to 17.06.03a and the command to put in "ip access-group" is no longer there.

When reloading the router with the new IOS and the saved config I get an error when looking at the console when it hits the ip access-group  ACL-Default in.

 

Let's start with show license.
Let's check the IPbase status.

S Leigh
Level 1

An update: it turns out that the ability to add access-lists directly to the inbuilt switch ports (it's an active layer 3 device) is no longer there in the later releases of software, confirmed by TAC.

Maybe one day the function will return

Could you not add the access-group to the VLAN interface, if configured?
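
A pre-upgrade check for the situation this thread describes, as an added example that is not part of any post: it scans a saved config for `ip access-group` lines on layer 2 switch ports (the lines that error after the upgrade) and reports the access VLAN whose VLAN interface could carry the ACL instead. The sample config, the function names, the "no `ip address` means layer 2" heuristic and the default VLAN 1 are assumptions.

```python
import re

# Constructed sample config (not from the thread's router); names are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group ACL-WAN in
!
interface GigabitEthernet0/1/1
 switchport access vlan 20
 ip access-group ACL-Default in
!
interface GigabitEthernet0/1/2
 ip access-group ACL-Default in
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS-style config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def find_switchport_acls(config):
    """List ACL bindings on interfaces that look like layer 2 switch ports."""
    stanzas = parse_interfaces(config)
    findings = []
    for name, lines in stanzas.items():
        # Assumption: no "ip address" and no "no switchport" means a layer 2 port.
        if any(l.startswith("ip address") or l == "no switchport" for l in lines):
            continue
        vlans = [int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")]
        vlan = vlans[-1] if vlans else 1  # assumption: access VLAN defaults to 1
        for l in lines:
            m = re.match(r"ip access-group (\S+) (in|out)", l)
            if m:
                findings.append({"interface": name, "acl": m.group(1), "direction": m.group(2),
                                 "vlan": vlan, "svi_exists": f"Vlan{vlan}" in stanzas})
    return findings
```

An ACL moved to the VLAN interface applies to routed traffic from every port in that VLAN, not only the port it was originally bound to.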
