07-10-2009 06:21 AM - edited 03-06-2019 06:41 AM
I was hoping someone could help determine if this is possible. I have a router-on-a-stick configuration with several different VLANs. I would like to add ACLs to the bridged sub-interfaces but not to the BVI. I wasn't sure if this is possible because I thought ACLs had to be applied to a Layer 3 interface. I tried it in a lab but was not successful in getting it to work. Sample config is below.
! Global bridging commands needed for a BVI to route IP
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface BVI1
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip access-group 110 in
 bridge-group 1
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip access-group 120 in
 bridge-group 1
!
! Extended ACLs (100-199) require a protocol keyword; "permit any any" is rejected by IOS
access-list 110 deny udp any any
access-list 110 permit ip any any
access-list 120 deny udp any any
access-list 120 permit ip any any
07-10-2009 06:40 AM
Hello Kevin,
I thought ACLs had to be applied to a Layer 3 interface. I tried it in a lab but was not successful in getting it to work.
On a router this is correct.
However, there are multilayer switches that can be configured with both a port ACL and a VLAN ACL, so the idea is not wrong, but it depends on the real implementation of the device.
Hope to help
Giuseppe
07-10-2009 06:41 AM
You are trying to apply layer 3/4 filtering to a layer 2 interface - last time I checked, not possible.
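As an added example, not taken from the original thread or from either reply above, the following shows the ACL placement a router does support, as both replies describe: the filter is moved off the Layer 2 bridged sub-interfaces onto the Layer 3 BVI. Interface names, the bridge-group number, the address and ACL 110 are reused from Kevin's sample; the global `bridge irb` / `bridge 1 route ip` lines are the standard commands a BVI needs and are assumed here rather than quoted from the post.

```cisco
! Global bridging setup required for a BVI to route IP (assumed; not in the original post)
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! The ACL is attached to the Layer 3 interface. It filters traffic that is
! routed through BVI1 (to or from other routed interfaces); it does NOT see
! frames that are bridged between Gi0/0.10 and Gi0/0.20 within bridge-group 1.
interface BVI1
 ip address 10.1.1.1 255.255.255.0
 ip access-group 110 in
!
! Layer 2 members of the bridge group: ip access-group is not accepted here
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 bridge-group 1
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 bridge-group 1
!
! Extended ACL: each entry names a protocol; a bare "permit any any" is invalid
access-list 110 deny   udp any any
access-list 110 permit ip any any
```

The caveat to keep in mind is the one in the comments: an ACL on the BVI only covers routed traffic, so UDP bridged directly between VLAN 10 and VLAN 20 inside the same bridge group is never inspected. Filtering between those two VLANs on a router means giving each sub-interface its own `ip address` (plain routed router-on-a-stick, where `ip access-group` is accepted) instead of bridging them together, or, as Giuseppe notes, using a multilayer switch that supports VLAN ACLs.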
07-10-2009 06:48 AM
Thanks guys for the reply. I wasn't sure if it would work but I wanted to see if anyone had ever used something like this in production.