
Catalyst 1000 X Series Switch -- IP Access-Group Command missing?

ITAdmin2022
Level 1

C1000-48T-4X-L -- IOS 5.2(7)E6 -- C1000-UNIVERSALK9-M

Just bought this switch and created an extended ACL, and just noticed I can't apply it: there is no ip access-group command when trying to associate my ACL with an SVI. Any ideas? I'm stunned right now! Is this actually a license upgrade?

7 Replies

Did you add the VLAN to the switch?

Correct. 

 

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
12 ComputerLab active

 

Vlan12 10.10.1.126 YES manual up up

 

interface Vlan12
description ** Computer Lab
ip address 10.10.1.126 255.255.255.224

 

sh ip access-lists

Extended IP access list VLan-12-IN-ComputerLab

 

Then I go to add the extended ACL to the VLAN SVI and no access-group is available!

tcc-is01n(config)#int vlan 12
tcc-is01n(config-if)#ip ?
Interface IP configuration subcommands:
  accounting                   Enable IP accounting on this interface
  address                       Set the IP address of an interface
  admission                    Apply Network Admission Control
  broadcast-address      Set the broadcast address of an interface
  cef                               Cisco Express Forwarding interface commands

.......

reccon
Level 1

According to the C1000 datasheet:

"Port-based ACLs for Layer 2 interfaces to allow security policies to be applied on individual switch ports."

 

SVI interfaces are layer 3.

That could be the reason.

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-1000-series-switches/nb-06-cat1k-ser-switch-ds-cte-en.html

 

Scroll down to Network security

 

Access Control Lists (ACLS) for IPv6 and IPv4 security and Quality-of-Service (QoS) ACL elements (ACEs).

and ...

Port-based ACLs for Layer 2 interfaces to allow security policies to be applied on individual switch ports.

 

That would lead me to believe that I can do IP-based ACLs; I can apply an access-class no problem to the line vty or con!

I read the same datasheet you mentioned, but port ACLs work with IPv4 and IPv6 ACLs.

So here it means that a port ACL can use IPv4 and IPv6 ACLs, but there is no hint that they are supported under an L3 port or under an SVI.

Sorry.

 

 

That is not an answer I wanted to hear. For a Cisco switch, that is like selling a car with no tires... The advertisement is a bit deceptive, as my interpretation of

Access Control Lists (ACLS) for IPv6 and IPv4 security and Quality-of-Service (QoS) ACL elements (ACEs).

was IPv4 ACLs, which can be on anything... SVI. Gosh, I wasn't expecting OSPF or EIGRP would be there, but this is very basic to me... 101-level stuff; cheaper switches have that. So yeah, I'm quite disappointed.

 

I'll have to RMA the switch and get something else.

Thanks for the response.