IE3300 - "ip access-group DENY-ALL in" NOT accepted in configuration

MaErre21325
Level 1

Hello,

I'm configuring an IE3300 running 17.06.03 and I'm not able to attach "ip access-group DENY-ALL in" under a VLAN interface:

inv-r545# conf t
Enter configuration commands, one per line. End with CNTL/Z.
inv-r545(config)#interface Vlan58
inv-r545(config-if)#ip access-group DENY-ALL in
^
% Invalid input detected at '^' marker.

The corresponding ACL is correctly present in the configuration:

ip access-list standard DENY-ALL
10 deny any

Why am I not able to configure the command? It only happens with the IE3300; with the other switches I don't have this issue.
How can I attach that command?

Thank you

Regards

10 Replies

marce1000
VIP

 

- Ref: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/218248-troubleshoot-access-lists-on-ie3x00.html
  > ...On layer 3 ACL, Non-IP ACL is not supported.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi @marce1000,

But according to the linked documentation it's possible to use "ip access-group":

IE3300#show ip access-list 103
Extended IP access list 103
    10 permit udp any any eq 2222
    20 permit udp any eq 2222 any

Which is applied to different interfaces.

IE3300#show run interface GigabitEthernet 1/4
Building configuration...

Current configuration : 60 bytes
!
interface GigabitEthernet1/4
 ip access-group 103 in
end

 

- Or it might not be allowed on a VLAN interface on the particular platform; you could try this by applying it on a regular interface instead and check if that works.

 M.




Hi,

Unfortunately I need to apply it on the VLAN interface... I'm going to open a TAC because this issue is blocking my NAC deployment.

 

- Ok, if possible you may give feedback from that here, too: always happy to learn!

 M.




Hello,

I wondered if you have any new information about the issue.
We are migrating from the IE2000U hardware to the IE3300 with IOS XE Version 17.9.4a and are confronted with the same problem.
I am trying to apply an access list to a Layer 3 VLAN interface, but the command "ip access-group" is not supported on VLAN interfaces, only on real hardware interfaces.
Since that works on a Catalyst 9x00 with the same IOS XE version, I wondered if it is really not supported on the IE3300 platform.

Thanks and all the best, kurt

Sorry, I forgot to mention that it did work on the IE2000U Switches as well.

Cheers, kurt

Hello,

I don't have an IE3300 available, but does the command:

access-class DENY-ALL in

work?

Hello @Georg Pauwen ,

I'm unable to apply "access-class DENY-ALL"; I only have this option for access-

inv-r545(config-if)#access?
access-session

It seems that no access-list, access-group or access-class could be issued.

 

Thank you

pworsham
Level 1

I have the same issue. If it is not supported then this is really disappointing, as this feature worked fine on the IE3000 platform.
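The practical risk behind this thread is that a rejected "ip access-group" line leaves the SVI unfiltered, which is easy to overlook when configuration is pushed from templates or scripts during a rollout like the NAC deployment mentioned above. The following added example (not from the thread, the posters or Cisco) is a small Python audit that parses a running-config excerpt and reports every VLAN interface on which the intended ACL is not actually applied; the configuration text is constructed for illustration and mirrors the thread's DENY-ALL ACL and Vlan58.

```python
import re
from typing import Dict, List

# Constructed "show running-config" excerpt (not captured from a real device):
# Vlan10 carries the intended ACL, Vlan58 does not, Gi1/4 carries ACL 103.
SAMPLE_RUNNING_CONFIG = """\
!
ip access-list standard DENY-ALL
 10 deny any
!
interface GigabitEthernet1/4
 ip access-group 103 in
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group DENY-ALL in
!
interface Vlan58
 ip address 10.58.0.1 255.255.255.0
!
end
"""

ACL_RE = re.compile(r"^ip access-group (\S+) (in|out)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the indented lines of its configuration block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or any other unindented line ends the block
    return blocks


def applied_acls(block: List[str]) -> Dict[str, str]:
    """Return {direction: acl_name} for the ip access-group lines in one interface block."""
    return {m.group(2): m.group(1) for m in map(ACL_RE.match, block) if m}


def svis_missing_acl(config: str, acl: str, direction: str = "in") -> List[str]:
    """List the VLAN interfaces (SVIs) on which `acl` is not applied in `direction`."""
    return [name for name, block in parse_interfaces(config).items()
            if name.lower().startswith("vlan") and applied_acls(block).get(direction) != acl]


if __name__ == "__main__":
    for svi in svis_missing_acl(SAMPLE_RUNNING_CONFIG, "DENY-ALL"):
        print(f"WARNING: {svi} has no 'ip access-group DENY-ALL in' applied")
```

Feed it the output of "show running-config" after a push to confirm that every SVI you expected to filter really carries the ACL.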
