04-11-2024 05:31 AM
Hello,
I'm configuring an IE3300 running 17.06.03 and I'm not able to attach the "ip access-group DENY-ALL in" under a VLAN interface:
inv-r545# conf t
Enter configuration commands, one per line. End with CNTL/Z.
inv-r545(config)#interface Vlan58
inv-r545(config-if)#ip access-group DENY-ALL in
^
% Invalid input detected at '^' marker.
The corresponding ACL is correctly present in the configuration:
ip access-list standard DENY-ALL
10 deny any
Why am I not able to configure the command? It only happens with the IE3300; with the other switches I don't have this issue.
How can I attach that command?
Thank you
Regards
04-11-2024 07:53 AM
- Ref : https://www.cisco.com/c/en/us/support/docs/ip/access-lists/218248-troubleshoot-access-lists-on-ie3x00.html
>...On layer 3 ACL, Non-IP ACL is not supported.
M.
04-11-2024 07:59 AM
Hi @marce1000,
but according to the linked documentation it's possible to use the "ip access-group":
IE3300#show ip access-list 103
Extended IP access list 103
    10 permit udp any any eq 2222
    20 permit udp any eq 2222 any
Which is applied to different interfaces.
IE3300#show run interface GigabitEthernet 1/4
Building configuration...
Current configuration : 60 bytes
!
interface GigabitEthernet1/4
 ip access-group 103 in
end
04-11-2024 08:08 AM
- Or it might not be allowed on a VLAN interface on the particular platform; you could try this by applying it on a regular interface instead and check if that works.
M.
04-15-2024 12:28 AM
Hi,
unfortunately I need to apply it on the VLAN interface... I'm gonna open a TAC because this issue is blocking my NAC deployment.
04-15-2024 01:20 AM
- OK, if possible you may give feedback from that here, too: always happy to learn!
M.
06-16-2024 11:53 PM
Hello,
I wondered if you have any new information about the issue.
We are migrating from the IE2000U hardware to the IE3300 with IOS XE Version 17.9.4a and are confronted with the same problem.
I am trying to apply an access list to a Layer 3 VLAN interface, but the command "ip access-group" is not supported on VLAN interfaces, only on real hardware interfaces.
Since that works on a Catalyst 9x00 with the same IOS XE version, I wondered if it is really not supported on the IE3300 platform.
Thanks and all the best kurt
06-16-2024 11:56 PM
Sorry, I forgot to mention that it did work on the IE2000U Switches as well.
Cheers kurt
04-15-2024 04:00 AM
Hello,
I don't have an IE3300 available, but does the command:
access-class DENY-ALL in
work ?
04-15-2024 06:26 AM
Hello @Georg Pauwen ,
I'm unable to apply "access-class DENY-ALL"; I only have this option for access-
inv-r545(config-if)#access?
access-session
seems that no access-list or access-group or access-class could be issued
thank you
07-03-2024 11:10 AM
I have the same issue. If it is not supported then this is really disappointing as this feature worked fine on the IE3000 platform.