07-10-2009 06:21 AM - edited 03-06-2019 06:41 AM
I was hoping someone could help determine if this is possible. I have a router on a stick configuration with several different vlans. I would like to add ACLs to the bridged sub-interfaces but not to the BVI. I wasn't sure if this is possible because I thought ACLs had to be applied to a Layer 3 interface. I tried it in a lab but was not successful in getting it to work. Sample config is below.
! IRB prerequisites that the snippet leaves implicit: the sub-interfaces are
! bridged in group 1 and BVI1 routes IP for that group.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface BVI1
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip access-group 110 in
 bridge-group 1
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip access-group 120 in
 bridge-group 1
!
! Numbered extended ACLs (100-199) need a protocol keyword, so the catch-all
! line is "permit ip any any"; "permit any any" is rejected by the parser.
access-list 110 deny udp any any
access-list 110 permit ip any any
access-list 120 deny udp any any
access-list 120 permit ip any any
07-10-2009 06:40 AM
Hello Kevin,
"I thought ACLs had to be applied to a Layer 3 interface. I tried it in a lab but was not successful in getting it to work."
On a router this is correct.
However, there are multilayer switches that can be configured with both a port ACL and a VLAN ACL, so the idea is not wrong, but it depends on the real implementation of the device.
Hope to help
Giuseppe
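As an added illustration of the "port ACL and VLAN ACL" that the reply above refers to (this is not configuration from the thread or from the poster's lab): on a Catalyst multilayer switch the same "block UDP" policy can be attached to a VLAN as a VACL, which filters bridged traffic inside the VLAN without touching the SVI, or to a Layer 2 switchport as a port ACL. VLAN numbers and the ACL logic are taken from the original post; the names BLOCK-UDP and VLAN10-FILTER and the port GigabitEthernet0/20 are hypothetical.

```cisco
! Constructed example, Catalyst-style IOS. Not from the original thread.
!
! A VACL matches on an ACL whose "permit" lines select traffic for the
! action; "permit" here means "this is the traffic to act on", not "allow".
ip access-list extended BLOCK-UDP
 permit udp any any
!
! Sequence 10: drop whatever BLOCK-UDP selects.
! Sequence 20: a VACL ends with an implicit drop, so all remaining traffic
! must be forwarded explicitly or the whole VLAN stops passing traffic.
vlan access-map VLAN10-FILTER 10
 match ip address BLOCK-UDP
 action drop
vlan access-map VLAN10-FILTER 20
 action forward
!
! Bind the map to VLAN 10. It applies to frames bridged within the VLAN and
! to packets routed into or out of it, in both directions; no SVI needed.
vlan filter VLAN10-FILTER vlan-list 10
!
! Port ACL alternative for VLAN 20: the numbered extended ACL from the post,
! applied inbound on a Layer 2 access port. Port ACLs are ingress only.
access-list 120 deny udp any any
access-list 120 permit ip any any
!
interface GigabitEthernet0/20
 switchport mode access
 switchport access vlan 20
 ip access-group 120 in
```

After applying it, "show vlan access-map" and "show vlan filter" confirm the map contents and which VLANs it is bound to. Keep in mind that a VACL has no direction: a single "action drop" clause affects traffic entering and leaving the VLAN alike, so test from both sides before relying on it.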
07-10-2009 06:41 AM
You are trying to apply layer 3/4 filtering to a layer 2 interface - last time I checked, not possible.
07-10-2009 06:48 AM
Thanks guys for the reply. I wasn't sure if it would work but I wanted to see if anyone had ever used something like this in production.