ACL on a 10G Ethernet port on a VS-S720-10G Card

Aug 12th, 2010

I am trying to apply an ACL on a 10G Ethernet port on a VS-S720-10G card, but it's not showing in the options. Is the port ACL a supported option on the 10G Ethernet port on a Sup 720 card?

tu2pel Thu, 08/12/2010 - 16:33

The port is configured as a trunk and an L2 port. This is the configuration of the port:

switchport trunk encapsulation dot1q
switchport trunk allowed vlan xxxx,xxxx,xxxx
switchport mode trunk
switchport nonegotiate
no snmp trap link-status

and these are the options I see under the interface config (looking for ip access-group):

router2(config-if)#ip ?
Interface IP configuration subcommands:
  admission           Apply Network Admission Control
  arp                 Configure ARP features
  auth-proxy          Apply authenticaton proxy
  dhcp                Configure DHCP parameters for this interface
  dhcp                DHCP
  header-compression  IPHC options
  igmp                IGMP interface commands
  rsvp                RSVP interface commands
  rtp                 RTP parameters
  verify              verify
  vrf                 VPN Routing/Forwarding parameters on the interface


Jon Marshall Thu, 08/12/2010 - 16:47

Can you add this to the port configuration:

int xxx
access-group mode prefer port

and then see if "ip access-group ..." is available.


tu2pel Thu, 08/12/2010 - 18:16


There is still no option to configure ip access-group when configuring the trunk port with the access mode preferred port configuration.


kathpric Thu, 08/12/2010 - 18:30

ip access-group is for layer 3 interfaces. Either change the layer 2 interface to layer 3 with "no switchport" or put the ACL on the SVI.

tu2pel Thu, 08/12/2010 - 18:59


Thanks for the reply, but as per the documentation on the 6509 and on the 12.2SX IOS, port ACL on Layer 2 is supported.

Additional information: it is not just on the 10G Ethernet port that we are not seeing the "ip access-group" option. It is also not showing up on the 1G interface ports that are configured as trunks.

The "ip access-group" option does show up, though, on a 4900M line card configured as a private-vlan trunk.


kathpric Thu, 08/12/2010 - 19:31

Sorry about that last post, you're right. What version are you running? From this doc it looks like you need SXI:

With some exceptions, the VSS has feature parity with the standalone Catalyst 6500 series switch. Major exceptions include:

In software releases earlier than Cisco IOS Release 12.2(33)SXI2, the VSS does not support IPv6 unicast or MPLS.

In software releases earlier than Cisco IOS Release 12.2(33)SXI, port-based QoS and port ACLs (PACLs) are supported only on Layer 2 single-chassis or multichassis EtherChannel (MEC) links. Beginning with Cisco IOS Release 12.2(33)SXI, port-based QoS and PACLs can be applied to any physical port in the VSS, excluding ports in the VSL. PACLs can be applied to no more than 2046 ports in the VSS.
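As an added, constructed example (not from this thread or from Cisco's documentation), this is what a port ACL on a Layer 2 trunk port looks like once the chassis runs 12.2(33)SXI or later; the interface name, VLAN list, addresses and ACL name are placeholders, and the release check comes first because on earlier SX releases the "ip access-group" keyword simply does not appear on non-EtherChannel physical ports:

```cisco
! Constructed example. Assumes Cisco IOS 12.2(33)SXI or later on the VSS;
! interface, VLANs, addresses and the ACL name are placeholders.

! 1. Confirm the release before expecting a PACL on a physical trunk port
show version | include IOS

! 2. Define the ACL that will be applied as the PACL
!    (PACLs on the Catalyst 6500 are ingress only)
ip access-list extended PACL-TRUNK-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 443
 deny   ip any any

! 3. Apply it to the Layer 2 trunk port
interface TenGigabitEthernet5/4
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
 ! "prefer port" lets the PACL, not the VLAN ACL, decide on this port
 access-group mode prefer port
 ip access-group PACL-TRUNK-IN in

! 4. Verify the ACL mode and that the PACL is attached to the port
show access-group mode interface TenGigabitEthernet5/4
show running-config interface TenGigabitEthernet5/4
```

If step 1 reports a release earlier than 12.2(33)SXI, the keyword in step 3 will be missing, which matches the behaviour described in the thread.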
