11-17-2017 09:29 AM - edited 03-08-2019 12:47 PM
Working with an NX7000, sw version 6.2(16),
using an Ethernet interface with port-channel.
Cannot configure an ACL on a port-channel interface.
interface port-channel75
  switchport mode trunk

interface Ethernet1/26
  description To - Cisco Nexus 5020-wc0
  switchport mode trunk
  channel-group 75
  no shutdown

interface Ethernet1/28
  description To - Cisco Nexus 5020-wc0
  switchport mode trunk
  channel-group 75
  no shutdown

IP access list pt-ch-75_in
        10 permit udp 10.1.2/32 10.10.55.240/32 eq domain
        30 permit ip any any log
nx7000-wc0(config)# interface port-channel 75
nx7000-wc0(config-if)# ip access-group pt-ch-75_in in
ERROR: RACL policies can be configured only on Layer-3 interface which is not a port-channel member. Note that port-channel members use the ACL policies applied on port-channel interface.
nx7000-wc0(config-if)# exit
nx7000-wc0(config)# interface eth 1/26
nx7000-wc0(config-if)# ip access-group ?
nx7000-wc0(config-if)# ip access-group pt-ch-75_in in
ERROR: Cannot apply acl to a port-channel member.
nx7000-wc0(config-if)# exit
nx7000-wc0(config)# exit
11-17-2017 11:19 AM
I believe that fundamentally your problem is that your port channel is set as a trunk, so it is a layer 2 interface and you are attempting to assign a layer 3 ACL on a layer 2 interface. It would seem that you could solve this by either applying ACL to the layer 3 SVIs carried in the trunk or by configuring your port channel as a layer 3 (not trunk) interface.
HTH
Rick
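As an added example (not from the thread, and not Cisco's code), a small Python lint that reproduces the two checks behind the errors above, so a config can be tested for them before it is pushed. The sample config is constructed from the port-channel 75 stanzas in the post; the Ethernet1/30 Layer 3 interface is an assumption added to show a case that passes.

```python
# Added example (not from the thread): lint NX-OS-style interface config for
# the two refusals seen above, a RACL on a Layer 2 switchport interface and a
# RACL on a port-channel member. Assumes sub-commands indented under "interface".
import re

# Constructed sample based on port-channel 75 from the thread; the
# "ip access-group" lines are added here to show what the lint flags.
SAMPLE_CONFIG = """
interface port-channel75
  switchport mode trunk
  ip access-group pt-ch-75_in in
interface Ethernet1/26
  switchport mode trunk
  channel-group 75
  ip access-group pt-ch-75_in in
interface Ethernet1/30
  no switchport
  ip access-group pt-ch-75_in in
"""

def parse_interfaces(config: str) -> dict:
    """Group sub-commands under each top-level 'interface <name>' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m and not raw.startswith(" "):
            current = m.group(1)
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def lint_racl(config: str) -> list:
    """Return (interface, reason) for each RACL NX-OS would reject."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("ip access-group") for c in cmds):
            continue
        # "no switchport" does not start with "switchport", so it counts as L3
        is_l2 = any(c.startswith("switchport") for c in cmds)
        is_member = any(c.startswith("channel-group") for c in cmds)
        if is_member:
            findings.append((name, "RACL on a port-channel member"))
        elif is_l2:
            findings.append((name, "RACL on a Layer 2 (switchport) interface"))
    return findings
```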
11-21-2017 04:24 AM
Thanks Richard.
I understand, but in this architecture it is not possible to change to an SVI or L3 interface.
11-21-2017 06:34 AM
You know your environment and I do not, so I accept your statement that it is not possible to configure an SVI or L3 interface for the vlans carried in this trunk. And if that is the case then I do not see how your NX7000 can apply an IP access list to that traffic. To do layer 3 filtering of traffic the device must be processing that traffic on a layer 3 interface.
If it is not possible to apply the IP access list on the NX7000 would it perhaps be possible to apply that ACL on whatever device does have layer 3 interfaces for these vlans?
HTH
Rick