ACLs & port-channels

Rosa Ladera
Level 1

Working with an NX7000, sw version 6.2(16),
using an Ethernet interface with a port-channel.

Cannot configure an ACL on a port-channel interface.


interface port-channel75
switchport mode trunk

interface Ethernet1/26
description To - Cisco Nexus 5020-wc0
switchport mode trunk
channel-group 75
no shutdown

interface Ethernet1/28
description To - Cisco Nexus 5020-wc0
switchport mode trunk
channel-group 75
no shutdown

IP access list pt-ch-75_in
10 permit udp 10.1.2/32 10.10.55.240/32 eq domain
30 permit ip any any log

nx7000-wc0(config)# interface port-channel 75
nx7000-wc0(config-if)# ip access-group pt-ch-75_in in
ERROR: RACL policies can be configured only on Layer-3 interface which is not a port-channel member. Note that port-channel members use the ACL policies applied on port-channel interface.
nx7000-wc0(config-if)# exit


nx7000-wc0(config)# interface eth 1/26
nx7000-wc0(config-if)# ip access-group ?
nx7000-wc0(config-if)# ip access-group pt-ch-75_in in
ERROR: Cannot apply acl to a port-channel member.
nx7000-wc0(config-if)# exit
nx7000-wc0(config)# exit


Accepted Solution

Richard Burts
Hall of Fame

I believe that fundamentally your problem is that your port channel is set as a trunk, so it is a layer 2 interface and you are attempting to assign a layer 3 ACL on a layer 2 interface. It would seem that you could solve this by either applying ACL to the layer 3 SVIs carried in the trunk or by configuring your port channel as a layer 3 (not trunk) interface.


HTH


Rick

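As an added illustration of Rick's point (not code from the thread or from Cisco): a small Python pre-check that reproduces the two rejections Rosa hit, so a planned ip access-group can be tried against a config snippet before it is typed on the switch. The rules are taken only from the error messages above (RACLs go on Layer-3 interfaces, never on a port-channel member); the config snippets, VLAN number and addresses are constructed assumptions.

```python
# Added example: emulate the NX-OS RACL placement checks seen in the thread.
# Rules used: a port-channel member never accepts an RACL; otherwise the
# interface must be Layer 3 (routed port, L3 port-channel, or SVI).
import re

def parse_interfaces(config):
    """Map each 'interface X' stanza to the set of lines beneath it."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line, re.I)
        if m:
            current = m.group(1).lower()
            stanzas.setdefault(current, set())
        elif line and current:
            stanzas[current].add(line.lower())
    return stanzas

def canonical(name):
    """Normalise CLI shorthand: 'eth 1/26' -> 'ethernet1/26', 'po75' -> 'port-channel75'."""
    n = name.lower().replace(" ", "")
    n = re.sub(r"^eth(?=\d)", "ethernet", n)
    return re.sub(r"^po(?=\d)", "port-channel", n)

def is_layer3(name, lines):
    if name.startswith("vlan"):                          # an SVI is always routed
        return True
    if any(l.startswith("switchport") for l in lines):  # explicit L2 (access/trunk)
        return False
    return "no switchport" in lines or any(l.startswith("ip address") for l in lines)

def check_racl(config, interface):
    """Return the NX-OS-style rejection text, or None if the RACL would be accepted."""
    name = canonical(interface)
    lines = parse_interfaces(config).get(name, set())
    if any(l.startswith("channel-group") for l in lines):
        return "Cannot apply acl to a port-channel member."
    if not is_layer3(name, lines):
        return "RACL policies can be configured only on Layer-3 interface"
    return None

# Constructed configs: Rosa's L2 trunk, then the two fixes Rick suggests
# (L3 port-channel, or an SVI for the VLAN carried in the trunk).
TRUNK_CFG = """interface port-channel75
  switchport mode trunk
interface Ethernet1/26
  switchport mode trunk
  channel-group 75
"""
FIXED_CFG = """interface port-channel75
  no switchport
  ip address 10.10.55.1/24
interface Vlan56
  ip address 10.10.56.1/24
"""
```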


3 Replies


Thanks Richard.

I understand, but in this architecture it is not possible to change to an SVI or L3 interface.

You know your environment and I do not, so I accept your statement that it is not possible to configure an SVI or L3 interface for the vlans carried in this trunk. And if that is the case then I do not see how your NX7000 can apply an IP access list to that traffic. To do layer 3 filtering of traffic the device must be processing that traffic on a layer 3 interface.


If it is not possible to apply the IP access list on the NX7000 would it perhaps be possible to apply that ACL on whatever device does have layer 3 interfaces for these vlans?


HTH


Rick
