Cisco Support Community
New Member

Adding an ACL to a bridged subinterface

I was hoping someone could help determine if this is possible. I have a router on a stick configuration with several different vlans. I would like to add ACLs to the bridged sub-interfaces but not to the BVI. I wasn't sure if this is possible because I thought ACLs had to be applied to a Layer 3 interface. I tried it in a lab but was not successful in getting it to work. Sample config is below.

interface BVI1
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip access-group 110 in
 bridge-group 1
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip access-group 120 in
 bridge-group 1
!
access-list 110 deny udp any any
access-list 110 permit ip any any
access-list 120 deny udp any any
access-list 120 permit ip any any

3 REPLIES
Hall of Fame Super Silver

Re: Adding an ACL to a bridged subinterface

Hello Kevin,

I thought ACLs had to be applied to a Layer 3 interface. I tried it in a lab but was not successful in getting it to work.

On a router this is correct.

However, there are multilayer switches that can be configured with both a port ACL and a VLAN ACL, so the idea is not wrong, but it depends on the actual implementation of the device.

Hope to help

Giuseppe

Re: Adding an ACL to a bridged subinterface

You are trying to apply layer 3/4 filtering to a layer 2 interface - last time I checked, not possible.

New Member

Re: Adding an ACL to a bridged subinterface

Thanks guys for the reply. I wasn't sure if it would work but I wanted to see if anyone had ever used something like this in production.
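
Added example (not written by any poster in this thread, and not Cisco tooling): a small Python check that scans an IOS-style configuration for the pattern discussed above, an `ip access-group` on a `bridge-group` member that has no IP address of its own, so those lines can be reviewed. The function names and the sample configuration, including the GigabitEthernet0/1 stanza, are constructed for illustration, and the parser assumes the indented `show running-config` layout.

```python
import re

# Constructed sample mirroring the thread's config, plus one routed interface as a negative control.
SAMPLE_CONFIG = """\
interface BVI1
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip access-group 110 in
 bridge-group 1
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip access-group 120 in
 bridge-group 1
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group 130 in
"""

def parse_interfaces(config):
    """Map interface name -> sub-commands (assumes indented show-run layout)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():  # indented line: sub-command of the current stanza
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        m = re.match(r"interface\s+(\S+)", raw)
        current = m.group(1) if m else None  # any other top-level line ends the stanza
        if current is not None:
            interfaces[current] = []
    return interfaces

def find_bridged_ip_acls(config):
    """Return (interface, acl, direction) for IP ACLs on bridged, address-less interfaces."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        bridged = any(c.startswith("bridge-group ") for c in cmds)
        routed = any(c.startswith("ip address ") for c in cmds)
        for c in cmds if bridged and not routed else []:
            m = re.match(r"ip access-group\s+(\S+)\s+(in|out)$", c)
            if m:
                findings.append((name, m.group(1), m.group(2)))
    return findings
```

Calling `find_bridged_ip_acls(SAMPLE_CONFIG)` reports the two bridged subinterfaces and skips both BVI1 and the routed GigabitEthernet0/1.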
