0 Replies Latest reply: Aug 12, 2019 2:34 PM by labs.awardsolutions.com RSS

    IOSvL2: Port ACL on trunk ports

    labs.awardsolutions.com

      I can do port ACLs on access mode ports, but can't seem to get them to work on trunk mode ports. I define an ACL that denies "ip any any," but the switch ignores it. Packets flow just fine.

       

      For other IOS-based switches, I see references that say you need to run the "access-group mode prefer port" command to use PACLs on trunk ports. IOSvL2 doesn't seem to support that command.

       

      Is this just a software limitation?

       

      switch#sh version

      Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20170321:233949) [mmen 101]

      Copyright (c) 1986-2017 by Cisco Systems, Inc.

      Compiled Wed 22-Mar-17 08:38 by mmen

       

      switch#sh run int gi2/1

      interface GigabitEthernet2/1

      description to nortel_box

      switchport trunk allowed vlan 2,300,500

      switchport trunk encapsulation dot1q

      switchport mode trunk

      ip access-group TMP in

      media-type rj45

      negotiation auto

      end

       

      switch#sh ip access-lists int gi2/1

      Extended IP access list TMP

          10 deny ip any any

       

      switch#conf t

      Enter configuration commands, one per line.  End with CNTL/Z.

      switch(config)#int gi2/0

      switch(config-if)#access-group mode prefer port

                                   ^

      % Invalid input detected at '^' marker.