I can do port ACLs on access mode ports, but can't seem to get them to work on trunk mode ports. I define an ACL that denies "ip any any," but the switch ignores it. Packets flow just fine.
For other IOS-based switches, I see references that say you need to run the "access-group mode prefer port" command to use PACLs on trunk ports. IOSvL2 doesn't seem to support that command.
Is this just a software limitation?
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20170321:233949) [mmen 101]
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Wed 22-Mar-17 08:38 by mmen
switch#sh run int gi2/1
interface GigabitEthernet2/1
 description to nortel_box
 switchport trunk allowed vlan 2,300,500
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip access-group TMP in

switch#sh ip access-lists int gi2/1
Extended IP access list TMP
    10 deny ip any any

switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#int gi2/1
switch(config-if)#access-group mode prefer port
% Invalid input detected at '^' marker.
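One way to confirm whether a PACL like the one above is being evaluated at all, rather than judging by whether packets get through, is to compare the per-ACE hit counters that IOS appends to `show ip access-lists` output ("(N matches)") before and after sending traffic across the port. The script below is an added example written for this thread, not code from the original post or from Cisco; the two `show ip access-lists` snapshots it parses are constructed sample output, and the second ACL name (`ACCESS_PORT`) is hypothetical, standing in for an ACL on an access-mode port where the counters do move.

```python
"""Compare `show ip access-lists` hit counters between two snapshots.

Added example (not from the original post). IOS appends "(N matches)" to an
ACE once it has been hit, so an ACE whose counter stays flat while traffic
crosses the interface is strong evidence the ACL is not in the forwarding
path. The sample output below is constructed, not captured from a switch;
the ACL name ACCESS_PORT is hypothetical.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed snapshot taken before sending test traffic.
SAMPLE_BEFORE = """\
Extended IP access list TMP
    10 deny ip any any
Extended IP access list ACCESS_PORT
    10 deny ip any any (1342 matches)
    20 permit ip any any
"""

# Constructed snapshot taken after sending test traffic through both ports.
SAMPLE_AFTER = """\
Extended IP access list TMP
    10 deny ip any any
Extended IP access list ACCESS_PORT
    10 deny ip any any (2210 matches)
    20 permit ip any any
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
# Leading whitespace is optional because forum pastes often strip indentation.
ACE_LINE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$")


class Ace(NamedTuple):
    seq: int
    rule: str
    matches: int


def parse_access_lists(text: str) -> Dict[str, List[Ace]]:
    """Return {acl_name: [Ace, ...]} parsed from `show ip access-lists` text."""
    acls: Dict[str, List[Ace]] = {}
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            seq, rule, hits = ace.groups()
            # An ACE with no "(N matches)" suffix has never been hit.
            acls[current].append(Ace(int(seq), rule, int(hits) if hits else 0))
    return acls


def counter_delta(before: str, after: str, acl_name: str) -> Dict[int, int]:
    """Return {seq: matches_after - matches_before} for every ACE in one ACL."""
    b = {a.seq: a.matches for a in parse_access_lists(before).get(acl_name, [])}
    a = {x.seq: x.matches for x in parse_access_lists(after).get(acl_name, [])}
    return {seq: a.get(seq, 0) - b.get(seq, 0) for seq in sorted(set(a) | set(b))}


def acl_is_active(before: str, after: str, acl_name: str) -> bool:
    """True if at least one ACE in the ACL incremented between snapshots."""
    return any(d > 0 for d in counter_delta(before, after, acl_name).values())


if __name__ == "__main__":
    for name in ("TMP", "ACCESS_PORT"):
        state = "active" if acl_is_active(SAMPLE_BEFORE, SAMPLE_AFTER, name) else "not evaluated"
        print(f"{name}: {counter_delta(SAMPLE_BEFORE, SAMPLE_AFTER, name)} -> {state}")
```

Usage: run `clear ip access-list counters` on the switch, capture `show ip access-lists` into the "before" snapshot, push traffic through the trunk and through an access port carrying a comparable ACL, capture the "after" snapshot, and feed both to `counter_delta`. A `deny ip any any` ACE that stays at zero on the trunk while the access-port ACE climbs tells you the PACL is not being applied there, independent of whatever the end hosts observe.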