https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105090#M7361 <P>Can you help me understand the direction when applying this ACL to the port instead of the VE. When I apply my ACL to the in direction, I am still able to access the other networks. See below.</P><P>&nbsp;</P><P>Extended IP access list GUEST_NETWORK</P><P>10: permit ip 192.168.200.0 0.0.0.255 host 192.168.200.254<BR />20: deny ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255<BR />30: deny ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255<BR />40: deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255<BR />50: permit ip any any</P><P>&nbsp;</P><P>VLAN 200</P><P>ip access-group GUEST_NETWORK in</P><P>&nbsp;</P><P>Thanks,</P> Mon, 05 May 2025 13:51:01 GMT defore 2025-05-05T13:51:01Z https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105068#M7355 <P>Hello,</P><P>We have some ICX 8200 Switches. I have built a couple of ACLs and VE interfaces on the switch. When I go to apply them to the interface, I do not get an "ip access-group" option. I do see this option on physical ports. I am not sure what I am missing here.</P><P>Thanks for your help.</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 04 May 2025 01:02:28 GMT https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105068#M7355 defore 2025-05-04T01:02:28Z https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105070#M7356 <P>Hello Defore,</P><P>Greetings!</P><P>Please find below an example from our lab demonstrating how to apply an access-group to both an interface and a VLAN.</P><P>You can apply the "access-group" to vlan and the port not on the ve interface.</P><HR /><H3><STRONG>Step 1: Create the Access List</STRONG></H3><PRE>ICX8200-48ZP2 Router(config)# ip access-list extended test6789 ICX8200-48ZP2 Router(config-ext-ipacl-test6789)# exit</PRE><HR /><H3><STRONG>Step 2: Apply the ACL to Interface 1/1/2</STRONG></H3><PRE>ICX8200-48ZP2 Router(config)# interface ethernet 1/1/2 ICX8200-48ZP2 Router(config-if-e1000-1/1/2)# ip access-group test6789 in Warning: Binding of large ACL Operation may take few minutes ICX8200-48ZP2 Router(config-if-e1000-1/1/2)# ip access-group test6789 out Warning: Binding of large ACL Operation may take few minutes ICX8200-48ZP2 Router(config-if-e1000-1/1/2)# exit</PRE><HR /><H3><STRONG>Step 3: Apply the ACL to VLAN 100</STRONG></H3><PRE>ICX8200-48ZP2 Router(config)# vlan 100 ICX8200-48ZP2 Router(config-vlan-100)# ip access-group test6789 in Warning: Binding of large ACL Operation may take few minutes ICX8200-48ZP2 Router(config-vlan-100)# ip access-group test6789 out</PRE><HR /><H3><STRONG>Step 4: Verify Using Running Configuration</STRONG></H3><P><STRONG>Interface Configuration:</STRONG></P><PRE>ICX8200-48ZP2 Router(config)# show run interface ethernet 1/1/2 interface ethernet 1/1/2 ip access-group test6789 in ip access-group test6789 out !</PRE><P><STRONG>VLAN Configuration:</STRONG></P><PRE>ICX8200-48ZP2 Router(config)# show run vlan 100 vlan 100 by port ip access-group test6789 in ip access-group test6789 out ! !</PRE><HR /><P>If the above steps do not help, please provide the following:</P><OL><LI><P>The <STRONG>error message</STRONG> or issue encountered while executing commands (include output snippet).</P></LI><LI><P>The <STRONG>software version</STRONG> currently running on the switch.</P></LI></OL><P>For more details, please refer to the <A href="https://docs.commscope.com/bundle/fastiron-10010-securityguide/page/GUID-271C4E83-0C32-4BC6-94E0-5CF304222B9D.html" target="_blank" rel="noopener">ACL configuration guide for ICX switches</A>.</P><P>Looking forward to your response.</P><P>Regards,<BR />Nidhi</P> Sun, 04 May 2025 06:12:54 GMT https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105070#M7356 Nidhi 2025-05-04T06:12:54Z https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105074#M7358 <P>Thank you for the response. So, the ACL is applied to the VLAN directly and not the VLAN Interface (RVI/SVI), like it is in the Cisco world? I think that is what was confusing me.</P><P>Thanks,</P> Sun, 04 May 2025 18:16:08 GMT https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105074#M7358 defore 2025-05-04T18:16:08Z https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105075#M7359 <P>Hello Defore,</P><P>Yes, that's correct. We should apply the ACL directly to the VLAN.</P><P>Regards,</P><P>Nidhi</P> Mon, 05 May 2025 03:41:10 GMT https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105075#M7359 Nidhi 2025-05-05T03:41:10Z https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105090#M7361 <P>Can you help me understand the direction when applying this ACL to the port instead of the VE. When I apply my ACL to the in direction, I am still able to access the other networks. See below.</P><P>&nbsp;</P><P>Extended IP access list GUEST_NETWORK</P><P>10: permit ip 192.168.200.0 0.0.0.255 host 192.168.200.254<BR />20: deny ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255<BR />30: deny ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255<BR />40: deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255<BR />50: permit ip any any</P><P>&nbsp;</P><P>VLAN 200</P><P>ip access-group GUEST_NETWORK in</P><P>&nbsp;</P><P>Thanks,</P> Mon, 05 May 2025 13:51:01 GMT https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105090#M7361 defore 2025-05-05T13:51:01Z https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105121#M7362 <P>Hello,</P><P>Looks like my last post did not get posted. Can you assist me with how the direction on the ACL works when applying to a port instead of an RVI/SVI? When I apply my ACL in the "in" direction on my vlan 200, I am still able to access the other networks.</P><P>Extended IP access list GUEST_NETWORK: 5 entries<BR />10: permit ip 192.168.200.0 0.0.0.255 host 192.168.200.254<BR />20: deny ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255<BR />30: deny ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255<BR />40: deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255<BR />50: permit ip any any</P><P>vlan 200</P><P>ip access-group GUEST_NETWORK in</P><P>&nbsp;</P><P>Thanks,</P> Mon, 05 May 2025 20:05:16 GMT https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105121#M7362 defore 2025-05-05T20:05:16Z https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105144#M7363 <P>I managed to resolve this. My ACL was written incorrectly. Turns out this was a /23 network. Also, for anyone else looking for information about this, here is a useful video about the ACL changes for 9.0 and above.<BR /><BR /><A href="https://www.youtube.com/watch?v=qUhnuxZfbzQ" target="_blank">https://www.youtube.com/watch?v=qUhnuxZfbzQ</A></P><P>&nbsp;</P><P>Thanks,</P> Tue, 06 May 2025 18:03:33 GMT https://community.ruckuswireless.com/t5/ICX-Switches/Unable-to-apply-ACL-on-VE-Interface/m-p/105144#M7363 defore 2025-05-06T18:03:33Z