
Added port to VLAN, existing access-group wasn't applied to port

New Contributor III

ver 09.0.10T213

Existing configuration (snippets):

vlan 81 name untrusted-no-outbound by port
 tagged ethe 3/1/6 
 untagged ethe 1/1/6 
 ip access-group untrusted-no-outbound in

interface ve 81
 ip address
 ip helper-address 1
 ip helper-address 2

ip access-list extended untrusted-no-outbound
 sequence 10 permit tcp any established 
 sequence 20 permit icmp any any 
 sequence 50 permit udp any host eq ntp 
 sequence 70 deny tcp any 
 sequence 80 deny udp any

With this configuration in place, the devices attached to 1/1/6 and 3/1/6 were able to send DHCP requests (and obtain addresses) via VLAN 81.

I added port 4/1/1 (also tagged) to VLAN 81, but the device attached to that port was unable to get an address via DHCP. Setting up a monitor on port 4/1/1 showed the DHCP 'discover' arriving (with VLAN id 81) from the device, but it was not forwarded to the ip-helper addresses attached to 'interface ve 81'.

Removing the 'ip access-group' from 'vlan 81' and then re-adding it cured the problem; traffic from port 4/1/1 on vlan 81 began flowing. It appears that adding the port to the VLAN, with an existing access-group, did not result in the access-group's rules being applied to that port.


New Contributor III

Sorry, forgot to include device information: this is a 4-unit stack of ICX7150-C12Ps.

New Contributor III

I added another rule to that access-list today, and again it was not applied to the port I was using to test. It appears that this is a more pervasive problem than what I originally thought. I had to remove and re-apply the access-group to get traffic flowing via the new rule I had added.


Hey Kevin, 

I would recommend opening a support case for this type of item. It likely needs a proper investigation. One of our TAC engineers would be best-suited to assist you. 

Ben Beck, RCNA, RCNI, Principal Technical Support Engineer

New Contributor III

I would be happy if I could do that, but I can't purchase a support contract because I bought my ICX devices 'used'. Too bad.