ICX 7850 egress ACL not supported with untagged vlans?

howardtopher
New Contributor II

Can anyone explain why this is the case?  From the 08.0.92e documentation: 

On ICX 7850 devices only, configuration of egress ACLs is blocked on any virtual interface with an associated VLAN that contains an untagged port.

And sure enough, when I try:

(config-vif-1234)# ip access-group acl-name out
Error: Egress ACL on VE is not supported when vlan has untagged ports

It works fine on all other models we have (7450, 7650, 7750) as this is a normal thing for us.  Why not here?
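Before pushing a standard image such as 08.0.92e to a new ICX 7850, it helps to know in advance which VE egress ACLs in the intended config would hit this restriction. The script below is an added example for this thread, not Ruckus code: it parses a constructed FastIron-style running-config and flags every "ip access-group ... out" on a virtual interface whose VLAN contains an untagged port. It assumes the usual config layout (vlan blocks with "untagged ethe ..." lines and "router-interface ve N", and "interface ve N" blocks), and it does not model the 08.0.95 VLAN-level syntax, which the thread does not show.

```python
"""Audit a FastIron-style running-config for egress ACLs on a VE whose VLAN
has untagged ports (the combination rejected on ICX 7850 under 08.0.92).

Added example for this thread, not Ruckus code. The sample config is
constructed, and the parser assumes the conventional layout shown in it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (not from a real switch). VE 1234 carries an egress ACL
# and its VLAN has untagged ports, which is the rejected combination.
# VE 2000 also carries an egress ACL but its VLAN is tagged-only, so it is fine.
SAMPLE_CONFIG = """\
vlan 1234 name servers by port
 tagged ethe 1/1/1 to 1/1/2
 untagged ethe 1/1/3 to 1/1/4
 router-interface ve 1234
!
vlan 2000 name uplinks by port
 tagged ethe 1/1/47 to 1/1/48
 router-interface ve 2000
!
interface ve 1234
 ip address 10.12.34.1/24
 ip access-group acl-servers in
 ip access-group acl-servers-out out
!
interface ve 2000
 ip address 10.20.0.1/24
 ip access-group acl-uplink out
!
"""


@dataclass
class Vlan:
    vid: int
    ve: Optional[int] = None
    untagged: List[str] = field(default_factory=list)


@dataclass
class Finding:
    ve: int
    vlan: int
    acl: str
    untagged: List[str]


def parse_vlans(config: str) -> Dict[int, Vlan]:
    """Collect, per VLAN, its untagged port ranges and the VE bound to it."""
    vlans: Dict[int, Vlan] = {}
    current: Optional[Vlan] = None
    for line in config.splitlines():
        top = re.match(r"^vlan (\d+)", line)
        if top:
            current = Vlan(int(top.group(1)))
            vlans[current.vid] = current
            continue
        if not line.startswith(" "):
            current = None  # "!" or another top-level stanza ends the block
            continue
        if current is None:
            continue
        body = line.strip()
        m = re.match(r"untagged (.+)$", body)
        if m:
            current.untagged.append(m.group(1))
        m = re.match(r"router-interface ve (\d+)$", body)
        if m:
            current.ve = int(m.group(1))
    return vlans


def parse_egress_acls(config: str) -> Dict[int, List[str]]:
    """Map each VE number to the ACL names applied on it in the 'out' direction."""
    egress: Dict[int, List[str]] = {}
    current: Optional[int] = None
    for line in config.splitlines():
        top = re.match(r"^interface ve (\d+)", line)
        if top:
            current = int(top.group(1))
            continue
        if not line.startswith(" "):
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"ip access-group (\S+) out$", line.strip())
        if m:
            egress.setdefault(current, []).append(m.group(1))
    return egress


def audit(config: str) -> List[Finding]:
    """Return one Finding per egress ACL on a VE whose VLAN has untagged ports."""
    vlans = parse_vlans(config)
    ve_to_vlan = {v.ve: v for v in vlans.values() if v.ve is not None}
    findings: List[Finding] = []
    for ve, acls in sorted(parse_egress_acls(config).items()):
        vlan = ve_to_vlan.get(ve)
        if vlan is None or not vlan.untagged:
            continue
        for acl in acls:
            findings.append(Finding(ve, vlan.vid, acl, list(vlan.untagged)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"ve {f.ve}: egress ACL {f.acl} on vlan {f.vlan} "
              f"with untagged ports: {', '.join(f.untagged)}")
```

Run it against the output of "show running-config" saved to a file to get the list of VEs that would need either a different design (tagged-only VLAN, or the ACL applied inbound on the other side) or the later code train before the config is accepted on a 7850.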

1 ACCEPTED SOLUTION

BenBeck
Moderator

I do not have a definitive answer for you, but it seems like some kind of technical limitation on initial support for ICX7850. I can see that note in 8090 and 8092 documentation. 8095 has a pretty large re-write from an ACL standpoint and I do not see that limitation mentioned in 8095 documentation. ACLs will generally be applied at the vlan level starting from 8095 forward. It may be worth giving 8095d a shot for this specific use case. 

Ben Beck, RCNA, RCNI, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us

2 REPLIES

Thanks for this.  We try to run the same version of code everywhere so we're on 8092e on around 900 switches right now.  However, this case is a new install and doesn't have production traffic on it yet so I just installed 8095d.  You're correct that the ACL is now in the vlan and not the router interface, but it accepted the "out" direction ACL.  Once I get a server connected to the switch I'll be able to test it, but looks good so far.