
Unable to apply ACL on VE Interface

defore
New Contributor

Hello,

We have some ICX 8200 Switches. I have built a couple of ACLs and VE interfaces on the switch. When I go to apply them to the interface, I do not get an "ip access-group" option. I do see this option on physical ports. I am not sure what I am missing here.

Thanks for your help.


1 ACCEPTED SOLUTION

Nidhi
RUCKUS Team Member

Hello Defore,

Greetings!

Please find below an example from our lab demonstrating how to apply an access-group to both an interface and a VLAN.

You can apply the "access-group" to the VLAN and to the port, not to the VE interface.


Step 1: Create the Access List

ICX8200-48ZP2 Router(config)# ip access-list extended test6789
ICX8200-48ZP2 Router(config-ext-ipacl-test6789)# exit

Step 2: Apply the ACL to Interface 1/1/2

ICX8200-48ZP2 Router(config)# interface ethernet 1/1/2
ICX8200-48ZP2 Router(config-if-e1000-1/1/2)# ip access-group test6789 in
Warning: Binding of large ACL Operation may take few minutes
ICX8200-48ZP2 Router(config-if-e1000-1/1/2)# ip access-group test6789 out
Warning: Binding of large ACL Operation may take few minutes
ICX8200-48ZP2 Router(config-if-e1000-1/1/2)# exit

Step 3: Apply the ACL to VLAN 100

ICX8200-48ZP2 Router(config)# vlan 100
ICX8200-48ZP2 Router(config-vlan-100)# ip access-group test6789 in
Warning: Binding of large ACL Operation may take few minutes
ICX8200-48ZP2 Router(config-vlan-100)# ip access-group test6789 out

Step 4: Verify Using Running Configuration

Interface Configuration:

ICX8200-48ZP2 Router(config)# show run interface ethernet 1/1/2
interface ethernet 1/1/2
 ip access-group test6789 in
 ip access-group test6789 out
!

VLAN Configuration:

ICX8200-48ZP2 Router(config)# show run vlan 100
vlan 100 by port
 ip access-group test6789 in
 ip access-group test6789 out
!
!

If the above steps do not help, please provide the following:

  1. The error message or issue encountered while executing commands (include output snippet).

  2. The software version currently running on the switch.

For more details, please refer to the ACL configuration guide for ICX switches.

Looking forward to your response.

Regards,
Nidhi



defore
New Contributor

Thank you for the response. So, the ACL is applied to the VLAN directly and not the VLAN Interface (RVI/SVI), like it is in the Cisco world? I think that is what was confusing me.

Thanks,

Nidhi
RUCKUS Team Member

Hello Defore,

Yes, that's correct. We should apply the ACL directly to the VLAN.

Regards,

Nidhi

defore
New Contributor

Can you help me understand the direction when applying this ACL to the port instead of the VE? When I apply my ACL in the "in" direction, I am still able to access the other networks. See below.


Extended IP access list GUEST_NETWORK

10: permit ip 192.168.200.0 0.0.0.255 host 192.168.200.254
20: deny ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255
30: deny ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255
40: deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255
50: permit ip any any


VLAN 200

ip access-group GUEST_NETWORK in


Thanks,
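As an added illustration that is not part of any post in this thread, the following Python model parses the GUEST_NETWORK list exactly as the switch prints it (wildcard masks, first match wins, implicit deny at the end) and reports which flows the policy as written permits or denies. It is a sanity check of the rule logic only; the sample flows are constructed, and the model says nothing about where on the switch a VLAN-bound ACL is enforced or in which direction.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed copy of the GUEST_NETWORK ACL posted above. Ruckus/Brocade extended
# ACLs use wildcard (inverse) masks and first-match evaluation; the implicit deny
# that normally ends an ACL is overridden here by rule 50 (permit ip any any).
GUEST_NETWORK = """
10: permit ip 192.168.200.0 0.0.0.255 host 192.168.200.254
20: deny ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255
30: deny ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255
40: deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255
50: permit ip any any
"""

def _take_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec from tokens; return (network, fixed-bit mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0                       # no fixed bits: matches everything
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return net, (~wildcard) & 0xFFFFFFFF  # 0-bits of the wildcard must match

def parse_acl(text: str) -> List[Tuple[int, str, Tuple[int, int], Tuple[int, int]]]:
    """Parse 'seq: action proto src dst' lines into ordered rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        seq, rest = line.split(":", 1)
        tokens = rest.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        if proto != "ip":                 # only the 'ip' keyword is modelled here
            raise ValueError(f"unsupported protocol in rule {seq}: {proto}")
        src, dst = _take_addr(tokens), _take_addr(tokens)
        rules.append((int(seq.strip()), action, src, dst))
    return rules

def _matches(spec: Tuple[int, int], addr: str) -> bool:
    net, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)

def evaluate(rules, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching rule, or the implicit deny."""
    for seq, action, s, d in rules:
        if _matches(s, src) and _matches(d, dst):
            return action, seq
    return "deny", None                   # implicit deny when nothing matched
```

Calling `evaluate(parse_acl(GUEST_NETWORK), "192.168.200.10", "10.1.1.1")` returns `("deny", 20)`, while the reverse flow from 10.1.1.1 back to the guest host falls through to rule 50, which is why the binding direction matters for what this list actually blocks.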