This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Ruckus Wireless
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Unable to apply ACL on VE Interface

Go to solution
defore
New Contributor

‎05-03-2025 06:02 PM

Hello,

We have some ICX 8200 Switches. I have built a couple of ACLs and VE interfaces on the switch. When I go to apply them to the interface, I do not get an "ip access-group" option. I do see this option on physical ports. I am not sure what I am missing here.

Thanks for your help.

 

 

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Nidhi
RUCKUS Team Member

‎05-03-2025 11:06 PM - edited ‎05-03-2025 11:12 PM

Hello Defore,

Greetings!

Please find below an example from our lab demonstrating how to apply an access-group to both an interface and a VLAN.

You can apply the "access-group" to vlan and the port not on the ve interface.

Step 1: Create the Access List

ICX8200-48ZP2 Router(config)# ip access-list extended test6789
ICX8200-48ZP2 Router(config-ext-ipacl-test6789)# exit

Step 2: Apply the ACL to Interface 1/1/2

ICX8200-48ZP2 Router(config)# interface ethernet 1/1/2
ICX8200-48ZP2 Router(config-if-e1000-1/1/2)# ip access-group test6789 in
Warning: Binding of large ACL Operation may take few minutes
ICX8200-48ZP2 Router(config-if-e1000-1/1/2)# ip access-group test6789 out
Warning: Binding of large ACL Operation may take few minutes
ICX8200-48ZP2 Router(config-if-e1000-1/1/2)# exit

Step 3: Apply the ACL to VLAN 100

ICX8200-48ZP2 Router(config)# vlan 100
ICX8200-48ZP2 Router(config-vlan-100)# ip access-group test6789 in
Warning: Binding of large ACL Operation may take few minutes
ICX8200-48ZP2 Router(config-vlan-100)# ip access-group test6789 out

Step 4: Verify Using Running Configuration

Interface Configuration:

ICX8200-48ZP2 Router(config)# show run interface ethernet 1/1/2
interface ethernet 1/1/2
 ip access-group test6789 in
 ip access-group test6789 out
!

VLAN Configuration:

ICX8200-48ZP2 Router(config)# show run vlan 100
vlan 100 by port
 ip access-group test6789 in
 ip access-group test6789 out
!
!

If the above steps do not help, please provide the following:

  1. The error message or issue encountered while executing commands (include output snippet).

  2. The software version currently running on the switch.

For more details, please refer to the ACL configuration guide for ICX switches.

Looking forward to your response.

Regards,
Nidhi

View solution in original post

0 Kudos
6 REPLIES 6

Go to solution
defore
New Contributor

‎05-05-2025 01:05 PM

Hello,

Looks like my last post did not get posted. Can you assist me with how the direction on the ACL works when applying to a port instead of an RVI/SVI? When I apply my ACL in the "in" direction on my vlan 200, I am still able to access the other networks.

Extended IP access list GUEST_NETWORK: 5 entries
10: permit ip 192.168.200.0 0.0.0.255 host 192.168.200.254
20: deny ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255
30: deny ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255
40: deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255
50: permit ip any any

vlan 200

ip access-group GUEST_NETWORK in

 

Thanks,

0 Kudos

Go to solution
defore
New Contributor

‎05-06-2025 11:03 AM

I managed to resolve this. My ACL was written incorrectly. Turns out this was a /23 network. Also, for anyone else looking for information about this, here is a useful video about the ACL changes for 9.0 and above.

https://www.youtube.com/watch?v=qUhnuxZfbzQ

 

Thanks,

0 Kudos
Copyright © 2025 Khoros, LLC