How to add ACLs to Port channel?

Aruba Employee
Aruba Employee

This article explain the steps to add Access Lists to a port channel.


It may very well be required that the port channel be untrusted so that the administrator can control the kind of traffic exchanged between devices without compromising on the bandwidth. This can be achieved by configuring ACLs within a port channel.

 Port channels can be configured in two ways –

  1. Static – By configuring port channel and manually adding individual interfaces to it
  2. Dynamic – By implementing LACP so that the LACP peers (actor and partner) negotiate the link bundling between them by sending LACP Data Units (LACPDU) and in the process create a Link Aggregation Group (LAG).

In this article, we will create a static port channel and apply the ACL to it. 


Environment: This article applies to AOS version 3.0 and higher.


To create a static port channel, execute the following commands on both the controllers:


(Aruba3400) (config) #interface port-channel 1
(Aruba3400) (config-channel)#add gigabitethernet 1/0 //To add GE1/0 to pc-1
(Aruba3400) (config-channel)#add gigabitethernet 1/1 //To add GE1/1 to pc-1

Likewise, you can add more ports to the port channel

To create a ACL:

Please note, you need to have PEFNG (AOS version 5.0 onwards) or PEF (AOS version prior to 5.0) license installed on the controller to be able to create an ACL.

(Aruba3200) #Configure terminal            
(Aruba3200) (config) #ip access-list session Deny-ICPM
(Aruba3200) (config-sess-Deny-ICPM)#  any any svc-icmp deny
To verify the created ACL:
(Aruba3200) #show ip access-list Deny-ICPM
ip access-list session Deny-ICPM
Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          svc-icmp  deny                             Low                                                           4
(Aruba3200) #
To map the created ACL to the Port Channel:
(Aruba3200) (config) #interface port-channel 1
(Aruba3200) (config-channel)#ip access-group ?
<name>                  Name or Number of ACL
(Aruba3200) (config-channel)#ip access-group Deny-ICPM
(Aruba3200) (config-channel)#ip access-group Deny-ICPM session

Note: In port channel, ACLs after they are applied will take effect only on the new sessions, old sessions won’t be honored. 

Version history
Revision #:
5 of 5
Last update:
‎11-19-2014 05:22 AM
Updated by:
Labels (1)

Given the age of this article it should be noted this process does not function as written on controllers running 8.x code and above.

Search Airheads
Showing results for 
Search instead for 
Did you mean: