How to add ACLs to Port channel?
This article explains the steps to add access control lists (ACLs) to a port channel.
It may be necessary to treat the port channel as untrusted so that the administrator can control the kind of traffic exchanged between devices without sacrificing bandwidth. This is achieved by configuring ACLs on the port channel.
Port channels can be configured in two ways –
- Static – By configuring port channel and manually adding individual interfaces to it
- Dynamic – By implementing LACP, so that the LACP peers (actor and partner) negotiate the link bundling between them by exchanging LACP Data Units (LACPDUs), creating a Link Aggregation Group (LAG) in the process.
In this article, we will create a static port channel and apply the ACL to it.
Environment: This article applies to AOS version 3.0 and higher.
To create a static port channel, execute the following commands on both controllers:
(Aruba3400) (config) #interface port-channel 1
(Aruba3400) (config-channel)#add gigabitethernet 1/0 //To add GE1/0 to pc-1
(Aruba3400) (config-channel)#add gigabitethernet 1/1 //To add GE1/1 to pc-1
Likewise, you can add more ports to the port channel.
To create an ACL:
Please note that a PEFNG (AOS version 5.0 onwards) or PEF (AOS versions prior to 5.0) license must be installed on the controller before you can create an ACL.
(Aruba3200) #Configure terminal
(Aruba3200) (config) #ip access-list session Deny-ICPM
(Aruba3200) (config-sess-Deny-ICPM)# any any svc-icmp deny
To verify the created ACL:
(Aruba3200) #show ip access-list Deny-ICPM
ip access-list session Deny-ICPM
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any svc-icmp deny Low 4
To map the created ACL to the Port Channel:
(Aruba3200) (config) #interface port-channel 1
(Aruba3200) (config-channel)#ip access-group ?
<name> Name or Number of ACL
(Aruba3200) (config-channel)#ip access-group Deny-ICPM
(Aruba3200) (config-channel)#ip access-group Deny-ICPM session
Note: ACLs applied to a port channel take effect only on sessions created after the ACL is applied; sessions that already exist are not re-evaluated against the new ACL.
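As an added example (not part of the original article or of ArubaOS), the following Python checks the output of show ip access-list quoted above: it parses the session ACL rules and confirms that the intended service is denied before the ACL is mapped to the port channel. The sample output string is constructed from the article's own show command.

```python
import re

# Constructed sample: the "show ip access-list Deny-ICPM" output shown in the article.
SAMPLE_OUTPUT = """ip access-list session Deny-ICPM
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any svc-icmp deny Low 4
"""


def parse_session_acl(output):
    """Return (acl_name, rules) parsed from 'show ip access-list <name>' text.

    Only the first five columns (Priority, Source, Destination, Service, Action)
    are always present in a rule row; the remaining columns are optional and
    collapse when empty, so we only parse positionally up to Action.
    """
    name = None
    rules = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"ip access-list session (\S+)", line)
        if m:
            name = m.group(1)
            continue
        if line.startswith("Priority") or line.startswith("-"):
            continue  # column header and separator rows
        fields = line.split()
        if len(fields) < 5 or not fields[0].isdigit():
            continue  # not a rule row
        rules.append({
            "priority": int(fields[0]),
            "source": fields[1],
            "destination": fields[2],
            "service": fields[3],
            "action": fields[4],
        })
    rules.sort(key=lambda r: r["priority"])  # lowest priority number is evaluated first
    return name, rules


def first_match(rules, service):
    """Return the first rule that matches the service ('any' matches every service)."""
    for rule in rules:
        if rule["service"] in (service, "any"):
            return rule
    return None


def is_denied(output, service):
    """True if the first matching rule for the service is a deny."""
    _, rules = parse_session_acl(output)
    rule = first_match(rules, service)
    return rule is not None and rule["action"] == "deny"
```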