New Contributor

Unable to Apply access-list to a Virtual interface

Hi Guys,

 

I am new to the Aruba CX platform and I am unable to apply my access-list to my virtual interface as I am currently migrating from a Cisco switch to an Aruba 8400. Can someone assist by providing me with a configuration similar to the sample Cisco configuration below:

 

ip access-list extended ups_in
permit icmp any any echo
permit icmp any any echo-reply
!
ip access-list extended ups_out
permit icmp any any echo
permit icmp any any echo-reply
!
interface Vlan10
ip address 10.1.9.1 255.255.255.0
ip access-group ups_in in
ip access-group ups_out out

 

I would appreciate it if someone can help with a similar configuration for the Aruba CX 8400 platform, thanks.

Aruba Employee

Re: Unable to Apply access-list to a Virtual interface

Hi,

 

The ACL configuration guide below will help you with that:

 

https://techhub.hpe.com/eginfolib/Aruba/OS-CX_10.04/5200-6689/index.html#book.html

 

And the link below shows how you can map an ACL to a specific VLAN:

 

https://techhub.hpe.com/eginfolib/Aruba/OS-CX_10.04/5200-6689/index.html#GUID-2091EDD3-3A07-4AAB-8C87-0DD677DFC7C8.html

 

Switch(config)# access-list ip TEST
Switch(config-acl-ip)# permit icmp any any
Switch(config-acl-ip)# exit


Switch(config)# vlan X
Switch(config-vlan-X)# apply access-list ip TEST
in Inbound (ingress) traffic
Switch(config-vlan-X)# apply access-list ip TEST in

 

Hope it helps

MVP Guru

Re: Unable to Apply access-list to a Virtual interface

Here is what is currently (AOS-CX 10.4) supported regarding applying ACL to interfaces:

 

image.png

And for policy:

image.png

 

So you cannot apply an ACL to an SVI, but you can apply an inbound policy (that would provide the same outcome as an ACL), or use a VLAN inbound ACL as suggested.

Occasional Contributor II

Re: Unable to Apply access-list to a Virtual interface

This has been a big limitation for us since we started migrating to ArubaOS-CX. We had to redesign our whole ACL approach to be able to do a proper migration. I wonder if SVI ACLs are on the roadmap for ArubaOS-CX? I've been patiently waiting for the day I read about this new feature in a release note.


- Daniel Tudares (ACSP)
MVP Guru

Re: Unable to Apply access-list to a Virtual interface

Understood. While this is being raised to product managers, please raise the request to your local Aruba contact so appropriate priority can be set.

Aruba Employee

Re: Unable to Apply access-list to a Virtual interface

Thank you for the feedback everyone, greatly appreciated! Route-only VLAN ACLs applied to the VLAN interface are planned for an upcoming software release on AOS-CX; please reach out to your Aruba account team if you need timeline details.

 

Note, current ACLs applied to VLANs will apply on both routed and switched traffic. 


Scott Koster | Product Line Manager, Core and Data Center Switching
Aruba, a Hewlett Packard Enterprise Company
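
Added example, not part of any post above and not Aruba's own tooling: a hypothetical Python helper, `translate`, that rewrites the Cisco configuration from the first post into the VLAN inbound form shown in the first reply and reports what it could not carry over. The `icmp-type` keyword and the sequence numbering are assumptions to check against the ACL guide for your release; the embedded input is constructed from the post.

```python
import re

# Constructed input: the Cisco configuration quoted in the first post.
CISCO = """\
ip access-list extended ups_in
 permit icmp any any echo
 permit icmp any any echo-reply
!
ip access-list extended ups_out
 permit icmp any any echo
 permit icmp any any echo-reply
!
interface Vlan10
 ip address 10.1.9.1 255.255.255.0
 ip access-group ups_in in
 ip access-group ups_out out
"""

def translate(cisco_cfg):
    """Hypothetical helper: return (aos_cx_lines, warnings) for a Cisco config."""
    acls, binds, warnings = {}, [], []
    acl = vlan = None
    for raw in cisco_cfg.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip access-list extended (\S+)", line):
            acl, vlan = m.group(1), None
            acls[acl] = []
        elif m := re.fullmatch(r"interface Vlan(\d+)", line):
            vlan, acl = m.group(1), None
        elif acl and (m := re.fullmatch(r"(permit|deny) icmp any any( \S+)?", line)):
            # Assumption: AOS-CX names the ICMP type with an "icmp-type" keyword.
            typ = f" icmp-type {m.group(2).strip()}" if m.group(2) else ""
            acls[acl].append(f"{m.group(1)} icmp any any{typ}")
        elif acl and line and line != "!":
            warnings.append(f"{acl}: entry not translated: {line}")
        elif vlan and (m := re.fullmatch(r"ip access-group (\S+) (in|out)", line)):
            binds.append((vlan, m.group(1), m.group(2)))
    out = []
    for name, entries in acls.items():
        out.append(f"access-list ip {name}")
        out += [f"    {10 * (i + 1)} {e}" for i, e in enumerate(entries)]
    for vlan, name, direction in binds:
        if direction == "in":  # the only VLAN form shown in this thread
            out += [f"vlan {vlan}", f"    apply access-list ip {name} in"]
            warnings.append(f"vlan {vlan}: {name} also filters switched traffic")
        else:
            warnings.append(f"vlan {vlan}: {name} ({direction}) has no form shown in this thread")
    return out, warnings
```

The switched-traffic warning reflects the note in the last post: because an ACL ends in an implicit deny, applying an ICMP-only ACL to the VLAN also drops non-ICMP traffic between hosts inside VLAN 10, which the Cisco SVI ACL did not.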