Wired Intelligent Edge


Unable to Apply access-list to a Virtual interface

  • 1.  Unable to Apply access-list to a Virtual interface

    Posted Apr 28, 2020 02:51 PM

    Hi Guys,

     

    I am new to the Aruba CX platform and I am unable to apply my access-list to my virtual interface, as I am currently migrating from a Cisco switch to an Aruba 8400. Can someone assist by providing me a similar configuration to the below sample configuration from Cisco:

     

    ip access-list extended ups_in
     permit icmp any any echo
     permit icmp any any echo-reply
    !
    ip access-list extended ups_out
     permit icmp any any echo
     permit icmp any any echo-reply
    !
    interface Vlan10
     ip address 10.1.9.1 255.255.255.0
     ip access-group ups_in in
     ip access-group ups_out out

     

    I would appreciate it if someone can help with a similar configuration for the Aruba CX 8400 platform, thanks.



  • 2.  RE: Unable to Apply access-list to a Virtual interface

    EMPLOYEE
    Posted Apr 28, 2020 09:39 PM

    Hi,

     

    The ACL configuration guide below will help you with that:

     

    https://techhub.hpe.com/eginfolib/Aruba/OS-CX_10.04/5200-6689/index.html#book.html

     

    And the below shows how you can map an ACL to a specific VLAN:

     

    https://techhub.hpe.com/eginfolib/Aruba/OS-CX_10.04/5200-6689/index.html#GUID-2091EDD3-3A07-4AAB-8C87-0DD677DFC7C8.html

     

    Switch(config)# access-list ip TEST
    Switch(config-acl-ip)# permit icmp any any
    Switch(config-acl-ip)# exit


    Switch(config)# vlan X
    Switch(config-vlan-X)# apply access-list ip TEST
    in Inbound (ingress) traffic
    Switch(config-vlan-X)# apply access-list ip TEST in

     

    Hope it helps



  • 3.  RE: Unable to Apply access-list to a Virtual interface

    EMPLOYEE
    Posted May 04, 2020 04:49 AM

    Here is what is currently (AOS-CX 10.4) supported regarding applying ACL to interfaces:

     

    image.png

    And for policy:

    image.png

     

    So you cannot apply an ACL to an SVI, but you can apply an inbound policy (that would provide the same outcome as an ACL), or use a VLAN inbound ACL as suggested.



  • 4.  RE: Unable to Apply access-list to a Virtual interface

    Posted May 04, 2020 11:21 AM

    This has been a big limitation for us since we started migrating to ArubaOS-CX. We had to redesign our whole ACL approach to be able to do a proper migration. I wonder if SVI ACLs are on the roadmap for ArubaOS-CX? I've been patiently waiting for the day I read about this new feature in a release note.



  • 5.  RE: Unable to Apply access-list to a Virtual interface

    EMPLOYEE
    Posted May 04, 2020 11:26 AM

    Understood. While this is being raised to product managers, please raise the request to your local Aruba contact so appropriate priority can be set.



  • 6.  RE: Unable to Apply access-list to a Virtual interface

    EMPLOYEE
    Posted May 04, 2020 11:37 AM

    Thank you for the feedback everyone, greatly appreciated! Route-only VLAN ACLs applied to the VLAN interface are planned for an upcoming software release on AOS-CX. Please reach out to your Aruba account team if you need timeline details.

     

    Note, current ACLs applied to VLANs will apply on both routed and switched traffic. 
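
An added migration-audit sketch, not part of the thread and not Aruba tooling: it reads the Cisco fragment from the first post, emits the VLAN-level `apply access-list ip ... in` form shown in reply 2, and flags bindings whose behaviour changes according to replies 3 and 6 (AOS-CX 10.4). The function name `audit_svi_acls` and the finding texts are assumptions; ACL entries are counted, not translated.

```python
import re

# Constructed input: the Cisco IOS fragment from the first post, re-indented.
CISCO_CONFIG = """\
ip access-list extended ups_in
 permit icmp any any echo
 permit icmp any any echo-reply
!
ip access-list extended ups_out
 permit icmp any any echo
 permit icmp any any echo-reply
!
interface Vlan10
 ip address 10.1.9.1 255.255.255.0
 ip access-group ups_in in
 ip access-group ups_out out
"""

def audit_svi_acls(config):
    """Return (plan, findings) for SVI ACL bindings in a Cisco IOS config.
    plan: AOS-CX VLAN commands as shown in this thread; findings: review items.
    ACL entries are counted, not translated."""
    acls, plan, findings = {}, [], []
    section = None  # ("acl", name), ("svi", vlan_id) or None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip access-list extended (\S+)", line):
            section = ("acl", m.group(1))
            acls[m.group(1)] = []
        elif m := re.fullmatch(r"interface (\S+)", line):
            svi = re.fullmatch(r"Vlan(\d+)", m.group(1), re.IGNORECASE)
            section = ("svi", svi.group(1)) if svi else None
        elif line in ("", "!"):
            section = None
        elif section and section[0] == "acl":
            acls[section[1]].append(line)
        elif section and section[0] == "svi":
            m = re.fullmatch(r"ip access-group (\S+) (in|out)", line)
            if not m:
                continue  # not an ACL binding (e.g. ip address)
            name, direction = m.groups()
            where = f"Vlan{section[1]} {name} {direction}"
            if direction == "out":
                findings.append(f"{where}: no outbound VLAN ACL shown; redesign")
            else:
                plan += [f"vlan {section[1]}", f"apply access-list ip {name} in"]
                findings.append(f"{where}: VLAN ACL also filters switched "
                                f"traffic; review {len(acls.get(name, []))} entries")
    return plan, findings
```

Support differs by platform and release, so check each finding against the ACL support table for the target switch before acting on it.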



  • 7.  RE: Unable to Apply access-list to a Virtual interface

    Posted Oct 13, 2022 02:46 PM

    I found an updated table here:
    https://www.arubanetworks.com/techdocs/AOS-CX/10.10/PDF/cli_6200.pdf p81

    1. I am using Aruba virtual CX 10.10. Which switch in the table does it belong to?

    Is it 6300, 6400, 832x or 8400?
    tq