VSX AOS 10.03 and ACLs



I'm using a VSX with two 8320s in AOS 10.03 and I want to apply some access-lists on my L3 VLAN interfaces.

I've seen that I couldn't apply it on interface vlan xx but I have to go on the L2 VLAN configuration. But every time I apply one access-list on a VLAN I lose the ping to one of my L3 interfaces:

Example: I've one 8320 with an interface vlan 10, the other 8320 with interface vlan 10 and an active-gateway. I apply my ACL on vlan 10 and I can reach but not nor 3.


interface vlan 10
    ip address
    active-gateway ip mac 00:00:00:00:00:1

access-list ip TEST
    10 permit any x.x.x.x/x x.x.x.x/x

vlan 10
    apply access-list ip TEST in


Do I miss something?


Best Regards,


Re: VSX AOS 10.03 and ACLs

ACLs are not supported on SVIs.

You have 3 alternatives:

- VLAN ACL, as you selected

- Port ACL (might depend on the manageability due to the number of ports)

- Policy (routed-in) on the SVI. Instead of writing an ACL, you write a class with match sequences and the policy will use drop action for the said match corresponding to a deny in the ACL.


To your point about what is missing on VLAN ACL, there is an implicit deny any any any at the end of any ACL. So you have to make sure that the traffic for different IP addresses of the given SVI is permitted before that implicit deny.


Re: VSX AOS 10.03 and ACLs



Thanks for your answer.

But, if I take my ACL and my interface vlan

interface vlan 10
    ip add

Shall I also do?

permit any

vlan 10 apply acl in?

Looks really weird


Thank you

Re: VSX AOS 10.03 and ACLs

Correct. You need to permit any traffic that is expected to be allowed to enter (ingress) the VLAN. It does include traffic between IP addresses of the same L3 subnet shared by both VSX nodes.

I don't see that as weird as this is standard and expected behaviour of a VLAN access-list.
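To make the implicit-deny point concrete, here is an added Python model of first-match VLAN ACL evaluation (it is not from this thread and not AOS-CX code); the addresses, the remote subnet and the entry numbers are constructed assumptions. It evaluates the original single-entry ACL and a version with an explicit intra-subnet permit against a ping between the two nodes' VLAN 10 SVI addresses.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed sample addressing for the VLAN 10 SVI shared by the two VSX nodes
# (hypothetical values, not taken from the thread).
SVI_NODE_A = "10.10.10.2"        # interface vlan 10 on the first 8320
SVI_NODE_B = "10.10.10.3"        # interface vlan 10 on the second 8320
ACTIVE_GW = "10.10.10.1"         # active-gateway ip shared by both nodes
FAR_SUBNET = "192.168.100.0/24"  # remote subnet the original ACL was meant to permit

# Entries mirror the "seq action proto src dst" shape of the posted ACL.
ORIGINAL_ACL = [
    (10, "permit", "any", "10.10.10.0/24", FAR_SUBNET),
]
FIXED_ACL = [
    (10, "permit", "any", "10.10.10.0/24", "10.10.10.0/24"),  # intra-VLAN, incl. SVI-to-SVI
    (20, "permit", "any", "10.10.10.0/24", FAR_SUBNET),
]


def acl_lookup(acl, proto, src, dst) -> Tuple[str, Optional[int]]:
    """First-match evaluation of a VLAN ACL; returns (action, sequence number hit).
    No match falls through to the implicit 'deny any any any', reported as seq None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, eproto, esrc, edst in sorted(acl):
        if eproto not in ("any", proto):
            continue
        if s in ipaddress.ip_network(esrc) and d in ipaddress.ip_network(edst):
            return action, seq
    return "deny", None  # implicit deny at the end of every ACL


def ping_between_svis(acl) -> dict:
    """Ingress check on VLAN 10 for the flows the thread is about."""
    return {
        "A->B": acl_lookup(acl, "icmp", SVI_NODE_A, SVI_NODE_B),
        "B->A": acl_lookup(acl, "icmp", SVI_NODE_B, SVI_NODE_A),
        "A->gw": acl_lookup(acl, "icmp", SVI_NODE_A, ACTIVE_GW),
        "A->far": acl_lookup(acl, "icmp", SVI_NODE_A, "192.168.100.7"),
    }


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name, ping_between_svis(acl))
```

With the original ACL the SVI-to-SVI ping hits the implicit deny while traffic to the far subnet is permitted; the added entry 10 in the fixed ACL is what lets the peer SVI and the active-gateway address reply.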
