Posted on August 10, 2020 7:23 am
 |  Asked by jaxk Panther
RESOLVED

Hi Guys,

Probably a simple question for anyone who knows how ACLs on Arista work.
I tried to configure a simple ACL, but it shows me that the config has been applied but is inactive. See the attachment.

Answered on August 10, 2020 8:15 am

Hi Jaxk,

Thank you for contacting Arista.

From your query, I understand that when you tried applying ACL in ingress direction on int et3,4 and on int vlan 3514 the ACL gets applied only on vlan3514 but not on et3,4.

Could you please confirm if interfaces et3,4 are part of vlan3514 or et3,4 are separate interfaces which are not part of vlan3514?

Also, when I tested this in my lab setup, I could see the ACL getting applied on all three interfaces. Below is a snippet of the same (here interfaces et29,45 are part of vlan123):

switch(conf)#sh ip access-lists summary

IPV4 ACL test1
Total rules configured: 1
Configured on Ingress: Et29,45,Vl123
Active on Ingress: Et29,45,Vl123

Could you please provide us with the tech-support log from the device concerned, so that we can check which platform model it is and the configuration with respect to the rules applied.

show tech-support | no


Thanks,

Bhavana.

Posted by jaxk Panther
Answered on August 11, 2020 1:35 am

Hi Bhavana

I found out that interfaces 3 and 4 were part of a port channel, and it looks like the ACL doesn't work if we don't apply it on the Port-channel. I suppose the switch treats the Port-channel as the physical port and doesn't care about the member ports.

Answered on August 11, 2020 2:33 am

Hi Jaxk,

Yes, you are correct.

If interfaces et3,4 are member interfaces that are part of a port-channel, then the ACL would take effect only if we apply the ACL on the port-channel. Otherwise, if we apply the ACL only on the member interfaces, i.e. on et3,4, then it wouldn't take effect and the ACL would be inactive. This is because the Port-channel configuration overrides the member interfaces' configuration.

Let's say we have applied the 'test1' ACL under member interfaces et3,4 and a different ACL 'test123' under the port-channel; we can see that only ACL test123 would be active and get programmed.

Sample output for the lab test:

interface Ethernet29
switchport mode trunk
channel-group 1000 mode active
ip access-group test1 in

interface Ethernet45
switchport mode trunk
channel-group 1000 mode active
ip access-group test1 in

interface Port-Channel1000
ip address 21.21.21.21/24
ip access-group test123 in

IPV4 ACL test1
Total rules configured: 1
Configured on Ingress: Et29,45 --->ACL configured on et29,45 is inactive.

IPV4 ACL test123
Total rules configured: 1
Configured on Ingress: Po1000
Active on Ingress: Po1000 ----->ACL configured on Po1000 is active.

This is because the Port-channel configuration overrides the member interfaces' configuration.

Thanks,

Bhavana.
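As an added example (not from the thread, Arista or EOS itself), here is a small Python checker that parses the "show ip access-lists summary" output format shown in the answers above together with a running-config excerpt, flags every ACL that is configured on an interface but not active, and points at port-channel membership as the likely cause. The sample outputs and interface names are constructed for the example.

```python
import re
# Constructed samples modelled on the thread's snippets (not captured from a real device).
SUMMARY = """IPV4 ACL test1
Configured on Ingress: Et29,45
IPV4 ACL test123
Configured on Ingress: Po1000
Active on Ingress: Po1000
"""
CONFIG = """interface Ethernet29
   channel-group 1000 mode active
interface Ethernet45
   channel-group 1000 mode active
interface Port-Channel1000
   ip access-group test123 in
"""
def expand_ifaces(spec):
    """Expand EOS short lists such as 'Et29,45,Vl123' into {'Et29', 'Et45', 'Vl123'}."""
    out, prefix = set(), ""
    for tok in spec.split(","):
        if m := re.fullmatch(r"([A-Za-z]*)(\d+)", tok.strip()):
            prefix = m.group(1) or prefix  # a bare number reuses the previous prefix
            out.add(prefix + m.group(2))
    return out

def parse_summary(text):
    """Map each ACL name to its configured and active ingress interface sets."""
    acls, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"IPV[46] ACL (\S+)", line):
            cur = acls.setdefault(m.group(1), {"configured": set(), "active": set()})
        elif (m := re.match(r"(Configured|Active) on Ingress:\s*(\S*)", line)) and cur:
            cur[m.group(1).lower()] |= expand_ifaces(m.group(2))
    return acls

def channel_members(config):
    """Map member ports ('Et29') to their port-channel ('Po1000') from the config."""
    members, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface"):
            m = re.match(r"interface Ethernet(\d+)", line)
            cur = "Et" + m.group(1) if m else None  # only Ethernet ports can be members
        elif (m := re.match(r"\s*channel-group (\d+)", line)) and cur:
            members[cur] = "Po" + m.group(1)
    return members

def inactive_acls(summary, config):
    """Return (acl, interface, hint) for every ACL that is configured but not enforced."""
    members, findings = channel_members(config), []
    for acl, st in parse_summary(summary).items():
        for iface in sorted(st["configured"] - st["active"]):
            hint = (f"member of {members[iface]}; apply the ACL on the port-channel instead"
                    if iface in members else "inactive; check platform support and logs")
            findings.append((acl, iface, hint))
    return findings
```

Running `inactive_acls(SUMMARY, CONFIG)` reports test1 on Et29 and Et45 as configured but not enforced because both are members of Po1000, which is the situation described in the thread.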
