[f-nsp] Extended ACLs and Route Only on FastIron

George B. georgeb at gmail.com
Thu Mar 3 23:24:13 EST 2011


On Thu, Mar 3, 2011 at 2:55 AM, <lausgans at gmail.com> wrote:

> Hello.
> Every time I'm trying to disable "L2 Switching" or enable "Route Only"
> on a global or per-port basis, I'm getting these options disabled again
> after saving to flash and reloading the device (I'm running Base L3 layer
> firmware on FES2404).
>
> I'm interested in these options because I want to apply an extended ACL
> to one of the ports on my device.
>
> I've also found that "ACL filtering based on VLAN membership or VE port
> membership (acl-per-port-per-VLAN)" feature is not supported. Does this
> mean that it's impossible to apply any ACL rule to the port that
> actually is a member of non-default VLAN group?
>

If I understand your question correctly, I think you cannot apply different
layer 3 ACLs to different ports in a vlan if you have a VE as a routing
interface for that vlan.  The acls are applied to the VE and apply to all
ports in that vlan.

If you configure a port as a routing port (assign an IP address to it and it
is either in the default vlan or is the only port in a non-default vlan),
then you can define an acl per port.  So if you have 10 interfaces and want a
different acl for each one, you put each individual port in its own vlan and
configure IP and your access-list on each port.