Layer 2 Port ACLs on Cat 4500

Nov 29th, 2007

IOS 12.2(25)EWA, Config Guide page 33-4: "You cannot apply more than one IP access list and one MAC address list to a layer2 interface."

Does it really mean this, or does it mean one in each direction? If I put an ip access-group XYZ in and an ip access-group ZYX out on a switchport, which one is effective?

I have put both, and I don't seem to be getting any statistics off either, not even on the permit ip any any line.

Kevin Dorrell


lgijssel Thu, 11/29/2007 - 00:34

Hi Kevin,

To my best knowledge it means what you state: one in each direction. Saying this, I must add that it makes little sense to permit certain IPs / MAC addresses in only one direction.

Best practice is to use either an incoming or an outgoing access list.

Using an IP ACL on a layer 2 interface (switchport) does not do anything because the interface does not look at the IP information. This kind of ACL should be used on a VLAN interface or an interface that is not in switchport mode (int xx, no switchport).



Kevin Dorrell Thu, 11/29/2007 - 01:15

Thanks Leo.

Maybe I was working under a misapprehension, but I thought that port ACLs could still filter on IP, even if the port itself was not processing layer 3. After all, it is just a mask line in the ASIC.

As for both in and out ... at the end of this trunk there is a switch in VTP transparent that has a VLAN that is supposed to be isolated. The only way into this VLAN is through an application gateway on a 2-NIC-PC that is also on that switch. But I suspect that the PC is leaking packets between the supposedly-isolated VLAN and the production VLAN. That is why I am trying to block any traffic to and from addresses that should be on that isolated subnet.

Kevin Dorrell


lgijssel Thu, 11/29/2007 - 01:53

Be sure to check for native vlan mismatches regarding this leaking of packets.

Finding the cause of a problem is always better than working around it.


Kevin Dorrell Thu, 11/29/2007 - 02:04


I am fairly sure it is not a native VLAN issue. I keep all my trunks on a dummy native VLAN that is not used anywhere else, so effectively all frames are tagged. Furthermore, only one VLAN is allowed on the uplink to this switch, and that is the one on the production side of the application-gateway-PC.

I am fairly sure it is an issue within the application-gateway-PC itself, and my money would be on that horrible bridge that XP creates by default whenever a PC has more than one NIC. I have already sent the PC support guys to look at it, but I'm not sure they understood the concept. I might have to go and look myself :-(

Kevin Dorrell


Kevin Dorrell Thu, 11/29/2007 - 07:20

== Posting deleted ==

Ooops, I put the ACL on the wrong interface, which is why I wasn't seeing any stats!
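For reference, here is the kind of port ACL the thread is discussing: one IP access list blocking traffic to and from the supposedly isolated subnet, applied inbound on the trunk toward the transparent-mode switch, followed by the commands used to confirm the hit counters are incrementing. This is an added illustration, not configuration from the original posts; the subnet 192.0.2.0/24 and interface GigabitEthernet1/1 are constructed placeholders.

```text
! Constructed example: 192.0.2.0/24 stands in for the isolated subnet
ip access-list extended BLOCK-ISOLATED
 ! drop anything sourced from, or destined to, the isolated subnet
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip any 192.0.2.0 0.0.0.255
 ! everything else passes; this line is where the counters should climb
 permit ip any any
!
! Constructed placeholder: the trunk uplink to the VTP-transparent switch
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip access-group BLOCK-ISOLATED in
!
! Verification: confirm the ACL is bound to the intended port, then watch
! the match counters. Zero matches on "permit ip any any" on a live trunk
! usually means the ACL is on the wrong interface, as in this thread.
show running-config interface GigabitEthernet1/1
show access-lists BLOCK-ISOLATED
```

Clear the counters with `clear access-list counters BLOCK-ISOLATED` before a test so that any matches seen afterwards are unambiguous.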

