Solved: Access Lists on 3750 Switches

paultribe · ‎09-06-2010

Does any one know if it is possible to apply an access list to an access port or a dot1q trunk port - for example to block an IP phone by its MAC address and force it in to SRST mode.

The switch I am using is a 3750 runing 12.2 IPBASE.

I understand this can be done on Cat 6500 switches with VACLs or Port based ACLS but am not sure about 3750s.

Thanks

Paul

Jon Marshall · ‎09-06-2010

paultribe wrote:

Does any one know if it is possible to apply an access list to an access port or a dot1q trunk port - for example to block an IP phone by its MAC address and force it in to SRST mode.

The switch I am using is a 3750 runing 12.2 IPBASE.

I understand this can be done on Cat 6500 switches with VACLs or Port based ACLS but am not sure about 3750s.

Thanks

Paul

3750 switches do indeed support port acls -

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swacl.html#wp1599562

Note that port acls are only supported in the inbound direction.

Jon

View solution in original post

Nagaraja Thanthry · ‎09-07-2010

Hello,

When you are communicating between the VLANs, the destination MAC will be

the default gateway of the source VLAN. When the packet hits the source VLAN

default gateway, after routing is done, the destination VLAN will replace

the MAC portion and puts a new MAC header with source being destination VLAN

default gateway MAC and destination being the actual destination MAC.

Regards,

NT

View solution in original post

Jon Marshall · ‎09-06-2010

paultribe wrote:

Does any one know if it is possible to apply an access list to an access port or a dot1q trunk port - for example to block an IP phone by its MAC address and force it in to SRST mode.

The switch I am using is a 3750 runing 12.2 IPBASE.

I understand this can be done on Cat 6500 switches with VACLs or Port based ACLS but am not sure about 3750s.

Thanks

Paul

3750 switches do indeed support port acls -

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swacl.html#wp1599562

Note that port acls are only supported in the inbound direction.

Jon

paultribe · ‎09-07-2010

Thanks for the information.

I experimeneted with both MAC and IP ACLs and the IP one works but the MAC one does not, this is when blocking a single MAC host to a single MAC host, hoewver the destination host is in another VLAN so I suppose MAC ACLs only work if hosts are in the same VLAN. It didn't really specify in the user guide.

Paul

Nagaraja Thanthry · ‎09-07-2010

Hello,

When you are using MAC acl, then the source/destination need to be in the

same VLAN. If they are on different VLANs, the destination MAC will be

replaced by the MAC of the default gateway. In that case, the MAC acl

becomes useless as the access need to be controlled by the IP ACL at the

default gateway (or even the port level).

Hope this helps.

Regards,

NT

paultribe · ‎09-07-2010

Thats what I thought, although interestingly I did try to block using the MAC address assigned to the destination VLAN and that did not work either.

Nagaraja Thanthry · ‎09-07-2010

Hello,

When you are communicating between the VLANs, the destination MAC will be

the default gateway of the source VLAN. When the packet hits the source VLAN

default gateway, after routing is done, the destination VLAN will replace

the MAC portion and puts a new MAC header with source being destination VLAN

default gateway MAC and destination being the actual destination MAC.

Regards,

NT