Access Lists on 3750 Switches

Answered Question
Sep 6th, 2010

Does anyone know if it is possible to apply an access list to an access port or a dot1q trunk port - for example to block an IP phone by its MAC address and force it into SRST mode.

The switch I am using is a 3750 running 12.2 IPBASE.

I understand this can be done on Cat 6500 switches with VACLs or port-based ACLs but am not sure about 3750s.

Thanks

Paul

Correct Answer
Jon Marshall Mon, 09/06/2010 - 09:37

paultribe wrote:

Does anyone know if it is possible to apply an access list to an access port or a dot1q trunk port - for example to block an IP phone by its MAC address and force it into SRST mode.

The switch I am using is a 3750 running 12.2 IPBASE.

I understand this can be done on Cat 6500 switches with VACLs or port-based ACLs but am not sure about 3750s.

Thanks

Paul

Paul

3750 switches do indeed support port acls -

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swacl.html#wp1599562

Note that port acls are only supported in the inbound direction.

Jon

paultribe Tue, 09/07/2010 - 02:43

Thanks for the information.

I experimented with both MAC and IP ACLs, and the IP one works but the MAC one does not. This is when blocking a single MAC host to a single MAC host; however, the destination host is in another VLAN, so I suppose MAC ACLs only work if hosts are in the same VLAN. It didn't really specify in the user guide.

Paul

Nagaraja Thanthry Tue, 09/07/2010 - 04:50

Hello,

When you are using a MAC ACL, the source/destination need to be in the same VLAN. If they are on different VLANs, the destination MAC will be replaced by the MAC of the default gateway. In that case, the MAC ACL becomes useless, as the access needs to be controlled by the IP ACL at the default gateway (or even at the port level).

Hope this helps.

Regards,

NT

paultribe Tue, 09/07/2010 - 04:58

That's what I thought, although interestingly I did try to block using the MAC address assigned to the destination VLAN and that did not work either.

Correct Answer
Nagaraja Thanthry Tue, 09/07/2010 - 05:03

Hello,

When you are communicating between the VLANs, the destination MAC will be the default gateway of the source VLAN. When the packet hits the source VLAN default gateway, after routing is done, the destination VLAN will replace the MAC portion and put a new MAC header, with the source being the destination VLAN default gateway MAC and the destination being the actual destination MAC.

Regards,

NT
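Putting the thread's conclusion into a configuration: since the phone and its call manager sit in different VLANs, the frame leaving the phone carries the gateway's MAC, so the inbound port ACL has to match on IP addresses instead. The snippet below is an added illustration, not configuration posted by anyone in the thread; the interface name, VLAN numbers and the phone and call manager addresses are placeholders.

```ios
! Added example: inbound IP port ACL on a 3750 access port that cuts one
! phone off from its call manager so it falls back to SRST, while leaving
! all of the phone's other traffic (and every other port) untouched.
! Addresses and interface are placeholders chosen for this illustration.
ip access-list extended BLOCK-PHONE-TO-CUCM
 remark phone 10.1.110.50 (placeholder) must not reach CUCM 10.1.20.10 (placeholder)
 deny   ip host 10.1.110.50 host 10.1.20.10
 permit ip any any
!
interface FastEthernet1/0/5
 description IP phone under SRST fallback test
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! Port ACLs on the 3750 are inbound only (see Jon's note above),
 ! so the filter is placed on the phone's own port.
 ip access-group BLOCK-PHONE-TO-CUCM in
!
! Confirm the ACL contents and that it is attached to the port
show ip access-lists BLOCK-PHONE-TO-CUCM
show running-config interface FastEthernet1/0/5
```

A MAC ACL would only have been an option if the phone and its call manager were in the same VLAN, as Nagaraja explains above; for the cross-VLAN case the IP ACL is the one Paul reports working.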
