Cisco Support Community
New Member

Access Lists on 3750 Switches

Does anyone know if it is possible to apply an access list to an access port or a dot1q trunk port - for example to block an IP phone by its MAC address and force it into SRST mode.

The switch I am using is a 3750 running 12.2 IPBASE.

I understand this can be done on Cat 6500 switches with VACLs or Port based ACLs but am not sure about 3750s.

Thanks

Paul

5 REPLIES
Hall of Fame Super Blue

Re: Access Lists on 3750 Switches

paultribe wrote:

Does anyone know if it is possible to apply an access list to an access port or a dot1q trunk port - for example to block an IP phone by its MAC address and force it into SRST mode.

The switch I am using is a 3750 running 12.2 IPBASE.

I understand this can be done on Cat 6500 switches with VACLs or Port based ACLs but am not sure about 3750s.

Thanks

Paul

Paul

3750 switches do indeed support port ACLs -

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swacl.html#wp1599562

Note that port ACLs are only supported in the inbound direction.

Jon

New Member

Re: Access Lists on 3750 Switches

Thanks for the information.

I experimented with both MAC and IP ACLs and the IP one works but the MAC one does not. This is when blocking a single MAC host to a single MAC host; however, the destination host is in another VLAN, so I suppose MAC ACLs only work if hosts are in the same VLAN. It didn't really specify in the user guide.

Paul

Cisco Employee

Re: Access Lists on 3750 Switches

Hello,

When you are using a MAC ACL, the source and destination need to be in the same VLAN. If they are on different VLANs, the destination MAC will be replaced by the MAC of the default gateway. In that case, the MAC ACL becomes useless, as the access needs to be controlled by the IP ACL at the default gateway (or even the port level).

Hope this helps.

Regards,

NT

New Member

Re: Access Lists on 3750 Switches

That's what I thought, although interestingly I did try to block using the MAC address assigned to the destination VLAN and that did not work either.

Cisco Employee

Re: Access Lists on 3750 Switches

Hello,

When you are communicating between the VLANs, the destination MAC will be the default gateway of the source VLAN. When the packet hits the source VLAN default gateway, after routing is done, the destination VLAN will replace the MAC portion and put a new MAC header with the source being the destination VLAN default gateway MAC and the destination being the actual destination MAC.

Regards,

NT
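
The header rewrite described in the replies above, modelled as an added example that is not part of the original thread and is not Cisco code. It shows which addresses an inbound port ACL on the phone's port actually sees; all MAC and IP addresses, VLAN numbers and rule names are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses (not from the thread).
PHONE_MAC, SERVER_MAC = "0011.2233.4455", "00aa.bbcc.ddee"
GW_VLAN10_MAC, GW_VLAN20_MAC = "0000.0c00.0010", "0000.0c00.0020"
PHONE_IP, SERVER_IP = "10.0.10.5", "10.0.20.9"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

def send_off_subnet(src_mac, gw_mac, src_ip, dst_ip):
    """A host addresses a routed packet to its own VLAN's gateway MAC."""
    return Frame(src_mac, gw_mac, src_ip, dst_ip)

def route(frame, egress_gw_mac, next_hop_mac):
    """Routing keeps the IP header and writes a new MAC header."""
    return replace(frame, src_mac=egress_gw_mac, dst_mac=next_hop_mac)

def denied(frame, rule):
    """True if every field named in a deny rule equals the frame's value."""
    return all(getattr(frame, k) == v for k, v in rule.items())

# Phone in VLAN 10 sends to a server in VLAN 20.
ingress = send_off_subnet(PHONE_MAC, GW_VLAN10_MAC, PHONE_IP, SERVER_IP)
egress = route(ingress, GW_VLAN20_MAC, SERVER_MAC)

# Hypothetical deny rules corresponding to the attempts described in the thread.
RULES = {
    "mac host-to-host": {"src_mac": PHONE_MAC, "dst_mac": SERVER_MAC},
    "mac to VLAN 20 gateway": {"src_mac": PHONE_MAC, "dst_mac": GW_VLAN20_MAC},
    "ip host-to-host": {"src_ip": PHONE_IP, "dst_ip": SERVER_IP},
}

def port_acl_results(frame=ingress):
    """Evaluate each rule against the frame seen inbound on the phone's port."""
    return {name: denied(frame, rule) for name, rule in RULES.items()}

if __name__ == "__main__":
    print("ingress:", ingress)
    print("egress: ", egress)
    for name, hit in port_acl_results().items():
        print(f"{name:24} -> {'deny' if hit else 'no match'}")
```

Only the IP rule matches at the ingress port, because the server's MAC and the VLAN 20 gateway MAC appear only in the frame written after routing.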
