Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Cisco Support Community site will be in read only mode on Dec14, 2017 from 12:01am PST to 11:30am for standard maintenance. Sorry for the inconvenience.

New Member

ACL's on trunk ports?

hi out there

I have been looking a bit on PACL and VACL but I am not sure I am looking at the right technology here. I was trying to figure out if I could apply a ACL so that I only permit a specific protocol to be trunc'et through a trunc between two interfaces. It is a pvlan interface which is only used for net-backup so I would like to ensure that we only have these protocols flowing between the switches. I have a nexus 5020 in the one end and a CAT3750 in the other - can I ensure this through some sort of ACL applied to a trunk interface?

best regards /ti


ACL's on trunk ports?

Well ACLs are typically used on [Inbound|Outbound] parts of interface vlans or interfaces with ip addresses associated with them. I know that you can use a VACL for permit and or deny specific protocols from the same vlan, since you can't use a regular ACL to create this. Is there a backup server that is responsible for backing up certain systems, and are all the other systmes on the same vlan or different vlans?

New Member

Re: ACL's on trunk ports?

hi again

the backup-server is assigned to the host-port (pvlan 550) on the pvlan on another switch (in fact 2-3 switches away) - so to stop traffic from flowing into the traffic-path as close as possibly to the originating system I would see if I could apply a acl only permitting the needed protocols on the trunk interconnecting this switch with the rest - try to see the sketch here below:

client >---------------->switch #1 >--------------------->switch #2 >--------------> switch #3 -------------> backupserver

client (isolated pvlan 551->primary pvlan 550) -> pvlan trunk (is this needed to be defined as pvlan trunk?)

-> ordinary trunk sw2------> ordinary trunk sw3 --------> prim. pvlan 550 host port --> backupserver

best regards /ti

ACL's on trunk ports?

What kind of PVLAN if your backup server on? Is it on a community port, isolated port, or promiscous port? I'm

assumimng you have a promiscous port configured. You could just create an extended access-list specifying the port that you need.

This link may help you out.

I forgot about PACLs, LOL. Been so long since I've configured one of those.

Sounds like, you should be able to configure a PACL, apply it ot the trunk interface on your switch inbound, and

you should be good to go. Of course pay attention to the PACL so you don't block anything you want going out.

CreatePlease to create content