Cisco Support Community
Community Member

IP ACL on L2 port on 3750

Hello All,

I need to make sure that on one trunk port no DHCP requests/responses will pass. In the documentation for the 3750 they say that an extended IP ACL can be assigned to an L2 port as an input ACL, and if the port is a trunk then traffic for all VLANs will be filtered. To prove it I created the following extended IP ACL:

permit udp any eq bootps any

permit ip any any

and I assigned it as ip access-group ACL on L2 trunk port.

However, I cannot see any matches, and the permit ip any any hits are far below the incoming packet counter on that interface. Am I missing something?

Thanks and Regards,



Re: IP ACL on L2 port on 3750


I suspect that the counters are not reliable because most of the processing is being done in the ASIC. I know, for example, that if you put a service policy on an interface and do a show policy-map interface, the counters are rubbish.

I don't know how you would get round this. Perhaps do a service policy with a drop on DHCP class, and then use the QoS accounting tools to view the counters.

Kevin Dorrell


Community Member

Re: IP ACL on L2 port on 3750


Thanks, but I do not really care about the counters. I just need confirmation that assigning an IP ACL to an L2 trunk interface with the right deny (deny udp any eq bootps any eq bootpc) will filter DHCP responses from a server on that port.


Community Member

Re: IP ACL on L2 port on 3750

I've had success blocking NetBIOS like this on Catalyst 2940, 2960, and 3560 switches.

Another option specific to DHCP might be to turn on DHCP snooping and make the specific port untrusted (thus allowing DHCP requests to come from the port, but not DHCP assignments). Hopefully I'm understanding your scenario correctly.
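Putting the two suggestions in this thread together, as an added configuration example that is not from any of the posts: the port ACL with the correct `eq` syntax that the second post asks about, and the DHCP snooping alternative from the third post. The interface names, VLAN IDs and ACL name are assumptions.

```cisco
! --- Option 1: port ACL on the L2 trunk (assumed name BLOCK-DHCP-SERVER) ---
! Drops DHCP server-to-client traffic (UDP 67 -> 68) and server-to-relay
! traffic (UDP 67 -> 67) arriving on the port; client requests still pass.
ip access-list extended BLOCK-DHCP-SERVER
 deny   udp any eq bootps any eq bootpc
 deny   udp any eq bootps any eq bootps
 permit ip any any
!
! Port ACLs on the 3750 are applied inbound only and, on a trunk,
! to every VLAN carried on that trunk.
interface GigabitEthernet1/0/24
 description Trunk where no DHCP server may live (assumed port)
 switchport mode trunk
 ip access-group BLOCK-DHCP-SERVER in
!
! Counter caveat from the thread: hardware-forwarded packets do not
! increment the ACL hit counters, so low counts here do not mean the
! ACL is not filtering.
! show access-lists BLOCK-DHCP-SERVER
!
! --- Option 2: DHCP snooping (assumed VLANs 10 and 20) ---
! Untrusted ports (the default) may send DHCP client messages but any
! DHCPOFFER/DHCPACK from them is dropped; only trusted ports may answer.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet1/0/24
 description Trunk where no DHCP server may live (assumed port)
 no ip dhcp snooping trust
!
interface GigabitEthernet1/0/1
 description Uplink toward the legitimate DHCP server (assumed port)
 ip dhcp snooping trust
!
! Verification: confirm snooping is enabled per VLAN and which ports are
! trusted, then check that clients on the untrusted trunk still get leases.
! show ip dhcp snooping
! show ip dhcp snooping binding
```

With snooping enabled, a rogue server reply on the untrusted trunk is dropped regardless of VLAN, which is the behaviour the original question wants to confirm.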
