Cisco Support Community
Community Member

Port based ACL on access-layer switch

Hi team,

I found something interesting, but there seems to be no official document confirming it.

Here is the simple setup: PC A is connected to port g1/0/15 of a 3750X, PC B is connected to the same switch on a different port, and both ports are access ports belonging to the same VLAN.

interface GigabitEthernet1/0/15
 description to_test_pc
 switchport access vlan 10
 switchport mode access
 ip access-group TEST in

What I wanted to test is putting an ACL called TEST on this port and using it to filter out the TCP 3389 traffic between the two hosts. Notice they are in the same VLAN, and the port-based ACL should still work and be able to look at layer 4 traffic in the inbound direction. As per testing, the RDP session disconnected after applying the ACL, as expected.


PSS-3750(config-ext-nacl)#do show access-list TEST
Extended IP access list TEST
    1 deny tcp host host eq 3389
    2 permit tcp host host eq ftp
    10 permit ip any any (35 matches)


HOWEVER, what I don't understand is why the match/hit counter for ACE 1 never showed a match, even though I initiated traffic many times.

I tested with an extended ACL and a named ACL, with the same result.

Finally, it seems I have to put a log keyword on these ACEs (1 and 2) in order to see those match/hit counters increment, but why?


Thanks for any input!
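As an added example (not from the original post and not Cisco's own code), a small Python parser for `show access-list` output in the shape shown above, pulling the per-ACE match counters into something scriptable for auditing; the host addresses in the sample are constructed placeholders, since the post's output has them stripped.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the same shape as the post's output
# (placeholder host addresses; not real device output).
SAMPLE_OUTPUT = """Extended IP access list TEST
    1 deny tcp host 10.0.10.11 host 10.0.10.12 eq 3389
    2 permit tcp host 10.0.10.11 host 10.0.10.12 eq ftp
    10 permit ip any any (35 matches)
"""

# seq, action, ACE body, and an optional trailing "(N matches)" / "(1 match)"
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<body>.+?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)

@dataclass
class Ace:
    seq: int
    action: str
    body: str
    matches: int  # 0 when IOS prints no counter for the ACE

def parse_access_list(text: str) -> List[Ace]:
    """Parse ACE lines from 'show access-list' text; header lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # e.g. "Extended IP access list TEST" or a blank line
        aces.append(Ace(int(m["seq"]), m["action"], m["body"].strip(),
                        int(m["matches"] or 0)))
    return aces

def deny_aces_without_hits(aces: List[Ace]) -> List[int]:
    """Sequence numbers of deny ACEs whose counter is still zero.
    As the post shows, a zero counter does not prove the ACE never
    matched (it only incremented once 'log' was added), so treat this
    as a prompt to verify the ACE, not as proof it is idle."""
    return [a.seq for a in aces if a.action == "deny" and a.matches == 0]

if __name__ == "__main__":
    parsed = parse_access_list(SAMPLE_OUTPUT)
    for a in parsed:
        print(f"{a.seq:>3} {a.action:<6} {a.body:<45} matches={a.matches}")
    print("deny ACEs with zero hits:", deny_aces_without_hits(parsed))
```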




Community Member

Any input?
