09-06-2010 09:34 AM - edited 03-06-2019 12:51 PM
Does anyone know if it is possible to apply an access list to an access port or a dot1q trunk port - for example to block an IP phone by its MAC address and force it into SRST mode.
The switch I am using is a 3750 running 12.2 IPBASE.
I understand this can be done on Cat 6500 switches with VACLs or port-based ACLs but am not sure about 3750s.
Thanks
Paul
09-06-2010 09:37 AM
paultribe wrote:
Does anyone know if it is possible to apply an access list to an access port or a dot1q trunk port - for example to block an IP phone by its MAC address and force it into SRST mode.
The switch I am using is a 3750 running 12.2 IPBASE.
I understand this can be done on Cat 6500 switches with VACLs or port-based ACLs but am not sure about 3750s.
Thanks
Paul
Paul
3750 switches do indeed support port ACLs -
Note that port ACLs are only supported in the inbound direction.
Jon
09-07-2010 02:43 AM
Thanks for the information.
I experimented with both MAC and IP ACLs and the IP one works but the MAC one does not. This is when blocking a single MAC host to a single MAC host; however, the destination host is in another VLAN, so I suppose MAC ACLs only work if hosts are in the same VLAN. It didn't really specify in the user guide.
Paul
09-07-2010 04:50 AM
Hello,
When you are using a MAC ACL, the source and destination need to be in the
same VLAN. If they are on different VLANs, the destination MAC will be
replaced by the MAC of the default gateway. In that case, the MAC ACL
becomes useless, as the access needs to be controlled by the IP ACL at the
default gateway (or even the port level).
Hope this helps.
Regards,
NT
09-07-2010 04:58 AM
That's what I thought, although interestingly I did try to block using the MAC address assigned to the destination VLAN and that did not work either.
09-07-2010 05:03 AM
Hello,
When you are communicating between the VLANs, the destination MAC will be
the default gateway of the source VLAN. When the packet hits the source VLAN
default gateway, after routing is done, the destination VLAN will replace
the MAC portion and put a new MAC header, with the source being the destination VLAN
default gateway MAC and the destination being the actual destination MAC.
Regards,
NT
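The header rewrite described in this thread, as an added example that is not part of any poster's reply: a small Python model that evaluates candidate deny entries against the frame as it arrives inbound on the phone's port. All MAC and IP addresses are constructed sample values, the function names are hypothetical, and the code models only the layer 2 rewrite at the routing hop, not the switch's ACL engine.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses (not from the thread).
PHONE_MAC, PHONE_IP = "0000.5e00.5301", "192.0.2.10"      # host in source VLAN
SERVER_MAC, SERVER_IP = "0000.5e00.5302", "198.51.100.5"  # host in destination VLAN
GW_SRC_MAC = "0000.5e00.53a1"   # default gateway MAC, source VLAN
GW_DST_MAC = "0000.5e00.53a2"   # default gateway MAC, destination VLAN

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

def frame_at_ingress() -> Frame:
    """Frame as the phone's switch port sees it: traffic for another VLAN
    is addressed at layer 2 to the source VLAN's default gateway."""
    return Frame(PHONE_MAC, GW_SRC_MAC, PHONE_IP, SERVER_IP)

def route(frame: Frame) -> Frame:
    """Routing hop: the IP header is kept, the MAC header is rebuilt with
    the destination VLAN gateway as source and the real host as destination."""
    return replace(frame, src_mac=GW_DST_MAC, dst_mac=SERVER_MAC)

def mac_acl_denies(frame: Frame, src_mac: str, dst_mac: str) -> bool:
    """Hypothetical 'deny host <src> host <dst>' MAC entry."""
    return (frame.src_mac, frame.dst_mac) == (src_mac, dst_mac)

def ip_acl_denies(frame: Frame, src_ip: str, dst_ip: str) -> bool:
    """Hypothetical 'deny ip host <src> host <dst>' IP entry."""
    return (frame.src_ip, frame.dst_ip) == (src_ip, dst_ip)

def inbound_port_results() -> dict:
    """Evaluate each candidate deny entry against the frame at the ingress port."""
    f = frame_at_ingress()
    return {
        "mac: phone -> server": mac_acl_denies(f, PHONE_MAC, SERVER_MAC),
        "mac: phone -> dst-VLAN gateway": mac_acl_denies(f, PHONE_MAC, GW_DST_MAC),
        "mac: phone -> src-VLAN gateway": mac_acl_denies(f, PHONE_MAC, GW_SRC_MAC),
        "ip: phone -> server": ip_acl_denies(f, PHONE_IP, SERVER_IP),
    }

if __name__ == "__main__":
    for entry, hit in inbound_port_results().items():
        print(f"{entry:32} {'deny matches' if hit else 'no match'}")
    print("after routing:", route(frame_at_ingress()))
```

In this model the only MAC pair that matches inbound is phone to source-VLAN gateway, which is the same for every routed destination, so only the IP entry singles out one remote host.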