03-10-2015 09:01 AM - edited 03-07-2019 11:01 PM
I cannot figure out why the ACL is not working on a 3750 running 12.2(55)SE on a trunk port. For testing, there is one IP (10.101.15.13) that should be denied to all VLANs on the trunk. I have tried a standard and an extended list, but neither seems to work.
What am I doing wrong?
Access-List:
Standard IP access list 10
10 deny 10.101.15.13 log
20 permit any log
Access-List Interface:
interface GigabitEthernet7/0/10
 description ESX Trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,60-63
 switchport mode trunk
 ip access-group 10 in
Mac-Address on the Switch Port:
63 0050.569a.6d9f DYNAMIC Gi7/0/10
Windows Machine MAC:
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #4
Physical Address. . . . . . . . . : 00-50-56-9A-6D-9F
Windows Connection (which should be denied):
TCP 10.20.63.4:3389 10.101.15.13:21289 ESTABLISHED InHost
03-17-2015 07:40 AM
bump.
Must be a real nutcracker. No responses.
04-02-2015 07:31 AM
PACLs only apply to an L2 interface. On an L2 interface the only direction that can be applied is INBOUND. On an L3 interface INBOUND or OUTBOUND can be specified.
In any case, I have worked around the issue by applying VACLs. Marking this as resolved.
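The following is an added example of the VACL workaround described above; it is not the original poster's configuration, and the ACL and map names are made up. It shows the difference that matters here: an inbound port ACL on Gi7/0/10 only sees frames entering the switch from the ESX host, whose source address is the VM (10.20.63.4), so a standard ACL denying source 10.101.15.13 never matches on that port. A VLAN map is applied to the VLAN itself and sees the packets in both directions, regardless of which port they arrive on. Two caveats for the 3750: a VLAN map drops anything that matches no clause, so the trailing forward clause is required, and logging is not supported in VLAN maps, so the `log` keyword from ACL 10 should not be carried over into the matched ACL.

```cisco
! Added example, not the original poster's configuration.
! Extended ACL naming the host in both directions so that the VLAN map
! catches packets going to the VMs and replies coming back from them.
! (No "log" keyword: logging is not supported in VLAN maps on this platform.)
ip access-list extended BLOCK-10-101-15-13
 permit ip host 10.101.15.13 any
 permit ip any host 10.101.15.13
!
! VLAN map: a "permit" in the matched ACL means "this packet matches",
! and the map's action decides what happens to it.
vlan access-map DENY-HOST 10
 match ip address BLOCK-10-101-15-13
 action drop
! Final clause with no match statement: without it every other packet
! in the VLAN would be dropped, because a VLAN map has an implicit deny.
vlan access-map DENY-HOST 20
 action forward
!
! Apply to the VLANs carried on the ESX trunk (assumed here: 60-63;
! VLANs 1 and 2 can be added to the list if they should be filtered too).
vlan filter DENY-HOST vlan-list 60-63
!
! Verification:
!   show vlan access-map DENY-HOST
!   show vlan filter
```

If a port ACL is preferred, the same reasoning applies in reverse: since the inbound PACL only inspects traffic arriving from the ESX host, an extended ACL that denies packets with destination 10.101.15.13 (rather than source) would drop the VM side of the RDP session and break it, although the first packet from 10.101.15.13 would still reach the VM.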
04-02-2015 01:23 AM
Maybe it's because your ACL is inbound; it only looks at the traffic coming from that trunk line?