ACL not working on 3750 Switch Stack on a trunk port

Mark Gross
Level 1

I cannot figure out why the ACL is not working on a 3750 running 12.2(55)SE on a trunk port. For testing, there is 1 x IP (10.101.15.13) that should be denied to all VLANs on the trunk. I have tried standard and extended lists, but neither seems to work.

What am I doing wrong?

Access-List:

Standard IP access list 10
    10 deny   10.101.15.13 log
    20 permit any log

Access-List Interface:

interface GigabitEthernet7/0/10
 description ESX Trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,60-63
 switchport mode trunk
 ip access-group 10 in

Mac-Address on the Switch Port:

63    0050.569a.6d9f    DYNAMIC     Gi7/0/10

Windows Machine MAC:

Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #4
Physical Address. . . . . . . . . : 00-50-56-9A-6D-9F

Windows Connection (which should be denied):

 TCP    10.20.63.4:3389        10.101.15.13:21289     ESTABLISHED     InHost

3 Replies

Mark Gross
Level 1

bump.

Must be a real nutcracker. No responses.

PACLs only apply to an L2 interface. On an L2 interface the only direction that can be applied is INBOUND. On an L3 interface INBOUND or OUTBOUND can be specified.

In any case, I have worked around the issue by applying VACLs. Marking this as resolved.
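An inbound port ACL on Gi7/0/10 only inspects frames entering the switch from the ESX host, where the source address is the VM (10.20.63.4), so a standard ACL that denies source 10.101.15.13 never sees a matching packet; a VLAN map filters traffic bridged within the VLAN regardless of which port it entered on. The VACL below is an added example of that workaround, not the poster's actual configuration; the ACL and map names are assumed, and the VLAN list and interface are taken from the question.

```cisco
! Extended ACL that identifies the host in either direction.
! Inside a VLAN map, "permit" means "this packet matches the clause";
! it is the map's action, not the ACL, that decides drop or forward.
ip access-list extended BLOCK-HOST-10-101-15-13
 permit ip host 10.101.15.13 any
 permit ip any host 10.101.15.13
!
! Clause 10 drops anything the ACL above matches; clause 20 forwards
! everything else. Without clause 20, IP packets that match no clause
! would be dropped, because the map contains an IP match clause.
vlan access-map BLOCK-HOST 10
 match ip address BLOCK-HOST-10-101-15-13
 action drop
vlan access-map BLOCK-HOST 20
 action forward
!
! Apply the map to every VLAN carried on the ESX trunk.
vlan filter BLOCK-HOST vlan-list 1,2,60-63
!
! The port ACL from the question can then be removed from the trunk.
interface GigabitEthernet7/0/10
 no ip access-group 10 in
```

Verify with `show vlan access-map` and `show vlan filter`; the existing RDP session from 10.101.15.13 should drop once the map is applied, since both directions of the flow now match clause 10.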

jonasvanraes1
Level 1

Maybe it's because your ACL is inbound, so it only looks at the traffic coming from that trunk line?