
Can ACL block source and dest IP on layer 2 interface?

after1111
Level 1

I want to allow only a few subnets across the trunk link switch.

Can an ACL block source and dest IP on a layer 2 interface? e.g.

int Gi0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 3,4
ip access-group ACL-LIST in
!

OR

Can an ACL only block traffic on a layer 3 interface? e.g.

interface vlan 100
ip add 10.10.10.10 255.0.0.0
ip access-group ACL-LIST in

cheers

1 Accepted Solution

after1111 wrote:

Hi Jon,

3750.

I was told you can't apply an ACL on a layer 2 interface because it only reads frames, not IP. Is this true?

No, it's not true. The 3750 supports normal IP access-lists on L2 ports and L2 trunk ports, the main restriction being that they can only be applied in the inbound direction:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/swacl.html#wp1667255

Jon
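
A worked configuration for the setup discussed above, added here as an example and not part of the original thread: an extended IP ACL applied inbound to the Layer 2 trunk port. The subnets 10.3.0.0/24 and 10.4.0.0/24 are constructed values assumed for VLANs 3 and 4; the ACL name and interface are the ones from the question. An inbound port ACL on a trunk is evaluated against traffic from every VLAN the trunk carries, so the list has to cover all permitted subnets.

```cisco
! Example only. 10.3.0.0/24 (VLAN 3) and 10.4.0.0/24 (VLAN 4) are
! constructed subnets; substitute the subnets you actually want to allow.
ip access-list extended ACL-LIST
 remark traffic between the two permitted subnets
 permit ip 10.3.0.0 0.0.0.255 10.4.0.0 0.0.0.255
 permit ip 10.4.0.0 0.0.0.255 10.3.0.0 0.0.0.255
 remark traffic that stays inside one permitted subnet
 permit ip 10.3.0.0 0.0.0.255 10.3.0.0 0.0.0.255
 permit ip 10.4.0.0 0.0.0.255 10.4.0.0 0.0.0.255
 remark everything else is dropped (explicit form of the implicit deny)
 deny ip any any
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 3,4
 ! Port ACLs on the 3750 are accepted in the inbound direction only
 ip access-group ACL-LIST in
!
! Check what was applied:
!   show access-lists ACL-LIST
!   show running-config interface GigabitEthernet0/1
```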

3 Replies

Jon Marshall
Hall of Fame

Which switch?

Jon

Hi Jon,

3750.

I was told you can't apply an ACL on a layer 2 interface because it only reads frames, not IP. Is this true?
