Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1243
Views
0
Helpful
2
Replies

Port ACL filters voice and data Vlan !!?

mohammed hashim
Level 1
Level 1

‎09-27-2016 09:35 AM - edited ‎03-08-2019 07:35 AM

hi,

Cisco Document says:

When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs

can someone please give me an example of this?

I did not find any good example or topology explain this

thanks,

Labels:
0 Helpful
2 Replies 2

Austin Sabio
Level 4
Level 4

‎09-27-2016 02:54 PM

  • Port ACLs are similar to Router ACLs but are supported on physical interfaces and configured on Layer 2 interfaces on a switch. Port ACL supports only inbound traffic filtering. Port ACL can be configured as three type access lists: standard, extended, and MAC-extended.

  • Processing of the Port ACL is similar to that of the Router ACLs; the switch examines ACLs associated with features configured on a given interface and permits or denies packet forwarding based on packet-matching criteria in the ACL.

  • When applied to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When applied to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.

  • The main benefit with Port ACL is that it can filter IP traffic (using IP access lists) and non-IP traffic (using MAC access list). Both types of filtering can be achieved—that is, a Layer 2 interface can have both an IP access list and a MAC access list applied to it at the same time.

  • NOTE Port ACLs are not supported on EtherChannel interfaces.

Switch(config)# interface vlan 20

Switch(config-if)# description data_vlan

Switch(config-if)# ip address 192.168.20.1 255.255.255.0

Switch(config)# interface vlan 120

Switch(config-if)# description voip_vlan

Switch(config-if)# ip address 192.168.120.1 255.255.255.0

Switch(config)# ip access-list extended NO-ICMP

Switch(config-ext-nacl)# deny icmp host 192.168.50.1 any

Switch(config-ext-nacl)# permit ip any any

switch(config)# interface gigabitEthernet 1/0/1

switch(config-if)# switchport mode access

switch(config-if)# switchport access vlan 20 ---------------(workstation)

switch(config-if)# switchport voice vlan 120 ---------------(voip_phone)

Switch(config-if)# ip access-group NO-ICMP in

This means host 192.168.50.1 will be denied from reaching both clients workstation+voip_phone (data and voice) that are connected to interface Gi1/0/1 by NO-ICMP ACL. NO-ICMP ACL is applied on int Gi1/0/1 for both traffics ---data and voice. 

For complete review see: https://www.youtube.com/watch?v=YsSmx9TsH7Y

Please rate, if helpful.

Thank you.

0 Helpful

mohammed hashim
Level 1
Level 1
In response to Austin Sabio

‎09-29-2016 11:20 AM

hi, thanks for reply.

but usually the IP phone has different IP than the Computer, when you filter IP 192.168.50.1 inbound, it only will filter that IP,

means if 192.168.50.1 was the PC IP, then the phone could have 192.168.50.2

this is what I understood from your configuration,

also the video on youtube does not cover this as I saw the topology explanation part 

0 Helpful
Customers Also Viewed These Support Documents