Hi team,
I found something interesting, but there seems to be no official document to confirm it.
Here is the simple setup: PC A is connected to port g1/0/15 of a 3750X, PC B is connected to the same switch but to a different port, and both ports are access ports in the same VLAN.
interface GigabitEthernet1/0/15
description to_test_pc
switchport access vlan 10
switchport mode access
ip access-group TEST in
What I wanted to test is putting an ACL TEST under this port and using it to filter out the TCP 3389 traffic between the two hosts; notice they are in the same VLAN. As per http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swacl.html#wp1689553, the port-based ACL should work and is supposed to be able to look at layer 4 traffic in the inbound direction. As per testing, the RDP session disconnected after applying the ACL, as expected.
PSS-3750(config-ext-nacl)#do show access-list TEST
Extended IP access list TEST
1 deny tcp host 10.33.238.201 host 10.33.238.189 eq 3389
2 permit tcp host 10.33.238.201 host 10.33.238.189 eq ftp
10 permit ip any any (35 matches)
HOWEVER, what I don't understand is why the match/hit count for ACE 1 never showed a match, even though I tried to initiate traffic many times.
I tested with an extended ACL and a named ACL, same result.
Finally, it seems I have to put a log keyword behind these ACEs (1 and 2) in order to see those match/hit counters increment, but why?
Thanks for any input!
Regards
Xie
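Added example (not from the post or from Cisco): a Python model of the ACL's first-match evaluation, fed the show access-list output above, which confirms that RDP from 10.33.238.201 to 10.33.238.189 is decided by ACE 1 while keeping the printed hit counter separate from that decision. The port-name table and the implicit-deny fallback are the model's own assumptions about IOS behaviour.

```python
import re

# The ACL exactly as shown in the post's "show access-list TEST" output.
SHOW_ACCESS_LIST = """\
Extended IP access list TEST
1 deny tcp host 10.33.238.201 host 10.33.238.189 eq 3389
2 permit tcp host 10.33.238.201 host 10.33.238.189 eq ftp
10 permit ip any any (35 matches)
"""
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80}  # names IOS prints instead of numbers (assumed subset)
ACE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>host\s+\S+|any)\s+(?P<dst>host\s+\S+|any)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?:\s+\((?P<matches>\d+)\s+matches\))?\s*$"
)

def parse_acl(text):
    """Turn show-output lines into ACE dicts; the header and other lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        port, hits = m.group("port"), m.group("matches")
        aces.append({
            "seq": int(m.group("seq")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": m.group("src").split()[-1],  # "host X" -> "X", "any" stays "any"
            "dst": m.group("dst").split()[-1],
            # "eq" after the destination address is a destination-port test
            "dport": None if port is None else int(port) if port.isdigit() else PORT_NAMES[port],
            # hit counter as printed; None when IOS shows no "(N matches)" on that ACE
            "matches": None if hits is None else int(hits),
        })
    return aces

def _addr_match(pattern, addr):
    return pattern == "any" or pattern == addr

def evaluate(aces, src, dst, proto, dport):
    """First-match evaluation: (action, seq) of the deciding ACE, or the implicit deny."""
    for ace in aces:
        proto_ok = ace["proto"] in ("ip", proto)
        addr_ok = _addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)
        port_ok = ace["dport"] is None or ace["dport"] == dport
        if proto_ok and addr_ok and port_ok:
            return ace["action"], ace["seq"]
    return "deny", None  # implicit deny at the end of every IOS ACL (assumed)
```

Evaluating the reverse direction shows the RDP return traffic landing on ACE 10, the only ACE whose counter moved in the posted output.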