ACLs on Cisco Trunk Link

By kidica ·
I am trying to figure out how ACLs applied on a Trunk port work.

We have a Core switch that is doing Inter VLAN routing, and behind that switch are numerous other regular switches. The core switch holds the routing table. This is a very basic configuration.


We applied an ACL on Switch1 going to Switch2 to allow only certain VLANs to pass through.

We tested this concept and apparently it works. My question is, how is that possible as Switch1 is only a regular Cisco switch with no routing enabled on it? The ports are being trunked.

(periods are used for space)

This conversation is currently closed to new comments.

13 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Answers

Collapse -

What does that acl

by NetMan1958 In reply to ACLs on Cisco Trunk Link

look like? I usually restrict vlans on a trunk with the "switchport trunk allowed vlan" configuration command.

Collapse -

Access list on Switch2

by kidica In reply to What does that acl

No, unfortunately we cannot do "switchport trunk allowed vlan" because we cannot restrict all the users on the vlan.

More information: we have a very flat network with no routing protocol. All the switches under the core switch are running RPVST.

Extended IP access list BLACKOUT
10 permit ip any
20 permit ip any
30 permit ip any
40 deny ip any any

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
ip access-group BLACKOUT in

Collapse -


by NetMan1958 In reply to Access list on Switch2

In your original post you said you applied the acl on switch1 but this post shows it on switch2. Which switch(s) are the acls applied to? Also, are any of the layer 2 switches eunning the EI (enhanced) image?
The enhanced images do support a subset of the layer 3 functions.

Collapse -

Switch2 has the ACL applied on its trunk interface

by kidica In reply to Clarification

As for enhanced image??? how do i found out? I know all the switches have routing capability, but only the CoreSwitch1 is doing the packet switching.

Collapse -

Enhanced Image

by NetMan1958 In reply to Switch2 has the ACL appli ...

To check which image a switch is running:
SW2950#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA6, RELEASE SOFTWARE
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 21-Oct-05 01:59 by yenanh
Image text-base: 0x80010000, data-base: 0x80568000

ROM: Bootstrap program is C2950 boot loader

SW2950 uptime is 2 weeks, 3 days, 16 hours, 35 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-22.EA6.bin"

cisco WS-C2950-12 (RC32300) processor (revision R0) with 21013K bytes of memory.
Processor board ID FOC1004Z8X6
Last reset from system-reset
Running Standard Image

As you can see by the last line above, this switch is running the standard image, if it was running the enhanced image it would state that.

Collapse -

It's Not Enhanced

by kidica In reply to Enhanced Image

It's not enhanced. but that shouldn't matter whether or not it is. Unless I'm wrong.

Collapse -


by NetMan1958 In reply to Access list on Switch2

I just took another look at that access list and noticed something. Is this the intent of the acl?
(1) allow all traffic from the subnet
(2) allow traffic from host only
(3) allow traffic from host only
(4) deny all other traffic

If so, is it working?
The reason I ask is because of the wildcard mask in the 2 lines:
20 permit ip any
30 permit ip any
Those 2 lines both have an "all ones" wildcard mask. In a wildcard mask the ones are the "I don't care" bits so technically both of thos lines should allow all traffic.

Collapse -

Yes, the ACL is working

by kidica In reply to Question

I didn't copy our ACL word by word but that is the intent.
(1) allow all traffic from the subnet
(2) allow traffic from host only
(3) allow traffic from host only
(4) deny all other traffic

What I am getting at is the CoreSwitch should be the only one doing the routing or inter-vlan routing while the regular switches should just be passing along the frames. How is it possible that when I applied the ACL on the trunk interface of Switch2 that the ACL works. Basically switches should not be able to work with ACLs when using IP's unless they are commited to routing.

Collapse -

Maybe this will explain it

by NetMan1958 In reply to Yes, the ACL is working

Lower end layer 2 switches don't support acls but some of the higher-end switches such as Cisco do. On a layer 2 switch they are "port acls" and can only be applied to the inbound packets. See this article:

Collapse -

Answered by NetMan1958 - thx

by kidica In reply to Maybe this will explain i ...

Although illogical from what I have learned about layer 2 switches. Oh well...

Port ACL
Port ACLs are similar to Router ACLs but are supported on physical interfaces and configured on Layer 2 interfaces on a switch. Port ACL supports only inbound traffic filtering. Port ACL can be configured as three type access lists: standard, extended, and MAC-extended.

Processing of the Port ACL is similar to that of the Router ACLs; the switch examines ACLs associated with features configured on a given interface and permits or denies packet forwarding based on packet-matching criteria in the ACL.

When applied to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When applied to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.

The main benefit with Port ACL is that it can filter IP traffic (using IP access lists) and non-IP traffic (using MAC access list). Both types of filtering can be achieved?that is, a Layer 2 interface can have both an IP access list and a MAC access list applied to it at the same time.


Port ACLs are not supported on EtherChannel interfaces.

Back to Networks Forum
13 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums