After a nice vacation, here I come again with a new post, this time about several ACL types that are supported on 3560 and 3750 series switches. As you will see, each type has its own features and restrictions. This post is the first part covering Port ACLs and Router ACLs.

Have a look at this overview:

ACLs Supported on 3560 & 3750 Switches

As you can see in the above chart, there are 3 types of ACLs supported on these switches:

  • Port ACLs
  • Router ACLs
  • VLAN ACLs (VLAN Maps)

Let's take them one by one.

1. Port ACLs

Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch.
They are supported only on physical interfaces (not on EtherChannel interfaces) and can be applied only in the inbound direction.

  • If you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs carried by that trunk.
  • If you apply a port ACL to a port with a voice VLAN, the ACL filters traffic on both the data and the voice VLAN.

Here is how you can use them:

Numbered Standard IP ACL (ACL numbers 1-99, 1300-1999)

(config)# access-list 5 deny host 192.168.1.1
(config)# access-list 5 permit any

Numbered Extended IP ACL (ACL numbers 100-199, 2000-2699)

(config)# access-list 105 deny tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet
(config)# access-list 105 deny udp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
(config)# access-list 105 permit ip any any

Named Standard and Extended ACLs

(config)# ip access-list standard Stnd_ACL
(config-std-nacl)# permit 192.168.1.1
(config)# ip access-list extended Extd_ACL
(config-ext-nacl)# deny tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet
(config-ext-nacl)# deny udp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
(config-ext-nacl)# permit ip any any

Named MAC Extended ACLs

As for non-IPv4 traffic, this can be filtered either with a VLAN map (VLAN ACLs - see part II) or with a Port ACL applied to the Layer 2 interface using a named MAC extended ACL.
The procedure is similar to that for configuring other named extended ACLs.
  • You cannot apply named MAC extended ACLs to Layer 3 interfaces.
  • You cannot use the mac access-group command on EtherChannel ports.

(config)# mac access-list extended ACL_MAC
(config-ext-macl)# permit any host 00c0.00a0.03fa netbios
(config-ext-macl)# deny any any 0x4321 0

(config)# interface gigabitethernet1/0/2
(config-if)# mac access-group ACL_MAC in

2. Router ACLs

There is not much more to say about Router ACLs: look at the section above and you will see how to create standard or extended, numbered or named ACLs.

The important differences that you need to remember are:

Router ACLs (vs. Port ACLs):
  • control traffic that is routed between VLANs (SVIs) or Layer 3 interfaces
  • may be applied in both directions (inbound and outbound)
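Putting the two sections together, here is an added example (not from the original post) that binds the same extended ACL from above first as a Port ACL on Layer 2 ports and then as a Router ACL on an SVI. Interface numbers, VLAN IDs and SVI addresses are assumed.

```cisco
! Added example, not from the original post. Assumed: Gi1/0/24 is a trunk,
! Gi1/0/2 is an access port with a voice VLAN, Vlan20 is the SVI for 172.16.1.0/24.
ip access-list extended Extd_ACL
 deny   tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet
 deny   udp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip any any
!
! Port ACL on a trunk: Layer 2 interface, inbound only.
! It filters frames arriving on every VLAN carried by the trunk.
interface GigabitEthernet1/0/24
 switchport mode trunk
 ip access-group Extd_ACL in
!
! Port ACL on an access port with a voice VLAN: the ACL is evaluated for
! traffic in both the data VLAN (10) and the voice VLAN (30).
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 30
 ip access-group Extd_ACL in
!
! Router ACL on an SVI: only traffic routed through the SVI is checked,
! so two hosts inside VLAN 20 talking to each other are never filtered here.
! Unlike a Port ACL, the outbound direction is allowed on a Layer 3 interface.
interface Vlan20
 ip address 172.16.1.254 255.255.255.0
 ip access-group Extd_ACL out
!
! "ip access-group Extd_ACL out" is rejected on a switchport such as Gi1/0/2;
! the same ACL object is nevertheless shared by both kinds of interface.
end
```

Verify the bindings with `show ip interface Vlan20` (reports the inbound and outgoing access lists) and `show running-config interface GigabitEthernet1/0/24`.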

The last section, VLAN ACLs, will be discussed in the next post: ACLs Supported on 3560 & 3750 Switches - Part II (VLAN Maps)