How To Configure Switch Port ACLs
ACLs can also be used to control traffic on VLANs. Switch port ACLs (port ACLs) can only be applied to Layer 2 interfaces, and only in the inbound direction. Be aware of two consequences of this: if you apply a port ACL to a trunk port, it filters traffic on every VLAN carried by that trunk, and if you apply one to a port with a voice VLAN, it filters traffic on both the data VLAN and the voice VLAN. The switch examines the ACLs associated with the features configured on a given interface and either permits or denies forwarding of each packet based on the criteria in the entries of the ACL. With switch port ACLs you can filter IP traffic by using IP access lists and non-IP traffic by using MAC access lists, which match on MAC addresses.
We use the topology below as a sample. Follow along as we configure SW1 with ACLs to permit PC A to access Server A and to deny PC B access to the same network.
SW1(config)#mac access-list extended orbit123
SW1(config-ext-macl)#deny any host 000e.53ac.9b72
SW1(config-ext-macl)#permit any any
SW1(config-ext-macl)#exit
SW1(config)#interface fa0/3
SW1(config-if)#mac access-group orbit123 in

Looking at the configuration commands above, you can see that we created an extended named access list, which is the only kind of MAC access list available. The entry "deny any host 000e.53ac.9b72" drops frames from any source to the destination MAC address 000e.53ac.9b72. The "permit any any" entry that follows is needed because every access list ends with an implicit deny; without it the list would also drop PC A's frames, not just PC B's. After creating the access list, we applied it inbound on an interface (fa0/3) with the mac access-group command. Note that this is done in interface configuration mode, not global configuration mode. Otherwise it works much like an IP access list, except that your command statements start with mac.

Verify your configuration

Use the show access-lists command to verify your configuration.

SW1#show access-lists
Extended MAC access list orbit123
    deny   any host 000e.53ac.9b72
    permit any any
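As an added example (not taken from the original page), here is the complete configuration a practitioner would end up with for this scenario, including the IP side that the MAC list alone does not cover, since the page's division of labor is IP traffic via IP access lists and non-IP traffic via MAC access lists. It assumes (none of these values are stated in the original) that fa0/3 is PC B's port, that 000e.53ac.9b72 is Server A's MAC address, and that Server A's IPv4 address is 192.168.1.100; the IP list name block-servera is also made up here.

```cisco
! Added example, not from the original page. Assumptions (not in the
! original): fa0/3 connects PC B, 000e.53ac.9b72 is Server A's MAC address,
! and Server A's IPv4 address is 192.168.1.100.
!
! 1. MAC port ACL for non-IP traffic: drop frames to Server A's MAC, then
!    explicitly permit everything else (every ACL ends in an implicit deny).
SW1(config)#mac access-list extended orbit123
SW1(config-ext-macl)#deny any host 000e.53ac.9b72
SW1(config-ext-macl)#permit any any
SW1(config-ext-macl)#exit
!
! 2. IP port ACL for IP traffic: MAC access lists are the tool for non-IP
!    traffic, so PC B's IP packets to Server A need an IP access list on the
!    same port. Again finish with an explicit permit.
SW1(config)#ip access-list extended block-servera
SW1(config-ext-nacl)#deny ip any host 192.168.1.100
SW1(config-ext-nacl)#permit ip any any
SW1(config-ext-nacl)#exit
!
! 3. Apply both lists inbound on PC B's access port. Port ACLs are inbound
!    only; binding them here rather than on Server A's port or on a trunk
!    keeps PC A's traffic (and every VLAN on a trunk) unaffected.
SW1(config)#interface fastEthernet 0/3
SW1(config-if)#mac access-group orbit123 in
SW1(config-if)#ip access-group block-servera in
SW1(config-if)#end
!
! 4. Verify: the lists exist with their entries in the intended order and
!    are bound to fa0/3, not to some other interface.
SW1#show access-lists
SW1#show mac access-group interface fastEthernet 0/3
SW1#show running-config interface fastEthernet 0/3
```

The last check is behavioral rather than configuration: a ping from PC B to Server A should fail and a ping from PC A to Server A should succeed, because PC A's port carries no ACL. If PC B can still reach Server A over IP with only the MAC list applied, that is the expected symptom of filtering IP traffic with a MAC access list, and the IP port ACL above is the fix.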