02-09-2006 11:56 PM - edited 03-03-2019 01:46 AM
Hi there,
I have a cluster of 4 2950 switches.
Let's call them switch1-switch4.
Suppose I have a server with IP address 10.0.0.1 hanging on switch 4. Switch 1 is my command switch.
I want to set up an access-list to only allow access to this server 10.0.0.1 from a proxy 192.168.1.1 which is located on another LAN. I don't want to set up an access-list on the router, but rather I want to set it up on the switches, so that users on the 10.0.0.0 LAN cannot access it directly.
I know this is a weird scenario but can someone give me general information and some example of what my commands on the switch should look like.
Thanks,
George
02-10-2006 12:16 AM
Although the 2950 is a layer 2 switch there are several possibilities to use IP access-lists. Please check the attached chapter of the configuration guide for more details.
Hope this solves your question.
Regards,
Leo
02-12-2006 09:32 AM
Hi,
There may be a better way of doing it, to fit your specific scenario, but I can't think of any others. You can use ACLs on the 2950 on a per L2 interface basis but only inbound. Something like...
ip access-list extended DENY_HOSTS
permit ip host 192.168.1.1 host 10.0.0.1
deny ip any host 10.0.0.1
permit ip any any
int g0/0
ip access-group DENY_HOSTS in
HTH
E.
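To see how the ACL above is evaluated, here is an added example (not from this thread or from Cisco) that parses the posted entries and applies IOS first-match semantics, including the implicit deny at the end of every ACL. It goes a bit beyond the post by also accepting the address/wildcard-mask form; the platform restriction (EI vs SI image) is not modelled.

```python
import ipaddress
from typing import List, Tuple

# Constructed input: the extended ACL from the post above, as text.
ACL_TEXT = """
ip access-list extended DENY_HOSTS
 permit ip host 192.168.1.1 host 10.0.0.1
 deny ip any host 10.0.0.1
 permit ip any any
"""

def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # address + wildcard mask: invert the wildcard to get a normal subnet mask
    addr, wild = tokens[i], ipaddress.ip_address(tokens[i + 1])
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(wild))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2

def parse_acl(text: str):
    """Return (action, src_net, dst_net) entries in the order they were written."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] in ("ip", "remark"):  # skip the header and remark lines
            continue
        action = t[0]                           # 'permit' or 'deny'; t[1] is the protocol 'ip'
        src, i = _parse_addr(t, 2)
        dst, _ = _parse_addr(t, i)
        entries.append((action, src, dst))
    return entries

def evaluate(entries, src: str, dst: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit 'deny ip any any' at the end of every IOS ACL

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(evaluate(acl, "192.168.1.1", "10.0.0.1"))  # proxy reaches the server
    print(evaluate(acl, "10.0.0.55", "10.0.0.1"))    # local host is blocked
```

Swapping the first two entries would deny the proxy as well, which is why the specific permit has to come before the broader deny.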
02-13-2006 01:28 AM
Ok.
I have read a bit about ACLs on switches. It mentions that I can only apply ACLs on physical interfaces if I have the EI image. I only have the SI image so I guess I'm stuck with ACLs for management interfaces.
So I have to apply the ACL on VLAN1.
I have a cluster of 4 switches.
If I apply the ACL on switch3 for example on VLAN1, will it take effect on all other switches as they are part of the same VLAN?
Please shed some light on this.
Thanks,
George
02-13-2006 12:51 PM
I'm afraid you are out of luck there.
Quote from CCO
"You can create ACLs for physical interfaces or management interfaces. A management interface is defined as a management VLAN or any traffic that is going directly to the CPU, such as SNMP, Telnet, or web traffic. You can create ACLs for management interfaces with the standard software image (SI) or the enhanced software image (EI) installed on your switch. However, you must have the EI installed on your switch to apply ACLs to physical interfaces."
And to be complete you can also apply ACLs to terminal lines such as vty 0 4.
The switch is not using the management interface to route traffic; as the name says it is only for management, and the ACL only applies to traffic to and from the CPU, depending on which direction the ACL is applied.
I don't think you can achieve your requirement with this image. You either need to upgrade or use a L-3 device to segment your LAN and apply your filtering policies.
E.