ACL on Cat 2924

slytell
Level 1

All responses are welcomed!

I have a Cat 2924 with a basic configuration running Version 12.0(5.1)XP. I am trying to limit access to our payroll server. Only the default VLAN is configured. After applying the following ACL, PCs other than the ones listed in the permit statements were able to ping the server. Can anyone explain what I am doing wrong or give me some direction to look for a correct configuration?

access-list 101 remark Limits access to the Payroll server
access-list 101 permit ip host 172.16.1.179 host 172.16.1.35
access-list 101 permit ip host 172.16.1.169 host 172.16.1.35
access-list 101 permit ip host 172.16.1.130 host 172.16.1.35
access-list 101 permit ip host 172.16.1.180 host 172.16.1.35
access-list 101 permit ip host 172.16.1.172 host 172.16.1.35
access-list 101 permit ip host 172.16.1.145 host 172.16.1.35
access-list 101 permit ip host 172.16.1.171 host 172.16.1.35
access-list 101 permit ip host 172.16.1.29 host 172.16.1.35
access-list 101 deny ip any host 172.16.1.35
access-list 101 permit ip any any
!
int vlan 1
 ip access-group 101 in
!

Thanks in advance for any and all responses!

Steve

4 Replies

Prashanth Krishnappa
Cisco Employee

Access-lists are not supported on the XL series switches. The CLI might accept the commands, but they will not work.

Thank you for your quick response! I guess that's why it didn't work...but does not explain my missing hair. :-)

Steve

Hi,

to be exact:

Access lists DO work on Cat2924.

But you can assign them only to the virtual MANAGEMENT INTERFACE (int VLAN1, e.g.).

So you can limit the access to the switch management interface and allow only your management station to telnet to it, e.g.

BUT you can't limit access from a device inside VLAN1 to another device based on IP addresses. This is an L3 functionality not provided by Cat2924.

Regards,

Milan
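To separate the two questions in this thread (is the ACL itself right, and does the platform enforce it), here is an added Python example, not from the thread or from Cisco, that evaluates the posted ACL in first-match order with the implicit trailing deny. It shows the entries would permit only the listed hosts to reach 172.16.1.35 and deny everyone else, so the pings that got through are the platform limitation Milan describes rather than a fault in the list. The parser also handles wildcard-mask entries, which the posted ACL does not use, and assumes contiguous wildcard masks.

```python
import ipaddress

# The ACL from the question, reproduced verbatim as the sample input.
POSTED_ACL = """
access-list 101 remark Limits access to the Payroll server
access-list 101 permit ip host 172.16.1.179 host 172.16.1.35
access-list 101 permit ip host 172.16.1.169 host 172.16.1.35
access-list 101 permit ip host 172.16.1.130 host 172.16.1.35
access-list 101 permit ip host 172.16.1.180 host 172.16.1.35
access-list 101 permit ip host 172.16.1.172 host 172.16.1.35
access-list 101 permit ip host 172.16.1.145 host 172.16.1.35
access-list 101 permit ip host 172.16.1.171 host 172.16.1.35
access-list 101 permit ip host 172.16.1.29 host 172.16.1.35
access-list 101 deny ip any host 172.16.1.35
access-list 101 permit ip any any
"""

def _parse_addr(tokens, i):
    """Consume one address spec: 'host X', 'any', or 'X WILDCARD'. Returns (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard is the inverse of a netmask; this assumes a contiguous mask (simplification).
    addr = int(ipaddress.ip_address(tokens[i]))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefix_len = 32 - wildcard.bit_length()
    return ipaddress.ip_network((addr & ~wildcard & 0xFFFFFFFF, prefix_len)), i + 2

def parse_acl(text):
    """Turn numbered extended-ACL lines into (action, src_net, dst_net) entries; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        if t[3] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append((t[2], src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"
```

Run `evaluate(parse_acl(POSTED_ACL), "172.16.1.50", "172.16.1.35")` to see an unlisted PC denied by the list's logic; the same check with a listed source returns "permit".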

eschwartz
Level 1

If you don't want to allow for pings, you must implicitly deny ICMP packets...