08-16-2004 09:41 AM - edited 03-02-2019 05:47 PM
Hi, can somebody help me out here?
I'm trying to apply an access list to a 2950G switch. I have compiled the access list and added it to the device, but if I apply it to an individual interface it doesn't work. If I apply it to the trunk port that connects the switch to the rest of the network, it works just the way it's supposed to. Anybody got any ideas? I'd appreciate it.
Sonny
08-16-2004 12:36 PM
Are you aware of the fact that it can only be applied to incoming traffic on an interface?
Could you tell us what software version you are running?
What are you trying to do, and what does the configured access-list look like?
RGZ
Tom
08-16-2004 02:00 PM
Yeah, I already have it on the port; here is the config.
interface FastEthernet0/22
description external access
switchport trunk native vlan 5
switchport mode trunk
no ip address
ip access-group 101 in
duplex full
speed 100
I'm trying to lock out the unnecessary ports that I won't be using. This is what the access-list looks like, but it's only a test so that I know it's working before I bring it online.
Extended IP access list 101
deny tcp any any eq www
deny tcp any any eq 8080
permit tcp any any eq domain
permit tcp any any eq 67
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq ftp
permit tcp any any eq telnet
permit tcp any any eq 22
permit tcp any any eq 1433
permit tcp any any eq 22222
permit tcp any any eq 64256
permit udp any any eq 1433
permit ip any any
Once I know that it's working then I can configure it to what I need for it to be practical.
This is the version on the switch:
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh
Image text-base: 0x80010000, data-base: 0x805A8000
ROM: Bootstrap program is CALHOUN boot loader
Sonny_testing uptime is 1 week, 2 days, 23 hours, 46 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-13.EA1.bin"
cisco WS-C2950G-24-EI (RC32300) processor (revision G0) with 20839K bytes of memory.
Processor board ID FHK0728X15E
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0D:65:56:42:40
Motherboard assembly number: 73-7280-05
Power supply part number: 34-0965-01
Motherboard serial number: FOC07281E9R
Power supply serial number: DAB072788SK
Model revision number: G0
Motherboard revision number: A0
Model number: WS-C2950G-24-EI
System serial number: FHK0728X15E
Configuration register is 0xF
08-16-2004 07:45 PM
Hi,
I have seen the config and it is fine and should work. Can you please explain how you came to the conclusion that it doesn't work on access ports? What traffic didn't it stop?
For testing, kindly make a new ACL that denies everything, apply it on a port, and check whether you are able to pass any data then.
Regards
Aashish C
08-17-2004 06:44 AM
I had tried that before on the same port with a default any any, and it locks up the port and no data was able to pass. When I removed the access list from the port, service stabilized.
So as you can guess I'm kinda stumped.
Thanks, Sonny
08-17-2004 10:22 AM
Since a 2950G is a layer-2 switch, why don't you apply a VLAN ACL instead of trying to apply it on a trunk port? VACLs will apply your access rules across the entire VLAN (on that switch), not just a single port.
!--- Create ACL
ip access-list extended ACL
permit tcp any any established
permit tcp any any eq 80
permit tcp any any eq 1433
deny ip any any log
!--- Map the ACL to an action (forward)
vlan access-map ACL_MAP
match ip address ACL
action forward
!--- Apply the VLAN Map to a VLAN
vlan filter ACL_MAP vlan-list 10
Also, note that with VACLs, there is no inbound/outbound parameter. Traffic entering the VLAN will be subject to the VACL, therefore a direction is not necessary.
-Tanner
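Both ACLs in this thread (Sonny's access-list 101 above and the ACL in Tanner's VACL example) are evaluated top-down, first match wins, with an implicit deny at the end. The following evaluator is an added example, not code from the thread or from Cisco: it parses the posted lines (source and destination are assumed to be "any any", as in both lists; the `log` keyword is skipped because it only affects logging, not the decision) and reports which line a constructed packet hits. It is a model of the ACL logic only; a VACL's direction-less, whole-VLAN behaviour and the access-map's forward/drop action are not simulated.

```python
"""Added example (not part of the thread): a first-match evaluator for the
IOS-style extended ACL lines posted above, used to check which packets
Sonny's access-list 101 and Tanner's VACL ACL actually permit or deny."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords that appear in the posted ACLs, mapped to numbers
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "pop3": 110,
              "ftp": 21, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: int = 0             # destination port (0 for non-TCP/UDP)
    established: bool = False  # TCP segment with ACK or RST set


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    dport: Optional[int]       # None means "any port"
    established: bool          # match only established TCP
    text: str                  # original line, for reporting


def parse_acl(text: str) -> List[Entry]:
    """Parse 'permit|deny <proto> any any [eq <port>] [established] [log]'.
    Source/destination are fixed to 'any any' here (an assumption that holds
    for both posted ACLs); header lines and unknown keywords are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # e.g. 'Extended IP access list 101'
        action, proto = tok[0], tok[1]
        dport, established = None, False
        rest = tok[4:]  # everything after 'any any'
        i = 0
        while i < len(rest):
            if rest[i] == "eq":
                v = rest[i + 1]
                dport = PORT_NAMES[v] if v in PORT_NAMES else int(v)
                i += 2
            elif rest[i] == "established":
                established = True
                i += 1
            else:
                i += 1  # 'log' and anything else not modelled
        entries.append(Entry(action, proto, dport, established, line.strip()))
    return entries


def first_match(entries: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """Return (decision, matching line). IOS stops at the first matching
    entry; a packet that matches nothing hits the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not pkt.established:
            continue
        return e.action, e.text
    return "deny", "<implicit deny ip any any>"


def decide(acl_text: str, pkt: Packet) -> str:
    return first_match(parse_acl(acl_text), pkt)[0]


# Sonny's test ACL, copied from the post above
ACL_101 = """
deny tcp any any eq www
deny tcp any any eq 8080
permit tcp any any eq domain
permit tcp any any eq 67
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq ftp
permit tcp any any eq telnet
permit tcp any any eq 22
permit tcp any any eq 1433
permit tcp any any eq 22222
permit tcp any any eq 64256
permit udp any any eq 1433
permit ip any any
"""

# The ACL from Tanner's VACL example
VACL_ACL = """
permit tcp any any established
permit tcp any any eq 80
permit tcp any any eq 1433
deny ip any any log
"""

if __name__ == "__main__":
    # constructed sample traffic, not captured from the thread's network
    for pkt in (Packet("tcp", 80), Packet("tcp", 3389), Packet("udp", 53),
                Packet("tcp", 443), Packet("tcp", 443, established=True)):
        print(pkt, "| ACL 101:", first_match(parse_acl(ACL_101), pkt),
              "| VACL ACL:", first_match(parse_acl(VACL_ACL), pkt))
```

Running it shows the difference between the two lists: with `permit ip any any` as its last line, access-list 101 only ever denies TCP 80 and 8080 and permits everything else (RDP, all UDP, ICMP), so the ten explicit `permit` lines before it never change a decision; Tanner's list is the reverse, permitting only return traffic and two services and dropping the rest. Note also that `permit tcp any any eq 67` in list 101 matches nothing useful, since DHCP/BOOTP runs over UDP, not TCP.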
08-17-2004 12:25 PM
Thanks for the help, Tanner.
But I have a few questions. Where do you apply the map? Is it a global command, or is it applied in the vlan database? I tried it in both places but it wasn't a recognized command. Also, could the IOS version have anything to do with it?
The main reason I'm applying the ACL is in case I need to restrict a certain user on one port. The ACL worked when I put it on the trunk port, but ideally I want to be able to place it on individual ports instead of the main trunk.
By the way, if this is a duplicate, sorry; I sent the first one a while ago but the page displayed an error, so I resent the info because I need to get this out of my hair.
Thanks, Sonny
08-17-2004 04:53 PM
The VACL is created in global config.
The VLAN Access-map has a special submenu (switch(config-access-map)#).
The VLAN Filter is applied in global config.
It could be your IOS doesn't support it (You need at least 12.1(11)AX). Perhaps this feature isn't available with 2950's? If not, sorry for the wild goose chase!
Here's a link to the VLAN Map command and what IOS it was introduced with:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2970/12114ea1/2970cr/cli3.htm#1906378
08-17-2004 05:17 PM
Alright Tanner, I guess my version doesn't support the command. I looked for it but nothing was there, but thanks anyway.
Sonny
08-17-2004 06:09 PM
Hi Sonny,
VACLs are not supported on 2950s and lower switches. It works on 3550 and above switches.
Thanks
Aashish C
08-17-2004 06:30 PM
OK... that takes me back to square one. Thanks though, at least I can look in another direction.
Sonny