just can't understand why!!!!!

sonny_spoon
Level 1

Hi, can somebody help me out here?

I'm trying to apply an access list to a 2950G switch. I have compiled the access list and added it to the device, but if I apply it to the individual interface it doesn't work. If I apply it to the trunk port that connects the switch to the rest of the network it works just the way it's supposed to. Anybody got any Ideas? I'd appreciate it.

Sonny


Tsasbrink
Level 1

Are you aware of the fact that it can only be applied to incoming traffic on an interface?

Could you tell us what software version you are running?

What are you trying to do, and what does the configured access list look like?

RGZ

Tom

Yeah, I already have it on the port. Here is the config:

interface FastEthernet0/22
description external access
switchport trunk native vlan 5
switchport mode trunk
no ip address
ip access-group 101 in
duplex full
speed 100

I'm trying to lock out the unnecessary ports that I won't be using. This is what the access list looks like, but it's only a test so that I know it's working before I bring it online.

Extended IP access list 101
deny tcp any any eq www
deny tcp any any eq 8080
permit tcp any any eq domain
permit tcp any any eq 67
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq ftp
permit tcp any any eq telnet
permit tcp any any eq 22
permit tcp any any eq 1433
permit tcp any any eq 22222
permit tcp any any eq 64256
permit udp any any eq 1433
permit ip any any

Once I know that it's working, then I can configure it to what I need for it to be practical.

This is the version on the switch:

Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh
Image text-base: 0x80010000, data-base: 0x805A8000

ROM: Bootstrap program is CALHOUN boot loader

Sonny_testing uptime is 1 week, 2 days, 23 hours, 46 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-13.EA1.bin"

cisco WS-C2950G-24-EI (RC32300) processor (revision G0) with 20839K bytes of memory.
Processor board ID FHK0728X15E
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0D:65:56:42:40
Motherboard assembly number: 73-7280-05
Power supply part number: 34-0965-01
Motherboard serial number: FOC07281E9R
Power supply serial number: DAB072788SK
Model revision number: G0
Motherboard revision number: A0
Model number: WS-C2950G-24-EI
System serial number: FHK0728X15E
Configuration register is 0xF

aashish.c
Level 4

Hi,

I have seen the config and it is fine and should work. Can you please explain how you came to the conclusion that it doesn't work on access ports? What traffic didn't it stop?

For testing, kindly make a new ACL that denies everything, apply it on a port, and check whether you are able to pass any data then.

Regards

Aashish C

I had tried that before on the same port with a default any any, and it locks up the port and no data was able to pass. When I removed the access list from the port, service stabilized.

So as you can guess I'm kinda stumped.

Thanks Sonny

Since a 2950G is a layer-2 switch, why don't you apply a VLAN ACL instead of trying to apply it on a trunk port? VACLs will apply your access rules across the entire VLAN (on that switch), not just a single port.

!--- Create ACL
ip access-list extended ACL
permit tcp any any established
permit tcp any any eq 80
permit tcp any any eq 1433
deny ip any any log

!--- Map the ACL to an action (forward)
vlan access-map ACL_MAP
match ip address ACL
action forward

!--- Apply the VLAN Map to a VLAN
vlan filter ACL_MAP vlan-list 10

Also, note that with VACLs, there is no inbound/outbound parameter. Traffic entering the VLAN will be subject to the VACL, therefore a direction is not necessary.

-Tanner
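An added example, not code from this thread or from Cisco: a small Python evaluator that applies IOS first-match semantics (first matching entry wins, implicit deny at the end) to the entries posted above, both Sonny's ACL 101 and Tanner's VACL access list, so you can see which flows each one permits or denies before putting it on a port. The hosts 10.0.0.5 and 192.0.2.10 are constructed sample addresses, the port-name table covers only the keywords used in this thread, and `vlan_map_forwards` models just the single "match ip address ACL / action forward" clause shown.

```python
"""First-match evaluator for Cisco-style extended IP ACL entries (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Keyword port names IOS accepts after "eq" (only those used in this thread,
# plus ssh/bootps); numeric ports are accepted directly.
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "pop3": 110, "ftp": 21,
              "telnet": 23, "ssh": 22, "bootps": 67}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "tcp", or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None   # "eq" port after the source, if given
    dport: Optional[int] = None   # "eq" port after the destination, if given
    established: bool = False     # TCP "established" keyword (ACK or RST set)


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D', or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are hostmasks; ipaddress accepts them in tuple form
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1])), i + 2


def _opt_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> list:
    """Parse 'permit|deny proto src [eq p] dst [eq p] [established] [log]' lines."""
    aces = []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # skip blanks, "!" comments and the "Extended IP access list" banner
        src, i = _addr(t, 2)
        sport, i = _opt_port(t, i)
        dst, i = _addr(t, i)
        dport, i = _opt_port(t, i)
        aces.append(Ace(t[0], t[1], src, dst, sport, dport, "established" in t[i:]))
    return aces


def evaluate(acl, proto, src, dst, sport=None, dport=None, established=False):
    """Return (action, entry_number) for one flow; first match wins."""
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ipaddress.IPv4Address(src) not in ace.src or ipaddress.IPv4Address(dst) not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.established and not established:
            continue
        return ace.action, n
    return "deny", None  # nothing matched: the implicit deny at the end of every IOS ACL


def vlan_map_forwards(acl, **flow) -> bool:
    """VACL clause 'match ip address ACL / action forward': traffic the ACL permits
    is forwarded, everything else is dropped; there is no in/out direction."""
    return evaluate(acl, **flow)[0] == "permit"


# ACL 101 exactly as Sonny posted it (the banner line is ignored by the parser)
ACL_101 = parse_acl("""
Extended IP access list 101
deny tcp any any eq www
deny tcp any any eq 8080
permit tcp any any eq domain
permit tcp any any eq 67
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq ftp
permit tcp any any eq telnet
permit tcp any any eq 22
permit tcp any any eq 1433
permit tcp any any eq 22222
permit tcp any any eq 64256
permit udp any any eq 1433
permit ip any any
""")

# The ACL from Tanner's VACL example
VACL_ACL = parse_acl("""
permit tcp any any established
permit tcp any any eq 80
permit tcp any any eq 1433
deny ip any any log
""")

if __name__ == "__main__":
    # constructed sample flows: client 10.0.0.5 talking to server 192.0.2.10
    for proto, dport in (("tcp", 80), ("tcp", 8080), ("tcp", 22), ("udp", 53)):
        print(proto, dport, evaluate(ACL_101, proto, "10.0.0.5", "192.0.2.10", 40000, dport))
    print("deny-all test ACL:", evaluate(parse_acl("deny ip any any"), "tcp", "10.0.0.5", "192.0.2.10", 40000, 22))
    print("VACL new SMTP session:", vlan_map_forwards(VACL_ACL, proto="tcp", src="10.0.0.5",
                                                       dst="192.0.2.10", sport=40000, dport=25))
```

Running it shows that ACL 101 as posted denies only TCP 80 and 8080 and lets every other flow through its last entry, while an ACL with no matching permit falls through to the implicit deny, which is what a deny-everything test ACL does to all traffic on a port. For the VACL, only return traffic with the ACK/RST bit set and new sessions to ports 80 and 1433 are forwarded; a fresh SMTP connection is dropped.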

Thanks for the help, Tanner.

But I have a few questions. Where do you apply the map? Is it a global command, or is it applied in the VLAN database? I tried it in both places, but it wasn't a recognized command. Also, could the IOS version have anything to do with it?

The main reason I'm applying the ACL is in case I need to restrict a certain user on one port. The ACL worked when I put it on the trunk port, but ideally I want to be able to place it on individual ports instead of the main trunk.

By the way, if this is a duplicate, sorry; I sent the first one a while ago but the page displayed an error, so I resent the info because I need to get this out of my hair.

Thanks, Sonny

The VACL is created in global config.

The VLAN access-map has a special submenu (switch(config-access-map)#).

The VLAN Filter is applied in global config.

It could be that your IOS doesn't support it (you need at least 12.1(11)AX). Perhaps this feature isn't available on 2950s? If not, sorry for the wild goose chase!

Here's a link to the VLAN Map command and what IOS it was introduced with:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2970/12114ea1/2970cr/cli3.htm#1906378

Aight Tanner, guess my version doesn't support the command. I looked for it but nothing was there, but thanks anyway.

Sonny

Hi Sonny,

VACLs are not supported on 2950s and lower switches. They work on 3550 and above switches.

Thanks

Aashish C

OK... that takes me back to square one. Thanks though, at least I can look in another direction.

Sonny