05-07-2005 01:46 AM - edited 03-02-2019 10:41 PM
What is the following command good for?
switchport mode access
Do I have to execute it on every interface that is a member of a VLAN to enable filtering through an ACL that is applied to the VLAN?
05-07-2005 02:46 AM
By the way, my switch is a Catalyst 2950.
05-07-2005 04:17 AM
It has nothing to do with ACL filtering. All this command does is make a port an access port, meaning it turns off trunking capabilities.
05-07-2005 04:34 AM
OK,
So why doesn't my ACL work?
I have created a standard ACL and applied it to interface vlan1 of the switch. But it doesn't do any filtering. Do I have to do something else, except creating an ACL and applying it to interface vlan1, to filter all incoming traffic to my switch?
The switch has an EI (Enhanced Image) installed
05-07-2005 04:56 AM
Hello,
can you post your configuration, including the access list?
Regards,
GP
05-07-2005 05:06 AM
OK
This is my switch configuration
Current configuration : 3727 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname switch1
!
enable secret xxx
enable password xxx
!
ip subnet-zero
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
no ip address
!
interface FastEthernet0/2
no ip address
.
.
.
!
interface FastEthernet0/47
no ip address
!
interface FastEthernet0/48
switchport mode access
no ip address
!
interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/2
no ip address
!
interface Vlan1
ip address 192.168.100.13 255.255.255.0
ip access-group 1 in
!
ip http server
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 196.38.151.0 0.0.0.255
access-list 1 permit host 222.x.x.58
access-list 1 permit host 222.x.x.59
access-list 1 permit host 222.x.x.81
access-list 1 permit host 222.x.x.145
access-list 1 permit host 222.x.x.147
access-list 1 permit host 222.x.x.148
access-list 1 permit host 222.x.x.168
access-list 1 permit host 222.x.x.242
access-list 1 permit host 222.x.x.9
access-list 1 permit host 222.x.x.144
access-list 1 permit host 222.x.x.218
access-list 1 permit host 222.x.x.225
snmp-server engineID local xxx
snmp-server community public RO
!
line con 0
line vty 0 4
password xxx
login
line vty 5 15
password 7xxx
login
!
end
05-07-2005 05:11 AM
One more point:
I'm a beginner in working with Cisco switches, so it's possible for me to forget simple and obvious points.
Kind regards
Bijan
05-07-2005 05:29 AM
Hello Bijan,
AFAIK, access lists applied to the management interface, which is VLAN 1 by default, have the following restrictions:
If you apply ACLs to a management interface, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.
So in order for your access list to work, you either have to apply it to another VLAN, or change the management VLAN to something different from VLAN 1...
Regards,
GP
05-07-2005 05:36 AM
Thank you GP,
Let me check. If it doesn't work, then I will talk with you again.
Best Regards,
Bijan
05-09-2005 01:09 AM
Hi,
AFAIK, you have to apply an ACL to a physical interface, if you want to filter user traffic.
See http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea2/2950scg/swacl.htm#wp1092483
Regards,
Milan
05-09-2005 09:11 PM
Thank you Milan for your help,
But the first paragraph of the text whose link you sent me mentions that ACLs can be applied to management interfaces.
What happens if I remove IP from vlan 1 and fix it on another vlan and then apply ACL to the vlan 1?
I know that if I remove IP address from vlan 1 it won't be a management interface anymore.
05-09-2005 11:47 PM
Once more:
You can't apply an ACL to VLAN1.
You can only apply it to "int VLAN 1", which is a confusing name for the Cisco switch virtual management interface (L3).
If you remove the IP address from int vlan 1 and make another int VLAN x the management interface, int VLAN 1 will be down and an ACL applied to it will have no effect.
There is no way to apply an ACL on all ports in VLAN 1; you have to apply an ACL on physical interfaces if you want to filter user traffic.
Regards,
Milan
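An added configuration example (not from any post in this thread) showing what Milan describes on a 2950 with the EI: the standard ACL on the management SVI only filters traffic destined to the switch CPU, and the same ACL must be applied inbound on each physical port to filter user traffic. The port numbers, the use of the interface range command and the address list are assumed for illustration.

```cisco
! Added example, not taken from the thread. Ports and addresses are assumed.
! Standard ACL: list the trusted sources; anything not permitted hits the implicit deny.
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
!
! On the management SVI this ACL filters only packets intended for the switch CPU
! (Telnet, SNMP, HTTP to 192.168.100.13). Frames switched between ports are untouched.
interface Vlan1
 ip address 192.168.100.13 255.255.255.0
 ip access-group 1 in
!
! To filter user traffic, apply the ACL inbound on the physical Layer 2 port(s).
! On the 2950 port ACLs are supported in the inbound direction only.
interface FastEthernet0/48
 switchport mode access
 ip access-group 1 in
!
! Repeat on every port whose ingress traffic must be filtered (range is an assumption
! that the IOS image supports "interface range").
interface range FastEthernet0/1 - 47
 switchport mode access
 ip access-group 1 in
!
! Verification:
!   show access-lists 1
!   show running-config interface FastEthernet0/48
```

Each port ACL only filters frames entering that port, so a host that plugs into a port without the ACL is not filtered at all; checking the running configuration of every port is the way to confirm coverage.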
05-10-2005 01:19 AM
I'm completely confused.
You mean that when we enter "interface vlan1" it's different from "interface vlan 1"?
If it is, do I have to create VLAN 1, or is it present by default?
05-10-2005 01:50 AM
No,
what I'm saying is:
There is a difference between VLAN1 and "int VLAN1".
int VLAN1 is a virtual L3 interface used for switch management.
You can create another int VLANx and use it as the management interface, but int VLAN1 is the default one.
See http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea2/2950cr/cli1.htm#wp1021813
for details.
Regards,
Milan
05-10-2005 02:24 AM
So,
If I want to filter all inbound traffic to my switch on all of the switch interfaces, what must I do?
Regards
Bijan