Switchport mode access command

bijan.kianifard
Level 1

What is the following command good for?

switchport mode access

Do I have to execute it on every interface that is a member of a VLAN to enable filtering through an ACL that is applied to the VLAN?

15 Replies

bijan.kianifard
Level 1

By the way, my switch is a Catalyst 2950.

Prashanth Krishnappa
Cisco Employee

It has nothing to do with ACL filtering. All this command does is make a port an access port, meaning it turns off trunking capabilities.

OK,

So why doesn't my ACL work?

I have created a standard ACL and applied it to interface vlan1 of the switch, but it doesn't do any filtering. Do I have to do something else, apart from creating an ACL and applying it to interface vlan1, to filter all incoming traffic to my switch?

The switch has an EI (Enhanced Image) installed.

Hello,

can you post your configuration, including the access list?

Regards,

GP

OK,

This is my switch configuration:

Current configuration : 3727 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname switch1
!
enable secret xxx
enable password xxx
!
ip subnet-zero
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/2
 no ip address
.
.
.
!
interface FastEthernet0/47
 no ip address
!
interface FastEthernet0/48
 switchport mode access
 no ip address
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 ip address 192.168.100.13 255.255.255.0
 ip access-group 1 in
!
ip http server
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 196.38.151.0 0.0.0.255
access-list 1 permit host 222.x.x.58
access-list 1 permit host 222.x.x.59
access-list 1 permit host 222.x.x.81
access-list 1 permit host 222.x.x.145
access-list 1 permit host 222.x.x.147
access-list 1 permit host 222.x.x.148
access-list 1 permit host 222.x.x.168
access-list 1 permit host 222.x.x.242
access-list 1 permit host 222.x.x.9
access-list 1 permit host 222.x.x.144
access-list 1 permit host 222.x.x.218
access-list 1 permit host 222.x.x.225
snmp-server engineID local xxx
snmp-server community public RO
!
line con 0
line vty 0 4
 password xxx
 login
line vty 5 15
 password 7xxx
 login
!
end

One more point:

I'm a beginner at working with Cisco switches, so it's possible for me to forget simple and obvious points.

Kind regards

Bijan

Hello Bijan,

AFAIK, access lists applied to the management interface, which is VLAN 1 by default, have the following restrictions:

If you apply ACLs to a management interface, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.

So in order for your access list to work, you either have to apply it to another VLAN, or change the management VLAN to something different from VLAN 1...

Regards,

GP

Thank you GP,

Let me check. If it doesn't work, I will talk with you again.

Best Regards,

Bijan

Hi,

AFAIK, you have to apply an ACL to a physical interface, if you want to filter user traffic.

See http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea2/2950scg/swacl.htm#wp1092483

Regards,

Milan

Thank you Milan for your help,

But the first paragraph of the text you sent me the link to mentions that ACLs can be applied to management interfaces.

What happens if I remove the IP address from VLAN 1, configure it on another VLAN, and then apply the ACL to VLAN 1?

I know that if I remove the IP address from VLAN 1, it won't be a management interface anymore.

Once more:

You can't apply an ACL to VLAN1.

You can only apply it to "int VLAN 1", which is a confusing name for the Cisco switch's virtual management interface (L3).

If you remove the IP address from int VLAN 1 and make another int VLAN x the management interface, int VLAN 1 will be down and an ACL applied on it will have no effect.

There is no way to apply an ACL on all ports in VLAN 1; you have to apply an ACL on physical interfaces if you want to filter user traffic.

Regards,

Milan
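To make the distinction in Milan's post concrete, here is an added configuration example. It is not from the original thread and not Cisco documentation; it reuses access-list 1 exactly as posted above and assumes a Catalyst 2950 running the EI feature set (as the poster states), a release that accepts `interface range`, Fa0/1-48 as user ports and Gi0/1 as the uplink.

```cisco
! Added example, not from the original thread. Assumptions: Catalyst 2950 with
! the EI feature set, a release that accepts "interface range", Fa0/1-48 are
! user ports and Gi0/1 is the uplink.
!
! 1. The ACL on the SVI only filters packets destined to the switch CPU
!    (Telnet, SNMP, HTTP to 192.168.100.13). Keeping it there still restricts
!    who may manage the switch, so it is worth leaving in place.
interface Vlan1
 ip address 192.168.100.13 255.255.255.0
 ip access-group 1 in
!
! 2. Transit (user) traffic is filtered only by ACLs on physical ports, and on
!    the 2950 only in the inbound direction. A standard ACL matches on source
!    address only and ends with an implicit "deny any", so a host whose source
!    is not in access-list 1 is dropped at the port it is plugged into.
!    "switchport mode access" is unrelated to filtering; it is kept here only
!    to match the original configuration of Fa0/48.
interface range FastEthernet0/1 - 48
 switchport mode access
 ip access-group 1 in
!
! 3. Do not apply the same list to the uplink (Gi0/1 in this example): frames
!    arriving there carry sources from the whole network and the implicit
!    "deny any" would drop everything not in the list. If the uplink must be
!    filtered as well, give it its own list with the sources it really sees.
!
! Verify where the list is bound:
!   show ip interface Vlan1                        -> "Inbound access list is 1"
!   show running-config interface FastEthernet0/1  -> "ip access-group 1 in"
!   show access-lists 1
```

The point to keep in mind is that a standard ACL permitting a handful of sources is a whitelist: on a user port it blocks every other host on that port, so confirm that the listed networks cover all legitimate hosts before pushing it to the whole range.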

I'm completely confused.

You mean that when we enter "interface vlan1" it's different from "interface vlan 1"?

If it is, do I have to create VLAN 1, or is it present by default?

No,

what I'm saying is:

There is a difference between VLAN1 and "int VLAN1".

int VLAN1 is a virtual L3 interface used for switch management.

You can create another int VLANx and use it as the management interface, but int VLAN1 is the default one.

See http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea2/2950cr/cli1.htm#wp1021813

for details.

Regards,

Milan

So,

If I want to filter all inbound traffic to my switch on all of the switch's interfaces, what must I do?

Regards

Bijan
