08-01-2007 02:57 PM - edited 03-05-2019 05:38 PM
As an example, what I'm trying to accomplish is to prevent two hosts on the same subnet from pinging each other. I prefer to use VACL due to hardware filtering performance and the ability to ACL L2 (same subnet) and L3 traffic but the 2950 doesn't appear to support VACL. As an alternative I'm looking into using port ACL applied to chosen switch ports to mimic the L2 ACL capability of VACL.
2950-48 (standard image) 10/100 access switch
VLAN 1 192.168.1.0/24
host1 192.168.1.32
host2 192.168.1.33
access-list 100 remark block ICMP between any two hosts inside 192.168.1.0/24
access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
!
interface FastEthernet0/1
 description host1
 ip access-group 100 in
!
interface FastEthernet0/2
 description host2
 ip access-group 100 in
end
My question is of scalability of using port ACL. If I apply this to the majority of the 48 ports on a 2950-48 how will it affect forwarding performance and if it's software or hardware processed? Keep in mind ACL could be extended to restrict other traffic. Is there anything else I should be concerned with? Thank you in advance.
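To make the filtering behaviour of the posted ACL concrete, here is an added example (not part of the original post or any Cisco code) that models IOS first-match ACL evaluation with wildcard masks and the implicit deny at the end of every ACL, then runs it over a handful of constructed flows for host1/host2 from the configuration above. The gateway address 192.168.1.1, the external address 8.8.8.8 and the flow names are assumptions for illustration; the model covers only which IP packets an ACL entry matches, not how or where the 2950 processes the ACL.

```python
"""Model of the posted port ACL (IOS wildcard-mask, first-match semantics).

Added example, not from the original thread or from Cisco. It evaluates IP
packets only, exactly as an IP ACL does; non-IP frames such as ARP are not
seen by an IP ACL and are not modelled here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    proto: str     # "ip" matches every IP protocol; otherwise "icmp", "tcp", "udp"
    src: str       # network address, e.g. "192.168.1.0"
    src_wild: str  # IOS wildcard: 0 bits must match, 1 bits are don't-care
    dst: str
    dst_wild: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard semantics: every bit that is 0 in `wild` must be equal."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
    return (proto_ok
            and wildcard_match(pkt.src, ace.src, ace.src_wild)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wild))


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; an ACL always ends in an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def parse_ace(line: str) -> Ace:
    """Parse the numbered-ACL form used in the post:
    access-list <n> <action> <proto> <src> <wild> <dst> <wild>
    with the IOS shorthands 'any' (0.0.0.0 255.255.255.255) and 'host A'."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = toks[2], toks[3]
    rest = toks[4:]

    def take():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return "0.0.0.0", "255.255.255.255"
        if rest[0] == "host":
            host, rest = rest[1], rest[2:]
            return host, "0.0.0.0"
        net, wild, rest = rest[0], rest[1], rest[2:]
        return net, wild

    src, src_wild = take()
    dst, dst_wild = take()
    return Ace(action, proto, src, src_wild, dst, dst_wild)


# The ACL exactly as posted in the thread.
ACL_100 = [
    parse_ace("access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255"),
    parse_ace("access-list 100 permit ip any any"),
]

# Constructed sample flows (gateway and external addresses are assumptions).
SAMPLE_FLOWS = {
    "host1 -> host2 icmp echo":   Packet("icmp", "192.168.1.32", "192.168.1.33"),
    "host2 -> host1 icmp reply":  Packet("icmp", "192.168.1.33", "192.168.1.32"),
    "host1 -> gateway icmp":      Packet("icmp", "192.168.1.32", "192.168.1.1"),
    "host1 -> 8.8.8.8 icmp":      Packet("icmp", "192.168.1.32", "8.8.8.8"),
    "host1 -> host2 tcp":         Packet("tcp",  "192.168.1.32", "192.168.1.33"),
}


def classify_samples() -> dict:
    """Action the inbound port ACL takes on each sample flow."""
    return {name: evaluate(ACL_100, pkt) for name, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, action in classify_samples().items():
        print(f"{action:6s} {name}")
```

Two things the run makes visible that the bare config does not. First, because the ACL sits inbound on the host's own port, the echo reply from host2 is denied on f0/2 just as the request is denied on f0/1, so ping fails even if only one of the two ports carried the ACL. Second, the deny entry covers the whole /24 as destination, so host1 also cannot ping its default gateway or anything else on the subnet; if that is unwanted, narrow the destination to the specific hosts (for example with `host` entries) before the `permit ip any any`.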
08-02-2007 04:40 AM
I think that you can't do anything if two
hosts are in the same /24 net....
and you can't do "ip access-group" on the interface because it's a L2 switch....
08-02-2007 04:58 AM
I guess your switch is L2 and therefore not able to do L3/L4 filtering at all.
Krisztian
08-03-2007 02:25 PM
Port ACL, as shown in the sample in the previous post, does work for filtering traffic to the same subnet since it's applied inbound to the switch port. I did confirm its designed behavior with a L2 switch running standard SMI image. If the ACL is modified it should theoretically work for traffic destined to other subnets. It may not be as elegant as VACL where it can be applied to VLAN(s) instead of individual switch ports but the question is of scalability and performance if applied to the majority of the 48 switch ports on a 2950 such as impact on forwarding performance and CPU utilization.