Catalyst 2960 switch ACL list on ports, how?

markberry666
Level 1

Hi

I may be looking at this wrong so all advice appreciated.

I have a Catalyst 2960 switch (layer 2 I understand) which is connected to a Cisco 2811 router

there are 5 tenants that are going to get a single port each on the switch, who all share the same internet connection via the router, and I want to apply ACL control to limit their outbound traffic ports.

Each tenant has its own VLAN set up on the 2811 and is given a gateway IP address and a single switch port access point. They deal with their own LAN networks on the other side of that switch port.

I need to put ACLs on the switch ports if possible. To achieve this I created an ACL list fine on the switch, but when I try to apply it I can only apply it on an interface using 'ip access-group 100 in', which I think means it is controlling traffic leaving the switch port, not arriving at it. It will not accept 'ip access-group 100 out' as an option, which is what I need, i.e. traffic arriving at the interface gets the ACL list applied.

So I upgraded the switch to the latest firmware and still the same. Now I tried to apply the ACL to a VLAN IP address instead on the switch, but that also only allows ACLs on the INBOUND to the VLAN, which again won't work, as it isn't inter-VLAN traffic I am trying to control but internet-bound traffic from each VLAN.

I could make complicated ACLs for each VLAN on the 2811 router and apply them separately, but I fear this may start overloading the router, as I understood it is best to keep the ACLs minimal where possible.

Can anyone advise of the best approach, and if in fact I can set it up so I am applying an ACL to a single switch port inbound to the port/interface, thereby controlling each tenant's internet traffic at the point of entry, which makes sense to my mind.

Thanks

Mark

Accepted Solution

Hi,

yes all traffic destined to another subnet either another VLAN or the WAN will enter the corresponding SVI.

Regards

Alain

Don't forget to rate helpful posts.



cadet alain
VIP Alumni

Hi,

On an L2 port you can only apply an ACL inbound (that is, for traffic entering this port), whereas on an SVI (or a routed port) you can apply an ACL inbound or outbound (that is, for traffic either entering or leaving this interface).

Explain further exactly what you want to achieve so that we can suggest a way of implementing it.

Regards

Alain

Don't forget to rate helpful posts.


Hi

Thanks, Alain, for your time.

I am not sure how to be clearer about the setup, but here goes.

I wish to assign access-list 100 to traffic entering a switch port on a Cisco Catalyst 2960 S series 48 port.

I have set up the ACL 100 list on the switch.

When I try to apply it to an interface using the following:

'ip access-group 100 in'

I get the error: port based ACL not supported on this image.

I upgraded to the latest image for the switch but it made no difference.

So I attempt a different approach:

From Cisco Network Assistant I try the ACL menu and I see my access-list 100,

but then all that is listed is VLAN1 and a load of VTY ports.

So I now have to assign an IP address to the relevant VLAN interface to be able to assign the ACL list to it. Even then, though outbound is listed, when I click modify, only inbound is available. I'm not sure this is what I want anyway.

This seems to me the wrong approach, as now I would be applying the ACL to the inter-VLAN traffic and not the port itself.

Maybe it just isn't possible with this switch; it appears to be the case. Maybe there is another way to achieve this I am not aware of.

Hi,

If you want to do PACL you'll need a LAN Base image, as it is not supported on the LAN Lite image, which is surely what you've got.

Now, when your clients communicate with hosts in other subnets they use the SVI as their default gateway, so applying the ACL inbound on the SVI will work too.

Regards

Alain

Don't forget to rate helpful posts.


Yes it does use the LANLite image. Is there any particular reason someone would have used that originally, resource use maybe?

OK, thanks for the info.

One last question: traffic from a VLAN with an ACL on the inbound SVI, going out to the WAN, will that be unaffected, or would it be affected by an ACL applied to the inbound of the VLAN interface?

I am asking because the main purpose is also to control traffic going from VLANs out to the WAN.

Hi,

Yes, all traffic destined to another subnet, either another VLAN or the WAN, will enter the corresponding SVI.

Regards

Alain

Don't forget to rate helpful posts.

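The arrangement the accepted answer describes, as an added example that is not the thread's own configuration: the numbered ACL 100 is applied inbound on the tenant's SVI, which is where both WAN-bound and inter-VLAN traffic from that tenant enters. It assumes the SVI is the tenant's default gateway, as the answer assumes; VLAN 10, port Gi0/10 and the 192.0.2.0/24 subnet are placeholder values.

```cisco
! Added example, not the thread's own config. Assumed values: VLAN 10,
! tenant port Gi0/10, tenant subnet 192.0.2.0/24 (RFC 5737 documentation range).
!
! Tenant 10 policy: only DNS and web are allowed out. Because WAN-bound and
! inter-VLAN traffic both enter the SVI, the closing deny also stops this
! tenant from reaching the other tenants' VLANs.
access-list 100 remark Tenant 10 outbound policy, applied inbound on Vlan10
access-list 100 permit udp 192.0.2.0 0.0.0.255 any eq domain
access-list 100 permit tcp 192.0.2.0 0.0.0.255 any eq www
access-list 100 permit tcp 192.0.2.0 0.0.0.255 any eq 443
access-list 100 deny   ip any any
!
interface Vlan10
 description Tenant 10 gateway (SVI)
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
!
interface GigabitEthernet0/10
 description Tenant 10 hand-off port
 switchport mode access
 switchport access vlan 10
!
! The per-port form the original poster tried is what a LAN Lite image
! rejects ("port based ACL not supported on this image"):
!   interface GigabitEthernet0/10
!    ip access-group 100 in
```

`show ip access-lists 100` reports a match counter per entry, which is the quickest way to confirm that the tenant's traffic is actually being evaluated against the ACL.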

Based on https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swacl.html#44781

you need the LAN Base image for MAC ACLs; you should be able to configure PACLs without any issues on a switch with the LAN Lite license.

I have a Cisco 2960X switch which is running the LAN Lite image and PACL is working on that switch.

However, I have a 2960S switch which is also running the LAN Lite image, and PACL is not working on this switch.

I can see the ACL in the configuration but I don't see any matches against the ACL.
