2965 Views · 0 Helpful · 5 Replies

ip access-group command does not exist C2960L-8PS on 15.2(7)E2

rmccall7331
Level 1

Hello,

I stood up a vlan by issuing the following commands:

switch(config)# ip routing
switch(config)# ip access-list extended MGMT_ACL_in
.....(OMITTED)
switch(config)# vlan 2000
switch(vlan-config)# name v2000.03.usr.vlan
switch(config)# int vlan 2000
switch(config-if)# ip address 192.168.1.1 255.255.255.0
switch(config-if)# desc v2000.03.usr.svi
switch(config-if)# no shut
switch(config-if)# exit
switch(config)# interface Gi0/8
switch(config-if)# desc end.user.ws
switch(config-if)# switchport
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 2000
switch(config-if)# no shut
switch(config-if)# int vlan 2000
switch(config-if)# ip access-group MGMT_ACL_in in
% Invalid input detected at '^' marker.

If I issue the command "ip acc ?" I get:

% Unrecognized command

What am I doing wrong? This is the most basic feature of any Cisco switch with SVI capabilities. These commands work on every other 2960 I've ever used. If I cannot use access-group, how am I supposed to secure my management VLAN?

Thank you
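A config check that is not part of this thread: the Python script below is an added example (not the poster's and not Cisco's code) that parses a constructed IOS-style running-config modelled on the commands above and reports every Layer 3 interface (an SVI, or a "no switchport" routed port carrying an IP address) that has no inbound ip access-group, plus any applied ACL whose definition is missing. When a platform rejects the ip access-group line, the running-config simply lacks it, so a check like this is how you catch an unprotected management SVI after a deployment rather than by reading the config by eye. The two extra routed ports, the ACL name USER_ACL_in and the 10.0.x.x addresses in the sample are constructed; only MGMT_ACL_in, Vlan2000, Gi0/8 and 192.168.1.1/24 come from the post.

```python
"""Audit an IOS-style running-config for L3 interfaces lacking an inbound ACL.

Added example, not code from the thread. SAMPLE_CONFIG is constructed to mirror
the poster's commands: the ACL and SVI exist, but the 'ip access-group' line
the switch rejected is absent from interface Vlan2000. The routed ports Gi0/1
and Gi0/2, the ACL USER_ACL_in and the 10.0.x.x addresses are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

SAMPLE_CONFIG = """\
ip routing
!
ip access-list extended MGMT_ACL_in
 permit tcp 192.168.1.0 0.0.0.255 any eq 22
 deny ip any any log
!
interface Vlan2000
 description v2000.03.usr.svi
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/8
 description end.user.ws
 switchport mode access
 switchport access vlan 2000
!
interface GigabitEthernet0/1
 no switchport
 ip address 10.0.0.1 255.255.255.252
 ip access-group MGMT_ACL_in in
!
interface GigabitEthernet0/2
 no switchport
 ip address 10.0.1.1 255.255.255.252
 ip access-group USER_ACL_in in
"""

ACL_DEF = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
NUMBERED_ACL = re.compile(r"^access-list (\d+) ")
IFACE = re.compile(r"^interface (\S+)$")
IP_ADDR = re.compile(r"^ip address (\S+ \S+)$")
ACL_APPLY = re.compile(r"^ip access-group (\S+) (in|out)$")


@dataclass
class L3Interface:
    name: str
    address: str
    acl_in: Optional[str] = None
    acl_out: Optional[str] = None


def split_blocks(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header, indented child lines) per top-level stanza; '!' and blank
    lines are separators in IOS output and are skipped."""
    header: Optional[str] = None
    children: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
            continue
        if header is not None:
            yield header, children
        header, children = raw.strip(), []
    if header is not None:
        yield header, children


def parse_config(text: str) -> Tuple[Dict[str, L3Interface], Set[str]]:
    """Collect defined ACL names and every interface that carries an 'ip address'
    (an SVI or a routed port). Pure switchports such as Gi0/8 never carry one,
    so they are skipped: the ACL belongs on the SVI they feed."""
    interfaces: Dict[str, L3Interface] = {}
    acls: Set[str] = set()
    for header, children in split_blocks(text):
        if (m := ACL_DEF.match(header)) or (m := NUMBERED_ACL.match(header)):
            acls.add(m.group(1))
            continue
        if not (m := IFACE.match(header)):
            continue
        address = acl_in = acl_out = None
        for line in children:
            if a := IP_ADDR.match(line):
                address = a.group(1)
            elif g := ACL_APPLY.match(line):
                if g.group(2) == "in":
                    acl_in = g.group(1)
                else:
                    acl_out = g.group(1)
        if address:
            interfaces[m.group(1)] = L3Interface(m.group(1), address, acl_in, acl_out)
    return interfaces, acls


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs: L3 interfaces with no inbound ACL, and
    applied ACLs that have no matching definition (typo or lost stanza)."""
    interfaces, acls = parse_config(text)
    findings: List[Tuple[str, str]] = []
    for name, iface in sorted(interfaces.items()):
        if iface.acl_in is None:
            findings.append((name, "no inbound ACL applied"))
        elif iface.acl_in not in acls:
            findings.append((name, f"inbound ACL {iface.acl_in} is not defined"))
        if iface.acl_out and iface.acl_out not in acls:
            findings.append((name, f"outbound ACL {iface.acl_out} is not defined"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run it against the output of "show running-config" saved to a file (replace SAMPLE_CONFIG with the file contents); on the constructed sample it flags Vlan2000 for having no inbound ACL and Gi0/2 for referencing an ACL that was never defined, while Gi0/8 is correctly ignored as a Layer 2 port.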

Accepted Solution

I've already discovered what the issue/reason is: I opened a Cisco TAC case and I was told the C2960L series does not support applying ACLs to vlans in any way, shape or form. I'm sure this was done to force you to buy another, more expensive switch?

The only way around this that I could think of is to use 1 link for an L3 point-to-point for end user IP traffic and put an ACL on that port, and use another link for an L3 point-to-multipoint, use that link to manage this switch, and put an ACL on that port. THIS SOLUTION, TO ME, IS UNACCEPTABLE.

Why give a 2960 routing functionality if you don't even include the most basic security controls found on even the cheapest Netgear managed L2 switch?

Why give a person the ability to create VLANs, but not the ability to secure them?

Why would I want a 2960 to route anything but management traffic? That's what CEs are for...

Why should I have to waste an additional port on management?

Why did Cisco remove this feature?

Who knows?

I'm tired of Cisco's antics just to squeeze another cent out of people.

I'm already in the process of ordering Juniper switches to replace them. I hope anyone researching the C2960L series comes across this. Thank you everyone for your replies, but this conversation is done.


5 Replies

Martin L
VIP

Interface Gi0/8 is a switchport, aka a switching port; I do not think you can apply an ACL on that type of port. You can apply an ACL on routed ports like the SVI interface vlan 2000.

 

Regards, ML
**Please Rate All Helpful Responses**

Martin,

Please read my post in its entirety.

An SVI is inherently layer 3 (which is why I assigned an IP to it...). Also note that I turned on IP routing, which was one of the first commands I issued. I already tried setting Gi0/8 to a routed port via the commands "no switchport" and "ip address 192.168.1.1 255.255.255.0" and the switch takes the commands. The interface can communicate just fine, but the ip access-group command is still not found.

For anyone replying, I know the difference between a layer 2 port and a layer 3 port. I also know the difference between a managed L2 switch and an L3 switch. Thank you.

Sorry, I did not notice you switched back to interface vlan 2000 with int vlan 2000.

Richard Burts
Hall of Fame

I find it surprising that you were apparently successful with this command

switch(config)# ip access-list extended MGMT_ACL_in

but then encounter this

if I issue the command "ip acc ?" I get:

% Unrecognized command

In what you post there is a space before the question mark. What happens if you use the command but no space (ip acc?)?

Perhaps it would be helpful if you post the output of these commands

show ip protocol

show ip interface brief

HTH

Rick
