09-16-2009 06:13 AM - edited 03-06-2019 07:45 AM
I've created a standard ACL on a 2960G switch in which I want to limit in-bound traffic to a node connected to this switch.
The problem I'm having is once the ACL has been applied to the interface port, I can no longer send or receive traffic from the node (the interface in which the access list was just applied). It's almost like the port has been locked down (I can not ping any other devices on the switch).
2960G-24 port switch
Port gi 0/4 has a node with the ip address of 192.168.100.30
Port gi 0/5 has a node with an address of 192.168.100.31
here's the ACL created:
access-list 2 deny host 192.168.100.31
access-list 2 permit any
I've applied this to interface gi 0/4
Nothing gets to or from gi 0/4. It seems to be blocking both incoming and outgoing, since I'm not able to ping from 192.168.100.30 and I can't ping from any node to 192.168.100.31
Any advice would greatly be appreciated.
thanks in advance!
09-16-2009 07:02 AM
Show your interface configuration here also.
The direction of the access-list is important for your case.
09-16-2009 07:08 AM
Sorry about that
I applied the access list to gi 0/4
Interface gi 0/4
ip access-group 2 in
09-16-2009 09:00 AM
What do you mean "can't ping from any node to 192.168.100.31"? Seeing that you applied the ACL to 192.168.100.30, it would have no impact on other devices pinging the .31. Check and make sure you have no firewalls active on the device you are trying to ping, the .31.
09-16-2009 09:32 AM
That should read "can't ping from any node to 192.168.100.30". I've checked for firewall settings, which were turned off.
09-16-2009 09:51 AM
Let me explain.
You are using a standard Access-List, which defines 192.168.100.31 as Source address, which is correct.
But you are not applying it in the correct direction.
It should be ip access-group 2 OUT
IN - is for traffic from G0/4
OUT - is for traffic to G0/4
Try to change to OUT instead and check your pings again.
09-16-2009 09:56 AM
OUT is not an option for ACL on the 2960G, can only filter on the IN
09-16-2009 09:57 AM
Put it on the IN direction on G0/5 instead.
09-16-2009 10:09 AM
I'm not sure exactly what you mean...
gi0/5 has a node with ip 192.168.100.31
so are you saying that by applying
access-list 2 deny host 192.168.100.31 to gi0/5, you're denying inbound traffic with that ip?
09-16-2009 10:48 AM
You can only apply an ACL in the "in" direction on a layer 2 switch .
09-16-2009 11:23 AM
Hi Glen,
Please explain to me how an access-list works on a Layer 2 switch. Because a Layer 2 switch works on the data link layer, i.e. it just checks MAC addresses, not IP addresses, and an access-list requires a device that works on layer 3.
thanks in advance.
09-16-2009 01:23 PM
While the 2960's and equivalents are considered a layer 2 switch and normally just pass traffic at the layer 2 level and have no routing capability, they can inspect packets at the layer 3 level and apply ACL's on the interfaces like a normal layer 3 device. Today's layer 2 switches need this capability not just for security ACL's but also for implementing COS, QOS parameters for using IP phones on the network. There are certain restrictions when implementing on a layer 2 device, usually spelled out in the config docs. For info on implementing ACL's on a layer 2 switch like the 2960 follow this link.
09-19-2009 11:15 AM
Hi, Jekood001,
I test in the 3550 switch,
it works with an extended ACL, under interface gi0/5 --- where your .31 stays
access-list 100 deny ip host 192.168.100.31 host 192.168.100.30
access-list 100 permit ip any any
interface FastEthernet0/2 **** connect .31 host
switchport mode dynamic desirable
ip access-group 100 in
hope it works for your switch
Yang
09-21-2009 02:52 AM
Hi Yang,
yes I agree, I can get the access list to work if using an Extended access list. The Standard list doesn't function as intended...
thanks
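The thread turns on two points: a standard ACL matches only the source address, and a Layer 2 switch port filters only in the inbound direction. The following model of first-match ACL evaluation is an added example, not code from the thread or from Cisco; it applies the original standard ACL 2 on gi0/4 and Yang's extended ACL 100 on the .31 port to constructed sample packets, so you can see which flows each one is expected to drop. The `Ace`/`Acl` classes and the `forwards` helper are assumptions for the model; the hosts, ports and ACL entries are the thread's.

```python
# Added example (not from the thread): a small model of Cisco first-match ACL
# semantics, applied in the inbound direction only (as the thread notes for a
# Layer 2 2960). Host/port assignments are the thread's; packets are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: Optional[str]           # None means "any"
    dst: Optional[str] = None    # only extended ACLs match on destination


@dataclass
class Acl:
    name: str
    entries: List[Ace] = field(default_factory=list)

    def evaluate(self, src: str, dst: str) -> str:
        # First matching entry wins; every ACL ends with an implicit "deny".
        for ace in self.entries:
            if ace.src not in (None, src):
                continue
            if ace.dst not in (None, dst):
                continue
            return ace.action
        return "deny"


# Which host sits behind which access port (from the thread).
PORT_OF = {"192.168.100.30": "gi0/4", "192.168.100.31": "gi0/5"}


def forwards(src: str, dst: str, inbound: Dict[str, Acl]) -> bool:
    """A packet from src to dst enters the switch on src's port; only that
    port's inbound ACL is consulted (no egress filtering on the L2 switch)."""
    ingress = PORT_OF.get(src, "other")   # unknown hosts: an unfiltered port
    acl = inbound.get(ingress)
    return acl is None or acl.evaluate(src, dst) == "permit"


# Original posted config: standard ACL 2 applied "in" on gi0/4 (host .30).
ACL2 = Acl("2", [Ace("deny", "192.168.100.31"), Ace("permit", None)])
ORIGINAL = {"gi0/4": ACL2}

# Yang's extended ACL 100 applied "in" on the port that connects .31.
ACL100 = Acl("100", [Ace("deny", "192.168.100.31", "192.168.100.30"),
                     Ace("permit", None, None)])
YANG = {"gi0/5": ACL100}
```

In this model ACL 2 on gi0/4 never matches, because nothing entering gi0/4 is sourced from .31, which is why the replies say it should have no effect; ACL 100 on gi0/5 drops only .31 to .30 and lets .31 reach everything else.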