How to Configure the Following Access List on Catalyst 2955

Mar 12th, 2007


I am having trouble with the implementation of an Access Control List (ACL).

I have one Catalyst 2955 switch and I have two computers with (PC1) and (PC2)

while Switch IP address is

Actually, I have configured the switch with every type of ACL, i.e. Standard ACL or Extended ACL (even protocol-based or MAC-address-based ACL), but couldn't succeed yet.

Although I restarted the switch many times, the result is the same: nothing is applied on the network.

I implemented the following things:


1- config t

access-list 1 deny


wr mem

but both PCs access each other and nothing happened.

I want to restrict PC1 from accessing PC2, but both PCs are still accessing each other.

I additionally configured the following command on FastEthernet1 to restrict this port only, so that the ACL would be applied on Fa 0/1, but nothing happened.

int fa 0/1

ip access-group 1 in


wr mem

Please help me; I am very much worried that no type of ACL can be implemented.

Actually, I want to configure the switch for packet priority, so that some packets/traffic from PC1 are given high priority and some packets are given low priority.

Please tell me how I can do this.



kyawzawhtut Tue, 03/13/2007 - 00:39

A few points to note regarding ACLs on the 2955:

1. Your IOS image must be EI to use ACLs on a layer 2 interface (you can check by typing show version in privileged mode).

2. According to your access list, you are practically denying all network traffic coming into int fa0/1, as at the end of the access list there is an explicit deny statement.


Please rate if helpful.




shahid_raza74 Tue, 03/13/2007 - 01:48

Yes, my switch has EI software.

One thing which I missed is that I gave the IP address of the switch to now please tell me how I can configure an ACL for VLAN1 for restricting a PC from accessing another PC, or to stop some packets from going to another PC...




kyawzawhtut Tue, 03/13/2007 - 02:32

Hi Shahid

Supposing your PC2 is connected to fa0/1, a configuration like the one below should work; it is working on a C2950, by the way.

[in config t]

access-list 1 deny

access-list 1 permit any

[in fa0/1]

ip access-group 1 out

By doing this, PC1 won't be able to ping/communicate with PC2. :)
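
The two access lists discussed in this thread differ only in the final permit any entry. The following added example (not part of any post in this thread, and not Cisco code) models how a standard access list is evaluated: entries are checked in order, the first match decides, and a packet that matches nothing is dropped by the implicit deny at the end of every access list. The addresses are constructed placeholders, since the thread's own addresses are not shown, and the function names are hypothetical.

```python
import ipaddress

# Constructed addresses (documentation range); the thread's own are not shown.
PC1, PC2, OTHER = "192.0.2.11", "192.0.2.12", "192.0.2.50"
ACL_DENY_ONLY = [f"access-list 1 deny {PC1}"]
ACL_WITH_PERMIT = [f"access-list 1 deny {PC1}", "access-list 1 permit any"]

def ip_int(text):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(text))

def parse_acl(lines):
    """Parse 'access-list N permit|deny SRC [WILDCARD]' into (action, addr, wildcard)."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        src = tok[3:]
        if src[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif src[0] == "host":
            addr, wild = ip_int(src[1]), 0
        else:
            addr, wild = ip_int(src[0]), (ip_int(src[1]) if len(src) > 1 else 0)
        rules.append((tok[2], addr, wild))
    return rules

def evaluate(rules, source):
    """Return (action, reason); the first matching entry decides."""
    s = ip_int(source)
    for n, (action, addr, wild) in enumerate(rules, start=1):
        if (s | wild) == (addr | wild):   # wildcard bits set to 1 are ignored
            return action, f"entry {n}"
    return "deny", "implicit deny"        # nothing matched: dropped anyway

if __name__ == "__main__":
    for name, acl in (("deny only", ACL_DENY_ONLY), ("deny + permit any", ACL_WITH_PERMIT)):
        rules = parse_acl(acl)
        for host in (PC1, PC2, OTHER):
            print(f"{name:18} src {host:12} -> {evaluate(rules, host)}")
```

With the deny-only list every source is dropped, which is why applying it to a port cuts off all traffic rather than just PC1; with permit any appended, only PC1 is dropped.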

shahid_raza74 Tue, 03/13/2007 - 21:00

Thanks, I tested it and it is working. This is a Standard ACL; can you give (after testing) an Extended ACL based on MAC address and one that is TCP/UDP protocol based?

My last question is that I configured my switch by giving an IP address on VLAN1 (which is the default)... someone told me that on this VLAN1 some special types of ACL are implemented... not these ACLs which we have it true? while we have already tested your given example as above and it is working? And if yes, that on VLAN1 there are some different ACLs, then what are those ACLs which are implemented on VLAN1?

I am sure these answers will resolve my problem.



kyawzawhtut Wed, 03/14/2007 - 00:18

Hi Shahid

I am not very sure about VLAN1 and different ACL implementations. What I can think of is that you may be able to apply all types of ACL to VLAN1 but not to layer 2 interfaces. Please refer to this URL for limitations.

There are quite a few different types of ACL examples there as well. Try to define exactly what you want to restrict and permit before starting to implement the ACL.

Please rate if helpful.

Thank you.



