
How to Configure following Access List on Catalyst2955

shahid_raza74
Level 1

Assalam-o-Alakium...

I am having trouble implementing an Access Control List (ACL).

I have one Catalyst 2955 switch and two computers, 192.168.200.60 (PC1) and 192.168.200.70 (PC2), while the switch IP address is 192.168.200.50.

I have configured the switch with every type of ACL, i.e. standard ACL or extended ACL (even protocol-based or MAC-address-based ACL), but have not succeeded yet.

Although I restarted the switch many times, the result is the same: nothing is implemented on the network.

I implemented following things:

Like:

1- config t

access-list 1 deny 192.168.200.60 0.0.0.0

end

wr mem

but both PCs can still access each other and nothing happened.

I want to restrict PC1 from accessing PC2, but both PCs are still accessing each other.

I additionally configured the following command on FastEthernet1 to restrict this port only, so that the ACL would be implemented on Fa 0/1, but nothing happened.

int fa 0/1

ip access-group 1 in

end

wr mem

Please help me; I am very worried that no type of ACL can be implemented.

Actually, I want to configure the switch for packet priority, so that some packets/traffic from PC1 are given high priority and some are given low priority.

Please tell me how I can do this.

Regards,

Shahid

5 Replies

kyawzawhtut
Level 1

A few points to note regarding ACLs on the 2955:

1. Your IOS image must be EI to use an ACL on a layer 2 interface. (You can check by typing show version in privileged mode.)

2. According to your access list, you are practically denying all network traffic coming into int fa0/1, as at the end of the access list there is an explicit deny statement.

HTH.

Plz rate if helpful.

Thanks.

Regards

Kyaw

Yes, my switch has the EI software.

One thing I missed is that I gave the switch's IP address to VLAN1... so now please tell me how I can configure an ACL for VLAN1 to restrict a PC from accessing another PC, or to stop some packets from going to another PC...

waiting...

Regards,

Shahid

Hi Shahid

Supposing your PC2 is connected to fa0/1, a configuration like the one below should work; it is working on a C2950, by the way.

[in config t]

access-list 1 deny 192.168.200.60 0.0.0.0

access-list 1 permit any

[in fa0/1]

ip access-group 1 out

By doing this, PC1 won't be able to ping/communicate with PC2. :)
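How the two access lists posted in this thread evaluate, as an added example that is not part of any poster's reply: a small Python model of standard-ACL matching (first match wins, wildcard bits set to 1 are ignored, a packet that matches no entry is denied). The function names are hypothetical, and the model covers only source-address standard ACLs, not how a particular switch port applies them.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(lines):
    """Parse 'access-list N permit|deny any | host A | A [wildcard]' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError("unsupported ACL line: " + line)
        action, src = tok[2], tok[3]
        if src == "any":
            addr, wild = 0, 0xFFFFFFFF          # every bit is "don't care"
        elif src == "host":
            if len(tok) < 5:
                raise ValueError("missing host address: " + line)
            addr, wild = to_int(tok[4]), 0      # exact match
        else:
            addr = to_int(src)
            wild = to_int(tok[4]) if len(tok) > 4 else 0
        entries.append((action, addr, wild))
    return entries

def evaluate(entries, source_ip):
    """Return the action of the first matching entry for source_ip."""
    ip = to_int(source_ip)
    for action, addr, wild in entries:
        # Bits set in the wildcard mask are ignored in the comparison.
        if (ip | wild) == (addr | wild):
            return action
    return "deny"  # nothing matched: the deny at the end of every access list

# The two access lists as posted in the thread.
QUESTION_ACL = ["access-list 1 deny 192.168.200.60 0.0.0.0"]
ANSWER_ACL = ["access-list 1 deny 192.168.200.60 0.0.0.0",
              "access-list 1 permit any"]

def compare(sources):
    """Map each source IP to (verdict under question ACL, verdict under answer ACL)."""
    q, a = parse_acl(QUESTION_ACL), parse_acl(ANSWER_ACL)
    return {ip: (evaluate(q, ip), evaluate(a, ip)) for ip in sources}

if __name__ == "__main__":
    for ip, (before, after) in compare(["192.168.200.60", "192.168.200.70"]).items():
        print(f"{ip}: question ACL -> {before}, answer ACL -> {after}")
```

With the single deny line, PC2's address is denied as well, which is why the `permit any` line is needed before the list can separate PC1 from other sources.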

Thanks, I tested it... it is working. This is a standard ACL; can you give (after testing) an extended ACL based on MAC address and one based on TCP/UDP protocol?

My last question: I configured my switch by giving the IP address to VLAN1 (which is the default)... someone told me that some special types of ACL are implemented on this VLAN1... not the ACLs which we have tested... is that true, given that we have already tested your example above and it is working? And if yes, that there are different ACLs on VLAN1, then what are those ACLs that are implemented on VLAN1?

I am sure these answers will resolve my problem.

Regards,

Shahid

Hi Shahid

I am not very sure about VLAN1 and different ACL implementations. What I can think of is that you may be able to apply all types of ACL to VLAN1 but not to layer 2 interfaces. Please refer to this URL for the limitations.

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00804cc117.html#wp1082773

There are quite a number of examples of different types of ACL there as well. Try to define exactly what you want to restrict and permit before you start implementing ACLs.

Pls rate if helpful.

Thank you.

Regards

Kyaw
