2950 L2 ACL

Unanswered Question
Aug 1st, 2007

As an example, what I'm trying to accomplish is to prevent two hosts on the same subnet from pinging each other. I prefer to use VACL due to hardware filtering performance and the ability to ACL L2 (same subnet) and L3 traffic but the 2950 doesn't appear to support VACL. As an alternative I'm looking into using port ACL applied to chosen switch ports to mimic the L2 ACL capability of VACL.

2950-48 (standard image) 10/100 access switch
! Extended ACL: entries are evaluated top-down, first match wins,
! and every IOS ACL ends with an implicit "deny ip any any".
! ("deny icmp" alone is incomplete; IOS requires source and destination.)
access-list 100 deny icmp any any
access-list 100 permit ip any any
!
int f0/1
 description host1
 ip access-group 100 in
!
int f0/2
 description host2
 ip access-group 100 in

My question is about the scalability of using port ACLs. If I apply this to the majority of the 48 ports on a 2950-48, how will it affect forwarding performance, and is it software or hardware processed? Keep in mind the ACL could be extended to restrict other traffic. Is there anything else I should be concerned with? Thank you in advance.

andrey.v.tyurin Thu, 08/02/2007 - 04:40

I think that you can't do anything if two hosts are in the same net /24...

and you can't do "ip access-group" on the interface because it's an L2 switch...

lbhoang Fri, 08/03/2007 - 14:25

Port ACL, as shown in the sample in the previous post, does work for filtering traffic to the same subnet since it's applied inbound to the switch port. I did confirm its designed behavior with a L2 switch running the standard SMI image. If the ACL is modified it should theoretically work for traffic destined to other subnets. It may not be as elegant as VACL, where it can be applied to VLAN(s) instead of individual switch ports, but the question is one of scalability and performance if applied to the majority of the 48 switch ports on a 2950, such as the impact on forwarding performance and CPU utilization.
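Before pushing a port ACL to most of the 48 ports, it is worth checking offline that the entry order and the implicit deny give the behaviour described above (same-subnet ICMP dropped at ingress, other IP traffic permitted). The following is an added example, not code from the original thread or from Cisco: a small evaluator for the numbered extended ACL syntax used in the question (`any`, `host A.B.C.D`, `A.B.C.D WILDCARD`), with constructed host addresses.

```python
import ipaddress

# Constructed copy of the ACL from the question, in the complete IOS form
# (each entry needs a source and a destination).
ACL_100 = [
    "access-list 100 deny icmp any any",
    "access-list 100 permit ip any any",
]

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0.
    # Only contiguous wildcards are handled here (an assumption of this example).
    mask = ipaddress.IPv4Address((~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO SRC DST' lines into tuples."""
    entries = []
    for line in lines:
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, proto, src_ip, dst_ip):
    """First-match evaluation; 'ip' entries match every protocol, and an
    unmatched packet hits the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src_net, dst_net in entries:
        if p in (proto, "ip") and s in src_net and d in dst_net:
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    # host1 on f0/1 pinging host2 on the same /24 (constructed addresses):
    print(evaluate(acl, "icmp", "10.0.0.11", "10.0.0.12"))  # deny
    print(evaluate(acl, "tcp", "10.0.0.11", "10.0.0.12"))   # permit
```

Swapping the two entries makes the `permit ip any any` match first and the ping goes through, which is the ordering mistake the evaluator is meant to catch before the ACL is applied port by port.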

