2950 L2 ACL

lbhoang
Level 1

As an example, what I'm trying to accomplish is to prevent two hosts on the same subnet from pinging each other. I prefer to use VACL due to hardware filtering performance and the ability to ACL L2 (same subnet) and L3 traffic but the 2950 doesn't appear to support VACL. As an alternative I'm looking into using port ACL applied to chosen switch ports to mimic the L2 ACL capability of VACL.

2950-48 (standard image) 10/100 access switch
VLAN 1 192.168.1.0/24
host1 192.168.1.32
host2 192.168.1.33

access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
!
int f0/1
 description host1
 ip access-group 100 in
!
int f0/2
 description host2
 ip access-group 100 in
!
end

My question is of scalability of using port ACL. If I apply this to the majority of the 48 ports on a 2950-48 how will it affect forwarding performance and if it's software or hardware processed? Keep in mind ACL could be extended to restrict other traffic. Is there anything else I should be concerned with? Thank you in advance.
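To make the filtering behaviour of the posted ACL concrete, here is a small first-match evaluator for Cisco-style extended numbered ACLs. It is an added illustration written for this thread, not code from the original post or from Cisco; the ACL text it parses is the two-line list from the post, the packet tuples are constructed sample inputs, and it only models address/protocol matching (no port operators, no established keyword). It goes slightly beyond the post in that it also accepts the `any` and `host` endpoint forms, so a modified list that restricts traffic to other subnets can be checked the same way.

```python
"""Evaluate packets against a Cisco-style extended ACL: first match wins,
implicit deny at the end. Added example for the thread; ACL_TEXT is the
list from the post, the packets below are constructed sample inputs."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# The two ACEs exactly as posted (constructed input for this example).
ACL_TEXT = """
access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
"""


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every IP protocol; otherwise exact match
    src: int      # base address as a 32-bit integer
    src_wc: int   # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i].
    Returns (address, wildcard, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tok), _addr(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N action proto src src-wc dst dst-wc' lines in order."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, src_wc, i = _parse_endpoint(t, 4)
        dst, dst_wc, _ = _parse_endpoint(t, i)
        aces.append(Ace(action, proto, src, src_wc, dst, dst_wc))
    return aces


def _wc_match(addr: int, base: int, wildcard: int) -> bool:
    # Bits set in the wildcard are ignored; the rest must equal the base.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(aces: List[Ace], proto: str, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet (protocol name, src IP, dst IP)."""
    s, d = _addr(src), _addr(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if _wc_match(s, ace.src, ace.src_wc) and _wc_match(d, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"  # every IOS ACL ends with an implicit deny


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    samples = [  # constructed packets: host1 -> host2, host1 -> off-subnet
        ("icmp", "192.168.1.32", "192.168.1.33"),
        ("tcp", "192.168.1.32", "192.168.1.33"),
        ("icmp", "192.168.1.32", "10.0.0.1"),
    ]
    for proto, src, dst in samples:
        print(f"{proto:5} {src} -> {dst}: {evaluate(acl, proto, src, dst)}")
```

Run as a script it shows that ICMP between host1 and host2 is denied while TCP between them and ICMP to an off-subnet address are permitted, which is the behaviour the port ACL enforces when applied inbound on each access port.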

3 Replies

andrey.v.tyurin
Level 1

I think that you can't do anything if two hosts will be in the same net /24....

and you can't do "ip access-group" on the interface because it's a L2 switch....

I guess your switch is L2 therefore not able to do L3/L4 filtering at all.

Krisztian

Port ACL, as shown in the sample in the previous post, does work for filtering traffic to the same subnet since it's applied inbound to the switch port. I did confirm its designed behavior with a L2 switch running standard SMI image. If the ACL is modified it should theoretically work for traffic destined to other subnets. It may not be as elegant as VACL where it can be applied to VLAN(s) instead of individual switch ports but the question is of scalability and performance if applied to the majority of the 48 switch ports on a 2950 such as impact on forwarding performance and CPU utilization.
