It should work. Including Vlans,

Which IOS is been used on the switch.

sh version

Cisco Internetwork Operating System Software

IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1a, RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2002 by cisco Systems, Inc.

Compiled Thu 17-Oct-02 23:49 by xxxx

Image text-base: 0x80010000, data-base: 0x80528000

ROM: Bootstrap program is CALHOUN boot loader

xxxxxxx uptime is 37 weeks, 6 hours, 15 minutes

System returned to ROM by power-on

System image file is "flash:c2950-i6q4l2-mz.121-11.EA1a.bin"

switch(config-if)#ip access-group ?

<1-199> IP access list (standard or extended)

<1300-2699> IP expanded access list (standard or extended)

WORD Access-list name

switch(config-if)#int gi0/2

switch(config-if)#ip access

switch(config-if)#ip access-group ?

<1-199> IP access list (standard or extended)

<1300-2699> IP expanded access list (standard or extended)

WORD Access-list name

Hi pravinxyz,

when I try to aplly this command inside of the interface phisical, not apears access-goup. Inside of Vlan1, a address not matche on the access-list.

This is a IOS c2950-i6k2l2q4-mz.121-22.EA11.bin used and Model of machine is: C2950-24.

can you give an example of the output and what you are trying to do plz.

I have the following working configuration:

System image file is "flash:c2950-i6k2l2q4-mz.121-22.EA10a.bin"

cisco WS-C2950T-24 (RC32300) processor (revision B0) with 19918K bytes of memory.

interface FastEthernet0/11

ip access-group std-sec-in in

ip access-list extended std-sec-in

remark Std. Security for at-risk ports. Log keyword not supported.

deny udp any any eq netbios-dgm

deny udp any any eq netbios-ns

deny udp any any eq netbios-ss

deny tcp any any eq smtp

deny tcp any any eq telnet

deny tcp any any eq 22

permit ip any any

I'm not sure what you are trying to convey when you say: "Inside of Vlan1, a address not matche on the access-list."

Are you trying to use the "log" keyword?

Perhaps an "acceptable" ACL needs to exist before the access-group command becomes available.

The 2950 series is very limited in the user-define ACL masks that it will support.

I suggest you read the "Configuring Network Security with ACLs" section of the Software Configuration Guide.

From the "Cisco Catalyst 2950 Series Switches with Enhanced Image Software" data sheet:

The Cisco Catalyst 2950SX-48-SI, 2950T-48-SI, 2950SX-24, 2950-24 and 2950-12 are standalone,

fixed-configuration, managed 10/100 switches providing basic workgroup connectivity for small to medium-sized companies.

These wire-speed desktop switches come with Cisco Standard Image software features and offer Cisco IOS® Software functions for basic data, video, and voice services at the edge of the network.

Yours (2950-24) is among them.

In contrast:

Cisco Catalyst 2950 Series switches consist of the following devices, which are only available with Enhanced Image software for the Cisco Catalyst 2950 Series.

• Cisco Catalyst 2950G-48-48 10/100 ports and 2 Gigabit Interface Converter (GBIC)-based Gigabit Ethernet ports

• Cisco Catalyst 2950G-24-24 10/100 ports and 2 GBIC ports

• Cisco Catalyst 2950G-24-DC-24 10/ 100 ports, 2 GBIC ports, DC power

• Cisco Catalyst 2950G-12-12 10/100 ports 2 GBIC ports

• Cisco Catalyst 2950T-24-24 10/100 ports and 2 fixed 10/100/1000BASE-T uplink ports

• Cisco Catalyst 2950C-24-24 10/100 ports and 2 fixed 100BASE-FX uplink ports

Mine (2950T-24) was among these.

This explains the difference in command support between the two devices indicated in an earlier response.

Hi Mark,

I belive what this happens only on the model: 2950-24. I make this commands in the catalyst 2950-48-EI and works fine.

I think I may have commented before understanding your question fully. I think that the enterprise image has the capabilities of creating ACL's to physical interfaces. Because it is primarily a layer two switch it is not capable of full blown ACL's like other multilayer switches, and routers. Do you have an enterprise IOS on the 2950-24 switch?