Standard IP Access List for 2960G

Sep 16th, 2009

I've created a standard ACL on a 2960G switch with which I want to limit inbound traffic to a node connected to this switch.

The problem I'm having is that once the ACL has been applied to the interface port, I can no longer send or receive traffic from the node (the interface on which the access list was just applied). It's almost like the port has been locked down (I cannot ping any other devices on the switch).

2960G-24 port switch

Port gi 0/4 has a node with the ip address of

Port gi 0/5 has a node with an address of

here's the ACL created:

access-list 2 deny host

access-list 2 permit any

I've applied this to interface gi 0/4

Nothing gets to or from gi 0/4. It seems to block both incoming and outgoing, since I'm not able to ping from and I can't ping from any node to .

Any advice would greatly be appreciated.

thanks in advance!

platinum_jem Wed, 09/16/2009 - 07:02

Show your interface configuration here also.

The direction of the access-list is important for your case.

jekood001 Wed, 09/16/2009 - 07:08

Sorry about that

I applied the access list to gi 0/4

Interface gi 0/4

ip access-group 2 in

glen.grant Wed, 09/16/2009 - 09:00

What do you mean "can't ping from any node to "? Seeing that you applied the ACL to , it would have no impact on other devices pinging the .31. Check and make sure you have no firewalls active on the device from which you are trying to ping the .31.

jekood001 Wed, 09/16/2009 - 09:32

That should read: can't ping from any node to . I've checked the firewall settings, which were turned off.

platinum_jem Wed, 09/16/2009 - 09:51

Let me explain.

You are using a standard access-list, which defines as the source address, which is correct.

But you are not applying it in the correct direction.

It should be ip access-group 2 OUT

IN - is for traffic from G0/4

OUT - is for traffic to G0/4

Try to change to OUT instead and check your pings again.

jekood001 Wed, 09/16/2009 - 09:56

OUT is not an option for an ACL on the 2960G; it can only filter on the IN direction.

jekood001 Wed, 09/16/2009 - 10:09

I'm not sure exactly what you mean...

gi0/5 has a node with ip

so are you saying that by applying

access-list 2 deny host to gi0/5, you're denying inbound traffic with that ip?

glen.grant Wed, 09/16/2009 - 10:48

You can only apply an ACL in the "in" direction on a layer 2 switch.

suryakant.chavan Wed, 09/16/2009 - 11:23

Hi Glen,

Please explain to me how an access-list works on a Layer 2 switch, because a Layer 2 switch works at the data link layer, i.e. it just checks MAC addresses, not IP addresses, and an access-list requires a device that works at Layer 3.

thanks in advance.

glen.grant Wed, 09/16/2009 - 13:23

While the 2960s and equivalents are considered layer 2 switches and normally just pass traffic at the layer 2 level and have no routing capability, they can inspect packets at the layer 3 level and apply ACLs on the interfaces like a normal layer 3 device. Today's layer 2 switches need this capability not just for security ACLs but also for implementing CoS and QoS parameters for using IP phones on the network. There are certain restrictions when implementing on a layer 2 device, usually spelled out in the config docs. For info on implementing ACLs on a layer 2 switch like the 2960, follow this link.

YANGCCIE4 Sat, 09/19/2009 - 11:15

Hi, Jekood001,

I test in the 3550 switch,

it works with an extended ACL, under interface gi0/5, which is where your .31 stays:

access-list 100 deny ip host host

access-list 100 permit ip any any

interface FastEthernet0/2 **** connects to the .31 host

switchport mode dynamic desirable

ip access-group 100 in

Hope it works for your switch.
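The following is an added example, not code from the thread or from any of its participants. It models how IOS evaluates an inbound port ACL on a 2960-class switch (first matching entry wins, implicit deny at the end, and `ip access-group ... in` only sees frames that enter that port) so the two points made above can be checked side by side: platinum_jem's remark that a standard ACL only matches the source address and that direction matters, and YANGCCIE4's extended ACL bound inbound on the port where the .31 host sits. The addresses are constructed for illustration; the thread's real addresses were not preserved, only that the host to be kept away ends in .31.

```python
# Added example (not from the thread): a minimal model of inbound port-ACL evaluation,
# used to compare the standard ACL from the question with YANGCCIE4's extended ACL.
# All addresses and port names below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry. None for src/dst means 'any'."""
    action: str                  # "permit" or "deny"
    src: Optional[str] = None
    dst: Optional[str] = None    # always None for a standard ACL: it cannot name a destination


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str                 # the switch port the frame arrives on


NODE_A = "192.0.2.30"   # constructed: host on Gi0/4 that should not be reached by .31
NODE_B = "192.0.2.31"   # constructed: host on Gi0/5, the ".31" of the thread
OTHER = "192.0.2.40"    # constructed: some third host elsewhere on the switch


def standard_acl_2(denied_host: str) -> List[Ace]:
    """access-list 2 deny host <denied_host> / access-list 2 permit any.
    A standard IP ACL can only look at the SOURCE address."""
    return [Ace("deny", src=denied_host), Ace("permit")]


def extended_acl_100(denied_src: str, denied_dst: str) -> List[Ace]:
    """access-list 100 deny ip host <src> host <dst> / access-list 100 permit ip any any."""
    return [Ace("deny", src=denied_src, dst=denied_dst), Ace("permit")]


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; IOS appends an implicit 'deny any' to every ACL."""
    for ace in acl:
        if (ace.src is None or ace.src == pkt.src) and (ace.dst is None or ace.dst == pkt.dst):
            return ace.action
    return "deny"


def ingress_decision(pkt: Packet, bindings: Dict[str, List[Ace]]) -> str:
    """'ip access-group <acl> in' on a port filters only frames ENTERING that port
    (the 2960 offers no outbound port ACL). A port with nothing bound forwards unfiltered."""
    acl = bindings.get(pkt.ingress)
    return evaluate(acl, pkt) if acl is not None else "permit"


def run_scenarios() -> Dict[str, Dict[str, str]]:
    b_to_a = Packet(src=NODE_B, dst=NODE_A, ingress="Gi0/5")   # .31 talking to the Gi0/4 node
    a_to_b = Packet(src=NODE_A, dst=NODE_B, ingress="Gi0/4")   # the Gi0/4 node answering
    b_to_other = Packet(src=NODE_B, dst=OTHER, ingress="Gi0/5")  # .31 talking to anyone else

    results: Dict[str, Dict[str, str]] = {}

    # 1. As posted in the question: standard ACL 2 inbound on Gi0/4. Frames from .31 enter the
    #    switch on Gi0/5, so this ACL never sees them; it only ever sees NODE_A's own traffic,
    #    whose source is not .31, so every entry it evaluates hits 'permit any'.
    as_posted = {"Gi0/4": standard_acl_2(NODE_B)}
    results["std_on_gi0/4"] = {
        "B->A": ingress_decision(b_to_a, as_posted),
        "A->B": ingress_decision(a_to_b, as_posted),
    }

    # 2. Standard ACL 2 inbound on Gi0/5, where .31 actually enters: the deny now matches,
    #    but with no destination field the host is cut off from EVERY other node.
    std_on_b = {"Gi0/5": standard_acl_2(NODE_B)}
    results["std_on_gi0/5"] = {
        "B->A": ingress_decision(b_to_a, std_on_b),
        "B->other": ingress_decision(b_to_other, std_on_b),
    }

    # 3. YANGCCIE4's extended ACL inbound on Gi0/5: only .31 -> NODE_A is dropped.
    ext_on_b = {"Gi0/5": extended_acl_100(NODE_B, NODE_A)}
    results["ext_on_gi0/5"] = {
        "B->A": ingress_decision(b_to_a, ext_on_b),
        "B->other": ingress_decision(b_to_other, ext_on_b),
    }
    return results


if __name__ == "__main__":
    for name, flows in run_scenarios().items():
        print(name, flows)
```

Two things the model makes visible that the thread only states: a standard ACL bound inbound on the wrong port matches nothing from the host it names, and once it is bound where that host enters it blocks that host towards everyone, because it has no destination to match on. Only the extended entry can single out one source/destination pair. Note that with the extended ACL in place a ping from the Gi0/4 node to .31 also fails, since the echo reply enters on Gi0/5 with source .31 and destination NODE_A and is dropped; that is expected, not a sign the ACL is misapplied.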


jekood001 Mon, 09/21/2009 - 02:52

Hi Yang,

yes I agree, I can get the access list to work if using an Extended access list. The Standard list doesn't function as intended...


