Standard IP Access List for 2960G

jekood001
Level 1

I've created a standard ACL on a 2960G switch in which I want to limit in-bound traffic to a node connected to this switch.

The problem I'm having is that once the ACL has been applied to the interface port, I can no longer send or receive traffic from the node (the interface to which the access list was just applied). It's almost like the port has been locked down (I cannot ping any other devices on the switch).

2960G-24 port switch

Port gi 0/4 has a node with the ip address of 192.168.100.30

Port gi 0/5 has a node with an address of 192.168.100.31

here's the ACL created:

access-list 2 deny host 192.168.100.31

access-list 2 permit any

I've applied this to interface gi 0/4

Nothing gets to or from gi 0/4. It seems to be blocking both incoming and outgoing, since I'm not able to ping from 192.168.100.30 and I can't ping from any node to 192.168.100.31.

Any advice would greatly be appreciated.

thanks in advance!


platinum_jem
Level 1

Show your interface configuration here also.

The direction of the access-list is important for your case.

Sorry about that

I applied the access list to gi 0/4

Interface gi 0/4

ip access-group 2 in

glen.grant
VIP Alumni

What do you mean "can't ping from any node to 192.168.100.31"? Seeing that you applied the ACL to 192.168.100.30, it would have no impact on other devices pinging the .31. Check and make sure you have no firewalls active on the device from which you are trying to ping the .31.

That should read "can't ping from any node to 192.168.100.30". I've checked for firewall settings, which were turned off.

platinum_jem
Level 1

Let me explain.

You are using a standard Access-List, which defines 192.168.100.31 as Source address, which is correct.

But you are not applying it in the correct direction.

It should be ip access-group 2 OUT

IN - is for traffic from G0/4

OUT - is for traffic to G0/4

Try to change to OUT instead and check your pings again.

OUT is not an option for ACL on the 2960G, can only filter on the IN

Put it on the IN direction on G0/5 instead.


I'm not sure exactly what you mean...

gi0/5 has a node with ip 192.168.100.31

so are you saying that by applying

access-list 2 deny host 192.168.100.31 to gi0/5, you're denying inbound traffic with that ip?

You can only apply an ACL in the "in" direction on a layer 2 switch.

Hi Glen,

Please explain to me how an access-list works on a Layer 2 switch, because a Layer 2 switch works at the data link layer, i.e. it just checks MAC addresses, not IP addresses, and an access-list requires a device that works at layer 3.

thanks in advance.

While the 2960s and equivalents are considered layer 2 switches and normally just pass traffic at the layer 2 level and have no routing capability, they can inspect packets at the layer 3 level and apply ACLs on the interfaces like a normal layer 3 device. Today's layer 2 switches need this capability not just for security ACLs but also for implementing CoS and QoS parameters for using IP phones on the network. There are certain restrictions when implementing on a layer 2 device, usually spelled out in the config docs. For info on implementing ACLs on a layer 2 switch like the 2960, follow this link.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_46_se/configuration/guide/swacl.html

YANGCCIE4
Level 1

Hi, Jekood001,

I tested on a 3550 switch.

It works with an extended ACL, under interface gi0/5, where your .31 host sits:

access-list 100 deny ip host 192.168.100.31 host 192.168.100.30

access-list 100 permit ip any any

interface FastEthernet0/2 **** connect .31 host

switchport mode dynamic desirable

ip access-group 100 in

Hope it works for your switch.

Yang

Hi Yang,

Yes, I agree, I can get the access list to work if using an extended access list. The standard list doesn't function as intended...

thanks
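An added model, not code from this thread or from Cisco, of how an ingress port ACL is evaluated, using ACL 2 from the question and ACL 100 from Yang's reply: it follows the intended first-match semantics and the direction point made above (an "in" ACL only sees traffic sent by the host on that port), so it does not reproduce the complete lockout the original poster observed. The topology is constructed, and the third host 192.168.100.40 on gi0/6 is an assumption added to show that the standard ACL blocks .31 toward every host while the extended ACL blocks only .31 to .30.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

def host(ip):
    return ip_network(f"{ip}/32")

# Standard ACL 2 from the question: matches on the source address only.
ACL_2 = [("deny", host("192.168.100.31"), ANY),
         ("permit", ANY, ANY)]

# Extended ACL 100 from Yang's reply: matches on source and destination.
ACL_100 = [("deny", host("192.168.100.31"), host("192.168.100.30")),
           ("permit", ANY, ANY)]

def acl_permits(acl, src, dst):
    """Evaluate entries top-down; first match wins, no match is an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

# Constructed topology (gi0/6 with .40 is an assumption, added to show the
# difference between the standard and the extended ACL).
PORT_OF = {"192.168.100.30": "gi0/4",
           "192.168.100.31": "gi0/5",
           "192.168.100.40": "gi0/6"}

def forwarded(port_acls, src, dst):
    """A port ACL applied 'in' is checked only against packets entering the
    switch on that port, i.e. packets sent by the host attached to it."""
    acl = port_acls.get(PORT_OF[src])
    return acl is None or acl_permits(acl, src, dst)

def ping_matrix(port_acls):
    """Return {(src, dst): allowed} for every host pair under the given port ACLs."""
    hosts = list(PORT_OF)
    return {(s, d): forwarded(port_acls, s, d)
            for s in hosts for d in hosts if s != d}
```

Under this model, ACL 2 applied "in" on gi0/4 filters nothing, because .31 never enters the switch on that port; the same ACL "in" on gi0/5 blocks .31 as a source toward every host, and ACL 100 "in" on gi0/5 blocks only .31 to .30.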
