09-16-2010 06:25 AM - edited 03-06-2019 01:00 PM
Hi ,
I need to apply this to an interface on 2950 switch.
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 100 deny ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.199.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.99.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 100 permit ip 192.168.99.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 100 permit ip 192.168.199.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 100 permit ip 192.168.199.0 0.0.0.255 192.168.199.0 0.0.0.255
However when I try to apply it to the port I get the following
%Error: The field sets of all the ACEs in an ACL on Ethernet interface should match.
I'm pretty new to all of this so any help is appreciated
Graham
09-16-2010 07:34 AM
You're applying this ACL to the interface VLAN or to a layer 2 port on the 2950?
Federico.
09-16-2010 07:40 AM
hi,
on to a layer 2 port
can and how I apply it to a vlan?
Graham
09-16-2010 07:45 AM
grahamhyland wrote:
hi,
on to a layer 2 port
can and how I apply it to a vlan?
Graham
You can apply it to a vlan ie.
int vlan x
ip access-group 100
but we need to understand your layout because the L3 vlan interface you have on the 2950 will probably not be the vlan interface you need to apply it to if this is trying to filter user traffic.
Jon
09-16-2010 07:50 AM
Are you using the ip access-group command to apply the ACL?
I don't have access to a 2950 but you should be able to apply the access-group to the management interface (interface VLAN).
According to this:
All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different rules that use the same mask. On a given interface, only one type of user-defined mask is allowed
Federico.
09-16-2010 07:43 AM
Graham
This is a limitation when you apply an acl to a physical interface on the 2950. Your wildcard masks eg. 0.0.0.255 must be the same for all entries in the acl, but you have not only used 0.0.0.255 but also "any".
This restriction does not apply to a L3 vlan interface so you may be able to apply this to the L3 vlan interface, which may well be on another switch (if you have a L3 switch).
Perhaps you could provide some more details of your switch/router layout and exactly what you are trying to achieve?
Jon
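A small pre-check for the mask restriction described above, written for this thread as an added example (not from the original posts or from Cisco). It parses the ACL Graham posted, reduces each ACE to its field set, which here is assumed to be (protocol, source wildcard, destination wildcard), with "any" treated as wildcard 255.255.255.255, and reports whether every ACE shares one set, which is what a 2950 layer 2 port requires.

```python
import re

# Constructed sample input: the ACL exactly as posted in the thread.
ACL_LINES = """
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 100 deny ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.199.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.99.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 100 permit ip 192.168.99.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 100 permit ip 192.168.199.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 100 permit ip 192.168.199.0 0.0.0.255 192.168.199.0 0.0.0.255
""".strip().splitlines()

# Extended numbered ACE: "access-list <n> permit|deny <proto> <src> <dst> ..."
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.+)$")


def parse_addr(tokens):
    """Consume one IOS address spec and return (address, wildcard, remaining tokens).

    'any' is the same as 0.0.0.0 255.255.255.255 and 'host A' is A 0.0.0.0.
    """
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def field_set(line):
    """Reduce an ACE to the fields the port ACL must keep constant (assumed model)."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an extended ACE: {line!r}")
    proto, rest = m.group(3), m.group(4).split()
    _, src_wc, rest = parse_addr(rest)
    _, dst_wc, _ = parse_addr(rest)
    return proto, src_wc, dst_wc


def check_port_acl(lines):
    """Return (ok, groups): ok is True only when all ACEs share one field set.

    groups maps each field set to the ACE lines using it, so the odd ones out
    (here the two entries with 'any') are easy to spot before applying the ACL.
    """
    groups = {}
    for line in lines:
        groups.setdefault(field_set(line), []).append(line.strip())
    return len(groups) == 1, groups
```

Running check_port_acl(ACL_LINES) returns ok=False with three field sets, the two "any" entries each forming their own group; dropping or rewriting those two is what would make the list acceptable on a layer 2 port.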
09-17-2010 01:54 AM
Thanks for the reply guys,
I'll attempt to describe what I'm trying to achieve
I have 2 virtual switches on a vmware server; each switch has a number of clients, on different subnets 192.168.99.0 & 192.168.199.0.
These vSwitches are patched into my 4510 production LAN which is 192.168.1.0 (VLAN101). I have created 2 vlans on the 4510 for the vSwitch traffic, VLAN99 & VLAN199, and placed each vSwitch into the corresponding vlan. I gave each vlan an ip address on *.1
(the 4510 is our WAN core switch)
I also have a 2950 which connects to a test lab; this is hanging off the 4510 on VLAN101
Here I have physical hosts on all 3 vlans
I need to isolate the 192.168.99.0 & 192.168.199.0 from the rest of the WAN
I hope this makes sense
Graham
09-17-2010 05:38 AM
Graham
Then you can apply your acl(s) to the L3 vlan interfaces on the 4510.
Jon