Access list problem

grahamhyland
Level 1

Hi,

I need to apply this to an interface on 2950 switch.

access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 100 deny ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.199.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.99.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 100 permit ip 192.168.99.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 100 permit ip 192.168.199.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 100 permit ip 192.168.199.0 0.0.0.255 192.168.199.0 0.0.0.255

However, when I try to apply it to the port I get the following:

%Error: The field sets of all the ACEs in an ACL on Ethernet interface should match.

I'm pretty new to all of this, so any help is appreciated.

Graham

7 Replies

You're applying this ACL to the interface VLAN or to a layer 2 port on the 2950?

Federico.

hi,

on to a layer 2 port

Can I apply it to a VLAN, and if so, how?

Graham

grahamhyland wrote:

hi,

on to a layer 2 port

Can I apply it to a VLAN, and if so, how?

Graham

You can apply it to a VLAN, i.e.:

int vlan x

ip access-group 100

but we need to understand your layout, because the L3 VLAN interface you have on the 2950 will probably not be the VLAN interface you need to apply it to if this is trying to filter user traffic.

Jon

Are you using the ip access-group command to apply the ACL?

I don't have access to a 2950 but you should be able to apply the access-group to the management interface (interface VLAN).

According to this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#wp1050558

All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different rules that use the same mask. On a given interface, only one type of user-defined mask is allowed.

Federico.

Jon Marshall
Hall of Fame

Graham

This is a limitation when you apply an ACL to a physical interface on the 2950. Your wildcard masks, e.g. 0.0.0.255, must be the same for all entries in the ACL, but you have used not only 0.0.0.255 but also "any".

This restriction does not apply to a L3 VLAN interface, so you may be able to apply this to the L3 VLAN interface, which may well be on another switch (if you have a L3 switch).

Perhaps you could provide some more details of your switch/router layout and exactly what you are trying to achieve?

Jon
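The restriction Jon describes can be checked before an ACL is ever applied to a port. The following is an added example written for this thread (it is not part of the original posts and not Cisco code): a small Python checker that parses numbered IOS ACL lines, expands the "any" and "host" shorthands to the explicit address/wildcard forms IOS stores them as, and groups the ACEs by the match fields they use. Modelling the "field set" as the (protocol, source wildcard, destination wildcard) triple is an assumption based on the error message and the documentation quoted above. The sample ACL is Graham's list from the thread; the second, single-mask list is constructed only to show what a passing result looks like.

```python
"""Check a numbered Cisco IOS ACL for the Catalyst 2950 port-ACL restriction.

Added example for this thread (not from the original posts). It models the rule
quoted above: every ACE applied to a Layer 2 port must use the same set of
match fields. Here a 'field set' is assumed to be the
(protocol, source wildcard, destination wildcard) triple of an ACE.
"""
import re
from collections import defaultdict

# Graham's ACL as posted in the thread.
SAMPLE_ACL = """
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 100 deny ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.199.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.99.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 100 permit ip 192.168.99.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 100 permit ip 192.168.199.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 100 permit ip 192.168.199.0 0.0.0.255 192.168.199.0 0.0.0.255
"""

# Constructed list that uses a single wildcard mask throughout (for contrast only;
# it is not a semantic replacement for the list above).
SAMPLE_ACL_CONSISTENT = """
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 101 deny ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.99.0 0.0.0.255 192.168.199.0 0.0.0.255
"""

ADDR = r"\d{1,3}(?:\.\d{1,3}){3}"
# An endpoint is 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' (address + wildcard).
ENDPOINT = rf"(?:any|host\s+{ADDR}|{ADDR}\s+{ADDR})"
ACE_RE = re.compile(
    rf"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    rf"(?P<src>{ENDPOINT})\s+(?P<dst>{ENDPOINT})\s*$"
)


def normalize_endpoint(text):
    """Return (address, wildcard), expanding the IOS shorthands:
    'any' is 0.0.0.0 255.255.255.255 and 'host X' is X 0.0.0.0."""
    parts = text.split()
    if parts[0] == "any":
        return ("0.0.0.0", "255.255.255.255")
    if parts[0] == "host":
        return (parts[1], "0.0.0.0")
    return (parts[0], parts[1])


def parse_acl(text):
    """Parse ACL text into a list of ACE dicts; comments ('!') and blanks are skipped."""
    aces = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparsed ACE: {line}")
        src = normalize_endpoint(m["src"])
        dst = normalize_endpoint(m["dst"])
        aces.append({
            "line": line,
            "action": m["action"],
            "proto": m["proto"],
            "src": src,
            "dst": dst,
            # Assumed model of the 2950 'field set': protocol plus both wildcards.
            "field_set": (m["proto"], src[1], dst[1]),
        })
    return aces


def field_set_groups(aces):
    """Group ACE lines by their field set; more than one key means a mismatch."""
    groups = defaultdict(list)
    for ace in aces:
        groups[ace["field_set"]].append(ace["line"])
    return dict(groups)


def check_port_acl(text):
    """Return (ok, groups): ok is True only when every ACE shares one field set."""
    groups = field_set_groups(parse_acl(text))
    return len(groups) == 1, groups


def report(text):
    """Human-readable summary listing the offending ACEs per field set."""
    ok, groups = check_port_acl(text)
    lines = ["OK: single field set" if ok else f"MISMATCH: {len(groups)} field sets"]
    for (proto, swc, dwc), entries in groups.items():
        lines.append(f"  proto={proto} src-wildcard={swc} dst-wildcard={dwc}")
        lines.extend(f"    {e}" for e in entries)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ACL))
    print(report(SAMPLE_ACL_CONSISTENT))
```

Run against Graham's list, the checker reports three field sets: the eight entries with 0.0.0.255 on both sides, plus one entry each where "any" expands to a 255.255.255.255 wildcard on the destination or the source. Those two "any" lines are exactly what Jon points to, and the same check on the constructed single-mask list passes.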

Thanks for the reply guys,

I'll attempt to describe what I'm trying to achieve.

I have 2 virtual switches on a VMware server. Each switch has a number of clients, on two different subnets: 192.168.99.0 & 192.168.199.0.

These vSwitches are patched into my 4510 production LAN, which is 192.168.1.0 (VLAN101). I have created 2 VLANs on the 4510 for the vSwitch traffic, VLAN99 & VLAN199, and placed each vSwitch into the corresponding VLAN. I gave each VLAN an IP address on *.1.

(the 4510 is our WAN core switch)

I also have a 2950 which connects to a test lab; this is hanging off the 4510 on VLAN101.

Here I have physical hosts on all 3 VLANs.

I need to isolate 192.168.99.0 & 192.168.199.0 from the rest of the WAN.

I hope this makes sense

Graham

Graham

Then you can apply your ACL(s) to the L3 VLAN interfaces on the 4510.

Jon
