Cisco Support Community

New Member

2950 L2 ACL

As an example, what I'm trying to accomplish is to prevent two hosts on the same subnet from pinging each other. I prefer to use VACL due to hardware filtering performance and the ability to ACL L2 (same subnet) and L3 traffic but the 2950 doesn't appear to support VACL. As an alternative I'm looking into using port ACL applied to chosen switch ports to mimic the L2 ACL capability of VACL.

2950-48 (standard image) 10/100 access switch

VLAN 1 192.168.1.0/24

host1 192.168.1.32

host2 192.168.1.33

access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
!
interface FastEthernet0/1
 description host1
 ip access-group 100 in
!
interface FastEthernet0/2
 description host2
 ip access-group 100 in
end

My question is of scalability of using port ACL. If I apply this to the majority of the 48 ports on a 2950-48 how will it affect forwarding performance and if it's software or hardware processed? Keep in mind ACL could be extended to restrict other traffic. Is there anything else I should be concerned with? Thank you in advance.
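To see what the posted port ACL actually does to traffic, here is an added example (not from the thread or from Cisco) that evaluates access-list 100 against a few constructed packets using IOS wildcard-mask semantics and the implicit deny at the end of every IOS ACL. The host addresses come from the post; the off-subnet address 10.0.0.1 is an assumed sample value.

```python
import ipaddress
from dataclasses import dataclass

# The two ACEs exactly as posted in the thread
ACL_100 = [
    "access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 100 permit ip any any",
]

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any IP protocol; otherwise e.g. "icmp", "tcp"
    src: str      # "any" or "<address> <wildcard>"
    dst: str

def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard mask: a 0 bit in the mask means that bit must match."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)

def take_addr(tokens):
    """Consume one address spec ('any', 'host X', or 'X wildcard')."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def parse_ace(line: str) -> Ace:
    t = line.split()                 # access-list <n> <action> <proto> src dst
    src, rest = take_addr(t[4:])
    dst, _ = take_addr(rest)
    return Ace(t[2], t[3], src, dst)

def evaluate(acl, proto, src, dst) -> str:
    """First matching ACE wins; no match hits the implicit deny."""
    for ace in acl:
        if ace.proto in ("ip", proto) and \
           wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"

def demo():
    acl = [parse_ace(l) for l in ACL_100]
    return {  # constructed packets, evaluated as the inbound port ACL would
        "host1->host2 icmp": evaluate(acl, "icmp", "192.168.1.32", "192.168.1.33"),
        "host1->host2 tcp": evaluate(acl, "tcp", "192.168.1.32", "192.168.1.33"),
        "host1->off-subnet icmp": evaluate(acl, "icmp", "192.168.1.32", "10.0.0.1"),
    }
```

Because the ACL is applied inbound on both f0/1 and f0/2, the echo request is dropped at the sender's port and any reply would be dropped at the other port, while non-ICMP traffic between the two hosts and ICMP to other subnets still pass.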

3 REPLIES
New Member

Re: 2950 L2 ACL

I think that you can't do anything if two hosts will be in the same net /24...

and you can't do "ip access-group" on the interface because it's an L2 switch...

Silver

Re: 2950 L2 ACL

I guess your switch is L2, therefore not able to do L3/L4 filtering at all.

Krisztian

New Member

Re: 2950 L2 ACL

Port ACL, as shown in the sample in the previous post, does work for filtering traffic to the same subnet since it's applied inbound to the switch port. I did confirm its designed behavior with a L2 switch running standard SMI image. If the ACL is modified it should theoretically work for traffic destined to other subnets. It may not be as elegant as VACL where it can be applied to VLAN(s) instead of individual switch ports but the question is of scalability and performance if applied to the majority of the 48 switch ports on a 2950 such as impact on forwarding performance and CPU utilization.
