ACL on L2 2950

ccannon88567
Level 1

I have come across the following;

mcr-sw_xxxxx_01#sh access-lists

Standard IP access list 5

permit 194.x.x.0, wildcard bits 0.0.0.255 (190202 matches) check=1034

permit 62.x.x.0, wildcard bits 0.0.0.255 (492 matches) check=542

permit 62.x.x.0, wildcard bits 0.0.0.255 check=542

permit 194.x.x.0, wildcard bits 0.0.0.255 check=542

permit 194.x.x.0, wildcard bits 0.0.0.255 check=542

permit x.x.8.0, wildcard bits 0.0.0.255 check=542

permit 194.x.x.0, wildcard bits 0.0.0.255 (542 matches)

Standard IP access list 6

deny any

Standard IP access list 7

These look like they are in use, but "sh ip int" does not show them on the VLANs, and they obviously are not on the L2 interfaces.

How can I find out where these are applied, as they say they have matches? Very confused; help would be appreciated!

PS: the "x" are for security.

Accepted Solution

Are they used to restrict management from certain source IP subnets/networks?

Check if they are applied to your TTY lines, SNMP or IP HTTP:

line vty 0 15

access-class 5 in

!

snmp-server community public RO 5

!

ip http access-class 5

If this is an EI-capable 2950 then you can actually apply ACLs to Layer-2 interfaces to allow/deny traffic based on layer-3/4 information. However, I don't think the counters work if an ACL is applied like this, which is why I suggested they are used to restrict management.

HTH

Andy

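The accepted answer above lists the places a numbered ACL can be bound without ever showing up under "sh ip int": access-class on the vty lines, the trailing ACL argument of snmp-server community, and ip http access-class (plus ip access-group on an interface, which does show there). As an added example, not code from the original thread, the Python below scans a running-config for exactly those bindings and reports them per ACL, so the question "where is ACL 5 applied?" can be answered from "sh run" in one pass. The config text, interface addresses and community strings are placeholders constructed for the example; the regexes cover the IOS syntax forms named above and nothing else.

```python
import re
from collections import defaultdict

# Constructed sample of "show running-config" output modelled on the post.
# Addresses and community strings are placeholders, not values from the page.
SAMPLE_CONFIG = """\
!
interface Vlan1
 ip address 192.0.2.2 255.255.255.0
 ip access-group 8 in
!
interface Vlan999
 ip address 192.0.2.130 255.255.255.128
!
snmp-server community ro-public RO 6
snmp-server community ro-prov RO 5
snmp-server community rw-prov RW 5
snmp-server community ro-legacy RO 7
snmp-server community ro-open RO
snmp-server trap-source Vlan999
ip http server
ip http access-class 5
line con 0
 login
line vty 0 4
 access-class 5 in
 login
line vty 5 15
 access-class 5 in
 login
!
end
"""

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <nacl>] [<acl>]
_SNMP_RE = re.compile(
    r"^snmp-server community\s+(?P<community>\S+)"
    r"(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?"
    r"(?:\s+ipv6\s+\S+)?"
    r"(?:\s+(?P<acl>\S+))?\s*$"
)
# access-class <acl> in|out, found under a "line ..." stanza
_ACCESS_CLASS_RE = re.compile(r"^access-class\s+(?P<acl>\S+)\s+(?P<dir>in|out)\b")
# ip http access-class <acl>   (newer IOS inserts an "ipv4" keyword)
_HTTP_RE = re.compile(r"^ip http access-class\s+(?:ipv4\s+)?(?P<acl>\S+)")
# ip access-group <acl> in|out, found under an "interface ..." stanza
_ACCESS_GROUP_RE = re.compile(r"^ip access-group\s+(?P<acl>\S+)\s+(?P<dir>in|out)\b")


def find_acl_bindings(config_text):
    """Map each ACL number/name to the places the config binds it.

    Returns {acl: [description, ...]}. SNMP communities that carry no ACL at
    all are collected under the key None so the caller can flag them.
    """
    bindings = defaultdict(list)
    stanza = None  # header line of the interface/line block we are inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            stanza = line  # an unindented command starts a new block
        if m := _SNMP_RE.match(line):
            mode = m["mode"] or "RO"  # RO is the IOS default when omitted
            bindings[m["acl"]].append(f"snmp-server community {m['community']} {mode}")
        elif m := _ACCESS_CLASS_RE.match(line):
            bindings[m["acl"]].append(f"{stanza}: access-class {m['dir']}")
        elif m := _HTTP_RE.match(line):
            bindings[m["acl"]].append("ip http access-class")
        elif m := _ACCESS_GROUP_RE.match(line):
            bindings[m["acl"]].append(f"{stanza}: ip access-group {m['dir']}")
    return dict(bindings)


def acl_report(config_text, defined_acls):
    """One line per ACL from "show access-lists", plus findings for open communities."""
    bindings = find_acl_bindings(config_text)
    lines = []
    for acl in defined_acls:
        uses = bindings.get(acl, [])
        lines.append(f"ACL {acl}: " + ("; ".join(uses) if uses else "not bound anywhere"))
    for use in bindings.get(None, []):
        lines.append(f"FINDING: {use} has no ACL; any host that can reach the switch "
                     f"and knows the string can use it")
    return lines


if __name__ == "__main__":
    for line in acl_report(SAMPLE_CONFIG, ["5", "6", "7", "8"]):
        print(line)
```

Feed it the text of "sh run" and the ACL numbers from "sh access-lists"; an ACL that comes back "not bound anywhere" is a candidate for removal, and a community reported with no ACL is the weak setting Andy's answer is steering away from.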

5 Replies


Yes, this has something to do with the SNMP traps:

snmp-server engineID local xxx

snmp-server community xxxxxxx RO 6

snmp-server community xxxxxxx RO 5

snmp-server community xxxxxxx RW 5

snmp-server community xxxxxxx RO 7

snmp-server trap-source Vlan999

snmp-server enable traps snmp authentication

snmp-server host 194.x.x.146 xxxxxx snmp

snmp-server host 194.x.x.201 xxxxxx snmp

This is a method I have never come across before. Do you know where I can find some info on this?

The SNMP is managed by our Service Provider.

Thanks Andrew!

It's pretty simple, really. All you are doing is restricting SNMP access to the switch. For example, the line:

snmp-server community public RO 6

Would only allow devices that fall within the IP ranges that ACL 6 specifies to send SNMP Read-Only requests using the community string of 'public'.

HTH

Andy
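Andy's explanation above: the ACL on a community line decides which source addresses may use that string, and the OP's "sh access-lists" output shows what those lists contain (ranges with wildcard bits, a bare "deny any" on ACL 6, and nothing at all under ACL 7). As an added example, not code from the original thread, the Python below parses output in that format, evaluates a standard ACL for a source address the way the switch does (top-down, first match wins, wildcard bit 1 means "don't care", implicit deny at the end) and answers whether a given community string from a given source would pass. The addresses, community strings and the community-to-ACL map are constructed placeholders. One assumption is flagged in the code: an ACL that is referenced but has no entries is treated as letting everything through; check that on the device rather than trusting it.

```python
import ipaddress
import re

# Constructed "show access-lists" output in the format the 2950 printed
# (documentation addresses, not the ones in the post; match counters omitted).
SAMPLE_SHOW_ACCESS_LISTS = """\
Standard IP access list 5
    permit 192.0.2.0, wildcard bits 0.0.0.255
    permit 198.51.100.0, wildcard bits 0.0.0.255
    permit 203.0.113.146
Standard IP access list 6
    deny   any
Standard IP access list 7
"""

# Constructed community -> (mode, acl) map, as read from
# "snmp-server community <string> RO|RW [<acl>]" in the running config.
SAMPLE_COMMUNITIES = {
    "ro-public": ("RO", "6"),
    "ro-prov": ("RO", "5"),
    "rw-prov": ("RW", "5"),
    "ro-legacy": ("RO", "7"),
}

_HEADER_RE = re.compile(r"^Standard IP access list (\S+)")
_ENTRY_RE = re.compile(
    r"^(permit|deny)\s+(?:(any)|(\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s*wildcard bits\s+(\d+\.\d+\.\d+\.\d+))?)"
)
ALL_ONES = 0xFFFFFFFF


def parse_show_access_lists(text):
    """Return {acl: [(action, network, wildcard), ...]} with addresses as ints.

    "any" becomes network 0 with wildcard 255.255.255.255; a bare host entry
    gets wildcard 0.0.0.0 (every bit must match).
    """
    acls = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HEADER_RE.match(line):
            current = m.group(1)
            acls[current] = []
        elif current is not None and (m := _ENTRY_RE.match(line)):
            action, is_any, addr, wildcard = m.groups()
            if is_any:
                net, wc = 0, ALL_ONES
            else:
                net = int(ipaddress.IPv4Address(addr))
                wc = int(ipaddress.IPv4Address(wildcard)) if wildcard else 0
            acls[current].append((action, net, wc))
    return acls


def acl_permits(entries, src_ip):
    """Evaluate a standard ACL top-down: first match wins, implicit deny at the end.

    A wildcard bit of 1 means "don't care", so an entry matches when source and
    network agree on every bit where the wildcard is 0.
    """
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, net, wc in entries:
        care = ~wc & ALL_ONES
        if (ip & care) == (net & care):
            return action == "permit"
    return False  # no entry matched: implicit deny


def snmp_request_allowed(communities, acls, community, src_ip):
    """Decide whether an SNMP request using `community` from `src_ip` passes.

    Returns (allowed, reason). ASSUMPTION: a referenced ACL with no entries is
    treated like an undefined list and lets everything through; verify that on
    the device rather than trusting it.
    """
    if community not in communities:
        return False, "unknown community"
    mode, acl = communities[community]
    if acl is None:
        return True, f"{mode}: no ACL bound, any source accepted"
    entries = acls.get(acl, [])
    if not entries:
        return True, f"{mode}: ACL {acl} has no entries, assumed open, verify on device"
    permitted = acl_permits(entries, src_ip)
    verdict = "permits" if permitted else "denies"
    return permitted, f"{mode}: ACL {acl} {verdict} {src_ip}"


if __name__ == "__main__":
    acls = parse_show_access_lists(SAMPLE_SHOW_ACCESS_LISTS)
    for community, src in [("ro-public", "192.0.2.77"), ("rw-prov", "192.0.2.77"),
                           ("rw-prov", "203.0.113.147"), ("ro-legacy", "10.0.0.1")]:
        print(community, src, snmp_request_allowed(SAMPLE_COMMUNITIES, acls, community, src))
```

Two things the run makes visible that the raw output does not: a community bound to a "deny any" list such as ACL 6 is usable from nowhere, and a community bound to an empty list such as ACL 7 is the one to go and check, because nothing in the ACL is restricting it.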

I understand. Thanks for all your help Andy.

Carlton.

jon.axe
Level 1

If you do a sh run, you should see something such as "ip access-group 5 out" listed under the configuration for one of the configured vlans.
