Cisco Support Community

ACL on L2 2950

I have come across the following;

mcr-sw_xxxxx_01#sh access-lists
Standard IP access list 5
permit 194.x.x.0, wildcard bits 0.0.0.255 (190202 matches) check=1034
permit 62.x.x.0, wildcard bits 0.0.0.255 (492 matches) check=542
permit 62.x.x.0, wildcard bits 0.0.0.255 check=542
permit 194.x.x.0, wildcard bits 0.0.0.255 check=542
permit 194.x.x.0, wildcard bits 0.0.0.255 check=542
permit x.x.8.0, wildcard bits 0.0.0.255 check=542
permit 194.x.x.0, wildcard bits 0.0.0.255 (542 matches)
Standard IP access list 6
deny any
Standard IP access list 7

These look like they are in use, but "sh ip int" does not show them on the VLANs and they obviously are not on the L2 interfaces.

How can I find out where these are applied as they say they have matches? Very confused - help would be appreciated!

PS: the "x" are for security.

1 ACCEPTED SOLUTION


Re: ACL on L2 2950

Are they used to restrict management from certain source IP subnets/networks?

Check if they are applied to your TTY lines, SNMP or IP HTTP:

line vty 0 15
 access-class 5 in
!
snmp-server community public RO 5
!
ip http access-class 5

If this is an EI-capable 2950 then you can actually apply ACLs to Layer-2 interfaces to allow/deny traffic based on layer-3/4 information. However, I don't think the counters work if an ACL is applied like this, hence why I suggested they are used to restrict management.

HTH

Andy

5 REPLIES


New Member

Re: ACL on L2 2950

Yes - this has something to do with the SNMP traps;

snmp-server engineID local xxx
snmp-server community xxxxxxx RO 6
snmp-server community xxxxxxx RO 5
snmp-server community xxxxxxx RW 5
snmp-server community xxxxxxx RO 7
snmp-server trap-source Vlan999
snmp-server enable traps snmp authentication
snmp-server host 194.x.x.146 xxxxxx snmp
snmp-server host 194.x.x.201 xxxxxx snmp

This is a method I have never come across before. Do you know where I can find some info on this?

The SNMP is managed by our Service Provider.

Thanks Andrew!

Re: ACL on L2 2950

It's pretty simple really. All you are doing is restricting SNMP access to the switch. For example the line:

snmp-server community public RO 6

Would only allow devices that fall within the IP ranges that ACL 6 specifies to send SNMP Read-Only requests using the community string of 'public'.

HTH

Andy

New Member

Re: ACL on L2 2950

I understand. Thanks for all your help Andy.

Carlton.

New Member

Re: ACL on L2 2950

If you do a sh run, you should see something such as "ip access-group 5 out" listed under the configuration for one of the configured vlans.
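Added example, not from this thread or from Cisco: a small Python audit script that walks a running-config and reports where each ACL number is referenced, covering the places Andy listed (vty access-class, snmp-server community, ip http access-class) plus the interface ip access-group form from the reply above, and flags ACLs that are defined but applied nowhere. The config, community strings and addresses are constructed for the example; the snmp-server pattern is simplified and ignores the view/ipv6 keyword forms.

```python
import re
from collections import defaultdict

# Constructed sample running-config modelled on the snippets in this thread.
# Community strings and addresses are placeholders, not real values.
SAMPLE_CONFIG = """\
access-list 5 permit 194.0.2.0 0.0.0.255
access-list 6 deny any
access-list 7 permit 62.0.2.0 0.0.0.255
!
interface Vlan999
 ip address 194.0.2.10 255.255.255.0
 ip access-group 5 out
!
snmp-server community EXAMPLE_RO RO 6
snmp-server community EXAMPLE_RW RW 5
ip http access-class 5
!
line vty 0 15
 access-class 5 in
"""

# Each pattern's first group captures the ACL number/name being applied.
REF_PATTERNS = [
    ("vty access-class", re.compile(r"^\s*access-class\s+(\S+)\s+(in|out)")),
    ("snmp-server community", re.compile(r"^snmp-server community\s+\S+\s+(?:RO|RW)\s+(\S+)")),
    ("ip http access-class", re.compile(r"^ip http access-class\s+(\S+)")),
    ("ip access-group", re.compile(r"^\s*ip access-group\s+(\S+)\s+(in|out)")),
]

def find_acl_references(config):
    """Map each ACL to the contexts (reference type + config section) that apply it."""
    refs = defaultdict(list)
    section = "global"
    for line in config.splitlines():
        # Unindented lines start a new section; only interface/line blocks are tracked.
        if line and not line[0].isspace() and line != "!":
            section = line.strip() if line.startswith(("interface", "line")) else "global"
        for label, pat in REF_PATTERNS:
            m = pat.match(line)
            if m:
                refs[m.group(1)].append(f"{label} ({section})")
    return dict(refs)

def defined_acls(config):
    """Numbered/named ACLs defined with 'access-list <id> ...' lines."""
    return {m.group(1) for m in re.finditer(r"^access-list\s+(\S+)", config, re.M)}

def unreferenced_acls(config):
    """ACLs that exist but are applied nowhere the patterns above recognise."""
    return defined_acls(config) - set(find_acl_references(config))
```

On the sample, ACL 5 is reported under the VLAN interface, the RW community, the HTTP server and the vty lines, ACL 6 only under an RO community, and ACL 7 is flagged as unreferenced.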
