Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
314
Views
0
Helpful
2
Replies

ACL on switch ports

Go to solution
sprocket10
Level 2
Level 2

‎01-20-2014 05:35 AM - edited ‎03-07-2019 05:40 PM

Hi

I have 2 switches available to use, a 2960 or 2950. Ideally I wish to use the 2950 if possible.

What I want to achive is for a few ports to be limted to Internet only traffic, and dns lookups from a selected internal dns server. So when a machine is plugged into one of these ports the user cannot see any of the internal network.

The setup of the site I need this for prevents me from using multiple vlans as everyone must be on the same /27 subnet.

Can this be done on a 2950 or 2960?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎01-20-2014 05:46 AM

You can use the 2950 but there are quite a few limitations in terms of how many entries you can have in the acl. However  your acl could be very simple eg.

assuming your subnet was 192.168.5.0 255.255.255.224

access-list 101 permit udp host host eq 53

access-list 101 deny ip host 192.168.5.0 0.0.0.31

access-list 101 permit ip host any

then you apply it to the physical port -

int fa0/1

ip access-group 101 in

you should refer to this document for full details including all the restrictions/limitations -

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swacl.html#wp1082773

Jon

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎01-20-2014 05:46 AM

You can use the 2950 but there are quite a few limitations in terms of how many entries you can have in the acl. However  your acl could be very simple eg.

assuming your subnet was 192.168.5.0 255.255.255.224

access-list 101 permit udp host host eq 53

access-list 101 deny ip host 192.168.5.0 0.0.0.31

access-list 101 permit ip host any

then you apply it to the physical port -

int fa0/1

ip access-group 101 in

you should refer to this document for full details including all the restrictions/limitations -

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swacl.html#wp1082773

Jon

0 Helpful

Go to solution
sprocket10
Level 2
Level 2
In response to Jon Marshall

‎01-20-2014 07:17 AM

Worked a treat, thank you

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card