Cisco Support Community

New Member

ACL on switch ports

Hi

I have 2 switches available to use, a 2960 or 2950. Ideally I wish to use the 2950 if possible.

What I want to achieve is for a few ports to be limited to Internet-only traffic, plus DNS lookups from a selected internal DNS server. So when a machine is plugged into one of these ports the user cannot see any of the internal network.

The setup of the site I need this for prevents me from using multiple vlans as everyone must be on the same /27 subnet.

Can this be done on a 2950 or 2960?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: ACL on switch ports

You can use the 2950 but there are quite a few limitations in terms of how many entries you can have in the acl. However your acl could be very simple, e.g.

assuming your subnet was 192.168.5.0 255.255.255.224 (the host addresses below were lost from the post; <pc-ip> is the address of the machine on the restricted port and <dns-server-ip> is the internal DNS server):

access-list 101 permit udp host <pc-ip> host <dns-server-ip> eq 53
access-list 101 deny ip host <pc-ip> 192.168.5.0 0.0.0.31
access-list 101 permit ip host <pc-ip> any

then you apply it to the physical port -

int fa0/1
ip access-group 101 in

you should refer to this document for full details including all the restrictions/limitations -

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swacl.html#wp1082773

Jon
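To see what the accepted ACL actually allows before committing it to a port, here is an added example (not from the original thread or from Cisco) that parses the three ACEs and evaluates a few constructed packets against them in IOS order: top to bottom, first match wins, implicit deny at the end. The PC address 192.168.5.10 and DNS server 192.168.5.2 are assumed values standing in for the answer's placeholders.

```python
import ipaddress

# Constructed values standing in for the placeholders in the answer above.
PC_IP = "192.168.5.10"       # assumed address of the host on the restricted port
DNS_SERVER = "192.168.5.2"   # assumed internal DNS server

# The answer's ACL 101 with the placeholders filled in.
ACL_101_TEXT = [
    "permit udp host {pc} host {dns} eq 53",
    "deny ip host {pc} 192.168.5.0 0.0.0.31",
    "permit ip host {pc} any",
]


def _parse_addr(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard mask is the inverse of a netmask; assumes a contiguous mask.
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    prefixlen = bin(netmask).count("1")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False), i + 2


def parse_ace(line):
    """Parse 'permit|deny PROTO SRC [eq PORT] DST [eq PORT]' into a dict."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sport = None
    if i < len(t) and t[i] == "eq":
        sport, i = int(t[i + 1]), i + 2
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport, i = int(t[i + 1]), i + 2
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    """True if the packet matches every field the ACE constrains ('ip' matches any protocol)."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, matching ACE number); None for the implicit deny at the end."""
    for n, ace in enumerate(acl, 1):
        if ace_matches(ace, pkt):
            return ace["action"], n
    return "deny", None


ACL = [parse_ace(l.format(pc=PC_IP, dns=DNS_SERVER)) for l in ACL_101_TEXT]

# Constructed inbound flows on the restricted port, as the switch would see them.
SAMPLE_FLOWS = {
    "dns to internal server": {"proto": "udp", "src": PC_IP, "dst": DNS_SERVER, "sport": 40000, "dport": 53},
    "https to the internet":  {"proto": "tcp", "src": PC_IP, "dst": "203.0.113.8", "sport": 40001, "dport": 443},
    "smb to internal host":   {"proto": "tcp", "src": PC_IP, "dst": "192.168.5.20", "sport": 40002, "dport": 445},
    "dns over tcp":           {"proto": "tcp", "src": PC_IP, "dst": DNS_SERVER, "sport": 40003, "dport": 53},
    "host changed its ip":    {"proto": "tcp", "src": "192.168.5.11", "dst": "203.0.113.8", "sport": 40004, "dport": 443},
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:24s} -> {evaluate(ACL, flow)}")
```

Two things the run makes visible: the ACL only permits DNS over UDP, so TCP fallback to the internal resolver is caught by the deny on the /27; and because every ACE is keyed to the PC's address, a host that ends up with any other address on the port falls through to the implicit deny rather than gaining access, which is the safe failure mode for this design.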

2 REPLIES
New Member

Re: ACL on switch ports

Worked a treat, thank you
