
New Member

Question: Can you use the extended ACL in a 2960G in the same VLAN?

Hello Everyone,

Would you please help me to solve the problem below?

I would like to configure an extended access list to be used on a standalone 2960G switch, but I am having a problem.

Scenario:

All hosts are in the same VLAN 1.

Example:

-Host 1 is connected to 2960G port 1 (IP 10.10.10.1/24)

-Host 2 is connected to 2960G port 2 (IP 10.10.10.2/24)

I would like to allow host 1 to SSH to host 2 (only TCP port 22); no other ports are allowed.

Why is the following configuration on the 2960G switch not working?

interface GigabitEthernet0/1
 description host 1
interface GigabitEthernet0/2
 description host 2
 ip access-group ssh-only in
ip access-list extended ssh-only
 permit tcp host 10.9.9.1 host 10.9.9.2 eq ssh

_______________________________________________________________

Here is the URL that talks about this.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_37_se/configuration/guide/swacl.html

Understanding ACLs

Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter traffic as it passes through a switch and permit or deny packets crossing specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. One by one, it tests packets against the conditions in an access list. The first match decides whether the switch accepts or rejects the packets. Because the switch stops testing after the first match, the order of conditions in the list is critical. If no conditions match, the switch rejects the packet. If there are no restrictions, the switch forwards the packet; otherwise, the switch drops the packet. The switch can use ACLs on all packets it forwards.

You configure access lists on a switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic.

An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used.

Accepted Solutions
Silver

Re: Question: Can you use the extended ACL in a 2960G in the same VLAN

Try changing the ACL to reflect this:

ip access-list extended ssh-only
 permit tcp host 10.10.10.2 eq 22 host 10.10.10.1

Chris

Re: Question: Can you use the extended ACL in a 2960G in the same VLAN

When reading the URL, one thinks this should indeed work as you want. I remember older posts about similar topics.

The 2950/2960 is indeed versatile... Only, in your case, the ACL should be on the other interface.

The text states: "can only be applied in inbound direction", and from the description I deduced that you configured it on the other port.

The ACL itself looks correct. Please check this and post your findings.

regards,

Leo
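The rule both answers rely on (a 2960 port ACL filters only packets entering its port, ACEs are tested in order, the first match wins, and anything unmatched is dropped) can be replayed in a small model. This is an added illustration, not code from the thread or from Cisco: it runs the posted ACE and the two suggested fixes against an SSH session and a non-SSH session between the scenario's hosts, and assumes (as labelled in the code) that the 10.9.9.x addresses in the posted ACL stand for the 10.10.10.x hosts.

```python
"""Toy model of the 2960 port-ACL rules quoted in the thread: an ACL is applied
inbound only, ACEs are tested in order, the first match decides, and a packet
that matches nothing is dropped. Hosts and ACEs are the ones from the thread."""

HOST1, HOST2 = "10.10.10.1", "10.10.10.2"  # hosts from the scenario

def parse_ace(line):
    """Parse 'permit|deny tcp host SRC [eq PORT] host DST [eq PORT]' (subset)."""
    toks, i = line.split(), 2
    ace = {"action": toks[0], "proto": toks[1]}
    for side in ("src", "dst"):
        assert toks[i] == "host", "only 'host' addresses are modelled"
        ace[side], ace[side + "_port"], i = toks[i + 1], None, i + 2
        if i < len(toks) and toks[i] == "eq":  # 'ssh' is the name for port 22
            ace[side + "_port"] = 22 if toks[i + 1] == "ssh" else int(toks[i + 1])
            i += 2
    return ace

def evaluate(acl, pkt):
    """Sequential first match; implicit deny when no ACE matches."""
    for a in acl:
        if ((a["proto"], a["src"], a["dst"]) == (pkt["proto"], pkt["src"], pkt["dst"])
                and a["src_port"] in (None, pkt["sport"])
                and a["dst_port"] in (None, pkt["dport"])):
            return a["action"]
    return "deny"

def forwarded(port_acls, ingress, pkt):
    """A port ACL filters only packets entering its port; no ACL means forward."""
    acl = port_acls.get(ingress)
    return acl is None or evaluate(acl, pkt) == "permit"

def session_works(port_acls, dport):
    """Host 1 connects to host 2 on dport: the SYN enters Gi0/1 and host 2's
    reply enters Gi0/2, so both ports' inbound ACLs must allow their packet."""
    syn = {"proto": "tcp", "src": HOST1, "sport": 51234, "dst": HOST2, "dport": dport}
    reply = {"proto": "tcp", "src": HOST2, "sport": dport, "dst": HOST1, "dport": 51234}
    return forwarded(port_acls, "Gi0/1", syn) and forwarded(port_acls, "Gi0/2", reply)

# As posted: a client->server ACE on Gi0/2, where only host 2's replies enter.
ORIGINAL = {"Gi0/2": [parse_ace("permit tcp host 10.9.9.1 host 10.9.9.2 eq ssh")]}
# Chris: stay on Gi0/2 but describe the reply packets (source port 22).
CHRIS = {"Gi0/2": [parse_ace("permit tcp host 10.10.10.2 eq 22 host 10.10.10.1")]}
# Leo: keep the client->server ACE, apply it where host 1's packets enter (Gi0/1).
# Assumption: the posted 10.9.9.x addresses were meant to be the 10.10.10.x hosts.
LEO = {"Gi0/1": [parse_ace("permit tcp host 10.10.10.1 host 10.10.10.2 eq ssh")]}
# Both together filter each direction on entry, so neither port passes anything else.
STRICT = {**CHRIS, **LEO}
```

Either single fix lets SSH through while every other host-1-to-host-2 session dies on its unmatched packet; applying both filters each direction where it enters the switch.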

5 REPLIES
New Member

Re: Question: Can you use the extended ACL in a 2960G in the same VLAN

Hi Chris,

Per your suggestions, it works.

Thank you very much.

New Member

Re: Question: Can you use the extended ACL in a 2960G in the same VLAN

Hi Leo,

Per your suggestions, it works.

Thank you very much.

New Member

Re: Question: Can you use the extended ACL in a 2960G in the same VLAN

You guys rock....

Both Chris's and Leo's suggestions work.

Thank you so much for your help.

Sammy
