Cisco Support Community
New Member

Standard IP Access List for 2960G

I've created a standard ACL on a 2960G switch in which I want to limit in-bound traffic to a node connected to this switch.

The problem I'm having is once the ACL has been applied to the interface port, I can no longer send or receive traffic from the node (the interface on which the access list was just applied). It's almost like the port has been locked down (I cannot ping any other devices on the switch).

2960G-24 port switch

Port gi 0/4 has a node with the ip address of 192.168.100.30

Port gi 0/5 has a node with an address of 192.168.100.31

here's the ACL created:

access-list 2 deny host 192.168.100.31

access-list 2 permit any

I've applied this to interface gi 0/4

Nothing gets to or from gi 0/4. It seems to be blocked both incoming and outgoing, since I'm not able to ping from 192.168.100.30 and I can't ping from any node to 192.168.100.31.

Any advice would greatly be appreciated.

thanks in advance!

14 REPLIES
New Member

Re: Standard IP Access List for 2960G

Show your interface configuration here also.

The direction of the access-list is important for your case.

New Member

Re: Standard IP Access List for 2960G

Sorry about that

I applied the access list to gi 0/4

Interface gi 0/4

ip access-group 2 in

Purple

Re: Standard IP Access List for 2960G

What do you mean "can't ping from any node to 192.168.100.31"? Seeing that you applied the ACL to 192.168.100.30, it would have no impact on other devices pinging the .31. Check and make sure you have no firewalls active on the device you are trying to ping the .31 from.

New Member

Re: Standard IP Access List for 2960G

That should read "can't ping from any node to 192.168.100.30". I've checked for firewall settings, which were turned off.

New Member

Re: Standard IP Access List for 2960G

Let me explain.

You are using a standard Access-List, which defines 192.168.100.31 as Source address, which is correct.

But you are not applying it in the correct direction.

It should be ip access-group 2 OUT

IN - is for traffic from G0/4

OUT - is for traffic to G0/4

Try to change to OUT instead and check your pings again.

New Member

Re: Standard IP Access List for 2960G

OUT is not an option for an ACL on the 2960G; it can only filter in the IN direction.

New Member

Re: Standard IP Access List for 2960G

Put it on the IN direction on G0/5 instead.

New Member

Re: Standard IP Access List for 2960G

I'm not sure exactly what you mean...

gi0/5 has a node with IP 192.168.100.31.

So are you saying that by applying

access-list 2 deny host 192.168.100.31

to gi0/5, you're denying inbound traffic with that IP?

Purple

Re: Standard IP Access List for 2960G

You can only apply an ACL in the "in" direction on a layer 2 switch.

New Member

Re: Standard IP Access List for 2960G

Hi Glen,

Please explain to me how an access-list works on a Layer 2 switch, because a Layer 2 switch works at the data link layer, i.e. it just checks MAC addresses, not IP addresses, and an access-list requires a device that works at layer 3.

thanks in advance.

Purple

Re: Standard IP Access List for 2960G

While the 2960s and equivalents are considered layer 2 switches and normally just pass traffic at the layer 2 level and have no routing capability, they can inspect packets at the layer 3 level and apply ACLs on the interfaces like a normal layer 3 device. Today's layer 2 switches need this capability not just for security ACLs but also for implementing COS and QOS parameters for using IP phones on the network. There are certain restrictions when implementing on a layer 2 device, usually spelled out in the config docs. For info on implementing ACLs on a layer 2 switch like the 2960, follow this link.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_46_se/configuration/guide/swacl.html

New Member

Re: Standard IP Access List for 2960G

Hi, Jekood001,

I tested on a 3550 switch.

It works with an extended ACL under interface gi0/5 (where your .31 stays):

access-list 100 deny ip host 192.168.100.31 host 192.168.100.30

access-list 100 permit ip any any

interface FastEthernet0/2 **** connects the .31 host

switchport mode dynamic desirable

ip access-group 100 in

Hope it works for your switch.

Yang

New Member

Re: Standard IP Access List for 2960G

Hi Yang,

Yes, I agree. I can get the access list to work if using an extended access list. The standard list doesn't function as intended...

thanks
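The following is an added example, not code from the thread or from Cisco. It is a small Python model of how an IOS-style access list is evaluated on a switch port, built to show the points the replies above make: a standard ACL matches only the source address, a 2960 port can only filter inbound, a first-match entry list ends in an implicit deny, and filtering is stateless, so blocking one direction also breaks the reply half of a ping. It uses the thread's hosts (.30 on gi0/4, .31 on gi0/5) plus a constructed third host .40 on gi0/6 to show that the standard list on gi0/5 cuts .31 off from everyone, while Yang's extended list only cuts .31 off from .30. Note that under these semantics the original configuration (ACL 2 inbound on gi0/4) passes all traffic; the model does not reproduce the lockout the original poster observed, which the thread leaves unexplained.

```python
"""Model of inbound ACL evaluation on layer-2 switch ports (added example, not
the thread's or Cisco's code). Assumptions: one host per port, ACLs apply
inbound only (as on a 2960), first matching entry wins, implicit deny at end."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    action: str          # "permit" or "deny"
    src: str             # host address or "any"
    dst: str = "any"     # standard ACLs carry no destination field


@dataclass
class Port:
    name: str
    host: str                        # address of the single host behind this port
    acl_in: Optional[list] = None    # inbound ACL, the only direction modelled here


def matches(entry: Entry, src: str, dst: str) -> bool:
    """An entry matches when both its source and destination fields match or are 'any'."""
    return entry.src in ("any", src) and entry.dst in ("any", dst)


def evaluate(acl: list, src: str, dst: str) -> str:
    """Sequential evaluation with an IOS-style implicit deny after the last entry."""
    for entry in acl:
        if matches(entry, src, dst):
            return entry.action
    return "deny"


def deliver(ports: list, src: str, dst: str) -> str:
    """Fate of one packet src->dst: only the ingress port's inbound ACL is consulted."""
    ingress = next(p for p in ports if p.host == src)
    if ingress.acl_in is None:
        return "permit"
    return evaluate(ingress.acl_in, src, dst)


def ping_works(ports: list, a: str, b: str) -> bool:
    """Stateless filtering: a ping needs the request a->b AND the reply b->a to pass."""
    return deliver(ports, a, b) == "permit" and deliver(ports, b, a) == "permit"


# ACLs as posted in the thread.
STANDARD_ACL_2 = [Entry("deny", "192.168.100.31"), Entry("permit", "any")]
EXTENDED_ACL_100 = [
    Entry("deny", "192.168.100.31", "192.168.100.30"),
    Entry("permit", "any", "any"),
]

H30, H31 = "192.168.100.30", "192.168.100.31"
H40 = "192.168.100.40"   # constructed third host, not in the thread


def scenario(where: str, acl: list) -> dict:
    """Apply `acl` inbound on port `where` and report what gets through."""
    ports = [Port("gi0/4", H30), Port("gi0/5", H31), Port("gi0/6", H40)]
    for p in ports:
        if p.name == where:
            p.acl_in = acl
    return {
        "31->30": deliver(ports, H31, H30),
        "31->40": deliver(ports, H31, H40),
        "ping 30->31": ping_works(ports, H30, H31),
        "ping 40->31": ping_works(ports, H40, H31),
    }


if __name__ == "__main__":
    cases = [
        ("standard ACL 2 in on gi0/4 (original post)", "gi0/4", STANDARD_ACL_2),
        ("standard ACL 2 in on gi0/5 (suggested)", "gi0/5", STANDARD_ACL_2),
        ("extended ACL 100 in on gi0/5 (Yang)", "gi0/5", EXTENDED_ACL_100),
    ]
    for label, where, acl in cases:
        print(f"{label}: {scenario(where, acl)}")
```

Running it shows the deny entry on gi0/4 never fires (traffic entering gi0/4 is sourced from .30, not .31), the standard list on gi0/5 denies .31 to both .30 and .40, and the extended list on gi0/5 denies only .31 to .30 while .31 to .40 still passes; in both gi0/5 cases a ping from .30 to .31 also fails, because the echo reply from .31 is filtered on its way in.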
