I've created a standard ACL on a 2960G switch in which I want to limit in-bound traffic to a node connected to this switch.
The problem I'm having is once the ACL has been applied to the interface port, I can no longer send or receive traffic from the node (the interface on which the access list was just applied). It's almost like the port has been locked down (I cannot ping any other devices on the switch).
2960G-24 port switch
Port gi 0/4 has a node with the ip address of 192.168.100.30
Port gi 0/5 has a node with an address of 192.168.100.31
here's the ACL created:
access-list 2 deny host 192.168.100.31
access-list 2 permit any
I've applied this to interface gi 0/4
Nothing gets to or from gi 0/4. It seems to be blocking both incoming and outgoing, since I'm not able to ping from 192.168.100.30 and I can't ping from any node to 192.168.100.31.
Any advice would greatly be appreciated.
thanks in advance!
What do you mean by "can't ping from any node to 192.168.100.31"? Seeing that you applied the ACL to 192.168.100.30, it would have no impact on other devices pinging the .31. Check and make sure you have no firewalls active on the device from which you are trying to ping the .31.
Let me explain.
You are using a standard Access-List, which defines 192.168.100.31 as Source address, which is correct.
But you are not applying it in the correct direction.
It should be ip access-group 2 OUT
IN - is for traffic from G0/4
OUT - is for traffic to G0/4
Try to change to OUT instead and check your pings again.
I'm not sure exactly what you mean...
gi0/5 has a node with ip 192.168.100.31
so are you saying that by applying
access-list 2 deny host 192.168.100.31 to gi0/5, you're denying inbound traffic with that ip?
Please explain to me how an access-list works on a Layer 2 switch. A Layer 2 switch works on the data link layer, i.e. it just checks MAC addresses, not IP addresses, and an access-list requires a device that works on layer 3.
thanks in advance.
While the 2960s and equivalents are considered layer 2 switches and normally just pass traffic at the layer 2 level and have no routing capability, they can inspect packets at the layer 3 level and apply ACLs on the interfaces like a normal layer 3 device. Today's layer 2 switches need this capability not just for security ACLs but also for implementing CoS and QoS parameters for using IP phones on the network. There are certain restrictions when implementing on a layer 2 device, usually spelled out in the config docs. For info on implementing ACLs on a layer 2 switch like the 2960 follow this link.
I tested on a 3550 switch;
it works with an extended ACL under interface gi0/5, which is where your .31 host is:
access-list 100 deny ip host 192.168.100.31 host 192.168.100.30
access-list 100 permit ip any any
interface FastEthernet0/2 **** connects the .31 host
switchport mode dynamic desirable
ip access-group 100 in
Hope it works for your switch.
Yes, I agree. I can get the access list to work if using an extended access list. The standard list doesn't function as intended...
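A small model of IOS first-match ACL evaluation and of port-ACL direction, added here as an illustration and not taken from any post in this thread. The topology (gi0/4 with .30, gi0/5 with .31) and the two lists are the ones quoted above; "in" means packets entering the switch from the host on that port, "out" means packets leaving toward it. It shows why access-list 2 applied inbound on gi0/4 never even sees packets sourced from .31, why the OUT suggestion would match, and why the extended list inbound on gi0/5 blocks only the .31 to .30 pair while a standard list on that same port would cut .31 off from every host.

```python
# Constructed model of the thread's topology: port -> attached host.
PORTS = {"gi0/4": "192.168.100.30", "gi0/5": "192.168.100.31"}

# ACL entries are (action, source, destination). A standard entry matches on
# source only, so its destination is None; "any" is the wildcard.
STANDARD_ACL_2 = [("deny", "192.168.100.31", None),
                  ("permit", "any", None)]
EXTENDED_ACL_100 = [("deny", "192.168.100.31", "192.168.100.30"),
                    ("permit", "any", "any")]


def _matches(pattern, addr):
    return pattern == "any" or pattern == addr


def evaluate(acl, src, dst):
    """First matching entry wins; an unmatched packet hits IOS's implicit deny."""
    for action, s, d in acl:
        if _matches(s, src) and (d is None or _matches(d, dst)):
            return action
    return "deny"


def filter_on_port(acl, port, direction, src, dst):
    """Verdict for a packet crossing `port` in `direction`, or None if the
    packet never traverses that port in that direction (so the ACL is not
    consulted at all)."""
    host = PORTS[port]
    traverses = (src == host) if direction == "in" else (dst == host)
    if not traverses:
        return None
    return evaluate(acl, src, dst)


def ping_31_to_30(acl, port, direction):
    """Verdict for the echo request .31 -> .30 under a given ACL placement."""
    return filter_on_port(acl, port, direction, "192.168.100.31", "192.168.100.30")


if __name__ == "__main__":
    print("acl 2 in  on gi0/4:", ping_31_to_30(STANDARD_ACL_2, "gi0/4", "in"))    # None
    print("acl 2 out on gi0/4:", ping_31_to_30(STANDARD_ACL_2, "gi0/4", "out"))   # deny
    print("acl 100 in on gi0/5:", ping_31_to_30(EXTENDED_ACL_100, "gi0/5", "in"))  # deny
    # Standard list on gi0/5 would also deny .31 talking to an unrelated host.
    print("acl 2 in  on gi0/5, .31 -> .40:",
          filter_on_port(STANDARD_ACL_2, "gi0/5", "in", "192.168.100.31", "192.168.100.40"))
```

The model also confirms that the list as the original poster applied it permits .30's own outbound traffic, so the total lockout reported is not explained by the ACL logic itself.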