Cisco Support Community

Unable to configure an Access Control List (ACL) on the Catalyst 2950 Switch

Core issue

The issue is due to a hardware limitation. The first eight Fast Ethernet ports share a pool of 75 Access Control Entries (ACEs), so the ACLs applied to those ports cannot contain more than 75 ACEs in total.

When applying ACLs to physical interfaces, follow these configuration guidelines:

  • Only one ACL (subject to the limits below) can be attached to an interface.

  • Gigabit Ethernet ports support up to 100 ACEs per one ACL per port.

  • Fast Ethernet ports support up to 75 ACEs per one ACL across a range of eight Fast Ethernet ports. This means that ports 1 to 8 support a combined total of 75 ACEs, ports 9 to 16 support a combined total of 75 ACEs, and so on.

  • All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different rules that use the same mask.

The Catalyst 2950 Switch does not support these Cisco IOS® router ACL-related features:

  • Non-IP protocol ACLs
  • Bridge-group ACLs
  • IP accounting
  • ACL support on the outbound direction
  • Inbound and outbound rate limiting (except with Quality of Service [QoS] ACLs)
  • IP packets with an IP header length field of less than 5 (the field counts 32-bit words, so this means a header shorter than the 20-byte minimum)
  • Reflexive ACLs
  • Dynamic ACLs (except for certain specialized dynamic ACLs used by the switch clustering feature)
  • Internet Control Message Protocol (ICMP)-based filtering
  • Interior Gateway Routing Protocol (IGRP)-based filtering
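The port-group arithmetic above (75 ACEs shared by each block of eight Fast Ethernet ports, 100 per Gigabit Ethernet port, one mask per ACL, inbound only) is easy to violate by accident when an ACL grows. The following Python script is an added example, not part of the original page and not Cisco code: it parses a saved configuration, sums the ACEs bound to each block of eight Fast Ethernet ports, and reports the violations. The sample configuration is constructed here, and treating an ACE's source/destination wildcard pair as its "user-defined mask" is a simplifying assumption.

```python
"""Lint a Catalyst 2950 configuration against the ACL limits listed above.
Added example, not Cisco code. The sample configuration is constructed, and
treating an ACE's source/destination wildcard pair as its user-defined mask
is a simplifying assumption."""
import re
from collections import defaultdict

FE_GROUP_SIZE = 8    # Fast Ethernet ports share ACE capacity in blocks of eight
FE_GROUP_LIMIT = 75  # combined ACEs across one block of eight Fast Ethernet ports
GE_PORT_LIMIT = 100  # ACEs in the single ACL allowed on a Gigabit Ethernet port
_IFACE_RE = re.compile(r"^(FastEthernet|GigabitEthernet)(\d+)/(\d+)$")

def _address(tokens, i):
    """Consume one address spec at tokens[i]; return (wildcard mask, next index)."""
    if tokens[i] == "any":
        return "255.255.255.255", i + 1
    if tokens[i] == "host":
        return "0.0.0.0", i + 2
    return tokens[i + 1], i + 2          # "A.B.C.D W.X.Y.Z"

def parse_ace(text):
    """Parse a permit/deny line (standard or extended IP, optional leading
    sequence number) into (action, protocol, src_wildcard, dst_wildcard)."""
    tokens = text.split()
    if tokens[0].isdigit():
        tokens = tokens[1:]
    if tokens[1] in ("any", "host") or tokens[1][0].isdigit():
        src_wc, _ = _address(tokens, 1)  # standard ACL: source address only
        return tokens[0], "ip", src_wc, "255.255.255.255"
    src_wc, i = _address(tokens, 2)
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        i += 2                           # skip a source-port match such as "eq 22"
    dst_wc, _ = _address(tokens, i)
    return tokens[0], tokens[1], src_wc, dst_wc

def parse_config(config):
    """Return (acls, bindings): ACL name -> [parsed ACEs], and a list of
    (interface, ACL name, direction) taken from 'ip access-group' lines."""
    acls, bindings, context = defaultdict(list), [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):     # top-level command: starts a new block
            if m := re.match(r"^ip access-list (?:standard|extended) (\S+)$", line):
                context = ("acl", m.group(1))
            elif m := re.match(r"^interface (\S+)$", line):
                context = ("iface", m.group(1))
            else:
                context = None
                if m := re.match(r"^access-list (\S+) ((?:permit|deny) .*)$", line):
                    acls[m.group(1)].append(parse_ace(m.group(2)))
            continue
        body = line.strip()
        if context and context[0] == "acl" and re.match(r"^(?:\d+ )?(?:permit|deny) ", body):
            acls[context[1]].append(parse_ace(body))
        elif context and context[0] == "iface":
            if m := re.match(r"^ip access-group (\S+) (in|out)$", body):
                bindings.append((context[1], m.group(1), m.group(2)))
    return dict(acls), bindings

def lint(config):
    """Apply the port-group, per-port, inbound-only and same-mask rules; return findings."""
    acls, bindings = parse_config(config)
    findings = []
    for name, aces in acls.items():
        masks = {(src, dst) for _, _, src, dst in aces}
        if len(masks) > 1:
            findings.append(f"ACL {name}: {len(masks)} distinct masks; all ACEs must share one mask")
    fe_totals = defaultdict(int)         # (slot, block index) -> combined ACE count
    for iface, acl, direction in bindings:
        if direction == "out":
            findings.append(f"{iface}: outbound ACLs are not supported")
            continue
        m = _IFACE_RE.match(iface)
        if not m:
            continue
        count = len(acls.get(acl, []))
        kind, slot, port = m.group(1), m.group(2), int(m.group(3))
        if kind == "GigabitEthernet":
            if count > GE_PORT_LIMIT:
                findings.append(f"{iface}: ACL {acl} has {count} ACEs, limit {GE_PORT_LIMIT}")
        else:
            fe_totals[(slot, (port - 1) // FE_GROUP_SIZE)] += count
    for (slot, block), total in sorted(fe_totals.items()):
        if total > FE_GROUP_LIMIT:
            first, last = block * FE_GROUP_SIZE + 1, (block + 1) * FE_GROUP_SIZE
            findings.append(f"FastEthernet{slot}/{first}-{last}: {total} ACEs combined, limit {FE_GROUP_LIMIT}")
    return findings

# Constructed sample: ACL 101 (61 ACEs, two masks) on Fa0/1 plus SERVERS
# (20 ACEs) on Fa0/5 puts 81 ACEs into the Fa0/1-8 block; Gi0/1 tries "out".
SAMPLE_CONFIG = "\n".join(
    [f"access-list 101 deny ip 10.0.{i}.0 0.0.0.255 any" for i in range(60)]
    + ["access-list 101 permit ip any any", "ip access-list extended SERVERS"]
    + [f" deny ip host 192.0.2.{i} any" for i in range(20)]
    + ["interface FastEthernet0/1", " ip access-group 101 in",
       "interface FastEthernet0/5", " ip access-group SERVERS in",
       "interface FastEthernet0/9", " ip access-group SERVERS in",
       "interface GigabitEthernet0/1", " ip access-group 101 out"]
)

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output saved to a file by passing the file contents to `lint()`. Note that the SERVERS ACL on FastEthernet0/9 is fine on its own (20 ACEs in the second block of eight); it is only the sum with ACL 101 in the first block that breaks the 75-ACE limit, which is exactly the failure the page describes.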


These limitations of the Catalyst 2950 can be overcome by upgrading the switch to a higher platform such as the Catalyst 3500, Catalyst 3550, Catalyst 3750, Catalyst 4500 or Catalyst 6500.

For more information, refer to Configuring Network Security with ACLs in Catalyst 2950 Series Switches.