05-04-2006 12:53 PM - edited 03-03-2019 03:05 AM
I have a 2950 switch and I want to block or drop all ip traffic on port 368. All of the ports are all on a single VLAN (eg VLAN 40). What is most efficient way to do this? VACL? If you could provide an example of the appropriate commands that would be most helpful.
Thank you.
05-04-2006 01:11 PM
It depends on where the traffic is trying to go.
If the port 368 traffic is trying to leave the vlan, then a VACL would suffice.
If you want to prevent the traffic from going to another host on the same vlan, a vlan map would be the answer. However, I don't think (or know) that the 2950 supports vlan maps. The 3550 does, and here is a link:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swacl.htm#wp1176911
If the latter situation is needed, you may be forced to apply an ACL to the respective ports in question. There are limitations with that as well. Here is the link for the 2950:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/scg/swacl.htm#wp1082773
HTH,
Eugene
05-05-2006 07:50 AM
Thanks to both for your responses. Both were very helpful to me.
If I were to apply the same ACL to multiple ports, is it possible to batch this into a single command? Or do I need to configure each port individually with the same ACL?
Best regards,
HS
05-06-2006 12:22 AM
Hi HS,
What you can do is just configure the ACL, and when it comes to applying it on interfaces you can use the "interface range" command to configure any changes on as many interfaces as you want, as selected in the interface range command.
Something like this
interface range fastethernet0/1 - 20
 ip access-group <acl-name-or-number> in
Have a look at this link
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950cr/cli1.htm#wp2819614
HTH, if yes please rate the post.
Ankur
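Added configuration example, not part of any post in this thread: the port ACL Eugene describes and the interface range Ankur describes, written out end to end for a Catalyst 2950. The ACL number 101, the interface range fastethernet0/1 - 20, and the assumption that the switch runs the Enhanced Image (EI, which is the image that supports IP ACLs on the 2950) are all placeholders or assumptions, so check them against your own switch.

```cisco
! Added example, not from the thread. Assumes a Catalyst 2950 with the
! Enhanced Image (EI); the Standard Image does not support IP ACLs.
! ACL number 101 and the interface range are placeholders.
configure terminal
!
! Extended ACL: drop TCP and UDP traffic whose source or destination
! port is 368, and permit everything else. The final "permit ip any any"
! matters: every IOS ACL ends with an implicit deny, so without it the
! port would drop all IP traffic, not just port 368.
access-list 101 deny tcp any any eq 368
access-list 101 deny tcp any eq 368 any
access-list 101 deny udp any any eq 368
access-list 101 deny udp any eq 368 any
access-list 101 permit ip any any
!
! Apply the same ACL to every access port in one step. The 2950 applies
! port ACLs in the inbound direction only, so "in" is the only direction
! you can use here. Because the ACL is inbound on every port, a packet to
! port 368 is dropped as it enters the switch from the sending host, and
! any reply is dropped as it enters from the receiving host, which covers
! host-to-host traffic inside the same VLAN as well as traffic leaving it.
interface range fastethernet0/1 - 20
 ip access-group 101 in
end
!
! Verify: the hit counters on the deny lines should climb when a host
! tries port 368, and the ACL should appear under each port.
show access-lists 101
show running-config interface fastethernet0/1
```

Two things to check before relying on this: the 2950 matches only on the packet's own headers, so if the service on port 368 can also be reached on another port this ACL does nothing for it, and the uplink port is not in the range above, so traffic arriving from outside the VLAN is only filtered if you add that port (or the VLAN interface, via a router ACL) as well.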
05-08-2006 05:43 PM
Thank you for your help. Much appreciated.
05-04-2006 09:00 PM
Hello,
If this was not a 2950, I would also suggest Private VLANs. But it's not supported on the 2950:
http://www.cisco.com/warp/public/473/63.html
Also, depending on what you really need, there's a feature called Protected port.
If you set a port as protected, it will not talk with another protected port (even at layer 2).
But this has limited use.
Vlad
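Added configuration example, not from Vlad's post or any other post in this thread, showing the protected-port option he mentions. The interface range fastethernet0/1 - 20 is a placeholder.

```cisco
! Added example, not from the thread. The interface range is a placeholder.
! A protected port exchanges no unicast, multicast or broadcast frames
! with any other protected port on the same switch, at layer 2. It still
! talks to unprotected ports (for example the uplink to the router),
! so hosts keep their default gateway but cannot reach each other.
configure terminal
interface range fastethernet0/1 - 20
 switchport protected
end
!
! Verify: the output should show "Protected: true" for each port.
show interfaces fastethernet0/1 switchport
```

This blocks all host-to-host traffic between the protected ports, not only port 368, which is why it fits only when the hosts on the VLAN never need to talk to each other directly; and it is local to one switch, so two protected ports on different switches in the same VLAN can still reach each other through the trunk.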