2950 ACL question

halspuppet
Level 1

I have a 2950 switch and I want to block or drop all IP traffic on port 368. All of the ports are on a single VLAN (e.g. VLAN 40). What is the most efficient way to do this? VACL? If you could provide an example of the appropriate commands, that would be most helpful.

Thank you.

5 Replies

eward15
Level 1

It depends on where the traffic is trying to go.

If the port 368 traffic is trying to leave the VLAN, then a VACL would suffice.

If you want to prevent the traffic from going to another host on the same VLAN, a VLAN map would be the answer. However, I don't think (or know) that the 2950 supports VLAN maps. The 3550 does, and here is a link:

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swacl.htm#wp1176911

If the latter situation is needed, you may be forced to apply an ACL to the respective ports in question. There are limitations with that as well. Here is the link for the 2950:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/scg/swacl.htm#wp1082773

HTH,

Eugene

Thanks to both for your responses. Both were very helpful to me.

If I were to apply the same ACL to multiple ports, is it possible to batch this into a single command? Or do I need to configure each port individually with the same ACL?

Best regards,

HS

Hi HS,

What you can do is just configure the ACL, and when it comes to applying it on interfaces you can use the "interface range" command to configure any changes on as many interfaces as you want, i.e. those you selected in the interface range command.

Something like this (ACL-NAME is a placeholder for the ACL you created; on the 2950, port ACLs are applied inbound only):

interface range fastethernet0/1 - 20

ip access-group ACL-NAME in

Have a look at this link

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950cr/cli1.htm#wp2819614

HTH, if yes please rate the post.

Ankur
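A complete worked configuration for the approach Ankur describes, as an added example that is not from the thread or from Cisco's documentation. It assumes a Catalyst 2950 running the Enhanced Image (the standard image does not support ACLs), an ACL named BLOCK-368 (a placeholder), the port range fastethernet0/1 - 24, and two 2950 ACL restrictions that a practitioner should verify against the configuration guide for their release: port ACLs can only be applied inbound on physical ports, and only the eq operator is available for TCP/UDP port matching. Because the ACL sits on each access port's ingress, it also drops port 368 traffic between two hosts in the same VLAN, which a VLAN-leaving-only filter would not.

```cisco
! Added example (not part of the original thread).
! Extended IP ACL that drops TCP and UDP traffic to or from port 368 and
! permits all other IP traffic. ACL name BLOCK-368 is a placeholder.
ip access-list extended BLOCK-368
 remark Drop port 368 in either direction (destination port, then source port)
 deny   tcp any any eq 368
 deny   tcp any eq 368 any
 deny   udp any any eq 368
 deny   udp any eq 368 any
 remark Every ACL ends with an implicit deny, so permit the rest explicitly
 permit ip any any
!
! Apply the same ACL inbound to a block of access ports with one range command
! (assumed port range; adjust to the ports that actually carry the hosts)
interface range fastethernet0/1 - 24
 ip access-group BLOCK-368 in
!
! Verification commands (run from privileged EXEC, not configuration mode):
! show access-lists BLOCK-368
! show running-config interface fastethernet0/1
```

Keep the explicit permit ip any any at the end: without it the implicit deny at the bottom of every ACL would silently drop all other IP traffic on those ports. Also note that the matching is on the TCP/UDP port number only, so if the service you are blocking also answers on other ports, those need their own deny lines.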

Thank you for your help. Much appreciated.

vladrac-ccna
Level 5

Hello,

If this were not a 2950, I would also suggest Private VLANs. But it's not supported on the 2950:

http://www.cisco.com/warp/public/473/63.html

Also depending on what you really need, there's a feature called Protected port.

If you set a port as protected, it will not talk with another protected port (even at layer 2).

But this has limited use.

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00804762f0.html#wp1158863

Vlad