Cisco Support Community

New Member

2950 ACL question

I have a 2950 switch and I want to block or drop all IP traffic on port 368. All of the ports are on a single VLAN (e.g. VLAN 40). What is the most efficient way to do this? VACL? If you could provide an example of the appropriate commands, that would be most helpful.

Thank you.

New Member

Re: 2950 ACL question

It depends on where the traffic is trying to go.

If the port 368 traffic is trying to leave the vlan, then a VACL would suffice.

If you want to prevent the traffic from going to another host on the same vlan, a vlan map would be the answer. However, I don't think (or know) that the 2950 supports vlan maps. The 3550 does, and here is a link:

If the latter situation is needed, you may be forced to apply an ACL to the respective ports in question. There are limitations with that as well. Here is the link for the 2950:



New Member

Re: 2950 ACL question

Thanks to both for your responses. Both were very helpful to me.

If I were to apply the same ACL to multiple ports, is it possible to batch this into a single command? Or do I need to configure each port individually with the same ACL?

Best regards,


Re: 2950 ACL question

Hi HS,

What you can do is just configure the ACL, and when it comes to applying it on the interfaces you can use the "interface range" command to configure any changes on as many interfaces as you want, which you will have selected in the interface range command.

Something like this

interface range fastethernet0/1 - 20

ip access-group <acl-name-or-number> in

Have a look at this link

HTH, if yes please rate the post.
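
The approach from the reply above, written out in full as an added example that is not part of the original thread. It assumes that "port 368" means TCP/UDP destination port 368 and that the switch image supports inbound ACLs on physical ports; the ACL name BLOCK-368 is hypothetical, and the interface range is the one used in the reply.

```cisco
! Added example; the ACL name BLOCK-368 is hypothetical.
! Assumption: "port 368" means TCP/UDP destination port 368.
configure terminal
 ip access-list extended BLOCK-368
  deny   tcp any any eq 368
  deny   udp any any eq 368
  ! Without this entry, the implicit deny at the end of the ACL
  ! would drop all other IP traffic arriving on these ports.
  permit ip any any
 exit
 ! Apply the same ACL inbound to every port in the range in one step.
 interface range fastethernet0/1 - 20
  ip access-group BLOCK-368 in
 end
! Confirm the entries and that the ACL is attached to a port in the range.
show access-lists BLOCK-368
show running-config interface fastethernet0/1
```

Because the ACL is applied inbound on each access port, it filters traffic as it enters the switch, including traffic headed to another host in the same VLAN.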


New Member

Re: 2950 ACL question

Thank you for your help. Much appreciated.

Re: 2950 ACL question


If this was not a 2950, I would also suggest Private VLANs. But it's not supported on the 2950:

Also, depending on what you really need, there's a feature called Protected port.

If you set a port as protected, it will not talk with another protected port (even on layer 2).

But this has limited use.

