Access-List on 2950 switch cluster

dukenukem
Level 1

Hi there,

I have a cluster of 4 2950 switches.

Let's call them switch1-switch4.

Suppose I have a server with IP address 10.0.0.1 hanging on switch 4. Switch 1 is my command switch.

I want to set up an access-list to only allow access to this server 10.0.0.1 from a proxy 192.168.1.1 which is located on another LAN. I don't want to set up an access-list on the router, but rather I want to set it up on the switches, so that users on the 10.0.0.0 LAN cannot access it directly.

I know this is a weird scenario but can someone give me general information and some example of what my commands on the switch should look like.

Thanks,

George

4 Replies

lgijssel
Level 9

Although the 2950 is a layer-2 switch there are several possibilities to use IP access-lists. Please check the attached chapter of the configuration guide for more details.

http://www.cisco.com/en/US/partner/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8ed.html

Hope this solves your question.

Regards,

Leo

ekiriakos
Level 1

Hi,

There may be a better way of doing it, to fit your specific scenario, but I can't think of any others. You can use ACLs on the 2950 on a per-L2-interface basis, but only inbound. Something like...

! Named extended ACL: first matching line wins, anything that matches no line is dropped.
ip access-list extended DENY_HOSTS
 ! Only the proxy may reach the server (must come before the deny line).
 permit ip host 192.168.1.1 host 10.0.0.1
 ! Every other source is blocked from the server.
 deny ip any host 10.0.0.1
 ! All remaining traffic is unaffected (overrides the implicit deny).
 permit ip any any
! Apply inbound on the port where the client traffic enters the switch.
int g0/0
 ip access-group DENY_HOSTS in

HTH

E.

Ok.

I have read a bit about ACLs on switches. It mentions that I can only apply ACLs on physical interfaces if I have the EI image. I only have the SI image so I guess I'm stuck with ACLs for management interfaces.

So I have to apply the ACL on VLAN1.

I have a cluster of 4 switches.

If I apply the ACL on switch3 for example on VLAN1, will it take effect on all other switches as they are part of the same VLAN?

Please shed some light on this.

Thanks,

George

I'm afraid you are out of luck there.

Quote from CCO

"You can create ACLs for physical interfaces or management interfaces. A management interface is defined as a management VLAN or any traffic that is going directly to the CPU, such as SNMP, Telnet, or web traffic. You can create ACLs for management interfaces with the standard software image (SI) or the enhanced software image (EI) installed on your switch. However, you must have the EI installed on your switch to apply ACLs to physical interfaces."

And to be complete you can also apply ACLs to terminal lines such as vty 0 4.

The switch is not using the management interface to route traffic; as the name says it is only for management, and the ACL only applies to traffic to and from the CPU, depending on which direction the ACL is applied.

I don't think you can achieve your requirement with this image. You either need to upgrade or use a L-3 device to segment your LAN and apply your filtering policies.

E.
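As an added illustration (not code from any poster in this thread), here is a small Python model of the DENY_HOSTS ACL shown earlier, evaluated with the IOS first-match and implicit-deny semantics the thread relies on, plus the "inbound only" placement point: a packet is only checked when the ACL is applied on the port it enters. The port names (Fa0/1, Fa0/24, Gi0/1) and the LAN host 10.0.0.55 are constructed sample values, not taken from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _addr(tokens):
    # Parses "any" or "host A.B.C.D", the only address forms used above.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address form: %s" % tokens[0])

def parse_ace(line):
    # Parses one line of "<permit|deny> ip <src> <dst>" (IOS extended ACL subset).
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported ACE: %s" % line)
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    return Ace(action, src, dst)

def evaluate(acl, src_ip, dst_ip):
    # IOS semantics: first matching entry wins; no match means implicit deny.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"

# The ACL from the thread, as posted.
DENY_HOSTS = [parse_ace(l) for l in (
    "permit ip host 192.168.1.1 host 10.0.0.1",
    "deny ip any host 10.0.0.1",
    "permit ip any any",
)]

def forward(acl_ports, ingress_port, src_ip, dst_ip, acl=DENY_HOSTS):
    """Inbound-only model: the ACL is consulted only when it is applied on the
    port the packet arrives on; applying it on the server's own port therefore
    never filters traffic heading *to* the server."""
    if ingress_port in acl_ports:
        return evaluate(acl, src_ip, dst_ip) == "permit"
    return True
```

Swapping the first two lines makes the proxy hit the deny first, which is why the permit for the proxy must precede the deny.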
