Cisco Support Community

New Member

Access-List on 2950 switch cluster

Hi there,

I have a cluster of 4 2950 switches.

Let's call them switch1-switch4.

Suppose I have a server with IP address hanging on switch 4. Switch 1 is my command switch.

I want to set up an Access-List to only allow access to this server from a proxy which is located on another LAN. I don't want to set up an access-list on the router, but rather I want to set it up on the switches, so that users on the LAN cannot access it directly.

I know this is a weird scenario, but can someone give me general information and some example of what my commands on the switch should look like.




Re: Access-List on 2950 switch cluster

Although the 2950 is a layer 2 switch, there are several possibilities to use IP access-lists. Please check the attached chapter of the configuration guide for more details.

Hope this solves your question.



New Member

Re: Access-List on 2950 switch cluster


There may be a better way of doing it, to fit your specific scenario, but I can't think of any others. You can use ACLs on the 2950 on a per L2 interface basis, but only inbound. Something like...

ip access-list extended DENY_HOSTS
 permit ip host host
 deny ip any host
 permit ip any any

int g0/0
 ip access-group DENY_HOSTS in
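A filled-in version of this approach for the thread's scenario, as an added example that is not the poster's own config. It assumes the EI image (which, as the later replies explain, is required for ACLs on physical ports); the addresses, port numbers and ACL name are constructed placeholders.

```cisco
! Added example (constructed, not from the thread). Assumptions:
!   server  10.0.1.50  on switch4 port Fa0/24
!   proxy   10.0.2.10  on another LAN, reached through switch4's uplink Gi0/1
!   EI image installed (port ACLs are not available on the SI image)
!
ip access-list extended PROTECT_SERVER
 ! only the proxy may talk to the server
 permit ip host 10.0.2.10 host 10.0.1.50
 ! every other source is blocked from the server
 deny   ip any host 10.0.1.50
 ! all other traffic is left untouched
 permit ip any any
!
! 2950 port ACLs filter inbound only, so the list has to sit where traffic
! TOWARD the server enters this switch: the user access ports, plus the
! uplink that carries traffic from users attached to switch1-3.
! It is not applied on the server's own port (Fa0/24), because only
! traffic FROM the server enters there.
interface range FastEthernet0/1 - 23
 ip access-group PROTECT_SERVER in
!
interface GigabitEthernet0/1
 ip access-group PROTECT_SERVER in
!
! Check hit counters after a test from the proxy and from a LAN host:
!   show access-lists PROTECT_SERVER
```

Because the ACL on switch4's uplink already catches traffic arriving from the other cluster members, nothing needs to be configured on switch1-3 for this host; a VLAN1 ACL would not do this job, since it only filters traffic to the switch CPU.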



New Member

Re: Access-List on 2950 switch cluster


I have read a bit about ACLs on switches. It mentions that I can only apply ACLs on physical interfaces if I have the EI image. I only have the SI image, so I guess I'm stuck with ACLs for management interfaces.

So I have to apply the ACL on VLAN1.

I have a cluster of 4 switches.

If I apply the ACL on switch3, for example, on VLAN1, will it take effect on all other switches as they are part of the same VLAN?

Please shed some light on this.



New Member

Re: Access-List on 2950 switch cluster

I'm afraid you are out of luck there.

Quote from CCO

"You can create ACLs for physical interfaces or management interfaces. A management interface is defined as a management VLAN or any traffic that is going directly to the CPU, such as SNMP, Telnet, or web traffic. You can create ACLs for management interfaces with the standard software image (SI) or the enhanced software image (EI) installed on your switch. However, you must have the EI installed on your switch to apply ACLs to physical interfaces."

And to be complete you can also apply ACLs to terminal lines such as vty 0 4.

The switch is not using the management interface to route traffic; as the name says, it is only for management, and the ACL only applies to traffic to and from the CPU, depending on which direction the ACL is applied.

I don't think you can achieve your requirement with this image. You either need to upgrade or use a L-3 device to segment your LAN and apply your filtering policies.

