New Member

Access-List on 2950 switch cluster

Hi there,

I have a cluster of 4 2950 switches.

Let's call them switch1-switch4.

Suppose I have a server with IP address 10.0.0.1 hanging on switch 4. Switch 1 is my command switch.

I want to set up an access-list to only allow access to this server 10.0.0.1 from a proxy 192.168.1.1 which is located on another LAN. I don't want to set up an access-list on the router, but rather I want to set it up on the switches, so that users on the 10.0.0.0 LAN cannot access it directly.

I know this is a weird scenario, but can someone give me general information and an example of how my commands on the switch should look?

Thanks,

George

4 REPLIES

Re: Access-List on 2950 switch cluster

Although the 2950 is a Layer 2 switch, there are several possibilities to use IP access-lists. Please check the attached chapter of the configuration guide for more details.

http://www.cisco.com/en/US/partner/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8ed.html

Hope this solves your question.

Regards,

Leo

New Member

Re: Access-List on 2950 switch cluster

Hi,

There may be a better way of doing it, to fit your specific scenario, but I can't think of any others. You can use ACLs on the 2950 on a per-L2-interface basis, but only inbound. Something like...

ip access-list extended DENY_HOSTS
 ! entries are matched top-down, first match wins
 permit ip host 192.168.1.1 host 10.0.0.1
 deny ip any host 10.0.0.1
 permit ip any any
!
int g0/0
 ! 2950 port ACLs can only be applied inbound
 ip access-group DENY_HOSTS in

HTH

E.

New Member

Re: Access-List on 2950 switch cluster

Ok.

I have read a bit about ACLs on switches. It mentions that I can only apply ACLs on physical interfaces if I have the EI image. I only have the SI image, so I guess I'm stuck with ACLs for management interfaces.

So I have to apply the ACL on VLAN1.

I have a cluster of 4 switches.

If I apply the ACL on switch3, for example, on VLAN1, will it take effect on all other switches as they are part of the same VLAN?

Please shed some light on this.

Thanks,

George

New Member

Re: Access-List on 2950 switch cluster

I'm afraid you are out of luck there.

Quote from CCO

"You can create ACLs for physical interfaces or management interfaces. A management interface is defined as a management VLAN or any traffic that is going directly to the CPU, such as SNMP, Telnet, or web traffic. You can create ACLs for management interfaces with the standard software image (SI) or the enhanced software image (EI) installed on your switch. However, you must have the EI installed on your switch to apply ACLs to physical interfaces."

And to be complete you can also apply ACLs to terminal lines such as vty 0 4.

The switch is not using the management interface to route traffic; as the name says, it is only for management, and the ACL only applies to traffic to and from the CPU, depending on which direction the ACL is applied.

I don't think you can achieve your requirement with this image. You either need to upgrade or use a L-3 device to segment your LAN and apply your filtering policies.

E.
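As an added worked example (not E.'s posted config and not taken from the Cisco guide linked in the first reply), the two kinds of ACL discussed across the replies side by side: the extended ACL applied inbound on the access ports, which the thread says needs the EI image, and the management-interface and vty filtering that the SI image does support. Port numbers, the use of FastEthernet0/1-23 as user ports, and VLAN 1 as the management VLAN are assumptions; the hosts 10.0.0.1 and 192.168.1.1 are the ones from the question.

```ios
! ---- Option A: port ACL, requires the Enhanced Image (EI) ----
! Named extended ACL. Entries are evaluated top-down and the first match
! wins, so the proxy permit must come before the deny. Without the final
! "permit ip any any" the implicit deny would drop all other traffic.
ip access-list extended PROTECT_SERVER
 remark only the proxy may reach the server
 permit ip host 192.168.1.1 host 10.0.0.1
 remark everyone else is blocked from the server
 deny   ip any host 10.0.0.1
 remark all other traffic is left alone
 permit ip any any
!
! Port ACLs on the 2950 are inbound only, so apply the list where user
! traffic ENTERS the switch: on the user-facing access ports, not on the
! server's own port (inbound there would filter the server's replies).
! The ACL is switch-local configuration; it has to be entered on each
! switch of the cluster that has user ports. Port range is assumed.
interface range FastEthernet0/1 - 23
 ip access-group PROTECT_SERVER in
!
! ---- Option B: management ACL, available on the Standard Image (SI) ----
! This filters only traffic to and from the switch CPU (SNMP, Telnet,
! HTTP to the switch itself). It does NOT touch user traffic that merely
! transits the switch toward 10.0.0.1, which is why the last reply says
! SI cannot meet the requirement. Shown to make that distinction concrete.
access-list 10 remark stations allowed to manage this switch
access-list 10 permit host 192.168.1.1
!
! Management VLAN interface (assumed to be VLAN 1 on this switch)
interface Vlan1
 ip access-group 10 in
!
! Terminal lines, as mentioned in the reply above
line vty 0 4
 access-class 10 in
```

A quick way to confirm which option a given switch can support is `show version`: the image name tells you whether SI or EI is running before you try to apply a port ACL. After applying Option A, `show ip access-lists PROTECT_SERVER` shows per-entry match counters, so a test connection from a 10.0.0.0 host should increment the deny entry and one from the proxy the first permit entry.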
