12-28-2005 04:45 PM - edited 03-03-2019 01:16 AM
I am trying to block ports 137-139 on a cisco 2950.
I am using these setting.
interface Vlan1
ip address 10.150.3.14 255.255.255.0
ip access-group 130 in
no ip route-cache
!
ip http server
access-list 130 deny tcp any any eq 137
access-list 130 deny tcp any any eq 138
access-list 130 deny tcp any any eq 139
access-list 130 deny udp any any eq 137
access-list 130 deny udp any any eq 138
access-list 130 deny udp any any eq 139
access-list 130 permit ip any any
12-28-2005 06:14 PM
Hi,
I'm not sure what your question is here. Does the above config not work? In what way does it not work?
A bit more info would enable us to help you better.
Regards,
Paresh.
12-28-2005 09:11 PM
I am still seeing microsoft netbios packets on the network using ethereal.
I don't know why it is not working. I have been told that a 2950 can't block tcp or udp ports because it is a layer 2 switch and not a layer 3.
12-28-2005 10:20 PM
Hello,
Which model of the 2950 do you have? AFAIK, the Standard Image models do not support ACLs, while the Enhanced Image models do.
The SI models are:
2950SX-48-SI
2950T-48-SI
2950SX-24
2950-24
2950-12
So if you have any of those, ACLs are not supported...
HTH,
GP
12-28-2005 10:52 PM
Hi,
Since these commands are accepted by the switch, I think the image you have will support ACLs. You can further confirm it by blocking the ICMP or telnet ports.
Could you post the Ethereal output? That could throw more light on this.
12-28-2005 11:01 PM
hi,
I think the issue here is that you are applying the access-list to the VLAN1 interface, which will only act on packets destined for the switch. You really need to apply your ACLs in an inbound direction to individual ports in order to block these packets. You do need the Enhanced Image (EI) to apply ACLs to physical interfaces.
Why don't you try applying these ACLs to a few of your physical ports to see if that helps.
regards,
Paresh.
12-28-2005 11:19 PM
I have a couple 2950-24. Can I purchase Enhanced Image and just upgrade my current switches?
12-28-2005 11:36 PM
You sure can. I just did a quick check and release 12.1.22-EA6 (c2950-i6q4l2-mz.121-22.EA6.bin) should do the job. You do need to have 16MB of DRAM and 8MB of flash.
Hope that helps... please do rate helpful posts.
Regards,
Paresh.
12-29-2005 12:33 AM
Hello,
AFAIK, you cannot upgrade a 2950 SI to an EI. The limitation is the firmware in the switch.
[Catalyst 2950] Upgrade from Standard (SMI) to Enhanced image (EMI) on the Cisco Catalyst 2950 Series
Question: Can I upgrade from the standard to the enhanced image on the Cisco Catalyst 2950 Series?
Answer: No, this is determined by hardware.
HTH,
GP
12-29-2005 03:53 AM
What you are trying to achieve is not possible with the 2950 since it is a layer-2 only switch, or at least it is not possible in the way you are attempting to do it. The ACL applied to the VLAN interface (inbound or outbound) will only stop traffic to and from the actual switch itself and not to the VLAN; the 2950 doesn't route to or from the VLAN since it is Layer-2 only.
If this were a 3550 (or another L3 switch) and you were routing between VLANs, then the ACLs would be applied when routing traffic between the VLANs but not within them.
The only way you can block traffic at Layer-2 is to apply ACLs to physical interfaces on the 2950. This will only work if you have a 2950 that runs the EI feature set though; the SI-only switches don't support this.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swacl.htm
HTH
Andy
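Pulling the thread's conclusion together as one complete configuration (this is an added example, not a config posted by anyone above; the interface numbering, the uplink port and the EI image name used in the comments are assumptions):

```cisco
! Assumption: Catalyst 2950 running the Enhanced Image (EI), which is required
! for port ACLs. On the 2950 EI, IP ACLs on physical ports are applied
! INBOUND ONLY; "out" is not accepted on a Layer-2 port.
!
! The ACL is unchanged from the original post. 137/138 are NetBIOS name
! service and datagram service (normally UDP), 139 is NetBIOS session (TCP);
! denying both protocols on all three ports is harmless and covers odd cases.
access-list 130 deny   tcp any any eq 137
access-list 130 deny   tcp any any eq 138
access-list 130 deny   tcp any any eq 139
access-list 130 deny   udp any any eq 137
access-list 130 deny   udp any any eq 138
access-list 130 deny   udp any any eq 139
access-list 130 permit ip any any
!
! The SVI is management-plane only on a 2950: an ACL here filters packets
! addressed to 10.150.3.14 itself, not user traffic bridged within VLAN 1.
! Remove the group that was doing nothing for the stated goal.
interface Vlan1
 ip address 10.150.3.14 255.255.255.0
 no ip access-group 130 in
 no ip route-cache
!
! Apply the ACL inbound on every port a host can send NetBIOS from.
! Assumed: hosts on Fa0/1 - Fa0/23, uplink to the rest of the network on Fa0/24.
interface range FastEthernet0/1 - 23
 ip access-group 130 in
!
! NetBIOS arriving FROM the rest of the network enters on the uplink, so the
! same ACL goes inbound there too; otherwise only locally originated NetBIOS
! is dropped and the Ethereal trace will still show packets from remote hosts.
interface FastEthernet0/24
 ip access-group 130 in
!
! Verification (after "write memory"):
!   show access-lists 130
!   show running-config interface FastEthernet0/1
! and re-run the capture; the only NetBIOS frames still visible should be
! those sent by the capturing host itself before they reach its switch port.
```

Two caveats a practitioner would check before relying on this. First, an inbound port ACL only sees frames entering that port, so a host on an unfiltered port (or the uplink, if it is left out) can still reach ports 137-139 on other hosts in the VLAN; the filter must be on every ingress point. Second, this list only covers legacy NetBIOS-over-TCP/IP; Windows also carries SMB directly over TCP 445, which these six lines do not touch, so a trace filtered on 137-139 going quiet does not by itself mean file sharing is blocked.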