ACL cisco 2950

wysockib
Level 1

I am trying to block ports 137-139 on a cisco 2950.

I am using these settings.

interface Vlan1
 ip address 10.150.3.14 255.255.255.0
 ip access-group 130 in
 no ip route-cache
!
ip http server
access-list 130 deny tcp any any eq 137
access-list 130 deny tcp any any eq 138
access-list 130 deny tcp any any eq 139
access-list 130 deny udp any any eq 137
access-list 130 deny udp any any eq 138
access-list 130 deny udp any any eq 139
access-list 130 permit ip any any

1 Accepted Solution

pkhatri
Level 11

Hi,

I'm not sure what your question is here. Does the above config not work? In what way does it not work?

A bit more info would enable us to help you better.

Regards,

Paresh.

9 Replies

I am still seeing microsoft netbios packets on the network using ethereal.

I don't know why it is not working. I have been told that a 2950 can't block tcp or udp ports because it is a layer 2 switch and not a layer 3.

Hello,

Which model of the 2950 do you have? AFAIK, the Standard Image models do not support ACLs, while the Enhanced Image models do.

The SI models are:

2950SX-48-SI
2950T-48-SI
2950SX-24
2950-24
2950-12

So if you have any of those, ACLs are not supported...

HTH,

GP

Hi,

Since these commands are taken by the switch, I think the image you have will support ACLs. You can even further confirm it by blocking ICMP or telnet ports.

Could you pass the Ethereal output? That can throw more light on this.

hi,

I think the issue here is that you are applying the access-list to the VLAN1 interface, which will only act on packets destined for the switch. You really need to apply your ACLs in an inbound direction to individual ports in order to block these packets. You do need the Enhanced Image (EI) to apply ACLs to physical interfaces.

Why don't you try applying these ACLs to a few of your physical ports to see if that helps?

regards,

Paresh.

I have a couple 2950-24. Can I purchase Enhanced Image and just upgrade my current switches?

You sure can. I just did a quick check and release 12.1.22-EA6 (c2950-i6q4l2-mz.121-22.EA6.bin) should do the job. You do need to have 16MB of DRAM and 8MB of flash.

Hope that helps... please do rate helpful posts.

Regards,

Paresh.

Hello,

AFAIK, you cannot upgrade a 2950 SI to an EI. The limitation is the firmware in the switch.

[Catalyst 2950] Upgrade from Standard (SMI) to Enhanced image (EMI) on the Cisco Catalyst 2950 Series

Question: Can I upgrade from the standard to the enhanced image on the Cisco Catalyst 2950 Series?

Answer: No, this is determined by hardware.

HTH,

GP

What you are trying to achieve is not possible with the 2950 since it is a layer-2 only switch, or at least it is not possible in the way you are attempting to do it. The ACL applied to the VLAN interface (inbound or outbound) will only stop traffic to and from the actual switch itself and not to the VLAN - the 2950 doesn't route to or from the VLAN since it is Layer-2 only.

If this was a 3550 (or another L3 switch) and you were routing between VLANs, then the ACLs would be applied when routing traffic between the VLANs but not within them.

The only way you can block traffic at Layer-2 is to apply ACLs to physical interfaces on the 2950. This will only work if you have a 2950 that runs the EI features though; the SI-only switches don't support this.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swacl.htm

HTH

Andy
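The change Paresh and Andy describe, written out as an added example that is not from any post in this thread: ACL 130 is taken off the Vlan1 SVI, where it only filters packets addressed to the switch itself, and applied inbound on the access ports, where a 2950 filters host-to-host traffic before forwarding it within the VLAN. It assumes a 2950 running the Enhanced Image and that the hosts are attached to FastEthernet0/1 - 24 (assumed port names).

```cisco
! Added example, not from the original thread. Assumes a 2950 EI image and
! that the NetBIOS hosts are attached to FastEthernet0/1 - 24 (assumed).
!
! The ACL itself is unchanged from the original post. NetBIOS uses
! UDP 137 (name service), UDP 138 (datagram) and TCP 139 (session), so
! the other three entries match nothing but do no harm.
access-list 130 deny   tcp any any eq 137
access-list 130 deny   tcp any any eq 138
access-list 130 deny   tcp any any eq 139
access-list 130 deny   udp any any eq 137
access-list 130 deny   udp any any eq 138
access-list 130 deny   udp any any eq 139
access-list 130 permit ip any any
!
! On a Layer-2 switch the SVI only sees packets addressed to the switch's
! own management IP, so this binding never sees host-to-host traffic.
interface Vlan1
 no ip access-group 130 in
!
! Port ACLs go on the physical interfaces and are inbound only on the 2950.
! Each frame is filtered as it enters the port, before the switch forwards
! it to any other port in the VLAN.
interface range FastEthernet0/1 - 24
 ip access-group 130 in
!
! Checks: confirm the binding on a port, then repeat the Ethereal capture
! from a host on one of these ports. NetBIOS from the other hosts should no
! longer arrive; the capturing host's own NetBIOS traffic is still visible
! locally because it is generated on that host, not forwarded by the switch.
show ip access-lists 130
show running-config interface FastEthernet0/1
```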
