I am trying to block ports 137-139 on a cisco 2950.
I am using these settings.
ip address 10.150.3.14 255.255.255.0
ip access-group 130 in
no ip route-cache
ip http server
access-list 130 deny tcp any any eq 137
access-list 130 deny tcp any any eq 138
access-list 130 deny tcp any any eq 139
access-list 130 deny udp any any eq 137
access-list 130 deny udp any any eq 138
access-list 130 deny udp any any eq 139
access-list 130 permit ip any any
I am still seeing microsoft netbios packets on the network using ethereal.
I don't know why it is not working. I have been told that a 2950 can't block tcp or udp ports because it is a layer 2 switch and not a layer 3.
Which model of the 2950 do you have? AFAIK, the Standard Image models do not support ACLs, while the Enhanced Image models do.
The SI models are:
So if you have any of those, ACLs are not supported...
Since these commands are accepted by the switch, I think the image you have will support ACLs. You can further confirm it by blocking ICMP or Telnet ports.
Could you pass the Ethereal output? That could throw more light on this.
I think the issue here is that you are applying the access-list to the VLAN1 interface, which will only act on packets destined for the switch. You really need to apply your ACLs in an inbound direction to individual ports in order to block these packets. You do need the Enhanced Image (EI) to apply ACLs to physical interfaces.
Why don't you try applying these ACLs to a few of your physical ports to see if that helps.
You sure can. I just did a quick check and release 12.1.22-EA6 (c2950-i6q4l2-mz.121-22.EA6.bin) should do the job. You do need to have 16MB of DRAM and 8MB of flash.
Hope that helps... please do rate helpful posts.
AFAIK, you cannot upgrade a 2950 SI to an EI. The limitation is the firmware in the switch.
[Catalyst 2950] Upgrade from Standard (SMI) to Enhanced image (EMI) on the Cisco Catalyst 2950 Series
Question: Can I upgrade from the standard to the enhanced image on the Cisco Catalyst 2950 Series?
Answer: No, this is determined by hardware.
What you are trying to achieve is not possible with the 2950 since it is a layer-2 only switch, or at least it is not possible in the way you are attempting to do it. The ACL applied to the VLAN interface (inbound or outbound) will only stop traffic to and from the actual switch itself and not to the VLAN - the 2950 doesn't route to or from the VLAN since it is Layer-2 only.
If this was a 3550 (or another L3 switch) and you were routing between VLANs, then the ACLs would be applied when routing traffic between the VLANs but not within them.
The only way you can block traffic at Layer 2 is to apply ACLs to physical interfaces on the 2950. This will only work if you have a 2950 that runs the EI features, though; the SI-only switches don't support this.
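As an added example (not configuration from the thread), here is the ineffective SVI placement beside the effective per-port placement. It assumes a 2950 running the EI image, that the hosts are on FastEthernet0/1 through 0/24, and that the image supports `interface range`; all three are assumptions.

```cisco
! Added example, not from the original thread.
! Assumes: 2950 EI image; hosts on FastEthernet0/1-0/24 (assumed names).
!
! Ineffective placement: an IP ACL on the management SVI only filters
! traffic addressed to the switch itself. Host-to-host NetBIOS traffic
! is bridged within VLAN 1 and never passes through this ACL.
interface Vlan1
 ip address 10.150.3.14 255.255.255.0
 no ip access-group 130 in
!
! The ACL itself is unchanged. "eq" matches the destination port, which
! is where NetBIOS name (137), datagram (138) and session (139)
! traffic is addressed. Re-created here only to keep the example whole.
no access-list 130
access-list 130 deny tcp any any eq 137
access-list 130 deny tcp any any eq 138
access-list 130 deny tcp any any eq 139
access-list 130 deny udp any any eq 137
access-list 130 deny udp any any eq 138
access-list 130 deny udp any any eq 139
access-list 130 permit ip any any
!
! Effective placement: inbound on each physical access port. Port ACLs
! on the 2950 are applied in the inbound direction only, so every port
! a NetBIOS host can send from needs the ACL.
interface range FastEthernet0/1 - 24
 ip access-group 130 in
!
! Checks: confirm the ACL exists and is bound to the port, then
! re-run the Ethereal capture from a host on one of these ports.
show access-lists 130
show running-config interface FastEthernet0/1
```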