ACLs in catalyst 2948G-L3

huiming.lin
Level 1

I applied an ACL to an IP interface which has been assigned an IP address. But I found an error message in the logs; the message is "ACL card not present for interface FastEthernet24". Does that mean a hardware error or some other error? Will the ACL be effective?

3 Replies

Prashanth Krishnappa
Cisco Employee

In a CAT2948G-L3, ACLs are supported only on Gigabit Ethernet ports and corresponding Gigabit Ethernet subinterfaces. ACLs are not supported on Bridge-Group Virtual Interface (BVI), Fast EtherChannel (FEC), Gigabit EtherChannel (GEC), and Fast Ethernet interfaces.

http://cio.cisco.com/univercd/cc/td/doc/product/l3sw/4908g_l3/ios_12/18w522a/config/acl_cnfg.htm#xtocid283371

Thanks for your reply.

But I applied an ACL to a Fast Ethernet port and I tagged log in the ACL. I find some messages about the ACL in the system log.

*Dec 16 11:36:21.140 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 61.153.233.189(4204) -> x.x.x.x(135), 1 packet
*Dec 16 11:36:27.388 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 61.153.233.189(3016) -> x.x.x.x(135), 1 packet
*Dec 16 11:36:31.648 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 61.153.233.189(3499) -> x.x.x.x(135), 1 packet
*Dec 16 11:36:33.576 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 61.153.233.189(3833) -> x.x.x.x(135), 1 packet
*Dec 16 11:36:35.424 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 61.153.233.189(3978) -> x.x.x.x(135), 1 packet
*Dec 16 11:36:36.816 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 61.153.233.189(4108) -> x.x.x.x(135), 1 packet
*Dec 16 11:36:48.012 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 61.153.233.189(3217) -> x.x.x.x(135), 1 packet
*Dec 16 11:42:17.636 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 61.153.233.189(3978) -> x.x.x.x(135), 1 packet
*Dec 16 19:01:27.494 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 210.21.113.187(1035) -> x.x.x.x(135), 1 packet

For security reasons I replaced the destination IP address with x.x.x.x.

And here is the ACL I applied:

2948g#show ip access-lists 110
Extended IP access list 110
    deny udp any any eq 1434 log (1750 matches)
    deny tcp any any eq 135 log (3875 matches)
    permit icmp any any (1648980 matches)
    permit ip any any (380488327 matches)

So now my question is: is the ACL effective?

Logs might be coming, but the ACL only works on the gigabit ports.

Here is the URL for your ref.

http://www.cisco.com/univercd/cc/td/doc/product/l3sw/4908g_l3/ios_12/18w522a/config/acl_cnfg.htm

Keep the following restrictions in mind when configuring ACLs on the Catalyst 2948G-L3 and 4908G-L3 switch routers:

ACLs are supported only on Gigabit Ethernet ports and corresponding Gigabit Ethernet subinterfaces.

ACLs are not supported on Bridge-Group Virtual Interface (BVI), Fast EtherChannel (FEC), Gigabit EtherChannel (GEC), and Fast Ethernet interfaces.

Reflexive and dynamic ACLs are not supported on Catalyst 2948G-L3 and 4908G-L3 switch routers.

Access violations accounting is not supported on Catalyst 2948G-L3 and 4908G-L3 switch routers.

ACL logging is supported only for packets going to the CPU, not for switched packets.
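The thread turns on two messages: the %SEC-6-IPACCESSLOGP lines the second post pastes, and the "ACL card not present" message from the original question, which on this platform means the ACL is not enforced on that interface. The script below is an added example, not code from the thread or from Cisco; it parses both message types from a constructed syslog sample (RFC 5737 documentation addresses stand in for the real sources) so that a log reviewer can total the denies per rule and per source, and separately list interfaces the router itself reported as having no ACL hardware. The sample lines and the regular expressions are assumptions based on the format shown in the posts.

```python
import re
from collections import Counter

# Constructed sample in the format the thread shows (RFC 5737 documentation
# addresses replace the real sources; x.x.x.x as in the post).
SAMPLE_LOG = """\
*Dec 16 11:36:21.140 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.0.2.10(4204) -> x.x.x.x(135), 1 packet
*Dec 16 11:36:27.388 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.0.2.10(3016) -> x.x.x.x(135), 1 packet
*Dec 16 11:36:31.648 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.0.2.10(3499) -> x.x.x.x(135), 1 packet
*Dec 16 11:41:31.648 PRC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(1035) -> x.x.x.x(135), 5 packets
*Dec 16 11:42:00.001 PRC: %SEC-6-IPACCESSLOGP: list 110 denied udp 198.51.100.7(1434) -> x.x.x.x(1434), 1 packet
*Dec 16 11:30:00.000 PRC: ACL card not present for interface FastEthernet24
""".splitlines()

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# The message the original poster saw: on a 2948G-L3 it means the ACL is not
# applied in hardware on that interface, so it deserves an alert of its own.
CARD_RE = re.compile(r"ACL card not present for interface (?P<intf>\S+)")

def parse_line(line):
    """Fields of one IPACCESSLOGP line as a dict, or None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec

def summarize_denies(lines):
    """Denied packets per (acl, proto, dst port) and per source address.
    On this platform these totals cover only packets punted to the CPU; they say
    nothing about traffic the switching path forwarded without checking the ACL."""
    by_rule, by_src = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            by_rule[(rec["acl"], rec["proto"], rec["dport"])] += rec["count"]
            by_src[rec["src"]] += rec["count"]
    return by_rule, by_src

def unenforced_interfaces(lines):
    """Interfaces for which the router reported that no ACL hardware is present."""
    return sorted({m.group("intf") for m in map(CARD_RE.search, lines) if m})
```

Run `summarize_denies(SAMPLE_LOG)` and `unenforced_interfaces(SAMPLE_LOG)` against a real syslog export; a non-empty result from the second function is the signal that the matching counters in the first do not reflect enforcement on that interface.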