Cisco Support Community
New Member

Need a bit of help with ACL on a Catalyst 2950 switch

Hello everyone,

I hope this is the right topic to ask in... I need a bit of help with a specific ACL I want to create on a Catalyst 2950G switch.

Here's the situation:

I have a specific workstation in the network for which I want to allow Internet access (that is it needs to be able to connect to the Linux Firewall/NAT machine) but reject all connections to the other workstations in my LAN.

This specific workstation has an IP of 10.0.2.83, the Linux gateway has an IP of 10.0.2.1, it's a class C network (10.0.2.x).

My original thoughts on this was to do something like this:

permit ip any host 10.0.2.1

deny ip 10.0.2.0 0.0.0.255 any

permit ip any any

But I get an error back when I try to enter that saying "The field sets of all the ACEs in an ACL should match.". From this I presume all ACEs need to use the same wildcard.

Anyway, I've also tried this:

permit ip any host 10.0.2.1

permit ip host 10.0.2.1 any

deny ip any any

But this doesn’t work because it actually makes requests to internet IPs before they get forwarded to the Linux Firewall/NAT.

So can someone tell me how to write an ACL that would deny all traffic to 10.0.2.0/255.255.255.0 except 10.0.2.1 ?

Thanks for the help in advance,

Amadej.

Accepted Solutions
Bronze

Re: Need a bit of help with ACL on a Catalyst 2950 switch

Access list functionality on Cisco switches tends to correlate with how much the switch in question costs. In this case, we're talking about the bottom of the product line -- access lists on a 2950 can be a major pain.

If the 'switchport protected' command can't help you here (because, for example, the other devices on the switch need to be able to access each other as opposed to just the firewall), I believe you are stuck writing long access lists which include each individual IP.

3 REPLIES
New Member

Re: Need a bit of help with ACL on a Catalyst 2950 switch

"%Error: The field sets of all the ACEs in an ACL should match"

All the ACEs in an ACL must have the same mask. Change the ACE to have the same mask as the other ACEs in the ACL.

Try being more restrictive with your ACL's also, IE use extended instead of standard. Instead of saying, permit ip any host 10.0.2.1, try:

access-list 101 permit tcp host 10.0.2.1 any eq www

access-list 101 permit tcp host 10.0.2.1 any eq telnet

access-list 101 permit tcp host 10.0.2.1 any eq smtp

access-list 101 deny tcp any any

Hope that helps a little.

New Member

Re: Need a bit of help with ACL on a Catalyst 2950 switch

Well yes... wildcard = 255.255.255.255 - mask, if I'm not mistaken. :)

Well... the restrictive part comes into play with the Linux firewall (between the Internet and our LAN). This is the device that filters what traffic can go through.

My main problem is limiting traffic from this workstation (FastEthernet0/4) to other ports. I only want it to be able to connect to FastEthernet0/1 (which is 10.0.2.1, Linux Firewall/NAT).

So basically, from what I understand, if all ACEs need to have the same netmask defined, I have to add each IP by hand.

Can someone confirm that? I hate manual work :D
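Added illustration, not code from the thread or from Cisco: a small Python model of IOS-style extended ACL evaluation (first matching ACE wins, implicit deny at the end), run over the lists posted above. It covers the two ACLs from the opening post, the port-restricted extended ACL from the first reply, and a per-host list of the kind the accepted answer describes, for packets from the workstation 10.0.2.83 to the gateway, to another LAN host, and to an Internet address (198.51.100.7 is a constructed documentation-range address; 10.0.2.50 is a constructed LAN host). Two things the model makes visible. First, the second list from the post denies Internet-bound packets because a web request is addressed at the IP layer to the Internet host, not to 10.0.2.1; only the Ethernet frame goes to the gateway, and an IP ACL never sees that. Second, the deny line of the first list, as written, matches on the source 10.0.2.0/24 rather than the destination, so even if the switch had accepted it, it would have blocked Internet traffic too; `deny ip any 10.0.2.0 0.0.0.255` is the form that says "deny traffic to the LAN". The model does not reproduce the 2950's field-set restriction; the per-host generator sidesteps it by emitting only `host`/`any` ACEs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added model of IOS-style IP ACL evaluation for this thread. It is not Cisco
# code and does not model platform limits such as the 2950's
# "field sets ... should match" restriction; it only shows what each posted
# ACL would permit or deny. Port names are the ones used in the thread.
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25}


@dataclass
class ACE:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol, else "tcp"/"udp"
    src: Tuple[str, str]       # (address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)


def _take_addr(toks: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' at toks[i]; return the spec and the next index."""
    if toks[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    return (toks[i], toks[i + 1]), i + 2


def parse_ace(line: str) -> ACE:
    """Parse one ACE as written in the thread, with or without an 'access-list N' prefix."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    action, proto = toks[0], toks[1]
    src, i = _take_addr(toks, 2)
    dst, i = _take_addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
    return ACE(action, proto, src, dst, dport)


def evaluate(acl: List[ACE], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one packet; packets matching no ACE hit the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, *ace.src) or not wildcard_match(dst, *ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def expand_per_host(network: str, gateway: str) -> List[str]:
    """Per-host form of the OP's intent, as the accepted answer suggests: one 'host' ACE
    per LAN address, so every ACE uses only the host/any forms and no mixed wildcards."""
    lines = [f"permit ip any host {gateway}"]
    for h in ipaddress.ip_network(network).hosts():
        if str(h) != gateway:
            lines.append(f"deny ip any host {h}")
    lines.append("permit ip any any")  # Internet-bound packets still reach the NAT box
    return lines


if __name__ == "__main__":
    # The lists from the opening post, the destination-based form, and the per-host expansion.
    lists = {
        "attempt1": ["permit ip any host 10.0.2.1", "deny ip 10.0.2.0 0.0.0.255 any", "permit ip any any"],
        "attempt2": ["permit ip any host 10.0.2.1", "permit ip host 10.0.2.1 any", "deny ip any any"],
        "intended": ["permit ip any host 10.0.2.1", "deny ip any 10.0.2.0 0.0.0.255", "permit ip any any"],
        "per_host": expand_per_host("10.0.2.0/24", "10.0.2.1"),
    }
    # 10.0.2.50 and 198.51.100.7 are constructed sample destinations.
    for name, text in lists.items():
        acl = [parse_ace(l) for l in text]
        for dst in ("10.0.2.1", "10.0.2.50", "198.51.100.7"):
            print(f"{name}: 10.0.2.83 -> {dst}:80  {evaluate(acl, 'tcp', '10.0.2.83', dst, 80)}")
```

Running the script prints one verdict per list and destination; `attempt2` and `attempt1` both show "deny" for the Internet address, while `intended` and `per_host` permit it and still deny 10.0.2.50. Note that the generator leaves the subnet broadcast address 10.0.2.255 out (`hosts()` excludes it), so directed broadcasts from the workstation fall through to the final `permit ip any any`; add a `host 10.0.2.255` ACE if that is not wanted.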

