Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
334
Views
0
Helpful
1
Replies

Software-Limitations for Catalyst 2950 and 2970

mwertejuk
Level 1
Level 1

‎02-17-2004 12:18 PM - edited ‎03-02-2019 01:39 PM

Hello *,

I want to establish a setup at a customer location with enhanced security features, especially Layer2 access lists.

I hoped it would be possible to define access groups with specific ACLs to only allow known MAC addresses access to the network.

Applying these groups to VLANs doesn't seem possible because, if I'm not mistaken, these could only be applied to physical interfaces but this limitation seems acceptable as we are not going to use VMPS and have to configure VLAN changes manually, so we can also change the access group membership manually.

Using 802.1x is not (yet) desirable.

I was hardly looking to find some details according limits, as for example maximum number of access groups, layer2 acls or other limitations which might interfere with my desired setup.

There will be one access group per vlan and each port will get an access group assigned to prevent "untrusted" access to the network (in fact, trusting on mac addresses is not very secure either but nevertheless it's better than nothing)

One known limitation on layer3 (!) ACLs is the subnet mask which has to be the same for all ACLs on a single physical interface but this is not of interest for the described setup.

Perhaps someone has tried something similar and wants to tell about his/her experiences.

Regards,

Marco

Labels:
0 Helpful
1 Reply 1

tbaranski
Level 4
Level 4

‎02-18-2004 07:58 AM

Layer-3 ACLs on the 2950 series are extremely limited in nature; I'd guess the same is true on 2970s but I've never used one of them. If you want to configure MAC address restrictions to prevent unauthorized hosts, your best bet is port security, which 2950s support just fine. See http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7f.html#1038501

0 Helpful
Customers Also Viewed These Support Documents