05-06-2008 05:37 PM - edited 03-05-2019 10:47 PM
I am not able to apply an extended access-list to a physical interface. The command ip access-group does not appear inside the physical interface.
05-06-2008 06:40 PM
The 2950 series switch is only a layer 2 switch.
You can only apply an ACL to areas like VTY, SNMP access, etc. on layer 2 switches. You cannot apply ACLs to physical interfaces on this switch.
Mark
05-08-2008 06:15 AM
It should work, including VLANs.
Which IOS is being used on the switch?
sh version
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 17-Oct-02 23:49 by xxxx
Image text-base: 0x80010000, data-base: 0x80528000
ROM: Bootstrap program is CALHOUN boot loader
xxxxxxx uptime is 37 weeks, 6 hours, 15 minutes
System returned to ROM by power-on
System image file is "flash:c2950-i6q4l2-mz.121-11.EA1a.bin"
switch(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name
switch(config-if)#int gi0/2
switch(config-if)#ip access
switch(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name
05-08-2008 10:08 AM
Hi pravinxyz,
When I try to apply this command inside the physical interface, access-group does not appear. Inside of Vlan1, a address not matche on the access-list.
The IOS used is c2950-i6k2l2q4-mz.121-22.EA11.bin and the model of the machine is C2950-24.
05-08-2008 10:12 AM
Can you give an example of the output and what you are trying to do, please?
05-08-2008 11:46 AM
I have the following working configuration:
System image file is "flash:c2950-i6k2l2q4-mz.121-22.EA10a.bin"
cisco WS-C2950T-24 (RC32300) processor (revision B0) with 19918K bytes of memory.
interface FastEthernet0/11
ip access-group std-sec-in in
ip access-list extended std-sec-in
remark Std. Security for at-risk ports. Log keyword not supported.
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ns
deny udp any any eq netbios-ss
deny tcp any any eq smtp
deny tcp any any eq telnet
deny tcp any any eq 22
permit ip any any
I'm not sure what you are trying to convey when you say: "Inside of Vlan1, a address not matche on the access-list."
Are you trying to use the "log" keyword?
Perhaps an "acceptable" ACL needs to exist before the access-group command becomes available.
The 2950 series is very limited in the user-defined ACL masks that it will support.
I suggest you read the "Configuring Network Security with ACLs" section of the Software Configuration Guide.
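A small offline audit of the kind of configuration shown in this post, as an added example that is not part of the original thread: it lists which interfaces have an ACL bound, and flags bindings to undefined ACLs and entries that use the log keyword. The sample configuration is constructed (Fa0/12 and Fa0/13 are not from the post), and only named ACLs are handled.

```python
import re

# Constructed sample in the style of the configuration posted above;
# Fa0/12 and Fa0/13 are added here only to exercise the checks.
SAMPLE_CONFIG = """\
interface FastEthernet0/11
 ip access-group std-sec-in in
interface FastEthernet0/12
 ip access-group missing-acl in
interface FastEthernet0/13
 switchport mode access
ip access-list extended std-sec-in
 remark Std. Security for at-risk ports. Log keyword not supported.
 deny udp any any eq netbios-ns
 deny tcp any any eq telnet log
 permit ip any any
"""

def audit_port_acls(config):
    """Return (bindings, findings) for interface ACL bindings in an IOS config."""
    bindings, acls, findings = {}, {}, []
    iface = acl = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            iface, acl = m.group(1), None
            bindings[iface] = None            # no ACL seen yet on this port
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acl, iface = m.group(1), None
            acls[acl] = []
        elif iface and (m := re.match(r"ip access-group (\S+) (in|out)", line)):
            bindings[iface] = m.group(1)
        elif acl and re.match(r"(permit|deny)\b", line):
            acls[acl].append(line)            # remarks are skipped
    for port, name in bindings.items():
        if name is None:
            findings.append(f"{port}: no ACL bound")
        elif name not in acls:
            findings.append(f"{port}: access-group '{name}' is not defined")
        else:
            for ace in acls[name]:
                if ace.split()[-1] in ("log", "log-input"):
                    findings.append(f"{port}: '{ace}' uses the log keyword")
    return bindings, findings

if __name__ == "__main__":
    for finding in audit_port_acls(SAMPLE_CONFIG)[1]:
        print(finding)
```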
05-10-2008 04:35 AM
From the "Cisco Catalyst 2950 Series Switches with Enhanced Image Software" data sheet:
The Cisco Catalyst 2950SX-48-SI, 2950T-48-SI, 2950SX-24, 2950-24 and 2950-12 are standalone,
fixed-configuration, managed 10/100 switches providing basic workgroup connectivity for small to medium-sized companies.
These wire-speed desktop switches come with Cisco Standard Image software features and offer Cisco IOS® Software functions for basic data, video, and voice services at the edge of the network.
Yours (2950-24) is among them.
In contrast:
Cisco Catalyst 2950 Series switches consist of the following devices, which are only available with Enhanced Image software for the Cisco Catalyst 2950 Series.
• Cisco Catalyst 2950G-48: 48 10/100 ports and 2 Gigabit Interface Converter (GBIC)-based Gigabit Ethernet ports
• Cisco Catalyst 2950G-24: 24 10/100 ports and 2 GBIC ports
• Cisco Catalyst 2950G-24-DC: 24 10/100 ports, 2 GBIC ports, DC power
• Cisco Catalyst 2950G-12: 12 10/100 ports 2 GBIC ports
• Cisco Catalyst 2950T-24: 24 10/100 ports and 2 fixed 10/100/1000BASE-T uplink ports
• Cisco Catalyst 2950C-24: 24 10/100 ports and 2 fixed 100BASE-FX uplink ports
Mine (2950T-24) was among these.
This explains the difference in command support between the two devices indicated in an earlier response.
05-08-2008 10:11 AM
Hi Mark,
I believe that this happens only on the model 2950-24. I ran these commands on the Catalyst 2950-48-EI and they work fine.
05-08-2008 09:28 PM
I think I may have commented before understanding your question fully. I think that the enterprise image has the capability of creating ACLs on physical interfaces. Because it is primarily a layer two switch, it is not capable of full-blown ACLs like other multilayer switches and routers. Do you have an enterprise IOS on the 2950-24 switch?
05-10-2008 01:41 AM
Hi,
Here's the answer for you.
You are running the "c2950-i6k2l2q4-mz.121-22.EA11" image. It cannot be determined from the file name whether this is an SMI switch or an EMI switch, but by the model number of the switch you can definitely identify this. If it's "WS-C2950-24" then it's SMI; if it's "WS-C2950G-48-EI" then it's EMI.
Port-based ACLs, which are what you are trying to configure, are supported only on the EMI images.
So check whether what you have is an SMI switch or not. My guess is that it's an SMI switch.
Also note that you can not upgrade SMI 2950 switch to EMI.
-> Sushil