05-25-2010 09:01 AM - edited 03-04-2019 08:35 AM
Hi,
I am a little bit confused about the difference between a Router-based Access List (RACL) and a VLAN Access Control List (VACL). What is the typical case where we should use a VACL?
Question 1:
Can we apply an RACL under a VLAN interface on a 2950 and expect that it can prevent some specific hosts from accessing a server with a layer 3 access-list if every host and the server are in the same VLAN, or should we use a VACL?
Question 2:
Where can we use a layer 3 access-list on a 2950? My understanding is that we cannot put a layer 3 access-list on a switchport, but can we put a layer 3 access-list on a switchport? Can we put it on a trunk port or on the Gigabit port of a 2950 and expect behavior similar to a router?
Thanks
Stéphane
05-25-2010 09:24 AM
Hello Stephane,
Be aware that a C2950 is an L2 LAN switch only; it cannot perform L3 switching.
As a result, you have no router ACL option on its SVIs (no routed traffic to process between VLANs), and I also have doubts about VACL support.
However, some ACL support is present; see:
The switch does not support these Cisco IOS router ACL-related features:
•Non-IP protocol ACLs (see Table 28-2)
•Bridge-group ACLs
•IP accounting
•ACL support on the outbound direction
•Inbound and outbound rate limiting (except with QoS ACLs)
•IP packets that have a header length of less than 5 bytes
•Reflexive ACLs
•Dynamic ACLs (except for certain specialized dynamic ACLs used by the switch clustering feature)
•ICMP-based filtering
•Interior Gateway Routing Protocol (IGMP)-based filtering
You can apply a "router" ACL to an L2 port:
>>>>The interface must be a Layer 2 or management interface or a management interface VLAN ID.
(only one SVI is supported for management purposes)
Hope to help
Giuseppe
05-25-2010 02:03 PM
Hi Giuseppe,
Thanks for the answer.
I did a quick test on a 2950 and an ME-3400, and you can put a layer 3 access-list on a port that is defined as a switchport. Can you confirm my conclusions:
You can prevent any user connected via a switchport (layer 2) from accessing a server with an access-group in command under the interface and a proper layer 3 access-list.
VLAN access-lists are more like a hardware layer 2 or 3 access-list on higher platforms like the Catalyst 6000.
Question:
What is the use of putting an access-list under a VLAN interface? Could you use an access-list under a VLAN interface to prevent a list of users from pinging the switch?
Thanks
Stéphane
05-25-2010 02:08 PM
Steph1963 wrote:
Hi Giuseppe,
Thanks for the answer.
I did a quick test on a 2950 and an ME-3400, and you can put a layer 3 access-list on a port that is defined as a switchport. Can you confirm my conclusions:
You can prevent any user connected via a switchport (layer 2) from accessing a server with an access-group in command under the interface and a proper layer 3 access-list.
VLAN access-lists are more like a hardware layer 2 or 3 access-list on higher platforms like the Catalyst 6000.
Question:
What is the use of putting an access-list under a VLAN interface? Could you use an access-list under a VLAN interface to prevent a list of users from pinging the switch?
Thanks
Stéphane
Stephane
Yes, you can use an L3 access-list on a switchport to restrict traffic in the inbound direction on that port, although you need to read all the restrictions, e.g. on the 2950 the subnet mask used must be the same for all entries in the access-list.
VLAN access-lists are more concerned with controlling traffic within a VLAN, i.e. from a host in the same VLAN to another in the same VLAN, rather than controlling traffic between VLANs, which is where RACLs are usually used.
You can use an access-list on an L2 switch under the VLAN interface to control who can connect to the actual switch or ping it, etc. Utilisation should not be that great.
Jon
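To make Giuseppe's and Jon's points concrete, here is an added configuration example (not from the original posts or from Cisco documentation) of the two places an IP ACL can actually be applied on a Catalyst 2950: inbound on an L2 switchport, to stop named hosts from reaching a server in the same VLAN, and inbound on the single management SVI, to control who can ping or log in to the switch itself. Addresses, VLAN numbers, interface names and ACL names are made up for the example; the 2950 needs the Enhanced Image (EI) for ACL support.

```cisco
! Catalyst 2950 running an IOS 12.1 EI image. Every address, VLAN number,
! interface and ACL name below is invented for this example.
!
! 1. Port ACL: keep two workstations in VLAN 10 away from a file server
!    that is also in VLAN 10. A RACL on an SVI cannot do this (the traffic
!    never gets routed), and the 2950 has no VACLs, so the inbound port ACL
!    on each workstation's access port is the control that remains.
!    2950 caveat: all entries must use the same mask, and host (/32)
!    entries satisfy that.
ip access-list extended BLOCK-TO-SERVER
 remark deny the two workstations access to the file server 10.10.10.100
 deny   ip host 10.10.10.21 host 10.10.10.100
 deny   ip host 10.10.10.22 host 10.10.10.100
 permit ip any any
!
interface FastEthernet0/1
 description workstation 10.10.10.21
 switchport mode access
 switchport access vlan 10
 ip access-group BLOCK-TO-SERVER in
!
interface FastEthernet0/2
 description workstation 10.10.10.22
 switchport mode access
 switchport access vlan 10
 ip access-group BLOCK-TO-SERVER in
!
! Applying one ACL "out" on the server's port would be the obvious shortcut,
! but outbound ACLs are not supported on the 2950 (see the restriction list
! in Giuseppe's first post), so filtering has to happen inbound at the
! source ports.
!
! 2. Management SVI ACL: only the management station may reach the switch's
!    own address (ping, telnet). This filters traffic TO the switch, not
!    traffic switched THROUGH it, which is why its use is limited on an L2
!    box. The 2950 supports a single management SVI (Vlan1 here).
ip access-list standard MGMT-ONLY
 remark management station only
 permit 192.168.1.50
 deny   any
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 ip access-group MGMT-ONLY in
!
! Verify what is applied where:
! show access-lists
! show running-config interface FastEthernet0/1
! show running-config interface Vlan1
```

Two things to keep in mind when using this pattern. The port ACL matches on the workstation's source IP, so a user who changes the address on their own machine steps around it; it is access control for well-behaved hosts, not an anti-spoofing control, and needs something like port security or a static IP policy behind it. And because the management ACL denies everything except one station, get the `permit` entry right before applying it on a remote switch, or the next console session will be a walk to the wiring closet.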
05-31-2010 07:07 AM
Hi,
Are there any special restrictions on the use of access-lists in the outbound direction on a 2950?
Thanks
Stéphane
05-31-2010 12:21 PM
Hello Stephane,
Among the known restrictions of ACLs on a C2950 is the fact that outbound ACLs are not supported on a switchport:
>> •ACL support on the outbound direction
See my first post in this thread; so if you are facing issues attempting to apply an ACL outbound, this is a known limitation.
Hope to help
Giuseppe