
Michael T. Davis 09-20-2012 04:18 PM

Dealing with ACL limitations on Catalyst 2950 switch
 
I have a Catalyst 2950 switch here running IOS v12 Enhanced Image.
As you know (if you have dealt with this particular line), while there is
ACL support, it's rather limited. I would like to set an incoming ACL on
a port (the switch's uplink) such that telnet (TCP port 23) and SNMP (UDP
port 161) are allowed from a particular external /26 subnet. The IP
address for the switch lies within a different /26 subnet. At the same
time, we need to allow all other traffic through this port. Conceptually,
the (extended IP) ACL would look something like this:

permit tcp <ext-subnet> 0.0.0.63 <int-subnet> 0.0.0.63 eq telnet
deny tcp any any eq telnet
permit udp <ext-subnet> 0.0.0.63 <int-subnet> 0.0.0.63 eq snmp
deny udp any any eq snmp
permit ip any <int-subnet> 0.0.0.63

Is there a way to implement this without encountering the limitations of
the ACL support in this switch, as indicated by the error...

%Error: The field sets of all the ACEs in an ACL on Ethernet interface
should match.

...when an attempt to apply the ACL to an interface is made? (I guess the
last ACE could use "...any any" rather than "...any <int-subnet> 0.0.0.63",
if that helps.)

Thanks,
Mike
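To make the intent of the ACL sketched in the post concrete, here is an added example (not from the post or from Cisco): a first-match evaluator for those five ACEs, plus a check of which header fields each ACE constrains. The /26 subnets are constructed placeholders, and reading the switch's "field sets ... should match" error as "every ACE must specify the same header fields" is an assumption of this example, not something the post confirms.

```python
import ipaddress

# Constructed placeholder subnets standing in for <ext-subnet> and <int-subnet>.
EXT = ipaddress.ip_network("198.51.100.64/26")
INT = ipaddress.ip_network("192.0.2.128/26")
ANY = ipaddress.ip_network("0.0.0.0/0")

# (action, protocol, source, destination, destination port or None),
# one tuple per ACE, in the order given in the post.
ACL = [
    ("permit", "tcp", EXT, INT, 23),    # telnet from ext to int
    ("deny",   "tcp", ANY, ANY, 23),    # telnet from anywhere else
    ("permit", "udp", EXT, INT, 161),   # snmp from ext to int
    ("deny",   "udp", ANY, ANY, 161),   # snmp from anywhere else
    ("permit", "ip",  ANY, INT, None),  # everything else to int
]

def field_set(ace):
    """Header fields this ACE matches on. 'any' still counts as a source or
    destination field (a fully wildcarded one); only the L4 port is optional.
    This is the example's assumed reading of the 2950 error message."""
    _, _, _, _, port = ace
    fields = {"proto", "src", "dst"}
    if port is not None:
        fields.add("dst-port")
    return frozenset(fields)

def mismatched_aces(acl):
    """1-based indexes of ACEs whose field set differs from the first ACE's."""
    first = field_set(acl[0])
    return [i + 1 for i, ace in enumerate(acl) if field_set(ace) != first]

def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, port in acl:
        if p != "ip" and p != proto:
            continue
        if s not in src_net or d not in dst_net:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    print("ACEs with a different field set:", mismatched_aces(ACL))
    # Traffic to a destination outside <int-subnet> hits the implicit deny.
    print(evaluate(ACL, "tcp", "203.0.113.5", "203.0.113.9", 443))
```

Running it shows that only the last ACE differs under this field-set reading, and that, because that ACE permits only traffic destined for the internal /26, anything forwarded toward other destinations falls through to the implicit deny.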

