Cisco WS-C2950-24 IOS 12.1(14)EA1a

Discussion in 'Cisco' started by Marc Tessier, Feb 9, 2004.

  1. Marc Tessier

    Marc Tessier Guest

    Hi!

    I've recently acquired one of the above mentioned Catalyst switches
    for the office. I'm trying to lock down some physical interfaces
    using Extended IP access-lists, but it doesn't seem like this switch
    has the ip access-group command. I know I've used it before on
    customer switches and the Cisco.com documentation mentions it for this
    IOS Version, so I don't see why this switch would be crippled. This
    is the output I get for the ip command in interface configuration mode:

    Marklar#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Marklar(config)#int f0/1
    Marklar(config-if)#ip ?
    Interface IP configuration subcommands:
    address Set the IP address of an interface
    igmp IGMP interface commands

    This is the show version output :

    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a,
    RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Tue 02-Sep-03 03:33 by antonino
    Image text-base: 0x80010000, data-base: 0x805C0000

    ROM: Bootstrap program is CALHOUN boot loader

    Marklar uptime is 22 minutes
    System returned to ROM by power-on
    System image file is "flash:/c2950-i6q4l2-mz.121-14.EA1a.bin"

    cisco WS-C2950-24 (RC32300) processor (revision M0) with 20710K bytes
    of memory.
    Processor board ID FOC0745Z0BP
    Last reset from system-reset
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)

    32K bytes of flash-simulated non-volatile configuration memory.


    Anyone know why these commands don't show up ?
    Marc Tessier, Feb 9, 2004
    #1

  2. Brian V

    Brian V Guest

    Marc,

    The 2950 is a layer 2 switch. You cannot do access lists in the ethernet
    interfaces. With the ei version you can apply them to vlan interfaces...not
    sure if that will only affect switch management tho.

    -Brian
    "Marc Tessier" <> wrote in message
    news:...
    Brian V, Feb 10, 2004
    #2

  3. Walter Roberson

    In article <x_WVb.12692$032.44869@attbi_s53>,
    Brian V <> wrote:
    :The 2950 is a layer 2 switch. You cannot do access lists in the ethernet
    :interfaces. With the ei version you can apply them to vlan interfaces...not
    :sure if that will only effect switch management tho.

    http://www.cisco.com/en/US/products..._reference_chapter09186a0080150b7b.html#77762

    access-list (IP extended)

    This command is available on physical interfaces only if your switch is
    running the enhanced software image (EI).

    http://www.cisco.com/en/US/products...figuration_guide_chapter09186a00801cde58.html

    "Configuring Network Security with ACLs"

    You can create ACLs for physical interfaces or management
    interfaces. A management interface is defined as a management VLAN
    or any traffic that is going directly to the CPU, such as SNMP,
    Telnet, or web traffic. You can create ACLs for management
    interfaces with the standard software image (SI) or the enhanced
    software image (EI) installed on your switch. However, you must
    have the EI installed on your switch to apply ACLs to physical
    interfaces.


    In short: with SI you can only do the management interfaces.
    With EI you can put access-lists on the ethernet ports.


    However:

    In an IP extended ACL (both named and numbered), a Layer 4
    system-defined mask cannot precede a Layer 3 user-defined mask. For
    example, a Layer 4 system-defined mask such as permit tcp any any
    or deny udp any any cannot precede a Layer 3 user-defined mask such
    as permit ip 10.1.1.1 any. If you configure this combination, the
    ACL is not allowed on a Layer 2 interface. All other combinations
    of system-defined and user-defined masks are allowed in security
    ACLs. [...]


    Only four user-defined masks can be defined for the entire system.
    These can be used for either security or quality of service (QoS)
    but cannot be shared by QoS and security. You can configure as many
    ACLs as you require. However, a system error message appears if
    ACLs with more than four different masks are applied to
    interfaces. [...]


    All ACEs in an ACL must have the same user-defined mask. However,
    ACEs can have different rules that use the same mask. On a given
    interface, only one type of user-defined mask is allowed, but you
    can apply any number of system-defined masks
    --
    "WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
    WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
    Walter Roberson, Feb 10, 2004
    #3
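An added example from the editor, not code from any of the posts above and not Cisco's: a small Python checker that encodes the three 2950 mask constraints Walter quotes from the configuration guide (a Layer 4 system-defined mask may not precede a Layer 3 user-defined mask, every ACE in an ACL must use the same user-defined mask, at most four user-defined masks system-wide). The page does not say how the 2950 derives a mask from an ACE, so the model is an assumption: an ACE whose source and destination are both `any` counts as system-defined, and the (source wildcard, destination wildcard) pair of any other ACE is its user-defined mask; QoS ACLs, which share the four-mask budget, are not modelled. The ACL lines in `SAMPLE` are constructed for the example.

```python
"""Catalyst 2950 security-ACL mask rules, modelled as a checker.

Added example, not code from the thread or from Cisco. ASSUMPTIONS:
  * "system-defined mask"  = ACE with source and destination both `any`,
    e.g. `permit tcp any any` (the page's own example);
  * "user-defined mask"    = (src wildcard, dst wildcard) of any ACE that
    names a host or subnet, e.g. `permit ip 10.1.1.1 any`;
  * QoS ACLs, which share the four-mask budget, are not modelled.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "255.255.255.255"        # wildcard that matches every address
MAX_USER_MASKS = 4             # system-wide limit quoted in the thread
PORT_OPS = ("eq", "gt", "lt", "neq")


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src_wild: str
    dst_wild: str

    @property
    def user_defined(self) -> bool:
        """True when the ACE names a host or subnet on either side."""
        return not (self.src_wild == ANY and self.dst_wild == ANY)

    @property
    def mask(self) -> Optional[Tuple[str, str]]:
        """The user-defined mask, or None for a system-defined ACE."""
        return (self.src_wild, self.dst_wild) if self.user_defined else None


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (wildcard, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":               # `host A.B.C.D` == wildcard 0.0.0.0
        return "0.0.0.0", i + 2
    return tokens[i + 1], i + 2     # `A.B.C.D W.W.W.W`


def parse_ace(line: str) -> Ace:
    """Parse `[access-list N] permit|deny <proto> <src> [port] <dst> [port]`."""
    t = line.split()
    if t[:1] == ["access-list"]:
        t = t[2:]                   # drop `access-list <number>`
    action, proto = t[0], t[1]
    src, i = _take_addr(t, 2)
    if i < len(t) and t[i] in PORT_OPS:   # skip a source port qualifier
        i += 2
    dst, i = _take_addr(t, i)
    return Ace(action, proto, src, dst)


def check_acl(lines):
    """Violations that would keep this ACL off a Layer 2 port (empty = OK)."""
    problems, masks, seen_l4_system = [], set(), False
    for n, ace in enumerate(map(parse_ace, lines), 1):
        if ace.user_defined:
            masks.add(ace.mask)
            if seen_l4_system:      # rule 1: L4 system mask before a user mask
                problems.append(
                    f"ACE {n}: user-defined mask follows a Layer 4 system-defined mask")
        elif ace.proto in ("tcp", "udp"):
            seen_l4_system = True   # `permit tcp any any`, `deny udp any any`, ...
    if len(masks) > 1:              # rule 2: one user-defined mask per ACL
        problems.append(
            f"{len(masks)} different user-defined masks in one ACL (only one allowed)")
    return problems


def check_system(applied):
    """`applied` maps ACL name -> ACE lines for every ACL bound to an interface."""
    problems, all_masks = [], set()
    for name, lines in applied.items():
        problems += [f"{name}: {p}" for p in check_acl(lines)]
        all_masks |= {a.mask for a in map(parse_ace, lines) if a.user_defined}
    if len(all_masks) > MAX_USER_MASKS:   # rule 3: four user masks system-wide
        problems.append(
            f"{len(all_masks)} user-defined masks applied; system limit is {MAX_USER_MASKS}")
    return problems


# Constructed sample: 101 breaks the ordering rule, 102 is accepted,
# 103 mixes a host mask with a /24 mask in one ACL.
SAMPLE = {
    "101": ["permit tcp any any",
            "permit ip host 10.1.1.1 any",
            "deny ip any any"],
    "102": ["permit ip 10.1.1.0 0.0.0.255 any",
            "deny udp any any",
            "permit tcp any any eq 22"],
    "103": ["permit ip host 10.1.1.1 any",
            "permit ip 10.1.2.0 0.0.0.255 any"],
}

if __name__ == "__main__":
    for name, lines in SAMPLE.items():
        print(f"access-list {name}:", check_acl(lines) or "ok")
    print("system:", check_system(SAMPLE) or "ok")
```

ACL 101 is the exact combination the guide says is refused on a Layer 2 interface; 102 puts the host/subnet entry first and is accepted. Moving the `permit tcp any any` in 101 below the `host` entry makes it pass, which is the usual workaround for this family of switches.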
  4. Brian V

    Brian V Guest

    so I thought too...

    Here's my 2950 running ei software:

    Brian_2950#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Brian_2950(config)#access-list 101 permit ip any any
    Brian_2950(config)#int f0/1
    Brian_2950(config-if)#ip access-group 101 in
                             ^
    % Invalid input detected at '^' marker.

    Brian_2950(config-if)#ip ?
    Interface IP configuration subcommands:
    address Set the IP address of an interface
    igmp IGMP interface commands

    Brian_2950(config-if)#int vlan 1
    Brian_2950(config-if)#ip access-group 101 in
    Brian_2950(config-if)#^Z
    Brian_2950#

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:c09i7h$44b$...
    Brian V, Feb 10, 2004
    #4
  5. Walter Roberson

    In article <9eZVb.266632$xy6.1375863@attbi_s02>,
    Brian V <> wrote:
    :so I thought too...

    :Here's my 2950 running ei software:

    :Brian_2950(config)#int f0/1
    :Brian_2950(config-if)#ip access-group 101 in

    I just noticed from your Subject line that you are running 12.1(14)EA1a .
    I did not cross-check to see how far back ACLs on physical interfaces
    are supported: I might have been giving information about 12.1(19).
    --
    Live it up, rip it up, why so lazy?
    Give it out, dish it out, let's go crazy, yeah!
    -- Supertramp (The USENET Song)
    Walter Roberson, Feb 10, 2004
    #5
  6. Marc Tessier

    Marc Tessier Guest

    "Brian V" <> wrote in message news:<x_WVb.12692$032.44869@attbi_s53>...
    > Marc,
    >
    > The 2950 is a layer 2 switch. You cannot do access lists in the ethernet
    > interfaces. With the ei version you can apply them to vlan interfaces...not
    > sure if that will only effect switch management tho.


    Hi!

    Thanks for the reply, I noticed just after posting that our customer
    switches are running the EI. I hadn't noticed the paragraph about
    applying access-lists to physical interface was only available on the
    EI. Anyway, to answer the rest of the thread, the ip access-group
    function is available since 12.1(6) on physical interfaces. It does
    have some pretty severe limitations as far as access-lists go (only
    1 mask can be defined for an access list and has to be re-used for
    every rule), but it still has its uses.

    Also, applying access-lists to the vlan interfaces only affects
    switch management, and not traffic actually switched through the
    vlans. It's pretty much useless unless you want to make sure only 1
    box can talk to the switch.
    Marc Tessier, Feb 10, 2004
    #6
