Dealing with ACL limitations on Catalyst 2950 switch

Discussion in 'Cisco' started by Michael T. Davis, Sep 20, 2012.

  1. I have a Catalyst 2950 switch here running IOS v12 Enhanced Image.
    As you know (if you have dealt with this particular line), while there is
    ACL support, it's rather limited. I would like to set an incoming ACL on
    a port (the switch's uplink) such that telnet (TCP port 23) and SNMP (UDP
    port 161) are allowed from a particular external /26 subnet. The IP
    address for the switch lies within a different /26 subnet. At the same
    time, we need to allow all other traffic through this port. Conceptually,
    the (extended IP) ACL would look something like this:

    permit tcp <ext-subnet> 0.0.0.63 <int-subnet> 0.0.0.63 eq telnet
    deny tcp any any eq telnet
    permit udp <ext-subnet> 0.0.0.63 <int-subnet> 0.0.0.63 eq snmp
    deny udp any any eq snmp
    permit ip any <int-subnet> 0.0.0.63

    Is there a way to implement this without encountering the limitations of
    the ACL support in this switch, as indicated by the error...

    %Error: The field sets of all the ACEs in an ACL on Ethernet interface
    should match.

    ....when an attempt to apply the ACL to an interface is made? (I guess the
    last ACE could use "...any any" rather than "...any <int-subnet> 0.0.0.63",
    if that helps.)

    Thanks,
    Mike
     
    Michael T. Davis, Sep 20, 2012
    #1
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.