
CISCO 2950: ACL in the VLAN

Status
Not open for further replies.

ASergey

IS-IT--Management
Feb 17, 2009
1
RU
Hello everybody.
I'm trying to use an ACL in my main VLAN. The aim is to permit traffic only with part of the network (the servers' address scope), and to deny all other traffic between PCs (udp, icmp, tcp).

1. I created the extended access-list with all rules.
2. On my interface vlan I submitted access-group to this access-list.

I tried a lot of combinations of rules, but the traffic between PCs (that should be canceled - one PC connected to this device and the other somewhere in the network) still exists. Maybe somebody has had any practice like this?

Thanks a lot
 
If you are just putting it on the layer 3 SVI, that won't work; that is for managing the switch only. See the doc to see how to apply it to individual interfaces if you want to go to that trouble. Otherwise this should be done at the gateway or router on the incoming interface; it would be a lot easier.
 
If you want to filter traffic inside a vlan you will need to implement a vlan access map or VACL depending upon which switch model you have. You can use your access that you have made with this vlan access map.

Applying a regular extended access list to an SVI will only filter traffic at the layer 3 edge. So it would not affect host-to-host communication within the VLAN.
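The VLAN access map approach from the last reply, sketched as an added example that is not part of any post in this thread. It assumes a Catalyst model whose IOS supports VLAN maps; the VLAN number, the names and the 192.0.2.0/28 server range are constructed placeholders.

```cisco
! Added example, not from the thread. VLAN 10, the ACL and map names,
! and the server range 192.0.2.0/28 are constructed placeholders.
!
! In a VLAN map the ACL only classifies traffic: "permit" means
! "this packet matches", and the map entry's action decides its fate.
ip access-list extended SERVER-TRAFFIC
 permit ip any 192.0.2.0 0.0.0.15
 permit ip 192.0.2.0 0.0.0.15 any
!
! Forward anything to or from the server range.
vlan access-map INTRA-VLAN-FILTER 10
 match ip address SERVER-TRAFFIC
 action forward
!
! No further entry is needed for the deny: once the map contains an
! IP match clause, IP packets that match no entry are dropped, so
! PC-to-PC tcp, udp and icmp inside the VLAN is blocked. Non-IP
! frames such as ARP have no match clause of their type in the map
! and are still forwarded.
!
! Caveat: the implicit drop also covers IP broadcasts. If the PCs
! get addresses from a DHCP server, add a permit for that traffic to
! SERVER-TRAFFIC before applying the filter.
!
! Attach the map to the VLAN. Unlike "ip access-group" on the SVI,
! this filters frames bridged between ports in the same VLAN.
vlan filter INTRA-VLAN-FILTER vlan-list 10
```

`show vlan access-map` and `show vlan filter` display the map entries and the VLANs they are applied to.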
 