ACL on a Layer 2 switch?

nb-nb- Member Posts: 40 ■■□□□□□□□□
I can't really seem to figure out why i can not configure ACL on a layer 2 switch in packet tracer? I'm using a Catalyst 2960. I'm able to create the actual ACL on the switch, but it does not recognize the command when i attempt to group it to an ethernet interface using ip access-group.
It won't even recognize the command or anything else that could come after the first word followed by a questionmark..

I tried deploying a Layer 3 switch from Packet tracer and found out i had the exact same issue.. Having spend some time searching for a fix, i notice that many others has ACL configured and working on 2960 switches, so im really curious whether it is an overall issue with physical equipment too, or whether packet tracer is just taking the piss..
Either way ill appreciate any help i can get.

While i'm at it, i'd like to ask another question too.. I've got the following network topology:


http://i42.tinypic.com/nn44tg.png

Basically i'm trying to simulate a coorporate network with a core switch and serval access layer switches on different locations and with different vlans based on location and job description. So far i have managed to setup all equipment and configure layer 3 switching between all networks. If someone knows a fix to the ACL thing above, i'd like to filter access to the servers, and eventually configure NAT and WAN access out.
I'm lost when it comes to redirecting access from the core switch to the router.. I dont know what to configure the ethernet port on the core switch with, or what IP to configure the ethernet interface on the router with.. Am i supposed to assign the fa0/1 on the router an IP address from my Management vlan?
My core switch has an address of 10.145.99.1 and is the default gateway for all my layer 2 switches. So do i give the routers FA0/1 interface an ip of 10.145.99.254 and configure my core switch with an ip default-gateway pointing to this IP?

Also how to i redistribute traffic to the internet once i establish a link between my core switch and the router? I already have a loopback interface on the router which i'm planning to use to simulate the internet.

Thank you!

Comments

  • steveyeungsteveyeung Member Posts: 44 ■■□□□□□□□□
    access list involve layer 3 protocol, port number .. which a layer 2 switch should not be able to deal with.
  • Dieg0MDieg0M Member Posts: 861
    steveyeung wrote: »
    access list involve layer 3 protocol, port number .. which a layer 2 switch should not be able to deal with.
    Access-lists can be applied to L2 switches and only extended access-lists involve protocol. Unfortunately Packet-tracer is limited in what it does and does not offer the option to apply access-list on switch ports but you are correct that usually you would be able to apply the ip access-group command to a port with some limitations depending of the switch model.
    Follow my CCDE journey at www.routingnull0.com
  • nb-nb- Member Posts: 40 ■■□□□□□□□□
    Okay thank you! So if i grabbed a physical Catalyst 2950 or 2960 i would be able to? Also does anyone have a solution for the second question? Thank you!
  • Dieg0MDieg0M Member Posts: 861
    Yes, I believe 2950 EMI switches and 2960 can use ACL per port inbound. As for your second question, if you only have a single-homed connection then just use a default static route pointing to your outbound interface. Also, be careful when you use the word "redistribute" as for network engineers it usually means to do redistribution from one protocol to another. Next time use the word "route" or even "forward".
    Follow my CCDE journey at www.routingnull0.com
Sign In or Register to comment.