vlan access maps 2950

Hi, I have a 2950 switch:

- IOS: c2950-i6q412-mz.121-22.ea6.bin
- IOS: c2950-i6k212q4-mz.121-22.ea14.bin

I am attempting to configure VLAN access maps, but it appears it is not part of my IOS features:

config t
ip access-list extended local-17 - successful
permit ip host - successful
vlan access-map block-17 10 - enter (unrecognised)

It appears I can configure 'vlan access-maps' on my layer 3 switch:

- IOS: c3550-i5q312-mz.121-22.ea2.bin

config t
vlan access-map - command recognised

Question 1. I always thought VLAN access maps could be used on any layer 2 device. Or is it only a feature when using a layer 3 switch, due to its routing capabilities, as otherwise it would not be required on a layer 2 switch, so using normal access lists would be the usual approach on a layer 2 switch instead?

Don Johnston (Instructor) commented:
VACLs can be applied to a layer-2 interface. But it has to be at least a layer-3 capable switch. IIRC, the 3560 is the lowest model switch that supports VACLs.

mikey250 (Author) commented:
Yes, I understand that, because that is what I meant: I am aware that a 3550, which is what I have, is still a layer 2 device but is also a layer 3/router device due to that capability.

So what I'm trying to understand is: if my layer 2 switch does not have the capability for (VLAN maps), and also does not have layer 3 capability, does this mean I have one less layer of security, or if I'm plugging into my ASA5505, could I potentially configure something on that?

I've done some reading but am trying to get to that level of clarity.
Don Johnston (Instructor) commented:
It depends on what you're trying to accomplish.

VACLs allow you to filter traffic on a VLAN (I mistakenly said "interface" before... that would be a PACL) based on layer-3 address. If there are two devices on the same VLAN and you don't want them to communicate, then you could either use a MAC ACL or not have them in the same VLAN.

You could also use Private VLANs, but I don't believe 2950s support those either.
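For the intra-VLAN filtering Don describes, here is an added example (not from the thread) of what a VACL, a PACL and a MAC ACL look like on a Catalyst that supports them; the 10.1.17.x addresses, the MAC addresses, VLAN 17 and FastEthernet0/17 are constructed placeholders.

```cisco
! Constructed example: stop host A (10.1.17.10) and host B (10.1.17.20),
! both on VLAN 17, from talking to each other, three different ways.

! 1) VACL - the feature the 2950 image did not recognise. The ACL
!    selects the traffic; the map decides what happens to it. Sequence 20
!    with no match clause is essential: a VACL has an implicit deny at
!    the end, so without it all other traffic on the VLAN would be dropped.
ip access-list extended A-B-PAIR
 permit ip host 10.1.17.10 host 10.1.17.20
 permit ip host 10.1.17.20 host 10.1.17.10
!
vlan access-map BLOCK-17 10
 match ip address A-B-PAIR
 action drop
vlan access-map BLOCK-17 20
 action forward
!
vlan filter BLOCK-17 vlan-list 17

! 2) PACL - a layer-3 ACL applied inbound on the layer-2 switchport that
!    host A hangs off. "Port" here means the physical interface, not a
!    TCP/UDP port; switchports only take the ACL in the inbound direction.
ip access-list extended BLOCK-A-TO-B
 deny   ip host 10.1.17.10 host 10.1.17.20
 permit ip any any
!
interface FastEthernet0/17
 switchport mode access
 switchport access vlan 17
 ip access-group BLOCK-A-TO-B in

! 3) MAC ACL - same idea, matching on Ethernet addresses instead, which
!    also covers non-IP traffic between the two hosts.
mac access-list extended BLOCK-A-TO-B-MAC
 deny   host 0000.0000.000a host 0000.0000.000b
 permit any any
!
interface FastEthernet0/17
 mac access-group BLOCK-A-TO-B-MAC in

! Verification commands to confirm the bindings took effect:
! show vlan access-map BLOCK-17
! show vlan filter
! show ip access-lists
```

Which of these a particular 2950 image accepts is something to test on the box itself; the thread only establishes that `vlan access-map` is not among them.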

mikey250 (Author) commented:
Yes, I realise 'VACLs' allow you to filter specifically VLANs, as opposed to normal (ACLs) when they are used.

PACL - I presume you mean if I was to configure a switch to be (transparent) and then have to specify:

- promiscuous
- isolated
- community
Don Johnston (Instructor) commented:
No. PACL is a Port-based ACL, meaning you apply the layer-3 ACL to a layer-2 interface.

Private VLANs are where you have the promiscuous, isolated and community VLANs.
mikey250 (Author) commented:
Oh OK, that was my first thought (port ACL), i.e. specifying a specific port to deny or block, i.e. 80, or a specific server using a specific application using a specific port... I assume.
mikey250 (Author) commented:
But yes, I understand what you mean, i.e. using a private VLAN method is another way of providing another type of layer security, but in a different way, and in this case for those companies setting up specifically a (transparent) VTP server, as I believe this is only for that method.
mikey250 (Author) commented:
Thanks for the advice. On another note, I'm sure you have assisted me with an ASA5505 internet issue before in the past, I think... which, when configuring using the ASA5505 built-in DHCP, I got internet access... but now I have configured the same ASA5505 via the (CLI) and cannot seem to get internet through... I wonder if you could shed some light?

mikey250 (Author) commented:
Sound advice. Appreciated.
Don Johnston (Instructor) commented:
No. Port Based VLANs is a poor choice of terminology. It should be "Layer-2 Interface ACL". The term "port" in this case has to do with the physical port, not a TCP or UDP port.

Providing traffic control within a VLAN is a challenge. Other than MAC ACLs, VACLs and PACLs, I can't think of anything else.

And VTP doesn't have anything to do with controlling traffic between hosts on the same VLAN.
mikey250 (Author) commented:
Physical port - oh OK, understood.

As for VTP, yes, I went off there... as if it is (transparent) then VTP is not required.

Thanks for the reminder.