
vlan access maps 2950

Hi, I have a 2950 switch:

- ios: c2950-i6q412-mz.121-22.ea6.bin
- ios: c2950-i6k212q4-mz.121-22.ea14.bin

I am attempting to configure VLAN access maps, but it appears it is not part of my IOS feature set:

config t
ip access-list extended local-17 - successful
permit ip host 192.168.0.15 192.168.0.1 0.0.0.255 - successful
exit
vlan access-map block-17 10 - unrecognised command

3550

It appears I can configure 'vlan access-maps' on my layer 3 switch:

- ios: c3550-i5q312-mz.121-22.ea2.bin

config t
vlan access-map - command recognized

Question 1. I always thought VLAN access maps could be used on any layer 2 device. Or is it only a feature of a layer 3 switch, due to its routing capabilities, so that it would otherwise not be required on a layer 2 switch, where using normal access-lists would be the usual approach instead?

Don Johnston, Instructor (Top Expert 2015), commented:
VACLs can be applied to a layer-2 interface. But it has to at least be a layer-3 capable switch. IIRC, the 3560 is the lowest model switch that supports VACLs.

Author commented:
Yes, I understand that, because that is what I meant: I am aware that a 3550, which is what I have, is still a layer 2 device but is also a layer 3/router device due to that capability.

So what I'm trying to understand is: if my layer 2 switch does not have the capability for VLAN maps, and also does not have layer 3 capability, does this mean I have one less layer of security? Or, if I'm plugging into my ASA5505, could I potentially configure something on that?

I've done some reading but am trying to get to that level of clarity.

Don Johnston, Instructor (Top Expert 2015), commented:
It depends on what you're trying to accomplish.

VACLs allow you to filter traffic on a VLAN (I mistakenly said "interface" before... that would be a PACL) based on layer-3 address. If there are two devices on the same VLAN and you don't want them to communicate, then you could either use a MAC ACL or not have them in the same VLAN.

You could also use Private VLANs, but I don't believe 2950s support those either.

Author commented:
Yes, I realise VACLs allow you to filter VLANs specifically, as opposed to normal ACLs when they are used.

PACL - I presume you mean if I was to configure a switch to be transparent and then have to specify:

- promiscuous
- isolated
- community
Don Johnston, Instructor (Top Expert 2015), commented:
No. PACL is a Port-based ACL, meaning you apply the layer-3 ACL to a layer-2 interface.

Private VLANs are where you have the promiscuous, isolated and community VLANs.

Author commented:
Oh OK, that was my first thought (port ACL), i.e. specifying a specific port to deny or block, e.g. 80, or a specific server using a specific application on a specific port, I assume.

Author commented:
But yes, I understand what you mean, i.e. using a private VLAN method is another way of providing another type of layer security, but in a different way, and in this case for those companies specifically setting up a transparent VTP server, as I believe this is only for that method.

Author commented:
Thanks for the advice. On another note, I'm sure you have assisted me with an ASA5505 internet issue before in the past, I think... when configuring using the ASA5505 built-in DHCP I got internet access, but now I have configured the same ASA5505 via the CLI and cannot seem to get internet through... I wonder if you could shed some light?

http://www.experts-exchange.com/Security/Software_Firewalls/Cisco_PIX_Firewall/Q_28649486.html

Author commented:
Sound advice. Appreciated.
Don Johnston, Instructor (Top Expert 2015), commented:
No. "Port-based VLANs" is a poor choice of terminology. It should be "Layer-2 Interface ACL". The term "port" in this case has to do with the physical port, not a TCP or UDP port.

Providing traffic control within a VLAN is a challenge. Other than MAC ACLs, VACLs and PACLs, I can't think of anything else.

And VTP doesn't have anything to do with controlling traffic between hosts on the same VLAN.
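
The three in-VLAN filtering options Don names above (VACLs filtering a whole VLAN, PACLs applying a layer-3 ACL to a layer-2 interface, and MAC ACLs) side by side, as an added example in Cisco IOS configuration syntax; it is not configuration from this thread or from Cisco documentation. It assumes a 3550-class switch, that the hosts sit in VLAN 17, that 192.168.0.15 is the workstation from the question, and that 192.168.0.20 (a server), FastEthernet0/1 (the workstation's access port) and the MAC address 0000.1111.2222 are hypothetical. The subnet is written as 192.168.0.0 0.0.0.255; IOS normalises the thread's 192.168.0.1 0.0.0.255 to the same thing.

```cisco
! Added example, not from the thread. Policy: the workstation 192.168.0.15 may
! talk to the server 192.168.0.20 and to anything off-subnet, but to nothing
! else inside 192.168.0.0/24. Server, port and MAC address are hypothetical.
!
! --- 1. VACL: filters VLAN 17 no matter which port the frame enters.
! Inside an access map the ACL only decides whether a packet MATCHES;
! the "action" line decides what happens to it.
ip access-list extended WS-TO-SERVER
 permit ip host 192.168.0.15 host 192.168.0.20
!
ip access-list extended WS-TO-SUBNET
 permit ip host 192.168.0.15 192.168.0.0 0.0.0.255
!
ip access-list extended ANY-IP
 permit ip any any
!
vlan access-map BLOCK-17 10
 match ip address WS-TO-SERVER
 action forward
vlan access-map BLOCK-17 20
 match ip address WS-TO-SUBNET
 action drop
vlan access-map BLOCK-17 30
 match ip address ANY-IP
 action forward
!
! Sequence 30 matters: a packet matching no sequence is dropped, so an
! access map with only "drop" clauses silently kills the whole VLAN.
vlan filter BLOCK-17 vlan-list 17
!
! --- 2. PACL: the same layer-3 policy on one layer-2 (switchport) interface.
! "Port" is the physical interface, not a TCP/UDP port. Applies inbound only,
! so it catches only traffic the workstation sends, not replies to it.
ip access-list extended PACL-WS
 permit ip host 192.168.0.15 host 192.168.0.20
 deny   ip host 192.168.0.15 192.168.0.0 0.0.0.255
 permit ip any any
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 17
 ip access-group PACL-WS in
!
! --- 3. MAC ACL: filter on layer-2 addresses on the same port.
mac access-list extended NO-WS-MAC
 deny   host 0000.1111.2222 any
 permit any any
!
interface FastEthernet0/1
 mac access-group NO-WS-MAC in
!
! --- Verification after applying
! show vlan access-map BLOCK-17
! show vlan filter
! show ip access-lists PACL-WS
! show mac access-group interface FastEthernet0/1
```

Two caveats worth checking against the configuration guide for your exact platform and image before relying on any of this: on the 3550/3560 families a MAC ACL (applied directly or via `match mac address` in an access map) filters only non-IP frames, so it does not separate two IP hosts on its own, and a VACL drop is silent, so test with `ping` from the workstation and watch the `show` output rather than assuming the map took effect.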

Author commented:
Physical port - oh OK, understood.

As for VTP, yes, I went off there... as if it is transparent then VTP is not required.

Thanks for the reminder.