three hosts have internet access only

Unanswered Question
Jul 16th, 2007

I have three hosts in a VLAN of 20 hosts that I want to prevent accessing our internal network during training.

I have two 6509 switches that are set up in a HSRP group with a standby address of 10.1.45.254.

The hosts in this VLAN are on another switch that trunks up to the 6509; the trunk port on the 6509 is the SVI interface of 10.1.45.254.

I applied the below access-list and was still able to access the internal network from the host machine in the access-list. I applied it inbound to the SVI on the 6509 switch.

Could you take a look and let me know what is wrong?

The first line is to allow the host to get to the default gateway; is this needed?

The second line will prevent telnet access to the switch, the rest are denying traffic for the host and the last line is to allow all other hosts any access.

access-list 100 permit host 10.1.45.1 10.1.45.254 0.0.0.0
access-list 100 deny tcp host 10.1.45.1 host 10.1.45.254 eq 23
access-list 100 deny ip host 10.1.45.1 10.0.0.0 0.255.255.255
access-list 100 deny ip host 10.1.45.1 10.5.0.0 0.0.255.255
access-list 100 deny ip host 10.1.45.1 172.16.0.0 0.0.255.255
access-list 100 deny ip host 10.1.45.1 192.168.0.0 0.0.255.255
access-list 100 deny ip host 10.1.45.1 199.220.0.0 0.0.255.255
access-list 100 permit ip any any

interface vlan 45
ip access-group 100 in

Could it be that I applied it to the interface that was not the active one in the HSRP group?

Do I need to apply the access-list to both 6509 switches?

Richard Burts Mon, 07/16/2007 - 18:23

Wilson

This would seem to be the continuation of your earlier question.

Yes, you need to apply this access list to both 6509 switches. Whichever switch is receiving the packets from the end stations needs to have the filter applied, and one of the essential concepts of HSRP is that either switch may wind up receiving the packets.

No, you do not need the first line - unless for some reason you want those hosts to communicate directly and specifically with the switch interface. I also note that the first line has a syntax error since it has permit and has host but does not specify whether it is permitting ip or tcp or udp or whatever.

I also note that there appears to be an error in logical ordering. The second line denies telnet access to the switch interface but if it follows the first line which would have permitted ip access to the switch (I assume) then the second line would have no effect.

I also note that the 4th line (access-list 100 deny ip host 10.1.45.1 10.5.0.0 0.0.255.255) is redundant since 10.5.0.0/16 is contained within the address range of the line before it (access-list 100 deny ip host 10.1.45.1 10.0.0.0 0.255.255.255).

I also note that both questions have specified that there are 3 hosts that need this restriction but that this access list only deals with 1 of them (host 10.1.45.1). You would need to make copies of the lines in the access list and change them to specify the other 2 hosts. Like I said in my response to your other question, this effort can get to be tedious.

HTH

Rick
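As an added example, not posted by either participant in this thread, here is a version of access-list 100 that applies the points in the reply above: the protocol-less first line is dropped, the telnet deny comes before any permit so it is not shadowed, the redundant 10.5.0.0/16 line is removed, and the same deny lines are repeated for all three training hosts. The addresses 10.1.45.2 and 10.1.45.3 for the other two hosts are assumed placeholders; the internal ranges are the ones from the original post.

```cisco
! Configure on BOTH 6509 switches: with HSRP either one may receive the VLAN's traffic.
no access-list 100
!
! Deny telnet to the SVI first so no later permit shadows it
access-list 100 deny   tcp host 10.1.45.1 host 10.1.45.254 eq 23
access-list 100 deny   tcp host 10.1.45.2 host 10.1.45.254 eq 23
access-list 100 deny   tcp host 10.1.45.3 host 10.1.45.254 eq 23
!
! Training host 1 (10.5.0.0/16 line omitted: already covered by 10.0.0.0/8)
access-list 100 deny   ip host 10.1.45.1 10.0.0.0 0.255.255.255
access-list 100 deny   ip host 10.1.45.1 172.16.0.0 0.0.255.255
access-list 100 deny   ip host 10.1.45.1 192.168.0.0 0.0.255.255
access-list 100 deny   ip host 10.1.45.1 199.220.0.0 0.0.255.255
!
! Training host 2 (address assumed for this example)
access-list 100 deny   ip host 10.1.45.2 10.0.0.0 0.255.255.255
access-list 100 deny   ip host 10.1.45.2 172.16.0.0 0.0.255.255
access-list 100 deny   ip host 10.1.45.2 192.168.0.0 0.0.255.255
access-list 100 deny   ip host 10.1.45.2 199.220.0.0 0.0.255.255
!
! Training host 3 (address assumed for this example)
access-list 100 deny   ip host 10.1.45.3 10.0.0.0 0.255.255.255
access-list 100 deny   ip host 10.1.45.3 172.16.0.0 0.0.255.255
access-list 100 deny   ip host 10.1.45.3 192.168.0.0 0.0.255.255
access-list 100 deny   ip host 10.1.45.3 199.220.0.0 0.0.255.255
!
! Everything else in the VLAN keeps full access (the implicit deny would otherwise drop it)
access-list 100 permit ip any any
!
interface Vlan45
 ip access-group 100 in
```

After applying it on both switches, `show access-lists 100` shows per-line hit counters, which confirms whether packets from the training hosts are actually matching the deny lines on the switch that is currently forwarding for the VLAN.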
