three hosts have internet access only

Unanswered Question
Jul 16th, 2007

I have three hosts in a VLAN of 20 hosts that I want to prevent accessing our internal network during training.

I have two 6509 switches that are set up in a HSRP group with a standby address of

The hosts in this vlan are on another switch that trunks up to the 6509, the trunk port on the 6509 is the SVI interface of

I applied the below access-list and was still able to access the internal network from the host machine in the access-list. I applied it inbound to the SVI on the 6509 switch.

Could you take a look and let me know what is wrong?

The first line is to allow the host to get to the default gateway, is this needed?

The second line will prevent telnet access to the switch, the rest are denying traffic for the host and the last line is to allow all other hosts any access.

access-list 100 permit host
access-list 100 deny tcp host host eq 23
access-list 100 deny ip host
access-list 100 deny ip host
access-list 100 deny ip host
access-list 100 deny ip host
access-list 100 deny ip host
access-list 100 permit ip any any

interface vlan 45
 ip access-group 100 in

Could it be that I applied it to the interface that was not the active one in the HSRP group?

Do I need to apply the access-list to both 6509 switches?

Richard Burts Mon, 07/16/2007 - 18:23


This would seem to be the continuation of your earlier question.

Yes you need to apply this access list to both 6509 switches. Whichever switch is receiving the packets from the end stations needs to have the filter applied. And one of the essential concepts of HSRP is that either switch may wind up receiving the packets.

No you do not need the first line - unless for some reason you want those hosts to communicate directly and specifically with the switch interface. I also note that the first line has a syntax error since it has permit and has host but does not specify whether it is permitting ip or tcp or udp or whatever.

I also note that there appears to be an error in logical ordering. The second line denies telnet access to the switch interface but if it follows the first line which would have permitted ip access to the switch (I assume) then the second line would have no effect.

I also note that the 4th line (access-list 100 deny ip host is redundant since is contained within the address range of the line before it (access-list 100 deny ip host

I also note that both questions have specified that there are 3 hosts that need this restriction but that this access list only deals with 1 of them (host You would need to make copies of the lines in the access list and change them to specify the other 2 hosts. Like I said in my response to your other question, this effort can get to be tedious.
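The three points in the reply (a permit placed before a deny shadows it, a host entry that sits inside an earlier network entry can never match, and the deny lines must be copied for each restricted host) all follow from top-down first-match evaluation. The following Python model is an added illustration, not part of the thread and not Cisco code; the addresses are constructed placeholders (RFC 5737 and RFC 1918 ranges), since the thread's real addresses are not reproduced on this page, and the first ACL line is read the way the reply assumes, as a permit ip to the gateway.

```python
"""Toy first-match evaluator for extended ACLs (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol; otherwise "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # "eq N" on the destination; None means any port


def host(addr):
    return ipaddress.ip_network(f"{addr}/32")


def net(prefix):
    return ipaddress.ip_network(prefix)


def evaluate(acl, proto, src, dst, dst_port=None):
    """Walk the list top-down and stop at the first matching entry.
    Returns (index, action); (None, 'deny') models the implicit deny any any."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return i, e.action
    return None, "deny"


def shadowed(acl, i):
    """Index of an earlier entry that fully covers entry i (so i can never match), or None."""
    e = acl[i]
    for j in range(i):
        p = acl[j]
        if p.proto not in ("ip", e.proto):
            continue
        if p.dst_port is not None and p.dst_port != e.dst_port:
            continue
        if e.src.subnet_of(p.src) and e.dst.subnet_of(p.dst):
            return j
    return None


def restrict_hosts(hosts, gateway, internal_nets):
    """Build the list the reply describes: the deny lines are copied for every
    restricted host, and only then comes permit ip any any for everyone else."""
    acl = []
    for h in hosts:
        acl.append(Entry("deny", "tcp", host(h), host(gateway), 23))
        for n in internal_nets:
            acl.append(Entry("deny", "ip", host(h), net(n)))
    acl.append(Entry("permit", "ip", ANY, ANY))
    return acl


# Constructed placeholders, not the thread's real addresses.
TRAINEE = "192.0.2.10"
GATEWAY = "192.0.2.1"
INTERNAL = ["10.0.0.0/8", "172.16.0.0/12"]

# The posted list as the reply reads it: a permit ip to the gateway first,
# then the telnet deny, then a network deny followed by a host inside that network.
POSTED = [
    Entry("permit", "ip", host(TRAINEE), host(GATEWAY)),
    Entry("deny", "tcp", host(TRAINEE), host(GATEWAY), 23),
    Entry("deny", "ip", host(TRAINEE), net("10.0.0.0/8")),
    Entry("deny", "ip", host(TRAINEE), host("10.1.1.5")),
    Entry("permit", "ip", ANY, ANY),
]

if __name__ == "__main__":
    # Telnet to the gateway hits line 0 (permit); the deny on line 1 is never reached.
    print(evaluate(POSTED, "tcp", TRAINEE, GATEWAY, 23))
    print(shadowed(POSTED, 1), shadowed(POSTED, 3))  # 0 and 2: both entries are dead
    fixed = restrict_hosts([TRAINEE, "192.0.2.11", "192.0.2.12"], GATEWAY, INTERNAL)
    print(evaluate(fixed, "tcp", TRAINEE, GATEWAY, 23))          # now denied
    print(evaluate(fixed, "tcp", "192.0.2.12", "10.1.1.5", 445))  # third host, internal: denied
    print(evaluate(fixed, "tcp", TRAINEE, "198.51.100.7", 443))   # internet: permitted
```

The model only covers the matching logic, so the HSRP point still stands on its own: whichever switch owns the active address receives the trainees' packets, so the same list must be applied on the VLAN interface of both 6509s.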
