I have three hosts in a VLAN of 20 hosts that I want to prevent from accessing our internal network during training.
I have two 6509 switches that are set up in an HSRP group with a standby address of 10.1.45.254.
The hosts in this VLAN are on another switch that trunks up to the 6509; the trunk port on the 6509 is the SVI interface of 10.1.45.254.
I applied the below access-list and was still able to access the internal network from the host machine in the access-list. I applied it inbound to the SVI on the 6509 switch.
Could you take a look and let me know what is wrong?
The first line is to allow the host to get to the default gateway; is this needed?
The second line will prevent telnet access to the switch, the rest are denying traffic for the host and the last line is to allow all other hosts any access.
access-list 100 permit host 10.1.45.1 10.1.45.254 0.0.0.0
access-list 100 deny tcp host 10.1.45.1 host 10.1.45.254 eq 23
access-list 100 deny ip host 10.1.45.1 10.0.0.0 0.255.255.255
access-list 100 deny ip host 10.1.45.1 10.5.0.0 0.0.255.255
access-list 100 deny ip host 10.1.45.1 172.16.0.0 0.0.255.255
access-list 100 deny ip host 10.1.45.1 192.168.0.0 0.0.255.255
access-list 100 deny ip host 10.1.45.1 220.127.116.11 0.0.255.255
access-list 100 permit ip any any
interface vlan 45
ip access-group 100 in
Could it be that I applied it to the interface that was not the active one in the HSRP group?
Do I need to apply the access-list to both 6509 switches?
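The following is an added example, not part of the question above and not a Cisco tool: a small Python model of how IOS evaluates a numbered extended access-list (top-down, first match wins, wildcard masks, implicit deny at the end). It is fed the exact ACL text from the question and a few constructed sample flows, so you can see which entry each packet hits. The model assumes the normal extended-ACL syntax `access-list N permit|deny PROTO SRC [eq PORT] DST [eq PORT]`; entries that do not fit that shape are reported as rejected, the way IOS refuses a malformed line at the CLI.

```python
import ipaddress

# The ACL exactly as posted in the question above (copied, not modified).
POSTED_ACL = """\
access-list 100 permit host 10.1.45.1 10.1.45.254 0.0.0.0
access-list 100 deny tcp host 10.1.45.1 host 10.1.45.254 eq 23
access-list 100 deny ip host 10.1.45.1 10.0.0.0 0.255.255.255
access-list 100 deny ip host 10.1.45.1 10.5.0.0 0.0.255.255
access-list 100 deny ip host 10.1.45.1 172.16.0.0 0.0.255.255
access-list 100 deny ip host 10.1.45.1 192.168.0.0 0.0.255.255
access-list 100 deny ip host 10.1.45.1 220.127.116.11 0.0.255.255
access-list 100 permit ip any any
"""

# Protocol keywords this simplified model understands (assumption: enough for the posted ACL).
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
MASK32 = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok, i):
    """Parse one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns ((base, wildcard), next_index)."""
    if tok[i] == "any":
        return (0, MASK32), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok, i):
    """Optional 'eq PORT' qualifier (numeric ports only in this model)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse a single extended ACE; raise ValueError for anything IOS would reject."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an extended access-list entry")
    if tok[3] not in PROTOCOLS:
        raise ValueError(f"expected a protocol keyword after {tok[2]!r}, got {tok[3]!r}")
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return {"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}


def parse_acl(text):
    """Return (accepted_entries, rejected_lines); rejected lines carry the reason."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            accepted.append(parse_ace(line))
        except ValueError as err:
            rejected.append((line, str(err)))
    return accepted, rejected


def _matches(spec, addr):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wild = spec
    return ((addr ^ base) & ~wild & MASK32) == 0


def evaluate(aces, src, dst, proto, dport=None):
    """First-match evaluation of a packet; falls through to the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not _matches(ace["src"], s) or not _matches(ace["dst"], d):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny at end of access-list"


if __name__ == "__main__":
    aces, rejected = parse_acl(POSTED_ACL)
    for line, why in rejected:
        print(f"REJECTED: {line}\n   reason: {why}")
    # Constructed sample flows (addresses chosen to exercise each entry).
    flows = [("10.1.45.1", "10.5.1.10", "tcp", 80),     # training host -> internal server
             ("10.1.45.1", "10.1.45.254", "tcp", 23),   # training host -> switch telnet
             ("10.1.45.1", "10.1.45.254", "icmp", None),  # training host pings gateway
             ("10.1.45.2", "10.5.1.10", "tcp", 80),     # some other host in the VLAN
             ("10.1.45.1", "8.8.8.8", "tcp", 443)]      # training host -> outside
    for f in flows:
        action, hit = evaluate(aces, *f)
        print(f"{f[0]} -> {f[1]} {f[2]}/{f[3]}: {action:6} via: {hit}")
```

Two things the run makes visible. The first posted line has no protocol keyword between `permit` and `host`, so the model rejects it, as IOS does at the CLI; with that line gone, a ping from 10.1.45.1 to its gateway 10.1.45.254 is caught by the `10.0.0.0 0.255.255.255` deny, which is harmless for forwarding (the host reaches the gateway by ARP, not by IP) but worth knowing when you test with `ping`. The remaining deny entries do match traffic from 10.1.45.1 toward the listed ranges, so if that host still reaches the internal network, the entries are not the cause; what remains to check is where the ACL is applied. Inbound on the SVI means packets are filtered only by the 6509 that actually receives them, which in an HSRP pair is the active router for that VLAN, so a consistent deployment puts the same `ip access-group 100 in` on the SVI of both switches so the filter survives a failover.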