07-16-2007 05:36 PM - edited 03-05-2019 05:19 PM
I have three hosts in a VLAN of 20 hosts that I want to prevent accessing our internal network during training.
I have two 6509 switches that are set up in a HSRP group with a standby address of 10.1.45.254.
The hosts in this vlan are on another switch that trunks up to the 6509, the trunk port on the 6509 is the SVI interface of 10.1.45.254
I applied the below access-list and was still able to access the internal network from the host machine in the access-list. I applied it inbound to the SVI on the 6509 switch.
Could you take a look and let me know what is wrong?
The first line is to allow the host to get to the default gateway; is this needed?
The second line will prevent telnet access to the switch, the rest are denying traffic for the host and the last line is to allow all other hosts any access.
access-list 100 permit host 10.1.45.1 10.1.45.254 0.0.0.0
access-list 100 deny tcp host 10.1.45.1 host 10.1.45.254 eq 23
access-list 100 deny ip host 10.1.45.1 10.0.0.0 0.255.255.255
access-list 100 deny ip host 10.1.45.1 10.5.0.0 0.0.255.255
access-list 100 deny ip host 10.1.45.1 172.16.0.0 0.0.255.255
access-list 100 deny ip host 10.1.45.1 192.168.0.0 0.0.255.255
access-list 100 deny ip host 10.1.45.1 199.220.0.0 0.0.255.255
access-list 100 permit ip any any
interface vlan 45
ip access-group 100 in
Could it be that I applied it to the interface that was not the active one in the HSRP group?
Do I need to apply the access-list to both 6509 switches?
07-16-2007 06:23 PM
Wilson
This would seem to be the continuation of your earlier question.
Yes, you need to apply this access list to both 6509 switches. Whichever switch is receiving the packets from the end stations needs to have the filter applied. And one of the essential concepts of HSRP is that either switch may wind up receiving the packets.
No, you do not need the first line - unless for some reason you want those hosts to communicate directly and specifically with the switch interface. I also note that the first line has a syntax error since it has permit and has host but does not specify whether it is permitting ip or tcp or udp or whatever.
I also note that there appears to be an error in logical ordering. The second line denies telnet access to the switch interface but if it follows the first line which would have permitted ip access to the switch (I assume) then the second line would have no effect.
I also note that the 4th line (access-list 100 deny ip host 10.1.45.1 10.5.0.0 0.0.255.255) is redundant since 10.5.0.0/16 is contained within the address range of the line before it (access-list 100 deny ip host 10.1.45.1 10.0.0.0 0.255.255.255)
I also note that both questions have specified that there are 3 hosts that need this restriction but that this access list only deals with 1 of them (host 10.1.45.1). You would need to make copies of the lines in the access list and change them to specify the other 2 hosts. Like I said in my response to your other question, this effort can get to be tedious.
HTH
Rick
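The points Rick raises (first-match ordering, the redundant 10.5.0.0/16 line, entries for all three hosts, and applying the list on both HSRP peers) as an added worked example that is not part of this thread. It is a small Python model of the extended ACL: it renders entries in IOS syntax with wildcard masks, evaluates a packet against the list the way IOS does (first match wins, implicit deny at the end), and generates the corrected list for several hosts. The second and third host addresses (10.1.45.2 and 10.1.45.3) are assumed, and the posted first line is modelled as "permit ip" since as typed it has no protocol keyword.

```python
"""Model the IOS extended ACL from this thread: render entries with wildcard
masks, evaluate packets with IOS first-match semantics, and generate the
corrected list for all three restricted hosts.  Added example, not posted by
anyone in the thread; host addresses other than 10.1.45.1 are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access-list entry."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise "tcp"/"udp"
    src: Net
    dst: Net
    dport: Optional[int] = None   # "eq <port>" on the destination, tcp/udp only


def _addr(net: Net) -> str:
    """IOS address syntax: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render(acl: List[Ace], number: int = 100) -> List[str]:
    """Produce the 'access-list <n> ...' lines as they would be typed."""
    lines = []
    for ace in acl:
        line = (f"access-list {number} {ace.action} {ace.proto} "
                f"{_addr(ace.src)} {_addr(ace.dst)}")
        if ace.dport is not None:
            line += f" eq {ace.dport}"
        lines.append(line)
    return lines


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None):
    """Return (action, index) of the first matching entry; an unmatched
    packet hits the implicit 'deny' that ends every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None


def prune_redundant(nets: List[str]) -> List[Net]:
    """Drop any range already covered by a larger range in the same list
    (10.5.0.0/16 disappears because 10.0.0.0/8 contains it)."""
    parsed = [Net(n) for n in nets]
    return [n for n in parsed
            if not any(n != m and n.subnet_of(m) for m in parsed)]


def build_training_acl(hosts: List[str], gateway: str,
                       blocked: List[str]) -> List[Ace]:
    """Corrected list: for each restricted host deny telnet to the SVI and
    deny IP to every internal range, then permit everything else.  All deny
    lines precede the permit so first-match cannot skip them.  Apply the
    result inbound on 'interface vlan 45' of BOTH HSRP switches."""
    gw = Net(f"{gateway}/32")
    acl: List[Ace] = []
    for h in hosts:
        src = Net(f"{h}/32")
        acl.append(Ace("deny", "tcp", src, gw, 23))
        for net in prune_redundant(blocked):
            acl.append(Ace("deny", "ip", src, net))
    acl.append(Ace("permit", "ip", Net("0.0.0.0/0"), Net("0.0.0.0/0")))
    return acl


GATEWAY = "10.1.45.254"
INTERNAL = ["10.0.0.0/8", "10.5.0.0/16", "172.16.0.0/16",
            "192.168.0.0/16", "199.220.0.0/16"]
HOSTS = ["10.1.45.1", "10.1.45.2", "10.1.45.3"]   # .2 and .3 are assumed

# The list as posted, with its first line read as "permit ip" (the reply's
# assumption; as typed it has no protocol keyword and would not parse).
ORIGINAL = ([Ace("permit", "ip", Net("10.1.45.1/32"), Net(f"{GATEWAY}/32")),
             Ace("deny", "tcp", Net("10.1.45.1/32"), Net(f"{GATEWAY}/32"), 23)]
            + [Ace("deny", "ip", Net("10.1.45.1/32"), Net(n)) for n in INTERNAL]
            + [Ace("permit", "ip", Net("0.0.0.0/0"), Net("0.0.0.0/0"))])

CORRECTED = build_training_acl(HOSTS, GATEWAY, INTERNAL)

if __name__ == "__main__":
    print("telnet to SVI, original order :",
          evaluate(ORIGINAL, "tcp", "10.1.45.1", GATEWAY, 23))
    print("telnet to SVI, corrected order:",
          evaluate(CORRECTED, "tcp", "10.1.45.1", GATEWAY, 23))
    print("\n".join(render(CORRECTED)))
```

Running it shows the ordering problem directly: with the posted order, a telnet packet from 10.1.45.1 to 10.1.45.254 matches the first (permit) line and never reaches the deny, whereas the generated list denies it on its first entry. Note that 10.1.45.254 itself lies inside 10.0.0.0/8, so the /8 deny already covers telnet to the SVI; the explicit telnet line is kept only because the poster wanted that restriction visible. Routed traffic is unaffected by denying packets addressed to the gateway, since packets the host sends through the gateway carry the remote destination address, not 10.1.45.254. Whatever list you settle on must be configured under interface vlan 45 with ip access-group 100 in on both 6509s, since either HSRP peer may be the one forwarding for the VLAN.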
07-16-2007 07:15 PM
thanks
07-17-2007 02:22 AM
Wilson
You are welcome. Thanks for the rating.
HTH
Rick