Access list ------Urgent

Unanswered Question
Dec 4th, 2007

I have got 3 network 1)192.168.100.0, 2)192.168.200.0 ,3)192.168.300.0 on fastethernet 0/1,0/2,0/3 of 3560 switch.How can i put accesslist such that i can deny all traffic from 192.168.100.0 to 192.168.200.0 ? at the same time network 192.168.200.0 need access to 192.168.100.0 network

Martin Schoenbacher Tue, 12/04/2007 - 23:35

Hi,

an extended ACL:

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any

apply this acl inbound to the FastEthernet IF from where the packet comes (192.168.100.x in that case).

bvsnarayana03 Tue, 12/04/2007 - 23:44

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 101 permit ip any any

int fa0/1

ip access-group 101 in

vijayakumartt2004 Wed, 12/05/2007 - 02:13

I have tried all these but it's not giving the needed thing.

If I try to ping from 192.168.100.1 to 192.168.200.1 it's giving a reply. If I try to ping from 192.168.200.1 to 192.168.100.1 it's also giving a reply. It's not blocking any packet.

One more thing: does the Cisco 3550/3560 series switch support stateful filtering? I mean session management.

smothuku Tue, 12/04/2007 - 23:46

Hi Vijay ,

create an extended access-list, e.g.:

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 101 permit ip any any

apply this access-list on f0/2

int f0/2

ip access-group 101 in

Thanks,

satish

christian-luecke Wed, 12/05/2007 - 00:40

You may try this ...

int fast 0/1

ip access-group 101 in

access-list 101 permit tcp 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 established

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 101 permit ip any any
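To see why the ACL above blocks a ping from 192.168.100.x but lets TCP return traffic through, here is a small simulator of IOS extended ACL evaluation. It is an added example, not code from the thread or from Cisco: it implements wildcard-mask matching, first-match evaluation, the implicit deny at the end of every ACL, and the `established` keyword (which only matches TCP segments with ACK or RST set). The ACL text is the one proposed in this reply; the packets fed through it are constructed for the example, and the strict address parser also rejects the kind of typo seen elsewhere in the thread (`0.0.0.0255`).

```python
"""Minimal simulator for Cisco IOS numbered extended ACLs (added example).

Models wildcard masks, first-match evaluation, the implicit deny at the
end of every ACL, and the `established` keyword, which matches only TCP
segments carrying ACK or RST. The ACL text is the one from the thread;
the test packets are constructed for this example.
"""
from dataclasses import dataclass


def _ip_to_int(text):
    """Parse a dotted quad strictly; rejects typos such as 0.0.0.0255."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 address: {text!r}")
    value = 0
    for octet in parts:
        if (not octet.isdigit() or len(octet) > 3
                or (len(octet) > 1 and octet[0] == "0") or int(octet) > 255):
            raise ValueError(f"bad IPv4 address: {text!r}")
        value = (value << 8) | int(octet)
    return value


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol, else exact name
    src: tuple                  # (network, wildcard) as ints, or None for "any"
    dst: tuple
    established: bool = False   # match only TCP with ACK or RST (return traffic)


def _take_addr(tok, i):
    """Consume one address spec (any | host A | A WILDCARD) from tok[i:]."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return (_ip_to_int(tok[i + 1]), 0), i + 2
    return (_ip_to_int(tok[i]), _ip_to_int(tok[i + 1])), i + 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [established]' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not an extended ACL entry: {line!r}")
        src, i = _take_addr(tok, 4)
        dst, i = _take_addr(tok, i)
        entries.append(AclEntry(tok[2], tok[3], src, dst, "established" in tok[i:]))
    return entries


def _matches(addr, spec):
    """Wildcard-mask match: bits set to 1 in the wildcard are ignored."""
    if spec is None:
        return True
    network, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_ip_to_int(addr) & care) == (network & care)


def evaluate(acl, proto, src, dst, tcp_flags=frozenset()):
    """Return 'permit' or 'deny' for one packet, IOS first-match style."""
    for entry in acl:
        if entry.proto != "ip" and entry.proto != proto:
            continue
        if not _matches(src, entry.src) or not _matches(dst, entry.dst):
            continue
        if entry.established and not ({"ACK", "RST"} & set(tcp_flags)):
            continue
        return entry.action
    return "deny"  # implicit deny at the end of every IOS ACL


# The ACL from the thread, applied "in" on fa0/1 (the 192.168.100.0/24 side).
ACL_101_TEXT = [
    "access-list 101 permit tcp 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 established",
    "access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255",
    "access-list 101 permit ip any any",
]
ACL_101 = parse_acl(ACL_101_TEXT)


def demo():
    """Constructed packets entering fa0/1; returns {label: verdict}."""
    return {
        "icmp echo 100.1->200.1": evaluate(ACL_101, "icmp", "192.168.100.1", "192.168.200.1"),
        "tcp SYN 100.1->200.1": evaluate(ACL_101, "tcp", "192.168.100.1", "192.168.200.1", {"SYN"}),
        "tcp ACK 100.1->200.1": evaluate(ACL_101, "tcp", "192.168.100.1", "192.168.200.1", {"ACK"}),
        "icmp echo-reply 100.1->200.1": evaluate(ACL_101, "icmp", "192.168.100.1", "192.168.200.1"),
        "icmp echo 100.1->50.1": evaluate(ACL_101, "icmp", "192.168.100.1", "192.168.50.1"),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{verdict:6} {label}")
```

The last two results answer the stateful-filtering question in the thread: `established` is not session tracking, it just looks at TCP flags, so an ICMP echo-reply from 192.168.100.1 back to a host in 192.168.200.0/24 is denied by the same entry that blocks the original ping, because the ACL has no memory of who started the exchange.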

vijayakumartt2004 Wed, 12/05/2007 - 02:11

I have tried all these but it's not giving the needed thing.

If I try to ping from 192.168.100.1 to 192.168.200.1 it's giving "Request timed out". If I try to ping from 192.168.200.1 to 192.168.100.1 it's giving "Destination host unreachable".

One more thing: does the Cisco 3550/3560 series switch support stateful filtering? I mean session management.

Pavel Bykov Wed, 12/05/2007 - 02:18

If you are trying to ping from the router/switch where you have applied the access list, packets will ALWAYS be allowed to go through.

ACLs are not applied to locally generated packets. The workaround is to define policy based routing and run traffic through loopback, but that's overkill.

Just try pinging from a computer attached to the said network, not directly from the L3 device where the ACLs are applied.

Hope this helps.

vijayakumartt2004 Wed, 12/05/2007 - 02:50

I will send you the diagram... I pinged from a local PC which is connected with IP 192.168.100.1. Please go through the diagram.

waiting for reply...

bvsnarayana03 Wed, 12/05/2007 - 04:59

Can the host 192.168.200.1 ping its own default gateway??

If it pings, see the trace from this host to 100.1

Also paste the acl config that you created & "sh run interface" configs of 200.1 & 100.1

glen.grant Wed, 12/05/2007 - 05:11

If you have applied the ACL the way the previous posters have indicated, it should not ping. I would verify your config and make sure the ports you have PCs or servers in are in the correct layer 2 VLAN. If you can post the whole 3560 config, perhaps we can see something.
