Access list ------Urgent

Unanswered Question
Dec 4th, 2007

I have got 3 networks: 1) 192.168.100.0, 2) 192.168.200.0, 3) 192.168.300.0 on FastEthernet 0/1, 0/2, 0/3 of a 3560 switch. How can I put an access list such that I can deny all traffic from 192.168.100.0 to 192.168.200.0? At the same time, network 192.168.200.0 needs access to the 192.168.100.0 network.

Martin Schoenbacher Tue, 12/04/2007 - 23:35

Hi,


An extended ACL:

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any

Apply this ACL inbound on the FastEthernet interface the packets arrive on (the 192.168.100.x interface in this case).

bvsnarayana03 Tue, 12/04/2007 - 23:44
User Badges:
  • Silver, 250 points or more

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any

int fa0/1
 ip access-group 101 in

vijayakumartt2004 Wed, 12/05/2007 - 02:13

I had tried all of these, but it is not giving the needed result.

If I try to ping from 192.168.100.1 to 192.168.200.1 it is giving a reply. If I try to ping from 192.168.200.1 to 192.168.100.1 it is also giving a reply. It is not blocking any packets.

One more thing: does the Cisco 3550/3560 series switch support stateful filtering? I mean session management.

smothuku Tue, 12/04/2007 - 23:46
User Badges:
  • Silver, 250 points or more

Hi Vijay ,


Create an extended access-list, e.g.:

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any

Apply this access-list on f0/2:

int f0/2
 ip access-group 101 in

Thanks,

satish

christian-luecke Wed, 12/05/2007 - 00:40

You may try this ...


int fast 0/1

ip access-group 101 in


access-list 101 permit tcp 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 established

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 101 permit ip any any
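A complete version of the approach in the reply above, added here as a worked example; it is not from any poster in this thread. It assumes the 3560 has ip routing enabled and that fa0/1 and fa0/2 are routed ports acting as the default gateways 192.168.100.254 and 192.168.200.254 (assumed addresses; the thread does not give them). The ACL name BLOCK-100-TO-200 is likewise made up. It adds an ICMP echo-reply entry, because `established` only matches TCP segments with the ACK or RST bit set and does nothing for the replies to pings sent from 192.168.200.0/24:

```cisco
! Added example, not from the thread. Assumed: fa0/1 and fa0/2 are routed
! ports and the switch is the default gateway on each subnet.
ip routing
!
ip access-list extended BLOCK-100-TO-200
 remark Return traffic for TCP sessions opened from 192.168.200.0/24 (ACK or RST set)
 permit tcp 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 established
 remark Replies to pings sent from 192.168.200.0/24
 permit icmp 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 echo-reply
 remark Everything 192.168.100.0/24 originates toward 192.168.200.0/24 is dropped
 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
 remark Traffic to any other destination is unaffected
 permit ip any any
!
interface FastEthernet0/1
 description 192.168.100.0/24 hosts (assumed addressing)
 no switchport
 ip address 192.168.100.254 255.255.255.0
 ip access-group BLOCK-100-TO-200 in
!
interface FastEthernet0/2
 description 192.168.200.0/24 hosts (assumed addressing)
 no switchport
 ip address 192.168.200.254 255.255.255.0
!
! Checks, run from hosts on each subnet rather than from the switch:
!   192.168.100.x -> 192.168.200.y : ping times out, TCP connect fails
!   192.168.200.y -> 192.168.100.x : ping and TCP work
! show ip interface FastEthernet0/1     (shows "Inbound  access list is BLOCK-100-TO-200")
! show access-lists BLOCK-100-TO-200    (lists the entries; see note on counters below)
```

Test from a PC on each subnet, not from the switch itself, since a router ACL is not applied to the switch's own locally generated packets. With this ACL in place a ping from 192.168.100.x to 192.168.200.y should report a timeout (the echo request is dropped by the deny entry), while a ping or TCP session started from 192.168.200.y should succeed; a "destination host unreachable" on the 200 side is a sign the host cannot reach its own gateway and is unrelated to the ACL. The filtering remains stateless: `established` only inspects TCP flags, so a UDP service on 192.168.100.0/24 that clients on 192.168.200.0/24 use (DNS, for example) needs its own entry for the replies, such as `permit udp 192.168.100.0 0.0.0.255 eq domain 192.168.200.0 0.0.0.255`. The 3550/3560 has no stateful inspection feature, which is the answer to the session-management question in this thread. Also, on these switches the per-entry match counters in `show access-lists` may not reflect hardware-switched packets, so rely on the host tests rather than the counters to confirm the policy.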

vijayakumartt2004 Wed, 12/05/2007 - 02:11

I had tried all of these, but it is not giving the needed result.

If I try to ping from 192.168.100.1 to 192.168.200.1 it is giving "request timed out". If I try to ping from 192.168.200.1 to 192.168.100.1 it is giving "destination host unreachable".

One more thing: does the Cisco 3550/3560 series switch support stateful filtering? I mean session management.

Pavel Bykov Wed, 12/05/2007 - 02:18
User Badges:
  • Silver, 250 points or more

If you are trying to ping from the router/switch where you have applied the access list, packets will always be allowed through.

ACLs are not applied to locally generated packets. The workaround is to define policy-based routing and run the traffic through a loopback, but that's overkill.

Just try pinging from a computer attached to the said network, not directly from the L3 device where the ACLs are applied.


Hope this helps.

vijayakumartt2004 Wed, 12/05/2007 - 02:50

I will send you the diagram... I pinged from a local PC which is connected at IP 192.168.100.1. Please go through the diagram.

Waiting for a reply...



Attachment: 
bvsnarayana03 Wed, 12/05/2007 - 04:59
User Badges:
  • Silver, 250 points or more

Can the host 192.168.200.1 ping its own default gateway?

If it pings, see the trace from this host to 100.1.

Also paste the ACL config that you created and the "sh run interface" configs for 200.1 & 100.1.

glen.grant Wed, 12/05/2007 - 05:11
User Badges:
  • Purple, 4500 points or more

If you have applied the ACL the way the previous posters have indicated, it should not ping. I would verify your config and make sure the ports you have PCs or servers in are in the correct layer 2 VLAN. If you can post the whole 3560 config, perhaps we can see something.
