Access list ------Urgent

I have got 3 networks: 1) 192.168.100.0, 2) 192.168.200.0, 3) 192.168.300.0 on FastEthernet 0/1, 0/2, 0/3 of a 3560 switch. How can I put an access list such that I can deny all traffic from 192.168.100.0 to 192.168.200.0? At the same time, network 192.168.200.0 needs access to the 192.168.100.0 network.


Hi,

an extended ACL:

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

Apply this ACL inbound to the FastEthernet interface where the packet comes from (192.168.100.x in that case).

bvsnarayana03

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any

int fa0/1
ip access-group 101 in

I had tried all these, but it's not giving the needed thing.

If I try to ping from 192.168.100.1 to 192.168.200.1 it's giving a reply. If I try to ping from 192.168.200.1 to 192.168.100.1 it's also giving a reply. It's not blocking any packet.

One more thing: does the Cisco 3550/3560 series switch support stateful filtering? I mean session management.

smothuku

Hi Vijay,

Create an extended access-list, e.g.:

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any

Apply this access-list on f0/2:

int f0/2
ip access-group 101 in

Thanks,

satish

You may try this ...

int fast 0/1
ip access-group 101 in

access-list 101 permit tcp 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 established
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any

I had tried all these, but it's not giving the needed thing.

If I try to ping from 192.168.100.1 to 192.168.200.1 it's giving "request timed out". If I try to ping from 192.168.200.1 to 192.168.100.1 it's giving "destination host unreachable".

One more thing: does the Cisco 3550/3560 series switch support stateful filtering? I mean session management.

If you are trying to ping from the router/switch where you have applied the access list, packets will ALWAYS be allowed to go through.

ACLs are not applied to locally generated packets. The workaround is to define policy based routing and run traffic through loopback, but that's overkill.

Just try pinging from computer attached to the said network, not directly from the L3 device where ACLs are applied.

Hope this helps.
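Added example (not code from this thread or from Cisco): a small Python model of how IOS evaluates a numbered extended ACL, used to check the ACL 101 posted above against the flows the thread discusses. It covers the wildcard-mask match, first-match evaluation with the implicit deny, the `established` keyword, the fact that only an ACL bound inbound on the ingress interface ever sees a packet, and the bypass for packets the switch itself sources. The interface names and the `local` flag are assumptions of the model, and the ACL text is constructed from the posts above.

```python
import ipaddress

def _addr(t, i):
    """Consume 'any' or '<network> <wildcard>' starting at token t[i]."""
    return ("any", i + 1) if t[i] == "any" else (f"{t[i]} {t[i + 1]}", i + 2)

def parse_acl(config):
    """Parse 'access-list <n> <action> <proto> <src> <dst> [established]' lines
    into (action, proto, src, dst, established) tuples, in order."""
    acl = []
    for line in config.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        acl.append((t[2], t[3], src, dst, "established" in t[i:]))
    return acl

def _match(spec, addr):
    """Cisco wildcard: a 1 bit means 'don't care', so compare only the 0 bits."""
    if spec == "any":
        return True
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec.split())
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (net & ~wild)

def evaluate(acl, proto, src, dst, ack=False):
    """First match wins; every ACL ends with an implicit 'deny ip any any'.
    'established' matches only TCP segments with ACK (or RST) set, i.e. replies."""
    for action, p, s, d, established in acl:
        if p in ("ip", proto) and _match(s, src) and _match(d, dst) \
                and not (established and not ack):
            return action
    return "deny"

def forward(inbound_acls, ingress, proto, src, dst, ack=False, local=False):
    """Only an ACL bound inbound on the ingress interface sees the packet; packets
    arriving on other ports, or sourced by the switch itself (local=True, the
    CLI ping case from the reply above), are never matched against it."""
    if local:
        return "permit"
    acl = inbound_acls.get(ingress)
    return "permit" if acl is None else evaluate(acl, proto, src, dst, ack)

# Constructed sample: ACL 101 as posted in the thread, with the 'established' line.
ACL_101 = parse_acl("""
access-list 101 permit tcp 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 established
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any
""")
ON_FA0_1 = {"fa0/1": ACL_101}   # 'ip access-group 101 in' on fa0/1 (the 192.168.100.0 port)
ON_FA0_2 = {"fa0/2": ACL_101}   # the same ACL bound inbound on fa0/2 instead
```

Running the flows through `forward` shows that a ping from 192.168.100.1 to 192.168.200.1 arriving on fa0/1 is denied, that the same ACL bound on fa0/2 never sees that packet, and that only TCP replies (ACK set) from the 100 side pass the `established` line, so an ICMP ping from 192.168.200.1 still loses its echo reply.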

I will send you the diagram... I pinged from a local PC which is connected at IP 192.168.100.1. Please go through the diagram.

Waiting for reply...

Can the host 192.168.200.1 ping its own default gateway?

If it pings, see the trace from this host to 100.1.

Also paste the ACL config that you created and the "sh run interface" configs of 200.1 & 100.1.

If you have applied the ACL the way the previous posters have indicated, it should not ping. I would verify your config and make sure the ports you have PCs or servers in are in the correct layer 2 VLAN. If you can post the whole 3560 config, perhaps we can see something.
