12-04-2007 11:02 PM - edited 03-05-2019 07:49 PM
I have got 3 networks: 1) 192.168.100.0, 2) 192.168.200.0, 3) 192.168.300.0 on FastEthernet 0/1, 0/2, 0/3 of a 3560 switch. How can I put an access list such that I can deny all traffic from 192.168.100.0 to 192.168.200.0? At the same time the 192.168.200.0 network needs access to the 192.168.100.0 network.
12-04-2007 11:35 PM
Hi,
an extended ACL:
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any
Apply this ACL inbound on the FastEthernet interface where the packets come in (192.168.100.x in that case).
12-04-2007 11:44 PM
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any
int fa0/1
ip access-group 101 in
12-05-2007 02:13 AM
I have tried all these but it is not giving the needed thing.
If I try to ping from 192.168.100.1 to 192.168.200.1 it gives a reply. If I try to ping from 192.168.200.1 to 192.168.100.1 it also gives a reply. It is not blocking any packet.
One more thing: does the Cisco 3550/3560 series switch support stateful filtering? I mean session management.
12-04-2007 11:46 PM
Hi Vijay ,
create an extended access-list, e.g.:
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any
apply this access-list on f0/2:
int f0/2
ip access-group 101 in
Thanks,
satish
12-05-2007 12:40 AM
You may try this ...
int fast 0/1
ip access-group 101 in
access-list 101 permit tcp 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 established
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any
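Added example (my own code, not from any poster in this thread): a small Python evaluator of the ACL just above, run over constructed packets arriving inbound on fa0/1, to show what the `established` keyword does and does not give you on a switch without stateful filtering. The packet fields and the wildcard-to-CIDR helper are my own constructs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    ack_or_rst: bool = False  # TCP ACK or RST bit set; "established" matches only this


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask -> CIDR network (assumes a contiguous wildcard)."""
    prefix = 32 - bin(int(ip_address(wildcard))).count("1")
    return ip_network(f"{addr}/{prefix}", strict=False)


# The posted ACL, in evaluation order: (action, proto, src, src-wc, dst, dst-wc, established)
ACL_101 = [
    ("permit", "tcp", "192.168.100.0", "0.0.0.255", "192.168.200.0", "0.0.0.255", True),
    ("deny",   "ip",  "192.168.100.0", "0.0.0.255", "192.168.200.0", "0.0.0.255", False),
    ("permit", "ip",  "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", False),
]


def matches(rule, pkt):
    action, proto, sa, sw, da, dw, established = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in wildcard_to_network(sa, sw):
        return False
    if ip_address(pkt.dst) not in wildcard_to_network(da, dw):
        return False
    # "established" is stateless: it only looks at the ACK/RST flags of this packet
    return not established or pkt.ack_or_rst


def evaluate(acl, pkt):
    """First matching entry wins; an implicit deny sits at the end, as in IOS."""
    for rule in acl:
        if matches(rule, pkt):
            return rule[0]
    return "deny"


def simulate_fa0_1_inbound():
    # Constructed packets entering fa0/1 from the 192.168.100.0/24 side
    packets = {
        "tcp_syn_100_to_200": Packet("192.168.100.1", "192.168.200.1", "tcp"),
        "tcp_reply_100_to_200": Packet("192.168.100.1", "192.168.200.1", "tcp", ack_or_rst=True),
        "icmp_echo_reply_100_to_200": Packet("192.168.100.1", "192.168.200.1", "icmp"),
        "tcp_100_to_elsewhere": Packet("192.168.100.1", "10.0.0.1", "tcp"),
    }
    return {name: evaluate(ACL_101, p) for name, p in packets.items()}
```

The ICMP echo reply from 192.168.100.1 back to 192.168.200.1 still hits the deny, so a ping from the 200 side fails even though TCP sessions started from the 200 side get their return traffic through; closing that gap needs a stateful device rather than a plain ACL.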
12-05-2007 02:11 AM
I have tried all these but it is not giving the needed thing.
If I try to ping from 192.168.100.1 to 192.168.200.1 it gives "Request timed out". If I try to ping from 192.168.200.1 to 192.168.100.1 it gives "Destination host unreachable".
One more thing: does the Cisco 3550/3560 series switch support stateful filtering? I mean session management.
12-05-2007 02:18 AM
If you are trying to ping from the router/switch where you have applied the ACCESS LIST, packets will ALWAYS be allowed to go through.
ACLs are not applied to locally generated packets. The workaround is to define policy based routing and run traffic through loopback, but that's overkill.
Just try pinging from a computer attached to the said network, not directly from the L3 device where the ACLs are applied.
Hope this helps.
12-05-2007 02:50 AM
12-05-2007 04:59 AM
Can the host 192.168.200.1 ping its own default gateway?
If it can, look at the trace from this host to 100.1.
Also paste the ACL config that you created and the "sh run interface" configs for 200.1 and 100.1.
12-05-2007 05:11 AM
If you have applied the ACL the way the previous posters have indicated, it should not ping. I would verify your config and make sure the ports you have PCs or servers in are in the correct layer 2 VLAN. If you can post the whole 3560 config, perhaps we can see something.