andrew.prince@m... Mon, 10/19/2009 - 05:25

An extended ACL allows you to define,

1) Protocol (Layer3/4)

2) Source IP

3) Source udp/tcp port

4) Destination IP

5) Destination udp/tcp port

So what exactly are you trying to block 100.4.4.4 from doing?

sourabh1000_2 Mon, 10/19/2009 - 20:13

hi,

I want to just isolate 100.4.4.4 from 100.5.5.5

for example,

in standard access-list

----R5---

access-list 1 deny 100.4.4.4 0.0.0.0

access-list 1 permit any

int s0/0

ip access-group 1 in

#ping 100.4.4.4

..............

Jon Marshall Mon, 10/19/2009 - 20:32

access-list 101 deny ip host 100.4.4.4 host 100.5.5.5

access-list 101 permit ip any any

int s0/0

ip access-group 101 in

Jon

sourabh1000_2 Mon, 10/19/2009 - 21:08

hello,

Please find attached the updated network diagram as per my existing topology.

EIGRP is running between all routers.

I want to isolate 100.2.2.2 from R5 for all services using an extended access-list.

I am applying the access-list as follows

---R2----

access-list 100 deny ip host 100.2.2.2 host 100.5.5.5

access-list 100 permit ip any any

int s0/2

ip access-group 100 in

but still I am able to ping 100.2.2.2 from R5

Jon Marshall Mon, 10/19/2009 - 21:36

Your acl is wrong -

access-list 100 deny ip host 100.2.2.2 host 100.5.5.5

access-list 100 permit ip any any

should be -

access-list 100 deny ip host 100.5.5.5 host 100.2.2.2

access-list 100 permit ip any any

Jon

sourabh1000_2 Mon, 10/19/2009 - 21:59

Hi,

I am applying this access-list on R2 as per the new updated diagram, but still it's not working

Thanks and Regards,

sourabh

Jon Marshall Mon, 10/19/2009 - 22:10

Are you using an extended ping specifying 100.5.5.5 as the source address ?

Jon

sourabh1000_2 Mon, 10/19/2009 - 22:18

hello,

I want to isolate R2 100.2.2.2 from R5, meaning I want to stop 100.2.2.2 from being pinged from R5.

Jon Marshall Mon, 10/19/2009 - 22:34

I understand what you want but if you want to stop ping from R5 then you need to include all R5's ip addresses or at least the IP address connecting to R2 (sorry but your diagram is not very helpful).

So just do this

access-list 101 deny icmp host <R5 IP address> host 100.2.2.2

access-list 101 deny icmp host <R5 IP address> host 100.2.2.2

where R5 IP address = each IP address configured on R5.

Then apply the acl to the interface on R2 that the packets would be coming in on

ie.

int s0/0

ip access-group 101 in

Jon

sourabh1000_2 Mon, 10/19/2009 - 22:53

hello,

still I am able to ping R2's loopback from R5

Please find the required diagram.

also I don't just want to stop ICMP but also stop providing all services to 100.2.2.2; I just need to isolate R2 from R5

thanks and regards

sourabh

Jon Marshall Mon, 10/19/2009 - 23:10

Please post

"sh ip int br" from R5

"sh ip int br" from R2

+ the current access-list you are using.

Jon

Jon Marshall Mon, 10/19/2009 - 23:34

access-list 101 deny ip host 1.1.1.5 host 100.2.2.2

access-list 101 deny ip host 100.5.5.5 host 100.2.2.2

access-list 101 permit ip any any

R2

int s0/2 <---- NOTE - not s0/0 as in your configs

ip access-group 101 in

The above will stop any address on R5 being able to ping 100.2.2.2 on R2. If you want to stop any address on R2 being pingable from R5 then you need to add this to the ACL -

access-list 101 deny ip host 1.1.1.5 host 100.2.2.2

access-list 101 deny ip host 100.5.5.5 host 100.2.2.2

access-list 101 deny ip host 1.1.1.5 host 6.1.1.2

access-list 101 deny ip host 100.5.5.5 host 6.1.1.2

access-list 101 permit ip any any

Jon
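To see why the first ACL on R2 (deny ip host 100.2.2.2 host 100.5.5.5) never matched while the final ACL above does, here is an added example (not IOS code and not from this thread) that evaluates packet tuples against Cisco-style extended ACL entries with IOS wildcard semantics and the implicit deny at the end of every ACL:

```python
import ipaddress

# Added example, not IOS code: a minimal evaluator for extended ACL entries.
# An inbound ACL on R2's s0/2 sees R5's packets with R5 as the *source*.

def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr, wildcard = (int(ipaddress.IPv4Address(x)) for x in tokens[:2])
    return (addr, wildcard), tokens[2:]

def _matches(spec, ip_int):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wildcard = spec
    return ((ip_int ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC DST' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACE
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        aces.append((action, proto, src, dst))
    return aces

def evaluate(acl_text, proto, src_ip, dst_ip):
    """First matching ACE wins; no match means the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, p, src, dst in parse_acl(acl_text):
        if p in ("ip", proto) and _matches(src, s) and _matches(dst, d):
            return action
    return "deny"

# The ACLs from the thread, both applied inbound on R2's s0/2.
WRONG_ACL = """access-list 100 deny ip host 100.2.2.2 host 100.5.5.5
access-list 100 permit ip any any"""
FINAL_ACL = """access-list 101 deny ip host 1.1.1.5 host 100.2.2.2
access-list 101 deny ip host 100.5.5.5 host 100.2.2.2
access-list 101 deny ip host 1.1.1.5 host 6.1.1.2
access-list 101 deny ip host 100.5.5.5 host 6.1.1.2
access-list 101 permit ip any any"""
```

A ping from R5 (source 100.5.5.5, destination 100.2.2.2) is permitted by WRONG_ACL because its deny entry has source and destination swapped, and denied by FINAL_ACL.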

sourabh1000_2 Mon, 10/19/2009 - 23:57

hello

thanks a lot for your efforts

issue is resolved

thanks and regards

sourabh
