sourabh1000_2 Mon, 10/19/2009 - 20:13

Hi,


I want to just isolate 100.4.4.4 for 100.5.5.5


for e.g

in standard access-list


----R5---

access-list 1 deny 100.4.4.4 0.0.0.0

access-list 1 permit any any

int s0/0

ip access-group 1 in


#ping 100.4.4.4

..............


Jon Marshall Mon, 10/19/2009 - 20:32
User Badges: Super Blue, 32500 points or more; Hall of Fame, Founding Member; Cisco Designated VIP, 2017 LAN, WAN

access-list 101 deny ip host 100.4.4.4 host 100.5.5.5

access-list 101 permit ip any any


int s0/0

ip access-group 101 in


Jon

sourabh1000_2 Mon, 10/19/2009 - 21:08

Hello,


Please find attached the updated network diagram as per my existing topology.


EIGRP is running between all routers.


I want to isolate 100.2.2.2 from R5 from all services using extended access-list


I am applying access-list as follows


---R2----


access-list 100 deny ip host 100.2.2.2 host 100.5.5.5

access-list 100 permit ip any any


int s0/2

ip access-group 100 in


but still I am able to ping 100.2.2.2 from R5



Jon Marshall Mon, 10/19/2009 - 21:36

Your acl is wrong -


access-list 100 deny ip host 100.2.2.2 host 100.5.5.5

access-list 100 permit ip any any



should be -


access-list 100 deny ip host 100.5.5.5 host 100.2.2.2

access-list 100 permit ip any any


Jon

sourabh1000_2 Mon, 10/19/2009 - 21:59

Hi,


I am applying this access-list on R2 as per the new updated diagram, but still it's not working


Thanks and Regards,

sourabh

Jon Marshall Mon, 10/19/2009 - 22:10

Are you using an extended ping specifying 100.5.5.5 as the source address ?


Jon

sourabh1000_2 Mon, 10/19/2009 - 22:18
Hello,


I want to isolate R2 100.2.2.2 from R5, meaning I want to stop getting ping of 100.2.2.2 from R5.

Jon Marshall Mon, 10/19/2009 - 22:34

I understand what you want but if you want to stop ping from R5 then you need to include all R5's ip addresses or at least the IP address connecting to R2 (sorry but your diagram is not very helpful).


So just do this


access-list 101 deny icmp host <R5 IP address> host 10.2.2.2

access-list 101 deny icmp host <R5 IP address> host 10.2.2.2


where R5 IP address = each IP address configured on R5.


Then apply the acl to the interface on R2 that the packets would be coming in on


ie.


int s0/0

ip access-group 101 in


Jon

sourabh1000_2 Mon, 10/19/2009 - 22:53
Hello,


Still I am able to ping R2's loopback from R5


Please find the required diagram

Also I do want to just stop denying icmp but also stop providing all the services to 100.2.2.2, just need to isolate R2 from R5


thanks and regards

sourabh



Jon Marshall Mon, 10/19/2009 - 23:10

Please post


"sh ip int br" from R5

"sh ip int br" from R2


+ the current access-list you are using.


Jon

Jon Marshall Mon, 10/19/2009 - 23:34

access-list 101 deny ip host 1.1.1.5 host 100.2.2.2

access-list 101 deny ip host 100.5.5.5 host 100.2.2.2

access-list 101 permit ip any any


R2


int s0/2 <---- NOTE - not s0/0 as in your configs

ip access-group 101 in


The above will stop any address on R5 being able to ping 100.2.2.2 on R2. If you want to stop any address on R2 being pingable from R5 then you need to add this to the acl -


access-list 101 deny ip host 1.1.1.5 host 100.2.2.2

access-list 101 deny ip host 100.5.5.5 host 100.2.2.2

access-list 101 deny ip host 1.1.1.5 host 6.1.1.2

access-list 101 deny ip host 100.5.5.5 host 6.1.1.2

access-list 101 permit ip any any


Jon
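
The first-match logic behind the ACLs in this thread, as an added Python sketch that is not from any poster: it evaluates the three ACLs posted above against pings arriving inbound on R2. It assumes a plain ping from R5 is sourced from 1.1.1.5 and an extended ping from 100.5.5.5; the function and constant names are illustrative.

```python
import ipaddress

def parse_acl(text):
    """Parse 'access-list N permit|deny ip <src> <dst>' lines (host/any forms only)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        nets, rest = [], tok[4:]
        while rest:
            if rest[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                rest = rest[1:]
            elif rest[0] == "host" and len(rest) >= 2:
                nets.append(ipaddress.ip_network(rest[1] + "/32"))
                rest = rest[2:]
            else:
                raise ValueError(f"unsupported address form: {line!r}")
        if len(nets) != 2:
            raise ValueError(f"need source and destination: {line!r}")
        rules.append((tok[2], nets[0], nets[1]))
    return rules

def evaluate(rules, src, dst):
    """First matching entry decides; no match hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

# ACLs as posted in the thread, in order.
ACL_ORIGINAL = """access-list 100 deny ip host 100.2.2.2 host 100.5.5.5
access-list 100 permit ip any any"""
ACL_SWAPPED = """access-list 100 deny ip host 100.5.5.5 host 100.2.2.2
access-list 100 permit ip any any"""
ACL_FINAL = """access-list 101 deny ip host 1.1.1.5 host 100.2.2.2
access-list 101 deny ip host 100.5.5.5 host 100.2.2.2
access-list 101 permit ip any any"""

def ping_verdicts(acl_text, dst="100.2.2.2"):
    """Verdict for pings arriving on R2 from each R5 source address (assumed)."""
    rules = parse_acl(acl_text)
    return {src: evaluate(rules, src, dst) for src in ("1.1.1.5", "100.5.5.5")}

if __name__ == "__main__":
    for name in ("ACL_ORIGINAL", "ACL_SWAPPED", "ACL_FINAL"):
        print(name, ping_verdicts(globals()[name]))
```

Calling `ping_verdicts(ACL_FINAL, dst="6.1.1.2")` still returns permit for both sources, which is the gap the longer five-line ACL in the post above closes.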

sourabh1000_2 Mon, 10/19/2009 - 23:57
Hello


Thanks a lot for your efforts


Issue is resolved


Thanks and regards

sourabh

