10-19-2009 04:30 AM - edited 03-04-2019 06:25 AM
Hello,
Please find the attached diagram.
Issue --->
I am able to block 100.4.4.4 from R5 with a STANDARD ACCESS-LIST, but I am not able to do it with an
EXTENDED ACCESS-LIST.
Can you please explain how to do it with an extended access-list?
10-19-2009 05:25 AM
An extended ACL allows you to define:
1) Protocol (Layer3/4)
2) Source IP
3) Source udp/tcp port
4) Destination IP
5) Destination udp/tcp port
So what exactly are you trying to block 100.4.4.4 from doing?
10-19-2009 08:13 PM
Hi,
I want to just isolate 100.4.4.4 for 100.5.5.5,
e.g.
in a standard access-list:
----R5---
access-list 1 deny 100.4.4.4 0.0.0.0
access-list 1 permit any
int s0/0
ip access-group 1 in
#ping 100.4.4.4
..............
10-19-2009 08:32 PM
access-list 101 deny ip host 100.4.4.4 host 100.5.5.5
access-list 101 permit ip any any
int s0/0
ip access-group 101 in
Jon
10-19-2009 09:08 PM
Hello,
Please find attached the updated network diagram as per my existing topology.
EIGRP is running between all routers.
I want to isolate 100.2.2.2 from R5 from all services using an extended access-list.
I am applying the access-list as follows:
---R2----
access-list 100 deny ip host 100.2.2.2 host 100.5.5.5
access-list 100 permit ip any any
int s0/2
ip access-group 100 in
But I am still able to ping 100.2.2.2 from R5.
10-19-2009 09:36 PM
Your ACL is wrong -
access-list 100 deny ip host 100.2.2.2 host 100.5.5.5
access-list 100 permit ip any any
should be -
access-list 100 deny ip host 100.5.5.5 host 100.2.2.2
access-list 100 permit ip any any
Jon
10-19-2009 09:59 PM
Hi,
I am applying this access-list on R2 as per the new updated diagram, but it's still not working.
Thanks and Regards,
sourabh
10-19-2009 10:10 PM
Are you using an extended ping specifying 100.5.5.5 as the source address?
Jon
10-19-2009 10:18 PM
Hello,
I want to isolate R2 100.2.2.2 from R5, meaning I want to stop 100.2.2.2 being pinged from R5.
10-19-2009 10:34 PM
I understand what you want, but if you want to stop ping from R5 then you need to include all of R5's IP addresses, or at least the IP address connecting to R2 (sorry, but your diagram is not very helpful).
So just do this:
access-list 101 deny icmp host <R5 IP address> host 100.2.2.2
access-list 101 deny icmp host <R5 IP address> host 100.2.2.2
where <R5 IP address> = each IP address configured on R5 (one deny line per address).
Then apply the ACL to the interface on R2 that the packets would be coming in on,
i.e.
int s0/0
ip access-group 101 in
Jon
10-19-2009 11:10 PM
Please post:
"sh ip int br" from R5
"sh ip int br" from R2
+ the current access-list you are using.
Jon
10-19-2009 11:34 PM
access-list 101 deny ip host 1.1.1.5 host 100.2.2.2
access-list 101 deny ip host 100.5.5.5 host 100.2.2.2
access-list 101 permit ip any any
R2
int s0/2 <---- NOTE - not s0/0 as in your configs
ip access-group 101 in
The above will stop any address on R5 being able to ping 100.2.2.2 on R2. If you want to stop any address on R2 being pingable from R5, then you need to add this to the ACL -
access-list 101 deny ip host 1.1.1.5 host 100.2.2.2
access-list 101 deny ip host 100.5.5.5 host 100.2.2.2
access-list 101 deny ip host 1.1.1.5 host 6.1.1.2
access-list 101 deny ip host 100.5.5.5 host 6.1.1.2
access-list 101 permit ip any any
Jon
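The reason the first extended ACL in this thread did nothing is direction: an ACL applied with "ip access-group 101 in" on R2's s0/2 only ever sees packets entering R2, whose source is R5's address and whose destination is R2's. The following Python model is an added example (not from Jon's posts or from Cisco IOS) that parses numbered access-list lines, applies wildcard-mask matching with first-match-wins and the implicit deny, and compares the thread's wrong and corrected ACLs for an echo request arriving from R5. The "in"/"out" address swap in verdict() is a simplification of how IOS evaluates an interface ACL, assumed here to illustrate the point.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-control entry (one 'access-list N ...' line)."""
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol; otherwise "icmp", "tcp", "udp"
    src: str             # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: Optional[str]   # same forms; None for a standard ACL (source-only)


def _take_addr(toks: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec from the token list; return it and the remaining tokens."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return f"host {toks[1]}", toks[2:]
    return f"{toks[0]} {toks[1]}", toks[2:]          # address + wildcard mask


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered 'access-list' lines. 1-99 and 1300-1999 are standard, the rest extended."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] != "access-list":
            continue                                   # interface commands etc. are not ACEs
        number, action, rest = int(toks[1]), toks[2], toks[3:]
        if number <= 99 or 1300 <= number <= 1999:
            src, _ = _take_addr(rest)                  # standard: no protocol, no destination
            entries.append(Ace(action, "ip", src, None))
        else:
            proto = rest[0]
            src, rest = _take_addr(rest[1:])
            dst, _ = _take_addr(rest)
            entries.append(Ace(action, proto, src, dst))
    return entries


def _matches(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    base, mask = (spec.split()[1], "0.0.0.0") if spec.startswith("host ") else spec.split()
    care = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def evaluate(acl: List[Ace], proto: str, src: str, dst: str) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _matches(src, ace.src):
            continue
        if ace.dst is not None and not _matches(dst, ace.dst):
            continue
        return ace.action
    return "deny"


# Constructed from the thread: the standard ACL that worked on R5
STANDARD_ACL = """
access-list 1 deny 100.4.4.4 0.0.0.0
access-list 1 permit any
"""

# The extended ACL that did not work when applied inbound on R2 s0/2
WRONG_ACL = """
access-list 100 deny ip host 100.2.2.2 host 100.5.5.5
access-list 100 permit ip any any
"""

# Jon's final ACL: both R5 addresses are blocked from reaching both R2 addresses
CORRECT_ACL = """
access-list 101 deny ip host 1.1.1.5 host 100.2.2.2
access-list 101 deny ip host 100.5.5.5 host 100.2.2.2
access-list 101 deny ip host 1.1.1.5 host 6.1.1.2
access-list 101 deny ip host 100.5.5.5 host 6.1.1.2
access-list 101 permit ip any any
"""


def verdict(acl_text: str, direction: str, r5_addr: str, r2_addr: str, proto: str = "icmp") -> str:
    """Verdict for a ping from R5 to R2 under an ACL on R2's s0/2 (simplified model).
    Inbound the echo request has src=R5, dst=R2; outbound the echo reply has them swapped."""
    acl = parse_acl(acl_text)
    if direction == "in":
        return evaluate(acl, proto, r5_addr, r2_addr)
    return evaluate(acl, proto, r2_addr, r5_addr)


if __name__ == "__main__":
    for name, acl in (("wrong", WRONG_ACL), ("correct", CORRECT_ACL)):
        print(f"{name:>8} ACL, inbound, 100.5.5.5 -> 100.2.2.2:",
              verdict(acl, "in", "100.5.5.5", "100.2.2.2"))
```

Running it shows the wrong ACL permitting the inbound echo request (its deny line only describes the reply direction), while the corrected ACL denies requests from both 1.1.1.5 and 100.5.5.5 and leaves unrelated traffic on the permit ip any any line.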
10-19-2009 11:57 PM
Hello,
Thanks a lot for your efforts.
The issue is resolved.
Thanks and regards,
sourabh