cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
705
Views
5
Helpful
14
Replies

extended access-list

sourabh1000_2
Level 1
Level 1

hello,

pls find attached diagram

issue--->

i am able to block 100.4.4.4 from R5 with STANDARD ACCESS-LIST but i am not able to do it with

EXTENDED ACCESS-LIST

can u pls explain, how to do it with ext access-list

14 Replies 14

andrew.prince
Level 10
Level 10

An extended ACL allows you to define,

1) Protocol (Layer3/4)

2) Source IP

3) Source udp/tcp port

4) Destination IP

5) Destination udp/tcp port

So what exactly are you trying to block 100.4.4.4 from doing??

hi,

i want to just issolate 100.4.4.4 for 100.5.5.5

for e.g

in standard access-list

----R5---

access-list 1 deny 100.4.4.4 0.0.0.0

access-list 1 permit any any

int s0/0

ip access-group 1 in

#ping 100.4.4.4

..............

access-list 101 deny ip host 100.4.4.4 host 100.5.5.5

access-list 101 permit ip any any

int s0/0

ip access-group 101 in

Jon

hello,

pls find attached updated network diagram as per my existing topology

EIGRP is running between all routers.

i want to isolate 100.2.2.2 from R5 from all services using extended access-list

i am applying access-list as follows

---R2----

access-list 100 deny ip host 100.2.2.2 host 100.5.5.5

access-list 100 permit ip any any

int s0/2

ip access-group 100 in

but still i am able to ping 100.2.2.2 from R5

Your acl is wrong -

access-list 100 deny ip host 100.2.2.2 host 100.5.5.5

access-list 100 permit ip any any

should be -

access-list 100 deny ip host 100.5.5.5 host 100.2.2.2

access-list 100 permit ip any any

Jon

Hi,

i am applying this access-list on R2 as per new updated diagram, but still its on working

Thanks and Regards,

sourabh

Are you using an extended ping specifying 100.5.5.5 as the source address ?

Jon

hello,

i want to isolate R2 100.2.2.2 from R5 means i want to stop getting ping of 100.2.2.2 from R5.

I understand what you want but if you want to stop ping from R5 then you need to include all R5's ip addresses or at least the IP address connecting to R2 (sorry but your diagram is not very helpful).

So just do this

access-list 101 deny icmp host host 10.2.2.2

access-list 101 deny icmp host

host 10.2.2.2

where R5 IP address = each IP address configured on R5.

Then apply the acl to the interface on R2 that the packets would be coming in on

ie.

int s0/0

ip access-group 101 in

Jon

hello,

still i am able to ping R2's loopback from R5

pls find reqd diagram

also i do want to just stop denying icmp but also stop providing all the services to 100.2.2.2 just need to isolate R2 from R5

thanks and regards

sourabh

Please post

"sh ip int br" from R5

"sh ip int br" from R2

+ the current access-list you are using.

Jon

hello,

pls find attached file for the same

Thanks and regards

sourabh

access-list 101 deny ip host 1.1.1.5 host 100.2.2.2

access-list 101 deny ip host 100.5.5.5 host 100.2.2.2

access-list 101 permit ip any any

R2

int s0/2 <---- NOTE - not s0/0 as in your configs

ip access-group 101 in

the above will stop any address on R5 being able to ping 100.2.2.2 on R2. If you want to stop any address on R2 being pingable from R5 then you need to add this to acl -

access-list 101 deny ip host 1.1.1.5 host 100.2.2.2

access-list 101 deny ip host 100.5.5.5 host 100.2.2.2

access-list 101 deny ip host 1.1.1.5 host 6.1.1.2

access-list 101 deny ip host 100.5.5.5 host 6.1.1.2

access-list 101 permit ip any any

Jon

hello

thanks a lot for your efforts

issue is resolved

thanks and regards

sourabh

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco