need single ip block through extended access-list on interface in cisco 3550

Unanswered Question
Apr 18th, 2010

Dear Experts,

I am using a Cisco 3550 switch. My PC is connected to Cisco 3550 interface fast 0/22, and my IP address is 172.16.1.2. I need to deny only a single IP, which is 192.168.1.22, on this port through an extended access-list.

e.g.

ip access-list extended abc
 deny   ip 192.168.1.22 0.0.0.0 any
 permit ip any any

apply on int fas0/22

 ip access-group abc in

Is my above config right to deny this particular IP on my port, or does it need any change?

please guide me.

Thanks in ADV,

Vaib...

Jon Marshall Sun, 04/18/2010 - 01:24

Vaib

Your ACL will stop 192.168.1.22 from sending traffic if the device with the 192.168.1.22 address is connected to fa0/22. Is that what you want?

If you want to block 192.168.1.22 from sending traffic to your PC, which is connected to fa0/22, then this won't work. Also, you can only apply port ACLs inbound, so you would need to use an ACL on the L3 SVI for your PC's VLAN, and it would need to be applied outbound:

access-list 101 deny ip host 192.168.1.22 host 172.16.1.2

access-list 101 permit ip any any

int vlan

ip access-group 101 out

But as I say, it's not clear what you are trying to do.

Jon
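To make the point about direction concrete, here is an added Python evaluator (not from the thread or from Cisco) that applies IOS first-match, implicit-deny and wildcard-mask semantics to the two ACLs above. The fact that an inbound port ACL on fa0/22 only ever sees frames sent by the PC itself is modelled by which packet is fed to each ACL; the parser also handles the `host` keyword and non-zero wildcards such as `0.0.0.31`.

```python
import ipaddress

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((base, care_mask), rest). Wildcard 1-bits = don't care."""
    if tok[0] == "any":
        return (0, 0), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0xFFFFFFFF), tok[2:]
    addr = int(ipaddress.IPv4Address(tok[0]))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1]))   # invert the Cisco wildcard
    return (addr & care, care), tok[2:]

def parse_acl(text):
    """Parse named and numbered ('access-list 101 ...') extended ACL entries; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "!"):      # 'ip access-list extended abc' header / comments
            continue
        if tok[0] == "access-list":               # numbered form: drop 'access-list 101'
            tok = tok[2:]
        action, rest = tok[0], tok[2:]            # tok[1] is the protocol ('ip')
        src, rest = _addr(rest)
        dst, _ = _addr(rest)
        rules.append((action, src, dst))
    return rules

def evaluate(rules, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny, as on IOS."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, (sb, sc), (db, dc) in rules:
        if (s & sc) == sb and (d & dc) == db:
            return action
    return "deny"

# Constructed copies of the two ACLs in the thread.
PORT_ACL = """ip access-list extended abc
 deny   ip 192.168.1.22 0.0.0.0 any
 permit ip any any"""
SVI_ACL = """access-list 101 deny ip host 192.168.1.22 host 172.16.1.2
access-list 101 permit ip any any"""

def port_acl_inbound_result():
    # Inbound on fa0/22 only frames the PC itself sends (src 172.16.1.2) are evaluated; the packet
    # from 192.168.1.22 towards the PC never enters fa0/22, so the deny line is never tested.
    return evaluate(parse_acl(PORT_ACL), "172.16.1.2", "192.168.1.22")   # "permit"

def svi_acl_outbound_result():
    # Outbound on the PC's SVI the packet heading to 172.16.1.2 is evaluated and matches line 1.
    return evaluate(parse_acl(SVI_ACL), "192.168.1.22", "172.16.1.2")    # "deny"
```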

csawest.dc Sun, 04/18/2010 - 05:32

Dear Jon,

Thanks for your early reply.

Actually we are using a Cisco 3550 48P switch. In this switch the first two ports are uplinks from the billing authentication server to authenticate our users, who then access the internet.

Our users are connected from interface 3 to 48 (more than 50 users connected on each port). All the interfaces are in the same VLAN, including both uplink ports (ports 1 & 2 also), VLAN 2.

We have allotted an IP pool per port.

e.g. interface 3 (IP pool 172.16.45.0/24 and 172.16.46.0/24)

       interface 4 (IP pool 172.16.101.0/24 and 192.169.1.22, only a single IP). Some users have only a single IP on all access interfaces, which are ports 3 to 48.

Users on each interface authenticate to both billing authentication servers, which are connected to ports 1 & 2.

We need extended access-lists, because we need to make so many access-lists area-wise (we have allotted ports area-wise, that's why).

Please see my below config of the extended access-list for ports 3, 4, 5 (these ports' IP pools are in the same area).

Please let me know if it is right or if it needs any change.

ip access-list extended abc-area
deny   ip any 172.16.2.0 0.0.0.255
deny   ip any 172.16.21.0 0.0.0.255
deny   ip any 172.16.25.0 0.0.0.255
deny   ip any 172.16.29.0 0.0.0.255
deny   ip any 172.16.23.0 0.0.0.255
deny   ip any 172.16.27.0 0.0.0.255
deny   ip any 172.16.71.0 0.0.0.255
deny   ip any 172.16.8.0 0.0.0.255
deny   ip any 172.16.32.0 0.0.0.255
deny   ip any 172.16.19.0 0.0.0.255
deny   ip any 172.16.49.0 0.0.0.255
deny   ip 223.225.59.248 0.0.0.0 any
deny   ip any 172.16.30.0 0.0.0.255
deny   ip any 172.16.31.0 0.0.0.255
deny   ip any 172.16.47.0 0.0.0.255
deny   ip any 172.16.1.128 0.0.0.31
deny   ip any 172.16.17.0 0.0.0.255
deny   ip any 172.16.39.0 0.0.0.255
deny   ip any 172.16.41.0 0.0.0.255
deny   ip any 172.16.43.0 0.0.0.255
deny   ip 223.225.149.78 0.0.0.0 any
deny   ip 223.225.152.249 0.0.0.0 any
deny   ip 220.225.59.245 0.0.0.0 any
deny   ip 121.235.72.105 0.0.0.0 any
deny   ip 121.235.72.108 0.0.0.0 any
deny   ip 121.235.73.13 0.0.0.0 any
deny   ip 121.235.73.4 0.0.0.0 any
deny   ip 223.225.149.87 0.0.0.0 any
deny   ip 121.235.73.7 0.0.0.0 any
deny   ip any 172.16.34.0 0.0.0.255
deny   ip any 172.16.51.0 0.0.0.255
deny   ip any 172.16.70.0 0.0.0.255
deny   ip any 172.16.181.0 0.0.0.255
deny   ip 223.225.59.225 0.0.0.0 any
deny   ip 223.225.59.244 0.0.0.0 any
deny   ip any 172.16.38.0 0.0.0.255
deny   ip any 172.16.55.0 0.0.0.255
deny   ip 223.225.152.248 0.0.0.0 any
deny   ip any 172.16.0.128 0.0.0.128
deny   ip any 172.16.40.0 0.0.0.255
deny   ip any 172.16.57.0 0.0.0.255
deny   ip any 172.16.11.0 0.0.0.255
deny   ip 223.225.59.126 0.0.0.0 any
deny   ip 121.235.72.101 0.0.0.0 any
deny   ip 121.235.73.5 0.0.0.0 any
deny   ip any 172.16.42.0 0.0.0.255
deny   ip any 172.16.59.0 0.0.0.255
deny   ip 223.225.149.82 0.0.0.0 any
deny   ip 223.225.149.76 0.0.0.0 any
deny   ip 121.235.73.9 0.0.0.0 any
deny   ip 121.235.73.2 0.0.0.0 any
deny   ip any 172.16.46.0 0.0.0.255
deny   ip any 172.16.44.0 0.0.0.255
deny   ip any 172.16.63.0 0.0.0.255
permit ip any any

  interface range fas 0/3 - 5

  ip access-group abc-area in

Please guide me.

Thanks in ADV,

Vaib...
