04-18-2010 12:47 AM - edited 03-06-2019 10:40 AM
Dear Experts,
I am using a Cisco 3550 switch. My PC is connected to Cisco 3550 interface Fast 0/22, and my IP address is 172.16.1.2. I need to deny only a single IP, which is 192.168.1.22, on this port through an extended access-list.
e.g.
ip access-list extended abc
deny ip 192.168.1.22 0.0.0.0 any
permit ip any any
Apply on int fas0/22:
ip access-group abc in
Is my above config right to deny this particular IP on my port, or do I need to make any change?
Please guide me.
Thanks in ADV,
Vaib...
04-18-2010 01:24 AM
Vaib
Your ACL will stop 192.168.1.22 from sending traffic if the device with the 192.168.1.22 address is connected to fa0/22. Is that what you want?
If you want to block 192.168.1.22 from sending traffic to your PC, which is connected to fa0/22, then this won't work. Also, you can only apply port ACLs inbound, so you would need to use an ACL on the L3 SVI for your PC's VLAN and it would need to be applied outbound -
access-list 101 deny ip host 192.168.1.22 host 172.16.1.2
access-list 101 permit ip any any
int vlan
ip access-group 101 out
But as I say, it's not clear what you are trying to do.
Jon
04-18-2010 05:32 AM
Dear Jon,
Thanks for your early reply.
Actually, we are using a Cisco 3550 48P switch. On this switch the first two ports are uplinks from the billing authentication server, which authenticates our users before they access the internet.
Our users are connected on interfaces 3 to 48 (more than 50 users connected on each port). All the interfaces access the same VLAN, VLAN 2, including both uplink ports (ports 1 & 2 also).
We have allotted IP pools port-wise.
e.g. interface 3 (IP pool 172.16.45.0/24 and 172.16.46.0/24)
interface 4 (IP pool 172.16.101.0/24 and 192.169.1.22, only a single IP). Some users have only a single IP on the access interfaces, which are ports 3 to 48.
Users on each interface authenticate to both billing authentication servers, which are connected to ports 1 & 2.
We need extended access-lists because we need to make many access-lists area-wise (we allotted ports area-wise, that's why).
Please see my config below of the extended access-list for ports 3, 4, 5 (the IP pools of these ports are in the same area).
Please let me know if it is right or if it needs any change.
ip access-list extended abc-area
deny ip any 172.16.2.0 0.0.0.255
deny ip any 172.16.21.0 0.0.0.255
deny ip any 172.16.25.0 0.0.0.255
deny ip any 172.16.29.0 0.0.0.255
deny ip any 172.16.23.0 0.0.0.255
deny ip any 172.16.27.0 0.0.0.255
deny ip any 172.16.71.0 0.0.0.255
deny ip any 172.16.8.0 0.0.0.255
deny ip any 172.16.32.0 0.0.0.255
deny ip any 172.16.19.0 0.0.0.255
deny ip any 172.16.49.0 0.0.0.255
deny ip 223.225.59.248 0.0.0.0 any
deny ip any 172.16.30.0 0.0.0.255
deny ip any 172.16.31.0 0.0.0.255
deny ip any 172.16.47.0 0.0.0.255
deny ip any 172.16.1.128 0.0.0.31
deny ip any 172.16.17.0 0.0.0.255
deny ip any 172.16.39.0 0.0.0.255
deny ip any 172.16.41.0 0.0.0.255
deny ip any 172.16.43.0 0.0.0.255
deny ip 223.225.149.78 0.0.0.0 any
deny ip 223.225.152.249 0.0.0.0 any
deny ip 220.225.59.245 0.0.0.0 any
deny ip 121.235.72.105 0.0.0.0 any
deny ip 121.235.72.108 0.0.0.0 any
deny ip 121.235.73.13 0.0.0.0 any
deny ip 121.235.73.4 0.0.0.0 any
deny ip 223.225.149.87 0.0.0.0 any
deny ip 121.235.73.7 0.0.0.0 any
deny ip any 172.16.34.0 0.0.0.255
deny ip any 172.16.51.0 0.0.0.255
deny ip any 172.16.70.0 0.0.0.255
deny ip any 172.16.181.0 0.0.0.255
deny ip 223.225.59.225 0.0.0.0 any
deny ip 223.225.59.244 0.0.0.0 any
deny ip any 172.16.38.0 0.0.0.255
deny ip any 172.16.55.0 0.0.0.255
deny ip 223.225.152.248 0.0.0.0 any
deny ip any 172.16.0.128 0.0.0.128
deny ip any 172.16.40.0 0.0.0.255
deny ip any 172.16.57.0 0.0.0.255
deny ip any 172.16.11.0 0.0.0.255
deny ip 223.225.59.126 0.0.0.0 any
deny ip 121.235.72.101 0.0.0.0 any
deny ip 121.235.73.5 0.0.0.0 any
deny ip any 172.16.42.0 0.0.0.255
deny ip any 172.16.59.0 0.0.0.255
deny ip 223.225.149.82 0.0.0.0 any
deny ip 223.225.149.76 0.0.0.0 any
deny ip 121.235.73.9 0.0.0.0 any
deny ip 121.235.73.2 0.0.0.0 any
deny ip any 172.16.46.0 0.0.0.255
deny ip any 172.16.44.0 0.0.0.255
deny ip any 172.16.63.0 0.0.0.255
permit ip any any
interface fas 0/3 -5
ip access-group abc-area in
Please guide me.
Thanks in ADV,
Vaib...
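Added example, not part of the thread and not Cisco code: a small Python model of IOS first-match ACL evaluation with wildcard masks. It runs the "abc" ACL from the first post and ACL 101 from Jon's reply against the traffic directions Jon describes, and lists exactly which hosts two wildcard entries from the abc-area list match. Function names are illustrative, and the enumerated /24 ranges are constructed test input.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any"


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def matches(addr, base, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


def evaluate(acl, src, dst):
    """Return the action of the first matching entry (implicit deny at the end)."""
    for action, (s_base, s_wc), (d_base, d_wc) in acl:
        if matches(src, s_base, s_wc) and matches(dst, d_base, d_wc):
            return action
    return "deny"


# ACL "abc" from the first post (applied inbound on fa0/22).
ABC = [("deny", ("192.168.1.22", "0.0.0.0"), ANY), ("permit", ANY, ANY)]
# ACL 101 from Jon's reply (applied outbound on the PC's VLAN interface).
ACL_101 = [("deny", ("192.168.1.22", "0.0.0.0"), ("172.16.1.2", "0.0.0.0")),
           ("permit", ANY, ANY)]


def direction_demo():
    return {
        # Inbound on fa0/22: packets the PC itself sends, so source is the PC.
        "abc_in_pc_sends": evaluate(ABC, "172.16.1.2", "192.168.1.22"),
        # Inbound on fa0/22 only matches if 192.168.1.22 sits on that port.
        "abc_in_blocked_host_sends": evaluate(ABC, "192.168.1.22", "172.16.1.2"),
        # Outbound on the SVI: routed packets heading toward the PC.
        "acl101_out_to_pc": evaluate(ACL_101, "192.168.1.22", "172.16.1.2"),
        "acl101_out_other_src": evaluate(ACL_101, "192.168.1.23", "172.16.1.2"),
    }


def matched_hosts(base, wildcard, prefix="172.16.0."):
    """List which last-octet values of a constructed /24 an entry matches."""
    return [n for n in range(256) if matches(f"{prefix}{n}", base, wildcard)]


if __name__ == "__main__":
    print(direction_demo())
    print(matched_hosts("172.16.0.128", "0.0.0.128"))   # from abc-area
    print(matched_hosts("172.16.1.128", "0.0.0.31", prefix="172.16.1."))
```

The wildcard 0.0.0.128 ignores only one bit of the last octet, so that entry matches two addresses rather than a 128-address block, while 0.0.0.31 matches the contiguous range .128 to .159.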