ACL not working in Cisco 3550

Answered Question
Jun 23rd, 2010

Dear Experts,


ACL not working in Cisco 3550.

Current IOS: /c3550-i9q3l2-mz.121-22.EA9.bin

I need to deny host 10.28.0.30 from my network.

My ACL:


ip access-list extended abc
 deny ip any host 10.28.0.30
 permit ip any any

int vlan 100
 ip access-group abc out
 ip access-group abc in

OR

ip access-list extended abc1
 deny icmp any host 10.28.0.30 echo
 permit ip any any

int vlan 100
 ip access-group abc1 out
 ip access-group abc1 in



I am still able to ping this host from my network. I need to deny everything to this host (ping, telnet, etc.) from my network and my network through VLAN 100.

So please help me: how can I solve this issue?

Thanks in advance,

Correct Answer
Nagendra Kumar ... Wed, 06/23/2010 - 04:41

Hi,

Can you let us know in what direction you want to block the traffic? Is it originated from 10.28.0.30 or destined to 10.28.0.30?

Currently your ACL configuration seems to block traffic destined to 10.28.0.30. ACL normally will not affect the locally originated traffic. Try sending ICMP from some other device via this 3550 and see if it is blocked.

If you want to block everything to/from this device:

ip access-list extended abc
 deny ip any host 10.28.0.30
 deny ip host 10.28.0.30 any
 permit ip any any

and apply the same under the interface.


HTH,

Nagendra
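
The behaviour described in the answer above, as an added example that is not part of the original thread: a simplified first-match model of the two "abc" access lists, showing which flows each one stops and why a ping sourced on the switch itself is not caught by the outbound ACL. It handles only any/host entries; the function names and every address other than 10.28.0.30 are assumptions made for the illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every IP protocol
    src: str     # "any" or a single host address
    dst: str

def parse_acl(text):
    """Parse entries such as 'deny ip any host 10.28.0.30' (any/host forms only)."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        addrs = []
        while rest:
            word = rest.pop(0)
            if word == "any":
                addrs.append("any")
            elif word == "host":
                addrs.append(str(ipaddress.ip_address(rest.pop(0))))
            else:
                raise ValueError(f"unsupported token {word!r} in {line!r}")
        if action not in ("permit", "deny") or len(addrs) != 2:
            raise ValueError(f"cannot parse {line!r}")
        rules.append(Rule(action, proto, addrs[0], addrs[1]))
    return rules

def evaluate(rules, proto, src, dst, direction="in", from_switch=False):
    """First matching entry wins; an ACL ends with an implicit deny."""
    if from_switch and direction == "out":
        return "permit"  # outbound ACLs do not filter the device's own packets
    for r in rules:
        if r.proto in ("ip", proto) and r.src in ("any", src) and r.dst in ("any", dst):
            return r.action
    return "deny"

# ACL bodies from the thread; every address except 10.28.0.30 is constructed.
ORIGINAL = parse_acl("deny ip any host 10.28.0.30\npermit ip any any")
ANSWER = parse_acl("deny ip any host 10.28.0.30\n"
                   "deny ip host 10.28.0.30 any\npermit ip any any")

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("answer", ANSWER)):
        print(name, "to host:", evaluate(acl, "icmp", "10.28.0.5", "10.28.0.30"),
              "| from host:", evaluate(acl, "tcp", "10.28.0.30", "10.28.0.5"))
    print("ping sourced on the switch:",
          evaluate(ORIGINAL, "icmp", "10.28.0.1", "10.28.0.30", "out", True))
```
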

csawest.dc Wed, 06/23/2010 - 05:01

Dear Naikumar,



Thanks a lot, this command which was given by you is working fine.


I am not able to ping from my network to this host.


Thanks mate, have a great support.


Cheers!!!
