
New Member

Access list ------Urgent

I have got 3 networks: 1) 192.168.100.0, 2) 192.168.200.0, 3) 192.168.300.0 on FastEthernet 0/1, 0/2, 0/3 of a 3560 switch. How can I put an access list such that I can deny all traffic from 192.168.100.0 to 192.168.200.0? At the same time, network 192.168.200.0 needs access to the 192.168.100.0 network.

10 REPLIES

Re: Access list ------Urgent

Hi,

an extended ACL:

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 101 permit ip any any

Apply this ACL inbound on the FastEthernet interface where the packets come in (192.168.100.x in that case).

Re: Access list ------Urgent

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 101 permit ip any any

int fa0/1

ip access-group 101 in

New Member

Re: Access list ------Urgent

I had tried all these but it's not giving the needed thing.

If I try to ping from 192.168.100.1 to 192.168.200.1 it's giving a reply. If I try to ping from 192.168.200.1 to 192.168.100.1 it's also giving a reply. It's not blocking any packet.

One more thing: does the Cisco 3550/3560 series switch support stateful filtering? I mean session management.

Silver

Re: Access list ------Urgent

Hi Vijay,

Create an extended access-list, e.g.:

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 101 permit ip any any

Apply this access-list on f0/2:

int f0/2

ip access-group 101 in

Thanks,

satish

New Member

Re: Access list ------Urgent

You may try this...

int fast 0/1

ip access-group 101 in

access-list 101 permit tcp 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 established

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 101 permit ip any any
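As an added illustration (not code from this thread), the following Python model applies ACL 101 from the reply above inbound on fa0/1 with Cisco's first-match and implicit-deny semantics, then checks both legs of a flow. It shows why the `established` entry lets a TCP session from the 200 network reach the 100 network, while a ping from 200.1 to 100.1 still fails: the ICMP echo reply entering fa0/1 matches the deny. The subnet-to-port mapping is an assumption.

```python
import ipaddress
# ACE = (action, proto, src spec, dst spec, established); proto "ip" matches everything.

def wildcard_match(addr, spec):
    # Cisco wildcard: a 1 bit in the mask means "don't care" for that bit.
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a ^ n) & ~w == 0

def evaluate(acl, pkt):
    # First matching ACE wins; a packet matching nothing hits the implicit deny.
    for action, proto, src, dst, established in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src) and wildcard_match(pkt["dst"], dst)):
            continue
        if established and not pkt.get("ack", False):
            continue
        return action
    return "deny"

# The ACL from the post above, applied with "ip access-group 101 in" on fa0/1 only.
ACL_101 = [
    ("permit", "tcp", "192.168.100.0 0.0.0.255", "192.168.200.0 0.0.0.255", True),
    ("deny", "ip", "192.168.100.0 0.0.0.255", "192.168.200.0 0.0.0.255", False),
    ("permit", "ip", "any", "any", False),
]
APPLIED_IN = {"fa0/1": ACL_101}                                # no ACL on fa0/2
INGRESS = {"192.168.100.": "fa0/1", "192.168.200.": "fa0/2"}  # assumed subnet-to-port mapping

def filtered(pkt):
    # An inbound ACL is consulted only on the port where the packet enters the switch.
    intf = next(i for prefix, i in INGRESS.items() if pkt["src"].startswith(prefix))
    acl = APPLIED_IN.get(intf)
    return "permit" if acl is None else evaluate(acl, pkt)

def ping_succeeds(src, dst):
    # Echo request goes one way, echo reply the other; both legs must be permitted.
    req = {"proto": "icmp", "src": src, "dst": dst}
    rep = {"proto": "icmp", "src": dst, "dst": src}
    return filtered(req) == "permit" and filtered(rep) == "permit"

def tcp_session_succeeds(client, server):
    # Only the SYN/ACK leg has ACK set, so only it can match the "established" ACE.
    syn = {"proto": "tcp", "src": client, "dst": server, "ack": False}
    syn_ack = {"proto": "tcp", "src": server, "dst": client, "ack": True}
    return filtered(syn) == "permit" and filtered(syn_ack) == "permit"
```

Without the `established` line (the ACLs in the earlier replies), even the TCP SYN/ACK from 100.1 back to 200.1 is dropped on fa0/1, so the 200 network loses access to the 100 network as well.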

New Member

Re: Access list ------Urgent

I had tried all these but it's not giving the needed thing.

If I try to ping from 192.168.100.1 to 192.168.200.1 it's giving "request timed out". If I try to ping from 192.168.200.1 to 192.168.100.1 it's giving "destination host unreachable".

One more thing: does the Cisco 3550/3560 series switch support stateful filtering? I mean session management.

Silver

Re: Access list ------Urgent

If you are trying to ping from the router/switch where you have applied the access list, packets will ALWAYS be allowed to go through.

ACLs are not applied to locally generated packets. The workaround is to define policy-based routing and run the traffic through a loopback, but that's overkill.

Just try pinging from a computer attached to the said network, not directly from the L3 device where the ACLs are applied.

Hope this helps.

New Member

Re: Access list ------Urgent

I will send you the diagram... I pinged from a local PC which is connected at IP 192.168.100.1. Please go through the diagram.

waiting for reply...

Re: Access list ------Urgent

Can the host 192.168.200.1 ping its own default gateway?

If it pings, see the trace from this host to 100.1.

Also paste the ACL config that you created and the "sh run interface" configs of 200.1 and 100.1.

Purple

Re: Access list ------Urgent

If you have applied the ACL the way the previous posters have indicated, it should not ping. I would verify your config and make sure the ports you have PCs or servers in are in the correct layer 2 VLAN. If you can post the whole 3560 config, perhaps we can see something.
