06-10-2014 06:47 PM - edited 03-07-2019 07:42 PM
Good Evening,
I am attempting to create an ACL to block all traffic from WorkstationA to WorkstationB but allow everything else through. In this environment I only have rights to modify the configuration on SwitchB which is a 3750x running an IPbase image. I have already given this a few shots but I can't seem to get this one.
Here is an example:
I have tried the following on switch B:
ip access-list extended BLOCKA
 deny ip host 192.168.1.20 any
 permit ip any any
----
(conf int port that WorkstationB resides on)
ip access-group BLOCKA in
Is there any way to make this work when you only have access to SwitchB in this example?
Thank you in advance!
06-10-2014 07:03 PM
06-10-2014 07:05 PM
Thank you for the reply Najaf. Unfortunately I only have access to configure SwitchB. I have no control over any other devices in the topology. Any other ideas?
06-10-2014 07:39 PM
Sorry,
My mistake. I read it as you having access to router B and not switch B :-(
Since you have your switch configured as L2, your ACL will not have any effect.
06-10-2014 07:05 PM
Hi,
Is switch-B a layer-2 or a layer-3 device?
If it is layer-2, your ACL is not going to block host-A.
HTH
06-10-2014 07:10 PM
Thank you for the reply Reza. This 3750x is running IPBase image but is not really performing any Layer 3 functions. It is just hanging off of RouterB which is handling all layer 3.
06-10-2014 10:45 PM
You should use a VLAN ACL (VACL) to achieve the desired result on the switch. Since it is a 3750-X, it supports VACLs.
The config can be as follows:
ip access-list extended BLOCK_A
 permit ip <source> <dest>
ip access-list extended PERMIT_ANY
 permit ip any any
vlan access-map A_To_B 10
 match ip address BLOCK_A
 action drop
vlan access-map A_To_B 20
 match ip address PERMIT_ANY
 action forward
vlan filter A_To_B vlan-list <source-vlan-id>
Reply to me if it solves your issue.
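
The access-map logic from the reply above, modelled in Python as an added example (not part of the thread and not Cisco code): a `permit` line in BLOCK_A only selects traffic, the map's `action` decides its fate, and IP traffic that matches no map entry is dropped. WorkstationB's address 192.168.1.30 and the two other addresses are constructed for the example, and only `host`/`any` address forms are parsed.

```python
import ipaddress

# WorkstationA's address is from the thread; WorkstationB's is constructed.
HOST_A, HOST_B = "192.168.1.20", "192.168.1.30"

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>'; each address is 'any' or 'host X'."""
    tok = line.split()
    action, specs, i = tok[0], [], 2
    while i < len(tok):
        if tok[i] == "any":
            specs.append(None)          # None stands for a wildcard
            i += 1
        elif tok[i] == "host":
            specs.append(ipaddress.ip_address(tok[i + 1]))
            i += 2
        else:
            raise ValueError(f"unsupported address spec: {tok[i]}")
    src, dst = specs
    return action, src, dst

def acl_permits(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_src, a_dst in acl:
        if a_src in (None, s) and a_dst in (None, d):
            return action == "permit"
    return False

def vacl_action(access_map, acls, src, dst):
    """Walk map entries by sequence number; an ACL 'permit' means 'matched'."""
    for _seq, acl_name, action in sorted(access_map):
        if acl_permits(acls[acl_name], src, dst):
            return action
    return "drop"  # IP packet matching no map entry is dropped

ACLS = {
    "BLOCK_A": [parse_ace(f"permit ip host {HOST_A} host {HOST_B}")],
    "PERMIT_ANY": [parse_ace("permit ip any any")],
}
A_TO_B = [(10, "BLOCK_A", "drop"), (20, "PERMIT_ANY", "forward")]

def demo():
    """Constructed flows: A->B, B->A, A->gateway, another host->B."""
    flows = [(HOST_A, HOST_B), (HOST_B, HOST_A),
             (HOST_A, "192.168.1.1"), ("192.168.1.40", HOST_B)]
    return [vacl_action(A_TO_B, ACLS, s, d) for s, d in flows]

if __name__ == "__main__":
    print(demo())
```

Evaluating the map without its sequence 20 entry shows why PERMIT_ANY is needed: every other IP flow in the filtered VLAN would fall through to the default drop.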