Want to block host to host communication

Hello All,

I am trying to stop all traffic between specific hosts in separate vlans. Here is my access-list.

Extended IP access list 101
    10 deny ip host 10.21.224.230 host 10.21.223.236
    20 deny ip host 10.21.224.231 host 10.21.223.236
    30 deny ip host 10.21.224.232 host 10.21.223.236
    40 deny ip host 10.21.224.230 host 10.21.223.237
    50 deny ip host 10.21.224.231 host 10.21.223.237
    60 deny ip host 10.21.224.232 host 10.21.223.237
    70 deny ip host 10.21.224.230 host 10.21.223.238
    80 deny ip host 10.21.224.231 host 10.21.223.238
    90 deny ip host 10.21.224.232 host 10.21.223.238
    100 permit ip any any

I applied that access list to the VLAN interface OUT that the 10.21.224.x hosts reside on and I am still able to ping the .223 hosts from the .224 hosts. I assume I am missing something simple here. Any help is appreciated and thank you!

3 REPLIES

Want to block host to host communication

I figured it out, I was getting my In and Out applications backwards. I needed to apply the ACL to the VLAN interface Inbound instead of Outbound.

The other question I have, if anyone can answer it, is: will this stop traffic bi-directionally, or do I need to apply the inverse of this to the VLAN that houses the 10.21.223.x hosts to stop traffic bi-directionally?


Want to block host to host communication

Hi,

Even if those hosts want to communicate with the 10.21.224.x hosts, then these ones won't be able to reply back as they are filtered by your ACL.

Regards

Alain

Don't forget to rate helpful posts.

Want to block host to host communication

Hello, Chris.

If you are sure that the hosts 10.21.224.x will keep the ip-address assignment, then your solution is fine.

If there is a risk to change the ip-addresses, then it's better to apply inbound ACL on L2 client ports that are used for the devices connection.

ACL would be like deny ip any host 10.21.223.x .... permit ip any any
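To make the direction point and the bi-directional question concrete, here is a small added model (my own example, not Cisco code or anything from this thread) of the poster's two SVIs with ACL 101 applied either "out" or "in" on the 10.21.224.x SVI. Subnet masks (/24) and the SVI names Vlan224 and Vlan223 are assumptions.

```python
import ipaddress

# Constructed model of the thread's setup (not Cisco code): one L3 switch with
# two SVIs; /24 masks are assumed. ACL 101 is the poster's list, built in the
# same order as the page (seq 10..90 deny, seq 100 permit ip any any).
SVIS = {"Vlan224": ipaddress.ip_network("10.21.224.0/24"),
        "Vlan223": ipaddress.ip_network("10.21.223.0/24")}
ACL_101 = [(10 * i, "deny", f"10.21.224.{s}", f"10.21.223.{d}")
           for i, (d, s) in enumerate([(d, s) for d in (236, 237, 238)
                                       for s in (230, 231, 232)], start=1)]
ACL_101.append((100, "permit", "any", "any"))

def evaluate(acl, src, dst):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for seq, action, a_src, a_dst in acl:
        if a_src in ("any", src) and a_dst in ("any", dst):
            return action, seq
    return "deny", None

def svi_for(ip):
    addr = ipaddress.ip_address(ip)
    return next(name for name, net in SVIS.items() if addr in net)

def forward(src, dst, applied):
    """Route one packet. `applied` maps (svi, "in"|"out") -> ACL.
    A routed packet is checked "in" on the SVI of the VLAN it arrives from and
    "out" on the SVI of the VLAN it is delivered to, never the other way round."""
    for svi, direction in ((svi_for(src), "in"), (svi_for(dst), "out")):
        acl = applied.get((svi, direction))
        if acl is not None:
            action, seq = evaluate(acl, src, dst)
            if action == "deny":
                return f"denied on {svi} {direction} by seq {seq}"
    return "forwarded"

def ping_works(src, dst, applied):
    """An echo exchange needs the request and the reply to both be forwarded."""
    return (forward(src, dst, applied) == "forwarded"
            and forward(dst, src, applied) == "forwarded")

if __name__ == "__main__":
    a, b = "10.21.224.230", "10.21.223.236"
    for direction in ("out", "in"):          # the original mistake, then the fix
        applied = {("Vlan224", direction): ACL_101}
        print(f"ACL 101 on Vlan224 {direction}: {a}->{b} {forward(a, b, applied)}; "
              f"{b}->{a} {forward(b, a, applied)}; "
              f"ping from either side works: {ping_works(a, b, applied)}")
```

With the list applied "out" on Vlan224 the .224-to-.223 packet never touches it, which is why the pings still worked; applied "in", the request from .224 is dropped and a session started from the .223 side dies on its reply, while a .224 host not named in the list still gets through, which is the risk the last reply raises.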
