Network A and network B are connected with routers via WAN. I need to be able to restrict one host (IP) on NetA to a single host in NetB - and not allow the NetA host to access any other hosts in NetA or NetB.
Perhaps I am not clear on what you are trying to accomplish. But if the objective is to allow one host (x) on NET A to communicate only with a single host (y) on NET B and not communicate with any other host, then it seems to me that this can be done with access list filtering. I do not see what PBR would do for this.
Note that while access list filtering can certainly prevent host (x) in NET A from communicating with any other host in NET B, it cannot restrict the ability of host (x) to communicate with other hosts in NET A (and PBR would not help with that either). Host (x) does not need to go through the router to get to other hosts in NET A, so the router is not able to restrict that access.
I'm a bit of a noob on this type of scenario. What would ACLs look like on both routers? If I really needed to restrict (x) on Net A from accessing other hosts on Net A (not passing through a router), could I configure a VLAN to accomplish this? If so - what ACLs on the routers would accomplish both the Net A restrictions for the (x) host on Net A and the single host (x) on Net B?
If you want to restrict a specific host on NET A (x.x.x.x) so that it communicates with a specific host on NET B (y.y.y.y) and not with any other host on NET B then you would need an access list on the router of NET A but I do not see any necessity for an access list on the router of NET B.
Should the host on NET A be able to communicate with other networks (access the Internet etc) or is its access limited to only the host on NET B? It makes a difference in how you would write the access list. Assuming that the host should access only the single host on NET B the access list might look something like this:
access-list 101 permit ip host x.x.x.x host y.y.y.y
access-list 101 deny ip host x.x.x.x any
access-list 101 permit ip any any
You would apply the access list to the interface on the router where NET A is connected using the command:
ip access-group 101 in
The host in NET A will be able to communicate with other devices in NET A. Since they are in the same subnet the host will simply ARP for the destination address, receive the ARP response, and communicate directly. There is not anything you can do on the router to prevent this. The only way to isolate the host so that it communicates only with the host in NET B and nothing else would be to create a VLAN/subnet in which the host was the only device in the VLAN/subnet. Or you could leave the host in NET A and move all the other devices from NET A into a different network.
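As an added example (not from the original post), this is the other variant the answer mentions, where host x may still reach the Internet but only host y inside NET B, combined with the dedicated VLAN/subnet the answer says is the only way to keep x away from the rest of NET A. It assumes a Layer 3 switch with SVIs; the addresses (x = 10.1.99.10 in its own VLAN 99, y = 10.2.2.20, NET A = 10.1.1.0/24, NET B = 10.2.2.0/24), VLAN number and interface names are placeholders, not values from the thread.

```cisco
! NET A side. All addresses, VLAN and interface names below are assumed placeholders.
! Once x sits alone in its own subnet, every packet from x crosses the router,
! so the ACL can now also block x from the rest of NET A (10.1.1.0/24).
! IOS ACLs are matched top-down, first match wins, implicit deny at the end.
access-list 102 permit ip host 10.1.99.10 host 10.2.2.20
access-list 102 deny   ip host 10.1.99.10 10.2.2.0 0.0.0.255
access-list 102 deny   ip host 10.1.99.10 10.1.1.0 0.0.0.255
access-list 102 permit ip any any
!
! Isolation VLAN holding only host x.
vlan 99
 name HOST-X-ISOLATED
!
! Routed interface for that VLAN; the ACL is applied inbound, i.e. on traffic
! sourced by x, matching the "ip access-group ... in" placement in the answer.
interface Vlan99
 ip address 10.1.99.1 255.255.255.0
 ip access-group 102 in
!
! Access port for host x, so no other NET A device shares its broadcast domain.
interface GigabitEthernet1/0/10
 description host x only
 switchport mode access
 switchport access vlan 99
```

Because the final "permit ip any any" still matches, x keeps Internet access; drop that line (leaving the implicit deny) to get the "only host y" behaviour of the original ACL 101.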