<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cisco switch ACL never working problem in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/cisco-switch-acl-never-working-problem/m-p/4535433#M1086630</link>
    <description>&lt;P&gt;I am studying for the Cisco CCNA exam and I have set myself the task of blocking access from one server to another.&lt;/P&gt;&lt;P&gt;In my lab environment I use a Cisco Catalyst 2960 switch (no routing used, and all ports are members of the same Vlan100) with two VMware servers. One VMware server has a VM with the IP address 192.168.100.1 (it's a virtual interface); the other VMware server has a VM with the IP address 192.168.100.2 (also a virtual interface).&lt;/P&gt;&lt;P&gt;My understanding is that I can create an ACL on the switchport where server 2 is plugged in (Gi1/0/2) and the ACL will block traffic coming from server 1, which is plugged into port Gi1/0/1. For observation I am using my laptop connected to the console port of the Cisco Catalyst:&lt;/P&gt;&lt;P&gt;conf t&lt;/P&gt;&lt;P&gt;ip access-list standard Test&lt;/P&gt;&lt;P&gt;deny 192.168.100.1&lt;/P&gt;&lt;P&gt;permit any&lt;/P&gt;&lt;P&gt;int Gi1/0/2&lt;/P&gt;&lt;P&gt;ip access-group Test in&lt;/P&gt;&lt;P&gt;Yet this doesn't block any traffic from 192.168.100.1.&lt;/P&gt;&lt;P&gt;If I don't specify "permit any", then the implicit deny rule blocks the traffic, meaning it's never matching the first line.&lt;/P&gt;&lt;P&gt;OK, I thought to myself, and tried to change it to:&lt;/P&gt;&lt;P&gt;conf t&lt;/P&gt;&lt;P&gt;access-list 10 deny host 192.168.100.1&lt;/P&gt;&lt;P&gt;access-list 10 permit any&lt;/P&gt;&lt;P&gt;int Gi1/0/2&lt;/P&gt;&lt;P&gt;ip access-group 10&lt;/P&gt;&lt;P&gt;But once again it won't block traffic from 192.168.100.1, and will only block it if I don't use the "permit any" statement (in which case the implicit "deny any" blocks it).&lt;/P&gt;&lt;P&gt;I tried all possible things I can think of... I read a lot of forums; it should work, but it doesn't. What am I doing wrong and how do I troubleshoot it? I already tried to use &lt;EM&gt;log&lt;/EM&gt; after both the permit and deny statements... The traffic still goes through, but sometimes it says "Denied 192.168.100.2 packet". But .2 is my destination, not my source address! Isn't it supposed to say "Denied 192.168.100.1 packet" instead and just block it?&lt;/P&gt;&lt;P&gt;I am really confused. Is it possible to just enable some kind of debugging to see what source and destination IP addresses are arriving from the VMware server at that switchport, since the Cisco ACL doesn't match my requirement?&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Max&lt;/P&gt;</description>
    <pubDate>Thu, 20 Jan 2022 23:54:47 GMT</pubDate>
    <dc:creator>compstar</dc:creator>
    <dc:date>2022-01-20T23:54:47Z</dc:date>
    <item>
      <title>Cisco switch ACL never working problem</title>
      <link>https://community.cisco.com/t5/network-security/cisco-switch-acl-never-working-problem/m-p/4535433#M1086630</link>
      <description>&lt;P&gt;I am studying for the Cisco CCNA exam and I have set myself the task of blocking access from one server to another.&lt;/P&gt;&lt;P&gt;In my lab environment I use a Cisco Catalyst 2960 switch (no routing used, and all ports are members of the same Vlan100) with two VMware servers. One VMware server has a VM with the IP address 192.168.100.1 (it's a virtual interface); the other VMware server has a VM with the IP address 192.168.100.2 (also a virtual interface).&lt;/P&gt;&lt;P&gt;My understanding is that I can create an ACL on the switchport where server 2 is plugged in (Gi1/0/2) and the ACL will block traffic coming from server 1, which is plugged into port Gi1/0/1. For observation I am using my laptop connected to the console port of the Cisco Catalyst:&lt;/P&gt;&lt;P&gt;conf t&lt;/P&gt;&lt;P&gt;ip access-list standard Test&lt;/P&gt;&lt;P&gt;deny 192.168.100.1&lt;/P&gt;&lt;P&gt;permit any&lt;/P&gt;&lt;P&gt;int Gi1/0/2&lt;/P&gt;&lt;P&gt;ip access-group Test in&lt;/P&gt;&lt;P&gt;Yet this doesn't block any traffic from 192.168.100.1.&lt;/P&gt;&lt;P&gt;If I don't specify "permit any", then the implicit deny rule blocks the traffic, meaning it's never matching the first line.&lt;/P&gt;&lt;P&gt;OK, I thought to myself, and tried to change it to:&lt;/P&gt;&lt;P&gt;conf t&lt;/P&gt;&lt;P&gt;access-list 10 deny host 192.168.100.1&lt;/P&gt;&lt;P&gt;access-list 10 permit any&lt;/P&gt;&lt;P&gt;int Gi1/0/2&lt;/P&gt;&lt;P&gt;ip access-group 10&lt;/P&gt;&lt;P&gt;But once again it won't block traffic from 192.168.100.1, and will only block it if I don't use the "permit any" statement (in which case the implicit "deny any" blocks it).&lt;/P&gt;&lt;P&gt;I tried all possible things I can think of... I read a lot of forums; it should work, but it doesn't. What am I doing wrong and how do I troubleshoot it? I already tried to use &lt;EM&gt;log&lt;/EM&gt; after both the permit and deny statements... The traffic still goes through, but sometimes it says "Denied 192.168.100.2 packet". But .2 is my destination, not my source address! Isn't it supposed to say "Denied 192.168.100.1 packet" instead and just block it?&lt;/P&gt;&lt;P&gt;I am really confused. Is it possible to just enable some kind of debugging to see what source and destination IP addresses are arriving from the VMware server at that switchport, since the Cisco ACL doesn't match my requirement?&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Max&lt;/P&gt;</description>
      <pubDate>Thu, 20 Jan 2022 23:54:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-switch-acl-never-working-problem/m-p/4535433#M1086630</guid>
      <dc:creator>compstar</dc:creator>
      <dc:date>2022-01-20T23:54:47Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco switch ACL never working problem</title>
      <link>https://community.cisco.com/t5/network-security/cisco-switch-acl-never-working-problem/m-p/4535461#M1086633</link>
      <description>&lt;P&gt;Look at VLAN ACL:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://networklessons.com/cisco/ccie-routing-switching/vlan-access-list-vacl" target="_blank"&gt;https://networklessons.com/cisco/ccie-routing-switching/vlan-access-list-vacl&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Look at the Cisco official guide: PACL and VACL&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html" target="_blank"&gt;https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 21 Jan 2022 01:50:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-switch-acl-never-working-problem/m-p/4535461#M1086633</guid>
      <dc:creator>balaji.bandi</dc:creator>
      <dc:date>2022-01-21T01:50:11Z</dc:date>
    </item>
  </channel>
</rss>

