layer 2 Switch ACL or Router ACL

will75136 (Level 1)


Hi experts, what is the best practice to perform the above requirement by using an ACL?

I was thinking about using routers, but it won't drop the ping in the same network.

Also, somehow my switch (2960) doesn't support access-group mode.

Could you give me some advice?

Thanks a lot

Will

 

 

Accepted Solution

Hi @will75136

Pinging within the same network cannot be filtered with the methods proposed in your exercise.
However, there is no indication that pinging the other host should be denied.

The only ping denial must be between host 192.168.3.2 and host 192.168.1.2.

I also remind you that at the end of all the lines of every ACL there is an implicit denial.
Therefore, to avoid that all other connectivity is denied, you must enter the permit ip any any line at the end of your ACL.

Regards

5 Replies

Martin L (VIP)

L2 switch does not support ACLs; only routers and L3 switches. L3 switch in PT may not support ACL as it is just a simulator.
What is your ACL and where did you place it?

I placed my ACL on R5 and R6.
Maybe R1 and R2 could be alternative options too?

luis_cordova (VIP Alumni)

Hi @will75136

When the request includes source, destination, and a protocol, an extended ACL should be used.
It is always recommended to configure and apply this type of ACL as close to the origin as possible.

In your case, it would be advisable to create and apply the ACL on the R5 and R6 routers.

Regards
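The policy described in the accepted solution and in the reply above (extended ACL near the source, explicit permit ip any any before the implicit deny), written out as an added example; this is not configuration from the thread. It assumes R5 fronts 192.168.3.0/24 and R6 fronts 192.168.1.0/24, and the interface names are placeholders.

```cisco
! Added example, not from the thread. Assumed topology: R5's LAN
! interface toward 192.168.3.0/24 and R6's LAN interface toward
! 192.168.1.0/24 are both GigabitEthernet0/0 (placeholder names).
!
! --- R5: drop ICMP from 192.168.3.2 to 192.168.1.2 as close to the
!     source as possible, then allow everything else explicitly.
ip access-list extended BLOCK-PING-3-2-TO-1-2
 deny   icmp host 192.168.3.2 host 192.168.1.2
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK-PING-3-2-TO-1-2 in
!
! --- R6: the same policy for the reverse direction.
ip access-list extended BLOCK-PING-1-2-TO-3-2
 deny   icmp host 192.168.1.2 host 192.168.3.2
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK-PING-1-2-TO-3-2 in
```

On R5, show ip access-lists shows the match counter on the deny line rising after a blocked ping, while a ping between two hosts on 192.168.3.0/24 leaves the counters untouched, because that traffic is switched at layer 2 and never enters the router interface the ACL is applied to.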

Thanks, sir.

But what about the end devices in the same network?
How do we avoid ICMP traffic in the same network?
