Cisco switch ACL never working problem

compstar

I am studying for the Cisco CCNA exam and have set myself the task of blocking access from one server to another.

In my lab environment I use a Cisco Catalyst 2960 switch (no routing is used, and all ports are members of the same VLAN 100) with two VMware servers. One VMware server has a VM with the IP address 192.168.100.1 (it's a virtual interface); the other VMware server has a VM with the IP address 192.168.100.2 (also a virtual interface).

My understanding is that I can create an ACL on the switchport where server 2 is plugged in (Gi1/0/2) and the ACL will block traffic coming from server 1, which is plugged into port Gi1/0/1. For observation I am using my laptop connected to the console port of the Cisco Catalyst:


conf t
ip access-list standard Test
 deny 192.168.100.1
 permit any
int Gi1/0/2
 ip access-group Test in

 

Yet this doesn't block any traffic from 192.168.100.1.

If I don't specify "permit any", then the implicit deny rule blocks the traffic, meaning it never matches the first line.

OK, I thought to myself, and tried changing it to:

 

conf t
access-list 10 deny host 192.168.100.1
access-list 10 permit any
int Gi1/0/2
 ip access-group 10

 

But once again it won't block traffic from 192.168.100.1, and will only block it if I don't use the "permit any" statement (in which case the implicit "deny any" blocks it).

I have tried everything I can think of... I read a lot of forums; it should work, but it doesn't. What am I doing wrong, and how do I troubleshoot it? I already tried adding "log" after both the permit and the deny statements... The traffic still goes through, but sometimes it says "Denied 192.168.100.2 packet". But .2 is my destination, not my source address! Isn't it supposed to say "Denied 192.168.100.1 packet" instead and just block it?

I am really confused. Is it possible to just enable some kind of debugging to see what source and destination IP addresses are coming from the VMware server to that switchport, such that the Cisco ACL doesn't match my requirement?

 

Regards,

Max 
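The following is an added example for this thread, not code from the original post and not the thread's accepted answer (which is not reproduced on this page). It models how a standard IOS ACL bound with `ip access-group ... in` to a Layer 2 port is evaluated, under two assumptions stated in the code: a port ACL only sees frames entering the switch on that port (Catalyst port ACLs are inbound-only), and a standard ACL is evaluated top-down, first match wins, with an implicit "deny any" at the end. The host addresses, port names and ACL names reproduce the lab from the post; the wildcard-mask parsing covers the general standard-ACL forms (`host`, bare address, address plus wildcard, `any`), not just the two lines posted.

```python
"""Model of Cisco IOS standard-ACL evaluation on a Layer 2 switch port.

Added example for this thread, not code from the original post.
Assumptions: (1) 'ip access-group X in' on a port filters only frames that
ENTER the switch on that port; (2) first match wins; (3) an unmatched
packet hits the implicit 'deny any'. Hosts/ports/ACL names follow the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    address: int    # reference address as a 32-bit integer
    wildcard: int   # IOS wildcard mask: 0 bits must match, 1 bits are ignored


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ace(line: str) -> Ace:
    """Parse one standard-ACL line: 'deny 192.168.100.1', 'deny host A',
    'permit A WILDCARD', 'permit any', each with an optional trailing 'log'
    (ignored here: it changes logging, not the verdict)."""
    tokens = line.split()
    if tokens and tokens[-1] == "log":
        tokens = tokens[:-1]
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {line!r}")
    if rest == ["any"]:
        return Ace(action, 0, ALL_ONES)
    if rest[0] == "host":
        return Ace(action, _ip(rest[1]), 0)
    if len(rest) == 1:            # bare address: IOS treats it as a single host
        return Ace(action, _ip(rest[0]), 0)
    return Ace(action, _ip(rest[0]), _ip(rest[1]))


def evaluate(acl: List[Ace], src: str) -> Tuple[str, Optional[Ace]]:
    """Top-down, first match wins; no match is the implicit deny (ACE None)."""
    s = _ip(src)
    for ace in acl:
        care = ALL_ONES & ~ace.wildcard       # bits the ACE actually compares
        if (s & care) == (ace.address & care):
            return ace.action, ace
    return "deny", None


@dataclass
class Switch:
    """Pure Layer 2 switch: one host per port, at most one ACL bound
    inbound per port (no outbound port ACLs on a Catalyst access port)."""
    hosts: Dict[str, str]                  # port -> attached host IP
    inbound_acl: Dict[str, List[Ace]]      # port -> ACL applied 'in'

    def ingress_port(self, src: str) -> str:
        for port, ip in self.hosts.items():
            if ip == src:
                return port
        raise KeyError(f"no port has host {src}")

    def forward(self, src: str, dst: str) -> str:
        """Only the ACL on the port where the packet ENTERS is consulted;
        the ACL on the destination host's port never sees this packet."""
        acl = self.inbound_acl.get(self.ingress_port(src))
        if acl is None:
            return "forwarded"
        verdict, _ = evaluate(acl, src)
        return "forwarded" if verdict == "permit" else "dropped"


def ping_exchange(sw: Switch, a: str, b: str) -> Dict[str, str]:
    """Echo request a->b and reply b->a; a ping only works if both pass."""
    return {f"{a}->{b}": sw.forward(a, b), f"{b}->{a}": sw.forward(b, a)}


# Lab from the post: server 1 (.1) on Gi1/0/1, server 2 (.2) on Gi1/0/2.
HOSTS = {"Gi1/0/1": "192.168.100.1", "Gi1/0/2": "192.168.100.2"}
S1, S2 = "192.168.100.1", "192.168.100.2"
TEST_ACL = [parse_ace("deny 192.168.100.1"), parse_ace("permit any")]
TEST_ACL_NO_PERMIT = [parse_ace("deny 192.168.100.1")]


def scenario_as_posted() -> Dict[str, str]:
    """'ip access-group Test in' on Gi1/0/2: frames from .1 enter on Gi1/0/1
    and are never checked; frames from .2 match 'permit any'."""
    return ping_exchange(Switch(HOSTS, {"Gi1/0/2": TEST_ACL}), S1, S2)


def scenario_without_permit_any() -> Dict[str, str]:
    """Same binding without 'permit any': .2's own replies hit the implicit
    deny, which is why a denied .2 packet, not .1, shows up."""
    return ping_exchange(Switch(HOSTS, {"Gi1/0/2": TEST_ACL_NO_PERMIT}), S1, S2)


def scenario_bound_on_source_port() -> Dict[str, str]:
    """Bind the ACL inbound on Gi1/0/1, where .1's frames actually enter."""
    return ping_exchange(Switch(HOSTS, {"Gi1/0/1": TEST_ACL}), S1, S2)


if __name__ == "__main__":
    for fn in (scenario_as_posted, scenario_without_permit_any,
               scenario_bound_on_source_port):
        print(f"{fn.__name__}: {fn()}")
```

On the real switch, `show running-config interface GigabitEthernet1/0/2` confirms which ACL is bound and in which direction, and `show mac address-table` shows on which port each server's MAC address was actually learned, i.e. the port whose inbound ACL its frames will hit. To see the real source and destination addresses arriving on a port, a SPAN session (`monitor session 1 source interface Gi1/0/2` plus `monitor session 1 destination interface <free port>`) mirrored to a capture host is the standard Catalyst tool; the switch itself has no packet-level debug for hardware-switched traffic.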
