ACL help

helpmeplease
Level 1

I'm having trouble getting an ACL set. I'm trying to limit 1 particular system on 1 vlan to only being able to access 1 system on a different vlan. Can someone help me with the syntax to get this straight? Thanks.

Ex: system 1: 10.10.3.5 should only be able to access system 2: 10.10.3.4 and nothing/nowhere else.

12 Replies

helpmeplease
Level 1

Correction to original post - system 1: 10.10.3.5, system 2: 10.10.4.5

Assuming you have other hosts on the VLAN whose communication you do not want to disturb, the following ACL should do the trick:

access-list 100 permit ip host 10.10.3.5 host 10.10.4.5
access-list 100 deny ip host 10.10.3.5 any
access-list 100 permit ip any any

Note that this will still allow communication within a VLAN so your host 10.10.3.5 will still be able to access resources within the same VLAN. If you want to limit that also then something like a VLAN map needs to be configured. How to configure that depends on what switch/software you are using.

Thanks - I tried that and it doesn't appear to have prevented anything. I initially had a 4006 switch with a 3550 doing the routing and I created the ACL on the 3550. I created a different ACL using a web interfaced wizard and it worked ok, but using the command line for this hasn't worked. I'm still able to ping things on different vlans.

What does your topology look like and where exactly are you applying the ACL? If you can post the configuration you did using the CLI that will also be helpful.

Thanks. This is the config from the 3550 where I created the ACL. I couldn't tunnel down to apply the ACL on the interface itself - only in general global config mode. Thanks for the help.

clock timezone EST -5
ip subnet-zero
ip routing
!
ip domain-name ****
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan access-map SecWiz 10
 action forward
 match ip address SecWiz_Gi0_1_out_ip SecWiz_Fa0_2_in_ip
vlan filter SecWiz vlan-list 1-5
!
interface FastEthernet0/1
 no switchport
 ip address 192.168.11.2 255.255.255.0
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/21
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/22
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
 ip address 192.168.4.1 255.255.255.0
 ip helper-address 192.168.0.102
!
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.11.1
ip http server
!
ip access-list extended SecWiz_Fa0_2_in_ip
 deny ip any host 192.168.0.102
 permit ip any any
ip access-list extended SecWiz_Gi0_1_out_ip
 deny ip 192.168.5.0 0.0.0.255 host 192.168.0.102
 permit ip any any
!
access-list 100 permit ip host 192.168.3.5 host 192.168.0.102
access-list 100 deny ip host 192.168.3.5 any
access-list 100 permit ip any any
!
line con 0

Configuring the access-list in the global config mode does not do much as far as denying or permitting traffic is concerned. You need to apply the access-list to the desired physical or logical interface. What did you mean you could not tunnel down to apply it on the interface? Try applying it to your VLAN3 interface using:

interface vlan3
 ip access-group 100 in

Thanks for your patience with this. I was able to apply the ACL to the interface (see below), however, when I do it inbound, I can no longer connect to 192.168.3.5 but the 3.5 machine can get anywhere. When I changed the access group to out, I could get back and forth from everywhere. Is it possible that my other ACL is interfering?

interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan4
 ip address 192.168.4.1 255.255.255.0
 ip helper-address 192.168.0.102
!
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.11.1
ip http server
!
ip access-list extended SecWiz_Fa0_2_in_ip
 deny ip any host 192.168.0.102
 permit ip any any
ip access-list extended SecWiz_Gi0_1_out_ip
 deny ip 192.168.5.0 0.0.0.255 host 192.168.0.102
 permit ip any any
!
access-list 100 permit ip host 192.168.3.5 host 192.168.0.102
access-list 100 deny ip host 192.168.3.5 any
access-list 100 permit ip any any

Your last question first: I don't think your other access lists are interfering. You should understand that an access-list on its own does not do anything at all; it is just a list of source and destination addresses. It has absolutely no effect until you apply it to an interface, which you do with the access-group command. Since I don't see "access-group SecWiz_Fa0_2_in_ip" anywhere in your listing, I don't think it can be interfering with anything.

The next thing to point out is that access-lists filter packets, not connections. Connections require packets in both directions.

The configuration you have here will allow 192.168.3.5 to connect to 192.168.0.102 because it allows packets from 192.168.3.5 to 192.168.0.102. The packets from 192.168.0.102 to 192.168.3.5 are not filtered in any way, so the connection is OK.

The configuration you have here will also allow 192.168.0.102 to connect to 192.168.3.5. The packets from 192.168.0.102 to 192.168.3.5 are not filtered in any way. The return packets from 192.168.3.5 to 192.168.0.102 are allowed by the access list, so the connection is OK.

192.168.3.5 is not allowed to connect to anything else because its packets are blocked by the second line of the access list. Conversely, nothing else can connect to 192.168.3.5. Why not? Well, the packets get to 192.168.3.5, but its reply is blocked by the access list. Hence no connection.

The behaviour you describe is exactly as I would expect from the configuration you have.

What was your original objective? I thought it was to allow 192.168.3.5 to communicate with 192.168.0.102 and nothing else. I think that is what we have achieved here.

However, if you want other machines to connect to 192.168.3.5, you could try adding "access-list 100 permit tcp host 192.168.3.5 any established" between the first and second line of your access list. This will allow 192.168.3.5 to return packets to any other machine that has already established a connection with it. Only works with TCP though, not for UDP and ICMP protocols. There is a way to do UDP and ICMP as well, called "reflexive access-lists", but I think that's beyond the scope of this posting for now.

Is that any clearer? If not, please let us know which part you did not understand.

Kevin Dorrell

Luxembourg
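To check the packets-versus-connections reasoning above (and the first reply's caveat that traffic inside the VLAN is never filtered by a router ACL), here is an added Python model of the posted access-list 100 applied with "ip access-group 100 in" on Vlan3. It is example code written for this page, not from the thread or from Cisco; the hosts 192.168.4.20 and 192.168.3.9 used in the checks are constructed sample addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VLAN3 = ip_network("192.168.3.0/24")  # the subnet on interface Vlan3
ANY = "0.0.0.0/0"                      # IOS "any"
HOST_A = "192.168.3.5/32"              # IOS "host 192.168.3.5"

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches everything; otherwise "tcp", "udp" or "icmp"
    src: str                    # source in CIDR notation
    dst: str                    # destination in CIDR notation
    established: bool = False   # IOS "established": TCP segments with ACK (or RST) set

# access-list 100 exactly as posted in the thread
ACL_100_AS_POSTED = [
    Ace("permit", "ip", HOST_A, "192.168.0.102/32"),
    Ace("deny", "ip", HOST_A, ANY),
    Ace("permit", "ip", ANY, ANY),
]
# the same list with the suggested "permit tcp host 192.168.3.5 any established" as line 2
ACL_100_ESTABLISHED = [ACL_100_AS_POSTED[0], Ace("permit", "tcp", HOST_A, ANY, established=True),
                       *ACL_100_AS_POSTED[1:]]

def ace_matches(ace: Ace, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(ace.src):
        return False
    if ip_address(pkt["dst"]) not in ip_network(ace.dst):
        return False
    return not ace.established or (pkt["proto"] == "tcp" and pkt["ack"])

def evaluate(acl: list, pkt: dict) -> str:
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def connection_allowed(acl: list, client: str, server: str, proto: str) -> bool:
    """Model 'ip access-group 100 in' on Vlan3: the ACL only sees packets entering the router
    from VLAN 3, and a connection works only if request AND reply both get through."""
    if ip_address(client) in VLAN3 and ip_address(server) in VLAN3:
        return True  # switched inside the VLAN, never reaches the SVI, so never filtered
    request = {"src": client, "dst": server, "proto": proto, "ack": False}  # e.g. TCP SYN
    reply = {"src": server, "dst": client, "proto": proto, "ack": True}     # SYN/ACK onwards
    return all(not (ip_address(p["src"]) in VLAN3 and evaluate(acl, p) == "deny")
               for p in (request, reply))
```

With the list as posted, 192.168.3.5 can reach 192.168.0.102 and nobody else can reach 192.168.3.5; adding the "established" line re-opens inbound TCP to 192.168.3.5 but, as the post says, not ICMP or UDP.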

My objective was to allow the 3.5 machine to ONLY communicate with the 0.102 machine, but it's still able to ping other machines on all vlans. Secondly, I need any machine to be able to access the 3.5 machine - I was only trying to limit traffic coming from the 3.5 machine.

It does not help when we learn about your 'actual' objectives 10 posts into the problem. The ACLs you have created using the GUI are being used in a VLAN map that has been applied to pretty much all VLANs. This VLAN map is specifically denying communication to 0.102 from all sources. When you apply the ACL we suggested you are in effect denying any communication from the 3.5 machine. So to answer your question, yes I think your existing ACLs are causing this issue. Try removing the VLAN map and then see what happens.

You say that you want 3.5 to talk to only 0.102 and nothing else but then you say that you want all machines to be able to access 3.5. If this communication is TCP then we can achieve that as TCP is stateful but with UDP or ICMP it is not a feasible requirement as the return ACL will deny packets sourced from 3.5 to machines other than 0.102.

To be honest your requirements are still quite sketchy. Do remember that conveying a problem in its entirety and in an effective manner goes a long way in obtaining a quick resolution. That being said ... please no hard feelings.

Thanks for your help, and there are no hard feelings. I was confident that my initial post, which included an example of what I wanted, coupled with the posting of my configuration would suffice. I stated that I wanted to limit traffic FROM the 3.5 system and never said anything about limiting traffic TO it. I've never worked with ACLs before, so I apologize for my lack of knowledge, and for wasting your time.

It may be a question of where you put this access list. To be effective, it should be an input access list on the VLAN interface containing the host 10.10.3.5 whose traffic you want to block.

int
 access-group 100 in

Kevin Dorrell

Luxembourg
