Solved: Re: Deny ping request from specific PC to PC

PandaTV · ‎12-19-2019

So I have this problem in which you have 6 PC, 1 router and 2 switches to work with. So, PC1, PC2 and PC3 are in 1 switch and PC4,PC5 and PC6 are the other switch. So what I'm trying to do is not allow PC1 to ping PC4, same goes for PC4, it won't be allowed to ping PC1. Though PC1 can ping both PC5, PC6, PC2 and PC3, and PC4 can ping both PC2, PC3, PC5 and PC6. The Network ID I'm working with is 192.168.7.0 .So I set the 1 net side of the network to have a default gate of 192.168.7.1 and the other side is 192.168.8.1.

The problem is every time I try to use command to block specific host, it will still ping and will allow the request. This are the list of IP set for each PC:

PC1 - 192.168.7.3

PC2 - 192.168.7.4

PC3 - 192.168. 7.5

PC4 - 192.168.8.3

PC5 - 192.168.8.4

PC6 - 192.168.8.5

so I tried commanding it like this

access-list 101 deny icmp host 192.168.7.3 host 192.168.8.3 echo

access-list 101 deny icmp host 192.168.8.3 host 192.168.7.3 echo

access-list 101 permit ip any any

interface fastEthernet 0/0

ip access-group 11 in

interface fastEthernet 1/0

ip access-group 11 in

So yea, whenever I ping both sides, it still pings and it feels like the command isn't even there. Is there anyway you can tell me where I did wrong?

Georg Pauwen · ‎12-19-2019

Hello,

looks like you have simply assigned a wrong (non-existing) access list to the interfaces. Change:

interface FastEthernet0/0
ip address 192.168.7.1 255.255.255.0
ip access-group 11 in
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.8.1 255.255.255.0
ip access-group 11 in
duplex auto
speed auto

to

interface FastEthernet0/0
ip address 192.168.7.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.8.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto

View solution in original post

luis_cordova · ‎12-19-2019

Hi @PandaTV

If it is a project in PacketTracer, compress it (winzip) and attach it to check.

Regards

PandaTV · ‎12-19-2019

Hi thanks for the respond. Sorry I forgot to attach my file, here's the compress file.

Georg Pauwen · ‎12-19-2019

Hello,

looks like you have simply assigned a wrong (non-existing) access list to the interfaces. Change:

interface FastEthernet0/0
ip address 192.168.7.1 255.255.255.0
ip access-group 11 in
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.8.1 255.255.255.0
ip access-group 11 in
duplex auto
speed auto

to

interface FastEthernet0/0
ip address 192.168.7.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.8.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto

paul driver · ‎12-20-2019

Hello

@PandaTV wrote:

So I have this problem in which you have 6 PC, 1 router and 2 switches to work with. So, PC1, PC2 and PC3 are in 1 switch and PC4,PC5 and PC6 are the other switch. So what I'm trying to do is not allow PC1 to ping PC4, same goes for PC4, it won't be allowed to ping PC1.

no need for any complex access-list on Switch1 -2 - pc 1 & pc 4 ports just apply the following (not sure about PT , but on real hardware it is applicable)

int xx
switchport protected < -- this will negate communication between any host attach to these ports with this feature applied

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul