628 Views | 0 Helpful | 14 Replies

Access List Help

elite2010
Level 3

Hi all
 
Sw1
interface Vlan200
ip address 10.0.3.2 255.255.255.0
standby 0 priority 200
standby 0 ip 10.0.3.1
 
interface Vlan201
ip address 10.0.5.2 255.255.255.0
standby 0 priority 200
standby 0 ip 10.0.5.1
 
interface Vlan202
ip address 10.0.184.2 255.255.255.0
ip access-group testaccess out
standby 0 priority 200
standby 0 ip 10.0.184.1
 
Sw2
 
interface Vlan200
ip address 10.0.3.3 255.255.255.0
standby 0 priority 50
standby 0 ip 10.0.3.1
 
interface Vlan201
ip address 10.0.5.3 255.255.255.0
standby 0 priority 50
standby 0 ip 10.0.5.1
 
interface Vlan202
ip address 10.0.184.3 255.255.255.0
ip access-group testaccess out
standby 0 priority 50
standby 0 ip 10.0.184.1
 
ip access-list extended testaccess
deny ip 10.0.0.0 0.0.63.255 10.0.184.0 0.0.0.255
permit ip any any
 
From 10.0.184.0/24, if I ping 10.0.3.1, 10.0.3.2, 10.0.5.1, 10.0.5.2, I am getting a reply.
If I ping 10.0.3.3 I am not getting a reply.
 

My question is

why am I getting a reply from 10.0.3.1 (this is the virtual IP; 10.0.3.2 is the active interface)?

My access list (deny ip 10.0.0.0 0.0.63.255 10.0.150.0 0.0.0.255) should block the traffic from 10.0.3.2.

Thanks

14 Replies

Richard Burts
Hall of Fame

There is a fundamental problem in the way that you have configured the access list that explains most of why it is not doing what you think it should do. In the access list the source address is 10.0.0.0 through 10.0.63.255 and the destination address is 10.0.184.0 through 10.0.184.255. But you have applied it outbound on vlan 202. But for vlan 202 10.0.184.0 is the source and not the destination. So it would not block traffic from 10.0.3.2 or 10.0.3.1.

 

HTH

 

Rick


Hi Rick

Thanks for the reply.

You wrote

"the access list the source address is 10.0.0.0 through 10.0.63.255 and the destination address is 10.0.184.0 through 10.0.184.255. But you have applied it outbound on vlan 202. But for vlan 202 10.0.184.0 is the source and not the destination"

When I ping from the PC (IP 10.0.184.50) to 10.0.3.1, the source is 10.0.184.50 and the destination is 10.0.3.1.

When I am getting a reply from the interface 10.0.3.1, the source must be 10.0.3.1?

 

Thanks

 

When I initially read your post I must have been confused about the direction that you applied the access list. You are correct that if a pc at 10.0.184.50 pings to 10.0.3.1 then in the response packet the source address will be 10.0.3.1. Would I be correct in assuming that the pc is connected to switch 1? If it gets response when pinging 10.0.3.1 and 10.0.3.2 but not from 10.0.3.3 then it suggests that there is some issue in the connection between the switches. Can you post the output of show standby from both switches?

 

HTH

 

Rick


I don't think the same group number shown below can be used, i.e.

standby 0 priority 200
standby 0 ip

standby 0 can't be used for every VLAN.

Hi Rick 

Sorry for the confusion. I made some changes to the VLAN ID and the group name (indicated in bold). The previous VLAN ID was 202 but the IP address was the same. The group name was 0 and now it is 184.

 

 

 


Sw1
interface Vlan200
ip address 10.0.3.2 255.255.255.0
standby 0 priority 200
standby 0 ip 10.0.3.1
 
interface Vlan201
ip address 10.0.5.2 255.255.255.0
standby 0 priority 200
standby 0 ip 10.0.5.1
 
interface Vlan184
 ip address 10.0.184.2 255.255.255.0
 ip access-group testaccess out
 standby 184 ip 10.0.184.1
 standby 184 priority 200
 standby 184 preempt
 
 
Sw2
 
interface Vlan200
ip address 10.0.3.3 255.255.255.0
standby 0 priority 50
standby 0 ip 10.0.3.1
 
interface Vlan201
ip address 10.0.5.3 255.255.255.0
standby 0 priority 50
standby 0 ip 10.0.5.1
 
interface Vlan184
 ip address 10.0.184.3 255.255.255.0
 ip access-group testaccess out
 standby 184 ip 10.0.184.1
 standby 184 priority 50
 standby 184 preempt

 

Access list on Sw1 and Sw2
ip access-list extended testaccess
deny ip 10.0.0.0 0.0.63.255 10.0.184.0 0.0.0.255
permit ip any any

 


Spanning tree
 


Sw1
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 184 4096


Sw2
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 184 0

 

Sw1#sh standby vlan 184
Vlan184 - Group 184
  State is Active
    12 state changes, last state change 00:00:09
  Virtual IP address is 10.0.184.1
  Active virtual MAC address is 0000.0c07.acb8
    Local virtual MAC address is 0000.0c07.acb8 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.128 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 200 (configured 200)
  Group name is "hsrp-Vl184-184" (default)

 

Sw2#sh standby vlan 184
Vlan184 - Group 184
  State is Standby
    19 state changes, last state change 00:00:22
  Virtual IP address is 10.0.184.1
  Active virtual MAC address is 0000.0c07.acb8
    Local virtual MAC address is 0000.0c07.acb8 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.360 secs
  Preemption enabled
  Active router is 10.0.184.2, priority 200 (expires in 8.304 sec)
  Standby router is local
  Priority 50 (configured 50)
  Group name is "hsrp-Vl184-184" (default)

 

Rick asked

"Would I be correct in assuming that the pc is connected to switch 1?"


Please see the topology diagram attached.

 

I shut down the interface vlan 184 on Sw1; then the access list is working as expected, meaning I can't ping.

 

Thank you for your support

 

 

Thank you for the additional information. The drawing seems to show the PC connected to both switch1 and to switch2. How does that work?

 

The output of show standby is interesting. Clearly switch2 has heard from switch1 and knows about switch1. But switch1 does not seem to know about switch2

switch1 output

  Active router is local
  Standby router is unknown

switch2 output

  Active router is 10.0.184.2, priority 200 (expires in 8.304 sec)
  Standby router is local

 

HTH

 

Rick


Hi Rick

 

You said

"The drawing seems to show the PC connected to both switch1 and to switch2. How does that work?"

On Sw3 (where the PC is connected; let me call it Sw3) spanning tree is PVST, so the link to Sw2 must be in blocking state? Please correct me if I am wrong.

Below is the spanning tree information on Sw1 and Sw2

Sw1
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 184 0


Sw2
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 184 4096

 

" The output of show standby is interesting. Clearly switch2 has heard from switch1 and knows about switch1. But switch1 does not seem to know about switch2 "

Q. What could be the problem?

Q. Does it impact the access list on Sw1?

 

Thanks again 

 

 

 

 

Hi Rick 

 

One thing came to my mind. The reason the standby router is unknown may be that on Sw2 the interface was down when I took show standby. I am not sure.

switch1 output

  Active router is local
  Standby router is unknown

Sorry for the inconvenience

Please post the latest output of show standby for both switches.

Hi

Here is the output

 

Sw1#sh standby vlan 184
Vlan184 - Group 184
  State is Active
    15 state changes, last state change 00:01:48
  Virtual IP address is 10.0.184.1
  Active virtual MAC address is 0000.0c07.acb8
    Local virtual MAC address is 0000.0c07.acb8 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.200 secs
  Preemption enabled
  Active router is local
  Standby router is 10.0.184.3, priority 50 (expires in 8.240 sec)
  Priority 200 (configured 200)
  Group name is "hsrp-Vl184-184" (default)


Sw2#sh standby vlan 184
Vlan184 - Group 184
  State is Standby
    21 state changes, last state change 00:03:24
  Virtual IP address is 10.0.184.1
  Active virtual MAC address is 0000.0c07.acb8
    Local virtual MAC address is 0000.0c07.acb8 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.848 secs
  Preemption enabled
  Active router is 10.0.184.2, priority 200 (expires in 9.312 sec)
  Standby router is local
  Priority 50 (configured 50)
  Group name is "hsrp-Vl184-184" (default)

Everything is working fine. Do you still have the problem with HSRP?

Hi

I did not have a problem with HSRP. The problem was with the access list.

Add below statement in the access-list, it should resolve the problem.

 

deny ip  10.0.184.0 0.0.0.255 10.0.0.0 0.0.63.255

 
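Added example, not taken from this thread or from Cisco: a small evaluator that applies the testaccess list the way the thread applies it (outbound on the Vlan184 SVI), for both the original question (why the echo reply from 10.0.3.1 arrives despite the deny) and the reverse entry suggested in the reply above. It implements Cisco wildcard-mask matching with first-match and the implicit deny. The PC address 10.0.184.50, the SVI addresses and the ACL lines come from the thread; treating the HSRP virtual addresses as Sw1-local (Sw1 is active) is an assumption, and the rule that an outbound ACL is not applied to traffic the device itself originates is documented IOS behaviour, not something the thread states.

```python
"""Evaluate a Cisco-style extended IP ACL and its outbound application on an SVI.

Constructed example: addresses and ACL entries taken from the forum thread,
packet samples built inline. Not Cisco code.
"""
import ipaddress
from dataclasses import dataclass

IMPLICIT_DENY = "deny"


@dataclass(frozen=True)
class Ace:
    action: str       # "permit" or "deny"
    src: int          # base address
    src_wild: int     # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int


def ip2int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_operand(tokens):
    """Consume one address operand: 'any', 'host X', or 'base wildcard'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return ip2int(tokens[1]), 0, tokens[2:]
    return ip2int(tokens[0]), ip2int(tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny ip <src> <dst>' (the only ACE form the thread uses)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, src_wild, rest = _take_operand(rest)
    dst, dst_wild, rest = _take_operand(rest)
    return Ace(action, src, src_wild, dst, dst_wild)


def parse_acl(lines) -> list:
    return [parse_ace(line) for line in lines if line.strip()]


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF            # bits that must match exactly
    return addr & care == base & care


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; nothing matching hits the implicit deny."""
    s, d = ip2int(src), ip2int(dst)
    for ace in acl:
        if wildcard_match(s, ace.src, ace.src_wild) and wildcard_match(d, ace.dst, ace.dst_wild):
            return ace.action
    return IMPLICIT_DENY


def outbound_on_svi(acl, svi_subnet: str, local_addrs, src: str, dst: str) -> str:
    """Result of an ACL applied 'out' on an SVI for one packet.

    Only packets the switch forwards OUT of the SVI (destination on its subnet)
    are checked. A packet entering the SVI is never seen by an outbound ACL,
    and IOS does not apply outbound ACLs to packets the device itself
    originates, such as an echo reply sourced from one of its own addresses.
    """
    if ipaddress.IPv4Address(dst) not in ipaddress.IPv4Network(svi_subnet):
        return "not-checked (packet does not exit this SVI)"
    if src in local_addrs:
        return "not-checked (locally originated)"
    return evaluate(acl, src, dst)


ORIGINAL_ACL = parse_acl([
    "deny ip 10.0.0.0 0.0.63.255 10.0.184.0 0.0.0.255",
    "permit ip any any",
])
# Same list with the reverse entry suggested in the thread placed in front.
WITH_REVERSE = parse_acl([
    "deny ip 10.0.184.0 0.0.0.255 10.0.0.0 0.0.63.255",
    "deny ip 10.0.0.0 0.0.63.255 10.0.184.0 0.0.0.255",
    "permit ip any any",
])
# Assumption: Sw1 is HSRP active, so the virtual addresses are local to it.
SW1_ADDRS = {"10.0.3.2", "10.0.5.2", "10.0.184.2", "10.0.3.1", "10.0.5.1", "10.0.184.1"}


def ping_exchange(acl, pc: str = "10.0.184.50", target: str = "10.0.3.1") -> dict:
    """Both halves of a ping from the PC, as seen by the outbound ACL on Vlan184 of Sw1."""
    return {
        "request": outbound_on_svi(acl, "10.0.184.0/24", SW1_ADDRS, pc, target),
        "reply": outbound_on_svi(acl, "10.0.184.0/24", SW1_ADDRS, target, pc),
    }


if __name__ == "__main__":
    for target in ("10.0.3.1", "10.0.3.2", "10.0.3.3"):
        print(target, ping_exchange(ORIGINAL_ACL, target=target))
    print("with reverse entry", ping_exchange(WITH_REVERSE, target="10.0.3.1"))
```

Running it shows the two halves of the exchange separately: the request never exits Vlan184, so an outbound ACL cannot touch it whatever entries it contains, which is why adding the reverse entry changes nothing there; the reply from 10.0.3.1 or 10.0.3.2 does match the deny on paper, but it is sourced by Sw1 itself and is not put through Sw1's own outbound ACL, while a reply from 10.0.3.3 that transits Sw1 is ordinary forwarded traffic and is dropped. Filtering the request would need the list applied inbound on Vlan184 (with the source and destination operands reversed), which is a different configuration from the one posted.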

Hi

But deny ip 10.0.0.0 0.0.63.255 10.0.184.0 0.0.0.255 should block (outbound), isn't it?

Though I added deny ip 10.0.184.0 0.0.0.255 10.0.0.0 0.0.63.255, no luck.

 

Thanks
