05-21-2014 01:26 PM - edited 03-07-2019 07:30 PM
Hi All,
I set up an access-list on Router2 to disallow access from PC1 to PC2, but it didn't work.
PC1: should access PC2, shouldn't access PC0
PC0: should access PC2
I set up:
access-list 101 deny ip 192.168.0.127 0.0.0.128 192.168.0.0 0.0.0.128
access-list 101 permit ip any any
and I set on Router2:
interface gi0/0.2
ip access-group 101 in
But still, PC1 can ping to PC0. I also configured on 'interface gi0/0' and it didn't work.
What else should I set up to disallow the connection?
Thanks in advance,
05-21-2014 02:17 PM
Hi,
You cannot filter the traffic between PC0 and PC1 by an ACL in an L3 router. Both PC0 and PC1 are in the same subnet/VLAN, so the traffic will flow directly from PC0 to the L2 switch to PC1. You may need to consider the Private VLAN concept, which you can apply in your L2 switch to make them not communicate among themselves but only with PC2.
-Nagendra
05-21-2014 04:17 PM
Those 2 addresses are not in the same subnet; they are using a /25 mask. Try this:
access-list 101 deny ip 192.168.0.128 0.0.0.127 192.168.0.0 0.0.0.127
access-list 101 permit ip any any
Also make sure your trunking setup between switch and router is correct. It should go on the vlan 20 subinterface on the router.
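To show why the first ACL never matched PC1's traffic while the corrected one does, here is a small added example (not part of the thread) that evaluates both ACLs with Cisco wildcard-mask semantics. The PC addresses are constructed, since the thread does not give them: PC1 is assumed in 192.168.0.128/25, PC0 in 192.168.0.0/25, PC2 in a third subnet.

```python
import ipaddress

# Constructed sample addresses (assumed, the thread does not state them).
PC1 = "192.168.0.130"   # assumed to be in 192.168.0.128/25
PC0 = "192.168.0.10"    # assumed to be in 192.168.0.0/25
PC2 = "192.168.1.10"    # assumed to be in a third, routed subnet


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must equal the base, a 1 bit is ignored."""
    care = 0xFFFFFFFF & ~_ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


def wildcard_host_count(wildcard: str) -> int:
    """How many addresses one (base, wildcard) pair can match: 2 ** (number of 1 bits)."""
    return 1 << bin(_ip(wildcard)).count("1")


# ACL entries as (action, src_base, src_wildcard, dst_base, dst_wildcard);
# 'any' is written as 0.0.0.0 with wildcard 255.255.255.255.
ORIGINAL_ACL = [
    ("deny",   "192.168.0.127", "0.0.0.128", "192.168.0.0", "0.0.0.128"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
CORRECTED_ACL = [
    ("deny",   "192.168.0.128", "0.0.0.127", "192.168.0.0", "0.0.0.127"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation, ending in the implicit deny every Cisco ACL has."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


if __name__ == "__main__":
    # Wildcard 0.0.0.128 only frees one bit, so the original deny entry covers just 2 addresses.
    print("0.0.0.128 matches", wildcard_host_count("0.0.0.128"), "addresses")
    print("0.0.0.127 matches", wildcard_host_count("0.0.0.127"), "addresses")
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, "PC1->PC0:", acl_action(acl, PC1, PC0), "PC1->PC2:", acl_action(acl, PC1, PC2))
```

The router can only apply this ACL to traffic that actually crosses it, so it filters PC1 to PC0 only when the two /25s are routed through Router2 rather than bridged in one VLAN.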
05-22-2014 01:22 PM
Thanks for your advice, but it didn't work.
I will test with PVLAN Edge and let you know the result.
- Dai Sung Choi
05-24-2014 12:05 PM
Can you post "show run" of the router?
05-22-2014 01:20 PM
I am using 2960s and it only allows PVLAN Edge (protected ports); I will let you know how it goes.
Thanks for your support.
- Dai Sung Choi