TCP blocking IP Address

al.castano1
Level 1

Hey everyone,

I am new to this forum so please forgive me if I don't follow protocol.

There is a DMP receiver on our network that is receiving messages predictably one hour a week.  I believe the messages are coming from a panel on our network.  I used Wireshark and I have a suspected IP address these messages are originating from.

I would like to block all traffic from the suspected IP address.  I have the receiver IP address and the address for the panel.

I tried using the access-list deny command, but signals still came through.

Switch model: WS-C2960S-24TS-L, Version: 15.0(2a)SE9

Thanks in advance for any help you can give me on this matter.

-Al

Richard Burts
Hall of Fame

Al

We do not have much detail to work with and that makes it difficult for us to give you good advice. Perhaps you can help by providing more information:

- is this switch operating as layer 2 switch or layer 3 switch? (is ip routing enabled or not)

- are the source (the panel) and the destination both connected to this switch? Or is one of them connected somewhere else?

- are the source and the destination both in the same IP subnet?

- what is the source IP address? what is the destination IP address?

- what was the detailed content of the access list you used?

- what interface did you apply the acl to and how did you apply it?

HTH

Rick

- is this switch operating as layer 2 switch or layer 3 switch? (is ip routing enabled or not) I just have switches on my network with no routers.  They just communicate using IP addresses, so I think I am using Layer 3.  How can I tell?

- are the source (the panel) and the destination both connected to this switch? Or is one of them connected somewhere else?  There are several switches in between the system that is causing the problem.  I am not sure which panel is using the IP that I suspect is causing the problem, but I know it is not on the same switch.

- are the source and the destination both in the same IP subnet? yes

- what is the source IP address? what is the destination IP address? For confidentiality reasons I can't disclose the IP addresses.  Let's say the receiver has IP address 10.10.100.25 and the suspected problem IP is 10.10.100.231.

- what was the detailed content of the access list you used?  I don't have the exact syntax but something like this:

Access-list 201 deny IP Host 10.10.100.231 any

- what interface did you apply the acl to and how did you apply it? I am not sure.  Basically the default when the switch comes up.

Sorry I have never taken a class in this.  Trying to figure this all out as I go along.

Thanks for the additional information. I understand that you have not had any classes in this technology and will try to help you work through this. Here are responses to things in your post:

- "so I think I am using Layer 3.  How can I tell?" There are several ways. You can look through the switch configuration and if you find the command ip routing then it is layer 3. But you might not see that command and it still might be layer 3. You might check the output of the command show ip protocol. But that is sometimes not easy to interpret. The easiest way to check is to post the output of the command show ip route.

- "There are several switches in between" If there is only one vlan (the default vlan) in all the switches then we can assume connectivity. If there is more than one vlan then we need to check on the possibility that one device is in some vlan and the other device is in a different vlan. That would be a problem. To help figure this out it would be helpful if you would post the output of these commands: show interface status, show vlan

- " are the source and the destination both in the same IP subnet? yes" If they are in the same subnet then it is important that they be in the same vlan.  

- "what are the addresses" Especially if the addresses are registered Public IP that your organization has been assigned I can understand not wanting to disclose them. We should be able to work through this with the disguised addresses you mention 10.10.100.25 and 10.10.100.231.

- "Access-list 201 deny IP Host 10.10.100.231 any" I hope it is just not remembering the syntax but the number 201 should be something more like 101.  

Here are some additional things:

- what kind (what model) of switch are these?

- depending on the kind of switch, some switches use a command line (CLI) to configure and operate the switch while others use a Graphical User Interface (GUI). I am assuming CLI.

- have you configured vlans on the switches or are you just using the default vlan?

- does your switch have a vlan interface with an IP address? If so please from the switch try to ping both of the addresses. Then immediately do show arp on the switch (or it might be show ip arp depending on the code running in the switch). It would be especially interesting if both addresses do have arp entries.

HTH

Rick

Hey Rick,  

Thanks for the help on this.

To find out if I am configured for Layer 3, I typed show ip route.  Apparently I am not sure of the exact command you are requesting.

The model is WS-C2960S-24TS-L. This is a private network running on VLAN 1.  I am using the Command Line Interface.  I am only using the default VLAN.  I did the ping on both addresses and got the machine address for both devices.

We have connectivity.  The switch has a VLAN interface with IP 10.10.100.2.   I am trying to prevent 10.10.100.231 from talking to 10.10.100.25 (the receiver).  All devices send messages to the receiver and the receiver relays the messages on so notification can occur.  All devices and the receiver are on the same VLAN.  10.10.100.231 is out there off one of the switches but I don't know how to find the device with that IP.  If I could find the device I could simply disconnect it.  If I could prevent 10.10.100.231 from talking to the switch at 10.10.100.2 that should work also.

The full command I used is Access-list 101 deny IP host 10.10.100.231 host 10.10.100.25.  I also tried Access-list 101 deny TCP host 10.10.100.231 host 10.10.100.25. And I tried Access-list 101 deny IP host 10.10.100.231 any. I then tested the same command on a known device and the device was able to still report to the receiver.

Any further help you could give me would be appreciated.  

Thanks again for all the help so far,

Al

Al

Thanks for the additional information. The fact that there is only a single vlan (and a single IP subnet) makes this a bit different. Access lists like the one you tried are typically used as traffic is forwarded at layer 3 from one subnet to another subnet. In your case there is no layer 3 forwarding. The device at 10.10.100.231 just arps for 10.10.100.25, gets the mac address of the destination, and sends the packet. The switch is doing layer 2 forwarding, looks at the destination mac address, and forwards the packet to the receiver. So you need something that operates at layer 2. I believe that port acl is the feature that you want. This article discusses acl on 2960, including port acl, and I hope it is helpful.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swacl.html

One thing to understand about Cisco acl is that it is a two step process. You must configure the acl and then you must apply it somewhere for it to be used. Another thing to understand about Cisco acl is that at the bottom of every acl is an implicit command that denies all remaining traffic.

I believe that the acl that you suggested is a good start:

Access-list 101 deny IP host 10.10.100.231 host 10.10.100.25

But you need a second statement that might look something like this:

access-list 101 permit ip any any

That acl will deny traffic from the suspect address to the receiver and permit everything else. After you configure the acl you must decide where to apply it. It needs to be assigned inbound on the interface where the traffic will enter the switch. Perhaps you already know what interface that is. If not, you could determine the interface this way: use the arp table entry for 10.10.100.231 to find the mac address of that device. Then use a show mac address command to look into the switch layer 2 forwarding table and find the interface. Then under that interface you would configure ip access-group 101 in.

Give it a try and let us know how it comes out.

HTH

Rick
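Pulling Rick's procedure together into one session, as an added example that is not part of his reply or of the Cisco guide he links. It uses the disguised addresses from the thread; the MAC address 0011.2233.4455, the port GigabitEthernet1/0/7 and the show-command output are constructed placeholders.

```cisco
! Step 0 - locate the port the suspect device is reached through.
! The arp entry gives the MAC; the MAC table gives the ingress port.
Switch# show ip arp 10.10.100.231
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.100.231          12   0011.2233.4455  ARPA   Vlan1
Switch# show mac address-table address 0011.2233.4455
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi1/0/7
! If Gi1/0/7 is an uplink to another switch (the panel is not on this
! switch), applying the ACL there is still valid: it drops the traffic at
! the point where it enters this switch.
!
! Step 1 - define the ACL. Extended numbered ACLs live in 100-199 (201 is
! not valid). The explicit permit is required because every IOS ACL ends
! with an implicit deny of all remaining traffic; without it the ACL would
! cut off every other panel on that port.
Switch# configure terminal
Switch(config)# access-list 101 remark Block suspect panel from the DMP receiver
Switch(config)# access-list 101 deny ip host 10.10.100.231 host 10.10.100.25
Switch(config)# access-list 101 permit ip any any
!
! Step 2 - apply it as a port ACL, inbound only (port ACLs on the 2960
! are supported in the inbound direction). This is the step the original
! attempt was missing: an ACL that is defined but not applied does nothing.
Switch(config)# interface GigabitEthernet1/0/7
Switch(config-if)# ip access-group 101 in
Switch(config-if)# end
Switch# write memory
!
! Verify the ACL exists and is bound to the port. "show ip interface"
! should report "Inbound access list is 101" for Gi1/0/7.
Switch# show access-lists 101
Switch# show ip interface GigabitEthernet1/0/7 | include access list
```

Confirm the result the same way the problem was found: a Wireshark capture at the receiver during the weekly hour should no longer show packets from 10.10.100.231, while traffic from a known-good panel still arrives.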