Want to block host to host communication

Chris2152
Level 1

Hello All,

I am trying to stop all traffic between specific hosts in separate vlans. Here is my access-list.

Extended IP access list 101
    10 deny ip host 10.21.224.230 host 10.21.223.236
    20 deny ip host 10.21.224.231 host 10.21.223.236
    30 deny ip host 10.21.224.232 host 10.21.223.236
    40 deny ip host 10.21.224.230 host 10.21.223.237
    50 deny ip host 10.21.224.231 host 10.21.223.237
    60 deny ip host 10.21.224.232 host 10.21.223.237
    70 deny ip host 10.21.224.230 host 10.21.223.238
    80 deny ip host 10.21.224.231 host 10.21.223.238
    90 deny ip host 10.21.224.232 host 10.21.223.238
    100 permit ip any any

I applied that access list OUT on the VLAN interface where the 10.21.224.x hosts reside, and I am still able to ping the .223 hosts from the .224 hosts. I assume I am missing something simple here. Any help is appreciated, and thank you!

3 Replies

Chris2152
Level 1

I figured it out: I was getting my In and Out applications backwards. I needed to apply the ACL to the VLAN interface inbound instead of outbound.

The other question I have, if anyone can answer it, is whether this will stop traffic bi-directionally, or whether I need to apply the inverse of this to the VLAN that houses the 10.21.223.x hosts to stop traffic bi-directionally?

Hi,

Even if those hosts want to communicate with the 10.21.224.x hosts, the 10.21.224.x hosts won't be able to reply back, as their replies are filtered by your ACL.

Regards

Alain

Don't forget to rate helpful posts.

Hello, Chris.

If you are sure that the hosts 10.21.224.x will keep their IP address assignment, then your solution is fine.

If there is a risk that the IP addresses will change, then it is better to apply an inbound ACL on the L2 client ports that the devices are connected to.

The ACL would be like: deny ip any host 10.21.223.x .... permit ip any any
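The three points in this thread (why the ACL did nothing when applied OUT on the VLAN 224 SVI, why applying it IN blocks the pings, and Alain's answer that the reverse direction fails too because the replies are filtered) come down to the direction in which a stateless ACL is evaluated on an SVI. The model below is an added example, not code from the thread or from Cisco; it assumes a single L3 switch with one SVI per VLAN, /24 subnets for 10.21.224.x and 10.21.223.x, and represents the last reply's port ACL (filled in with the thread's three .223 hosts) as an inbound filter keyed by the IP of the host plugged into that port. Packets from a VLAN's hosts hit that SVI's inbound ACL; packets routed toward them hit its outbound ACL. The ACL text is parsed exactly as posted, and the ping check requires both the echo request and the echo reply to be forwarded.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Hypothetical topology (assumed, not stated in the thread): one L3 switch, one SVI per VLAN.
VLANS = {224: Net("10.21.224.0/24"), 223: Net("10.21.223.0/24")}

# The ACL exactly as posted in the thread.
ACL_101 = """
Extended IP access list 101
    10 deny ip host 10.21.224.230 host 10.21.223.236
    20 deny ip host 10.21.224.231 host 10.21.223.236
    30 deny ip host 10.21.224.232 host 10.21.223.236
    40 deny ip host 10.21.224.230 host 10.21.223.237
    50 deny ip host 10.21.224.231 host 10.21.223.237
    60 deny ip host 10.21.224.232 host 10.21.223.237
    70 deny ip host 10.21.224.230 host 10.21.223.238
    80 deny ip host 10.21.224.231 host 10.21.223.238
    90 deny ip host 10.21.224.232 host 10.21.223.238
    100 permit ip any any
"""
# Constructed here: the per-port variant from the last reply, written out for the thread's .223 hosts.
PORT_ACL = """
    10 deny ip any host 10.21.223.236
    20 deny ip any host 10.21.223.237
    30 deny ip any host 10.21.223.238
    40 permit ip any any
"""

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    src: Net
    dst: Net

def _addr_spec(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return Net("0.0.0.0/0")
    if tok == "host":
        return Net(tokens.pop(0) + "/32")
    return Net((tok, tokens.pop(0)), strict=False)  # ipaddress accepts a wildcard as a hostmask

def parse_acl(text):
    """Parse 'show access-lists' style lines '<seq> <permit|deny> ip <src> <dst>'; other lines are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # e.g. the 'Extended IP access list 101' header
        seq, action, proto, rest = int(tokens[0]), tokens[1], tokens[2], tokens[3:]
        assert proto == "ip", "this model only handles 'ip' entries"
        src = _addr_spec(rest)
        dst = _addr_spec(rest)
        aces.append(Ace(seq, action, src, dst))
    return aces

def evaluate(acl, src, dst):
    """First matching entry wins; an ACL with no matching entry denies implicitly."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action, ace.seq
    return "deny", None

def vlan_of(ip):
    return next(v for v, net in VLANS.items() if ip in net)

def forwarded(src, dst, svi_acls, port_acls=None):
    """True if a single packet src->dst gets through the switch.
    svi_acls: {(vlan, "in"|"out"): acl}; "in" sees packets arriving from that VLAN's hosts,
    "out" sees packets leaving toward them. port_acls: {host_ip: acl}, inbound on the host's
    L2 access port, so it is checked before the packet is routed at all."""
    src, dst = IPv4(src), IPv4(dst)
    checks = [(port_acls or {}).get(str(src)),
              svi_acls.get((vlan_of(src), "in")),
              svi_acls.get((vlan_of(dst), "out"))]
    return all(evaluate(acl, src, dst)[0] == "permit" for acl in checks if acl)

def ping_works(src, dst, svi_acls, port_acls=None):
    """Echo request and echo reply must both be forwarded: the ACL keeps no connection state."""
    return forwarded(src, dst, svi_acls, port_acls) and forwarded(dst, src, svi_acls, port_acls)

def scenarios():
    acl = parse_acl(ACL_101)
    a, b = "10.21.224.230", "10.21.223.236"
    return {
        "ACL 101 outbound on VLAN 224 SVI (original post)": ping_works(a, b, {(224, "out"): acl}),
        "ACL 101 inbound on VLAN 224 SVI (the fix)": ping_works(a, b, {(224, "in"): acl}),
        "inbound, ping started from the .223 host": ping_works(b, a, {(224, "in"): acl}),
        "inbound, lone packet from .223 still reaches .224": forwarded(b, a, {(224, "in"): acl}),
        "port ACL inbound on the .230 access port": ping_works(a, b, {}, {a: parse_acl(PORT_ACL)}),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'ping works' if ok else 'blocked'}")
```

The first scenario reproduces the symptom from the original post: with the ACL outbound on the VLAN 224 SVI, the only packets it ever sees are the replies coming from .223 toward .224, and none of the deny entries match a .223 source, so the permit at the end lets everything through. Moving it inbound drops the echo request at entry 10. The third and fourth scenarios show Alain's point precisely: a .223 host's packets are still delivered to .224 (nothing filters that direction), but the .224 host's reply is denied on its way back in, so no two-way exchange completes. Whether that one-way delivery matters depends on the protocol; for anything that needs a return packet, the single inbound ACL is enough.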