Access-list and Switching Module

Author:  oabtwliwb [ Sun Oct 05, 2014 12:07 pm ]
Post subject:  Access-list and Switching Module

I configured R8:

R8(config)#access-list 101 deny ip any any
R8(config)#interface FastEthernet 1/1
R8(config-if)#ip access-group 101 in

-> R1 still can ping R2. :-(


Author:  rednectar [ Sun Oct 05, 2014 8:48 pm ]
Post subject:  Re: Access-list and Switching Module

Your problem is a fundamental one that requires understanding of the OSI model.

Interface f1/1 on R8 is a port on a LAYER 2 switch. Yes, that switch MAY be living in a slot on a router, but it is a switch. It makes switching decisions based on LAYER 2 MAC addresses. It does not even know or care whether the packets that arrive are IP, IPv6 or even IPX.

But your access list is asking for traffic to be denied based on LAYER 3 protocol information.
R8(config-if)#ip access-group 101 in

Some of the newer Nexus gear from Cisco supports PACLs (Port Access Control Lists) where you actually can do that kind of stuff. To emulate that in GNS3 you'd need to use a Nexus 1000V see
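
A simplified model of the behaviour described in the reply above, added here as an example and not part of the original thread or actual IOS code: a frame arriving on a switchport is forwarded on its destination MAC without the IP ACL being evaluated, while the same frame arriving on a routed interface is dropped by it. The `Device` class, the MAC and IP addresses, and port f1/2 are assumptions made for the model.

```python
from collections import namedtuple

IPV4 = 0x0800  # EtherType for IPv4
Frame = namedtuple("Frame", "src_mac dst_mac ethertype src_ip dst_ip")

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST'; SRC/DST is 'any' or 'host A.B.C.D'."""
    rules = []
    for line in lines:
        action, proto, *rest = line.split()[2:]
        addrs = []
        while rest:
            word = rest.pop(0)
            if proto != "ip" or word not in ("any", "host"):
                raise ValueError("entry not supported by this model: " + line)
            addrs.append(None if word == "any" else rest.pop(0))
        rules.append((action, *addrs))
    return rules

def acl_permits(rules, frame):
    for action, src, dst in rules:
        if src in (None, frame.src_ip) and dst in (None, frame.dst_ip):
            return action == "permit"
    return False  # implicit deny that ends every ACL

class Device:  # simplified model: each port is a 'switchport' (L2) or 'routed' (L3)
    def __init__(self):
        self.mac_table, self.acl_checks = {}, 0

    def receive(self, port, mode, frame, inbound_acl=None):
        if mode == "switchport":
            # Layer 2 path: learn the source MAC, forward on the destination MAC only.
            self.mac_table[frame.src_mac] = port
            return "forward:" + self.mac_table.get(frame.dst_mac, "flood")
        # Layer 3 path: the inbound IP ACL is evaluated before the packet is routed.
        if inbound_acl is not None and frame.ethertype == IPV4:
            self.acl_checks += 1
            if not acl_permits(inbound_acl, frame):
                return "drop:acl"
        return "route"

def demo():
    acl101 = parse_acl(["access-list 101 deny ip any any"])  # ACL from the first post
    # Constructed frames: the MACs, IPs and port f1/2 are made up for this model.
    ping = Frame("00:00:00:00:00:01", "00:00:00:00:00:02", IPV4, "10.0.0.1", "10.0.0.2")
    reply = Frame("00:00:00:00:00:02", "00:00:00:00:00:01", IPV4, "10.0.0.2", "10.0.0.1")
    r8 = Device()
    r8.receive("f1/2", "switchport", reply, acl101)  # R2's MAC is learned on f1/2
    l2 = r8.receive("f1/1", "switchport", ping, acl101)
    l3 = r8.receive("f1/1", "routed", ping, acl101)
    return l2, l3, r8.acl_checks
```

`demo()` returns the forwarding decision for the switchport case, the decision for the routed case, and how many times the ACL was consulted across all three frames.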
