OK, I'm not an all-powerful CCIE, but I'll take a stab at this.

Applying an access list to a switch is only going to limit access to and
from your management interface.  Switched traffic through the switch is
still switched traffic, and by and large, a switch doesn't ever look at IP
information, thus wouldn't filter anything based on an IP address.

That would explain why you can't ping the host from the switch (I'd imagine
you are getting a "Request Timed Out") but the traffic from the outside
world still gets through.

Also, what's up with the "2000" access list?  Would not an extended IP list
be 100-199?

--Tim

Christian Fredrickson wrote:
> 
> Running a Cisco switch 3548XL
> Trying to block a specific IP address. The access-list looks
> like:
> (I substituted the IP addresses)
> access-list 2000 deny   ip host ip_address any
> access-list 2000 permit ip range.0 0.0.0.255 any
> access-list 2000 deny   ip any any
> 
> All ports on this switch belong to the same VLAN and all other switches use
> this switch to get to the upper layer switch and use that to get to the
> router. The vlan looks like:
> (I substituted the IP addresses)
> interface VLAN1
>  description line
>  ip address switch_ip 255.255.255.0
>  ip access-group 2000 in
> 
> But I can still ping the host from external addresses. Why is this ACL not
> working?
> 
> Thank you all in advance.
> 
> 
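As an added illustration of Tim's point (this is not from the thread; the addresses and the value of switch_ip are constructed placeholders): a small Python model of the quoted ACL that evaluates it only for packets addressed to the switch's own VLAN1 IP, treats everything else as plain layer-2 switched traffic, and reports which IOS numbered-ACL range a given list number falls in.

```python
import ipaddress

# Constructed sample: the thread's ACL with placeholder addresses filled in from RFC 5737.
ACL_2000 = """
access-list 2000 deny   ip host 192.0.2.77 any
access-list 2000 permit ip 192.0.2.0 0.0.0.255 any
access-list 2000 deny   ip any any
"""
SWITCH_IP = "192.0.2.1"  # assumed value for 'switch_ip' on interface VLAN1

def acl_kind(number):
    """IOS numbered ranges: standard 1-99/1300-1999, extended 100-199/2000-2699."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    return "extended" if 100 <= number <= 199 or 2000 <= number <= 2699 else "unknown"

def parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard bits are the inverse of a netmask (contiguous wildcards only here)
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1]))
    net = ipaddress.ip_network(f"{tokens[0]}/{ipaddress.IPv4Address(mask)}", strict=False)
    return net, tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src_net, dst_net)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, rest = parse_addr(t[4:])
        dst, _ = parse_addr(rest)
        entries.append((t[2], src, dst))
    return entries

def acl_verdict(entries, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action
    return "deny"

def svi_inbound(entries, src, dst, switch_ip=SWITCH_IP):
    """Model 'ip access-group 2000 in' on VLAN1 of a layer-2 switch: only packets
    addressed to the switch's own IP reach the SVI; everything else is switched."""
    if dst != switch_ip:
        return "switched"  # forwarded by MAC address, the ACL is never consulted
    return acl_verdict(entries, src, dst)
```

The transit case (192.0.2.77 to another host on the VLAN) comes back "switched" even though the ACL itself would deny that source, which is exactly why the host stays reachable while pings from the switch's own IP fail.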

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43117&t=43021