First you must deny the packets from host 3 to host 1; then permit anything else.
access-list 101 deny ip host 192.168.1.51 host 192.168.1.34
access-list 101 permit ip any any
However, if you want only to deny the ping, you must use icmp instead of ip in the deny part:
access-list 101 deny icmp host 192.168.1.51 host 192.168.1.34 echo
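As an added example (not part of the answer above), a small Python model of Cisco-style first-match ACL evaluation, run over the two ACL variants from the answer and a few constructed packets. It assumes only `host`/`any` address matching and shows the practical difference between `deny ip` and `deny icmp ... echo`, as well as what happens when the trailing `permit ip any any` is forgotten (implicit deny).

```python
"""Model first-match evaluation of Cisco extended ACL lines (illustrative, not IOS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp" ("ip" in an ACE matches all of them)
    icmp_type: str = ""   # e.g. "echo" or "echo-reply" for ICMP packets


def parse_ace(line: str) -> dict:
    """Parse 'access-list <n> permit|deny <proto> host A|any host B|any [icmp-type]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    ace = {"action": tok[2], "proto": tok[3]}
    i = 4
    for key in ("src", "dst"):
        if tok[i] == "any":
            ace[key], i = "any", i + 1
        elif tok[i] == "host":
            ace[key], i = tok[i + 1], i + 2
        else:
            raise ValueError(f"only 'any' and 'host' are supported: {line}")
    ace["icmp_type"] = tok[i] if i < len(tok) else ""   # optional ICMP type qualifier
    return ace


def match(ace: dict, pkt: Packet) -> bool:
    """An ACE matches when protocol, both addresses and (if given) the ICMP type all match."""
    return (ace["proto"] in ("ip", pkt.proto)
            and ace["src"] in ("any", pkt.src)
            and ace["dst"] in ("any", pkt.dst)
            and (not ace["icmp_type"] or ace["icmp_type"] == pkt.icmp_type))


def evaluate(acl_lines: list[str], pkt: Packet) -> str:
    """First matching ACE wins; a packet matching no ACE hits the implicit deny at the end."""
    for line in acl_lines:
        ace = parse_ace(line)
        if match(ace, pkt):
            return ace["action"]
    return "deny"


# Constructed sample ACLs (the two variants from the answer) and sample packets.
ACL_IP = ["access-list 101 deny ip host 192.168.1.51 host 192.168.1.34",
          "access-list 101 permit ip any any"]
ACL_ICMP = ["access-list 101 deny icmp host 192.168.1.51 host 192.168.1.34 echo",
            "access-list 101 permit ip any any"]
ACL_ICMP_ONLY = ACL_ICMP[:1]   # the deny line without 'permit ip any any': everything is dropped
PING = Packet("192.168.1.51", "192.168.1.34", "icmp", "echo")          # host 3 pings host 1
WEB = Packet("192.168.1.51", "192.168.1.34", "tcp")                    # host 3 to host 1, TCP
REPLY = Packet("192.168.1.34", "192.168.1.51", "icmp", "echo-reply")   # host 1 answers a ping
```

`evaluate(ACL_IP, WEB)` returns `deny` while `evaluate(ACL_ICMP, WEB)` returns `permit`, and `evaluate(ACL_ICMP_ONLY, WEB)` is `deny` because nothing matches before the implicit deny.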
I think your problem stems from the wireless router, which, unfortunately, is a consumer-grade device, so it is explicitly off-topic here. Likely, it is configured with a firewall that drops ICMP on the WAN interface, and it will not respond to ping. You will need to disable that if you want to ping. If the wireless router is performing NAT, then you will have a problem initiating traffic from outside to inside the router. You should disable NAT if you want to ping the laptop.
Also, you will need routes in both routers so that they know how to reach the networks on the other side of the other router. Routers learn routes in three ways:
- Directly connected networks
- Statically configured routes
- Dynamically from a routing protocol
Router1 will need to know that it should go to the wireless router in order to reach the network on the other side of the wireless router. You have not given us the network that you are using on the other side of the wireless router, so I will use 10.1.1.0/24 as an example. On Router1, you can use a static route:
ip route 10.1.1.0 255.255.255.0 192.168.1.1
On the wireless router, you will need to configure routes to 192.168.2.0/24 and 192.168.3.0/24 through 192.168.1.254. The wireless router already knows how to reach the 192.168.1.0/24 network because it is directly connected to it.
For your other configurations, you should make some tweaks to follow best practices.
On Router1, you should set the host name to match the diagram. You will also need a password on the VTY lines if you expect to connect to the router via telnet.
hostname Router1
!
line vty 0 15
password MyRouter1Password
login
!
On Switch0, you should configure a trunk interface for the interface that connects to Switch1. Use descriptions on the interfaces, including the one connected to the wireless router. Also, you will need a password on the VTY lines if you expect to connect to the switch via telnet.
hostname Switch0
!
interface FastEthernet0/23
description Connection to Wireless Router F0/0
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/24
description Connection to Switch1 F0/22
switchport mode trunk
!
line vty 0 15
password MySwitch0Password
login
!
On Switch1, use descriptions on the interfaces. Also, you will need a password on the VTY lines if you expect to connect to the switch via telnet.
hostname Switch1
!
interface FastEthernet0/22
description Connection to Switch0 F0/24
switchport mode trunk
!
interface FastEthernet0/23
description Connection to Switch2 F0/24
switchport mode trunk
!
interface FastEthernet0/24
description Connection to Router1 F0/1
switchport mode trunk
!
line vty 0 15
password MySwitch1Password
login
!
On Switch2, use descriptions on the interfaces. Also, you will need a password on the VTY lines if you expect to connect to the switch via telnet.
hostname Switch2
!
interface FastEthernet0/24
description Connection to Switch1 F0/23
switchport mode trunk
!
line vty 0 15
password MySwitch2Password
login
!
Best Answer
You need to use private VLANs. Private VLANs are used in a case where devices on the same subnet and VLAN need to be separated from one another. For example, on a hotel floor you may have devices in each room in the same VLAN, but you don't want one guest to sniff other guests' traffic.
To achieve this you need private VLANs consisting of two communities.
A private VLAN is composed of primary and secondary members. Promiscuous ports will be members of the primary VLAN, but isolated and community ports will be members of the secondary.
Members of same community can talk to each other but not to different communities.
Members of isolated vlan cannot talk to other isolated vlans or communities.
But both community and isolated can talk to the promiscuous which is the port that is connected to the router.
You need to put pc2 & pc3 in one community and pc1 & pc4 in another community. So each pair will be able to communicate with one another but not with the other community's members.
To visually illustrate it:
vlan 1000
2001 - community - pc1 & pc4 should be here.
2002 - community - pc2 & pc3 should be here.
Hope it made sense to you.
You can read more about private vlans here: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html#42874