dtadmin
asked on
access-list to block internet traffic
i need to build an access-list that blocks only internet bound traffic from 1 specific host and allows all other traffic. The host ip is 10.1.200.66
I built the following access-list, but it wasn't successful:
access-list 101 deny tcp host 10.1.200.66 any eq 80
access-list 101 permit ip any any
You're close. :-)
It needs to be applied to an interface (layer 3).
In your case, most likely a VLAN interface for the VLAN that the host is on.
access-list 101 deny tcp host 10.1.200.66 any eq 80
access-list 101 permit ip any any
int vlan 200 !(or whatever vlan the host is on)
ip access-group 101 in
ASKER
sorry. I forgot to mention that I did apply it to the physical interface on my switch:
int fa2/37
ip access-group 101 in
But I was still able to get to the internet from the pc plugged into that port.
What port is the PC connected to?
ASKER
The pc (10.1.200.66) is plugged into port fastethernet 2/37.
Have you tried applying the ACL directly to 2/37?
Is this a layer 3 port? Can you post the config of that port?
ASKER
I applied the access list directly to that port.
The only config for that port is "switchport mode access" and "spanning-tree portfast."
ASKER CERTIFIED SOLUTION
switch(config)# access-list 101 deny tcp host 10.1.200.66 any eq www
switch(config)# access-list 101 permit ip any any
switch(config)# interface <name>   ! the layer-3 interface the host routes through, e.g. Vlan200 (or a routed port such as GigabitEthernet1/0/1)
switch(config-if)# ip access-group 101 in   ! direction is required: in or out
switch(config-if)# end
switch# copy running-config startup-config
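An added example, not part of the thread or anyone's posted config, that takes the original requirement literally (block everything internet-bound from 10.1.200.66, leave the host's internal traffic and every other host alone). It assumes the host sits in VLAN 200, that the switch's SVI Vlan200 is the host's default gateway, and that "internal" means RFC 1918 address space; the ACL name is made up. Note that the port in the thread is `switchport mode access`, a layer-2 port, and a router ACL only takes effect on a layer-3 interface, which is why the traffic kept flowing in the original test:

```cisco
! Added example, not from the thread. Assumes: host 10.1.200.66 in VLAN 200,
! Vlan200 is its gateway, internal networks are RFC 1918 (adjust to your addressing).
ip access-list extended BLOCK-INTERNET-10-1-200-66
 remark Let the host reach internal (RFC 1918) destinations
 permit ip host 10.1.200.66 10.0.0.0 0.255.255.255
 permit ip host 10.1.200.66 172.16.0.0 0.15.255.255
 permit ip host 10.1.200.66 192.168.0.0 0.0.255.255
 remark Anything else from this host is internet-bound: drop it and log the hits
 deny   ip host 10.1.200.66 any log
 remark Every other host is unaffected
 permit ip any any
!
interface Vlan200
 ip access-group BLOCK-INTERNET-10-1-200-66 in
!
end
```

Two checks worth doing after applying it: `show ip access-lists BLOCK-INTERNET-10-1-200-66` should show the deny line's hit counter climbing while the PC tries to browse, and `show ip interface Vlan200` should list the ACL as the inbound access list. If the SVI or gateway for VLAN 200 lives on another router, apply the ACL inbound on that router's interface for the VLAN instead. Matching by destination rather than by port is what makes this block HTTPS, external DNS and anything else, not just TCP/80; if the host needs an external DNS server, add a `permit udp host 10.1.200.66 host <resolver> eq domain` above the deny line.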