dtadmin asked:
access-list to block internet traffic

I need to build an access-list that blocks only internet-bound traffic from one specific host and allows all other traffic. The host IP is 10.1.200.66.
I built the following access-list, but it wasn't successful:

access-list 101 deny tcp host 10.1.200.66 any eq 80
access-list 101 permit ip any any
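As an added illustration that is not part of the original thread: a small Python simulation of how IOS walks a numbered extended ACL top-down, stops at the first matching entry, and applies the implicit deny when nothing matches. It parses the asker's two lines (ACL 101) as posted and, for contrast, a constructed ACL 102 that assumes 10.0.0.0/8 is the internal network (an assumption, not something the thread states). The traffic samples are constructed; 203.0.113.0/24 is the documentation range standing in for "the internet". The point it makes visible is that `deny tcp ... eq 80` matches only destination port 80, so HTTPS, DNS and everything else from the host still hits `permit ip any any`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample ACLs. ACL 101 is the asker's own two lines from the
# thread; ACL 102 is an assumed alternative that treats 10.0.0.0/8 as
# "internal" (an assumption about the asker's network, not stated in the thread).
ACL_FROM_THREAD = """
access-list 101 deny tcp host 10.1.200.66 any eq 80
access-list 101 permit ip any any
"""

ACL_INTERNAL_ONLY = """
access-list 102 permit ip host 10.1.200.66 10.0.0.0 0.255.255.255
access-list 102 deny ip host 10.1.200.66 any
access-list 102 permit ip any any
"""

# A few IOS port keywords so a line such as "eq www" parses like "eq 80".
PORT_NAMES = {"www": 80, "ftp": 21, "domain": 53, "smtp": 25, "telnet": 23}


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # destination port for "eq"; None = any port


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is an inverted netmask: 0.255.255.255 means /8.
    netmask = ipaddress.ip_address((~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(netmask)), strict=False), tokens[2:]


def parse_acl(text):
    """Parse numbered extended ACL lines (permit/deny, ip/tcp/udp/icmp, optional 'eq PORT')."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1])
            if dport is None:
                dport = int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries, src, dst, proto, dport=None):
    """First matching entry wins; no match means the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


# Constructed flows: 203.0.113.0/24 (documentation range) stands in for the
# internet, 10.1.1.5 for an internal server, 10.1.200.67 for another PC.
FLOWS = {
    "host->internet:80/tcp":   ("10.1.200.66", "203.0.113.10", "tcp", 80),
    "host->internet:443/tcp":  ("10.1.200.66", "203.0.113.10", "tcp", 443),
    "host->internet:53/udp":   ("10.1.200.66", "203.0.113.53", "udp", 53),
    "host->internal:445/tcp":  ("10.1.200.66", "10.1.1.5", "tcp", 445),
    "other->internet:443/tcp": ("10.1.200.67", "203.0.113.10", "tcp", 443),
}


def compare():
    """Return {"101": {flow: action}, "102": {flow: action}} for the sample flows."""
    acls = {"101": parse_acl(ACL_FROM_THREAD), "102": parse_acl(ACL_INTERNAL_ONLY)}
    return {name: {flow: evaluate(entries, *pkt) for flow, pkt in FLOWS.items()}
            for name, entries in acls.items()}


if __name__ == "__main__":
    for name, results in compare().items():
        print(f"access-list {name}")
        for flow, action in results.items():
            print(f"  {flow:26} {action}")
```

Running it shows ACL 101 denying only the port-80 flow and permitting the HTTPS and DNS flows from the same host, while ACL 102 denies everything from 10.1.200.66 that is not destined for 10.0.0.0/8 and leaves other hosts untouched. The simulator models only the match logic; it says nothing about where the ACL is applied, which is the thread's other question (a layer-2 access port versus a routed or VLAN interface).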
atlas_shuddered

switch# configure terminal
switch(config)# access-list 101 deny tcp host 10.1.200.66 any eq www
switch(config)# access-list 101 permit ip any any
switch(config)# interface <name-if>   ! common or logical name of the desired port, e.g. gigabitethernet 1/0/1
switch(config-if)# ip access-group 101 in   ! in or out; omitting the keyword does not apply it in both directions
switch(config-if)# end
switch# copy run start
You're close. :-)

It needs to be applied to an interface (layer 3).

In your case, most likely a VLAN interface for the VLAN that the host is on.
access-list 101 deny tcp host 10.1.200.66 any eq 80
access-list 101 permit ip any any
int vlan 200 !(or whatever vlan the host is on)
 ip access-group 101 in
dtadmin (ASKER)
Sorry, I forgot to mention that I did apply it to the physical interface on my switch:

int fa2/37
ip access-group 101 in

But I was still able to get to the internet from the pc plugged into that port.
What port is the PC connected to?
dtadmin (ASKER)
The pc (10.1.200.66) is plugged into port fastethernet 2/37.
Have you tried applying the ACL directly to 2/37?
Is this a layer 3 port? Can you post the config of that port?
dtadmin (ASKER)
I applied the access list directly to that port.
The only config for that port is "switchport mode access" and "spanning-tree portfast."
ASKER CERTIFIED SOLUTION
Don Johnston