ACLS to block internet access

Posted on 2008-10-24
Last Modified: 2008-10-31
Hi Experts,
i need to block the access to internet to a network, that is a secondary network of the vlan1. The actual vlan1 details :
#sho ip inter vlan 1
Vlan1 is up, line protocol is up
  Internet address is
  Broadcast address is
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Secondary address
  Secondary address
  Secondary address
  Secondary address
  Secondary address
 and an access list that i tried to use :

Extended IP access list 101
    deny tcp any eq www
    permit ip any any

but i'm afraided that is not i need to apply it as access-group on vlan1 interface? And if yes...are we sure that it's affect only the www traffic and only in the network?
Any suggestion is really appreciated.

p.s. also an ACLS example :)
Question by:u-boot96
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 16

Accepted Solution

btassure earned 500 total points
ID: 22794993
Assuming you don't already have any ACLs in place then yes to both questions.
The ACL is already created so all you need to do is:
conf t
int vlan 1
ip access-group 101 in

Open in new window


Author Comment

ID: 22797495
thanks, now i have locked the internet to the network, but now i have another issue, becouse i need to grant the internet access to another network that it's again a secondary ip address of vlan1, but it's not allowed to our ISP to access internet. I think that i have to use nat. The isp allowed networks are,156.0,158.0,181.0,182.0. but not the 183.0. Is it possible to enable ip NAT inside between secondary addresses of the same vlan? Do i need virtual vlan?
LVL 13

Expert Comment

ID: 22806425
You can NAT for specific ranges.

Set an outside interface: ip nat ouside
Set an inside interface (VLAN1): ip nat inside
Create a route-map to match ranges you want to permit:
route-map permit_nat permit 10
  match ip address <range 1>
  match ip address <range 2>
  match ip address <etc>
Setup NAT to use the route-map: ip nat inside source route-map permit_nat interface <outsinde interface> overload
LVL 13

Expert Comment

ID: 22806433
Whoops, where "range 1, 2, etc" is a standard access list or prefix-list. IE:

access-list 1 permit
route-map permit_nat permit 10
 match ip address 1

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month10 days, 11 hours left to enroll

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question