Applying an extended Cisco ACL to a FastEthernet port on a 3750
I have not worked much with extended ACLs, so I'm confused about something. When I apply my extended ACL to a workstation access port on the 3750 it looks like this:
ip access-group <extended access group name> in
There is no "out" option in the setup. I don't understand why there is a directional option at all but I can't apply the extended access group unless I choose "in".
Obviously I'm missing something. Will the "in" option prevent traffic from traveling freely in both directions ???
Switches / Hubs
8/22/2022 - Mon
It would, eventually. If you prevent certain packets from coming in, then servers on the outside won't be able to send you replies, thus not making a connection.
I can't answer your question as to why there is no "out" function, as I truly do not know. Either way, however, they shouldn't be able to transfer data.
I assume this is on your outside facing port to the internet? So if you wanted to block, say, FTP traffic you would do something like this:
ip access-list extended BLOCK_FTP
deny tcp <the outside server's IP> <outside server's wildcard mask> <inside network/IP> <inside network wildcard mask> eq 21
What interface is this on? I just tried this on a 1811 router and it worked fine, the "out" option was present. However I tried it on an interface that did not have ip nat outside and it didn't even have the access-group option.
I am not sure if this is the reason or not.
It is on a standard access port that would normally be used for a workstation. The port will eventually connect to a time clock that must be segregated from the rest of the network. I can connect to the port with a laptop and ping the VLAN successfully so it appears ip is flowing in both directions. Hmmmmm !!
So, your setup is basically a router on a stick then? You have multiple VLANs and you are trying to block the data flow at what level? The router or the switch?
Are you routing using trunking to the router? Can you use access-group commands on that interface that the connection comes in at?
Access ports that go to a switch aren't going to be able to use an access-list for IP, since they are a layer two device. Again, I am a CCNA so I don't have wizard's knowledge, but I am sure you can't use access-group on an access port and you need to use the access-list at the router where the VLAN is being routed through.
It would look something like this if you are trying to block a specific service to a specific PC.
access-list 101 deny tcp <user IP address> <user wildcard mask> <time clock IP> <time clock wildcard mask> eq <port number>
You may not need the port number if you want to block that PC from the entire time clock server...
Unless of course you're using a Layer 3 switch, then I have no clue. :)
Ugh, I am a fool this is a layer 3 switch.... this may be outside the purview of my knowledge.... heh.
Sorry to spam this, but I found a question that is close to yours here:
Excellent to know this. From reading the URL I gather that the ACL has no effect on Outbound packets at layer 2 it only filters inbound packets. Am I reading this right ???
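The inbound-only behaviour confirmed above, worked through as an added configuration example (this is not from the thread or from Cisco documentation; the VLAN number, interface, addresses and ACL names are placeholders). On a Catalyst 3750 a port ACL on a Layer 2 access port is applied with "in" only, so it filters what the attached host sends into the switch. Traffic heading toward that host is filtered with a router ACL applied "out" on the VLAN's SVI, which supports both directions. Because IOS ACLs are stateless, the reply half of a permitted session has to be allowed explicitly in the other direction.

```cisco
! Added example, not from the original thread. All values are placeholders:
! time clock 10.20.0.25 on Fa1/0/10 in VLAN 20, its server 10.10.0.50,
! internal address space 10.0.0.0/8.

! Port ACL: frames entering the switch FROM the time clock.
! Only the "in" direction exists for a port ACL on a Layer 2 port.
ip access-list extended TIMECLOCK_IN
 remark allow the clock to obtain an address via DHCP
 permit udp any eq bootpc any eq bootps
 remark allow the clock to reach only its own server
 permit tcp host 10.20.0.25 host 10.10.0.50 eq 443
 remark anything else from the clock toward internal space is dropped and logged
 deny ip host 10.20.0.25 10.0.0.0 0.255.255.255 log
 remark explicit catch-all (the implicit deny would do the same, logging makes it visible)
 deny ip any any log
!
interface FastEthernet1/0/10
 description Time clock (segregated)
 switchport mode access
 switchport access vlan 20
 ip access-group TIMECLOCK_IN in
!
! Router ACL on the SVI: the "out" direction here is traffic leaving the
! switch's VLAN 20 interface, i.e. heading TOWARD the clock.
ip access-list extended TO_TIMECLOCK
 remark return half of the clock's own HTTPS sessions (stateless ACL, so it must be permitted)
 permit tcp host 10.10.0.50 eq 443 host 10.20.0.25 established
 remark DHCP offers/acks from the server toward the clock
 permit udp any eq bootps any eq bootpc
 remark nothing else may initiate a connection to the clock
 deny ip any host 10.20.0.25 log
 remark other hosts in VLAN 20 are unaffected
 permit ip any any
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip access-group TO_TIMECLOCK out
```

Checking the result: "show ip access-lists" shows hit counters per entry, and the logged denies on both ACLs are what to watch for when confirming that the clock only talks to its server. Traffic switched between two hosts inside VLAN 20 never crosses the SVI, so only the port ACL sees it.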
Thanks everybody for your help.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent