Railroad
asked on
Cisco 3560 ACL
I have not used ACLs much, so I'm not sure how to do this without a lot of playing. I have a 3560 with a VLAN 905. I'd like to make it so that all inbound traffic from my default gateway is blocked.
I basically want to block all Internet access on this VLAN. I know this is pretty simple, but I don't know the exact commands.
Thanks.
ASKER
Yes there is a vlan 905 interface on the 3560.
This doesn't block all Internet traffic, only that on port 80. It also blocks access to internal websites. Also, I realized there is one computer on that VLAN that I need to allow Internet access. I've set up a reservation in DHCP to assign it 172.20.5.50.
I tried this:
ip access-list extended No_Internet_VLAN905
permit ip any host 172.20.5.50
deny ip host 172.20.0.1 any
permit ip any any
ip access-group No_Internet_VLAN905 in
However this still didn't block access. I also tried:
ip access-list extended No_Internet_VLAN905
permit ip 172.20.0.0 0.0.255.255 any
permit ip any host 172.20.5.50
This didn't work either. Ideas?
Okay, so you want to allow access to the internal networks for everyone, and Internet access only for that one host?
ip access-list extended No_Internet_VLAN905
permit ip any x.x.x.x 255.x.x.x (this line is for your internal networks. If you have more than one network, you can add multiple lines.)
permit ip host 172.20.5.50 any
deny ip any any
ASKER
ip access-list extended No_Internet_VLAN905
permit ip any host 172.20.5.50
permit ip host 172.20.5.50 any
deny ip any host 10.30.2.1
deny ip host 10.30.2.1 any
permit ip any 172.20.0.0 0.0.255.255
permit ip 172.20.0.0 0.0.255.255 any
This doesn't work. 10.30.2.1 is the 3560's default gateway. Ideas?
ASKER CERTIFIED SOLUTION
ASKER
OK, so other than the order and the fact that I have the "reverse" commands, mine is the same. Why does yours work and not mine?
Did it work for you?
On another note: order is everything when it comes to ACLs.
ASKER
Yes, it's working.
Great!
ip access-list extended internet
 deny tcp any any eq 80
 permit ip any any
interface vlan 905
 ip access-group internet in
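The ACLs posted in this thread, run through a small first-match evaluator. This is an added example, not code from the thread or from Cisco; it models how IOS evaluates an extended ACL applied inbound on the Vlan905 SVI: entries are checked top to bottom, the first match decides, and anything unmatched hits the implicit deny at the end. It shows why the port-80 ACL above and the ACL with the "reverse" entries still let VLAN hosts reach the Internet, while the answer's ordering (internal networks, then the exception host, then deny all) does not. Two details the thread turns on: on an inbound ACL on the SVI every packet is sourced from a VLAN host, so an entry that permits traffic from 172.20.0.0/16 permits everything; and an entry matching the default gateway 10.30.2.1 only catches packets addressed to the gateway itself, because routed Internet traffic carries the remote destination in its header, not the next hop. The answer's x.x.x.x placeholder is filled in as 172.20.0.0 0.0.255.255 (an assumption, using the range the asker used; IOS extended ACLs take a wildcard mask, not a subnet mask), and the packets are constructed.

```python
"""Added example: a model of Cisco IOS extended-ACL evaluation for an ACL applied
'in' on interface Vlan905. First matching entry wins; unmatched packets hit the
implicit 'deny ip any any'. Parses only the syntax used in the thread:
permit|deny, protocol ip|tcp|udp|icmp, address specs 'any' | 'host A.B.C.D' |
'A.B.C.D WILDCARD', and an optional 'eq PORT' after the destination."""
from ipaddress import IPv4Address


def _addr_spec(tokens):
    """Consume one address spec; return (network, wildcard) as ints.
    IOS wildcard masks: 0 bits must match, 1 bits are don't-care."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))


def _addr_matches(spec, ip):
    net, wildcard = spec
    return (int(IPv4Address(ip)) & ~wildcard) == (net & ~wildcard)


def parse_acl(text):
    """Return ACEs as (action, proto, src, dst, dport, line), in configured order."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skips the 'ip access-list extended NAME' header and blank lines
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr_spec(tokens), _addr_spec(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, dport, raw.strip()))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """Return (action, matching_line) for one packet; first match wins."""
    for action, e_proto, src, dst, e_dport, line in entries:
        if e_proto != "ip" and e_proto != proto:
            continue
        if e_dport is not None and e_dport != dport:
            continue
        if _addr_matches(src, src_ip) and _addr_matches(dst, dst_ip):
            return action, line
    return "deny", "(implicit deny ip any any)"


# ACLs from the thread. INTERNAL_ACL fills the answer's x.x.x.x placeholder with
# 172.20.0.0 0.0.255.255 (assumption: the range the asker used for internal hosts).
PORT80_ACL = """
ip access-list extended internet
 deny tcp any any eq 80
 permit ip any any
"""
REVERSED_ACL = """
ip access-list extended No_Internet_VLAN905
 permit ip any host 172.20.5.50
 permit ip host 172.20.5.50 any
 deny ip any host 10.30.2.1
 deny ip host 10.30.2.1 any
 permit ip any 172.20.0.0 0.0.255.255
 permit ip 172.20.0.0 0.0.255.255 any
"""
INTERNAL_ACL = """
ip access-list extended No_Internet_VLAN905
 permit ip any 172.20.0.0 0.0.255.255
 permit ip host 172.20.5.50 any
 deny ip any any
"""

# Constructed packets as they enter the switch on Vlan905 (sources are VLAN hosts).
PACKETS = {
    "host -> internet https": ("tcp", "172.20.5.10", "8.8.8.8", 443),
    "host -> internet http": ("tcp", "172.20.5.10", "8.8.8.8", 80),
    "host -> internal web": ("tcp", "172.20.5.10", "172.20.1.20", 80),
    "exception host -> internet": ("tcp", "172.20.5.50", "8.8.8.8", 443),
    "host -> gateway address": ("icmp", "172.20.5.10", "10.30.2.1", None),
    "dhcp discover (no address yet)": ("udp", "0.0.0.0", "255.255.255.255", 67),
}


def report(acl_text):
    """Map each constructed packet to the action the ACL takes on it."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, *pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("port-80", PORT80_ACL), ("reversed", REVERSED_ACL),
                       ("internal-then-deny", INTERNAL_ACL)):
        print(label)
        entries = parse_acl(acl)
        for name, pkt in PACKETS.items():
            action, line = evaluate(entries, *pkt)
            print(f"  {name:32s} {action:6s} via: {line}")
```

Running it shows the port-80 ACL permitting HTTPS to the Internet while denying the internal web server (the asker's observation), the "reverse" ACL permitting Internet traffic through its last line because the source is inside 172.20.0.0/16, and the answer's ordering denying Internet traffic except from 172.20.5.50. The model also flags one caveat worth checking on the switch: a client's initial DHCP DISCOVER (0.0.0.0 to 255.255.255.255) falls to the deny at the end of the answer's ACL, so if this VLAN relies on an ip helper-address on the SVI, add a permit for UDP 67/68 above the deny. Apply the list under interface Vlan905 with ip access-group No_Internet_VLAN905 in, and confirm which entries are actually matching with show ip access-lists, which prints hit counts per entry.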