Cisco 3560 ACL

I have not used ACLs much, so not sure the way to do this without a lot of playing.  I have a 3560, with a VLAN 905.  I'd like to make it so that all inbound traffic from my default gateway is blocked.

I basically want to block all Internet access on this VLAN.  I know this is pretty simple, but don't know the exact commands.

Thanks.

RailroadAsked:
SouljaCommented:
What you posted is not what I stated above:

ip access-list extended No_Internet_VLAN905
permit ip host 172.20.5.50 any
permit ip any 172.20.0.0 0.0.255.255
deny ip any host 10.30.2.1


interface vlan 905
ip access-group No_Internet_VLAN905 in


SouljaCommented:
Is the vlan 905 interface on the 3560 switch? If so, just apply

ip access-list extended internet
 deny tcp any any eq 80
 permit ip any any

interface vlan 905
 ip access-group internet in
RailroadAuthor Commented:
Yes there is a vlan 905 interface on the 3560.

This doesn't block all internet traffic, only that on port 80.  It also blocks access to internal websites.  Also realized there is one computer on that VLAN that I need to allow internet access.  I've set up a reservation in DHCP to assign it to 172.20.5.50.

I tried this:

ip access-list extended No_Internet_VLAN905
 permit ip any host 172.20.5.50
 deny   ip host 172.20.0.1 any
 permit ip any any

ip access-group No_Internet_VLAN905 in

However this still didn't block access.  I also tried:

ip access-list extended No_Internet_VLAN905
 permit ip 172.20.0.0 0.0.255.255 any
 permit ip any host 172.20.5.50

This didn't work either.  Ideas?
SouljaCommented:
Okay, so you want to allow access to internal networks for everyone, and internet access only for that one host?

ip access-list extended No_Internet_VLAN905
permit ip any x.x.x.x 255.x.x.x  (this line is for your internal networks. if more than one network you can add multiple lines.)
permit ip host 172.20.5.50 any
deny ip any any

RailroadAuthor Commented:
ip access-list extended No_Internet_VLAN905
 permit ip any host 172.20.5.50
 permit ip host 172.20.5.50 any
 deny   ip any host 10.30.2.1
 deny   ip host 10.30.2.1 any
 permit ip any 172.20.0.0 0.0.255.255
 permit ip 172.20.0.0 0.0.255.255 any

This doesn't work.  10.30.2.1 is the 3560's default gateway.  Ideas?
RailroadAuthor Commented:
Ok so other than order and the fact that I have the "reverse" commands, mine is the same.  Why does yours work and not mine?
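The difference between the two ACLs comes down to first-match order and the implicit deny at the end of every IOS ACL. The following is an added example, not code from the thread: a small first-match simulator for extended "permit/deny ip SRC DST" entries, run over the asker's ACL and the accepted one. It assumes both ACLs are applied inbound on interface vlan 905, so the packets evaluated are the ones sent by VLAN 905 hosts; the host 172.20.5.60 and destination 203.0.113.10 are constructed sample values.

```python
import ipaddress

def _matches(addr, spec):
    # spec is 'any', 'host A.B.C.D' or 'NET WILDCARD' (IOS wildcard: 1-bits = don't care)
    if spec == "any":
        return True
    first, second = spec.split()
    if first == "host":
        return addr == ipaddress.ip_address(second)
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(second))
    return (int(addr) & care) == (int(ipaddress.ip_address(first)) & care)

def parse_acl(text):
    # Return [(action, src_spec, dst_spec)] in the order the entries appear.
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] not in (["permit"], ["deny"]) or tokens[1:2] != ["ip"]:
            continue  # skip the 'ip access-list extended ...' header
        specs, rest = [], tokens[2:]
        for _ in range(2):  # source spec, then destination spec
            width = 1 if rest[0] == "any" else 2
            specs.append(" ".join(rest[:width]))
            rest = rest[width:]
        entries.append((tokens[0], specs[0], specs[1]))
    return entries

def decide(acl_text, src, dst):
    # First matching entry wins; nothing matching falls to the implicit 'deny ip any any'.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in parse_acl(acl_text):
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return "deny"

# Both ACLs are copied from the thread and applied inbound on vlan 905 (packets from VLAN hosts).
ASKER_ACL = """ip access-list extended No_Internet_VLAN905
 permit ip any host 172.20.5.50
 permit ip host 172.20.5.50 any
 deny   ip any host 10.30.2.1
 deny   ip host 10.30.2.1 any
 permit ip any 172.20.0.0 0.0.255.255
 permit ip 172.20.0.0 0.0.255.255 any"""
ACCEPTED_ACL = """ip access-list extended No_Internet_VLAN905
 permit ip host 172.20.5.50 any
 permit ip any 172.20.0.0 0.0.255.255
 deny ip any host 10.30.2.1"""

# Constructed packet: an ordinary VLAN 905 host (172.20.5.60) bound for an Internet address.
for name, acl in (("asker", ASKER_ACL), ("accepted", ACCEPTED_ACL)):
    print(name, decide(acl, "172.20.5.60", "203.0.113.10"))  # asker permit, accepted deny
```

The asker's last entry, "permit ip 172.20.0.0 0.0.255.255 any", matches every packet a VLAN host sends, Internet-bound ones included, while the accepted ACL only permits the one host and internal destinations and lets everything else fall to the implicit deny.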
SouljaCommented:
Did it work for you?
SouljaCommented:
On another note: order is everything when it comes to ACLs.
RailroadAuthor Commented:
Yes, it's working.
SouljaCommented:
Great!