https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417199#M567821 <P>On a router, you typically apply ACLs on the L3-interface, that is the interface where your IP-address is configured:</P> <PRE>interface gig0/0.2 ip access-group 100 in </PRE> <P>And if your intention is to allow DNS, you should also add UDP/53.</P> Sat, 12 Jun 2021 09:26:15 GMT Karsten Iwen 2021-06-12T09:26:15Z https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417197#M567820 <P>Hello,</P><P>&nbsp;</P><P>Here's a simple topology:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sans titre.png" style="width: 386px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/122651i0FEFAC9371905874/image-size/medium?v=v2&amp;px=400" role="button" title="Sans titre.png" alt="Sans titre.png" /></span></P><P>&nbsp;</P><P>For the VLAN2, I'd like to allow only internet traffic.</P><P>&nbsp;</P><P>Here's the ACL:</P><P>access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq 80</P><P>access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq 443</P><P>access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq 53</P><P>&nbsp;</P><P>But I'm not sur how to apply it only to the subinterface and if I missed others elements.</P><P>&nbsp;</P><P>Thanks!</P> Sat, 12 Jun 2021 09:18:10 GMT https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417197#M567820 punasup 2021-06-12T09:18:10Z https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417199#M567821 <P>On a router, you typically apply ACLs on the L3-interface, that is the interface where your IP-address is configured:</P> <PRE>interface gig0/0.2 ip access-group 100 in </PRE> <P>And if your intention is to allow DNS, you should also add UDP/53.</P> Sat, 12 Jun 2021 09:26:15 GMT https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417199#M567821 Karsten Iwen 2021-06-12T09:26:15Z https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417207#M567822 <P>Thank you very much, I understand. Also, should I also apply this ACL on the gig0/1 for security (so only internet traffic is allow to 'enter')? You confirme me that there is an implicit deny all clause at the end of every ACL?</P> Sat, 12 Jun 2021 09:52:34 GMT https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417207#M567822 punasup 2021-06-12T09:52:34Z https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417218#M567823 <P>Putting an ACL on the internet-facing interface is best practice but slightly more difficult as you need to allow the return traffic. Or you configure a stateful firewall on the router. If you are on the beginning of your learning, that is probably for a later chapter.</P> <P>And yes, all the ACLs have an implicit "deny any".</P> Sat, 12 Jun 2021 10:32:41 GMT https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417218#M567823 Karsten Iwen 2021-06-12T10:32:41Z https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417220#M567824 <P>Thank you. If you have any online resources on this subject I'm interested.</P> Sat, 12 Jun 2021 10:31:46 GMT https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417220#M567824 punasup 2021-06-12T10:31:46Z https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417222#M567825 <P>I would buy a CCNA study guide and go through that. That are the basics that any Cisco technician needs to have.</P> Sat, 12 Jun 2021 10:36:32 GMT https://community.cisco.com/t5/network-access-control/acl-to-allow-only-internet-traffic-on-a-subinterface/m-p/4417222#M567825 Karsten Iwen 2021-06-12T10:36:32Z