punasup
Beginner

ACL to allow only internet traffic on a subinterface

Hello,

Here's a simple topology:

[Image: Sans titre.png]

For VLAN2, I'd like to allow only internet traffic.

Here's the ACL:

access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq 443
access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq 53

But I'm not sure how to apply it only to the subinterface, or whether I missed other elements.

Thanks!

Accepted Solution
Karsten Iwen
VIP Mentor

On a router, you typically apply ACLs on the L3 interface, that is the interface where your IP address is configured:

interface gig0/0.2
  ip access-group 100 in

And if your intention is to allow DNS, you should also add UDP/53.


5 Replies

Thank you very much, I understand. Should I also apply this ACL on the gig0/1 for security (so only internet traffic is allowed to 'enter')? Can you confirm that there is an implicit deny all clause at the end of every ACL?

Putting an ACL on the internet-facing interface is best practice but slightly more difficult, as you need to allow the return traffic. Or you configure a stateful firewall on the router. If you are at the beginning of your learning, that is probably for a later chapter.

And yes, all the ACLs have an implicit "deny any".
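Putting the two answers together, here is a complete IOS configuration as an added example (not posted by anyone in the thread). It assumes the VLAN2 subinterface is gig0/0.2 with 192.168.2.1/24 and dot1Q tag 2, that gig0/1 faces the internet, and that 192.168.1.0/24 is a second internal VLAN on the same router; none of these values appear in the thread except the interface names and the 192.168.2.0/24 subnet.

```cisco
! ACL 100: VLAN2 may only reach HTTP, HTTPS and DNS (TCP and UDP).
! Assumed: 192.168.1.0/24 is another internal VLAN (not in the thread).
! Without the deny, "allow only internet" would still let VLAN2 reach
! internal web/DNS servers on the permitted ports.
access-list 100 remark VLAN2 to Internet only
access-list 100 deny   ip  192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq 443
access-list 100 permit udp 192.168.2.0 0.0.0.255 any eq 53
access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq 53
! Implicit "deny ip any any" follows: everything else from VLAN2 is dropped.
!
! Apply inbound on the VLAN2 subinterface, i.e. the L3 interface that
! carries the VLAN2 IP address (address and tag are assumed values).
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
!
! Optional ACL on the internet-facing interface. A plain ACL is stateless,
! so reply packets must be permitted explicitly: "established" matches TCP
! segments with ACK or RST set (replies to sessions opened from inside).
! UDP has no "established", so DNS replies need their own line.
! Note: with NAT on gig0/1 an inbound ACL sees the pre-translation
! (public) destination address, which is why "any" is used here.
access-list 101 remark Internet to inside: replies only
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any gt 1023
! Implicit deny: unsolicited inbound connections are dropped.
interface GigabitEthernet0/1
 ip access-group 101 in
```

`show access-lists 100` shows per-line match counters, which is the quickest way to confirm that VLAN2 DNS traffic is now hitting the UDP/53 line instead of the implicit deny.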

Thank you. If you have any online resources on this subject I'm interested.

I would buy a CCNA study guide and go through that. Those are the basics that any Cisco technician needs to have.
