12-28-2014 05:27 AM - edited 02-21-2020 05:21 AM
Hello there,
I'm adding ACLs to lock down the LAN environment and my core is a 4510+R. I want to block ports 80, 443 and 8080 from coming INTO the network. My security guy tells me users use ports 80, 443 and 8080 to get out and web services use other ports to come back in. I want to use an extended access-list the likes of:
ip access-list extended NO_HTTP
deny tcp any any eq 80
deny tcp any any eq 443
deny tcp any any eq 8080
permit ip any any
My confusion is: which direction on my SVI do I apply this ACL if I want users to be able to access web sites but block inbound traffic on 80, 443 and 8080? All information I've been able to read says to apply extended ACLs as close to the source as possible. With an SVI, that seems like a grey area?
Any kind of clarification on this would be most helpful and appreciated.
Thanks very much in advance,
Kiley
12-28-2014 04:11 PM
I think from the perspective of the SVI you have to apply the access list OUT. OUT means that the traffic will be processed by the access list after it gets routed, or when exiting the interface; in other words, packets originating from the outside GOING OUT to your LAN.
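Added example, not from the thread: a small Python model of first-match ACL evaluation on an SVI in each direction, using the NO_HTTP list from the question. The VLAN subnet, hosts and ports are constructed, and the in/out semantics follow the answer above (OUT sees routed packets leaving the SVI toward the VLAN). It shows that applying the list IN would block the users' own requests, while OUT blocks unsolicited connections to 80/443/8080 yet passes the return traffic, whose destination port is the client's ephemeral port.

```python
# Added example (not from the original thread): a stateless model of how a
# Cisco extended ACL is evaluated on an SVI in the "in" and "out" direction.
# The VLAN subnet, hosts and ports below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

# Mirrors the NO_HTTP list from the question as (action, protocol, dst port);
# the final entry is "permit ip any any".
NO_HTTP = [
    ("deny", "tcp", 80),
    ("deny", "tcp", 443),
    ("deny", "tcp", 8080),
    ("permit", "ip", None),
]

LAN_PREFIX = "10.10.10."  # constructed: the user VLAN routed by the SVI

def acl_action(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, proto, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"

def svi_filter(acl, direction, pkt):
    """'in' sees packets entering the SVI from hosts on the VLAN;
    'out' sees routed packets leaving the SVI toward the VLAN."""
    if direction == "in" and not pkt.src.startswith(LAN_PREFIX):
        return "not evaluated"
    if direction == "out" and not pkt.dst.startswith(LAN_PREFIX):
        return "not evaluated"
    return acl_action(acl, pkt)

# Constructed traffic: a user's HTTPS request, the server's reply to it, and
# an unsolicited connection from outside to port 443 on the user's host.
user_request = Packet("10.10.10.25", "203.0.113.7", 51500, 443)
server_reply = Packet("203.0.113.7", "10.10.10.25", 443, 51500)
unsolicited = Packet("203.0.113.7", "10.10.10.25", 40000, 443)
```

The reply passes only because the ACL is stateless and matches the destination port; for the same reason the final entry permits any inbound connection to a port other than 80, 443 and 8080.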