
Which direction should ACL be applied

Kiley Arena
Level 1

Hello there,

I'm adding ACLs to lock down the LAN environment, and my core is a 4510+R. I want to block ports 80, 443 and 8080 from coming INTO the network. My security guy tells me users use ports 80, 443 and 8080 to get out, and web services use other ports to come back in. I want to use an extended access list along the lines of:

ip access-list extended NO_HTTP

deny tcp any any eq 80
deny tcp any any eq 443
deny tcp any any eq 8080
permit ip any any

My confusion is: which direction on my SVI do I apply this ACL if I want users to be able to access web sites but block inbound traffic on 80, 443 and 8080? All the information I've been able to read says to apply extended ACLs as close to the source as possible. With an SVI, that seems like a grey area?

Any kind of clarification on this would be most helpful and appreciated.

Thanks very much in advance,

Kiley

Accepted Solution

rvasquezmc
Level 1

I think from the perspective of the SVI you have to apply the access list OUT. OUT means that the traffic will be processed by the access list after it gets routed, i.e. when exiting the interface; in other words, packets originating from the outside GOING OUT to your LAN.


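As an added illustration of the direction question (this is not code from the thread, from Cisco, or from any IOS feature; it is a small Python model written for this page), the script below evaluates the NO_HTTP list from the post against four constructed flows crossing an SVI, once with the list applied "in" and once "out". The LAN prefix 10.1.10.0/24, the host addresses and the port numbers are made-up sample values. It shows why "out" is the direction that blocks outside hosts from reaching LAN web ports while still letting users' own requests and their return traffic through, and why "in" would instead block the users' requests. A packet crosses an SVI exactly once, so it is checked against at most one of the two possible ACLs.

```python
"""Stateless ACL evaluation on an SVI, modelling the NO_HTTP list from the post.

Added example, not from the original thread. The LAN prefix, host addresses
and port numbers used in simulate() are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One line of an IOS extended ACL; dst_port models 'eq <port>' on the destination."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any IP protocol
    dst_port: Optional[int] = None  # None means any destination port


# The access list exactly as written in the post:
#   deny tcp any any eq 80 / 443 / 8080, then permit ip any any.
NO_HTTP: List[Ace] = [
    Ace("deny", "tcp", 80),
    Ace("deny", "tcp", 443),
    Ace("deny", "tcp", 8080),
    Ace("permit", "ip"),
]


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation, ending in the implicit deny IOS appends to every ACL."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action
    return "deny"


def svi_direction(pkt: Packet, lan: ipaddress.IPv4Network) -> str:
    """Direction in which the SVI sees a packet: 'in' when it arrives from a host
    on the VLAN, 'out' when it is routed toward one. Each transit packet crosses
    the SVI once, so it meets at most one of the two ACLs."""
    if ipaddress.ip_address(pkt.src_ip) in lan:
        return "in"
    if ipaddress.ip_address(pkt.dst_ip) in lan:
        return "out"
    raise ValueError("packet does not transit this SVI")


def filter_on_svi(acl: List[Ace], applied: str, pkt: Packet,
                  lan: ipaddress.IPv4Network) -> str:
    """Result for a packet when `acl` is applied on the SVI in direction `applied`."""
    if svi_direction(pkt, lan) == applied:
        return evaluate(acl, pkt)
    return "permit"  # the other direction carries no ACL in this model


def simulate(applied: str) -> Dict[str, str]:
    """Outcome of four constructed flows for the hypothetical LAN 10.1.10.0/24."""
    lan = ipaddress.ip_network("10.1.10.0/24")
    user, website, outsider = "10.1.10.25", "203.0.113.10", "198.51.100.7"
    flows = {
        # user browsing out: SYN to the web site, then the SYN/ACK coming back
        "user_to_web":  Packet("tcp", user, 51000, website, 443),
        "web_to_user":  Packet("tcp", website, 443, user, 51000),
        # outside host opening a connection to a LAN web port (what the post wants blocked)
        "inbound_http": Packet("tcp", outsider, 40000, user, 80),
        # outside host opening something else: NO_HTTP says nothing about it
        "inbound_ssh":  Packet("tcp", outsider, 40001, user, 22),
    }
    return {name: filter_on_svi(NO_HTTP, applied, p, lan) for name, p in flows.items()}


if __name__ == "__main__":
    for direction in ("in", "out"):
        print(direction, simulate(direction))
```

Applied "out", the list denies only the outside host's connection to port 80 and permits everything else; applied "in", it denies the user's own request to port 443 and lets the inbound connection through, which is the opposite of what the post asks for. Two caveats the model makes visible: the list is stateless, so return traffic passes only because its destination port is the client's ephemeral port, and anything to a port other than 80, 443 or 8080 (the constructed SSH flow) is not touched by this list at all.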
