11-08-2018 05:51 PM
I have Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(2)E3, RELEASE SOFTWARE (fc3),
and I created an access-list to prevent my network from accessing 4 other networks; the 4 networks I cannot access the SWs.
When I tried to configure the access-group on my interface, there was no "out" option, only the "in" option:
X-LAB(config)#int gig 1/0/47
X-LAB(config-if)#ip acc
X-LAB(config-if)#ip access-group 101 ?
in inbound packets
Is there any option I can activate to get the outbound option on the interface?
11-08-2018 11:53 PM - edited 11-09-2018 12:00 AM
Switchports (as they are L2) only support inbound access-lists, which is why you can't configure outbound.
If you can share the configuration and design of your network a little more, it would be easier to advise where it is most optimal to put your access-list. But from what you have shared, applying inbound to this interface would give you your desired results, i.e. no communication to 'other' networks.
edit: "Extended Access Control List (ACL) can filter the traffic based on many factors like source IP address, destination IP address, Protocol, TCP or UDP port numbers etc.
Since an Extended Access Control List (ACL) can filter the IP datagram packet based on the destination IP address, it must be placed on the router which is near to the source network/host. If we place the Extended Access Control List (ACL) near to destination, the unwanted traffic may consume the bandwidth till destination, and the unwanted traffic will get filtered finally near destination." http://www.omnisecu.com/cisco-certified-network-associate-ccna/where-should-an-extended-access-control-list-acl-be-placed.php
Reasoning for why we apply on the 'inbound' as soon as we can.
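The inbound placement described in the answer above, sketched as an added example (not configuration posted by either participant). The thread does not give the actual subnets, so every address below is a constructed placeholder: 10.10.47.0/24 stands for the hosts behind Gi1/0/47 and 10.20.1.0/24 through 10.20.4.0/24 stand for the four networks to block.

```cisco
! Constructed example: all addresses are placeholders, not from the thread.
! Source hosts (behind Gi1/0/47): 10.10.47.0/24
! Networks to block:             10.20.1.0/24 through 10.20.4.0/24
!
access-list 101 remark Block lab hosts from four restricted networks
access-list 101 deny   ip 10.10.47.0 0.0.0.255 10.20.1.0 0.0.0.255
access-list 101 deny   ip 10.10.47.0 0.0.0.255 10.20.2.0 0.0.0.255
access-list 101 deny   ip 10.10.47.0 0.0.0.255 10.20.3.0 0.0.0.255
access-list 101 deny   ip 10.10.47.0 0.0.0.255 10.20.4.0 0.0.0.255
! Every ACL ends with an implicit "deny ip any any". Without the next
! line the port would drop all other IP traffic from the hosts as well.
access-list 101 permit ip any any
!
! Port ACL on an L2 switchport: "in" is the only direction offered,
! so the filter matches on destination as traffic enters the switch.
interface GigabitEthernet1/0/47
 ip access-group 101 in
!
! Verify from privileged EXEC:
!   show access-lists 101
!   show running-config interface GigabitEthernet1/0/47
```

Because the list is evaluated top-down and stops at the first match, the four deny entries must stay above the final permit.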