06-10-2019 09:56 AM
I need to temporarily block two IP subnets at a remote site from reaching across the WAN, but they need to talk to each other in the meantime. These subnets exist on my 4451 at Gi0/0/1.70 (10.63.70.0/24) and Gi0/0/1.71 (10.63.71.0/24), and they need to be blocked from reaching out across Gi0/0/0 (WAN interface).
Could someone show me a simple ACL to apply and where to apply it?
Thanks.
06-10-2019 10:04 AM
Hello,
the below should be sufficient:
access-list 101 deny ip 10.63.70.0 0.0.0.255 any
access-list 101 deny ip 10.63.71.0 0.0.0.255 any
access-list 101 permit ip any any
!
interface GigabitEthernet0/0/0
ip access-group 101 in
06-10-2019 10:14 AM
06-10-2019 10:26 AM
Hello,
applying the access list inbound is recommended (traffic does not actually traverse the interface before it is processed).
Also, if you use NAT on your interfaces, you can simply exclude the subinterfaces from the NAT process (no ip nat inside)...
06-10-2019 10:08 AM
Hello Tim,
I would use two extended ACLs applied inbound on both subinterfaces:
access-list 170 permit ip 10.63.70.0 0.0.0.255 10.63.71.0 0.0.0.255
access-list 170 deny ip any any
access-list 171 permit ip 10.63.71.0 0.0.0.255 10.63.70.0 0.0.0.255
access-list 171 deny ip any any
interface gi0/0/1.70
ip access-group 170 in
exit
interface gi0/0/1.71
ip access-group 171 in
exit
This provides the most granular control on what the two subnets can do.
Hope to help
Giuseppe
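As an added example, not part of Giuseppe's post or of any Cisco tooling, the following Python models IOS wildcard-mask matching and first-match ACL evaluation, then checks the two inbound ACLs above against sample flows. The host addresses and the external destination 203.0.113.10 are constructed for the test.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry in IOS wildcard form (address + wildcard mask)."""
    action: str   # "permit" or "deny"
    src: str
    src_wc: str   # wildcard: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wc: str


def _wc_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the IOS wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; no match falls to the implicit deny."""
    for ace in acl:
        if _wc_match(src, ace.src, ace.src_wc) and _wc_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")

# access-list 170 / 171 exactly as written in the post above
ACL_170 = [Ace("permit", "10.63.70.0", "0.0.0.255", "10.63.71.0", "0.0.0.255"),
           Ace("deny", *ANY, *ANY)]
ACL_171 = [Ace("permit", "10.63.71.0", "0.0.0.255", "10.63.70.0", "0.0.0.255"),
           Ace("deny", *ANY, *ANY)]

# ip access-group ... in, per subinterface
INBOUND = {"Gi0/0/1.70": ACL_170, "Gi0/0/1.71": ACL_171}


def check_flow(ingress_if: str, src: str, dst: str) -> str:
    """Result for a packet entering ingress_if with the given src/dst (constructed hosts)."""
    return evaluate(INBOUND[ingress_if], src, dst)
```

Running `check_flow` over a few flows shows the intended split: hosts in .70 and .71 reach each other, while either subnet to any other destination (including the WAN) hits the deny.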