ACL to only allow Internet

I would like to set up an ACL that only allows Internet, DHCP and DNS, with no inter-VLAN routing. Would the following work?

This will be on a pair of 7Ks.

Thanks for your Help!


ip access-list Internet_Only

deny ip any

deny ip any

deny ip any

deny ip any

deny ip  any

deny ip   any

permit ip any    172.31.x.x (GateWay)

permit tcp any any eq www

permit tcp any any eq 443

permit UDP any  eq 67

permit UDP any  eq 68

permit UDP  any any eq domain

permit UDP  eq  domain any

permit TCP  any any eq domain

permit TCP  eq domain any

deny ip any any log


Hey Howard,

Whether it will have the desired results depends on where you're planning to apply this ACL and what your internal subnets and VLANs are.  It looks like your internal subnets are all the private address spaces, so just for example purposes let's say your network looks like this:

Vlan 10 -

vlan 20 -

vlan 30 -

ACLs are sequential: once a packet matches a line of the ACL it follows that action and does not check any other lines.  If you applied that ACL to, let's say, the switch's uplink port (firewall or Internet access port), the first 6 lines of the ACL block all traffic for the 3 subnets, so your DHCP and DNS traffic gets dropped too.  You want to make sure you put the more specific rules on top (before the "deny ip any").

For inter-VLAN routing, you have to use VLAN access-maps and filters. Those can be a little tricky, and they don't filter by port or protocol; they only filter by IP address. They are also not direction specific: you can't apply one "in" or "out" like you do on a port ACL. You just apply it, and if a packet matches the access map and is trying to enter or exit the VLAN, it is dropped.

I may need a little more info on where you're trying to control traffic and on your network layout to build both a PACL and a VACL, but I hope that gives you a little more insight on both topics.
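To see the ordering point in action, here is an added example (not code from the thread) that evaluates a constructed version of the posted ACL first-match against sample inbound packets; the RFC 1918 ranges standing in for the blanked-out subnets, the 10.10.10.0/24 VLAN and the external addresses are assumptions.

```python
import ipaddress

# Small first-match evaluator for Cisco-style IP ACL entries (added example).
# Entry = (action, protocol, src_net, src_port, dst_net, dst_port); "any"/None = wildcard.

def _net(s):
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, index) of the first matching entry; ("deny", None) is the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, asrc, asport, adst, adport) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if src_ip not in _net(asrc) or dst_ip not in _net(adst):
            continue
        if asport is not None and asport != sport:
            continue
        if adport is not None and adport != dport:
            continue
        return action, i          # first match wins, nothing below is consulted
    return "deny", None

# Constructed ACL in the order of the original post (RFC 1918 ranges assumed for the
# missing subnets), as if applied inbound on the Internet uplink.
POSTED = [
    ("deny",   "ip",  "any", None, "10.0.0.0/8",     None),
    ("deny",   "ip",  "any", None, "172.16.0.0/12",  None),
    ("deny",   "ip",  "any", None, "192.168.0.0/16", None),
    ("permit", "tcp", "any", 443,  "any", None),   # HTTPS return traffic
    ("permit", "udp", "any", 53,   "any", None),   # DNS replies
    ("deny",   "ip",  "any", None, "any", None),   # explicit final deny
]

# Same entries with the specific permits moved above the broad denies, as the reply recommends.
REORDERED = POSTED[3:5] + POSTED[0:3] + POSTED[5:]

# Constructed sample packets arriving from the Internet side: (proto, src, sport, dst, dport).
DNS_REPLY   = ("udp", "203.0.113.53", 53,    "10.10.10.25", 40000)
HTTPS_DATA  = ("tcp", "198.51.100.7", 443,   "10.10.10.25", 51000)
SSH_ATTEMPT = ("tcp", "198.51.100.7", 40001, "10.10.10.25", 22)

def decisions(acl):
    pkts = {"dns": DNS_REPLY, "https": HTTPS_DATA, "ssh": SSH_ATTEMPT}
    return {name: evaluate(acl, *pkt)[0] for name, pkt in pkts.items()}

if __name__ == "__main__":
    print("posted:   ", decisions(POSTED))     # all denied by the first RFC 1918 line
    print("reordered:", decisions(REORDERED))  # dns/https permitted, ssh still denied
```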




The unwanted IP address space is much larger than the RFC 1918 addresses you have included in your ACL. If you are really fastidious about not letting in undesirable traffic, consult such sites as The Bogon Reference - Team Cymru for lists of bogons to be denied.  (It is of course not the only site, but it is the easiest for me to remember.)

Also the easiest way to prevent inter-VLAN routing might be to put each VLAN in its own VRF and leak the global route to the global routing table.  Then you have independent control over what each VLAN is able to access.