ACL on Interface VLAN

ChrisHendry2416
Level 1


Hello,

I was tasked with setting up a subnet on VLAN 250 (172.29.1.0/24) that allowed any users on it access to the internet but not private IPs, so ACL below:

IPV4 ACL OPEN_INTERNET
10 deny ip 172.29.1.0/24 10.0.0.0/8
20 deny ip 172.29.1.0/24 172.16.0.0/12
30 deny ip 172.29.1.0/24 192.168.0.0/16
40 permit ip any any

This has been applied to a single interface vlan 250


interface Vlan250
description INTERNET ONLY WIFI
no shutdown
ip access-group OPEN_INTERNET out
ip address 172.29.1.1/24


However, in testing I am still able to get to private IPs on this subnet. This is on a Nexus 5K connected to a stack of 2960's.

Do I need to apply this to a physical interface for it to work properly?

Accepted Solution

Joseph W. Doherty
Hall of Fame

Try using that ACL "in".


5 Replies


Hello,

Thank you, that seems to have done the trick for stopping access to internal resources, however, now I am unable to get a consistent connection. My phone says no internet on this Wi-Fi but can still ping 8.8.8.8. Do I need to specify an "OUT" ACL on this interface to allow traffic from outside to this network as well?

I've grown used to our firewall which has stateful connections that I forget if it is required to specify in and out on these?

"I've grown used to our firewall which has stateful connections that I forget if it is required to specify in and out on these?"

On an SVI, "in" is from the VLAN's hosts. "Out" is to the VLAN's hosts.

"Do I need to specify an "OUT" ACL on this interface to allow traffic from outside to this network as well?"

You could. Using just a single-direction ACL blocks two-way communication, but not one-way communication. (However, in this case, since you are allowing communication to the Internet, and likely that's also via NAT/PAT and a FW, "unrequested" data from the Internet would likely have much difficulty reaching that VLAN.)
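The direction semantics described in this reply, as an added example that is not part of the original thread or of any Cisco software: a small Python simulator that evaluates the OPEN_INTERNET ACL from the first post against sample packets with the ACL bound "in" versus "out" on the VLAN 250 SVI. It assumes the simplified model stated in the reply (an "in" ACL on an SVI only sees packets sourced by the VLAN's hosts; an "out" ACL only sees packets the switch sends toward those hosts) and uses constructed sample addresses (172.29.1.50, 10.1.1.5, 8.8.8.8). It also checks the 172.16.1.0/12 entry from the original post, which has host bits set; the RFC 1918 block is 172.16.0.0/12.

```python
"""Added example (not from the thread): simulate how an IPv4 ACL bound to an
SVI is evaluated in each direction, using the thread's OPEN_INTERNET ACL.

Model assumed here, matching the accepted answer: on an SVI, "in" sees packets
sourced by the VLAN's hosts as they enter the switch; "out" sees packets the
switch sends toward the VLAN's hosts. Nothing else is inspected by that ACL.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: sequence, permit/deny, source and destination."""
    seq: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def net(prefix: str) -> ipaddress.IPv4Network:
    """strict=True rejects a prefix with host bits set, e.g. 172.16.1.0/12 as
    written in the original post; the RFC 1918 block is 172.16.0.0/12."""
    return ipaddress.ip_network(prefix, strict=True)


def is_canonical(prefix: str) -> bool:
    """True if the prefix is a proper network address (no host bits set)."""
    try:
        net(prefix)
        return True
    except ValueError:
        return False


ANY = net("0.0.0.0/0")
VLAN250 = net("172.29.1.0/24")

# The thread's ACL, with the 172.16/12 entry written as a network address.
OPEN_INTERNET = [
    Ace(10, "deny", VLAN250, net("10.0.0.0/8")),
    Ace(20, "deny", VLAN250, net("172.16.0.0/12")),
    Ace(30, "deny", VLAN250, net("192.168.0.0/16")),
    Ace(40, "permit", ANY, ANY),
]


def evaluate(acl, src_ip: str, dst_ip: str):
    """First-match evaluation. Returns (action, seq); the implicit deny at the
    end of every ACL is reported as ("deny", None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action, ace.seq
    return "deny", None


def svi_check(acl, direction: str, src_ip: str, dst_ip: str) -> str:
    """Verdict for one packet crossing the VLAN 250 SVI with `acl` bound in
    `direction` ("in" or "out"). A packet the ACL never sees is permitted."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    entering = s in VLAN250   # host -> switch: what an "in" ACL inspects
    leaving = d in VLAN250    # switch -> host: what an "out" ACL inspects
    if (direction == "in" and entering) or (direction == "out" and leaving):
        return evaluate(acl, src_ip, dst_ip)[0]
    return "permit"


def two_way(acl, direction: str, a: str, b: str) -> bool:
    """True only if both a->b and the reply b->a get through the bound ACL.
    Shows why a single-direction ACL still breaks a two-way session."""
    return (svi_check(acl, direction, a, b) == "permit"
            and svi_check(acl, direction, b, a) == "permit")


if __name__ == "__main__":
    host, internal, dns = "172.29.1.50", "10.1.1.5", "8.8.8.8"  # constructed samples
    # "out": the host's own packet toward 10/8 is never inspected (dst not in VLAN 250)
    print("out, host->internal:", svi_check(OPEN_INTERNET, "out", host, internal))
    # "in": the same packet is inspected and hits seq 10
    print("in,  host->internal:", svi_check(OPEN_INTERNET, "in", host, internal))
    print("in,  host->8.8.8.8 :", svi_check(OPEN_INTERNET, "in", host, dns))
    print("in,  8.8.8.8->host :", svi_check(OPEN_INTERNET, "in", dns, host))
    print("internal<->host session with 'in':", two_way(OPEN_INTERNET, "in", internal, host))
    print("172.16.1.0/12 canonical?", is_canonical("172.16.1.0/12"))
```

With the ACL bound "out", the host's own packets to 10.0.0.0/8 have a destination outside VLAN 250, so the ACL never examines them and they pass; bound "in", the same packet hits sequence 10. An internal host can still send a first packet to the VLAN with "in" bound, but the VLAN host's reply is denied, which is the "blocks two-way but not one-way" point above.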

Check these:

1- make direction IN not OUT

2- check that the TCAM has room for this ACL

ChrisHendry2416
Level 1

I made a stupid mistake there at the end, our DNS was set internally so of course we couldn't find anything.
