ACL on IOS Switch

Kingsleyizuka
Level 1
Hi Everyone,
 
I've a Cisco Switch running IOS 12.4 but it seems impossible to configure an ACL to restrict access to a particular IP outside the network i.e. on the internet.
 
When I used "deny ip" or "deny tcp" and applied the ACL group "IN" on the interface, it restricted access to all IP or TCP requests on that interface respectively. "IN" is the only option available in the IOS.
 
For example, to block access to x.x.x.x (IP address):
access-list 190 deny ip any x.x.x.x 0.0.0.0
access-list 190 permit ip any any
 
OR
 
access-list 190 deny tcp any x.x.x.x 0.0.0.0
access-list 190 permit ip any any
 
and applied on the switch interface which connected the router to the switch
ip access-group 190 in (because ONLY the "IN" option is available)
 
Also, why does the IOS have only the IN option for applying the ACL?
 
Thanks.
 
Tell me, I’ll forget; Show me, I’ll remember; Involve me, I’ll understand
~ Chinese Proverb
 
Accepted Solution

ADP_89
Level 1

Hello,

 

If my understanding is correct, you applied this ACL to the switch interface where the router is connected, on the inbound side. If the IP x.x.x.x resides behind the router, the traffic "ip any x.x.x.x 0.0.0.0" will never hit that rule, as the ACL will be inspected across traffic from the internet to your servers. If you want to deny that traffic you should use the rule "ip x.x.x.x 0.0.0.0 any". Note: this will block returning traffic from the host, but traffic from your internal clients will still be able to reach that external resource.

If you need to block any type of traffic to that host put the ACL on the router.

 

Regarding the in/out option, it depends on the switch hardware architecture. Not all switches have TCAM that can support both sides.

 

HTH,

ADP

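To make the direction point in the accepted answer concrete, here is a small, added model of IOS extended-ACL evaluation (constructed for this thread, not code from the poster or from Cisco). It assumes the router-facing port is named Gi0/1, uses 203.0.113.10 as a stand-in for x.x.x.x and 192.168.1.20 as a constructed internal client, and shows that the original "deny ip any x.x.x.x 0.0.0.0" never matches on that inbound ACL while the reversed rule only blocks the return traffic.

```python
import ipaddress

# Added, constructed example (not code from the thread or from Cisco): a model
# of how an IOS extended ACL evaluates packets, applied inbound on the switch
# port that faces the router, as in the original question.

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 1 bits are 'don't care'; 0.0.0.0 means exact host."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _take(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N {permit|deny} {ip|tcp|udp} SRC DST' (no ports)."""
    t = line.split()
    src, rest = _take(t[4:])
    dst, _ = _take(rest)
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst}

def acl_decision(acl_lines, src, dst, proto):
    """First matching entry wins; IOS appends an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] in ("ip", proto) and wildcard_match(src, *ace["src"]) \
                and wildcard_match(dst, *ace["dst"]):
            return ace["action"]
    return "deny"

def switch_forwards(acl_lines, ingress_port, src, dst, proto="tcp"):
    """ACL is applied inbound on the router-facing port (assumed 'Gi0/1').
    Packets entering on any other port are never evaluated by it."""
    if ingress_port != "Gi0/1":
        return True
    return acl_decision(acl_lines, src, dst, proto) == "permit"

INTERNET_HOST = "203.0.113.10"  # placeholder for x.x.x.x (documentation range)
CLIENT = "192.168.1.20"         # constructed internal client
OP_ACL = ["access-list 190 deny ip any 203.0.113.10 0.0.0.0",
          "access-list 190 permit ip any any"]
REVERSED_ACL = ["access-list 190 deny ip 203.0.113.10 0.0.0.0 any",
                "access-list 190 permit ip any any"]
```

With OP_ACL, a client packet to the Internet host enters on the client's port and is never checked, and the host's reply on Gi0/1 is permitted because its destination is the client, not x.x.x.x; with REVERSED_ACL only that reply is dropped, which is why the answer recommends filtering on the router instead.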

2 Replies


Thanks for the response.

 

The x.x.x.x is an address on the Internet and the ACL was supposed to filter inbound traffic. Although the reverse seems to work, the essence of "OUT" is to filter that rule, but applying rules as "IN" is better.

 

Once again thanks.

 
