1217 Views, 0 Helpful, 14 Replies

Where should the ACL be applied?

2 Accepted Solutions

14 Replies

Francesco Molino
VIP Alumni

Hi

 

You want to deny every subnet from reaching your host 10.104.101.60 except the 5 IPs you gave.

Let's assume your host 10.104.101.60 belongs to vlan 101.

I would suggest creating an ACL and attaching it to SVI 101:

ip access-list extended DENY
 permit ip host 10.104.101.60 host 10.51.165.180
 permit ip host 10.104.101.60 host 10.51.165.181
 permit ip host 10.104.101.60 host 10.51.165.182
 permit ip host 10.104.101.60 host 10.51.165.183
 permit ip host 10.104.101.60 host 10.51.165.184
 deny   ip host 10.104.101.60 any
!
int vlan 101
 ip access-group DENY in

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello,

Where is 10.104.101.60? Is that part of a VLAN as well? If so, apply the access list outbound on the interface 10.104.101.60 is connected to...

10.104.101.60 is not part of a VLAN in my LAN; it is in a different country.

Ok then apply the ACL on the interface that routes traffic outside of your network.

Is it a L2L VPN?

Thanks
Francesco

It is not a VPN; it goes to another ISP router via an MPLS line.
Should I apply the ACL on the SVI that directly connects to the ISP router?

Is the ACL below still valid when applied to this SVI?

 

ip access-list extended DENY
permit ip host 10.51.165.180 host 10.104.101.60
permit ip host 10.51.165.181 host 10.104.101.60
permit ip host 10.51.165.182 host 10.104.101.60
permit ip host 10.51.165.183 host 10.104.101.60
permit ip host 10.51.165.184 host 10.104.101.60
deny ip 10.51.165.0 0.0.0.255 any ********** i'm not to sure of this, will it work, then next is permit all
permit ip any any

I think your configuration should be on the port (could be connected to the ISP router) which is used for traffic going out to your ISP:

 

interface GOINGOUT0/1
ip access-group DENY out


ip access-list extended DENY
permit ip host 10.51.165.180 host 10.104.101.60
permit ip host 10.51.165.181 host 10.104.101.60
permit ip host 10.51.165.182 host 10.104.101.60
permit ip host 10.51.165.183 host 10.104.101.60
permit ip host 10.51.165.184 host 10.104.101.60
deny ip any host 10.104.101.60
permit ip any any

Hi

I added this line deny ip 10.51.165.0 0.0.0.255 any ********** because you wanted to deny other hosts from this subnet to access the network 10.104.101.0/24.

Indeed, after reading your first post you want to deny any subnets to access host 10.104.101.60.
Then the new line instead of that one will be:
deny ip any host 10.104.101.60

Thanks
Francesco

Hello

Possibly create two acls and apply them accordingly.

 

vlan 1650

ip access-list extended TEST1
permit ip host 10.104.101.60 host 10.51.165.180
permit ip host 10.104.101.60 host 10.51.165.181
permit ip host 10.104.101.60 host 10.51.165.182
permit ip host 10.104.101.60 host 10.51.165.183
permit ip host 10.104.101.60 host 10.51.165.184
deny ip 10.51.165.0 0.0.0.255 any
permit ip any any

int vlan 1650
ip access-group TEST1 OUT

other vlans
ip access-list extended TEST2
deny ip 10.51.165.0 0.0.0.255 any
permit ip any any

int vlan xx
ip access-group TEST2 OUT

 

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,
I have more than 10 VLANs; I don't want to add an ACL on every VLAN interface.

Hello

Just realized: is this host external to your LAN?

 

If so you could apply an acl on the wan interface to negate  access by this host.

 

ip access-list extended TEST
permit ip host 10.104.101.60 host 10.51.165.180
permit ip host 10.104.101.60 host 10.51.165.181
permit ip host 10.104.101.60 host 10.51.165.182
permit ip host 10.104.101.60 host 10.51.165.183
permit ip host 10.104.101.60 host 10.51.165.184
deny ip host 10.104.101.60 any
permit ip any any

int xxx
description WAN
ip access-group TEST IN


 

res
Paul



 

If you take the ACL I gave you, it will be applied with IN on the SVI of your server host.

The ACL should be adapted based on whether you apply it IN or OUT.

 

OUT --> Traffic TO the vlan 

IN --> Traffic going away FROM the vlan


Thanks
Francesco

Hello
I guess that would be correct for RACL applied to SVIs but not for routed interfaces

Res
Paul


Hello

IN - ingress - inwards from outside network

OUT - egress - outwards from inside network

Think of a door to a room, with you standing there allowing people in or out:

IN = allow them in
OUT = allow them out

Res
Paul


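Added example, not code from this thread or from any of the posters: a small Python model of IOS extended ACL evaluation, used to check two points made above. First, Francesco's correction of the draft ACL: the line "deny ip 10.51.165.0 0.0.0.255 any" blocks the whole 10.51.165.0/24 from everything while leaving other subnets free to reach the server, whereas "deny ip any host 10.104.101.60" blocks every other source from that one host only. Second, the IN/OUT direction rule from Francesco's and Paul's replies: an ACL only inspects packets travelling in its configured direction, so the accepted ACL applied "in" on the ISP-facing port never sees the outbound traffic it is meant to filter. The ACL texts are copied from the thread; the remote-site prefix 10.104.101.0/24, the sample hosts 10.51.165.200 and 10.51.166.5, and the helper names are assumptions made for this example. The model treats wildcard masks as contiguous and supports only "ip" entries, which is all the thread uses.

```python
import ipaddress

# Constructed copy of the ACL from the accepted answer (applied "out" on the ISP-facing port).
ACCEPTED_ACL = """
ip access-list extended DENY
permit ip host 10.51.165.180 host 10.104.101.60
permit ip host 10.51.165.181 host 10.104.101.60
permit ip host 10.51.165.182 host 10.104.101.60
permit ip host 10.51.165.183 host 10.104.101.60
permit ip host 10.51.165.184 host 10.104.101.60
deny ip any host 10.104.101.60
permit ip any any
"""

# Constructed copy of the original poster's draft, with the subnet-wide deny line
# that Francesco replaced by "deny ip any host 10.104.101.60".
DRAFT_ACL = """
ip access-list extended DENY
permit ip host 10.51.165.180 host 10.104.101.60
permit ip host 10.51.165.181 host 10.104.101.60
permit ip host 10.51.165.182 host 10.104.101.60
permit ip host 10.51.165.183 host 10.104.101.60
permit ip host 10.51.165.184 host 10.104.101.60
deny ip 10.51.165.0 0.0.0.255 any
permit ip any any
"""

# Assumption for this example: the remote site behind the MPLS/WAN port is 10.104.101.0/24.
REMOTE_SITE = "10.104.101.0/24"


def _address(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A wildcard mask is the bitwise inverse of a netmask (0.0.0.255 -> 255.255.255.0).
    # Simplification: non-contiguous wildcards (legal in IOS) are not modelled here.
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries; the header line and '!' comments are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, rest = _address(rest)
        dst, _ = _address(rest)
        entries.append((action == "permit", src, dst))
    return entries


def evaluate(entries, src, dst):
    """First matching entry wins; the implicit 'deny ip any any' applies at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return permit
    return False


def check_on_interface(entries, direction, far_side, src, dst):
    """Model an interface (routed port or SVI) with the network `far_side` beyond it.

    'in'  : the ACL inspects packets arriving from that side (source in far_side),
            e.g. traffic leaving a VLAN through its SVI, or replies coming in from the WAN.
    'out' : the ACL inspects packets leaving toward that side (destination in far_side),
            e.g. traffic delivered into a VLAN, or traffic sent out to the ISP.
    Returns True (permitted) / False (dropped), or None if the ACL is never consulted.
    """
    net = ipaddress.ip_network(far_side)
    if direction == "in":
        consulted = ipaddress.ip_address(src) in net
    elif direction == "out":
        consulted = ipaddress.ip_address(dst) in net
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return evaluate(entries, src, dst) if consulted else None


if __name__ == "__main__":
    accepted, draft = parse_acl(ACCEPTED_ACL), parse_acl(DRAFT_ACL)
    # Constructed sample flows: an allowed host, another host in the same /24, a host elsewhere.
    for label, acl in (("accepted", accepted), ("draft", draft)):
        for src, dst in (("10.51.165.180", "10.104.101.60"),
                         ("10.51.165.200", "10.104.101.60"),
                         ("10.51.165.200", "10.104.101.61"),
                         ("10.51.166.5", "10.104.101.60")):
            verdict = "permit" if evaluate(acl, src, dst) else "deny"
            print(f"{label:8} {src:>14} -> {dst:<14} {verdict}")
    # Same ACL, wrong direction: an inbound ACL on the WAN port never sees outbound packets.
    print("out:", check_on_interface(accepted, "out", REMOTE_SITE, "10.51.165.200", "10.104.101.60"))
    print("in: ", check_on_interface(accepted, "in", REMOTE_SITE, "10.51.165.200", "10.104.101.60"))
```

Running it shows the draft ACL permitting 10.51.166.5 to the server and dropping 10.51.165.200 to every remote address, while the accepted ACL drops only traffic to 10.104.101.60 from sources outside the five permitted hosts; the last two lines show that the accepted ACL filters the outbound flow only when applied "out", and returns None (never consulted) when applied "in" on the same port.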