Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12481
Views
11
Helpful
7
Replies

ACL to block Internet Access from specific vlan

Go to solution
sreeraj.murali
Level 3
Level 3

‎10-11-2017 11:53 PM - edited ‎03-08-2019 12:20 PM

Hi,

Please help with Access list on the Internet Router restricting Internet access from specific vlan to specific destination and allowing complete Internet access from another vlan.

 

I am attaching the topology pic, with all the details, please provide expert assistance.

 

Thanks & Regards

Sreeraj

1 person had this problem
Labels:
Preview file
133 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Meheretab Mengistu
Level 7
Level 7

‎10-12-2017 12:24 AM

Hi,

You need to use extended ACL as you want to select based on both source and destination addresses. You can try the following (on the router):-

access-list 100 permit ip 172.20.4.0 0.0.1.255 any
access-list 100 permit ip 172.20.2.0 0.0.0.255 host 185.61.213.80
access-list 100 permit ip 172.20.2.0 0.0.0.255 host 170.12.17.15
access-list 100 permit ip 172.20.2.0 0.0.0.255 host 170.12.141.9
! You do not need the deny statement because there is implicit deny at the end of ACLs.

interface gi0/0
ip access-group 100 in
end

HTH,
Meheretab
HTH,
Meheretab

View solution in original post

7 Replies 7

Go to solution
Meheretab Mengistu
Level 7
Level 7

‎10-12-2017 12:24 AM

Hi,

You need to use extended ACL as you want to select based on both source and destination addresses. You can try the following (on the router):-

access-list 100 permit ip 172.20.4.0 0.0.1.255 any
access-list 100 permit ip 172.20.2.0 0.0.0.255 host 185.61.213.80
access-list 100 permit ip 172.20.2.0 0.0.0.255 host 170.12.17.15
access-list 100 permit ip 172.20.2.0 0.0.0.255 host 170.12.141.9
! You do not need the deny statement because there is implicit deny at the end of ACLs.

interface gi0/0
ip access-group 100 in
end

HTH,
Meheretab
HTH,
Meheretab

Go to solution
Julio E. Moisa
VIP
VIP
In response to Meheretab Mengistu

‎10-12-2017 04:19 AM

Hi

Additional if you have any GRE tunnel passing through there, you can add

access-list 100 permit gre any any

And if you are using any ipsec over GRE for VPNs you can add the UDP ports 4500 and 500




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Go to solution
sreeraj.murali
Level 3
Level 3
In response to Julio E. Moisa

‎10-12-2017 04:35 AM

Thanks, Sure will add.
0 Helpful

Go to solution
sreeraj.murali
Level 3
Level 3
In response to Meheretab Mengistu

‎10-12-2017 04:35 AM

Thanks!!! I will try it out.
0 Helpful

Go to solution
Julio E. Moisa
VIP
VIP
In response to sreeraj.murali

‎10-12-2017 04:38 AM

Great, please keep us posted and please don't forget to rate the comments if they were useful

Have a great day

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Go to solution
sreeraj.murali
Level 3
Level 3
In response to Julio E. Moisa

‎10-12-2017 04:40 AM

Wil do that for sure.
0 Helpful

Go to solution
Julio E. Moisa
VIP
VIP
In response to sreeraj.murali

‎10-12-2017 04:41 AM

Thank you :-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card