Cisco 887 no ip access-group

leepeiwai
Beginner

Hi,

I am not able to apply an access-list to FastEthernet 0, as ip access-group is not supported in interface mode but only in interface VLAN mode.

How can I stop traffic into the LAN network?

Cheers,

Pei Wai.

1 ACCEPTED SOLUTION

Giuseppe Larosa
Hall of Fame Master

Hello Leepeiwai,

An ACL is an OSI layer 3 object, so it can only be applied to an L3 interface, which in your case is the VLAN interface, as the FastEthernet port is a switchport (like an L2 LAN switch port) in your router.

You should be able to achieve the desired traffic filtering by applying the ACL on the SVI using ip access-group at interface vlan level.

Your only limitation is that you cannot filter traffic between FastEthernet ports that are members of the same L2 VLAN (traffic within the IP subnet associated with the VLAN). This can be achieved on a multilayer switch like the C3750 using the VACL feature.

Hope to help

Giuseppe


6 REPLIES

Hello Giuseppe,

So I understood why the ACL cannot be applied to FastEthernet, as it is a switchport, thanks!

I have 2 subnets: VLAN 2 (office) 192.168.89.0/24, VLAN 3 (wireless guest) 10.127.0.0/24.

Both VLANs can access the Internet, but VLAN 3 should not access VLAN 2.

I created an ACL:

access-list 33 permit 192.168.89.0 0.0.0.255

Then I applied it to interface VLAN 2:

interface Vlan2

 ip access-group 33 in

However, I am still able to ping VLAN 2 (192.168.89.1) from the guest PC.

Please advise how I can stop the guest PC from accessing VLAN 2.

Cheers,

Pei Wai

Hello Pei Wai,

I would suggest using an extended IP ACL, as you want to block communication between Vlan2 and Vlan3:

access-list 101 remark deny vlan3 to vlan2

access-list 101 deny ip 192.168.89.0 0.0.0.255 10.127.0.0 0.0.0.255

access-list 101 permit ip any any

int vlan2

ip access-group 101 in

This should break communication between vlan2 and vlan3 without impacting Internet connectivity.

Your ACL 33 allows traffic sourced from 192.168.89.0/24, including that with destination 10.127.0.0/24.

Hope to help

Giuseppe
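As an added illustration that is not part of this thread, the following Python model evaluates IOS wildcard-mask ACLs the way the router does and applies them per ingress SVI: an inbound ACL on interface Vlan2 only sees packets entering from VLAN 2, so traffic from the guest VLAN has to be filtered by an extended ACL applied inbound on interface Vlan3. The two subnets are the ones from the thread; the host, gateway and Internet addresses and the ACL_GUEST_IN entries are constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class Ace(NamedTuple):
    """One access-list entry: action plus IOS 'network wildcard' specs (or 'any')."""
    action: str
    src: str
    dst: str = "any"          # a standard ACL matches on source only

def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action == "permit"
    return False

Svi = Tuple[str, str, Optional[List[Ace]]]   # (name, subnet, inbound ACL or None)

def forwards(svis: List[Svi], src: str, dst: str) -> bool:
    """A packet is checked only by the inbound ACL of the SVI it arrives on."""
    for _name, subnet, acl in svis:
        if ipaddress.IPv4Address(src) in ipaddress.IPv4Network(subnet):
            return acl_permits(acl, src, dst) if acl else True
    return False            # source not in any directly connected VLAN

OFFICE = "192.168.89.0 0.0.0.255"   # VLAN 2 (subnets taken from the thread)
GUEST = "10.127.0.0 0.0.0.255"      # VLAN 3
ACL_33 = [Ace("permit", OFFICE)]    # the standard ACL posted in the thread
# Constructed for this example: deny guest -> office, allow everything else.
ACL_GUEST_IN = [Ace("deny", GUEST, OFFICE), Ace("permit", "any", "any")]

def as_posted(src: str, dst: str) -> bool:
    """ACL 33 inbound on Vlan2, nothing on Vlan3: guest packets are never checked."""
    return forwards([("Vlan2", "192.168.89.0/24", ACL_33),
                     ("Vlan3", "10.127.0.0/24", None)], src, dst)

def with_guest_filter(src: str, dst: str) -> bool:
    """Extended ACL inbound on the guest SVI, where guest traffic enters the router."""
    return forwards([("Vlan2", "192.168.89.0/24", None),
                     ("Vlan3", "10.127.0.0/24", ACL_GUEST_IN)], src, dst)
```

Running `with_guest_filter("10.127.0.55", "192.168.89.1")` returns False while the same call against `as_posted` returns True, which matches the ping result reported in the thread.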