
Chris McDaniel

My apologies in advance if this has already been answered.

I have to limit a particular site from reaching other sites via our WAN cloud.  I believe the easiest is to "white list" the nets that are allowed and allow the implicit deny all take care of the rest.  So my question is this:

stack of 3750G (3) with a WAN VLAN configured


If I apply the following ACL to the VLAN interface (VLAN 10) I should only allow access to the listed networks from the other networks behind the 3750, correct?

ip access-list extended COMP1_TO_COMP2
 permit ip host host      ! WAN Router and BGP Peer
 permit ip any host       ! Optimizer
 permit ip any            ! net_1
 permit ip any            ! net_2
 permit ip any            ! net_3

ip access-list extended COMP2_TO_COMP1
 permit ip host host      ! WAN Router and BGP Peer
 permit ip host           ! Optimizer
 permit ip any            ! Net_1
 permit ip any            ! Net_2
 permit ip any            ! Net_3

interface Vlan10
 ip address
 ip access-group COMP1_TO_COMP2 out
 ip access-group COMP2_TO_COMP1 in

Is this correct or am I completely whacked out???

7 Replies

Jon Marshall
VIP Community Legend


Not entirely sure what you are trying to do but you seem to have your acls the wrong way round. Vlan 10 uses the subnet  so -

1) the first line in each acl is redundant because the two IPs are in the same vlan so they won't go the vlan 10 interface

2) The ACLs are applied the wrong way. Inbound means traffic coming from clients on the VLAN, i.e. 192.168.67.x clients, and outbound is traffic going to the 192.168.67.x clients.
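An added model (not code from the thread) of the in/out semantics Jon describes for an SVI: "in" sees packets sourced by hosts on the VLAN entering the routing engine, "out" sees packets routed toward hosts on the VLAN, first match wins, and anything unmatched hits the implicit deny. The 192.168.67.0/24 subnet is the one Jon names for VLAN 10; the remote net_1 prefix and host addresses are constructed placeholders standing in for the values stripped from the original post.

```python
from ipaddress import ip_address, ip_network

VLAN10_NET = ip_network("192.168.67.0/24")  # VLAN 10 subnet per Jon's reply
NET_1 = ip_network("10.1.0.0/16")           # constructed stand-in for net_1

# ACL entries as (action, source, destination); "any" matches everything.
# Same shape as the poster's permit lines, reduced to the net_1 entry.
COMP1_TO_COMP2 = [("permit", "any", NET_1)]   # users -> allowed remote nets
COMP2_TO_COMP1 = [("permit", NET_1, "any")]   # allowed remote nets -> users


def _match(scope, addr):
    return scope == "any" or addr in scope


def acl_allows(acl, src, dst):
    """First-match evaluation; falling off the end is the implicit deny."""
    for action, s, d in acl:
        if _match(s, src) and _match(d, dst):
            return action == "permit"
    return False


def svi_filter(src, dst, vlan_net, acl_in, acl_out):
    """Return (direction, permitted) for a packet crossing this SVI.

    'in'  = packet sourced by a host on the VLAN, heading into the L3 engine
    'out' = packet routed by the L3 engine toward a host on the VLAN
    """
    src, dst = ip_address(src), ip_address(dst)
    if src in vlan_net:
        return "in", acl_allows(acl_in, src, dst)
    if dst in vlan_net:
        return "out", acl_allows(acl_out, src, dst)
    return "none", True  # does not traverse this SVI at all


# The poster's placement: COMP2_TO_COMP1 in, COMP1_TO_COMP2 out.
def as_posted(src, dst):
    return svi_filter(src, dst, VLAN10_NET, COMP2_TO_COMP1, COMP1_TO_COMP2)


# Jon's correction: swap them, so "in" filters what the VLAN's hosts send.
def as_corrected(src, dst):
    return svi_filter(src, dst, VLAN10_NET, COMP1_TO_COMP2, COMP2_TO_COMP1)


if __name__ == "__main__":
    print(as_posted("192.168.67.10", "10.1.2.3"))     # ('in', False)
    print(as_corrected("192.168.67.10", "10.1.2.3"))  # ('in', True)
```

With the ACLs applied as posted, a VLAN 10 host talking to net_1 is evaluated against COMP2_TO_COMP1 inbound and denied, and the return traffic is denied outbound; swapping the two makes both directions match, while traffic to an unlisted network is still dropped by the implicit deny.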


Hi Jon - Thanks for the quick reply...

What I am trying to accomplish is to restrict all users at this to only be able to access certain subnets at other sites, and restrict certain sites from accessing this site.  It's a legal thing...  So the rest of this config would look like:

interface Vlan10
 ip address

interface Vlan2
 ip address

interface Vlan30
 ip address

There are no users in VLAN 10, only the WAN router, the Optimizer, and the Core.  So based on your response I should apply the COMP2_TO_COMP1 ACL on the user subnets as INBOUND and COMP1_TO_COMP2 as OUTBOUND on VLAN 10...