2960-X ACL/Out

I have Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(2)E3, RELEASE SOFTWARE (fc3)

and I created an access-list to prevent my network from accessing 4 other networks (from the 4 networks I cannot access the SWs).

When I tried to configure the access-group on my interface there was no "out" option, only "in":

X-LAB(config)#int gig 1/0/47
X-LAB(config-if)#ip acc
X-LAB(config-if)#ip access-group 101 ?
  in  inbound packets

 

Is there any option I can activate to get the outbound option on the interface?

Accepted Solutions

Re: 2960-X ACL/Out

Switchports (as they are L2) only support inbound access-lists which is why you can't configure outbound.

 

If you can share the configuration and design of your network a little more, it would be easier to advise where it is most optimal to put your access-list. But from what you have shared, applying it inbound on this interface would give you your desired result, i.e. no communication to the 'other' networks.

 

edit: "An Extended Access Control List (ACL) can filter the traffic based on many factors like source IP address, destination IP address, protocol, TCP or UDP port numbers etc.

Since an Extended Access Control List (ACL) can filter the IP datagram packet based on the destination IP address, it must be placed on the router which is near to the source network/host. If we place the Extended Access Control List (ACL) near to the destination, the unwanted traffic may consume bandwidth until the destination, and the unwanted traffic will finally get filtered near the destination." http://www.omnisecu.com/cisco-certified-network-associate-ccna/where-should-an-extended-access-control-list-acl-be-placed.php

 

Reasoning for why we apply on the 'inbound' as soon as we can.
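To make the accepted answer concrete, the following is the complete inbound form of the configuration the thread describes. It is an added example, not the poster's configuration or anything from Cisco documentation; the local LAN 10.1.1.0/24, the four remote networks 10.2.0.0/24 through 10.5.0.0/24, and the assumption that Gi1/0/47 is the access port toward the local hosts are all made up for illustration.

```cisco
! Extended ACL 101 (addresses assumed for the example).
! Because the port ACL can only be applied inbound, it sees frames as they
! enter the switch on Gi1/0/47, i.e. frames sent BY the local hosts. The deny
! entries therefore carry the local LAN as source and each remote network as
! destination.
access-list 101 remark Block local LAN from reaching four remote networks
access-list 101 deny   ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny   ip 10.1.1.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 101 deny   ip 10.1.1.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 101 deny   ip 10.1.1.0 0.0.0.255 10.5.0.0 0.0.0.255
! Every ACL ends with an implicit "deny ip any any". Without this explicit
! permit, all other traffic entering the port would be dropped as well.
access-list 101 permit ip any any
!
interface GigabitEthernet1/0/47
 description access port toward local hosts (assumed)
 switchport mode access
 ip access-group 101 in
!
! Verification: confirm the ACL contents and that it is bound to the port.
show ip access-lists 101
show running-config interface GigabitEthernet1/0/47
```

Two caveats follow from the "inbound only" rule. First, this ACL filters only traffic originating from hosts behind Gi1/0/47; packets travelling toward those hosts leave the port without being checked, so if the four networks must also be stopped from reaching the local LAN, a separate inbound ACL is needed where that traffic enters (the uplink port, or a routed interface/SVI on the device doing the routing). Second, order the entries deny-first with the broad permit last, since IOS evaluates an ACL top to bottom and stops at the first match.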

