
IP Access List Help


MrNick0483

IS-IT--Management
May 12, 2008
151
US
I am wanting to deny access to the internet on a few particular VLANs on my network and was wanting some input as to whether the following access list would do the job.

access-list 112 deny tcp any any eq www

Thanks in advance for the help.
 
Although the information supplied is minimal, I would have to say "no", that most likely would not do the job.

The internet is a lot more than just port 80.

Also, port 80 is used within a LAN by a great many applications.

To generically deny access from one subnet to another, you should specify the subnets, not the protocol.

Your access list might go something like this:

- allow Subnet 1 to anything
- allow Subnet 2 to subnet 1
- deny subnet 2 to any

Where Subnet 1 is "unrestricted" and Subnet 2 is "internet-barred".
 
Another thing that should be emphasized here is the implicit deny at the end of that ACL. An ACL with a single deny line will effectively just deny everything.

CCNP, CCDP, CCIP
Core Network Planner, ISP
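
Added example, not part of the original thread: a small Python model of first-match ACL evaluation with the implicit deny, run against the one-line ACL from the question and against the subnet-based outline from the replies. The 10.1.1.0/24 and 10.1.2.0/24 subnets and the 203.0.113.7 internet address are constructed, and the parser covers only the small subset of IOS extended ACL syntax used here.

```python
import ipaddress

# ACL from the question, and the subnet-based outline from the replies.
# Constructed addressing: 10.1.1.0/24 = subnet 1, 10.1.2.0/24 = subnet 2.
ORIGINAL = ["access-list 112 deny tcp any any eq www"]
SUBNET_BASED = [
    "access-list 112 permit ip 10.1.1.0 0.0.0.255 any",
    "access-list 112 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 112 deny ip 10.1.2.0 0.0.0.255 any",
]

def take_addr(tokens):
    """Consume 'any' or 'ADDR WILDCARD' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ip_network accepts the wildcard (host mask) form for contiguous masks
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    action, proto, *rest = line.split()[2:]
    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = 80 if rest[1] == "www" else int(rest[1])
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_proto, a_src, a_dst, a_port in map(parse_ace, acl):
        if a_proto not in ("ip", proto):
            continue
        if s in a_src and d in a_dst and a_port in (None, dport):
            return action
    return "deny"  # nothing matched: implicit deny at the end of every ACL

if __name__ == "__main__":
    flows = [  # constructed sample traffic
        ("tcp", "10.1.2.5", "203.0.113.7", 80),   # subnet 2 -> internet web
        ("tcp", "10.1.2.5", "203.0.113.7", 443),  # subnet 2 -> internet HTTPS
        ("tcp", "10.1.2.5", "10.1.1.10", 445),    # subnet 2 -> subnet 1 file share
        ("tcp", "10.1.1.5", "203.0.113.7", 443),  # subnet 1 -> internet HTTPS
    ]
    for f in flows:
        print(f, "original:", evaluate(ORIGINAL, *f), "| subnet-based:", evaluate(SUBNET_BASED, *f))
```

The one-line ACL denies every sample flow, including subnet 2 to subnet 1, because no entry permits anything; the subnet-based list blocks only subnet 2 traffic that leaves for other networks.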
 
VLAN access maps are going to be better suited for what you want to do. Take a look down that path.
 