Beginner Access Control Lists

Sep 29th, 2008

I have a 6509 with a router module installed. On this router I have multiple vlan interfaces one for each subnet. I am adding a new subnet which I want to isolate except for outbound Internet access and specified functions between the subnets.

The subnets are which is the gateway to the internet, and I want to add

All of these have an interface on the router with 1 as the last octet. I have written the following access lists:


deny ip
deny ip
deny ip
permit ip any any

permit ip eq telnet

Will these access lists do what I need, and which should be applied outbound and which should be applied inbound?


Giuseppe Larosa Mon, 09/29/2008 - 09:02

Hello Ron,

I would suggest you use only one ACL.

First, the permitted communication between local subnets:

access-list 105 permit tcp eq telnet

! note the position of the TCP port you want to have telnet access to devices in from

! then you deny all other internal communication

access-list 105 deny ip

access-list 105 deny ip

access-list 105 deny ip

! then you permit internet access

access-list 105 permit ip any

! in this way you also have anti-spoofing: you don't allow a source not in to go out

I would apply this ACL inbound on the SVI Vlan with IP address

let's suppose it is vlan 10:

int vlan 10

ip access-group 105 in

Hope to help
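As an added illustration, not part of Giuseppe's reply or of the original thread: a small first-match ACL evaluator in Python that applies the ordering he describes to sample packets. Because the thread's real subnets did not survive, it uses hypothetical addressing (192.168.10.0/24 for the new VLAN 10, 192.168.20.0/24, 192.168.30.0/24 and 192.168.40.0/24 for the existing subnets, 192.168.20.5 as the device reachable by telnet, 203.0.113.10 as an Internet host). It models the ACL applied inbound on the VLAN 10 SVI, so every packet is one sent by a VLAN 10 host towards the router, and it shows three things the post states in words: the telnet permit must come before the deny lines, the restricted source on the final permit drops spoofed sources through the implicit deny, and how each entry renders in IOS syntax with wildcard masks.

```python
"""First-match ACL evaluator (added example; addresses are hypothetical)."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional


class Ace(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol) or "tcp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # TCP destination port, None = any


class Packet(NamedTuple):
    proto: str             # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


ANY = ip_network("0.0.0.0/0")

# Hypothetical addressing standing in for the thread's missing subnets.
VLAN10 = ip_network("192.168.10.0/24")          # new, isolated subnet
INTERNAL = [ip_network(n) for n in
            ("192.168.20.0/24", "192.168.30.0/24", "192.168.40.0/24")]
TELNET_TARGET = ip_network("192.168.20.5/32")   # device VLAN 10 may telnet to

# Giuseppe's ordering: specific permit, then denies, then Internet permit
# with the source restricted to VLAN 10 (anti-spoofing).
ACL_105: List[Ace] = [
    Ace("permit", "tcp", VLAN10, TELNET_TARGET, 23),
    *[Ace("deny", "ip", VLAN10, net, None) for net in INTERNAL],
    Ace("permit", "ip", VLAN10, ANY, None),
]

# Same entries, but the telnet permit moved after the denies.
ACL_MISORDERED: List[Ace] = ACL_105[1:] + ACL_105[:1]


def matches(ace: Ace, pkt: Packet) -> bool:
    """True if the packet satisfies every field of the entry."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ace.src:
        return False
    if ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """IOS semantics: first matching entry wins; otherwise implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def render_ios(acl: List[Ace], number: int) -> List[str]:
    """Render entries as numbered-ACL lines; wildcard mask = inverted netmask."""
    names = {23: "telnet"}

    def addr(net: IPv4Network) -> str:
        if net == ANY:
            return "any"
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.hostmask}"

    lines = []
    for ace in acl:
        line = f"access-list {number} {ace.action} {ace.proto} {addr(ace.src)} {addr(ace.dst)}"
        if ace.dport is not None:
            line += f" eq {names.get(ace.dport, ace.dport)}"
        lines.append(line)
    return lines


def check_cases(acl: List[Ace]) -> dict:
    """Evaluate the traffic types the thread cares about against one ACL."""
    return {
        "telnet_to_target": evaluate(acl, Packet("tcp", "192.168.10.50", "192.168.20.5", 23)),
        "ssh_to_target": evaluate(acl, Packet("tcp", "192.168.10.50", "192.168.20.5", 22)),
        "other_internal": evaluate(acl, Packet("udp", "192.168.10.50", "192.168.30.7", 53)),
        "internet": evaluate(acl, Packet("tcp", "192.168.10.50", "203.0.113.10", 443)),
        "spoofed_source": evaluate(acl, Packet("tcp", "192.168.20.9", "203.0.113.10", 443)),
    }


if __name__ == "__main__":
    for line in render_ios(ACL_105, 105):
        print(line)
    print("correct order :", check_cases(ACL_105))
    print("misordered    :", check_cases(ACL_MISORDERED))
```

The misordered variant only differs in the position of the telnet line, yet it denies the telnet session: the `deny ip` for 192.168.20.0/24 matches first and the evaluation stops there. The spoofed-source case never matches any entry because every line names VLAN 10 as source, so it falls through to the implicit deny, which is the anti-spoofing effect Giuseppe mentions.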
