
Extended IP ACL

Apr 4th, 2012

Let's say I have Gi0/0 - and Gi0/2 -

I need to access everything from the first network to the second, but nothing from to

I'm very much a beginner; I can't figure out the ACL.

Thanks !

Zeeshan Siddiqui Wed, 04/04/2012 - 03:26

Hi Adrian,

Please go through following link


Configure ACL below

conf t

ip access-list extended test

deny ip  (you may have to change to wild card mask depending on the router / L3 switch you are using)

int Gi0/0 

ip access-group test in

The ACL is going to match the source and destination IP address when it enters interface Gi0/0.

This will block traffic coming from when it hits your Gi0/0 interface.

There are a number of ways of applying an ACL; please go through the URL. If you are new to ACLs I would test in a lab and not in production.

I hope this answers your questions.

Adrian Ardelean Wed, 04/04/2012 - 03:47

I did this way:


deny ip


the problem is I lost connection from to the router.

If I ping the gateway ( from a Windows host it gives me:

Destination net unreachable

Zeeshan Siddiqui Wed, 04/04/2012 - 04:16

Hi Adrian,

Are you using an L3 switch here?

Can you post a basic diagram of your setup including gateways and where your test PC is connected (I believe this is a lab environment), and remove the config mentioned above, as it will block all traffic that matches the following criteria entering Gi0/0.

For example, if you ping from host

The traffic will leave the Gi0/0 interface and hit ; the IP header will look like [ source | destination ]

Now with the return traffic the header will look like [ source | destination ] and will be blocked by the ACL.

In short, the ACL mentioned above will block traffic when the IP header contains a source address of 172.16.2.x and a destination address of 172.16.0.x hitting the Gi0/0 interface in the inbound direction.

Adrian Ardelean Wed, 04/04/2012 - 04:25

Hi Zeeshan,

It's a 2921 router and it's intended to be used for network segmentation. For the moment, yes, it's in a testing environment; I have two PCs, one connected to each interface.

PC1:     GW: (Gi0/0)

PC2:  GW: (Gi0/2)

Gi0/0-3 are L3 ports, but I also have an EHWIC-D-8ESG with L2 ports (gi0/1/0-7) that I will use later.


Neeraj Arora Wed, 04/04/2012 - 08:35


I can give you a solution... well, more of an option to accomplish what you are looking for, but this will only work for TCP connections, not for ICMP or UDP. Those would either be allowed or blocked.

Use the established keyword in the ACL, which will only allow response traffic from subnet going to ; nothing initiated from this subnet would be allowed.

Config will look like this:

access-list 100 permit tcp established

access-list 100 deny tcp     --> this will allow UDP and ICMP initiated from this subnet

access-list 100 deny ip   --> This will block everything including UDP & ICMP which is initiated from this subnet, so use either one of these lines in the ACL

access-list 100 permit ip any     --> To allow traffic going towards internet, if you want to allow that for future

interface gig0/2

ip access-group 100 in

Apart from this, you have the option of using CBAC functionality in routers, but that is dependent on the IOS being used and honestly I am not an expert in that, so I would suggest you dig more into this topic before thinking of implementing it.

Hope the above option helps
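The two explanations above (Zeeshan's point that a plain deny also drops the return half of a session, and Neeraj's established-keyword option) are easier to see with a small model of IOS extended-ACL matching. The following is an added example, not code from the thread or from Cisco: it models first-match evaluation, the implicit deny, and the fact that established only checks the ACK/RST flags of a TCP segment. It assumes 172.16.0.0/24 behind Gi0/0 (the side allowed to initiate) and 172.16.2.0/24 behind Gi0/2 (the side to isolate), consistent with the 172.16.0.x / 172.16.2.x addresses mentioned earlier; the hosts .10 and the 192.0.2.53 destination are constructed.

```python
"""Model of Cisco IOS extended-ACL evaluation for one-way access between
two LANs.  Added example; addresses and hosts are assumed/constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()   # subset of {"SYN", "ACK", "RST", "FIN"}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol, as in IOS
    src: str               # "any" or a CIDR; IOS writes 172.16.2.0/24 as "172.16.2.0 0.0.0.255"
    dst: str
    established: bool = False


def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(acl, pkt):
    """Action of the first matching ACE, else 'deny' (the implicit deny ip any any)."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        # 'established' matches only TCP segments with ACK or RST set.
        # IOS keeps no session table here, so it is a flag check, not state.
        if ace.established and not (pkt.proto == "tcp" and pkt.tcp_flags & {"ACK", "RST"}):
            continue
        return ace.action
    return "deny"


NET_A = "172.16.0.0/24"   # assumed: behind Gi0/0, may initiate toward B
NET_B = "172.16.2.0/24"   # assumed: behind Gi0/2, must not initiate toward A
PC1, PC2 = "172.16.0.10", "172.16.2.10"   # constructed hosts

# Naive attempt: plain deny of B -> A with no 'established', applied "in" on Gi0/2
NAIVE_GI02_IN = [
    Ace("deny", "ip", NET_B, NET_A),
    Ace("permit", "ip", "any", "any"),
]

# Neeraj's pattern: only TCP replies from B to A, everything else B -> A denied
ESTABLISHED_GI02_IN = [
    Ace("permit", "tcp", NET_B, NET_A, established=True),
    Ace("deny", "ip", NET_B, NET_A),
    Ace("permit", "ip", "any", "any"),   # e.g. B toward the Internet
]

# Packets as they arrive inbound on Gi0/2 from the PC2 side (constructed)
PACKETS = {
    "syn_ack_reply":   Packet("tcp", PC2, PC1, frozenset({"SYN", "ACK"})),  # reply to PC1's SYN
    "syn_from_pc2":    Packet("tcp", PC2, PC1, frozenset({"SYN"})),         # PC2 opening a session
    "ping_from_pc2":   Packet("icmp", PC2, PC1),
    "dns_to_internet": Packet("udp", PC2, "192.0.2.53"),                    # TEST-NET-1, constructed
    "forged_ack":      Packet("tcp", PC2, PC1, frozenset({"ACK"})),         # no real session behind it
}


def naive_results():
    """Plain deny also kills the SYN/ACK reply, so A -> B TCP never completes."""
    return {name: evaluate(NAIVE_GI02_IN, p) for name, p in PACKETS.items()}


def established_results():
    """Replies pass, new sessions/ICMP from B are dropped, Internet still allowed.
    Note 'forged_ack' is also permitted: a host on B that sets ACK on a crafted
    segment gets through, which is why CBAC/reflexive ACLs are the stateful option."""
    return {name: evaluate(ESTABLISHED_GI02_IN, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, fn in (("naive", naive_results), ("established", established_results)):
        print(label)
        for name, action in fn().items():
            print(f"  {name:16} {action}")
```

In IOS the same established ACL is written with wildcard masks, i.e. `access-list 100 permit tcp 172.16.2.0 0.0.0.255 172.16.0.0 0.0.0.255 established` followed by the deny and the permit any any, and applied with `ip access-group 100 in` on Gi0/2. The `forged_ack` case is the limitation to keep in mind: the established keyword trusts the flags the sender put on the segment, not a session table.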


Zeeshan Siddiqui Wed, 04/04/2012 - 09:32

Hi Adrian,

I completely agree with Neeraj.

I have actually done some testing in a lab environment using a 3750; you have to use the established keyword for one-way traffic for TCP.

You can try the suggestion below if Neeraj's advice does not fulfil your requirements.

Another option would be a reflexive ACL; again, it depends on your router model / IOS. Unfortunately I cannot test it in my lab as it is not supported on a 3750.

The URL below can be helpful


