Cisco Support Community
Community Member

Extended IP ACL


Let's say I have Gi0/0 - and Gi0/2 -

I need to access everything from the first network to the second, but nothing from to

I'm a complete beginner, I can't figure out the ACL..

Thanks !

Community Member

Extended IP ACL

Hi Adrian,

Please go through the following link

Configure ACL below

conf t

ip access-list extended test

deny ip  (you may have to change to wild card mask depending on the router / L3 switch you are using)

int Gi0/0 

ip access-group test in

The ACL is going to match the source and destination IP address when it enters interface Gi0/0

This will block traffic coming from when it hits your Gi0/0 interface

There are a number of ways of applying an ACL; please go through the URL. If you are new to ACLs I would test in a test lab and not in production

I hope this answers your questions

Community Member

Extended IP ACL

I did this way:


deny ip


the problem is I lost connection from to the router

If I ping the gateway ( from a Windows host it gives me:

Destination net unreachable

Community Member

Extended IP ACL

Hi Adrian,

Are you using a L3 switch here ?

Can you post a basic diagram of your setup including gateways and where your test PC is connected (I believe this is a lab environment) and remove the config mentioned above, as it will block all traffic when it matches the following criteria entering Gi0/0.

For example if you ping from host

The traffic will leave the Gi0/0 interface and hit  the IP header will look like  [ source | destination ]

Now with the return traffic the header will look like [ source | destination ] and it will be blocked by the ACL

In short, the ACL mentioned above will block traffic when the IP header contains a source address of 172.16.2.x and a destination address of 172.16.0.x hitting the Gi0/0 interface in the (in) direction

Community Member

Extended IP ACL

Hi Zeeshan,

It's a 2921 router and it's intended to be used for network segmentation. For the moment, yes, it's in a testing env., I have two PCs, one connected to each interface.

PC1:     GW: (Gi0/0)

PC2:  GW: (Gi0/2)

The Gi0/0-3 are L3, but I also have an EHWIC-D-8ESG with L2 ports (gi0/1/0-7) that I will use later.


Extended IP ACL


I can give you a solution...well, more of an option to accomplish what you are looking for, but this will only work for TCP connections, not for ICMP or UDP. They would either be allowed or blocked.

Use the established keyword in the ACL, which will only allow response traffic from subnet going to ; nothing initiated from this subnet would be allowed

Config will look like this:

access-list 100 permit tcp established

access-list 100 deny tcp     --> this will allow UDP and ICMP initiated from this subnet

access-list 100 deny ip   --> This will block everything including UDP & ICMP which is initiated from this subnet, so use either one of these lines in the ACL

access-list 100 permit ip any     --> To allow traffic going towards internet, if you want to allow that for future

interface gig0/2

ip access-group 100 in

Apart from this, you have the option of using CBAC functionality in routers, but that is dependent on the IOS being used and honestly I am not an expert in that, so I would suggest you dig more into this topic before thinking of implementing it

Hope the above option helps
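
Added illustration (not part of Neeraj's post or any Cisco code): a small model of how the ACL above evaluates packets arriving inbound on Gi0/2, so the difference between the `deny tcp` and `deny ip` lines, and what `established` actually matches, can be seen on sample packets. The two subnets are constructed documentation prefixes standing in for PC1's and PC2's networks, which the thread does not show.

```python
# Constructed placeholders for the two networks (not the poster's addressing).
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")        # stands in for PC2's subnet behind Gi0/2
PROTECTED = ip_network("198.51.100.0/24")  # stands in for PC1's subnet behind Gi0/0


def established(pkt):
    """IOS 'established' matches TCP segments with ACK or RST set, i.e. anything
    except the initial SYN of a new connection. The check is stateless: it never
    looks up a real session, which is why the later replies recommend reflexive
    ACLs or CBAC when something stronger than this is needed."""
    return pkt["proto"] == "tcp" and bool(pkt.get("flags", set()) & {"ACK", "RST"})


def evaluate(pkt, block_all_ip=False):
    """Return 'permit' or 'deny' for a packet entering Gi0/2 (ip access-group 100 in).
    block_all_ip=False models the 'deny tcp ...' line (UDP and ICMP still pass);
    block_all_ip=True models the 'deny ip ...' line (everything INSIDE->PROTECTED dropped)."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    to_protected = src in INSIDE and dst in PROTECTED
    # access-list 100 permit tcp INSIDE PROTECTED established
    if to_protected and established(pkt):
        return "permit"
    # access-list 100 deny tcp INSIDE PROTECTED   or   deny ip INSIDE PROTECTED
    if to_protected and (block_all_ip or pkt["proto"] == "tcp"):
        return "deny"
    # access-list 100 permit ip INSIDE any  (traffic towards the internet)
    if src in INSIDE:
        return "permit"
    return "deny"  # implicit deny at the end of every IOS ACL


# Constructed sample packets as seen entering Gi0/2.
PACKETS = {
    "pc2_syn":   {"src": "192.0.2.10", "dst": "198.51.100.10", "proto": "tcp", "flags": {"SYN"}},
    "pc2_reply": {"src": "192.0.2.10", "dst": "198.51.100.10", "proto": "tcp", "flags": {"SYN", "ACK"}},
    "pc2_ping":  {"src": "192.0.2.10", "dst": "198.51.100.10", "proto": "icmp"},
    "pc2_dns":   {"src": "192.0.2.10", "dst": "203.0.113.53", "proto": "udp"},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:10s} deny tcp -> {evaluate(pkt):6s}  deny ip -> {evaluate(pkt, True)}")
```

With the `deny tcp` variant, PC2's ping and DNS still pass while its TCP SYN is dropped; with `deny ip`, the ping is dropped too and only the internet-bound DNS query survives, which is exactly the choice Neeraj describes.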


Community Member

Extended IP ACL

Hi Adrian,

I completely agree with Neeraj

I have actually done some testing in a lab environment using a 3750; you have to use the established keyword for one-way traffic for TCP.

You can try the suggestion below if Neeraj's advice does not fulfil your requirements

Another option would be a Reflexive ACL; again it depends on your router model / IOS. Unfortunately I cannot test it in my lab as it is not supported on a 3750.

The URL below can be helpful
