Cisco Support Community
New Member

ACLs on 3550-EMI


I'm trying to figure out how to configure this ACL to allow access to the Internet for VLAN 20. I got it to work but I'm wondering if I can be more specific than:

permit tcp any eq www

If there was an internal webserver, I wouldn't want them to have access and instead have a specific permit statement for that host.

Also, is it correct that I need a permit statement for the default route and the DNS server?


interface Vlan20
 description VLAN 20 - Faculty_Staff
 ip address secondary
 ip address
 ip access-group FACULTY_STAFF in
 ip helper-address

Int f0/48 is the connection to the PIX which is the default gateway.

interface FastEthernet0/48
 description - to PIX
 no switchport
 ip address


ip default-gateway
ip classless
ip route
ip http server


permit ip host
permit ip host
permit ip host X.X.X.X
permit tcp any eq www

Thanks for your help, SG


Re: ACLs on 3550-EMI

You can get specific down to the host level in an ACL, e.g. permit tcp host any eq www. Your ACL will need to allow for outbound DNS queries, but you don't need anything else for web traffic to work -- the last statement's destination is "any", so that covers everything.

New Member

Re: ACLs on 3550-EMI

Thanks for the reply. So you're saying I'd need a permit statement for the DNS to allow for queries but not for the default route?

Also, I would like to have control over access to internal web servers. For example, I would want to allow our Student VLAN access to any website, etc., externally, but only selective access to web servers on our internal network.

With the last statement's destination of any, I realize this allows web traffic to any host. Does that apply to internal web hosts as well as external web hosts?

Thanks for your help, SG


Re: ACLs on 3550-EMI

Yes, you'll need a permit statement for DNS. ACLs and routes aren't related to each other.

The last statement does indeed apply to internal and external networks -- the access list doesn't know which networks are internal and which aren't.
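Putting the two replies together, the way to get "Internet web for everyone, internal web only to chosen hosts" is ordering: entries are evaluated top down, first match wins, and anything not matched hits the implicit deny at the end. The fragment below is an added, constructed example (not the original poster's config): it assumes VLAN 20 is 192.0.2.0/24, the internal server subnet is 198.51.100.0/24 with the permitted web server at 198.51.100.10 and the DNS server at 198.51.100.53 (all documentation addresses), and that the ACL is applied inbound on the SVI as in the original post.

```cisco
ip access-list extended FACULTY_STAFF
 remark constructed example; 192.0.2.x and 198.51.100.x are placeholder documentation addresses
 remark 1. the one internal web server VLAN 20 may reach, matched before the broad deny
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq www
 remark 2. block tcp/80 to the rest of the internal server subnet
 deny   tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq www
 remark 3. DNS queries to the internal DNS server (udp/53); no entry is needed for the default route
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.53 eq domain
 remark 4. web to everything else, i.e. the Internet; this must come after the deny above
 permit tcp 192.0.2.0 0.0.0.255 any eq www
 remark everything not listed is dropped by the implicit "deny ip any any"
!
interface Vlan20
 ip access-group FACULTY_STAFF in
```

If "permit tcp ... any eq www" were placed above the deny, the deny would never be reached; `show access-lists FACULTY_STAFF` shows per-entry match counts, which is the quickest way to confirm traffic is hitting the entry you expect. With a secondary address on the SVI, add the second source subnet to each entry as well.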
