1 Reply Latest reply: Oct 6, 2017 3:40 PM by davidhild RSS

ACL Cisco IOS help


I have an ACL on a VLAN interface which is used for wired Guest access.

The device is given a IP address in the Guest range I want to deny access to internal networks and allow Internet only access

Problem is the following Access list in not working correctly

Extended IP access list Internet-Only

    10 permit udp any any eq domain

    20 permit tcp any any eq domain

    30 permit udp any eq bootps any

    40 permit udp any any eq bootpc

    50 permit udp any eq bootpc any

    60 permit ip any host

    70 permit ip any host

    80 deny ip any (12 matches)

    90 deny ip any

    100 deny ip any

    110 permit ip any any (1759 matches)



The host receives an IP address of 10.129.88.x and cannot ping out to or internally as you can see it hits the first Deny rule.

The ACL is applied to the vlan interface for guest for outbound traffic. No inbound ACL is applied to the VLAN


interface vlan 100

ip access-group ACCESS-list out


What am I missing here ?

Appreciate the feedback



  • 1. Re: ACL Cisco IOS help

    I'm not sure of the reference point for the data, but it seems to me that you need a "ip access-group ACCESS-list in" on the VLAN interface. That is, assuming your VLAN 100 is the VLAN that your endpoint is a member of. The fact that the UDP entries do not show any hits, yet the endpoint received an IP may be an indication of this.


    I could be wrong and completely misunderstanding your network, but it's worth a try, IMHO.


    I hope this is helpful.