Cisco 2621 ACLs: block all but what's allowed

TopGun

Hey guys I have a quick question about something I'm stuck on.

How would I go about only allowing the traffic that I have ACLs set for and blocking any other traffic?

Just as an example, say I have an ACL that allows traffic from 192.168.1.0 to 192.168.2.10.

How would I go about setting it up so that no other traffic can occur, such as HTTP traffic from 192.168.3.20 to 192.168.1.10?

I'm hoping there's a way to deny everything and then only allow what I want. It would seem crazy if I had to deny every single protocol from every possible source.

Thanks.
 
No worries, guy. ACLs have this thing called "implicit deny", which means they deny everything that you haven't allowed through them. Basically, the packet comes into the ACL, runs through the list, and if it doesn't match one of the entries it hits a deny statement at the end and the router drops it like a rock.

For VLANs/subnets/IP ranges, just add your own deny statement in the list.
 
The issue I'm having is I have an ACL set up so that VLAN 10 (172.16.110.0/24) and VLAN 30 (172.16.130.0/24) are allowed IP traffic to 172.16.100.30/24 on VLAN 1 (172.16.100.0/24).

That works fine as long as I'm trying to communicate with 172.16.100.30, but if I try to, say, ping from 172.16.120.20/24 on VLAN 20 (172.16.120.0/24) to 172.16.130.10/24 on VLAN 30 (172.16.130.0/24), it's successful.

That's an issue because I want any traffic that I haven't allowed to be denied.
I'm also a little lost on what interfaces to apply the access-group to and whether to have it in or out.

I just selected the physical port I'm using for trunking as well as the virtual interfaces and then applied the access-group as "out", but I'm not sure if that is the correct way to do it either.


Hopefully some of that makes sense.
-Thanks
 
You want to apply the ACLs to the SVI (VLAN interface). And, for direction, think of the VLAN like a physical port.
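Added example, not from the thread or from Cisco: a router-on-a-stick layout for the poster's four VLANs that makes the implicit deny bite on every VLAN, not just on the path to 172.16.100.30. The 2621 is a router, so its "VLAN interfaces" are 802.1Q subinterfaces rather than switch SVIs; the subinterface names, gateway addresses and the `encapsulation dot1Q 1 native` form (IOS 12.1(3)T and later) are assumptions. Each subinterface gets its own inbound ACL, so "in" means "packets arriving from that VLAN". The ping from VLAN 20 to VLAN 30 succeeded in the original setup because the only ACL sat on VLAN 1's interface and that packet never crosses it.

```cisco
! Added example (not from the thread). Assumed: Fa0/0 is the trunk,
! 172.16.x.1 is the gateway in each VLAN, 172.16.100.30 is the server.
!
! VLAN 10 and VLAN 30 may reach the server and nothing else.
! The implicit "deny ip any any" is written out with "log" so
! "show ip access-lists" shows hit counts and dropped flows are logged
! (drop "log" on a busy link; logged packets are process-switched).
ip access-list extended VLAN10-IN
 permit ip 172.16.110.0 0.0.0.255 host 172.16.100.30
 deny   ip any any log
!
ip access-list extended VLAN30-IN
 permit ip 172.16.130.0 0.0.0.255 host 172.16.100.30
 deny   ip any any log
!
! VLAN 20 has no allowed destinations yet, so everything it sends
! to the router is dropped, including the ping to 172.16.130.10.
ip access-list extended VLAN20-IN
 deny   ip any any log
!
! VLAN 1 is the return path. Without this list the server's replies
! to VLAN 10 and VLAN 30 would be caught by an implicit deny too.
! "established" admits only TCP replies (ACK/RST set); echo-reply
! lets ping answers back; nothing else from VLAN 1 may originate.
ip access-list extended VLAN1-IN
 permit tcp  host 172.16.100.30 172.16.110.0 0.0.0.255 established
 permit tcp  host 172.16.100.30 172.16.130.0 0.0.0.255 established
 permit icmp host 172.16.100.30 172.16.110.0 0.0.0.255 echo-reply
 permit icmp host 172.16.100.30 172.16.130.0 0.0.0.255 echo-reply
 deny   ip any any log
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.16.100.1 255.255.255.0
 ip access-group VLAN1-IN in
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.16.110.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.16.120.1 255.255.255.0
 ip access-group VLAN20-IN in
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 172.16.130.1 255.255.255.0
 ip access-group VLAN30-IN in
```

To check it, ping 172.16.130.10 from the VLAN 20 host (it should now time out), then run `show ip access-lists` on the router: the VLAN20-IN deny line's match counter increments, and the permit lines on VLAN10-IN and VLAN1-IN increment when a VLAN 10 host talks to the server. Two caveats a practitioner should expect: an inbound ACL also filters packets addressed to the router itself, so hosts in a VLAN with no permit for their gateway cannot ping 172.16.x.1 either; and the `established` keyword only covers TCP, so UDP services on the server (DNS, for example) need explicit return-path entries on VLAN1-IN or a reflexive ACL.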
 