1 Reply Latest reply: Apr 1, 2011 9:15 AM by Keith Barker - CCIE RS/Security, CISSP RSS

    ip access-group in|out




      I have problems understanding ACL which is made for GUEST wifi users :


      interface Vlan112

      description wifi guests

      ip address

      ip access-group acl_lan_112_out out

      ip helper-address

      standby 112 ip



      ip access-list extended acl_lan_112_out

      permit ip host any (it's wlc)

      permit ip host any (domain controller)

      permit ip any host ( access point)

      deny   ip any log

      permit ip any any


      Cnfiguration is correct. Just I can understand, how it works.

      So only the traffic out is filtered by ACL.  Can't understand the line "deny   ip any log" . it does that guest users can't access anything internal. But what I understand if I look to this ACL: if  source is traffic is denied . So no internet? Because that ip is from wifi subnet. . I would write ACL "deny any" that says from any location deny to, but it's not correct, what I don't understand.