SA520 VLAN firewall rules

Sep 17th, 2010


I am new to the Cisco SMB Pro line and am setting up a basic config for an office. I have a SA520, ESW-520, and some AP541Ns. I am setting up multiple VLANs for security reasons for both private wired devices and also for public internet served wirelessly.

I see the option to make a VLAN not routable between others and that works perfectly for the public wireless. However, when looking at the firewall rules, I don't see any way to create firewall rules between VLANs. If I set up a separate VLAN and want to only open a few ports, or only to a few devices on another VLAN, there does not seem to be a way to do this. You have to select a zone, and VLANs are not listed here, only LAN, WAN, and DMZ. Also, you cannot even select LAN to LAN and set the rule up by IP address.

I have to imagine that I am missing something, because this seems like a big omission. I am using the most recent firmware, version 1.1.65.

rshao Mon, 09/27/2010 - 17:19

You are correct. SA500 doesn't support vlan firewall rules.

One possible way to achieve the blocking objective for some hosts is to move those hosts to another vlan and disable the inter-vlan routing for that vlan.

The hosts on that vlan can still go to the Internet but cannot reach the other vlans.

The "Inter-vlan routing" option is under LAN>Available VLANs.



Is it possible to define a zone for each VLAN?

For example, in "DHCP Reserved IPs (LAN)" all VLANs are listed as VLANid. It would be great to have it in the firewall part.

Being able to apply rules between VLANs looks obvious to me; I do not understand why it is not possible here.

I am currently using the last firmware that is "1.1.65" now.

Is it possible to enable this possibility in the next firmware?

Do you know when the next one will be out?

Thank you.

Best regards,


PS: A trick over ssh would be a workaround but ssh is also unavailable. (I do not know a trick)

rshao Tue, 10/19/2010 - 15:31

Hi Farbrice,

Unfortunately, SA500 doesn't support the vlan firewall today.

