Thanks Thomas for you answer. That is pretty much how I created the access list. My problem if I understand it correct is if I deny access from vlan3 in the vlan2 acls then I will have no access from vlan2 to vlan3 because the reply packages coming back from vlan3 will be filtered.

Thanks Salman for you answer too. What do you mean with "ACL in outbound" direction. What I understand is that the sg300 switch can only have ACL on the ingress traffic. So is there any possibility to see who started the ip conversation?

Thanks for your help

Andreas

Correct, there is not an inside or outside, the ACL is applied ingress only. The switch logging should show if traffic dropped per the ACL.

-Tom

Hello


Option 1 (Not sure if this would deny traffic both ways if so see option 2)
-----------

Access-list 100 permit ip 192.168.3.0 0.0.0.255 any
Access-list 101 permit ip any any

Vlan-access map TST 10
Match IP address 100
Action drop

Vlan-access map TST 20
Match IP address 101
Action forward

Vlan filter-list TST 20



Option 2 ( tcp traffic initiated from vlan 2 would allow return top traffic from vlan 3)
-----------
Ip access-list extended TST
Permit tcp 192.168.3.0 0.0.0.255 any established
deny tcp 192.168.3.0 0.0.0.255 any
permit ip any any

Int vlan 2
Ip access-group TST out

Res
Paul

Sent from Cisco Technical Support iPad App

hi Paul the commands you presented unfortunately do not apply to SG500 switches ...

do you have "the same" set of commands for SG500 series ?

hello
Whatabout option 2?

Res
Paul

Sent from Cisco Technical Support iPad App

what is "option 2" ?

Hello

Option 2 ( tcp traffic initiated from vlan 2 would allow return top traffic from vlan 3)
-----------
Ip access-list extended TST
Permit tcp 192.168.3.0 0.0.0.255 any established
deny tcp 192.168.3.0 0.0.0.255 any
permit ip any any

Int vlan 2
Ip access-group TST out



Sent from Cisco Technical Support iPad App

hi there, my misunderstanding.

both options do not work.

there is no command "ip access-group X out" for an interface

Hum, okay try this

Ip access-list extended TST

Permit tcp  192.168.3.0 0.0.0.255 any established

deny tcp 192.168.3.0 0.0.0.255 any

permit ip any any

int vlan 3

service-acl input TST

Please don't forget to rate any posts that have been helpful.

Thanks.

no luck.

SG500 does not recognize anything like "service-acl"

below set of availabe commands:

SG500(config-if)#service-acl

% Unrecognized command

SG500(config-if)#

  bridge               Bridge configuration commands

  do                   execute an EXEC-level command

  dot1x                dot1x protocol

  end                  Exit from configure mode

  exit                 Exit from current context

  help                 Description of the interactive help system

  ip                   Global IP configuration commands

  ipv6                 IPv6 commands

  name                 set vlan name

  no                   Negate command

  sntp                 Global Simple Network Time Protocol (SNTP)

                       configuration subcommands

SG500(config-if)#ip

  address              Set the IP address of an interface

  dhcp                 Configure DHCP services

  igmp                 Configure igmp interface.

  proxy-arp            Enable proxy ARP on interface

SG500(config-if)#do

  boot                 Boot Commands

  clear                Reset functions

  clock                Manage the system clock

  configure            Enter configuration mode

  copy                 Copy from one file to another

  crypto               Cryptographic commands

  debug-mode           Exit from the EXEC to debug mode

  delete               Delete a file from the flash file system

  dir                  Display the list of files on the flash file system

  disable              Disable privileged commands

  dot1x                802.1x EXEC commands

  exit                 Exit from the EXEC

  green-ethernet       Green ethernet commands

  help                 Description of the interactive help system

  ip                   Global IP configuration commands

  login                Exit from the EXEC and Log in

  macro                Ports macros

  menu                 Enter into Menu-CLI

  more                 Display a file

  no                   Negate command

  ping                 Send echo messages.

  reload               Halt and perform a cold restart

  rename               Rename a file

SG500(config-if)#