07-29-2012 01:23 PM - edited 03-07-2019 08:02 AM
Hello,
I have an SG300 switch working in layer 3 mode.
I configured 3 VLANs on the switch with different IPs:
Vlan 1: 192.168.1.1
Vlan 2: 192.168.2.1
Vlan 3: 192.168.3.1
Now I want to implement an ACL to permit VLAN 2 full access to VLAN 3, but I want to deny access from VLAN 3 to VLAN 2.
Is this possible and do you have an example?
Best regards
Andreas
Sent from Cisco Technical Support iPad App
07-29-2012 01:43 PM
Hi Andreas
Have you tried placing an ACL in the outbound direction under VLAN 3, which specifically denies the traffic from VLAN 3 (192.168.3.1) to VLAN 2 (192.168.2.1) but allows all other traffic?
Hope this will work.
Don't forget to rate if it's useful.
Regards
Salman Jamshed
07-29-2012 02:13 PM
Hi Andreas,
Log in to the UI of the switch.
Navigate to Access Control -> IPV4 Based ACL.
Create the access list with the name you want.
Navigate to Access Control -> IPV4 Based ACE.
Select the name of your ACL, then click ADD.
The priority is very important. I recommend doing it in increments of 10, so rule #1 priority = 10, rule #2 = 20, etc.
Action is to DENY
Protocol = ANY
Source IP: 192.168.3.0 0.0.0.255
Destination IP: 192.168.2.0 0.0.0.255
Save this
Create the second ACE rule:
Priority 20
Action PERMIT
Protocol = ANY
Source IP: Any
Destination: Any
Save
Lastly, you need to bind the ACL to a port.
Go to Access Control -> ACL Binding.
Choose a port, edit it, choose the IPV4 ACL, and apply it.
-Tom
08-03-2012 01:06 AM
Thanks Thomas for your answer. That is pretty much how I created the access list. My problem, if I understand it correctly, is that if I deny access from VLAN 3 in the VLAN 2 ACLs, then I will have no access from VLAN 2 to VLAN 3, because the reply packets coming back from VLAN 3 will be filtered.
Thanks Salman for your answer too. What do you mean by "ACL in outbound" direction? What I understand is that the SG300 switch can only have ACLs on the ingress traffic. So is there any possibility to see who started the IP conversation?
Thanks for your help
Andreas
08-03-2012 08:22 AM
Correct, there is no inside or outside; the ACL is applied ingress only. The switch logging should show if traffic was dropped per the ACL.
-Tom
05-11-2013 03:00 PM
Andreas, have you found the solution?
05-11-2013 06:06 PM
Hello
Option 1 (not sure if this would deny traffic both ways; if so, see option 2)
-----------
Access-list 100 permit ip 192.168.3.0 0.0.0.255 any
Access-list 101 permit ip any any
Vlan-access map TST 10
Match IP address 100
Action drop
Vlan-access map TST 20
Match IP address 101
Action forward
Vlan filter-list TST 20
Option 2 (TCP traffic initiated from VLAN 2 would allow return TCP traffic from VLAN 3)
-----------
Ip access-list extended TST
Permit tcp 192.168.3.0 0.0.0.255 any established
deny tcp 192.168.3.0 0.0.0.255 any
permit ip any any
Int vlan 2
Ip access-group TST out
Res
Paul
Sent from Cisco Technical Support iPad App
05-12-2013 01:40 AM
Hi Paul, the commands you presented unfortunately do not apply to SG500 switches ...
Do you have "the same" set of commands for the SG500 series?
05-12-2013 01:57 AM
hello
What about option 2?
Res
Paul
Sent from Cisco Technical Support iPad App
05-12-2013 01:59 AM
What is "option 2"?
05-12-2013 02:07 AM
Hello
Option 2 (TCP traffic initiated from VLAN 2 would allow return TCP traffic from VLAN 3)
-----------
Ip access-list extended TST
Permit tcp 192.168.3.0 0.0.0.255 any established
deny tcp 192.168.3.0 0.0.0.255 any
permit ip any any
Int vlan 2
Ip access-group TST out
Sent from Cisco Technical Support iPad App
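To make the stateless-ACL problem from the posts above concrete (Andreas's point that denying VLAN 3 also drops the reply packets, and Paul's option 2 with the established keyword), here is an added Python model of how a first-match ingress ACL evaluates traffic. It is a constructed simulation, not switch code or anything from the thread; it assumes the ACL is bound on the VLAN 3 side, that ACEs are checked lowest priority number first, and that "established" means a TCP segment with ACK or RST set.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of first-match ingress ACL evaluation (not switch code).
@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    ack: bool = False      # ACK/RST set: a reply segment, never the opening SYN
@dataclass
class Ace:
    priority: int
    action: str            # "permit" or "deny"
    proto: str             # "any" or "tcp"
    src: str               # "any" or "<network> <wildcard>", e.g. "192.168.3.0 0.0.0.255"
    dst: str
    established: bool = False   # match only TCP segments with ACK or RST set

def in_wildcard(addr: str, spec: str) -> bool:
    """Cisco wildcard match: 0 bits in the wildcard must be equal, 1 bits are ignored."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(net)) & care

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching ACE in priority order wins; no match -> implicit deny."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace.proto != "any" and ace.proto != pkt.proto:
            continue
        if ace.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        if in_wildcard(pkt.src, ace.src) and in_wildcard(pkt.dst, ace.dst):
            return ace.action
    return "deny"
# Tom's two ACEs, bound on the port(s) where VLAN 3 traffic enters the switch
TOM_ACL = [Ace(10, "deny", "any", "192.168.3.0 0.0.0.255", "192.168.2.0 0.0.0.255"),
           Ace(20, "permit", "any", "any", "any")]
# Paul's option 2, again as an ingress ACL on the VLAN 3 side
PAUL_ACL = [Ace(10, "permit", "tcp", "192.168.3.0 0.0.0.255", "any", established=True),
            Ace(20, "deny", "tcp", "192.168.3.0 0.0.0.255", "any"),
            Ace(30, "permit", "any", "any", "any")]
# Constructed sample traffic arriving from VLAN 3
SYN_FROM_VLAN3 = Packet("192.168.3.10", "192.168.2.10")               # VLAN 3 opening a session
REPLY_TO_VLAN2 = Packet("192.168.3.10", "192.168.2.10", ack=True)     # reply to a VLAN 2 client
UDP_FROM_VLAN3 = Packet("192.168.3.10", "192.168.2.10", proto="udp")
def decisions(acl: list) -> list:
    return [evaluate(acl, p) for p in (SYN_FROM_VLAN3, REPLY_TO_VLAN2, UDP_FROM_VLAN3)]
```

Tom's list drops the reply segment along with the SYN, which is exactly the symptom Andreas described, while Paul's list passes the reply but still denies the new SYN. Note that the established match only looks at flag bits (there is no session table), and because Paul's deny covers TCP only, UDP and ICMP from VLAN 3 still reach VLAN 2 through the final permit.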
05-12-2013 02:16 AM
Hi there, my misunderstanding.
Both options do not work.
There is no command "ip access-group X out" for an interface.
05-12-2013 03:29 AM
Hmm, okay, try this:
Ip access-list extended TST
Permit tcp 192.168.3.0 0.0.0.255 any established
deny tcp 192.168.3.0 0.0.0.255 any
permit ip any any
int vlan 3
service-acl input TST
Please don't forget to rate any posts that have been helpful.
Thanks.
05-12-2013 04:04 AM
No luck.
SG500 does not recognize anything like "service-acl".
Below is the set of available commands:
SG500(config-if)#service-acl
% Unrecognized command
SG500(config-if)#
bridge Bridge configuration commands
do execute an EXEC-level command
dot1x dot1x protocol
end Exit from configure mode
exit Exit from current context
help Description of the interactive help system
ip Global IP configuration commands
ipv6 IPv6 commands
name set vlan name
no Negate command
sntp Global Simple Network Time Protocol (SNTP) configuration subcommands
SG500(config-if)#ip
address Set the IP address of an interface
dhcp Configure DHCP services
igmp Configure igmp interface.
proxy-arp Enable proxy ARP on interface
SG500(config-if)#do
boot Boot Commands
clear Reset functions
clock Manage the system clock
configure Enter configuration mode
copy Copy from one file to another
crypto Cryptographic commands
debug-mode Exit from the EXEC to debug mode
delete Delete a file from the flash file system
dir Display the list of files on the flash file system
disable Disable privileged commands
dot1x 802.1x EXEC commands
exit Exit from the EXEC
green-ethernet Green ethernet commands
help Description of the interactive help system
ip Global IP configuration commands
login Exit from the EXEC and Log in
macro Ports macros
menu Enter into Menu-CLI
more Display a file
no Negate command
ping Send echo messages.
reload Halt and perform a cold restart
rename Rename a file
SG500(config-if)#
05-12-2013 04:14 AM
hello
I don't have access to CCO documentation to check the IOS commands for this switch.
Can you create the ACL? If so, you must be able to apply it to an interface.
res
paul
Sent from Cisco Technical Support Android App