Cisco Support Community
Community Member

SG300-52 ACL questions

We have a customer who is replacing older Dell switches with Cisco SG300-52s.  On one of the SG's they'll need 6 ports reserved on a VLAN for public Internet IPs (the 100Base-T uplink to the data center's Cisco switch as well as multiple Cisco ASA's to go to different networks (production, development, etc...) and the rest on the first and all 52 on the 2nd will be par of their production LAN (the other LANs served by the ASAs have their own switches behind them.  On the ASAs we have ACLs to, for example, block port 25 to certain IPs (but allow it to their inbound MX servers).  Here's the question, I guess questions:

1) Do the SGs allow me to create ACLs to block say port 25 at the switch level before they even get to the ASA's; and

2) Assuming #1 is yes, do I even want to do that or should I let the ASA's do that since firewalling is really what they're good at.

The ASA's get hammered all day long with remote IPs attempting to get into port 25, especially on their "" IP, the question is it better to block it at the incoming switch or at the firewall?



Re: SG300-52 ACL questions

Hi Brian,

Good to hear from you again.

There are a couple of rules you should be aware of with ACL's and their ACE definitions.

  • ACLs enable network managers to define patterns (filter and actions) for ingress traffic.

  • Packets, entering the switch on a port or LAG with an active ACL, are either admitted or denied entry.

  • You can have different access-lists  bound to different ports.

  • A port can be either secured with ACLs or configured with advanced QoS policy, but not both.

  • There is a implicit deny entry at the end of a ACE list attached to a ACL.

see  admin guide   page 307 onwards for any clarification.

I think more  security is better than less, and access-lists in the switches offer wire speed filtering .  The only drawback on this is the extra management you have to perform to set it up and maintain the ACE entries..

But the  switch does allow for selectively adding a access list for INGRESS filtering of pattern matches of the ACE entries.

This I would think would affect your decision,  as the needed access list needed to be attached to the port coming in from your Cisco router.

Click on the picture below to see  a screen capture of most of  the ACE options available to you,  for packet permitting or denying.

I have told that ACE entry to deny TCP  traffic to a specific destination HOST address (note the reverse mask).

regards Dave

CreatePlease to create content