Cisco Support Community
Community Member

SG300 - ACL problem

I'm trying to setup an ACL on my SG300-20 to enable FTP and a few other protocols to a server, but I'm running data that returns on different ports (ie active FTP).

Below is a sample:


Extended IP access list Protocol_Restriction

    permit  tcp  any ftp any any


Now that works great to allow a connection, but with active ftp when the data tries to come back on a different port (I assume) it is just hung up as all other ports are denied.

I event tried allowing all ports to come back from the server:


Extended IP access list Protocol_Restriction

    permit  tcp  any ftp any any

    permit  ip any host


But that also didn't work seem to work.

I've played around with this in layer2 and layer3 to no avail.  I've also seen many tips on applying in and out to the various interfaces, but that doesn't seem to work.  Is that something that is only available on higher end switchers/firewalls?

Can anyone assist with this?


Everyone's tags (4)

Re: SG300 - ACL problem


There are a few rules to getting ACLs working.

  • ACL is made up of a number of ACE entries

  • ACE entries use REVERSE MASKING

  • There is an implicit (invisible) deny at the end of the ACE entries, so if you want to include all other traffic at the bottom of a ACE list you have to state with a ACE entry a  permit all any any, like i did in the example below.  I think you got trapped on this rule.

  • ACE entries are ordered in priority from low number  to high number. The ACE entries are executed in desending order starting from a lower number  and down the list as you see it on the GUI.

  • ACL need to be bound to a switch interface.

  • ACL listen for pattern matches on ingress of packets not on egress into a physical switch port.

.So imagine that a ACL is like a ear listening to packets coming into the switch from some other device or IP host.

A scenario to restrict the  FTP access of one host to One FTP server;

I wish to restrict one IP host ( on switch port 8,  from accessing a FTP server which is at IP address

I created a ACE list below as part of a ACL . (I really didn't need  the priority 20 entry )

The restricted Host is on switch port 8, so I would Bind the ACL to switch port 8 to listen for pattern matched within my ACE list

Here is the CLI it created , if you are interested;

ip access-list extended Restrict_FTP

deny tcp any 20-21

permit tcp any 20-21

permit ip any any


interface gigabitethernet8

service-acl input Restrict_FTP


Remember,  to save any  changes.

Hope this helps, but if not check the following community post.

regards Dave

CreatePlease to create content