SG300 intervlan routing - ACL help

rdrisaldi
Level 1

I set up a switch SG300-52P in layer 3 mode.

I have 3 VLANs (10, 20, 30) and ports assigned to every VLAN.

Each host can ping its own gateway (depending on the VLAN).

I want to permit some traffic from a VLAN to a specific host (server) on another VLAN. I tried with an ACL but can't do it.

Can anybody help me with how to do this?

Thanks a lot.


10 Replies

David Hornstein
Level 7

Hi Ray,

There is a lot of stuff here on the community on ACLs and the 300 series.

It may be interesting to use the search option, but here is a link that may help you;

https://supportforums.cisco.com/thread/2136493?tstart=0

regards dave

Dave, thanks for your reply. I read your post

https://supportforums.cisco.com/thread/2136493?tstart=0

and I have a couple of questions.

In your example you restricted a host to an FTP server. What if you want to allow the entire VLAN 10 to a single host in VLAN 20?

How would you do it? And on which interface do you have to bind that ACL?

Thanks a lot.

Ruy

Hi Ruy

Assume the VLAN 10 network is 192.168.10.x

Assume that the host in VLAN 20 is 192.168.20.10

ip access-list extended Restrict_FTP
permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0
exit

There is an implicit but not seen command to deny all traffic at the end of the filter list above.

Since the switch filters packets on ingress into the switch, I would apply the ACL to the switch ports where I would see packets from the 192.168.10.x network coming into the switch.

interface gigabitethernet8
service-acl input Restrict_FTP
exit

David, thanks a lot for your help. I'm going to try it.

In your example, if I have 30 ports on VLAN 10 (192.168.10.x), should I apply this filter port by port?

Is there a CLI command to apply the filter to the whole VLAN?

In the other example (restricted FTP) from your first link, what does the 20-21 at the end mean?

deny tcp 192.168.10.106 0.0.0.0 any 192.168.10.101 0.0.0.0 20-21

Thank you very much!

Ruy

David, forget my last question (20-21); I didn't think about it. 20-21 are the FTP ports. Sorry about that.

I tried the ACL you wrote in red and it doesn't work. I have no communication between VLAN 10 and that host. I think there is something wrong with some other part of the configuration.

Hi Ruy,

My ACL is very restrictive.

ip access-list extended Restrict_FTP
permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0
exit

It only permits the 192.168.10.0 network to get to the host 192.168.20.10.

Maybe there should also be (in red);

ip access-list extended Restrict_FTP
permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any
exit

I have to admit I prefer using the GUI to produce my ACE entries. The table it creates shows how the ACL is going to work, and importantly in what order.

  • The switch goes through the ACE entries in order from top to bottom, as seen in the GUI.
  • The ACL that is attached to an interface pattern-matches incoming packets (coming into the switch).
  • ACE entries use inverse masking, which can be confusing. Maybe the following technote may be useful for understanding the inverse masking;

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

regards dave

bcoverstone
Level 1

I have found the Cisco SBS switches do not utilize wildcard masking properly. For example, I have the following access list. I highlighted one of the configuration lines:

SW1#show access-list TEST
Extended IP access list TEST
    permit  ip any 192.168.12.0 0.0.0.255 ace-priority 40
    deny    ip any 192.168.13.0 0.0.0.255 ace-priority 60
    deny    ip any 192.168.50.0 0.0.1.255 ace-priority 80
    permit  tcp any any any 443 ace-priority 100
    permit  tcp any any any www ace-priority 120
    deny    tcp any any 192.168.0.0 0.0.255.255 22-23 ace-priority 140
    deny    tcp any any 192.168.0.0 0.0.255.255 69 ace-priority 160
    deny    tcp any any 192.168.0.0 0.0.255.255 1433 ace-priority 180
    deny    tcp any any 192.168.0.0 0.0.255.255 3306 ace-priority 200
    permit  tcp any any 192.168.0.0 0.0.255.255 3389 ace-priority 220
    deny    udp any any 192.168.0.0 0.0.255.255 161-162 ace-priority 240
    deny    udp any any 192.168.0.0 0.0.255.255 1812-1813 ace-priority 260
    permit  ip any host 192.168.1.88 ace-priority 280
    deny    ip any 192.168.0.0 0.0.3.255 ace-priority 300
    permit  ip any any ace-priority 320
This line seems to allow access to port 81 at 192.168.0.11 but deny the port on 192.168.0.12.

 

Unless I'm missing something, there is a serious security issue with the SG line of switches.
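As an added reference model (not code from this thread or from Cisco), the following Python evaluates an extended ACL the way Dave's bullets describe: ACEs checked top to bottom, inverse (wildcard) masks, and the implicit deny at the end. It is loaded with the accepted solution's Restrict_FTP list and with three entries modelled on the list above, so the expected outcome for 192.168.0.11 and 192.168.0.12 under 192.168.0.0 0.0.3.255 can be compared with what a switch actually does; all test addresses are constructed.

```python
import ipaddress

def _ip(addr):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, network, wildcard):
    """Inverse-mask match: a 1 bit in the wildcard means 'don't care'."""
    if network == "any":
        return True
    care = 0xFFFFFFFF ^ _ip(wildcard)          # bits that must be equal
    return (_ip(addr) & care) == (_ip(network) & care)

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the ACEs top to bottom and return (action, ace) for the first match.
    Falling off the end returns ('deny', None): the implicit deny of every list."""
    for ace in acl:
        action, ace_proto, s_net, s_wc, d_net, d_wc, dports = ace
        if ace_proto != "ip" and ace_proto != proto:     # 'ip' covers any protocol
            continue
        if not (wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc)):
            continue
        if dports and (dport is None or not dports[0] <= dport <= dports[1]):
            continue
        return action, ace
    return "deny", None

# ACE tuple layout: (action, proto, src, src-wildcard, dst, dst-wildcard, dst-port range)
# The accepted solution's Restrict_FTP list.
RESTRICT_FTP = [
    ("permit", "ip", "192.168.10.0", "0.0.0.255", "192.168.20.10", "0.0.0.0",   None),
    ("deny",   "ip", "192.168.10.0", "0.0.0.255", "192.168.20.0",  "0.0.0.255", None),
    ("permit", "ip", "any",          None,        "any",           None,        None),
]

# Constructed subset of the TEST list above: the 0.0.3.255 entry must treat
# 192.168.0.11 and 192.168.0.12 identically (both fall in 192.168.0.0-192.168.3.255).
WILDCARD_CHECK = [
    ("deny",   "tcp", "any", None, "192.168.0.0", "0.0.255.255", (22, 23)),
    ("deny",   "ip",  "any", None, "192.168.0.0", "0.0.3.255",   None),
    ("permit", "ip",  "any", None, "any",         None,          None),
]

if __name__ == "__main__":
    print(evaluate(RESTRICT_FTP, "tcp", "192.168.10.5", "192.168.20.10", 21))
    print(evaluate(RESTRICT_FTP[:1], "icmp", "192.168.10.5", "192.168.30.7"))  # implicit deny
    for host in ("192.168.0.11", "192.168.0.12"):
        print(host, evaluate(WILDCARD_CHECK, "tcp", "10.0.0.1", host, 81))
```

Running the same packets against the physical switch and diffing the verdicts is a quick way to confirm whether an ACE is being matched as written.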

Well, this will need to be investigated closer, so please go ahead and open a case with the Small Business Support team so they can diagnose.

I worked with the support team and it is a confirmed bug.

The ID is CSCvj91570

For those with access, you can look it up and follow it here

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj91570

You rock!

My workaround was replacing our SG300s with a bunch of used C3560-X switches, which ended up costing about half as much as the SG300s did new...
