New Member

SG300 intervlan routing - ACL help

I set up an SG300-52P switch in layer 3 mode.

I have 3 vlans (10,20,30) and ports assigned to every vlan.

Each host can ping its own gateway (depending the vlan).

I want to permit some traffic from a VLAN to a specific host (server) on another VLAN. I tried with an ACL but can't get it to work.

Can anybody help me how to do this?

thanks a lot.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: SG300 intervlan routing - ACL help

Hi Ruy,

My ACL is very restrictive.

ip access-list extended Restrict_FTP
permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0
exit

It only permits the 192.168.10.0 network to get to the host 192.168.20.10.

Maybe there should also be (in red):

ip access-list extended Restrict_FTP
permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any
exit

I have to admit I prefer using the GUI to produce my ACE entries. The table it creates shows how the ACL is going to work and, importantly, in what order.

  • The switch goes through the ACE entries in order from top to bottom, as seen in the GUI.
  • The ACL that is attached to an interface pattern-matches incoming packets (coming into the switch).
  • ACE entries use inverse masking, which can be confusing. Maybe the following tech note may be useful for understanding the inverse masking:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

regards dave

6 REPLIES

Re: SG300 intervlan routing - ACL help

Hi Ray,

There is a lot of stuff here on the community on ACLs and the 300 series.

It may be interesting to use the search option, but here is a link that may help you:

https://supportforums.cisco.com/thread/2136493?tstart=0

regards dave

New Member

SG300 intervlan routing - ACL help

Dave, thanks for your reply. I read your post

https://supportforums.cisco.com/thread/2136493?tstart=0

and I have a couple of questions.

In your example you restricted a host to an FTP server. What if you want to allow the entire VLAN 10 to reach a single host in VLAN 20?

How would you do it, and to which interface do you have to bind that ACL?

Thanks a lot.

Ruy

Re: SG300 intervlan routing - ACL help

Hi Ruy

Assume the VLAN 10 network is 192.168.10.x.

Assume that the host in VLAN 20 is 192.168.20.10.

ip access-list extended Restrict_FTP
permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0
exit

There is an implicit, unseen command to deny all traffic at the end of the filter list above.

Since the switch filters packets on ingress into the switch, I would apply the ACL to the switch ports where I would see packets from the 192.168.10.x network coming into the switch.

interface gigabitethernet8
service-acl input Restrict_FTP
exit

New Member

Re: SG300 intervlan routing - ACL help

David, thanks a lot for your help. I'm going to try it.

In your example, if I have 30 ports on VLAN 10 (192.168.10.x), should I apply this filter port by port?

Is there a CLI command to apply the filter to the whole VLAN?

In the other example (restricted FTP) from your first link, what does the 20-21 at the end mean?

deny tcp 192.168.10.106 0.0.0.0 any 192.168.10.101 0.0.0.0 20-21

thank you very much!

Ruy

New Member

Re: SG300 intervlan routing - ACL help

David, forget my last question (20-21); I didn't think about it. 20-21 are the FTP ports. Sorry about that.

I tried the ACL you wrote in red and it doesn't work. I have no communication between VLAN 10 and that host. I think there is something wrong with some other part of the configuration.
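To make the points in this thread concrete (top-to-bottom ACE order, inverse masks, the unseen deny at the end of the list, and the 20-21 port range), here is an added Python model of the evaluation, written for this page and not taken from the thread, the switch firmware or Cisco documentation. It parses the ACEs as posted above, with the final catch-all written as `permit ip any any`, plus a constructed `permit ip any any` after the FTP deny so that list does not drop everything; the sample packets are constructed as well. Within this model both of Dave's lists permit 192.168.10.x to reach 192.168.20.10, while the one-line list also drops VLAN 10 traffic to anything else (VLAN 30 included) that enters the bound port, and the three-line list lets that traffic through. It checks ACE logic only, not where the ACL is bound or what the return path from the server sees.

```python
# Added example (not the switch's code, not from this thread): a model of how the
# SG300 evaluates an IP ACL as the thread describes it -- ACEs tried top to bottom,
# first match wins, inverse (wildcard) masks, implicit deny after the last ACE.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                         # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every IP protocol
    src: str
    src_wild: str                      # inverse mask: a 1 bit means "don't care"
    dst: str
    dst_wild: str
    sports: Optional[Tuple[int, int]] = None   # inclusive range, None = any port
    dports: Optional[Tuple[int, int]] = None


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Compare only the bits where the wildcard is 0:
    0.0.0.0 = one host, 0.0.0.255 = a /24, 255.255.255.255 = any."""
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(toks):
    # 'any' or '<address> <wildcard>' -> (address, wildcard), remaining tokens
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    return (toks[0], toks[1]), toks[2:]


def _take_ports(toks):
    # 'any', 'N', 'N-M' or nothing -> inclusive range or None, remaining tokens
    if not toks or toks[0] == "any":
        return None, toks[1:]
    lo, _, hi = toks[0].partition("-")
    return (int(lo), int(hi or lo)), toks[1:]


def parse_ace(line: str) -> ACE:
    """Parse one ACE in the CLI form used in the thread; tcp/udp ACEs carry a
    source-port field and an optional destination-port field."""
    action, proto, *rest = line.split()
    (src, src_wild), rest = _take_addr(rest)
    sports, rest = _take_ports(rest) if proto in ("tcp", "udp") else (None, rest)
    (dst, dst_wild), rest = _take_addr(rest)
    dports, rest = _take_ports(rest) if proto in ("tcp", "udp") else (None, rest)
    return ACE(action, proto, src, src_wild, dst, dst_wild, sports, dports)


def _port_ok(rng, port) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE decides; a packet matching none hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, ace.src, ace.src_wild)
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wild)):
            continue
        if _port_ok(ace.sports, pkt.sport) and _port_ok(ace.dports, pkt.dport):
            return ace.action
    return "deny"                      # the implicit, unseen deny at the end of the list


# Dave's one-ACE list and his three-ACE "in red" list, as posted in the thread.
RESTRICTIVE = [parse_ace("permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0")]
WITH_FALLTHROUGH = [parse_ace(l) for l in (
    "permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0",
    "deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "permit ip any any",
)]
# The FTP ACE Ruy quoted; the trailing permit is a constructed completion so that
# only FTP (tcp 20-21) from that one host to that one server is dropped.
FTP_BLOCK = [parse_ace(l) for l in (
    "deny tcp 192.168.10.106 0.0.0.0 any 192.168.10.101 0.0.0.0 20-21",
    "permit ip any any",
)]


def demo() -> dict:
    """Constructed packets arriving on a VLAN 10 port; returns {label: decision}."""
    server = Packet("tcp", "192.168.10.5", "192.168.20.10", 40000, 80)
    other20 = Packet("tcp", "192.168.10.5", "192.168.20.11", 40000, 80)
    vlan30 = Packet("icmp", "192.168.10.5", "192.168.30.1")
    ftp = Packet("tcp", "192.168.10.106", "192.168.10.101", 50000, 21)
    ssh = Packet("tcp", "192.168.10.106", "192.168.10.101", 50000, 22)
    return {
        "restrictive: 10.5 -> 20.10": evaluate(RESTRICTIVE, server),
        "restrictive: 10.5 -> 30.1 (implicit deny)": evaluate(RESTRICTIVE, vlan30),
        "fallthrough: 10.5 -> 20.10": evaluate(WITH_FALLTHROUGH, server),
        "fallthrough: 10.5 -> 20.11": evaluate(WITH_FALLTHROUGH, other20),
        "fallthrough: 10.5 -> 30.1": evaluate(WITH_FALLTHROUGH, vlan30),
        "ftp block: 10.106 -> 10.101 tcp/21": evaluate(FTP_BLOCK, ftp),
        "ftp block: 10.106 -> 10.101 tcp/22": evaluate(FTP_BLOCK, ssh),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{decision:6} {label}")
```

Reordering the ACEs changes the outcome: put `permit ip any any` first and the deny below it never fires, which is the ordering point Dave makes about reading the GUI table top to bottom.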

