Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1335
Views
0
Helpful
3
Replies

SG300 IP ACL binding bug

Go to solution
Rommelbakje
Level 1
Level 1

‎11-22-2013 02:15 PM

Hello All,

Installing 2 SG300 switches (latest firmware) in a small network gave me the following challenge:

How can I bind an IP ACL to a VLAN instead of a physical port?

The situation:

- 1 central SG300-20 in layer 3 incuding trunk to L2 SG300-10.

- 1 remote SG300-10 in layer 2 including trunk to L3 SG300-20.

- Multiple VLANs on both switches including their SVI's on the L3 switch and InterVLAN routing on the L3 switch enabled.

- Would be nice if traffic between VLANs somehow could be restricted trough ACL's.

Problems of binding ACL's to ports instead of VLANs:

- Port membership regarding the different VLANs is very non-lineair, so use of "interface range" is not possible to 'mirror' the ACL administration to the VLAN administration. Shifting ports across VLANss creates an ACL-administration 'discomfort'.

- More important; What about the ports remote on the layer 2 switch (on the other side of the trunk)? How can I bind multiple ACL's on the L3 switch to the ports of the physical different L2 switch? InterVLAN traffic trough the trunk should also be restricted by the ACL's on the L3 SG300-20....

How can I accomplish this?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tom Watts
VIP Alumni
VIP Alumni

‎11-22-2013 02:49 PM

Hi Rommel

How can I bind an IP ACL to a VLAN instead of a physical port?

This is not supported at this time, the binding is for LAG and port only, not a virtual interface.

- Would be nice if traffic between VLANs somehow could be restricted trough ACL's.

The ACL works for ingress traffic only which can be descriminated by several different methods. Since a SVI is the the VLAN interface, you can discriminate the subnet or specific IP addresses contained within effectively making access rules for the VLAN even if it is not bound to the virtual interface.

- More important; What about the ports remote on the layer 2 switch (on  the other side of the trunk)? How can I bind multiple ACL's on the L3  switch to the ports of the physical different L2 switch? InterVLAN  traffic trough the trunk should also be restricted by the ACL's on the  L3 SG300-20..

The same VLAN traffic of a layer 2 device would be locally switched. For inter-VLAN communication the traffic would have to be sent to the routed interface. Since the traffic is restricted ingress only on the SX300 I do not see a complication as a connected layer 2 device request would be ingress to the Sx300 switch port.

The only thing I can determine from the post is that you may possible have one hell of a big ACL depending how restrictive you want to be with specific host connections. Just keep it under 512 ACE since that is what the switch supports.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Tom Watts
VIP Alumni
VIP Alumni

‎11-22-2013 02:49 PM

Hi Rommel

How can I bind an IP ACL to a VLAN instead of a physical port?

This is not supported at this time, the binding is for LAG and port only, not a virtual interface.

- Would be nice if traffic between VLANs somehow could be restricted trough ACL's.

The ACL works for ingress traffic only which can be descriminated by several different methods. Since a SVI is the the VLAN interface, you can discriminate the subnet or specific IP addresses contained within effectively making access rules for the VLAN even if it is not bound to the virtual interface.

- More important; What about the ports remote on the layer 2 switch (on  the other side of the trunk)? How can I bind multiple ACL's on the L3  switch to the ports of the physical different L2 switch? InterVLAN  traffic trough the trunk should also be restricted by the ACL's on the  L3 SG300-20..

The same VLAN traffic of a layer 2 device would be locally switched. For inter-VLAN communication the traffic would have to be sent to the routed interface. Since the traffic is restricted ingress only on the SX300 I do not see a complication as a connected layer 2 device request would be ingress to the Sx300 switch port.

The only thing I can determine from the post is that you may possible have one hell of a big ACL depending how restrictive you want to be with specific host connections. Just keep it under 512 ACE since that is what the switch supports.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
0 Helpful

Go to solution
Rommelbakje
Level 1
Level 1
In response to Tom Watts

‎11-24-2013 07:47 AM

Hello Tom,

Thank you for your response!

My question is almost answered:

-The ACL works for ingress traffic only which can be descriminated by several different methods. Since a SVI is the the VLAN interface, you can discriminate the subnet or specific IP addresses contained within effectively making access rules for the VLAN even if it is not bound to the virtual interface.

I’ve tested this; the problem is the IP ACL will only become active after it is bound to a LAG or port (and then will only apply to that specific port). Otherwise this would indeed be te answer! Would this be normal behaviour for the SG300 in Layer 3 mode? How can one force an ACL to be active, without binding it to a LAG or port?

-The same VLAN traffic of a layer 2 device would be locally switched. For inter-VLAN communication the traffic would have to be sent to the routed interface. Since the traffic is restricted ingress only on the SX300 I do not see a complication as a connected layer 2 device request would be ingress to the Sx300 switch port.

So binding the ACL to the L3 switch’s local trunk port would be sufficient to control access between all subnets trunked to the remote switch…

How about a request from a local port on the L3 switch to a port belonging to the remote L2 switch: that would be egress from the trunk’s point of view, and therefore would not be filtered by an ACL bound to the trunk port. Wich brings another problem along: If there are multiple ACL’s to be applied for the remote ports on the L2 switch, all these ACL’s must be bound to the trunk port. The switch only allows 1 ACL per port, while I use more ACL’s (one per subnet) to keep it “simple”.

Of course this last problem can be overcome by using the ACL’s without binding them. I'm not aware if this is possible and how to achieve this…

0 Helpful

Go to solution
Rommelbakje
Level 1
Level 1

‎11-25-2013 07:53 AM

Hi All,

I forgot to mention I was using 1.3.0.62, wich does not seem to be the latest at this moment. 1.3.5.58 just came available. This answeres my question, however I’m still curious if using ACL’s without binding them is possible with 1.3.0.62! 

Release notes 1.3.5.58 -> "Modified VLAN ACL such that an ACL can now be attached to a VLAN, and not only to port/LAG for Sx300 and Sx500."

0 Helpful
Customers Also Viewed These Support Documents