11-28-2013 03:03 PM
On an SG300-28MP I have 4 VLANS and I want to isolate the guest wi-fi vlan using an acl but I'm not having any luck
SHOW VLAN
Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN
Vlan Name Ports Created by
---- ----------------- --------------------------- ----------------
1 1 gi1-10,gi22-25,gi27-28, D
Po1-8
25 AMX gi13-17,gi22-28 S
50 Guest-WiFi gi22-25 S
100 Cameras gi11-12,gi18-25,gi27-28 S
SG300-28MP#SHOW ACCESS-LISTS
Extended IP access list DENY-GUESTS-OUT
deny ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
permit ip any any
Extended IP access list DENY-GUESTS-IN
permit ip 192.168.188.0 255.255.255.0 host 192.168.185.1
deny ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
permit ip any any
Extended IP access list DENY-GUESTS-PORT
permit ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
permit ip any any
SG300-28MP#SHOW INTERFACES ACCESS-LISTS
Interface ACLs
--------- -----------------------
gi22 Ingress: DENY-GUESTS-PORT
gi23 Ingress: DENY-GUESTS-PORT
gi24 Ingress: DENY-GUESTS-PORT
vlan 1 Ingress: DENY-GUESTS-IN
vlan 25 Ingress: DENY-GUESTS-IN
vlan 50 Ingress: DENY-GUESTS-OUT
vlan 100 Ingress: DENY-GUESTS-IN
SG300-28MP#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static
S 0.0.0.0/0 [1/1] via 192.168.185.1, 07:57:21, vlan 1
C 192.168.185.0/24 is directly connected, vlan 1
C 192.168.186.0/24 is directly connected, vlan 25
C 192.168.187.0/24 is directly connected, vlan 100
C 192.168.188.0/24 is directly connected, vlan 50
SG300-28MP#SHOW IP INTERFACE
IP Address I/F I/F Status Type Directed Precedence Status
admin/oper Broadcast
------------------- ---------- ------------- ----------- ---------- ---------- -----------
192.168.185.254/24 vlan 1 UP/UP Static disable No Valid
192.168.186.254/24 vlan 25 UP/UP Static disable No Valid
192.168.187.254/24 vlan 100 UP/UP Static disable No Valid
192.168.188.254/24 vlan 50 UP/UP Static disable No Valid
SG300-28MP#
I've been using the web interface for config and after seeing the cli output of "SHOW INTERFACES ACCESS-LISTS" I see the ACLs are strictly ingress only so that solves some of my confusion. This "vlan 50 Ingress: DENY-GUESTS-OUT " is pointless since it's ingress only but I wasn't sure when I added it in.
I would think this config would work but if I open vlan 50 web interface and ping to a host in any other vlan it responds.
I do have an RV320 on a stick with routes to each vlan interface and I also have "inter vlan routing" enabled on all vlans. I've tried without this but I then can't launch the vlan management web page.
I'm working offsite so maybe it does work if I'm a client on the guest network since I have ACLs on gi 22-23, which are my wi-fi trunks, and I'm thinking that's where the ACLs should be, but I'd like to know why the other ACLs that are assigned to the vlans don't work and why I can ping from the web page when logged into VLAN 50's management interface. I haven't found any good youtube video on this subject and what is available is all IOS which is a bit different.
11-29-2013 08:13 AM
Hi Vinni, I have just broken myself from accessing my own switch using a host wildcard.
ip access-list extended test
deny ip 192.168.1.0 0.0.0.255 192.168.1.104 0.0.0.0
exit
!
interface vlan 1
service-acl input test
192.168.1.104 = my switch
192.168.1.x = my subnet
If you want to block a host address, make sure to use the 0.0.0.0 wildcard for the host.
-Tom
Please mark answered for helpful posts
11-29-2013 09:27 AM
Yeah that 255.255.255.0 was a mistake. I think I've made some sense of it all now.
1st, the RV320 just needs the routes for all vlans in advanced routing not "Intervlan routing" enabled in Port Management > VLAN membership to allow me to access through my vpn. That bothered me since that's what using L3 mode of the SG300 was for.
2nd, I had the idea in my head that inter-vlan flow would go from a source into its vlan and out through the "switch/router" and then into the dest vlan and then out of that vlan to its destination. Even though it's all under the same hood I thought there were logical segments in the flow. This flawed thinking would then give me an in and an out on each vlan in the path to place the ACL if both ins and outs were supported. Of course only ingress is supported, so I still was thinking the ACL could go on either vlan cuz in my head they both had "ins" in the flow's path.
I now believe that in regard to flow, vlans are nothing more than another port of the switch; it just isn't physically there and you can't physically connect to it, so flow can only go from the source into its vlan and then out the dest vlan to the destination. There's nothing flow-wise in between that would provide the "out" on the source vlan and the "in" on the dest vlan. This thinking then only allows me one place to put the ACL if only ingress ACLs are permitted.
Now the reason I wasn't seeing the ACLs work is because pinging from the vlan occurs after "ingress" from within the vlan, so only pinging from a host on the vlan would actually get filtered by an ACL ingress filter. I was able to test this theory on another vlan that had a host that could initiate pings.
SG300-28MP#show access-lists
Extended IP access list DENY-GUESTS-IN
deny ip 192.168.188.0 0.0.0.255 192.168.185.2 0.0.0.254
deny ip 192.168.188.0 0.0.0.255 192.168.186.0 0.0.1.255
permit ip any any
SG300-28MP#SHOW INTERFACES ACCESS-LISTS
Interface ACLs
--------- -----------------------
gi22 Ingress: DENY-GUESTS-IN
gi23 Ingress: DENY-GUESTS-IN
gi24 Ingress: DENY-GUESTS-IN
vlan 50 Ingress: DENY-GUESTS-IN
SG300-28MP#
I still have the ACLs on the interface ports that my wi-fi APs connect to. I saw on a youtube tutorial that said extended ACLs should go as close to the source as possible so is it better to put them on the wi-fi trunk ports and delete the vlan ACL or should I delete the port ACLs and just leave the vlan ACL? Could leave both but then the switch has to work harder.
My 1st deny allows only the gateway IP from my .188 vlan and the 2nd deny should block the .186 and .187 from .188. At least that's what I think that mask should do. Now for guest clients on the .188 (vlan 50) do I need to allow any ports to allow them access to the internet? I have no clients on that vlan to test from remotely to see if they can surf the internet without further permits.
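An added example, not from this thread or from Cisco, that evaluates the wildcard-mask ACEs quoted above (Tom's 0.0.0.0 host wildcard and the DENY-GUESTS-IN list) the way the switch does: a 0 bit in the wildcard must match, a 1 bit is don't-care. The ACL entries are re-typed here as constructed data, and the helper also lists which addresses a base/wildcard pair really covers, which is the check to run before trusting a mask like 0.0.0.254.

```python
import ipaddress

# Constructed copy of the final DENY-GUESTS-IN list from the thread (source, src-wildcard, dest, dst-wildcard).
DENY_GUESTS_IN = [
    ("deny",   "192.168.188.0", "0.0.0.255",       "192.168.185.2", "0.0.0.254"),
    ("deny",   "192.168.188.0", "0.0.0.255",       "192.168.186.0", "0.0.1.255"),
    ("permit", "0.0.0.0",       "255.255.255.255", "0.0.0.0",       "255.255.255.255"),  # permit ip any any
]


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits that are 0 in the wildcard must equal the base, 1 bits are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def evaluate(acl, src: str, dst: str):
    """Return (action, ace_index) of the first ACE matching src/dst; no match hits the implicit deny."""
    for i, (action, sb, sw, db, dw) in enumerate(acl):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, i
    return "deny", None


def covered_addresses(base: str, wildcard: str, network: str):
    """All addresses inside `network` that the base/wildcard pair matches (for auditing a mask)."""
    return [str(a) for a in ipaddress.IPv4Network(network) if wildcard_match(str(a), base, wildcard)]


if __name__ == "__main__":
    # 192.168.185.2 / 0.0.0.254 only pins the lowest bit of the last octet to 0, so it
    # covers every even address in 192.168.185.0/24 and leaves every odd one (including .1) unmatched.
    print(len(covered_addresses("192.168.185.2", "0.0.0.254", "192.168.185.0/24")), "addresses covered")
    for dst in ("192.168.185.1", "192.168.185.3", "192.168.185.254", "192.168.187.5", "8.8.8.8"):
        print(dst, evaluate(DENY_GUESTS_IN, "192.168.188.10", dst))
```

Run it against any ACE you are about to apply; if `covered_addresses` returns more than you expect, the wildcard is wider than intended.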