On an SG300-28MP I have 4 VLANs and I want to isolate the guest wi-fi VLAN using an ACL, but I'm not having any luck.
Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN
Vlan       Name                Ports                        Created by
---- ----------------- --------------------------- ----------------
 1           1               gi1-10,gi22-25,gi27-28,       D
                             Po1-8
 25         AMX              gi13-17,gi22-28               S
 50      Guest-WiFi          gi22-25                       S
100       Cameras            gi11-12,gi18-25,gi27-28       S
Extended IP access list DENY-GUESTS-OUT
    deny ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
    permit ip any any
Extended IP access list DENY-GUESTS-IN
    permit ip 192.168.188.0 255.255.255.0 host 192.168.185.1
    deny ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
    permit ip any any
Extended IP access list DENY-GUESTS-PORT
    permit ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
    permit ip any any
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static

S   0.0.0.0/0 [1/1] via 192.168.185.1, 07:57:21, vlan 1
C   192.168.185.0/24 is directly connected, vlan 1
C   192.168.186.0/24 is directly connected, vlan 25
C   192.168.187.0/24 is directly connected, vlan 100
C   192.168.188.0/24 is directly connected, vlan 50
SG300-28MP#SHOW IP INTERFACE
IP Address          I/F        I/F Status    Type        Directed   Precedence  Status
                               admin/oper                Broadcast
------------------- ---------- ------------- ----------- ---------- ---------- -----------
192.168.185.254/24  vlan 1     UP/UP         Static      disable    No         Valid
192.168.186.254/24  vlan 25    UP/UP         Static      disable    No         Valid
192.168.187.254/24  vlan 100   UP/UP         Static      disable    No         Valid
192.168.188.254/24  vlan 50    UP/UP         Static      disable    No         Valid
I've been using the web interface for config, and after seeing the CLI output of "SHOW INTERFACES ACCESS-LISTS" I see the ACLs are strictly ingress only, so that solves some of my confusion. This "vlan 50 Ingress: DENY-GUESTS-OUT" is pointless since it's ingress only, but I wasn't sure when I added it in.
I would think this config would work, but if I open the VLAN 50 web interface and ping a host in any other VLAN, it responds.
I do have an RV320 on a stick with routes to each VLAN interface, and I also have "inter vlan routing" enabled on all VLANs. I've tried without this, but then I can't launch the VLAN management web page.
I'm working offsite, so maybe it does work if I'm a client on the guest network, since I have ACLs on gi22-23, which are my wi-fi trunks, and I'm thinking that's where the ACLs should be. But I'd like to know why the other ACLs that are assigned to the VLANs don't work, and why I can ping from the web page when logged into VLAN 50's management interface. I haven't found any good YouTube video on this subject, and what is available is all IOS, which is a bit different.
Yeah that 255.255.255.0 was a mistake. I think I've made some sense of it all now.
1st, the RV320 just needs the routes for all VLANs in Advanced Routing, not "Intervlan routing" enabled in Port Management > VLAN Membership, to allow me to access through my VPN. That bothered me, since that's what using L3 mode of the SG300 was for.
2nd, I had the idea in my head that inter-VLAN flow would go from a source into its VLAN and out through the "switch/router", then into the dest VLAN and then out of that VLAN to its destination. Even though it's all under the same hood, I thought there were logical segments in the flow. This flawed thinking would then give me an in and an out on each VLAN in the path to place the ACL, if both ins and outs were supported. Of course only ingress is supported, so I was still thinking the ACL could go on either VLAN because in my head they both had "ins" in the flow's path.
I now believe that in regard to flow, VLANs are nothing more than another port of the switch; it just isn't physically there and you can't physically connect to it, so flow can only go from the source into its VLAN and then out the dest VLAN to the destination. There's nothing, flow-wise, in between that would provide the "out" on the source VLAN and the "in" on the dest VLAN. This thinking then only allows me one place to put the ACL if only ingress ACLs are permitted.
Now the reason I wasn't seeing the ACLs work is because pinging from the VLAN occurs after "ingress" from within the VLAN, so only pinging from a host on the VLAN would actually get filtered by an ACL ingress filter. I was able to test this theory on another VLAN that had a host that could initiate pings.
Extended IP access list DENY-GUESTS-IN
    deny ip 192.168.188.0 0.0.0.255 192.168.185.2 0.0.0.254
    deny ip 192.168.188.0 0.0.0.255 192.168.186.0 0.0.1.255
    permit ip any any
SG300-28MP#SHOW INTERFACES ACCESS-LISTS
I still have the ACLs on the interface ports that my wi-fi APs connect to. I saw a YouTube tutorial that said extended ACLs should go as close to the source as possible, so is it better to put them on the wi-fi trunk ports and delete the VLAN ACL, or should I delete the port ACLs and just leave the VLAN ACL? I could leave both, but then the switch has to work harder.
My 1st deny allows only the gateway IP from my .188 VLAN, and the 2nd deny should block the .186 and .187 from .188. At least that's what I think that mask should do. Now for guest clients on the .188 (VLAN 50), do I need to allow any ports to allow them access to the internet? I have no clients on that VLAN to test from remotely to see if they can surf the internet without further permits.
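Because an ingress ACL on the SG300 is evaluated top to bottom with the first matching entry winning, and because a wildcard mask bit set to 1 means "don't care", it is worth checking exactly which addresses an entry covers before binding the ACL to a VLAN or port. The evaluator below is an added example written for this thread; it is not code from Cisco, from the SG300, or from the poster. It parses "ip" entries in the same form that "show access-lists" prints them (any, host X, or BASE WILDCARD), applies first-match semantics with the implicit deny that these switches add at the end of every ACL, and lists every address in a subnet that a given base/wildcard pair matches. The ACL text is the DENY-GUESTS-IN list from the follow-up post; the guest source 192.168.188.10 and the probe destinations are constructed for the demonstration.

```python
# Added example: evaluator for Cisco-style wildcard-mask ACLs (not Cisco's or
# the SG300's own code). First matching ACE wins; nothing matched means the
# implicit deny that ends every ACL on these switches.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # what "any" means in ACE syntax


def _u32(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard is don't-care,
    a 0 bit must equal the corresponding bit of the base address."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: Tuple[str, str]   # (base, wildcard)
    dst: Tuple[str, str]

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (wildcard_match(src_ip, *self.src)
                and wildcard_match(dst_ip, *self.dst))


def _take_spec(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec starting at tokens[i]:
    'any', 'host X', or 'BASE WILDCARD'. Returns the spec and next index."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse an 'ip' ACE as 'show access-lists' prints it."""
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _take_spec(t, 2)
    dst, _ = _take_spec(t, i)
    return Ace(action, src, dst)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.strip().splitlines() if line.strip()]


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    """Return 'permit' or 'deny' for one src/dst pair (first match wins)."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action
    return "deny"  # implicit deny at the end of the list


def hosts_matched(base: str, wildcard: str, network: str) -> List[str]:
    """Every address inside `network` that the (base, wildcard) pair covers."""
    net = ipaddress.IPv4Network(network)
    return [str(h) for h in net if wildcard_match(str(h), base, wildcard)]


# The DENY-GUESTS-IN list from the thread, as shown by 'show access-lists'.
DENY_GUESTS_IN = parse_acl("""
deny ip 192.168.188.0 0.0.0.255 192.168.185.2 0.0.0.254
deny ip 192.168.188.0 0.0.0.255 192.168.186.0 0.0.1.255
permit ip any any
""")

if __name__ == "__main__":
    # Constructed guest source; destinations are the thread's subnets plus
    # a public address standing in for "the internet".
    probes = [
        ("192.168.188.10", "192.168.185.1"),
        ("192.168.188.10", "192.168.185.2"),
        ("192.168.188.10", "192.168.185.3"),
        ("192.168.188.10", "192.168.187.20"),
        ("192.168.188.10", "8.8.8.8"),
    ]
    for s, d in probes:
        print(f"{s} -> {d}: {evaluate(DENY_GUESTS_IN, s, d)}")
    covered = hosts_matched("192.168.185.2", "0.0.0.254", "192.168.185.0/24")
    print(f"0.0.0.254 on 192.168.185.2 covers {len(covered)} of 256 addresses")
```

Running it shows what each mask really does: 0.0.1.255 on 192.168.186.0 covers both .186 and .187, while 0.0.0.254 on 192.168.185.2 fixes only the lowest bit of the last octet, so it covers the 128 even addresses in 192.168.185.0/24 and leaves every odd address (including .1) to the final permit. The same helper also shows why a subnet mask typed where a wildcard belongs misbehaves: 255.255.255.0 as a wildcard on 192.168.188.0 matches any address whose last octet is 0 and no ordinary host in that VLAN.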