Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SVI ACLs?

       On an SG300-28MP I have 4 VLANS and I want to isolate the guest wi-fi vlan using an acl but I'm not having any luck

SHOW VLAN

Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN

Vlan       Name                   Ports               Created by   
---- ----------------- --------------------------- ----------------
1           1         gi1-10,gi22-25,gi27-28,            D        
                       Po1-8                                       
25         AMX              gi13-17,gi22-28              S        
50     Guest-WiFi               gi22-25                  S        
100       Cameras        gi11-12,gi18-25,gi27-28          S        

SG300-28MP#SHOW ACCESS-LISTS

Extended IP access list DENY-GUESTS-OUT
    deny    ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
    permit  ip any any
Extended IP access list DENY-GUESTS-IN
    permit  ip 192.168.188.0 255.255.255.0 host 192.168.185.1
    deny    ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
    permit  ip any any
Extended IP access list DENY-GUESTS-PORT
    permit  ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
    permit  ip any any

SG300-28MP#SHOW INTERFACES ACCESS-LISTS

Interface                  ACLs    
---------          -----------------------
gi22               Ingress: DENY-GUESTS-PORT   
gi23               Ingress: DENY-GUESTS-PORT   
gi24               Ingress: DENY-GUESTS-PORT   
vlan 1             Ingress: DENY-GUESTS-IN   
vlan 25            Ingress: DENY-GUESTS-IN   
vlan 50            Ingress: DENY-GUESTS-OUT   
vlan 100           Ingress: DENY-GUESTS-IN   

SG300-28MP#show ip route

Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static


S   0.0.0.0/0 [1/1] via 192.168.185.1, 07:57:21, vlan 1                   
C   192.168.185.0/24 is directly connected, vlan 1                        
C   192.168.186.0/24 is directly connected, vlan 25                       
C   192.168.187.0/24 is directly connected, vlan 100                      
C   192.168.188.0/24 is directly connected, vlan 50                       

SG300-28MP#SHOW IP INTERFACE


    IP Address         I/F      I/F Status      Type     Directed   Precedence   Status   
                                admin/oper               Broadcast                        
------------------- ---------- ------------- ----------- ---------- ---------- -----------
192.168.185.254/24  vlan 1     UP/UP         Static      disable    No         Valid      
192.168.186.254/24  vlan 25    UP/UP         Static      disable    No         Valid      
192.168.187.254/24  vlan 100   UP/UP         Static      disable    No         Valid      
192.168.188.254/24  vlan 50    UP/UP         Static      disable    No         Valid      

SG300-28MP#

        I've been using the web interface for config and after seeing the cli output of "SHOW INTERFACES ACCESS-LISTS" I see the ACLs are strictly ingress only so that solves some of my confusion.     This "vlan 50            Ingress: DENY-GUESTS-OUT  " is pointless since it's ingress only but I wasn't sure when I added it in. 

I would think this config would work but if I open vlan 50 web interface and ping to a host in any other vlan it responds. 

I do have an RV320 on a stick with routes to each vlan interface and I also have  "inter vlan routing" enabled on all vlans.  I've tried with out this but I then can't launch the vlan management web page.

I'm working offsite so may be it does work if I'm a client on the guest netowrk since I have ACLs on gi 22-23 which are my wi-fi trunks and I'm thinking that's where the ACLs should be but I'd like to know why the other ACLs don't that are assigned to the vlans and why I can ping from the web page when logged into VLAN 50's management interface.  I haven't found any good youtube video on this subject and what is available is all IOS which is a bit different.

2 REPLIES
Green

SVI ACLs?

Hi Vinni, I have just broke myself from accessing my own switch using a host wild card.

ip access-list extended test

deny ip 192.168.1.0 0.0.0.255 192.168.1.104 0.0.0.0

exit

!

interface vlan 1

service-acl input test

192.168.1.104 = my switch

192.168.1.x = my subnet

If you want to block host address, make sure to use 0.0.0.0 wild card for the host.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
New Member

SVI ACLs?

Yeah that 255.255.255.0 was a mistake.  I think I've made some sense of it all now. 

1st, the RV320 just needs the routes for all vlans in advanced routing not "Intervlan routing" enabled in Port Management > VLAN membership to allow me to access through my vpn. That bothered me since that's what using L3 mode of the SG300 was for.

2nd, I had the idea in my head that inter-vlan flow would go from a source into its vlan and out through the "switch/router" and then into the dest vlan and then out of that vlan to its destination.  Even though it's all under the same hood I thought there was logical segments in the flow.  This flawed thinking would then give me an in and an out on each vlan in the path to place the ACL if both in and outs were supported.  Of course only ingress is supported so I still was thinking the ACL could go on either vlan cuz in my head they both had "ins" in the flows path. 

I now believe that in regard to flow vlans are nothing more than another port of the switch, its just isn't physical there and you can't physically conect to it so flow can only go from the source into its vlan and then out the dest vlan to the destination, there's nothing flow wise in between that would provide the "out" on the source vlan and the "in" on the dest vlan.  This thinking then only allows me one palce to put the ACL if only ingress is ACLs are permitted.

Now the reason I wasn't seeing the ACLs work is because pinging from the vlan occurs after "ingress" from with in the vlan so only pinging from a host on the vlan would actually get filtered by an ACL ingress filter. I was able to test this theory on another vlan that had a host that could initiate pings.

SG300-28MP#show access-lists

Extended IP access list DENY-GUESTS-IN
    deny    ip 192.168.188.0 0.0.0.255 192.168.185.2 0.0.0.254
    deny    ip 192.168.188.0 0.0.0.255 192.168.186.0 0.0.1.255
    permit  ip any any
SG300-28MP#SHOW INTERFACES ACCESS-LISTS

Interface                  ACLs    
---------          -----------------------
gi22               Ingress: DENY-GUESTS-IN   
gi23               Ingress: DENY-GUESTS-IN   
gi24               Ingress: DENY-GUESTS-IN   
vlan 50            Ingress: DENY-GUESTS-IN   
SG300-28MP#

I still have the ACLs on the interface ports that my wi-fi APs connect to.  I saw on a youtube tutorial that said extended ACLs should go as close to the source as possible so is it better to put them on the wi-fi trunk ports and delete the vlan ACL or should I delete the port ACLs and just leave the vlan ACL?  Could leave both but then the switch has to work harder.

My 1st deny allows only the gateway IP from my .188 vlan and the 2nd deny should block the .186 and .187 from .188.  At least that's what I think that mask should do.  Now for guest clients on the .188 (vlan 50) do I need to allow any ports to allow them access to the internet?  I have no clients on that vlan to test from remotely to see if they can surf the internet with out further permits.

273
Views
0
Helpful
2
Replies
CreatePlease login to create content