Apply ACL to SVI to only allow certain IPs to access VLAN

I am new to Cisco and purchased three entry-level SG350X-48P switches. They are running v2.5.5.47 and the three switches have been successfully stacked. For now I am doing most of the config from the GUI and I am having trouble with ACL binding to a VLAN - it is just not working as I expect. Here is the test setup:

 

VLAN 1 (default)

VLAN 10 (will be used by clients)

VLAN 20 (will be used by servers)

VLAN 30 (will be used by finance servers)

 

I have already created an SVI for each VLAN, so all VLANs can communicate. Now I am trying to allow only the specific host 192.168.10.2 in VLAN 10 to access host 192.168.30.1 in VLAN 30 (and deny everything else). I create the ACL, ACE and ACL binding to the VLAN, which gives this config:

 

ip access-list extended "ALLOW IP TO VLAN 30"
permit ip 192.168.10.2 0.0.0.0 any ace-priority 1 log-input
exit

!
interface vlan 30
name "VLAN30"
ip address 192.168.30.254 255.255.255.0
service-acl input "ALLOW IP TO VLAN 30"
!

But this still allows communication from all VLANs into VLAN30, so what am I doing wrong?

 

Note: I have seen some users referring to configuring ACLs inbound/outbound to VLANs, but my config only allows me to apply input (not output) to the service-acl:

 

iel-it-lan-s123#configure

iel-it-lan-s123(config)#int vlan 30
iel-it-lan-s123(config-if)#service-acl
input Specify the input direction
iel-it-lan-s123(config-if)#

Accepted Solution

Richard Burts (Hall of Fame)

I do not have much experience with SG350 and so am dealing with general principles rather than with anything specific to this series of switches. I find it very odd that it forces the access list to be applied inbound. But if that is the case then I believe that the solution is to change the access list so that 192.168.30.x is the source and 192.168.10.2 is the destination. Instead of this

permit ip 192.168.10.2 0.0.0.0 any ace-priority 1 log-input

you might have something sort of like this

permit ip 192.168.30.1 0.0.0.0 192.168.10.2 0.0.0.0 ace-priority 1

This should enable communication between these 2 hosts. Note that 192.168.30.1 will not be able to communicate with anything else, and that no other device in 192.168.30.0 will be able to communicate with anything that is not in vlan 30.

HTH

Rick


Hi Rick,

 

Apologies for the delay, but yes, this solved my problem. It seems counter-intuitive to me, as the syntax for permit ip source/destination seems backward when bound to the VLAN.

 

At least it is working now, and if anyone else comes across this issue, here are the relevant sections of my config:

 

ip access-list extended "ALLOW IP TO VLAN 30"
permit ip 192.168.30.1 0.0.0.0 192.168.10.2 0.0.0.0 ace-priority 1 log-input
exit

 

!
interface vlan 30
name "VLAN30"
ip address 192.168.30.254 255.255.255.0
service-acl input "ALLOW IP TO VLAN 30"
!

Thanks for the update. I agree that the logic of source address/destination address can be a bit confusing when determining inbound or outbound for access lists. I find it helpful to think of it in this way. Inbound or outbound are relative to the switch on which you are configuring the access list. If you have vlan 30 with subnet of 192.168.30.0 then inbound is traffic from the locally connected subnet 192.168.30.0 (the source) coming into the switch on its way to somewhere else. And outbound is traffic from somewhere else going through the switch and out to the locally connected subnet 192.168.30.0. In is from the subnet in to the switch, and out is from the switch out to the connected subnet.

 

I am glad that my explanation has been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick
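The inbound/outbound rule Rick describes, and the consequences he warns about in the accepted solution, can be checked with a small model of how an inbound ACL on an SVI evaluates packets. This is an added example, not part of the thread or Cisco's own code. It parses the two ACE lines exactly as they appear above, applies standard Cisco wildcard-mask matching with an implicit "deny any" at the end of the list, and assumes that an ACL bound inbound on interface vlan 30 only sees packets that enter the switch from VLAN 30. The names Ace, parse_ace, evaluate, svi_inbound and flow, and the extra client 192.168.10.3 and server 192.168.20.1, are invented for the illustration; the model does not attempt to explain why the poster's first ACL appeared to permit everything.

```python
"""Model of an inbound ACL bound to an SVI (added example, not the thread's or Cisco's code).

Assumptions: Cisco wildcard-mask semantics (0 bits must match, 1 bits are
"don't care"), an implicit "deny any" at the end of every list, and that an
ACL applied inbound on "interface vlan 30" only sees packets entering the
switch *from* VLAN 30. All function names and sample hosts are invented here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    src: str
    src_wild: str      # wildcard mask for the source
    dst: str
    dst_wild: str      # wildcard mask for the destination


def _spec(tokens, i):
    """Consume one address spec ('any' or 'addr wildcard'); return (addr, wild, next_index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line):
    """Parse a 'permit ip <src spec> <dst spec> ...' line as written in the thread.
    Trailing options such as 'ace-priority 1 log-input' are ignored."""
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, src_wild, i = _spec(t, 2)
    dst, dst_wild, _ = _spec(t, i)
    return Ace(t[0], src, src_wild, dst, dst_wild)


def _matches(addr, base, wildcard):
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACE actually compares
    return (a & care) == (b & care)


def evaluate(acl, src, dst):
    """First matching ACE wins; a packet that matches no ACE hits the implicit deny."""
    for ace in acl:
        if _matches(src, ace.src, ace.src_wild) and _matches(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def svi_inbound(acl_by_vlan, ingress_vlan, src, dst):
    """Inbound ACL on an SVI: only packets entering the switch from that VLAN are checked."""
    acl = acl_by_vlan.get(ingress_vlan)
    return "permit" if acl is None else evaluate(acl, src, dst)


def flow(acl_by_vlan, client, client_vlan, server, server_vlan):
    """A client/server exchange needs both directions; returns (request, reply) verdicts."""
    request = svi_inbound(acl_by_vlan, client_vlan, client, server)
    reply = svi_inbound(acl_by_vlan, server_vlan, server, client)
    return request, reply


# The two ACEs from the thread, each bound inbound on interface vlan 30 only.
ORIGINAL = {30: [parse_ace("permit ip 192.168.10.2 0.0.0.0 any ace-priority 1 log-input")]}
CORRECTED = {30: [parse_ace("permit ip 192.168.30.1 0.0.0.0 192.168.10.2 0.0.0.0 ace-priority 1 log-input")]}

if __name__ == "__main__":
    # Original ACE: no packet leaving VLAN 30 has source 192.168.10.2, so nothing ever matches.
    print("original, reply 30.1->10.2:", svi_inbound(ORIGINAL, 30, "192.168.30.1", "192.168.10.2"))
    # Corrected ACE: the finance host's reply to the allowed client is permitted ...
    print("corrected, 10.2<->30.1:", flow(CORRECTED, "192.168.10.2", 10, "192.168.30.1", 30))
    # ... a second client's request still enters VLAN 30, but the reply is dropped ...
    print("corrected, 10.3<->30.1:", flow(CORRECTED, "192.168.10.3", 10, "192.168.30.1", 30))
    # ... and 192.168.30.1 cannot reach anything else, as Rick warns.
    print("corrected, 30.1->20.1:", svi_inbound(CORRECTED, 30, "192.168.30.1", "192.168.20.1"))
```

Two points the model makes visible: with only an inbound ACL on VLAN 30, a request from any client still reaches the finance host and is only stopped when its reply is dropped on the way back, so the block is effective but the server still sees the first packet; and the corrected ACE, because of the implicit deny, prevents every other VLAN 30 host from sending anything off its subnet, which is the caveat in the accepted solution.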