Beginner

Trouble setting up ACL within Gui for SG350XG

Hi All,

Looking for any ideas on this issue I'm currently having. It is very similar to this issue here: https://community.cisco.com/t5/small-business-switches/help-me-to-create-ipv4-based-acls-for-vlans-using-gui/td-p/2645142


I thought I had the solution on hand, but when I implemented it I am still able to communicate between VLANs.

Here is my situation -

I'm running an SG350XG with multiple VLANs - no DHCP (static IPs), with a routing table for internet access.

VLANs:

Vlan 1   - 172.16.16.0/24   - internet access

Vlan 10 - 10.10.1.0/24

Vlan 20 - 10.10.2.0/24

Vlan 30 - 10.10.3.0/24

Vlan 40 - 10.10.4.0/24

Etc.

 

I have created an IPv4 ACL and set up a similar configuration to the one described in the previous post. But I am still able to communicate between VLANs. Unsure of what I'm doing wrong. I've even set a specific deny on all ports for a specific IP but can still ping it from another VLAN. I'm doing this all from the GUI, since I don't know the CLI.

Attachments: ACL Bindings Vlan.jpg, Mix 1 ace.jpg, Mix 3 ace.jpg, ping.jpg

 

VIP Advisor

Re: Trouble setting up ACL within Gui for SG350XG

As per my understanding of your example, you would like to deny the traffic between VLANs.

Example: VLAN 10 does not require access to VLAN 20.

Then the source of the ACL should be 10.10.1.0/24 and the destination 10.10.2.0/24.

If you like, you need to have the other direction also:

source of the ACL should be 10.10.2.0/24 and destination 10.10.1.0/24.

 

Not sure from what IP address you ping 10.10.3.13? If you ping from the same subnet, this will not be blocked.

 

BB
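To make the reply above concrete, here is a small added model (example code written for this thread, not Cisco's implementation and not from any poster) of how an IPv4 ACE with wildcard masks is matched against a packet. It assumes standard wildcard-mask semantics (a 1 bit means "don't care") and the usual implicit deny-all at the end of an ACL; the ACE definitions and host addresses are constructed from the thread (10.10.1.0/24 to 10.10.3.0/24, hosts 10.10.1.111 and 10.10.3.13). It deliberately does not model which VLAN the ACL is bound to, only which packets the ACEs match, which is enough to show the two points made here: a one-way deny does not catch the reverse direction, and a ping from within the same subnet never matches a cross-subnet ACE.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One IPv4 access-control entry: action plus source/destination address and wildcard."""
    action: str        # "permit" or "deny"
    src: str           # source network address, e.g. "10.10.1.0"
    src_wildcard: str  # wildcard mask, e.g. "0.0.0.255" (1 bits are ignored)
    dst: str
    dst_wildcard: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit where the wildcard bit is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits we actually compare
    return (a & care) == (b & care)


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """Walk the ACL top-down; first matching ACE wins.

    If nothing matches, return "deny": the implicit deny-all that ends an ACL
    (assumed here; it is why a 'permit any' is normally added after specific denies).
    """
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wildcard) and \
           wildcard_match(dst, ace.dst, ace.dst_wildcard):
            return ace.action
    return "deny"


# Constructed ACEs mirroring the thread: block VLAN 10 subnet -> VLAN 30 subnet.
DENY_10_TO_30 = Ace("deny", "10.10.1.0", "0.0.0.255", "10.10.3.0", "0.0.0.255")
DENY_30_TO_10 = Ace("deny", "10.10.3.0", "0.0.0.255", "10.10.1.0", "0.0.0.255")
PERMIT_ANY = Ace("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")

ONE_WAY_ACL = [DENY_10_TO_30, PERMIT_ANY]
BOTH_WAYS_ACL = [DENY_10_TO_30, DENY_30_TO_10, PERMIT_ANY]
DENY_ONLY_ACL = [DENY_10_TO_30]   # no trailing permit: everything else hits implicit deny


def ping_results() -> dict:
    """Evaluate the pings discussed in the thread against the three ACL variants."""
    return {
        # 10.10.1.111 -> 10.10.3.13 matches the deny ACE in every variant
        "one_way_10_to_30": evaluate(ONE_WAY_ACL, "10.10.1.111", "10.10.3.13"),
        # reverse direction is NOT caught by a one-way ACE (BB's second point)
        "one_way_30_to_10": evaluate(ONE_WAY_ACL, "10.10.3.13", "10.10.1.111"),
        # adding the reverse ACE closes that gap
        "both_ways_30_to_10": evaluate(BOTH_WAYS_ACL, "10.10.3.13", "10.10.1.111"),
        # same-subnet ping never matches a cross-subnet ACE (BB's first point)
        "same_subnet_30": evaluate(BOTH_WAYS_ACL, "10.10.3.5", "10.10.3.13"),
        # unrelated traffic falls through to the implicit deny when no permit-any exists
        "deny_only_20_to_40": evaluate(DENY_ONLY_ACL, "10.10.2.7", "10.10.4.9"),
    }


if __name__ == "__main__":
    for name, verdict in ping_results().items():
        print(f"{name}: {verdict}")
```

Run it and compare the verdicts: only the 10.10.1.x to 10.10.3.x ping is denied by the one-way ACL, the reverse ping is permitted until the second ACE is added, and the same-subnet ping is permitted regardless.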
Beginner

Re: Trouble setting up ACL within Gui for SG350XG

Thank you for taking the time to reply to my message. I made the modifications specific to this particular issue to test. VLAN 10 (IP 10.10.1.x) should be denied any communication to VLAN 30 (IP 10.10.3.x). It should be denied from any IP on that subnet if I did the wildcard correctly. I added a screenshot of a ping from the VLAN 10 subnet to the VLAN 30 subnet, but I am still able to communicate after adjusting the settings. In theory, the rule on this ACE should stop the source (bound to VLAN 10) from reaching the destination.

Attachments: Ping from Mix 1 to Mix3 cisco.jpg, Mix 1 source ACL to Mix 3 destination.jpg

Rising star

Re: Trouble setting up ACL within Gui for SG350XG

Hi,

To block the traffic from Vlan10 to Vlan30 (your last example) you should bind your "Mix1" ACL to Vlan30, not Vlan10. Can you please try and test via "ping" again?

Best regards,

Antonin

Beginner

Re: Trouble setting up ACL within Gui for SG350XG

OK, so I bound the "Mix1" ACE to VLAN 30. Unfortunately, I was still able to ping the computer. Just to test things a little further, I created the vice versa for the Mix3 ACE and bound it to VLAN 10. In theory, shutting both VLANs off from each other, but I am still able to ping machines from either VLAN. I have 1 machine on VLAN 30 - 10.10.3.13 and 1 machine on VLAN 10 - 10.10.1.111 for testing purposes. ** Just in case, I have saved all changes **

Attachments: mix1 ace.jpg, mix3 ace.jpg, Ping from Vlan 10 to 30.jpg, ping from Vlan 30 to 10.jpg, vlan binding.jpg

VIP Advisor

Re: Trouble setting up ACL within Gui for SG350XG

You need to understand that since the source is coming from VLAN 10, you need to block at VLAN 30, and vice versa.

Attach the rule to the correct VLAN and test.

 

BB
Beginner

Re: Trouble setting up ACL within Gui for SG350XG

Hi BB,

 

I've done the following:

OK, so I bound the "Mix1" ACE to VLAN 30. Unfortunately, I was still able to ping the computer. Just to test things a little further, I created the vice versa for the Mix3 ACE and bound it to VLAN 10. In theory, shutting both VLANs off from each other, but I am still able to ping machines from either VLAN. I have 1 machine on VLAN 30 - 10.10.3.13 and 1 machine on VLAN 10 - 10.10.1.111 for testing purposes. ** Just in case, I have saved all changes **

Attachments: mix1 ace.jpg, mix3 ace.jpg, Ping from Vlan 10 to 30.jpg, ping from Vlan 30 to 10.jpg, vlan binding.jpg

Rising star

Re: Trouble setting up ACL within Gui for SG350XG

Hi,

Thanks for the feedback. Can you please test the ACL by pinging from the VLAN 10 PC to the VLAN 30 PC? In general, for locally sourced traffic (i.e. from the switch itself) ACLs do not apply.

Best regards,

Antonin

VIP Advisor

Re: Trouble setting up ACL within Gui for SG350XG

Looks like something fishy here; your ACL seems to be OK to me. Just to confirm before I put some thought into this.

Can you post ipconfig from the VLAN 10 and VLAN 30 PCs and post the ping output which was a success?

 

BB
Beginner

Re: Trouble setting up ACL within Gui for SG350XG

Thank you for checking back BB,

I'm offsite currently. I will test this in about 28 hours when I get onsite.

 

Billy
