12-13-2019 10:11 PM - edited 12-13-2019 10:12 PM
Hi All,
Looking for any ideas on this issue I'm currently having. It is very similar to this issue here: https://community.cisco.com/t5/small-business-switches/help-me-to-create-ipv4-based-acls-for-vlans-using-gui/td-p/2645142
I thought I had the solution on hand, but when I implemented it I am still able to communicate between VLANs.
Here is my situation -
I'm running a SG350XG with multiple VLANS - no dhcp (static IP) / with a routing table to internet access
VLANS:
Vlan 1 - 172.16.16.0/24 - internet access
Vlan 10 - 10.10.1.0/24
Vlan 20 - 10.10.2.0/24
Vlan 30 - 10.10.3.0/24
Vlan 40 - 10.10.4.0/24
Etc
I have created an IPv4 ACL and set up a configuration similar to the one described in the previous post, but I am still able to communicate between VLANs. Unsure of what I'm doing wrong. I've even set a specific deny on all ports for a specific IP but can still ping it from another VLAN. I'm doing this all from the GUI, since I don't know the CLI.
12-14-2019 12:55 AM
As per my understanding of your example, you would like to deny the traffic between VLANs.
Example: VLAN 10 should not have access to VLAN 20.
Then the source of the ACL should be 10.10.1.0/24 and the destination 10.10.2.0/24.
If you like, you need to have the other direction also:
source of the ACL should be 10.10.2.0/24 and destination 10.10.1.0/24.
Not sure from what IP address you ping 10.10.3.13? If you ping from the same subnet, this will not block.
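A small evaluator, added here and not part of the thread or of Cisco's software, that applies the wildcard-mask and first-match rules from the reply above to the thread's own subnets. It shows why a single source-to-destination ACE leaves the reverse direction open, why a same-subnet ping is never affected, and how a subnet mask mistyped as a wildcard silently matches nothing. The ACL names, the packet addresses and the end-of-ACL default action are constructed assumptions.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def prefix_to_wildcard(prefix_len: int) -> str:
    """Turn a /24-style prefix into its wildcard, e.g. 24 -> 0.0.0.255."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


# ACE = (action, src_net, src_wildcard, dst_net, dst_wildcard); first match wins.
def evaluate(acl, src: str, dst: str, default: str = "deny") -> str:
    """Return the action of the first ACE matching src->dst, else the assumed default."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return default  # assumption: platform's implicit end-of-ACL action


# Constructed one-way ACL as in the thread: deny VLAN 10 -> VLAN 30, permit the rest.
MIX1 = [
    ("deny", "10.10.1.0", "0.0.0.255", "10.10.3.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Both directions, as the reply recommends ("the other direction also").
MIX_BOTH = [
    MIX1[0],
    ("deny", "10.10.3.0", "0.0.0.255", "10.10.1.0", "0.0.0.255"),
    MIX1[1],
]

# Constructed hosts matching the thread: 10.10.1.111 on VLAN 10, 10.10.3.13 on VLAN 30.
VLAN10_PC, VLAN30_PC, VLAN30_OTHER = "10.10.1.111", "10.10.3.13", "10.10.3.5"

if __name__ == "__main__":
    print("VLAN10->VLAN30 under MIX1:", evaluate(MIX1, VLAN10_PC, VLAN30_PC))
    print("VLAN30->VLAN10 under MIX1:", evaluate(MIX1, VLAN30_PC, VLAN10_PC))
    print("VLAN30->VLAN10 under MIX_BOTH:", evaluate(MIX_BOTH, VLAN30_PC, VLAN10_PC))
    print("same-subnet ping under MIX_BOTH:", evaluate(MIX_BOTH, VLAN30_OTHER, VLAN30_PC))
    # A subnet mask typed where a wildcard belongs only matches hosts ending in .0
    print("mask-as-wildcard matches .111?", wildcard_match(VLAN10_PC, "10.10.1.0", "255.255.255.0"))
```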
12-14-2019 08:06 AM
Thank you for taking the time to reply to my message. I made the modifications specific to this particular issue to test. VLAN 10 (IP 10.10.1.x) should be denied any communication to VLAN 30 (IP 10.10.3.x). It should be denied from any IP on that subnet if I did the wildcard correctly. I added a screenshot of a ping from the VLAN 10 subnet to the VLAN 30 subnet, but I am still able to communicate after adjusting the settings. In theory, the rule on this ACE should stop the source (bound to VLAN 10) from reaching the destination.
12-14-2019 08:57 AM
Hi,
To block the traffic from VLAN 10 to VLAN 30 (your last example) you should bind your "Mix1" ACL to VLAN 30, not VLAN 10. Can you please try and test via "ping" again?
Best regards,
Antonin
12-14-2019 02:25 PM
OK, so I bound the "Mix1" ACE to VLAN 30. Unfortunately, I was still able to ping the computer. Just to test things a little further, I created the vice versa for the Mix3 ACE and bound it to VLAN 10. In theory, this shuts both VLANs off from each other, but I am still able to ping machines from either VLAN. I have 1 machine on VLAN 30 (10.10.3.13) and 1 machine on VLAN 10 (10.10.1.111) for testing purposes. ** Just in case, I have saved all changes **
12-14-2019 09:13 AM
You need to understand that since the source is coming from VLAN 10, you need to block at VLAN 30, and vice versa.
Attach the rule to the correct VLAN and test.
12-14-2019 02:27 PM
Hi BB,
I've done the following:
OK, so I bound the "Mix1" ACE to VLAN 30. Unfortunately, I was still able to ping the computer. Just to test things a little further, I created the vice versa for the Mix3 ACE and bound it to VLAN 10. In theory, this shuts both VLANs off from each other, but I am still able to ping machines from either VLAN. I have 1 machine on VLAN 30 (10.10.3.13) and 1 machine on VLAN 10 (10.10.1.111) for testing purposes. ** Just in case, I have saved all changes **
12-15-2019 03:30 AM
Hi,
Thanks for the feedback. Can you please test the ACL by pinging from the VLAN 10 PC to the VLAN 30 PC? In general, ACLs do not apply to locally sourced traffic (i.e. traffic from the switch itself).
Best regards,
Antonin
12-15-2019 04:19 AM
Looks like something fishy here; your ACL seems to be OK to me. Just to confirm before I put some thought into this:
Can you post ipconfig output from the VLAN 10 and VLAN 30 PCs and post the ping output which was a success?
12-15-2019 07:40 AM
Thank you for checking back BB,
I'm offsite currently. I will test this in about 28 hours when I get onsite.
Billy