
Isolate devices within VLAN using ACL on Cisco SG350 switch

william.shillpz
Level 1

Hi,

 

I have a router-on-a-stick configuration. Pfsense acts as the main router and the SG350 Cisco switch is in L2 mode.

 

Everything works fine with the current configuration. The addition I want to make is to isolate all my guests coming from an Access Point in VLAN60, meaning I don't want them to see each other at all. I'm trying to set up the proper ACL rule through the web GUI, but when I enable it, none of the hosts within VLAN60 are able to obtain an IP address from the DHCP server on Pfsense.

 

My guess is that I'm either composing the rule wrong or my wildcard mask is completely off, cutting off all the traffic.

 

The VLAN60 has a static IP of 192.168.60.1/24

The DHCP pool range used for VLAN60 is 192.168.60.10 - 192.168.60.50

 

I have added screenshots of the configuration made in the web GUI. I would appreciate your help figuring out what I'm doing wrong.

 

Thanks

 

cisco-1.PNG

 

cisco-2.PNG

 

cisco-3.PNG

 

4 Replies

balaji.bandi
Hall of Fame

If this switch acts as Layer 2, and Pfsense acts as the FW and Layer 3, why not create an ACL rule on the FW so they cannot connect to each other?

 

Where is this IP configured:

 

The VLAN60 has a static IP of 192.168.60.1/24

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji.bandi,

 

I was under the impression the ACL was to be done at the switch layer, as it controls the traffic within the same VLAN (60 in this case). I'm far from being an expert on networking, so maybe the right way is to do this on Pfsense. That would be a firewall rule, I suppose?

 

The IP for VLAN60 (192.168.60.1/24) is configured on Pfsense, as a VLAN on the LAN (physical interface).

as it controls the traffic within the same VLAN (60 in this case)

Apologies, I was under the impression it was a different VLAN, so I suggested where Layer 3 was located.

If this is Layer 2 filtering within the same VLAN, it can be done on the switch itself.

 

Coming back to your config, are your source and destination the same IP address range?

What is your goal? You do not want any specific IP to contact any other specific IP in the same range?

 

Example: 192.168.60.10 to 192.168.60.100 (deny, rest allow?)

 

I have somewhat less hands-on experience with these models:

 

Check some of the configuration examples suggested here:

https://www.cisco.com/c/en/us/support/switches/350-series-managed-switches/products-configuration-examples-list.html

 

BB


My goal is to have all the devices in VLAN 60 isolated from each other. They are already able to reach out to the Internet, which is the only thing they need. I don't want any devices within VLAN 60 to see any other device in the VLAN.

 

The source address is within the range of 192.168.60.10 - 192.168.60.100. I was trying to isolate them by denying this address space from communicating with itself (you can see my attempt in the first picture I attached in my first post), but then DHCP and probably DNS stopped working for all the devices in VLAN60. This was not what I intended.
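As an added illustration (not code from this thread, from the poster, or from Cisco), here is a small Python model of how a Cisco-style ACL with wildcard masks evaluates packets, using the addresses from this thread. It shows two things a practitioner would want to check before binding such an ACL: that the wildcard pair 192.168.60.0 / 0.0.0.255 covers the whole .10-.100 range but also matches the pfSense gateway 192.168.60.1, and that an ACL containing only a deny entry drops everything else too, because every Cisco ACL ends with an implicit deny. The "as posted" ACL is my reading of the screenshots' description (a single deny of the guest range to itself), the sample flows and the "fixed" rule order are constructed assumptions, and 203.0.113.5 is an RFC 5737 documentation address standing in for any Internet host.

```python
import ipaddress

# One access control entry, in the order the SG350 GUI asks for it:
# action, source base, source wildcard, destination base, destination wildcard.
# Wildcard semantics are Cisco's: a 1 bit in the wildcard means "don't care".
ANY_BASE, ANY_WC = "0.0.0.0", "255.255.255.255"


def wildcard_match(addr, base, wildcard):
    """Cisco-style wildcard test: compare only the bits the wildcard leaves as 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def wildcard_for_cidr(cidr):
    """Turn 192.168.60.0/24 into the (base, wildcard) pair an ACE expects."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def covers_range(first, last, base, wildcard):
    """True if every address from first to last (inclusive) matches base/wildcard."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return all(wildcard_match(str(ipaddress.IPv4Address(i)), base, wildcard)
               for i in range(lo, hi + 1))


def evaluate(acl, src, dst):
    """First matching ACE wins; a packet matching no ACE hits the implicit deny."""
    for n, (action, sb, sw, db, dw) in enumerate(acl, start=1):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, n
    return "deny", None  # implicit deny at the end of every Cisco ACL


GUEST_NET = "192.168.60.0/24"
GATEWAY = "192.168.60.1"  # pfSense VLAN60 interface, from the thread
net_base, net_wc = wildcard_for_cidr(GUEST_NET)  # ('192.168.60.0', '0.0.0.255')

# The ACL as described in the thread (assumption): only a deny of the guest range to itself.
ACL_AS_POSTED = [
    ("deny", net_base, net_wc, net_base, net_wc),
]

# Hardened ordering (assumption): let traffic to and from the gateway through,
# block guest-to-guest inside the VLAN, then explicitly permit everything else.
ACL_FIXED = [
    ("permit", ANY_BASE, ANY_WC, GATEWAY, "0.0.0.0"),  # guests -> pfSense (DHCP renew, DNS, default route)
    ("permit", GATEWAY, "0.0.0.0", ANY_BASE, ANY_WC),  # pfSense -> guests (DHCP offer/ack, DNS replies)
    ("deny", net_base, net_wc, net_base, net_wc),      # guest -> guest inside VLAN60
    ("permit", ANY_BASE, ANY_WC, ANY_BASE, ANY_WC),    # everything else, e.g. DHCP discover, Internet
]

# Constructed sample flows as seen on the AP-facing switch port (src, dst).
SAMPLE_FLOWS = {
    "dhcp_discover": ("0.0.0.0", "255.255.255.255"),
    "dhcp_ack_unicast": (GATEWAY, "192.168.60.10"),
    "dns_query": ("192.168.60.10", GATEWAY),
    "internet": ("192.168.60.10", "203.0.113.5"),
    "guest_to_guest": ("192.168.60.10", "192.168.60.20"),
}


def run(acl):
    """Map each sample flow name to the action the ACL takes on it."""
    return {name: evaluate(acl, s, d)[0] for name, (s, d) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    print("range .10-.100 covered by", net_base, net_wc, ":",
          covers_range("192.168.60.10", "192.168.60.100", net_base, net_wc))
    print("gateway also matched by that wildcard:", wildcard_match(GATEWAY, net_base, net_wc))
    for label, acl in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        print(label, run(acl))
```

Running it shows that with only the deny entry every sample flow is dropped, including the DHCP discover (which matches no entry and falls through to the implicit deny) and the guest-to-gateway DNS query (which the deny itself catches, since .1 sits inside the /24). With the gateway permits first and an explicit permit-any last, only guest-to-guest traffic is denied. Two caveats apply on real hardware: the ACL has to be bound inbound on the port(s) the guest traffic actually enters, and wireless clients on the same access point exchange frames inside the AP without ever crossing the switch, so AP-side client isolation is still needed to fully separate them.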
