cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

ACE rules problem with SF-300

StaismanS
Beginner
Beginner

Ok i am having a problem with ACE rules.

I have 5 VLANs, I assign VLANs to its ports and make them all Untagged.

I created ACLs and a ACE rules for each ACL, and then assigned to the ports.

access_rules.jpg

So what i am trying to do is to deny access to from one port to other 4 ports and granted access to any other ports. But it is not working, without last rule "allow any any" it has no access to any ports, with the last rule it grants access to every port even to those I denied.

HELP what am I doing wrong? Router in Layer 3 mode, all VLANs have their IP's.

At some moment I was able to work it properly but without using any rules, I just tagged my untagged VLANs to those ports which I wanna get access to.

port_mng.png

As you can see I want allow ports GE1 - GE4 communicate with 1 to 24 ports but not to each other.

5 REPLIES 5

David Carr
Frequent Contributor
Frequent Contributor

Stanislav,

What is the end goal your looking for?

I see your configurations but I am uncertain as to what your looking to do.  If you just want people to not communicate with each other, you can create vlans and do access rules denying the traffic between the vlans or there is an option called protected ports, and with this you could leave them all in 1 vlan.  Then the devices you want to be isolated from each other make them in protected port mode.  You can find this under the port settings.  This isolates devices that are in protected port mode from anyone else in protected port mode.  They will still be able to access devices that are not in protected port mode with this setting.

Here is a better description of the protected port mode:

  • Protected Port —  Select to make this a protected port, which entails the following:
  • The Protected Ports feature provides Layer 2 isolation between  interfaces (Ethernet ports and Link Aggregation Groups (LAGs)) that  share the same Broadcast domain (VLAN) with other interfaces.

    Devices from protected ports are not allowed to communicate with each  other even when they are in the same VLAN.

    Packets received on a protected port are dropped when trying to egress  on any protected ports. Protected port filtering rules are also relevant  to packets that are forwarded by software, such as snooping  applications.

    Port protection is not subject to VLAN membership. For example, two  protected ports placed in the same VLAN are not able to communicate with  each other. Port protection enables you to define ports that are able  to send packets only to unprotected ports who will usually be the  uplinks and not to the other protected ports. Ports or LAGs can be  defined as protected or unprotected.

    StaismanS
    Beginner
    Beginner

    The goal is to put people into different VLANs and servers with WAN into its own VLAN1, then make all VLANs access to server VLAN1 and deny to each other.

    I dont understand why my rules is not working? How should I setup my VLANs to the ports as untagged or tagged?

    David Carr
    Frequent Contributor
    Frequent Contributor

    Stanislav,

    You have every port setup as a trunk port and member of all vlans except for the g1-2.

    If you only have one device plugging into the port, then you can make it an access port member of that vlan.

    StaismanS
    Beginner
    Beginner

    I am sorry but I dont understand, what should I do? Change port setup? Make all ports untagged? I am new with manageble switches.

    I have 5 VLANS,

    VLAN1 (default) - ports from 1 to 24  -  VLAN IP - 192.168.1.1

    VLAN2 - port 25 -  VLAN IP - 192.168.2.1

    VLAN3 - port 26 -  VLAN IP - 192.168.3.1

    VLAN4 - port 27 -  VLAN IP - 192.168.4.1

    VLAN5 - port 28 -  VLAN IP - 192.168.5.1

    My goal is to make VLANs from 2 to 5 accesseble to VLAN 1 but not to each other

    Right now All VLANs is untagged to their ports, no tagged ports at all (dont look on the pictures i posted before)

    Right now I can ping computers in VLAN2 from VLAN1 but I can't ping computer in VLAN1 from VLAN2 . But I can ping 192.168.1.1 from computer in VLAN2.

    *Note computers have default gateways same as their VLAN IPs

    That is far I could go so far...... Please help. ACE Rules I created (on the picture above) is not working I dont know why.

    StaismanS
    Beginner
    Beginner

    You have every port setup as a trunk port and member of all vlans except for the g1-2.

    If you only have one device plugging into the port, then you can make it an access port member of that vlan.


    Not only one device, I have other 4 switches connected to the port G1, G2, G3, G4, so these ports should be in the trunk mode if I uderstand right.

    Please help me!

    Getting Started

    Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: