cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

CISCO SWITCHES FOR SMALL and MEDIUM BUSINESS

Introducing the next generation of Cisco Small and Medium Business Switches. Cisco is refreshing its SMB Switch portfolio. Click here  to learn more.


395
Views
0
Helpful
2
Replies
Filomena
Beginner

ACL to block L2 communication between hosts

Hi,

On the SG350, I thought I could apply some VACL or ip access-group, but these commands are not supported it seems !

The only way to bind an ACL to an interface is

service-acl input
# the output version is not supported it seems ! service-acl output

I use the SG350 with inter-VLAN routing enabled

I have a few VLANs setup, mainly a media VLAN 50.

- All devices in VLAN 50 should not communicate to any other VLAN

- All devices in VLAN 50 should be able to communicate to the DLNA server at 10.0.50.100

- All devices in VLAN 50 should not be able to communicate between them

 

I added the below ACL-ACE rules

config t

ip access-list extended "DLNA VLAN50"

# allow VLAN 50 Net to firewall gateway (DNS/DHCP), to VLAN 50 gateway (SG350 switch) and to brodcast IP (optional)
permit ip 10.0.50.0 0.0.0.255 10.0.50.1 0.0.0.0 ace-priority 10
permit ip 10.0.50.0 0.0.0.255 10.0.50.2 0.0.0.0 ace-priority 20
permit ip 10.0.50.0 0.0.0.255 10.0.50.255 0.0.0.0 ace-priority 25

# Permit gateways to talk back to VLAN 50
permit ip 10.0.50.1 0.0.0.0 10.0.50.0 0.0.0.255 ace-priority 30
permit ip 10.0.50.2 0.0.0.0 10.0.50.0 0.0.0.255 ace-priority 40

# Permit VLAN 50 clients to talk to the DLNA Server on port 8200 for DLNA
permit tcp 10.0.50.0 0.0.0.255 any 10.0.50.100 0.0.0.0 8200 ace-priority 60

# Permit DLNA Server to answer VLAN 50 clients requests but only from its ports TCP 8200 and UDP 1900
permit tcp 10.0.50.100 0.0.0.0 8200 10.0.50.0 0.0.0.255 any ace-priority 80
permit udp 10.0.50.100 0.0.0.0 1900 10.0.50.0 0.0.0.255 any ace-priority 100

# Deny any communication to local hosts
deny ip 10.0.50.0 0.0.0.255 10.0.0.0 0.255.255.255 ace-priority 120 log-input
deny ip 10.0.50.0 0.0.0.255 172.16.0.0 0.15.255.255 ace-priority 140 log-input
deny ip 10.0.50.0 0.0.0.255 192.168.0.0 0.0.255.255 ace-priority 160 log-input

exit

# Apply ACL to VLAN 50
interface vlan 50
service-acl input "DLNA VLAN50" default-action permit-any 
exit

Most things work as expected:

- internet access is preserved

- access to other VLANs is properly denied

- access to media DLNA server 10.0.50.100 is only allowed on the DLNA open ports

 

However: I can ping other VLAN 50 devices between them while they properly cannot ping the 10.0.50.100 media server or access its web server on port 80

 

After some reading, I think that the service-acl input command only applies to L3 and L2 communication between hosts is not reaching the routing interface.

 

- Q1: how come the 10.0.50.100 server is properly isolated from other clients on the VLAN when they try to ping it or access its web server on port 80 ?

- Q2: how can I properly block L2 communication inside VLAN 50 without applying ACL to a port (The VLAN 50 clients are connected to the switch through 2 physical ports but also through a tagged VLAN on a trunk port connected to a wifi AP)

- Q3: since the service-acl output command is not supported, is the isolation I did adequate or I must also add rules to deny "other VLANs to 10.0.50.0 0.0.0.255" ?

- Q4: on teh data sheet for 350 series, I read: "ACL can be applied on both ingress and egress sides". Why only "service-acl input" is allowed ?

 

Hope someone can help me writing the rules I need to achieve the above requierement 

Thank you

2 REPLIES 2
Filomena
Beginner


- Q1: how come the 10.0.50.100 server is properly isolated from other clients on the VLAN when they try to ping it or access its web server on port 80 ?


This one I figured out I think: the Media server is connected to an SG350X Switch which is trunked to the core SG350 switch doing the interVLAN routing. The other VLAN 50 clients are connected to the core Switch.

Please help for the other issues and proper ACLs

 

Well, it was the L2 layer communication on the Wifi AP trunk

Only devices connected by Wifi were talking to each other, not those wired

So the ACLs look to be working

I isolated the AP L2 on the AP software

 

Please give a feedback on my ACLs strategy above

 

Best regards