Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3147
Views
0
Helpful
2
Replies

Cisco SG500 Intervlan routing ACL

sydoveton
Level 1
Level 1

‎09-23-2013 07:18 AM

Hi,


I have a stack of SG500 switches that are in layer 3 mode.


There are 3 VLANS


100 = Data 192.168.1.0

200 = Phone 192.168.200.0

500 = Management 192.168.220.0


Each VLAN has an ip address and clients have their gateways set as the switches interface address. Intervlan is working and clients can ping across VLANS and access the internet.


I now want to apply some restrictions. For example I want to be able to apply rules such as:-


1) Any client on 100 or 200 can not access each other or Management

2) Management can access anything on ANY VLAN.

3) Clients on 100 can access host 192.168.200.100 on vlan 200 on port 443 only.


I have tried setting up an example ACL and ACE such as per attached screenshot and apply the ACL to all ports on the switch:-


  • ACL's
ACL's

When I do this the management can't ping anything. It seems that the 'deny' is blocking the replies etc.

Is this possible, if you how? Thanks in advance.

Labels:
0 Helpful
2 Replies 2

jeffrrod
Level 4
Level 4

‎09-25-2013 11:15 AM

Dear Sy,

Thank you for reaching the Small Business Support Community.

To permit/deny ICMP packets you would have to enter a new ACE for that particular protocol, and locate it as second ACE top to down.  Below is a document for IPv4 ACL setup where on step 6 you must select ICMP and on step 16 you can decide either "Any" ICMP packet or some in particular.

http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3025

I hope this helps and please let me know if there is anything else I may assist you with in the meantime.

Kind regards,

Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer

*Please rate the Post so other will know when an answer has been found.

Jeffrey Rodriguez S. .:|:.:|:. Cisco Customer Support Engineer *Please rate the Post so other will know when an answer has been found.
0 Helpful

Alexandr Matskevich
Level 1
Level 1
In response to jeffrrod

‎01-13-2016 10:22 AM

I have the similar issue. Could you look at my discussion?

https://supportforums.cisco.com/ru/discussion/12747561

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Switch products supported in this community
Cisco Business Product Family
  • CBS110
  • CBS220
  • CBS250
  • CBS350
Cisco Switching Product Family
  • 110
  • 200
  • 220
  • 250
  • 300
  • 350
  • 350X
  • 550X
Customers Also Viewed These Support Documents