I am running the SGE2000 as my L3 core switch with multiple inter-VLANs.
I have a customer requirement that needs to restrict e.g. GUEST-VLAN10 to all other VLANs in the network.
Only allowing access to the internet.
It seems on the switch I am able to bind an ACL per port interface.
Please advise if this is possible on the SGE2000.
Hi J Vansen,
Yes it is possible.
Before you bind the ACL to the port interface, did you create an ACE and ACL?
Yes, it's possible with your SGE2000 because it is a Layer 3 switch. With the command “ip access-group (ACL-Name) in” you can block access to other VLANs.
For example, let's say you have 4 VLANs and a WAN connection.
Vlan10 192.168.10.0/24 (GUEST-VLAN10)
This is the configuration:
ip routing -->Enable routing features
vlan 10 -->Creates your Vlan10
ip access-list extended DenyVLAN-10 -->creates an ACL to deny the networks (VLAN's)
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 -->denies vlan 20
deny ip 192.168.10.0 0.0.0.255 18.104.22.168 0.255.255.255 -->denies vlan 30
deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.255.255 -->denies vlan 40
permit ip any any -->allows access to the internet
ip address 192.168.10.254 255.255.255.0
ip access-group DenyVLAN-10 in -->associate the ACL to VLAN10
ip address 192.168.20.254 255.255.255.0
ip address 22.214.171.124 255.0.0.0
ip address 192.168.40.254 255.255.0.0
If this answer was satisfactory for you, please mark the question as Answered.
Greetings, Johnnatan Rodriguez Miranda
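An added example, not part of the original answer or of Cisco's documentation: a small first-match evaluator for the ACL entries posted above, showing which destinations each entry covers for a guest host, including everything the 0.0.255.255 wildcard on the VLAN 40 entry matches. The sample addresses are constructed, and the implicit deny after the last entry is an assumption based on usual ACL behaviour.

```python
import ipaddress

# ACL entries copied from the answer above ("-->" annotations dropped).
ACL_TEXT = """\
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 18.104.22.168 0.255.255.255
deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.255.255
permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _spec(tokens):
    """Consume 'any' or 'addr wildcard' from an iterator; return (addr, wildcard)."""
    tok = next(tokens)
    if tok == "any":
        return 0, 0xFFFFFFFF
    return _ip(tok), _ip(next(tokens))

def parse_acl(text):
    """Parse '<action> ip <src> <dst>' entries (only protocol 'ip' is handled)."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        fields = line.split()
        rest = iter(fields[2:])  # skip action and protocol
        rules.append((fields[0], _spec(rest), _spec(rest), line))
    return rules

def _match(addr, rule_addr, wild):
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return ((addr ^ rule_addr) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, src, dst):
    """First matching entry wins; no match falls to the (assumed) implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, (sa, sw), (da, dw), text in rules:
        if _match(s, sa, sw) and _match(d, da, dw):
            return action, text
    return "deny", "(implicit deny)"

RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    guest = "192.168.10.50"  # constructed guest host in VLAN10
    for dst in ("192.168.20.5", "192.168.40.7", "192.168.99.1", "192.168.10.254", "8.8.8.8"):
        print(guest, "->", dst, evaluate(RULES, guest, dst))
```

Running it shows that the third entry matches every 192.168.x.x destination, so a guest host is also denied toward 192.168.10.254, its own gateway address, while 8.8.8.8 reaches the final permit.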
The new Sx300 and Sx500 have a supported CLI. I guess you can use the CLI on the newer product, but the CLI above looks pretty similar to the 300 series CLI.
I know I can restrict a guest network, as David Wagman suggested, via the GUI, creating an ACE and ACL and then binding the ACL to the physical interface. (The switch filters on ingress of the packets.)
The SxGE2000 does not have a supported CLI. But if you look at the flow of the CLI above, yep, the only drawback is, as I mentioned above, you add the access-list to an interface, not the VLAN.