mmiller0
Beginner

Create multiple ACEs for the same destination

On an SG300 series switch in Layer 3 mode I am trying to limit traffic allowed from one VLAN to another. I am able to create ACLs and ACEs in the web UI. My switch is running the latest software available (1.4.8.6). I am able to create a single ACE for a single destination. The problem is if I want to create multiple ACEs for a single destination (i.e. UDP and TCP) I am getting errors in the web UI stating a rule already exists.

 

For example... I have a DNS server on a VLAN I want all clients to have access to. I need all my clients to access this host via UDP and TCP over port 53. I create a rule with priority 1, protocol UDP, Destination IP to my DNS server, mask to 0.0.0.0, and destination port to 53. This ACE is created. Now I try to create a second ACE, priority 2, protocol TCP, and all the other settings the same. When I click Apply I get an error stating "Entry already exists" and the ACE is not created.

 

Is this expected behavior for the SF300 / SG300 line? Has anyone else been able to create a similar rule?

Accepted Solutions
Seb Rupik
VIP Advisor

Hi there,

Have you tried creating it via the CLI?

!
ip access-list extended TEST
  permit udp any any host 10.10.10.1 53 ace-priority 1
  permit tcp any any host 10.10.10.1 53 ace-priority 2
!

Typing the above on my SG300 doesn't give any errors and both entries appear under sh access-list.

 

cheers,

Seb.
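As an added illustration (not code from the thread or from Cisco), the following Python script generates the same SG300 extended-ACL CLI shown in the reply from a list of allowed services: each ACE gets its own ace-priority in list order, destination hosts and subnets are rendered in the switch's "host X" / "network wildcard" form, and entries that differ in nothing (same protocol, destination and port) are flagged before anything is pasted into the switch. The ACL name TEST and the address 10.10.10.1 are taken from the reply; treating protocol, destination and port as the duplicate key is an assumption about what the UI considers "Entry already exists".

```python
# Added example, not from the original thread: build SG300 extended-ACL CLI
# lines with unique ace-priority values and detect duplicate ACEs up front.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    proto: str      # "tcp" or "udp"
    dst: str        # destination host ("10.10.10.1") or subnet ("10.20.0.0/16")
    dst_port: int


def dst_spec(dst):
    """Render a destination as the SG300 form: 'host A.B.C.D' or 'net wildcard'."""
    net = ipaddress.ip_network(dst, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    # SG300 ACLs take a wildcard (inverse) mask, e.g. 0.0.255.255 for a /16
    return f"{net.network_address} {net.hostmask}"


def find_duplicates(aces):
    """Return ACEs that repeat an earlier (proto, dst, port) tuple, in order.
    Assumption: this tuple is what the switch treats as an existing entry."""
    seen, dups = set(), []
    for ace in aces:
        key = (ace.proto, dst_spec(ace.dst), ace.dst_port)
        if key in seen:
            dups.append(ace)
        seen.add(key)
    return dups


def build_acl(name, aces):
    """Return the CLI lines for an extended ACL; refuse to emit duplicates."""
    dups = find_duplicates(aces)
    if dups:
        raise ValueError(f"Entry already exists: {dups}")
    lines = ["!", f"ip access-list extended {name}"]
    for prio, ace in enumerate(aces, start=1):
        # source any, source port any, then destination and destination port
        lines.append(f"  permit {ace.proto} any any {dst_spec(ace.dst)} "
                     f"{ace.dst_port} ace-priority {prio}")
    lines.append("!")
    return lines


def dns_both_transports(dns_host):
    """DNS needs UDP and TCP 53; the two ACEs differ only in protocol."""
    return [Ace("udp", dns_host, 53), Ace("tcp", dns_host, 53)]


if __name__ == "__main__":
    print("\n".join(build_acl("TEST", dns_both_transports("10.10.10.1"))))
```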
