Create multiple ACEs for the same destination

mmiller0
Level 1

On an SG300 series switch in Layer 3 mode I am trying to limit traffic allowed from one VLAN to another. I am able to create ACLs and ACEs in the web UI. My switch is running the latest software available (1.4.8.6). I am able to create a single ACE for a single destination. The problem is if I want to create multiple ACEs for a single destination (i.e. UDP and TCP) I am getting errors in the web UI stating a rule already exists.


For example... I have a DNS server on a VLAN I want all clients to have access to. I need all my clients to access this host via UDP and TCP over port 53. I create a rule with priority 1, protocol UDP, Destination IP to my DNS server, mask to 0.0.0.0, and destination port to 53. This ACE is created. Now I try to create a second ACE, priority 2, protocol TCP, and all the other settings the same. When I click Apply I get an error stating "Entry already exists" and the ACE is not created.


Is this expected behavior for the SF300 / SG300 line? Has anyone else been able to create a similar rule?

Accepted Solution

Seb Rupik
VIP Alumni

Hi there,

Have you tried creating it via the CLI?

!
! one extended ACL holding two ACEs for the same destination host and port,
! differing only in the IP protocol (UDP vs TCP)
ip access-list extended TEST
  ! source: any address, any port; destination: host 10.10.10.1, port 53
  permit udp any any host 10.10.10.1 53 ace-priority 1
  ! same destination and port, TCP instead of UDP, evaluated after the UDP entry
  permit tcp any any host 10.10.10.1 53 ace-priority 2
!

Typing the above on my SG300 doesn't give any errors and both entries appear under sh access-list.

 

cheers,

Seb.
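The accepted answer above shows the two-ACE configuration that the web UI refused. The following is an added example, not code from the original thread or from Cisco: it models an ACE as its match tuple (protocol, source, source port, destination, destination port), checks a candidate rule set for true duplicates before pushing it, and renders the same CLI lines the answer uses. The point it makes concrete is that UDP/53 and TCP/53 to the same host are distinct entries, while a second entry with the same protocol and ports is a real duplicate. The `Ace` class, the `find_duplicates`/`render_acl` helpers and the exact way a duplicate is reported are assumptions of this example; the address 10.10.10.1 and the `ace-priority` syntax come from the thread.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry, modelled on the SG300 extended-ACL line
    shape used in the thread (hypothetical model, not the switch's grammar)."""
    protocol: str        # "udp", "tcp", ...
    src: str             # "any" or "host a.b.c.d"
    src_port: str        # "any" or a port number
    dst: str             # "any" or "host a.b.c.d"
    dst_port: str        # "any" or a port number
    priority: int        # ace-priority: lower is evaluated first
    action: str = "permit"

    def match_key(self) -> Tuple[str, str, str, str, str]:
        # Two ACEs collide only if their match fields are identical;
        # priority and action are not part of what makes an entry unique.
        return (self.protocol, self.src, self.src_port, self.dst, self.dst_port)

    def to_cli(self) -> str:
        return (f"  {self.action} {self.protocol} {self.src} {self.src_port} "
                f"{self.dst} {self.dst_port} ace-priority {self.priority}")


def find_duplicates(aces: Iterable[Ace]) -> List[Tuple[Ace, Ace]]:
    """Return (existing, offending) pairs whose match tuples are identical."""
    seen = {}
    dups = []
    for ace in aces:
        key = ace.match_key()
        if key in seen:
            dups.append((seen[key], ace))
        else:
            seen[key] = ace
    return dups


def find_priority_clashes(aces: Iterable[Ace]) -> List[int]:
    """Priorities reused by more than one ACE (ordering would be ambiguous)."""
    counts = {}
    for ace in aces:
        counts[ace.priority] = counts.get(ace.priority, 0) + 1
    return sorted(p for p, n in counts.items() if n > 1)


def render_acl(name: str, aces: List[Ace]) -> str:
    """Render the ACL in the CLI form from the thread, refusing duplicate
    match tuples or reused priorities before anything reaches the switch."""
    dups = find_duplicates(aces)
    if dups:
        existing, offending = dups[0]
        raise ValueError(f"entry already exists: {offending.to_cli().strip()} "
                         f"duplicates priority {existing.priority}")
    clashes = find_priority_clashes(aces)
    if clashes:
        raise ValueError(f"ace-priority reused: {clashes}")
    lines = ["!", f"ip access-list extended {name}"]
    for ace in sorted(aces, key=lambda a: a.priority):
        lines.append(ace.to_cli())
    lines.append("!")
    return "\n".join(lines)


def dns_aces(dns_host: str) -> List[Ace]:
    """UDP and TCP on port 53 to one DNS host: same destination, two ACEs."""
    return [
        Ace("udp", "any", "any", f"host {dns_host}", "53", priority=1),
        Ace("tcp", "any", "any", f"host {dns_host}", "53", priority=2),
    ]


if __name__ == "__main__":
    rules = dns_aces("10.10.10.1")
    print(render_acl("TEST", rules))
    # A third UDP/53 entry to the same host is a genuine duplicate and is rejected.
    rules.append(Ace("udp", "any", "any", "host 10.10.10.1", "53", priority=3))
    try:
        render_acl("TEST", rules)
    except ValueError as err:
        print("rejected:", err)
```

Running the check locally before pasting into the CLI separates the two failure modes the thread conflates: a real duplicate (same protocol, addresses and ports) versus two entries that differ in protocol and are legitimately distinct.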
