cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

CISCO SWITCHES FOR SMALL and MEDIUM BUSINESS

Introducing the next generation of Cisco Small and Medium Business Switches. Cisco is refreshing its SMB Switch portfolio. Click here  to learn more.


729
Views
0
Helpful
9
Replies
Highlighted
Beginner

SF 300

                   i recently bought the sf 300-8 L3 switch and i noticed that the ACL rules are binded to ports and not vlans

but what is the point of defining vlans if the rules i make belong to ports?

if i have,lets say 20 ports to one vlan, i have to bind the same rule to 20 ports instead of binding them to vlan that the ports belong?

if the port is a trunk port and the acl is binded to the port and not to vlan the whole filtering is based only to the ip address and not to vlan?

i dont understand it,it is as if at L3 mode,building vlans is redundant and all the work is made with acls and ports

i thought that L3 switch is about interconnect vlans and not ports

is there something i havent understand?

Everyone's tags (3)
9 REPLIES 9
Advocate

SF 300

Hi DDD, the ACL is ingress only, the limitation would be to the physical port or channel group. The ACL also will not affect any egress traffic. In your scenario, you're correct, the ACL would be bound to 20 ports instead of a SVI.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
Beginner

SF 300

So,where the vlans come to use?do i gain something if i define vlans or just use acl with ports?

Advocate

SF 300

DDD, this depends on your needs. If you need to separate traffic like voice and video vs data then a vlan is very beneficial. Or a need to separate a large amount of hosts. If you just need to restrict a host from another host then a vlan or ACL will accomplish this.

Depending on the complexity of the task, if it's 1-2 hosts, then I'd just make a small ACL. If it were 100 hosts that shouldn't particularly communicate to a resource then I'd think a vlan is more prudent depending how your network can handle traffic.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
Beginner

SF 300

As i understand by default all vlans i make communicate with each other and the only way tha i have to define which vlan can communicate to which vlan is by defining acl and binding to the ports that are assigned to these vlans,is tha right?

Advocate

SF 300

DDD, no this is not correctly. In a layer 3 environment, a few requirements must be met;

  • Create the vlan

config t

vlan database

vlan 2

  • Assign an IP address to the vlan

config t

int vlan 1

ip address 192.168.1.254 /24

int vlan 2

ip address 192.168.2.254 /24

  • Associate a port to the vlan

config t

int gi2

switchport mode access

switchport access vlan 2

  • Connect a device to the port that has the IP address in the subnet of the vlan with the default gateway specified as the IP address of the vlan interface

HOST A

IP 192.168.1.10

MASK 255.255.255.0

GATEWAY 192.168.1.254

HOST B

IP 192.168.2.10

MASK 255.255.255.0

GATEWAY 192.168.2.254

With these steps in theory there should be intervlan communication provided things like firewalls or security software do not block things like ICMP. Once connected the way you want or as my example describes, you may make an access list something like

config t

ip access-list extended test

deny ip 192.168.2.10 0.0.0.0 192.168.1.0 0.0.0.255

permit ip any any

int gi2

service-acl input test

The example acl will stop 192.168.2.10 to access 192.168.1.0 network all together while permit any other traffic from the 192.168.2.10 host to access anything else with the assumption you're connecting the 192.168.2.10 host on port gi2 of the switch which would be a member of vlan 2.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
Beginner

SF 300

If i dont make the vlans and just make the acl rules that you wrote and give different networks to pc's like the ones that you made and then bind the rules to the ports that these pc's are,will it be different than the configuration you made?

Advocate

SF 300

DDD, there is another way which is not best practice. You can put 2 ip addresses on a single vlan interface.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
Beginner

SF 300

to your example

if i connect a dsl router on vlan 1 with ip 192.168.1.1  and a pc on vlan 2 with ip 192.168.2.1 

default gateway of pc would be  192.168.2.254

but dns ip of the pc would be 192.168.1.1 or 192.168.2.254?

and do i have to add a static route to the dsl router that says

the network 192.168.2.0    255.255.255.0  send it to 192.168.1.254    ?

Advocate

SF 300

Here is a working example-

https://supportforums.cisco.com/thread/2123434

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/