01-09-2011 04:31 AM
Hello,
Where can I find more information about ACLs concerning the SG 300? I have read some
articles about Cisco ACLs. Maybe there are examples or .....
The manual is very short about it.
thnx
04-20-2011 05:05 PM
I would also like more information regarding ACLs. Especially when using the web-based UI.
04-22-2011 12:22 PM
Hey guys,
Here is a screen shot of the GUI and setting up the ACL. It is quite easy: if you're blocking an IP address you can do that, and if you're blocking a protocol then you can do that by selecting the protocol tab.
There is also an option to do MAC-based ACLs or IPv6 ones.
04-22-2011 10:34 PM
A document focusing on QoS in SG300 and IP phone deployment scenarios is posted in the documents section of this community site. It also shows how an ACL can be set up. The document can be downloaded here:
04-23-2011 12:25 AM
Hi Ivor
I had a look at the document referred to in your post above.
It seems a bit ambiguous to me. If the information is confusing to me, I guess others may be confused as well.
See page 7 of 10 of the document referred to above.
I am concerned with the usage of 255.255.255.255 for masking a specific IP host, or maybe I don't understand the context the 255.255.255.255 mask is being used within QoS?
The 300 series switches incorporate a great built-in help manual. The help text within the switch for the section on ACE mentions the following:
"Source IP Wildcard Mask—Enter the mask to define a range of IP addresses. Note that this mask is different than in other uses, such as subnet mask. Here, setting a bit as 1 indicates don't care and 0 indicates to mask that value."
I think this masking is just about identical to inverse mask I use on say a catalyst 2960, where a 0 indicates that the address bits must be considered (exact match); a 1 in the mask is a "don't care".
So, using that information, say I wish my PC to be excluded from accessing another specific IP host.
My source host IP = 192.168.20.102, and I use the mask 0.0.0.0 to specify that this is a host-specific address.
My destination host IP = 10.1.1.11, and I use the mask 0.0.0.0 to specify that this is a host-specific address.
So to put this into action:
Step 1. Create an ACL name.
Step 2. I have a few entries in my ACE list attached to the ACL.
I have them in a specific order, as I know the switch runs through the ACE entries from top to bottom, and if it finds a pattern match it exits at that point.
Deny access from MY PC to IP host at 10.1.1.14
Permit access from MY PC to IP host 4.2.2.1
Deny access to any other host in the 4.2.2.2-254 range (circled in red below)
Deny access from MY PC to an IP host at 192.168.20.61
Permit all other traffic (otherwise the implicit (hidden) rule is to deny all at the end of an ACE list).
Step 3. Attach the ACL to my Gi3 interface, as MY PC is connected to that switch port.
The ACL will filter or pattern match on ingress of packets coming into the switch.
Ivor, am I way off here? Is the usage of ACL in QoS treated differently?
Regards, Dave
04-25-2011 09:20 PM
Dave,
You are correct. The wildcard mask in the doc is a typo - it should say 0.0.0.0 instead. I have asked for a correction to be made and will post an updated document to the forum when it is done.
Ivor
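The wildcard-mask semantics Dave quotes from the switch help (0 bit = must match, 1 bit = don't care) and the top-down, first-match evaluation with an implicit deny at the end can be checked with a small simulator. The following is an added example written for this thread, not code from the switch or from any poster; it models Dave's ACE list with his addresses and shows why the 255.255.255.255 mask in the original document was a problem (a "host" entry with that mask matches every address). The `0.0.0.255` wildcard used for the 4.2.2.x deny is an assumption: a 4.2.2.2-254 range cannot be expressed as one wildcard entry, so the whole 4.2.2.0/24 is denied after the explicit 4.2.2.1 permit.

```python
import ipaddress

def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Cisco-style wildcard (inverse) mask comparison.

    A 0 bit in the wildcard means that bit of the packet address must equal
    the rule address; a 1 bit means "don't care".  0.0.0.0 therefore pins a
    single host, 255.255.255.255 matches any address at all.
    """
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (r & care)

def evaluate(aces, src: str, dst: str) -> str:
    """Walk the ACE list top to bottom; the first matching entry decides.

    If nothing matches, the switch's hidden final rule applies: deny.
    Each ACE is (action, src, src_wildcard, dst, dst_wildcard).
    """
    for action, s, sw, d, dw in aces:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"                   # implicit deny at the end of the list

# Dave's ACE list from the thread, in the order he gives it.  Addresses are
# the ones he posted; the 0.0.0.255 wildcard for 4.2.2.x is an assumption.
MY_PC = "192.168.20.102"
DAVE_ACES = [
    ("deny",   MY_PC,     "0.0.0.0", "10.1.1.14",     "0.0.0.0"),
    ("permit", MY_PC,     "0.0.0.0", "4.2.2.1",       "0.0.0.0"),
    ("deny",   MY_PC,     "0.0.0.0", "4.2.2.0",       "0.0.0.255"),
    ("deny",   MY_PC,     "0.0.0.0", "192.168.20.61", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# The typo'd version of a "host" entry: 255.255.255.255 as the wildcard.
# Because every bit is "don't care", it matches any destination, so a deny
# written this way would silently block all traffic from MY_PC.
TYPO_ACES = [
    ("deny",   MY_PC,     "0.0.0.0", "10.1.1.14",     "255.255.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    for dst in ("10.1.1.14", "4.2.2.1", "4.2.2.100", "192.168.20.61", "8.8.8.8"):
        print(f"{MY_PC} -> {dst}: correct list = {evaluate(DAVE_ACES, MY_PC, dst)}, "
              f"typo list = {evaluate(TYPO_ACES, MY_PC, dst)}")
```

Running it prints the verdict for each destination under both lists; with the correct masks only the intended hosts are denied, while the typo list denies every destination from MY_PC. Dropping the final "permit any any" entry from `DAVE_ACES` shows the implicit deny: traffic from any other PC, which none of the host-specific entries matches, is then dropped.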
05-29-2011 11:33 AM
Is it possible to post some examples?
05-31-2011 11:34 AM
Firstly, please note that I did upload an updated document. Here's the link:
https://supportforums.cisco.com/docs/DOC-16271
Here's an example of an ACL which accomplishes the following:
ip access-list IPACL
permit ip 176.176.100.100 0.0.0.0 176.176.1.1 0.0.0.0 dscp 34
permit tcp any any any 23
deny udp 175.175.1.1 0.0.255.255 any any any
deny udp disable-port any any 176.176.1.1 0.0.0.0 any