cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

CISCO SWITCHES FOR SMALL and MEDIUM BUSINESS

Introducing the next generation of Cisco Small and Medium Business Switches. Cisco is refreshing its SMB Switch portfolio. Click here  to learn more.


12878
Views
0
Helpful
7
Replies
Highlighted
Beginner

SG 300 series ACL

Hello,

Where I can find more information about ACL concerning the SG 300. I have read some

articles about cisco acl. Maybe there are examples or .....

The manual is very short about it

thnx

Everyone's tags (1)
7 REPLIES 7
Highlighted
Beginner

Re: SG 300 series ACL

I would also like more information regarding ACLs. Especially when using the web-based UI.

Highlighted
Frequent Contributor

Re: SG 300 series ACL

Hey guys,

Here is a screen shot of the gui and setting up the acl.  It is quite easy, if your blocking an ip address you can do that, if your blocking an protocol then you can do that by selecting the protocol tab.

There is also an option to do mac-base acl's or ipv6 ones.

Highlighted
Cisco Employee

Re: SG 300 series ACL

A document focusing on QoS in SG300 and IP phone deployment scenarios is posted in the documents section of this community site. It also shows how an ACL can be set up. The document can be downloaded here:

https://supportforums.cisco.com/docs/DOC-16271

Highlighted
Rising star

Re: SG 300 series ACL

Hi Ivor

I had a look at that referring document in your post above.

It seems a bit ambiguous to me. If the information is confusing to me,  I guess others may be confused as well.

See page 7 of 10 of your referring document above..

I am concerned with the usage of  255.255.255.255 for masking a specific IP host, or maybe I don't understand the context the 255.255.255.255 mask is being used within QOS?

The  300 series switches incorporates a great  built in help manual.  This help text within the switch for the section on ACE mentions the following;

Source IP Wildcard Mask—Enter the mask to define a range of  IP addresses. Note that this mask is different than in other uses, such as  subnet mask. Here, setting a bit as 1 indicates don't care and 0 indicates to  mask that value

I think this masking is just about identical to inverse mask I use on say a catalyst 2960, where a  0 indicates that the address bits must be considered (exact match); a 1 in the mask is a "don't care".

So using that information,  if I wish a my PC  to be excluded from accessing another specific  IP  host.

My source host IP=192.168.20.102  and the use mask of  0.0.0.0  to specify this is a host specific address.

My destination host IP=10.1.1.11  and the use mask of  0.0.0.0  to specify this is a host specific address.

So to put this into action

Step 1 Create a ACL name

Step 2    I have a few entries in my ACE  attached to the ACL .

I have them a specific  orde,r as I know the switch runs through the ACE entries from top to bottom and if it finds a pattern match exits at that point.

Deny  access from MY PC to IP host at 10.1.1.14

Permit  access from MY PC to IP host 4.2.2.1

Deny  access to any other host in the 4.2.2.2-254  range  (circled in red below)

Deny access from MY PC to a IP host at 192.168.20.61

Permit all other traffic ( otherwise the implicit (hidden) rule is to deny all at the end of a ACE list..)

Step 3. Attach the ACL to my Gi3 interface as MY PC is connected to that switch port.

             The ACL will filter or pattern match  on ingress of packets coming into the switch.

Ivor, am I way off here is the usage of ACL in QOS treated differently.

regards Dave

Highlighted
Cisco Employee

Re: SG 300 series ACL

Dave,

You are correct. The wildcard mask in the doc is a typo - it should say 0.0.0.0 instead. I have asked for a correction to be made and will post an updated document to the forum when it is done.

Ivor

Highlighted
Beginner

Re: SG 300 series ACL

Is it possible tot post some examples

Highlighted
Cisco Employee

Re: SG 300 series ACL

Firstly, please note that I did upload an updated document. Here's the link:

https://supportforums.cisco.com/docs/DOC-16271

Here's an example of an ACL which accomplishes the following:

Defining an IP ACL with 4 ACEs:

Permit IP protocol flow source IP of 176.176.100.100 and  destination IP of 176.176.1.1  and DSCP of 34

Permit TCP flow with any IP (source and destination) with destination port 23 (Telnet)

Deny any UDP flow from network 175.175.x.x (use mask) to any destination and port

Deny and disable port for UDP flow to destination 176.176.1.1

ip access-list IPACL

permit ip 176.176.100.100  0.0.0.0 176.176.1.1  0.0.0.0 dscp 34

permit-tcp any any any  23

deny-udp 175.175.1.1  0.0.255.255 any any any

deny-udp disable-port any any 176.176.1.1  0.0.0.0 any


Defining a MAC ACL with 3 ACEs:

Permit MAC source 00:11:22:33:44:55 to MAC destination 00:99:88:77:66:55 with VLAN tag of 5 and cos 4 and and 5

Deny any traffic (any MAC) with VLAN tag of 10

Deny and disable port for source MAC 00:aa:bb:00:00:00 where only the first 3 bytes are checked

mac access-list MACACL
permit 00:11:22:33:44:55 00:00:00:00:00:00 00:99:88:77:66:55 00:00:00:00:00:00 vlan 5 cos 4 1
deny any any vlan 10
deny disable-port 00:aa:bb:00:00:00 00:00:00:ff:ff:ff any