Where can I find more information about ACLs concerning the SG 300? I have read some
articles about Cisco ACLs. Maybe there are examples or .....
The manual is very short about it
Here is a screenshot of the GUI and setting up the ACL. It is quite easy: if you're blocking an IP address you can do that, and if you're blocking a protocol you can do that by selecting the protocol tab.
There is also an option to do MAC-based ACLs or IPv6 ones.
A document focusing on QoS in SG300 and IP phone deployment scenarios is posted in the documents section of this community site. It also shows how an ACL can be set up. The document can be downloaded here:
I had a look at that referring document in your post above.
It seems a bit ambiguous to me. If the information is confusing to me, I guess others may be confused as well.
See page 7 of 10 of your referring document above.
I am concerned with the usage of 255.255.255.255 for masking a specific IP host, or maybe I don't understand the context the 255.255.255.255 mask is being used within QOS?
The 300 series switches incorporate a great built-in help manual. This help text within the switch for the section on ACE mentions the following:
Source IP Wildcard Mask—Enter the mask to define a range of IP addresses. Note that this mask is different than in other uses, such as subnet mask. Here, setting a bit as 1 indicates don't care and 0 indicates to mask that value
I think this masking is just about identical to inverse mask I use on say a catalyst 2960, where a 0 indicates that the address bits must be considered (exact match); a 1 in the mask is a "don't care".
So, using that information, if I wish my PC to be excluded from accessing another specific IP host:
My source host IP = 192.168.20.102, and I use a mask of 0.0.0.0 to specify this is a host-specific address.
My destination host IP = 10.1.1.11, and I use a mask of 0.0.0.0 to specify this is a host-specific address.
So to put this into action
Step 1. Create an ACL name.
Step 2. I have a few entries in my ACE attached to the ACL.
I have them in a specific order, as I know the switch runs through the ACE entries from top to bottom and, if it finds a pattern match, exits at that point.
Deny access from MY PC to IP host at 10.1.1.14
Permit access from MY PC to IP host 22.214.171.124
Deny access to any other host in the 126.96.36.199-254 range (circled in red below)
Deny access from MY PC to an IP host at 192.168.20.61
Permit all other traffic (otherwise the implicit (hidden) rule is to deny all at the end of an ACE list).
Step 3. Attach the ACL to my Gi3 interface as MY PC is connected to that switch port.
The ACL will filter or pattern match on ingress of packets coming into the switch.
Ivor, am I way off here? Is the usage of ACLs in QoS treated differently?
You are correct. The wildcard mask in the doc is a typo - it should say 0.0.0.0 instead. I have asked for a correction to be made and will post an updated document to the forum when it is done.
Firstly, please note that I did upload an updated document. Here's the link:
Here's an example of an ACL which accomplishes the following:
ip access-list extended IPACL
! permit IP from one host to another host (0.0.0.0 wildcard = exact host), only for DSCP 34
permit ip 188.8.131.52 0.0.0.0 184.108.40.206 0.0.0.0 dscp 34
! permit TCP from any source / any source port to any destination on port 23
permit tcp any any any 23
! deny UDP from the whole 220.127.0.0/16 range (0.0.255.255 wildcard) to any destination/port
deny udp 220.127.116.11 0.0.255.255 any any any
! deny UDP from anywhere to one host and shut down the ingress port when it matches
deny disable-port udp any any 18.104.22.168 0.0.0.0 any
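To make the two points of this thread concrete (the wildcard mask semantics from the help text, 0.0.0.0 = exact host versus 255.255.255.255 = any, and the top-to-bottom first-match walk with the implicit deny at the end of the ACE list from Step 2), here is an added Python model of how a switch evaluates an ACE list. It is example code written for this page, not code from the thread or from Cisco; the ACE list mirrors the order of the Step 2 entries with constructed host and range addresses (10.1.1.x and 192.168.20.61 as named in the thread), and mask_typo_effect shows what the 255.255.255.255 wildcard from the original document would have done.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse) mask: a 0 bit must match exactly, a 1 bit is don't-care.
    So 0.0.0.0 means "this exact host" and 255.255.255.255 means "any address"."""
    care_bits = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care_bits) == (_ip(base) & care_bits)


@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches every protocol; otherwise "tcp" / "udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None  # None == any destination port


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return (wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc))


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACE list top to bottom; the first match decides and the walk stops.
    Returns (action, index of the matching ACE); no match -> implicit deny (index None)."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None


ANY = ("0.0.0.0", "255.255.255.255")  # "any" written as address + wildcard
MY_PC = "192.168.20.102"

# Constructed ACE list in the same order as Step 2 of the thread (sample addresses).
STEP2_ACL = [
    ACE("deny",   "ip", MY_PC, "0.0.0.0", "10.1.1.14",     "0.0.0.0"),
    ACE("permit", "ip", MY_PC, "0.0.0.0", "10.1.1.11",     "0.0.0.0"),
    ACE("deny",   "ip", MY_PC, "0.0.0.0", "10.1.1.0",      "0.0.0.255"),  # rest of the range
    ACE("deny",   "ip", MY_PC, "0.0.0.0", "192.168.20.61", "0.0.0.0"),
    ACE("permit", "ip", *ANY, *ANY),                                      # explicit permit-all
]


def mask_typo_effect() -> Tuple[str, Optional[int]]:
    """With a 255.255.255.255 destination wildcard every destination bit is don't-care,
    so a 'host' deny matches any destination, including a host meant to be permitted."""
    typo_ace = ACE("deny", "ip", MY_PC, "0.0.0.0", "10.1.1.14", "255.255.255.255")
    return evaluate([typo_ace, ACE("permit", "ip", *ANY, *ANY)],
                    Packet("ip", MY_PC, "10.1.1.11"))


if __name__ == "__main__":
    for pkt in (Packet("ip", MY_PC, "10.1.1.14"), Packet("ip", MY_PC, "10.1.1.11"),
                Packet("ip", MY_PC, "10.1.1.50"), Packet("ip", "192.168.20.5", "10.1.1.14")):
        print(pkt.src, "->", pkt.dst, evaluate(STEP2_ACL, pkt))
    print("with the mask typo:", mask_typo_effect())
```

Swapping the range deny ahead of the host permit in STEP2_ACL makes 10.1.1.11 unreachable, which is why the order of the entries matters; dropping the final permit-all leaves every non-listed flow on the implicit deny.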