

SG 300 series ACL


Where can I find more information about ACLs on the SG 300? I have read some articles about Cisco ACLs. Maybe there are examples or .....

The manual is very short about it.



I would also like more information regarding ACLs. Especially when using the web-based UI.

David Carr
Frequent Contributor

Hey guys,

Here is a screenshot of the GUI and setting up the ACL. It is quite easy: if you're blocking an IP address you can do that, and if you're blocking a protocol you can do that by selecting the protocol tab.

There is also an option to do MAC-based ACLs or IPv6 ones.

Ivor Diedricks
Cisco Employee

A document focusing on QoS in SG300 and IP phone deployment scenarios is posted in the documents section of this community site. It also shows how an ACL can be set up. The document can be downloaded here:

Hi Ivor

I had a look at the document referenced in your post above.

It seems a bit ambiguous to me. If the information is confusing to me, I guess others may be confused as well.

See page 7 of 10 of the referenced document.

I am concerned with the usage of for masking a specific IP host, or maybe I don't understand the context in which the mask is being used within QoS?

The 300 series switches incorporate a great built-in help manual. The help text within the switch for the section on ACEs mentions the following:

Source IP Wildcard Mask—Enter the mask to define a range of IP addresses. Note that this mask is different than in other uses, such as subnet mask. Here, setting a bit as 1 indicates don't care and 0 indicates to mask that value.

I think this masking is just about identical to the inverse mask I use on, say, a Catalyst 2960, where a 0 indicates that the address bits must be considered (exact match) and a 1 in the mask is a "don't care".

So, using that information, if I wish my PC to be excluded from accessing another specific IP host:

My source host IP = and I use a mask of to specify that this is a host-specific address.

My destination host IP = and I use a mask of to specify that this is a host-specific address.

So to put this into action:

Step 1. Create an ACL name.

Step 2. I have a few ACE entries attached to the ACL.

I have them in a specific order, as I know the switch runs through the ACE entries from top to bottom and exits at the first pattern match.

Deny access from MY PC to IP host at

Permit access from MY PC to IP host

Deny access to any other host in the range (circled in red below)

Deny access from MY PC to an IP host at

Permit all other traffic (otherwise the implicit (hidden) rule is to deny all at the end of an ACE list).

Step 3. Attach the ACL to my Gi3 interface, as MY PC is connected to that switch port.

The ACL will filter or pattern match on ingress of packets coming into the switch.

Ivor, am I way off here? Is the usage of ACLs in QoS treated differently?

Regards, Dave


You are correct. The wildcard mask in the doc is a typo - it should say instead. I have asked for a correction to be made and will post an updated document to the forum when it is done.
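The wildcard-mask semantics and top-down, first-match evaluation (with the hidden deny-all at the end) discussed in the two posts above, worked through in code. This is an added example, not part of the thread and not code from Cisco or the SG300: it is a small Python model of how an ACE list is evaluated. The addresses (MY PC as 192.168.1.10, the hosts in 192.168.1.0/24 and 10.0.0.5) are constructed stand-ins for the values omitted from Dave's post, and dave_acl() is a hypothetical helper that builds his five ACEs in the order he lists them.

```python
"""Model of SG300-style IP ACL evaluation: wildcard masks + first match + implicit deny.
Added example; addresses below are constructed, not from the original thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the address bit must equal the base address bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & MASK32  # bits that must match
    return (a & care) == (b & care)


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Invert a normal subnet mask to the equivalent wildcard (255.255.0.0 -> 0.0.255.255)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(subnet_mask)) ^ MASK32))


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Walk the ACEs top to bottom; the first ACE whose source and destination both
    match decides the packet. Returns (action, index). If nothing matches, the
    implicit deny-all applies, reported as ("deny", None)."""
    for i, ace in enumerate(acl):
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action, i
    return "deny", None


MY_PC = "192.168.1.10"  # constructed stand-in for Dave's PC address
HOST = "0.0.0.0"        # wildcard that pins every bit: a single host


def dave_acl() -> List[Ace]:
    """Hypothetical reconstruction of the five ACEs in Dave's post, in his order."""
    return [
        Ace("deny", MY_PC, HOST, "192.168.1.50", HOST),        # deny MY PC -> specific host
        Ace("permit", MY_PC, HOST, "192.168.1.60", HOST),      # permit MY PC -> specific host
        Ace("deny", MY_PC, HOST, "192.168.1.0", "0.0.0.255"),  # deny MY PC -> rest of the range
        Ace("deny", MY_PC, HOST, "10.0.0.5", HOST),            # deny MY PC -> another host
        Ace("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),  # permit any any
    ]


def misordered_acl() -> List[Ace]:
    """Same ACEs with the range deny moved above the host permit: the permit is
    shadowed and can never be hit, which is why the order in step 2 matters."""
    acl = dave_acl()
    acl[1], acl[2] = acl[2], acl[1]
    return acl


if __name__ == "__main__":
    for dst in ("192.168.1.50", "192.168.1.60", "192.168.1.70", "10.0.0.5", "8.8.8.8"):
        print(MY_PC, "->", dst, evaluate(dave_acl(), MY_PC, dst))
    print("without the final permit-all:", evaluate(dave_acl()[:-1], "192.168.1.99", "8.8.8.8"))
    print("shadowed permit:", evaluate(misordered_acl(), MY_PC, "192.168.1.60"))
    print("175.175.x.x as a wildcard:", subnet_to_wildcard("255.255.0.0"))
```

Running it shows the host 192.168.1.60 permitted by ACE 2 only while that ACE sits above the range deny; swap the two and the permit is silently shadowed. Dropping the trailing permit-all makes every unmatched flow fall into the implicit deny, which is the behaviour Dave's step 2 is guarding against.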


Is it possible to post some examples?

Firstly, please note that I did upload an updated document. Here's the link:

Here's an example of an ACL which accomplishes the following:

Defining an IP ACL with 4 ACEs:

Permit IP protocol flow with source IP of and destination IP of and DSCP of 34

Permit TCP flow with any IP (source and destination) with destination port 23 (Telnet)

Deny any UDP flow from network 175.175.x.x (use mask) to any destination and port

Deny, and disable the port, for UDP flow to destination

ip access-list IPACL
permit ip dscp 34
permit-tcp any any any 23
deny-udp any any any
deny-udp disable-port any any any

Defining a MAC ACL with 3 ACEs:

Permit MAC source 00:11:22:33:44:55 to MAC destination 00:99:88:77:66:55 with VLAN tag of 5 and CoS 4 and 5

Deny any traffic (any MAC) with VLAN tag of 10

Deny and disable port for source MAC 00:aa:bb:00:00:00 where only the first 3 bytes are checked

mac access-list MACACL
permit 00:11:22:33:44:55 00:00:00:00:00:00 00:99:88:77:66:55 00:00:00:00:00:00 vlan 5 cos 4 1
deny any any vlan 10
deny disable-port 00:aa:bb:00:00:00 00:00:00:ff:ff:ff any