cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

CISCO SWITCHES FOR SMALL and MEDIUM BUSINESS

Introducing the next generation of Cisco Small and Medium Business Switches. Cisco is refreshing its SMB Switch portfolio. Click here  to learn more.


4412
Views
0
Helpful
4
Replies
Networking2011
Beginner

SG300-10 ACL entry in layer3 mode

I'm setting up two vlans and I would like all of vlan 2 to only have access to the WAN router on vlan1 at 192.168.30.1.

VLAN1 192.168.30.x

VLAN2 192.168.31.x

I've setup the VLANS and static routes and I'm able to access the WAN router at 192.168.30.1 from the 192.168.31.x network and

everything is fine.

I'm getting an error setting up the IPv4 based ACL that is designed to allow the 192.168.31.x network access to only

the 192.168.30.1 WAN router.

The first rule I setup is to permit source 192.168.31.0 / 0.0.0.255 dest 192.168.30.0/0.0.0.255 to allow all traffic to from the 192.168.31.

net to access the 192.168.30.x net. Then I was going to deny the dest of 192.168.30.1-255 but I'm not sure of the wildcard to

use for that.

I'm not clear on the wildcards but I'm also getting the following error when I setup the first ACE rule:

"MIB Index is out of range.Index must be bigger then 0 and Existing ifindex.."

I suspect the error is related to how I'm using the wildcards?

4 REPLIES 4
David Hornstein
Rising star

I think i did want you wanted to achieve  on my SG300-10P 

I did prioritize my ACE entries from 1 to 3 as the ACL will go through the ACE entries from top to bottom.

I also included a small window with the CLI that was generated grom the GUI incase you wish to try the CLI approach..

I hope it's of some help.

regards Dave

Thanks Dave, that confirms my wildcards but I still get the same error setting up the first rule.

"MIB Index is out of range.Index must be bigger then 0 and Existing ifindex.."

I  checked the firmware and it was at 1.0.0.27 and the lastest from cisco  is 1.1.0.73!   Sounds like cisco has some very old stock in the  warehouses. I'm going to try updating the firmware. Not real impressed  with the low end from cisco after this.

Hi networking 2011,

it seems to me  you may be experiencing a problem by not adding priority to those ACE entries..

.

Good help text is built into the switch  and it says to add  a number to the priority field.

Untitled.jpg

Without adding priority you will get the error message below,.

Untitled.jpg

See how it goes, this is a new switch for you, but we both have the same firmware  and basically the identical switch. 

Historically my switch that i have had for about a year now,  was running 1.0.0.27 till only a couple of months ago.

We don't release firmware that often, and there was no intermediate releases of firmware between 1.0.0.27 and the new 1.1 release of code. 

We unfortunatelly have no control when a switch will be picked off a distributors warehouse shelf and shipped to a Cisco Partner or end user.

Do let me know how you go.

regards Dave

I was absolutely entering the priority each time I tried a new ACE, the error was fixed after the 1.1.0.73 firmware upgrade.

The switch came with 1.0.0.27 firmware. After updating to 1.1.0.73 I can now add IPv4 based ACL entries without error.

Thanks for your help!

Create
Recognize Your Peers
Polls
How would you describe your level of technical expertise?