SG300-10 Vlan / ACL Help

Don Nelson
Level 1

I am experiencing a slight issue that for whatever reason I can't seem to figure out. I have 5 VLANs:

Vlan 1 192.168.1.0 Network Management network

Vlan 2 192.168.2.0 PC Network

Vlan 3 192.168.3.0 Wireless Network

Vlan 4 192.168.4.0 Network 2

Vlan 250 192.168.250.0 Guest Wifi

192.168.1.2 is my management IP, 192.168.1.1 is assigned to my ASA5505 for all VLANs to access to get out to the Internet. All but my uplink port (10) are set as access ports going to my layer 2 switch and assigned with 1 untagged VLAN for that specific port (port 3 is on VLAN 3 for my wireless controller).

When I am on the wireless network I am able to ping users on any of the VLANs. I would like to be able to do the following:

Deny 192.168.250.0 from seeing all of the VLANs (except 1, for Internet)

Deny 192.168.4.0 from seeing all of the VLANs (except 1, for Internet)

Allow 192.168.3.0 & 192.168.2.0 access to each other but not see VLAN 4 or VLAN 250.

I tried to do an ACL called Deny Guest Vlan, and created an ACE to deny Source IP 192.168.250.0 wildcard 0.0.0.0 Destination 192.168.3.0 0.0.0.0, but on the 192.168.250.0 I lost my internet access and was unable to ping 192.168.250.1.

I'm not sure if I am in the right area or not for denying this access. I am currently running firmware 1.0.4.88.

Thank you,

Don
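
The symptom described in the post has two causes worth separating, and the following SG300 CLI snippet (an added example, not configuration from the original poster) shows the corrected form of the "Deny Guest Vlan" ACL. First, a wildcard of 0.0.0.0 means "every bit must match", so an ACE with source 192.168.250.0 wildcard 0.0.0.0 matches only the single address 192.168.250.0, not the /24; the subnet needs 0.0.0.255. Second, every ACL on the SG300 family ends with an implicit deny-any, so binding an ACL that contains nothing but a deny ACE drops all other traffic on that port, including packets to the gateway and to the switch's own 192.168.250.1 address, which is exactly the loss of Internet access and of pings to 192.168.250.1 reported above. The ACL name and the ingress port (gi3) are assumptions; bind it on whichever port guest traffic actually enters the switch.

```cisco
! Added example, not from the original post. ACL name DENY-GUEST and the
! binding port gi3 are assumptions; adjust both to your topology.
ip access-list extended DENY-GUEST
 ! Keep the guest VLAN's own gateway (SVI, assumed 192.168.250.1) reachable
 ! so the guests can still ping it and use it for DHCP/DNS if it serves them
 permit ip 192.168.250.0 0.0.0.255 192.168.250.1 0.0.0.0
 ! Block guest -> every internal VLAN. Source wildcard 0.0.0.255 covers the
 ! whole /24 (the original ACE's 0.0.0.0 matched only host 192.168.250.0);
 ! destination 192.168.0.0 0.0.255.255 covers VLANs 1, 2, 3, 4 and 250.
 deny ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.255.255
 ! Without this line the implicit deny-any at the end of every SG300 ACL
 ! would also drop the Internet-bound traffic (the symptom in the post)
 permit ip any any
exit
!
! Bind inbound on the port where guest traffic enters the switch (assumed gi3)
interface gi3
 service-acl input DENY-GUEST
exit
```

Two notes on the design: the deny line also blocks guest-to-guest traffic that passes through the switch, which is normally what you want on a guest network, and if guests rely on a DHCP or DNS server that lives on one of the internal VLANs, a narrow permit for that server (its host address and UDP ports 67 and 53) has to sit above the deny, since ACEs are evaluated top down and the first match wins.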


1 Reply

Michal Bruncko
Level 4

Hi

From your description it seems you are using the SG300-10 as an L3 routing switch and the asa5505 (with IP 192.168.1.1) as the internet gateway, is that right?

I would suggest that you do not do routing on the SG300 switch, but instead do it on the asa5505. Reasons:

  • The asa5505 is a hardware firewall with all possible options for performing communication filtering. Having the ASA5505 behave as both firewall and router in a single device is also good for maintenance reasons.
  • You mentioned that you are using 192.168.1.0/24 as the management network. In this case it is not very clever to provide access to the internet through this VLAN. It should be dedicated (as its name indicates) to management purposes.

This means that:

  • make your SG300 switch L2-aware only (or configure only a management IP on it for VLAN 1)
  • create all necessary VLANs on the ASA firewall including IP addresses (for simplicity use the lowest possible IP as the gateway address)
  • configure the link between the SG300 and the ASA as a trunk which carries all the VLANs you mentioned
  • test if you have connectivity to each other
  • if so, start implementing firewall rules directly on the ASA firewall
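
The ASA side of the design proposed in this reply, as an added example (not configuration from the reply's author or from Cisco): the five VLAN interfaces with the ASA as gateway, a trunk toward the SG300 uplink, and inbound access-lists that implement the three requirements from the question. Interface names (nameif), security levels and the trunk port Ethernet0/1 are assumptions; the outside interface, NAT and the default route are assumed to be configured separately. One caveat a practitioner should check first: on the ASA 5505 the Base license allows only three VLANs and no trunk ports, so five VLANs carried over a trunk require the Security Plus license.

```cisco
! Added example, not from the original thread. nameif values, security levels
! and Ethernet0/1 are assumptions; outside interface, NAT and routing omitted.
!
! Trunk toward the SG300 (its port 10). Requires the Security Plus license.
interface Ethernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2,3,4,250
 no shutdown
!
! Lowest host address of each subnet is the gateway, as the reply suggests
interface Vlan1
 nameif mgmt
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif pc
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
 nameif wireless
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
 nameif net2
 security-level 20
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan250
 nameif guest
 security-level 10
 ip address 192.168.250.1 255.255.255.0
!
! pc and wireless share security-level 50; without this command the ASA
! drops traffic between two interfaces of equal security level
same-security-traffic permit inter-interface
!
object-group network INTERNAL-NETS
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.250.0 255.255.255.0
!
object-group network ISOLATED-NETS
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.250.0 255.255.255.0
!
! Guest (VLAN 250) and Network 2 (VLAN 4): Internet only. The deny sits
! above the permit because the first matching line wins, and every ASA
! access-list ends with an implicit deny.
access-list GUEST_IN extended deny ip 192.168.250.0 255.255.255.0 object-group INTERNAL-NETS
access-list GUEST_IN extended permit ip 192.168.250.0 255.255.255.0 any
access-group GUEST_IN in interface guest
!
access-list NET2_IN extended deny ip 192.168.4.0 255.255.255.0 object-group INTERNAL-NETS
access-list NET2_IN extended permit ip 192.168.4.0 255.255.255.0 any
access-group NET2_IN in interface net2
!
! PC (VLAN 2) and wireless (VLAN 3): may reach each other and the Internet,
! but not VLAN 4 or VLAN 250
access-list PC_IN extended deny ip 192.168.2.0 255.255.255.0 object-group ISOLATED-NETS
access-list PC_IN extended permit ip 192.168.2.0 255.255.255.0 any
access-group PC_IN in interface pc
!
access-list WIRELESS_IN extended deny ip 192.168.3.0 255.255.255.0 object-group ISOLATED-NETS
access-list WIRELESS_IN extended permit ip 192.168.3.0 255.255.255.0 any
access-group WIRELESS_IN in interface wireless
```

Once an access-list is bound inbound on an interface it replaces the security-level defaults for that interface entirely, so the `permit ... any` lines on pc and wireless also allow those VLANs to reach the mgmt network; if the management VLAN is to stay dedicated as the reply recommends, add 192.168.1.0/24 to ISOLATED-NETS as well. Access-lists only filter through-traffic, so guests can still reach the ASA's own 192.168.250.1 for DHCP or DNS served by the ASA; a DHCP or DNS server on an internal VLAN would need a narrow permit above the deny line, as in the SG300 case.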