03-26-2012 11:27 AM
Hello,
I have an SG300 switch working in layer 3 mode.
I configured 3 VLANs on the switch, assigned all ports, gave IP addresses to the VLAN interfaces, etc.
Now I want to implement an ACL to permit or deny access between VLANs and hosts.
Can I apply an ACL to a whole VLAN (in or out) like on Catalyst models?
I mean, apply the ACL to the entire VLAN, or is the only way in this model to implement that ACL port by port?
Every time I configure a new port to work in a VLAN, do I have to implement the ACL again?
Thanks
03-27-2012 10:56 AM
Yes, just go into CLI mode and use the interface range command to specify a range of switch ports.
Here is an example from my switch using a MAC-based ACL.
Hope this helps
Dave
! Define a MAC-based ACL named "stop"; ACEs are matched top-down
mac access-list extended stop
deny f0:de:f1:03:c0:d4 00:00:00:00:00:00 00:08:9b:bd:92:2e 00:00:00:00:00:00 vlan 1
permit any any vlan 1
exit
! Bind the ACL on ingress to ports 1-10 in one step instead of port by port
interface range gigabitethernet1 - 10
service-acl input stop
exit
Remember to save your configuration with a write mem.
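As an added example (not from Dave's switch or the original thread), the same pattern with an IP-based ACL, which is what the original question about filtering between VLANs needs: hosts in one VLAN are denied access to another VLAN's subnet while all other traffic is permitted. The subnets, VLAN numbers and port range are assumed values; because the SG300 filters only on ingress, the ACL is bound to the access ports where the VLAN 10 hosts connect, not to the VLAN interface.

```cisco
! Assumed addressing: VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24
ip access-list extended block-v10-to-v20
! ACEs use wildcard masks (0.0.0.255), not subnet masks, and are matched top-down
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
! Explicit permit is required: the ACL ends with an implicit deny of everything else
permit ip any any
exit
! Bind on ingress to every port that carries VLAN 10 hosts (assumed ports 1-10)
interface range gigabitethernet1 - 10
service-acl input block-v10-to-v20
exit
```

Traffic from VLAN 20 back to VLAN 10 is a separate ingress decision on the VLAN 20 ports and needs its own ACL there if it should also be blocked.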
03-26-2012 06:54 PM
Hi Angel,
There are a lot of posts on ACLs, and the Admin Guide chapter 17 discusses their operation.
But check out the following most interesting post.
https://supportforums.cisco.com/message/3587545#3587545
The SG300 doesn't have the ACL flexibility of a Catalyst switch. An ACL has to be attached or bound to a switch port, and the ACL then filters on ingress of frames into the switch, not egress.
regards Dave
03-27-2012 09:21 AM
David,
Thanks for your help.
So if I have 30 ports in VLAN 1 and want to apply an ACL to VLAN 1, do I have to configure it 30 times, port by port? Is there a way to set the 30 ports at one time?
Thanks.
03-27-2012 10:47 AM
Hi Angel,
Yes, you have a way to bind the ACL to 30 ports at once via the CLI.
When in CLI configuration mode, use the interface range command.
I almost gave you the syntax.
10-06-2015 02:53 AM
Is it possible to apply such an ACL on a trunk port?