03-26-2012 11:27 AM
Hello,
I have an SG300 switch working in layer 3 mode.
I configured 3 VLANs on the switch, assigned all ports, given IP addresses to VLANs interfaces, etc.
Now I want to implement ACL to permit or deny access between vlans and hosts.
Can I apply an ACL to a whole VLAN (in or out) like Catalyst models?
I mean apply the ACL to the entire vlan or the only way in this model is to implement that ACL port by port?
Every time I have a new port configure to work in a Vlan I have to implement the ACL?
Thanks
03-27-2012 10:56 AM
Yes, just go into CLI mode and use the
interface range command to specify a range of switch ports.
Here is an example from my switch using a MAC-based ACL.
Hope this helps
Dave
mac access-list extended stop
deny f0:de:f1:03:c0:d4 00:00:00:00:00:00 00:08:9b:bd:92:2e 00:00:00:00:00:00 vlan 1
permit any any vlan 1
exit
interface range gigabitethernet1 - 10
service-acl input stop
exit
Remember to save your configuration with a write mem
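Because the SG300 binds an ACL per port on ingress rather than to a VLAN, a small generator that turns a VLAN's port list into the "interface range ... / service-acl input" lines Dave shows above avoids typing them by hand and answers the "what about a newly added port" question. This is an added example, not code from the thread or from Cisco; the port numbering, the VLAN membership table and the single-port "interface gigabitethernetN" form are assumptions.

```python
# Added example (not from the thread): emit the SG300 CLI lines that bind one
# ACL on ingress to every port of a VLAN, in the same "interface range
# gigabitethernetA - B" / "service-acl input <name>" form used in Dave's post.
# The ACL body itself (the "mac access-list" or "ip access-list" block) is
# assumed to exist already; only the bindings are generated.
from itertools import groupby


def contiguous_ranges(ports):
    """Collapse a list of port numbers into sorted (start, end) runs."""
    ports = sorted(set(ports))
    runs = []
    # Consecutive ports share the same (value - index) offset, so groupby
    # splits the list exactly where a gap occurs.
    for _, grp in groupby(enumerate(ports), key=lambda p: p[1] - p[0]):
        members = [port for _, port in grp]
        runs.append((members[0], members[-1]))
    return runs


def acl_binding_config(vlan_ports, acl_name):
    """Return the CLI lines binding acl_name on ingress to all vlan_ports."""
    lines = []
    for start, end in contiguous_ranges(vlan_ports):
        if start == end:
            # Single-port form: assumed syntax, not shown in the thread.
            lines.append(f"interface gigabitethernet{start}")
        else:
            lines.append(f"interface range gigabitethernet{start} - {end}")
        lines.append(f"service-acl input {acl_name}")
        lines.append("exit")
    return lines


def binding_for_new_ports(vlan_ports, already_bound, acl_name):
    """Only the commands needed for ports that joined the VLAN since last run."""
    new_ports = set(vlan_ports) - set(already_bound)
    return acl_binding_config(new_ports, acl_name)


if __name__ == "__main__":
    # Constructed VLAN membership table: VLAN id -> (ports, ACL to bind).
    vlans = {1: ([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], "stop"),
             20: ([11, 12, 13, 15, 16], "vlan20-in")}
    for vlan_id, (ports, acl) in vlans.items():
        print(f"! VLAN {vlan_id}")
        print("\n".join(acl_binding_config(ports, acl)))
    # Port 14 later joins VLAN 20: emit just the missing binding.
    print("\n".join(binding_for_new_ports([11, 12, 13, 14, 15, 16],
                                          [11, 12, 13, 15, 16], "vlan20-in")))
```

Paste the output into the CLI in configuration mode and finish with write mem, as Dave notes.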
03-26-2012 06:54 PM
Hi Angel,
There are a lot of posts on ACLs, and the Admin Guide chapter 17 discusses their operation.
But check out the following most interesting post.
https://supportforums.cisco.com/message/3587545#3587545
The SG300 doesn't have the ACL flexibility of a Catalyst switch. An ACL has to be attached or bound to a switch port, and the ACL then filters on ingress of frames into the switch, not egress.
regards Dave
03-27-2012 09:21 AM
David,
Thanks for your help.
So if I have 30 ports in VLAN 1 and want to apply an ACL to VLAN 1, would I have to configure it 30 times, port by port? Is there a way to set the 30 ports at one time?
Thanks.
03-27-2012 10:47 AM
Hi Angel,
Yes, you have a way to bind the ACL to 30 ports at once via the CLI.
When in CLI configuration mode, use the interface range command.
I almost gave you the syntax.
10-06-2015 02:53 AM
Is it possible to apply such an ACL on a trunk port?