stownsend
Explorer

SG300 Routing between VLANs. I don't want to route some traffic.

I'm using an SG300-28P as our VLAN interconnect between our ISP and Firewalls as well as remote Offices.

So there are several VLANs that we have on the unit:

101     10.1.x.x Internal Subnet

102     10.2.x.x Internal Subnet

10#     10.#.x.x Internal Subnet

192     192.168.0.x Subnet for Public Use in our Building

198     Our Public IP Address Space 1

204     Our Public IP Address Space 2

So Obviously I want to be able to route between the 10.#.x.x Subnets.

Though I don't want to route between the other Subnets.

How can I set up the ACLs to make sure that someone on one of the 3 Public Subnets does not try to Connect to the Internal Subnets?

Is it Allow All IP and then a Deny 192,198, 204 as source to the 10# VLANs?

Or is it Deny 192,198, 204 as source to the 10# VLANs then Allow All IP  (or Allow 10.1, 10.2, 10.#)?

Thanks,

Scott

David Hornstein
Rising star

Hi Scott,

I responded to a question regarding ACL on the 300 series and included screen shots.

The bottom line is:

1. The IP-based ACLs use reverse masks, i.e. 192.168.10.0 mask = 0.0.0.255, and

2. The ACL is bound to an interface to check ingress traffic for pattern matches against the ACL.

3. There is an implicit deny at the end of a pattern match, so the last ACE entry in a list might be a permit all.

Check out my discussion at the URL below; it works very well and at wire speed. Have fun.

Regards, Dave

https://supportforums.cisco.com/message/3265075#3265075
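As an added illustration (not part of either post, and not the switch's own code): a small Python model of how an ACL evaluates Scott's two orderings, applying the reverse (wildcard) masks, first-match and implicit-deny rules Dave lists. The `Ace`, `wildcard_match` and `evaluate` names are hypothetical, and only the 192.168.0.x range from the post is used; the two public address blocks would each get a deny ACE of the same shape.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Ace:
    """One access control entry: action plus source/destination patterns."""
    action: str   # "permit" or "deny"
    src: str      # "address wildcard" in reverse-mask form, e.g. "192.168.0.0 0.0.0.255"
    dst: str


def wildcard_match(addr: str, pattern: str) -> bool:
    """Reverse-mask match: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    base, wild = pattern.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching ACE wins; falling off the end is the implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


ANY = "0.0.0.0 255.255.255.255"
PUBLIC_192 = "192.168.0.0 0.0.0.255"     # the building's public-use subnet from the post
INTERNAL = "10.0.0.0 0.255.255.255"      # constructed: covers every 10.#.x.x internal VLAN

# Scott's two candidate orderings
DENY_FIRST = [Ace("deny", PUBLIC_192, INTERNAL), Ace("permit", ANY, ANY)]
PERMIT_FIRST = [Ace("permit", ANY, ANY), Ace("deny", PUBLIC_192, INTERNAL)]


def compare_orderings(src: str, dst: str) -> dict:
    """Show what each ordering does to one constructed flow (applied on VLAN 192 ingress)."""
    return {
        "deny_then_permit": evaluate(DENY_FIRST, src, dst),
        "permit_then_deny": evaluate(PERMIT_FIRST, src, dst),
        "empty_acl_implicit": evaluate([], src, dst),
    }


if __name__ == "__main__":
    print(compare_orderings("192.168.0.10", "10.1.0.5"))
```

With permit-all first, the deny ACE is never reached, so only the deny-then-permit ordering actually blocks the public subnet from the 10.x VLANs.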
