SG300 Routing between VLANs. I dont want to route some traffic.

stownsend
Level 2

I'm using an SG300-28P as our VLAN interconnect between our ISP and firewalls, as well as remote offices.

So there are several VLANs that we have on the unit:

101     10.1.x.x Internal Subnet

102     10.2.x.x Internal Subnet

10#     10.#.x.x Internal Subnet

192     192.168.0.x Subnet for Public Use in our Building

198     Our Public IP Address Space 1

204     Our Public IP Address Space 2

So obviously I want to be able to route between the 10.#.x.x subnets.

Though I don't want to route between the other subnets.

How can I set up the ACLs to make sure that someone on one of the 3 public subnets cannot connect to the internal subnets?

Is it Allow All IP and then a Deny 192, 198, 204 as source to the 10# VLANs?

Or is it Deny 192, 198, 204 as source to the 10# VLANs, then Allow All IP (or Allow 10.1, 10.2, 10.#)?

Thanks,

Scott

1 Reply

David Hornstein
Level 7

Hi Scott,

I responded to a question regarding ACLs on the 300 series and included screenshots.

The bottom line is:

1. The IP-based ACLs use reverse masks, i.e. 192.168.10.0 mask = 0.0.0.255, and

2. the ACL is bound to an interface to check ingress traffic for pattern matches against the ACL.

3. There is an implicit deny at the end of a pattern match, so the last ACE entry in a list might be a permit all.

Check out my discussion at the URL below; it works very well and at wire speed. Have fun.

regards Dave

https://supportforums.cisco.com/message/3265075#3265075
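To make the three points in Dave's reply concrete, here is a small Python model of the ACL semantics he describes (wildcard/reverse masks, first match wins, implicit deny at the end) run against both orderings Scott asked about. This is an added example, not code from the thread or from Cisco. It assumes the 10.#.x.x subnets can be summarised as 10.0.0.0/8, and it uses the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 as constructed stand-ins for the two public address spaces the post does not spell out; the IOS-style CLI in the comment is an illustration and has not been checked against the SG300 firmware syntax.

```python
"""Model of Cisco-style IP ACL evaluation: wildcard (reverse) masks,
first-match-wins ordering and the implicit deny at the end of the list.
Added example for the SG300 thread; not vendor code."""
import ipaddress
from dataclasses import dataclass
from typing import List


def to_wildcard(cidr: str) -> str:
    """CIDR -> 'network wildcard' form as the SG300 ACL editor expects.
    '10.0.0.0/8' -> '10.0.0.0 0.255.255.255'."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"   # hostmask is the reverse mask


@dataclass
class ACE:
    action: str   # "permit" or "deny"
    src: str      # "<network> <wildcard>" or "any"
    dst: str      # same form as src


def _matches(addr: str, spec: str) -> bool:
    """True if addr falls inside spec. A 1-bit in the wildcard means
    'don't care', so only the bits where the wildcard is 0 are compared."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (n & care)


def evaluate(acl: List[ACE], src_ip: str, dst_ip: str) -> str:
    """Walk the ACEs in order; the first one matching both addresses decides.
    If none matches, the implicit deny at the end of every list applies."""
    for ace in acl:
        if _matches(src_ip, ace.src) and _matches(dst_ip, ace.dst):
            return ace.action
    return "deny"


INTERNAL = to_wildcard("10.0.0.0/8")          # covers every 10.#.x.x VLAN
PUBLIC = [                                     # constructed: only 192.168.0.x is given in the post
    to_wildcard("192.168.0.0/24"),
    to_wildcard("198.51.100.0/24"),            # stand-in for "Public IP Address Space 1"
    to_wildcard("203.0.113.0/24"),             # stand-in for "Public IP Address Space 2"
]


def build_acl(public: List[str], internal: str, deny_first: bool) -> List[ACE]:
    """Scott's two candidate orderings. deny_first=True is the one that works:
    the specific deny ACEs come before the catch-all permit.

    Assumed IOS-style equivalent of the working order (verify against the
    SG300 admin guide before typing it in):
        ip access-list extended BLOCK-PUBLIC-TO-INTERNAL
          deny   ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
          deny   ip 198.51.100.0 0.0.0.255 10.0.0.0 0.255.255.255
          deny   ip 203.0.113.0 0.0.0.255 10.0.0.0 0.255.255.255
          permit ip any any
    bound inbound on the ports/VLAN interfaces where the public subnets enter.
    """
    denies = [ACE("deny", p, internal) for p in public]
    permit_all = [ACE("permit", "any", "any")]
    return denies + permit_all if deny_first else permit_all + denies


def compare_orderings(src_ip: str, dst_ip: str) -> dict:
    """Result of the same flow under both orderings, plus a list with no
    trailing permit to show the implicit deny biting legitimate traffic."""
    good = build_acl(PUBLIC, INTERNAL, deny_first=True)
    bad = build_acl(PUBLIC, INTERNAL, deny_first=False)
    return {
        "deny_first": evaluate(good, src_ip, dst_ip),
        "permit_first": evaluate(bad, src_ip, dst_ip),
        "deny_only": evaluate(good[:-1], src_ip, dst_ip),
    }


if __name__ == "__main__":
    print("public -> internal:", compare_orderings("192.168.0.10", "10.1.0.5"))
    print("internal -> internal:", compare_orderings("10.1.0.5", "10.7.3.4"))
    print("public -> Internet:", compare_orderings("198.51.100.9", "8.8.8.8"))
```

Two practical notes. Because evaluation stops at the first match, "permit any" first followed by the denies never blocks anything, which is why the deny ACEs have to come first; and because there is an implicit deny, a list with only deny ACEs silently drops the 10.x to 10.x traffic Scott does want, hence the trailing "permit any any". Also, these ACLs are stateless: a deny on 192.168.0.0/24 to 10.0.0.0/8 applied inbound on the public VLAN drops return packets for sessions that internal hosts initiated toward those subnets just as readily as unsolicited ones, so if internal users need to reach hosts on the public VLANs that traffic has to go through the firewall rather than be routed directly on the switch.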