07-21-2011 09:37 AM
OK, I am having a problem with ACE rules.
I have 5 VLANs; I assign each VLAN to its ports and make them all untagged.
I created ACLs and ACE rules for each ACL, and then assigned them to the ports.
So what I am trying to do is deny access from one port to the other 4 ports and grant access to any other ports. But it is not working: without the last rule "allow any any" it has no access to any ports; with the last rule it grants access to every port, even those I denied.
HELP, what am I doing wrong? Router in Layer 3 mode; all VLANs have their IPs.
At some point I was able to make it work properly, but without using any rules: I just tagged my untagged VLANs on those ports which I want to get access to.
As you can see, I want to allow ports GE1 - GE4 to communicate with ports 1 to 24 but not with each other.
07-21-2011 10:00 AM
Stanislav,
What is the end goal you're looking for?
I see your configurations but I am uncertain as to what you're looking to do. If you just want people to not communicate with each other, you can create VLANs and do access rules denying the traffic between the VLANs, or there is an option called protected ports, and with this you could leave them all in 1 VLAN. Then put the devices you want to be isolated from each other in protected port mode. You can find this under the port settings. This isolates devices that are in protected port mode from anyone else in protected port mode. They will still be able to access devices that are not in protected port mode with this setting.
Here is a better description of the protected port mode:
The Protected Ports feature provides Layer 2 isolation between interfaces (Ethernet ports and Link Aggregation Groups (LAGs)) that share the same Broadcast domain (VLAN) with other interfaces.
Devices from protected ports are not allowed to communicate with each other even when they are in the same VLAN.
Packets received on a protected port are dropped when trying to egress on any protected ports. Protected port filtering rules are also relevant to packets that are forwarded by software, such as snooping applications.
Port protection is not subject to VLAN membership. For example, two protected ports placed in the same VLAN are not able to communicate with each other. Port protection enables you to define ports that are able to send packets only to unprotected ports, which will usually be the uplinks, and not to the other protected ports. Ports or LAGs can be defined as protected or unprotected.
07-21-2011 10:28 AM
The goal is to put people into different VLANs and servers with WAN into their own VLAN1, then give all VLANs access to server VLAN1 and deny access to each other.
I don't understand why my rules are not working. How should I set up my VLANs on the ports, as untagged or tagged?
07-21-2011 01:13 PM
Stanislav,
You have every port set up as a trunk port and member of all VLANs except for G1-2.
If you only have one device plugged into the port, then you can make it an access port member of that VLAN.
07-22-2011 07:23 AM
I am sorry, but I don't understand. What should I do? Change the port setup? Make all ports untagged? I am new to managed switches.
I have 5 VLANs:
VLAN1 (default) - ports from 1 to 24 - VLAN IP - 192.168.1.1
VLAN2 - port 25 - VLAN IP - 192.168.2.1
VLAN3 - port 26 - VLAN IP - 192.168.3.1
VLAN4 - port 27 - VLAN IP - 192.168.4.1
VLAN5 - port 28 - VLAN IP - 192.168.5.1
My goal is to make VLANs 2 to 5 accessible to VLAN 1 but not to each other.
Right now all VLANs are untagged on their ports, no tagged ports at all (don't look at the pictures I posted before).
Right now I can ping computers in VLAN2 from VLAN1, but I can't ping a computer in VLAN1 from VLAN2. But I can ping 192.168.1.1 from a computer in VLAN2.
*Note: the computers have default gateways the same as their VLAN IPs.
That is as far as I could get so far. Please help. The ACE rules I created (in the picture above) are not working, and I don't know why.
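The policy described in the post above (VLANs 2 to 5 may reach the server VLAN 1, but not each other) modelled as a first-match ACL. This is an added example and not code from the thread or from the switch vendor: the switch model and its ACL syntax are not named here, so the block is a plain Python model of rule ordering. It assumes one ACL bound on the ingress ports of each user VLAN, no ACL on the VLAN 1 ports, the /24 subnets posted above (constructed hosts .10 and .20), first-match evaluation and an implicit deny at the end of every ACL, which is the usual semantics for this kind of ACL. It also shows the symptom from the first post: with "permit any any" evaluated before the deny ACEs, every deny is shadowed.

```python
"""First-match ACL model for the five-VLAN layout in the thread (added
illustration, not vendor code; switch ACL syntax is not named on the page)."""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[str, Net, Net]  # (action, source network, destination network)

# Subnets as posted: one /24 per VLAN, gateway .1; VLAN 1 holds servers and WAN.
VLANS = {n: ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(1, 6)}
SERVER_VLAN = 1
ANY = ipaddress.ip_network("0.0.0.0/0")


def build_user_vlan_acl(vlan: int) -> List[Ace]:
    """ACL for the ingress ports of a user VLAN (2-5): one deny ACE per other
    user VLAN first, then 'permit any any' last. The denies must come before
    the permit because evaluation stops at the first matching ACE."""
    own = VLANS[vlan]
    acl: List[Ace] = [("deny", own, VLANS[v]) for v in VLANS
                      if v not in (vlan, SERVER_VLAN)]
    acl.append(("permit", ANY, ANY))
    return acl


def misordered_acl(vlan: int) -> List[Ace]:
    """Same ACEs with 'permit any any' evaluated first: the symptom reported in
    the thread, where every port can be reached, including the denied ones."""
    acl = build_user_vlan_acl(vlan)
    return [acl[-1]] + acl[:-1]


def evaluate(acl: Optional[List[Ace]], src: str, dst: str) -> str:
    """First match wins; an ACL that matches nothing ends in an implicit deny.
    None means no ACL is bound to the port, so everything is forwarded."""
    if acl is None:
        return "permit"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def vlan_of(ip: str) -> int:
    """Map a host address onto the VLAN whose subnet contains it."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    raise ValueError(f"{ip} is not in any configured VLAN subnet")


def forward(src: str, dst: str, ordered: bool = True) -> str:
    """Decision for a packet entering on the source host's VLAN ports.
    VLAN 1 ports carry no ACL, so server-to-user traffic is never filtered;
    the user VLAN's own ingress ACL decides the other direction."""
    vid = vlan_of(src)
    if vid == SERVER_VLAN:
        acl = None
    else:
        acl = build_user_vlan_acl(vid) if ordered else misordered_acl(vid)
    return evaluate(acl, src, dst)


if __name__ == "__main__":
    # Constructed sample flows: user VLAN to server VLAN, user to user, server to user.
    for s, d in [("192.168.2.10", "192.168.1.20"),
                 ("192.168.2.10", "192.168.3.10"),
                 ("192.168.1.20", "192.168.2.10")]:
        print(f"{s} -> {d}: ordered={forward(s, d)} "
              f"misordered={forward(s, d, ordered=False)}")
```

The point to check on the real switch is the same as in the model: the ACE that denies traffic to the other user subnets must have a higher priority (be evaluated earlier) than the final permit, and the ACL must be bound to the ports where that traffic enters, not where it leaves; a deny placed after "permit any any" never matches anything.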
07-25-2011 06:39 AM
> You have every port set up as a trunk port and member of all VLANs except for G1-2.
> If you only have one device plugged into the port, then you can make it an access port member of that VLAN.
Not only one device; I have 4 other switches connected to ports G1, G2, G3, G4, so these ports should be in trunk mode if I understand right.
Please help me!