ACL and VLAN interface Cisco SG300

chiprule
Level 1

Hi Guys,

I have a question about ACLs and VLAN interfaces.

I created a test environment as follows:

Cisco SG300 in Layer 3 mode

VLAN: 1
IP interface: 172.16.1.2/30
"This is the transit network to pfSense"

VLAN: 200
IP interface: 192.168.100.0/24
"This is the clients VLAN"

pfSense
IP: 172.16.1.1/30
"Firewall"

I created other VLANs too, but they aren't relevant now.

My goal is to isolate VLAN 200 from the other VLANs, both inbound and outbound, and grant it access to the internet.

I set these rules in the ACL:

[attachments: new acl cisco.PNG (ACL rules), new binding.PNG (ACL binding)]

My question is: why must I explicitly permit the interface from 192.168.100.254/24 to 192.168.100.0/24, and vice versa, to get access to this interface from my host in the same VLAN?

Thanks

Accepted solution: agekov's second reply below.

4 Replies

agekov
Cisco Employee

Hello chiprule,

Hope you are doing well!

My name is Anton and I am working in the Cisco Small Business Support Team.

I would suggest that rules 14 and 15 are quite general and deny traffic within VLAN 200 (the 192.168.100.0/24 subnet will also be included in this rule).

That is why you need to explicitly permit the interface from 192.168.100.254/24 to 192.168.100.0/24 and vice versa to get access to this interface.

You can test by disabling rules 14 and 15 and checking whether your traffic within the VLAN is permitted without creating explicit rules.

Kind Regards!

Anton Gekov
Technical Consulting Engineer – Level 1
Global CX Centers – Small Business Support

Hi @agekov,

thank you so much for your prompt reply.

I disabled rules 7, 8, 14 and 15, because disabling only 14 and 15 doesn't make sense for testing.

Result:

I can reach the VLAN interface 192.168.200.254 from a host in the same VLAN (in this case 192.168.200.100).

I can reach the other 192.16.0.0/16 subnets (this is not my goal).

From what I understood about Cisco ACLs, you must add an explicit permit to the interface if you deny RFC1918 or "deny any", in order to reach this interface from the same VLAN, correct?

Hello @chiprule,

Thank you for the update.

Yes, you will need an explicit permit rule to reach the interface in the same VLAN, because the "deny any" rule will deny the traffic within the same VLAN as well.

Kind Regards!

 

Anton Gekov
Technical Consulting Engineer – Level 1
Global CX Centers – Small Business Support

Hi @agekov,

thanks for the support!
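To make the first-match behaviour agekov describes concrete, here is an added Python model of such an ACL. It is not the SG300's code or the thread's actual rule set: the sequence numbers, prefixes and the SVI address 192.168.100.254 are assumptions, since the original screenshots are not reproduced.

```python
"""First-match ACL model for the SVI question in this thread (added example)."""
from ipaddress import ip_address, ip_network

# Constructed ACL: sequence numbers and prefixes are assumptions, since the
# original post's screenshots are not reproduced here. It denies VLAN 200
# access to the RFC1918 ranges, permits everything else (internet via pfSense)
# and ends with the "deny any" mentioned in the thread.
VLAN200_ACL = [
    # (sequence, action, source network, destination network)
    (14, "deny",   "192.168.100.0/24", "10.0.0.0/8"),
    (15, "deny",   "192.168.100.0/24", "172.16.0.0/12"),
    (16, "deny",   "192.168.100.0/24", "192.168.0.0/16"),
    (20, "permit", "192.168.100.0/24", "0.0.0.0/0"),
    (99, "deny",   "0.0.0.0/0",        "0.0.0.0/0"),
]

# The explicit permits agekov recommends, covering the VLAN 200 SVI address
# (192.168.100.254, assumed from the original post) in both directions.
SVI_PERMITS = [
    (1, "permit", "192.168.100.0/24",   "192.168.100.254/32"),
    (2, "permit", "192.168.100.254/32", "192.168.100.0/24"),
]

def evaluate(acl, src, dst):
    """Return (sequence, action) of the first ACE matching src -> dst.

    Like a hardware ACL, evaluation stops at the first hit; if nothing
    matches, the implicit deny applies and (None, "deny") is returned.
    """
    s, d = ip_address(src), ip_address(dst)
    for seq, action, src_net, dst_net in sorted(acl, key=lambda ace: ace[0]):
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return seq, action
    return None, "deny"

def gateway_reachable(acl, host="192.168.100.100", svi="192.168.100.254"):
    """True if the host can reach its own VLAN's SVI under this ACL."""
    return evaluate(acl, host, svi)[1] == "permit"

if __name__ == "__main__":
    for label, acl in (("without SVI permits", VLAN200_ACL),
                       ("with SVI permits", SVI_PERMITS + VLAN200_ACL)):
        print(f"{label}:")
        for dst in ("192.168.100.254", "8.8.8.8", "192.168.50.10"):
            print("  192.168.100.100 ->", dst, evaluate(acl, "192.168.100.100", dst))
        print("  gateway reachable:", gateway_reachable(acl))
```

Without the two SVI permits the host's packet to its own gateway is caught by the RFC1918 deny before anything permits it, which is exactly the symptom in the original post; the internet path and the cross-VLAN denies are unaffected by adding them.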