
ACL config on SG 300 28P

uitmorand
Level 1

Hello!

I am trying to set up an ACL on our Cisco SG 300 switch. I want to create an ACL that enables hosts on our guest network to obtain IP addresses from a server on our "internal" network, but they should not be able to reach any other resources on that network. I set it up as follows, but it does not work the way I want. I have also bound interfaces to the ACL. Any suggestions?

(attachment: Ny bild.jpg)

/Morgan

5 Replies

rocater
Level 3

Hello Morgan,

How is your network currently set up? Are you using the SG300 as a layer 3 switch? And if so, is it acting as your default gateway?

Most commonly, when setting up a private/internal and a public/guest network, I recommend using VLANs and two subnets. I cannot speak to the DHCP server, but most should support multiple VLANs and subnets. This allows you to separate your traffic in a very simple way.

Hello!

Thanks for your reply. The switch is configured to run in Layer 3 mode, and one interface in each VLAN is the default gateway. I want to configure an ACL that only allows DHCP traffic from VLAN 4 (Guest) to VLAN 3 (Internal). It should also block traffic to VLAN 5. I hope that you understand what I mean; see the picture.

/Morgan

Thanks for the diagram it is very helpful.

I would recommend the following rules

Permit 192.168.175.0/24 to *server IP*

Deny 192.168.175.0/24 to 10.1.10.0/24

Deny 192.168.175.0/24 to 192.168.200.0/24

Permit any to any

This will allow any computers on the guest network to talk to the server on the main network. The deny rules will block any traffic from the guest network to the private network and to the other VLAN (VLAN 5). The final rule clarifies that all other traffic is OK to go.
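The rule list above is evaluated top-down, first match wins, so the permit to the server must sit above the deny for 10.1.10.0/24 or DHCP never gets through. The following is an added example, not code from the thread or from Cisco: a small first-match ACL evaluator that models rocater's rules, the DHCP/DNS-only variant Morgan describes in his follow-up, and a mis-ordered copy, and runs constructed flows through each. The server address 10.1.10.10 and every test flow are assumptions (the diagram is not available on the page); it emits no SG300 configuration.

```python
"""First-match ACL evaluator for the guest-VLAN rules discussed in this thread.
Added example, not Cisco code. Server IP and flows are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (ipaddress.ip_address(flow.src) in rule.src
            and ipaddress.ip_address(flow.dst) in rule.dst
            and (rule.proto is None or rule.proto == flow.proto)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(acl: list, flow: Flow, default: str = "deny") -> str:
    """Return the action of the first matching rule; no match falls to the implicit deny."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return default


GUEST = net("192.168.175.0/24")
INTERNAL = net("10.1.10.0/24")
VLAN5 = net("192.168.200.0/24")
SERVER = net("10.1.10.10/32")      # assumed address of the DHCP/DNS server

# rocater's four rules as posted (any protocol to the server)
ACL_POSTED = [
    Rule("permit", GUEST, SERVER),
    Rule("deny", GUEST, INTERNAL),
    Rule("deny", GUEST, VLAN5),
    Rule("permit", ANY, ANY),
]

# Tightened as Morgan describes: only DHCP and DNS may reach the server
ACL_TIGHT = [
    Rule("permit", GUEST, SERVER, "udp", 67),
    Rule("permit", GUEST, SERVER, "udp", 53),
    Rule("permit", GUEST, SERVER, "tcp", 53),
    Rule("deny", GUEST, INTERNAL),
    Rule("deny", GUEST, VLAN5),
    Rule("permit", ANY, ANY),
]

# Same rules with the server permit placed after the subnet deny: order matters
ACL_MISORDERED = [ACL_POSTED[1], ACL_POSTED[0], ACL_POSTED[2], ACL_POSTED[3]]

# Constructed flows seen inbound on the guest VLAN. Note that a client's initial
# DHCP DISCOVER is sourced from 0.0.0.0 to 255.255.255.255, so it is never
# matched by a rule keyed on 192.168.175.0/24; here it reaches the final permit.
FLOWS = {
    "dhcp_discover": Flow("0.0.0.0", "255.255.255.255", "udp", 67),
    "dhcp_renew": Flow("192.168.175.20", "10.1.10.10", "udp", 67),
    "dns_to_server": Flow("192.168.175.20", "10.1.10.10", "udp", 53),
    "smb_to_server": Flow("192.168.175.20", "10.1.10.10", "tcp", 445),
    "internal_ssh": Flow("192.168.175.20", "10.1.10.50", "tcp", 22),
    "vlan5_http": Flow("192.168.175.20", "192.168.200.10", "tcp", 80),
    "internet_https": Flow("192.168.175.20", "8.8.8.8", "tcp", 443),
}


def report(acl: list) -> dict:
    """Map each named flow to the action the ACL takes on it."""
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("posted", ACL_POSTED), ("tight", ACL_TIGHT),
                       ("misordered", ACL_MISORDERED)):
        print(label)
        for name, action in report(acl).items():
            print(f"  {name:15s} {action}")
```

Running it shows the two things worth checking before binding the ACL: with the posted rules SMB to the server is still permitted (only the tightened list denies it), and with the permit moved below the deny, the unicast DHCP renewal is dropped. The final permit any/any is also what carries the broadcast DHCP DISCOVER, so it should not be replaced with a plain deny without adding a rule for the 0.0.0.0 source.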

Thanks for your suggestion. I have used it with some small changes, and it works perfectly. I have uploaded a picture of my config so you can see it. The ACL only permits DHCP and DNS traffic between the guest network and the internal network.

Thanks again.

/Morgan


Thank you! This helped me implement an ACL to protect my internal networks from a hard-wired guest.