05-22-2021 08:48 AM - edited 05-22-2021 09:17 AM
Hi,
On the SG350, I thought I could apply some VACL or ip access-group, but these commands are not supported, it seems!
The only way to bind an ACL to an interface is
  service-acl input
  # the output version is not supported, it seems! service-acl output
I use the SG350 with inter-VLAN routing enabled
I have a few VLANs setup, mainly a media VLAN 50.
- All devices in VLAN 50 should not communicate to any other VLAN
- All devices in VLAN 50 should be able to communicate to the DLNA server at 10.0.50.100
- All devices in VLAN 50 should not be able to communicate between them
I added the below ACL-ACE rules
config t
ip access-list extended "DLNA VLAN50"
# allow VLAN 50 Net to firewall gateway (DNS/DHCP), to VLAN 50 gateway (SG350 switch) and to broadcast IP (optional)
permit ip 10.0.50.0 0.0.0.255 10.0.50.1 0.0.0.0 ace-priority 10
permit ip 10.0.50.0 0.0.0.255 10.0.50.2 0.0.0.0 ace-priority 20
permit ip 10.0.50.0 0.0.0.255 10.0.50.255 0.0.0.0 ace-priority 25
# Permit gateways to talk back to VLAN 50
permit ip 10.0.50.1 0.0.0.0 10.0.50.0 0.0.0.255 ace-priority 30
permit ip 10.0.50.2 0.0.0.0 10.0.50.0 0.0.0.255 ace-priority 40
# Permit VLAN 50 clients to talk to the DLNA Server on port 8200 for DLNA
permit tcp 10.0.50.0 0.0.0.255 any 10.0.50.100 0.0.0.0 8200 ace-priority 60
# Permit DLNA Server to answer VLAN 50 clients' requests but only from its ports TCP 8200 and UDP 1900
permit tcp 10.0.50.100 0.0.0.0 8200 10.0.50.0 0.0.0.255 any ace-priority 80
permit udp 10.0.50.100 0.0.0.0 1900 10.0.50.0 0.0.0.255 any ace-priority 100
# Deny any communication to local hosts
deny ip 10.0.50.0 0.0.0.255 10.0.0.0 0.255.255.255 ace-priority 120 log-input
deny ip 10.0.50.0 0.0.0.255 172.16.0.0 0.15.255.255 ace-priority 140 log-input
deny ip 10.0.50.0 0.0.0.255 192.168.0.0 0.0.255.255 ace-priority 160 log-input
exit
# Apply ACL to VLAN 50
interface vlan 50
service-acl input "DLNA VLAN50" default-action permit-any
exit
Most things work as expected:
- internet access is preserved
- access to other VLANs is properly denied
- access to media DLNA server 10.0.50.100 is only allowed on the DLNA open ports
However, I can ping between VLAN 50 devices, while they properly cannot ping the 10.0.50.100 media server or access its web server on port 80.
After some reading, I think that the service-acl input command only applies at L3, and L2 communication between hosts does not reach the routing interface.
- Q1: how come the 10.0.50.100 server is properly isolated from other clients on the VLAN when they try to ping it or access its web server on port 80 ?
- Q2: how can I properly block L2 communication inside VLAN 50 without applying an ACL to a port? (The VLAN 50 clients are connected to the switch through 2 physical ports but also through a tagged VLAN on a trunk port connected to a wifi AP.)
- Q3: since the service-acl output command is not supported, is the isolation I did adequate, or must I also add rules to deny "other VLANs to 10.0.50.0 0.0.0.255"?
- Q4: on the data sheet for the 350 series, I read: "ACL can be applied on both ingress and egress sides". Why is only "service-acl input" allowed?
Hope someone can help me write the rules I need to achieve the above requirements.
Thank you
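To check what the posted ACL would do to a given flow if that flow actually reached the VLAN 50 SVI, here is an added first-match evaluator (example code, not from the post or from Cisco) that models the ACEs in ace-priority order with Cisco wildcard-mask semantics and the permit-any default action. The client and internet addresses in the sample flows are constructed; the evaluator shows that the ACL itself would deny client-to-client traffic, so any intra-VLAN ping that succeeds must be switched at L2 without ever being evaluated by the routed-interface ACL.

```python
import ipaddress

# Constructed model of the "DLNA VLAN50" ACEs from the post, in ace-priority order.
# Fields: (priority, proto, src, src_wild, src_port, dst, dst_wild, dst_port, action)
# A port of None stands for the CLI keyword "any"; proto "ip" matches every protocol.
ACES = [
    (10,  "ip",  "10.0.50.0",   "0.0.0.255", None, "10.0.50.1",   "0.0.0.0",       None, "permit"),
    (20,  "ip",  "10.0.50.0",   "0.0.0.255", None, "10.0.50.2",   "0.0.0.0",       None, "permit"),
    (25,  "ip",  "10.0.50.0",   "0.0.0.255", None, "10.0.50.255", "0.0.0.0",       None, "permit"),
    (30,  "ip",  "10.0.50.1",   "0.0.0.0",   None, "10.0.50.0",   "0.0.0.255",     None, "permit"),
    (40,  "ip",  "10.0.50.2",   "0.0.0.0",   None, "10.0.50.0",   "0.0.0.255",     None, "permit"),
    (60,  "tcp", "10.0.50.0",   "0.0.0.255", None, "10.0.50.100", "0.0.0.0",       8200, "permit"),
    (80,  "tcp", "10.0.50.100", "0.0.0.0",   8200, "10.0.50.0",   "0.0.0.255",     None, "permit"),
    (100, "udp", "10.0.50.100", "0.0.0.0",   1900, "10.0.50.0",   "0.0.0.255",     None, "permit"),
    (120, "ip",  "10.0.50.0",   "0.0.0.255", None, "10.0.0.0",    "0.255.255.255", None, "deny"),
    (140, "ip",  "10.0.50.0",   "0.0.0.255", None, "172.16.0.0",  "0.15.255.255",  None, "deny"),
    (160, "ip",  "10.0.50.0",   "0.0.0.255", None, "192.168.0.0", "0.0.255.255",   None, "deny"),
]
DEFAULT_ACTION = "permit"  # service-acl input ... default-action permit-any


def wildcard_match(addr, net, wild):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a ^ n) & ~w == 0


def evaluate(proto, src, sport, dst, dport):
    """Return (action, ace-priority) of the first matching ACE, or (default, None)."""
    for prio, aproto, s, sw, sp, d, dw, dp, action in ACES:
        if aproto != "ip" and aproto != proto:
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, prio
    return DEFAULT_ACTION, None


if __name__ == "__main__":
    # Constructed flows; 203.0.113.10 is a documentation address standing in for an internet host.
    flows = [
        ("tcp", "10.0.50.20", 50000, "10.0.50.100", 8200),  # DLNA: permit by ACE 60
        ("tcp", "10.0.50.20", 50001, "10.0.50.100", 80),    # web UI: deny by ACE 120
        ("icmp", "10.0.50.20", None, "10.0.50.21", None),   # client-to-client: deny by ACE 120 if routed
        ("icmp", "10.0.50.20", None, "10.0.10.5", None),    # other VLAN: deny by ACE 120
        ("tcp", "10.0.50.20", 50002, "203.0.113.10", 443),  # internet: default permit
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
```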
05-22-2021 03:28 PM
- Q1: how come the 10.0.50.100 server is properly isolated from other clients on the VLAN when they try to ping it or access its web server on port 80 ?
This one I figured out I think: the Media server is connected to an SG350X Switch which is trunked to the core SG350 switch doing the interVLAN routing. The other VLAN 50 clients are connected to the core Switch.
Please help for the other issues and proper ACLs
05-23-2021 03:18 AM
Well, it was the L2 layer communication on the Wifi AP trunk
Only devices connected by Wifi were talking to each other, not those wired
So the ACLs look to be working
I isolated the AP L2 on the AP software
Please give a feedback on my ACLs strategy above
Best regards