09-23-2013 07:18 AM
Hi,
I have a stack of SG500 switches that are in layer 3 mode.
There are 3 VLANs:
100 = Data 192.168.1.0
200 = Phone 192.168.200.0
500 = Management 192.168.220.0
Each VLAN has an ip address and clients have their gateways set as the switches interface address. Intervlan is working and clients can ping across VLANS and access the internet.
I now want to apply some restrictions. For example, I want to be able to apply rules such as:
1) Clients on 100 or 200 cannot access each other or Management.
2) Management can access anything on ANY VLAN.
3) Clients on 100 can access host 192.168.200.100 on vlan 200 on port 443 only.
I have tried setting up an example ACL and ACE as in the attached screenshot, and applied the ACL to all ports on the switch:
When I do this the management can't ping anything. It seems that the 'deny' is blocking the replies etc.
Is this possible, and if so, how? Thanks in advance.
09-25-2013 11:15 AM
Dear Sy,
Thank you for reaching the Small Business Support Community.
To permit/deny ICMP packets you would have to enter a new ACE for that particular protocol and place it as the second ACE from the top. Below is a document on IPv4 ACL setup; in step 6 you must select ICMP, and in step 16 you can choose either "Any" ICMP packet or a particular one.
http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3025
I hope this helps and please let me know if there is anything else I may assist you with in the meantime.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the post so others will know when an answer has been found.
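The behaviour behind the original question (management pings fail once the deny ACEs are applied) and the reply's fix (an ICMP permit entry placed second from the top) can both be seen in a small model of how a stateless, first-match ACL evaluates packets. The following is an added example, not configuration or code from the thread or from Cisco; it models an ACL applied inbound on every port, evaluated top-down with an implicit deny at the end (the usual Cisco ACL behaviour, assumed here). It uses the three VLAN subnets, the 192.168.200.100 host and port 443 from the thread; the client addresses 192.168.220.5, 192.168.1.10, 192.168.200.20, the ephemeral port 51000 and the external address 8.8.8.8 are constructed test values. It goes one step beyond the thread by also permitting the return half of the HTTPS flow (source port 443 back to the data VLAN), which the same stateless logic would otherwise drop.

```python
"""Model of a stateless, first-match IP ACL as applied on a Cisco small-business
switch: the first ACE that matches decides, and a packet matching nothing is
dropped (implicit deny). Added example; not the switch's own code or config."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any IP protocol; else "tcp", "udp", "icmp"
    src: str                         # source prefix in CIDR form ("0.0.0.0/0" = any)
    dst: str                         # destination prefix in CIDR form
    src_port: Optional[int] = None   # TCP/UDP source port, None = any
    dst_port: Optional[int] = None   # TCP/UDP destination port, None = any
    icmp_type: Optional[str] = None  # e.g. "echo-reply"; None = any ICMP type


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None


# VLAN subnets from the thread; the HTTPS host is the one host clients may reach.
DATA = "192.168.1.0/24"
PHONE = "192.168.200.0/24"
MGMT = "192.168.220.0/24"
HTTPS_HOST = "192.168.200.100/32"
ANY = "0.0.0.0/0"


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Every field set on the ACE must match the packet; unset fields match anything."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(ace.src):
        return False
    if ip_address(pkt.dst) not in ip_network(ace.dst):
        return False
    if ace.src_port is not None and ace.src_port != pkt.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, 1-based ACE number);
    (deny, None) means the implicit deny at the end of the list fired."""
    for number, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, number
    return "deny", None


def build_acl(permit_icmp_replies: bool) -> List[Ace]:
    """The three rules from the thread, ordered so that permits sit above denies.
    With permit_icmp_replies=False this is the poster's situation: the reply to a
    management ping enters the switch on a client port, matches the deny for
    client -> management traffic, and is dropped because the ACL keeps no state."""
    acl = [Ace("permit", "ip", MGMT, ANY)]                       # rule 2: management reaches anything
    if permit_icmp_replies:
        # The support reply's fix, placed second from the top: only echo replies,
        # so clients still cannot ping management themselves.
        acl.append(Ace("permit", "icmp", ANY, MGMT, icmp_type="echo-reply"))
    acl += [
        Ace("permit", "tcp", DATA, HTTPS_HOST, dst_port=443),    # rule 3: data -> host, 443 only
        Ace("permit", "tcp", HTTPS_HOST, DATA, src_port=443),    # return half of that flow (added)
        Ace("deny", "ip", DATA, PHONE),                          # rule 1: no data <-> phone
        Ace("deny", "ip", PHONE, DATA),
        Ace("deny", "ip", DATA, MGMT),                           # rule 1: no client -> management
        Ace("deny", "ip", PHONE, MGMT),
        Ace("permit", "ip", ANY, ANY),                           # everything else (internet) still works
    ]
    return acl


if __name__ == "__main__":
    # Constructed sample traffic; each is the packet as it enters a switch port.
    samples = {
        "mgmt ping request to data client": Packet("icmp", "192.168.220.5", "192.168.1.10", icmp_type="echo-request"),
        "echo reply back to management":    Packet("icmp", "192.168.1.10", "192.168.220.5", icmp_type="echo-reply"),
        "data client pings management":     Packet("icmp", "192.168.1.10", "192.168.220.5", icmp_type="echo-request"),
        "data client to https host:443":    Packet("tcp", "192.168.1.10", "192.168.200.100", 51000, 443),
        "https host:443 reply to client":   Packet("tcp", "192.168.200.100", "192.168.1.10", 443, 51000),
        "data client to https host:80":     Packet("tcp", "192.168.1.10", "192.168.200.100", 51000, 80),
        "phone to data client":             Packet("tcp", "192.168.200.20", "192.168.1.10", 51000, 22),
        "data client to internet":          Packet("tcp", "192.168.1.10", "8.8.8.8", 51000, 443),
    }
    for label, acl in (("poster's ACL (no ICMP entry)", build_acl(False)),
                       ("with ICMP echo-reply entry", build_acl(True))):
        print(f"== {label}")
        for name, pkt in samples.items():
            action, number = evaluate(acl, pkt)
            where = f"ACE {number}" if number else "implicit deny"
            print(f"  {name:34s} -> {action:6s} ({where})")
```

Running it shows the reply to a management ping being denied by the client-to-management ACE in the first list and permitted by ACE 2 in the second, while a client's own ping to management is still denied in both. The same stateless reasoning is why the return packets from 192.168.200.100:443 need their own permit entry above the deny for phone-to-data traffic.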
01-13-2016 10:22 AM
I have a similar issue. Could you look at my discussion?