Cisco SMB Switch SGE2000 ACL restriction

J_Vansen_S
Level 3

Hi,

I am running the SGE2000 as my L3 core switch with multiple inter-VLANs.

I have a customer requirement to restrict, e.g., GUEST-VLAN10 from all other VLANs in the network, only allowing access to the internet.

It seems on the switch I am able to bind an ACL per port interface.

Please advise if this is possible on the SGE2000.

4 Replies

Davidwagman1
Level 7

Hi J Vansen,

Yes it is possible.

Before you bind the ACL to the port interface, did you create an ACE and ACL?

Best,

David

Hi J_Vansen_S

Yes, it's possible with your SGE2000 because it is a Layer 3 switch. With the command "ip access-group (ACL-Name) in" you can block access to the other VLANs.

For example, let's say you have 4 VLANs and a WAN connection.

Vlan10  192.168.10.0/24 (GUEST-VLAN10)
Vlan20  192.168.20.0/24
Vlan30  30.0.0.0/8
Vlan40  192.168.0.0/16
Wan     10.10.10.0/30

This is the configuration:

ena
config t
  ip routing                                                  -->Enable routing features
  vlan 10                                                     -->Creates your Vlan10
    name GUEST-VLAN10
    exit
  ip access-list extended DenyVLAN-10                         -->creates an ACL to deny the networks (VLANs)
    deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255     -->denies vlan 20
    deny ip 192.168.10.0 0.0.0.255 30.0.0.0 0.255.255.255     -->denies vlan 30
    deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.255.255   -->denies vlan 40
    permit ip any any                                         -->allows access to the internet
    exit
  interface Vlan10
    ip address 192.168.10.254 255.255.255.0
    ip access-group DenyVLAN-10 in                            -->associate the ACL to VLAN10
    exit
  interface Vlan20
    ip address 192.168.20.254 255.255.255.0
    exit
  interface Vlan30
    ip address 30.0.0.254 255.0.0.0                           -->a host address; 30.0.0.0 itself is the network address and cannot be assigned to the interface
    exit
  interface Vlan40
    ip address 192.168.40.254 255.255.0.0
    exit

If this answer was satisfactory for you, please mark the question as Answered.

Greetings, Johnnatan Rodriguez Miranda
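Added example, not part of any reply above: a small Python model of first-match wildcard ACL evaluation, fed a constructed copy of the DenyVLAN-10 entries from the configuration, so the policy can be checked before it is pushed to the switch. It also converts each deny entry's wildcard to the CIDR prefix it really covers, which shows that 0.0.255.255 sweeps up all of 192.168.0.0/16, not just the Vlan40 range.

```python
import ipaddress

# Constructed copy of the DenyVLAN-10 entries from the configuration above.
DENY_VLAN_10 = """
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 30.0.0.0 0.255.255.255
deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.255.255
permit ip any any
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _parse_field(tokens):
    """Consume 'any' or 'ADDR WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    return (_to_int(tokens[0]), _to_int(tokens[1])), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip SRC WC DST WC' lines into (action, src, dst) tuples."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        src, rest = _parse_field(tokens[2:])   # tokens[1] is the protocol ('ip')
        dst, _ = _parse_field(rest)
        acl.append((tokens[0], src, dst))
    return acl

def matches(field, addr):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = field
    return (_to_int(addr) | wildcard) == (base | wildcard)

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, d in acl:
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"

def effective_deny_networks(acl):
    """CIDR prefix each deny entry's destination wildcard really covers."""
    nets = []
    for action, _, (base, wildcard) in acl:
        if action == "deny":   # ipaddress reads a leading-zero mask as a hostmask
            spec = f"{ipaddress.IPv4Address(base)}/{ipaddress.IPv4Address(wildcard)}"
            nets.append(str(ipaddress.IPv4Network(spec, strict=False)))
    return nets
```

Call `evaluate(parse_acl(DENY_VLAN_10), "192.168.10.5", "8.8.8.8")` to test a guest-to-internet flow; only guest sources are filtered, so traffic from other VLANs towards the guest network is still permitted by this ACL.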

I had the same problem!!!

It works, thanks.

Hi Guys,

The new Sx300 and Sx500 have a supported CLI. I guess you can use the CLI on the newer products, but the CLI above looks pretty similar to the 300 series CLI.

I know I can restrict a guest network, as David Wagman suggested via the GUI, creating an ACE and ACL and then binding the ACL to the physical interface. (The switch filters on ingress of the packets.)

The SxGE2000 does not have a supported CLI. But if you look at the flow of the CLI above, yep, the only drawback is, as I mentioned above, you add the access-list to an interface, not the VLAN.

Regards, Dave