09-06-2017 01:53 PM - edited 03-21-2019 11:15 AM
On an SG300 series switch in Layer 3 mode I am trying to limit traffic allowed from one VLAN to another. I am able to create ACLs and ACEs in the web UI. My switch is running the latest software available (1.4.8.6). I am able to create a single ACE for a single destination. The problem is if I want to create multiple ACEs for a single destination (i.e. UDP and TCP) I am getting errors in the web UI stating a rule already exists.
For example... I have a DNS server on a VLAN I want all clients to have access to. I need all my clients to access this host via UDP and TCP over port 53. I create a rule with priority 1, protocol UDP, Destination IP to my DNS server, mask to 0.0.0.0, and destination port to 53. This ACE is created. Now I try to create a second ACE, priority 2, protocol TCP, and all the other settings the same. When I click Apply I get an error stating "Entry already exists" and the ACE is not created.
Is this expected behavior for the SF300 / SG300 line? Has anyone else been able to create a similar rule?
09-07-2017 12:31 AM
Hi there,
Have you tried creating it via the CLI?:
!
ip access-list extended TEST
permit udp any any host 10.10.10.1 53 ace-priority 1
permit tcp any any host 10.10.10.1 53 ace-priority 2
!
Typing the above on my SG300 doesn't give any errors and both entries appear under sh access-list.
cheers,
Seb.
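As an added illustration (not code from the thread or from Cisco), the following script builds the same style of SG300 extended ACL from a rule list, assigning each ACE its own ace-priority and rejecting only true duplicates (same protocol, host and port) so that UDP and TCP entries for the same DNS server coexist, as they do in the CLI answer above. The host 10.10.10.1 and port 53 are the values from the thread; the ACL name is arbitrary.

```python
# Added example, not from the original thread: generate SG300-style extended
# ACL CLI lines with distinct ace-priority values and a duplicate check that
# keys on (protocol, host, port) rather than on (host, port) alone.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    protocol: str   # "udp" or "tcp"
    dst_host: str   # destination host; a web-UI mask of 0.0.0.0 maps to "host"
    dst_port: int   # destination port (53 for DNS)


def build_acl(name: str, aces: list[Ace]) -> list[str]:
    """Return the CLI lines for an extended ACL named `name`.

    Raises ValueError if the same protocol/host/port triple appears twice;
    two entries differing only in protocol are accepted.
    """
    seen: set[Ace] = set()
    lines = ["!", f"ip access-list extended {name}"]
    for prio, ace in enumerate(aces, start=1):
        if ace in seen:
            raise ValueError(
                f"duplicate ACE: {ace.protocol} {ace.dst_host} {ace.dst_port}"
            )
        seen.add(ace)
        # source: any address, any port; destination: a single host and port
        lines.append(
            f"permit {ace.protocol} any any host {ace.dst_host} "
            f"{ace.dst_port} ace-priority {prio}"
        )
    lines.append("!")
    return lines


def missing_tcp_for_udp(aces: list[Ace]) -> list[tuple[str, int]]:
    """List (host, port) pairs that have a UDP ACE but no matching TCP ACE.

    Useful for DNS, where clients need both transports to the same server.
    """
    tcp = {(a.dst_host, a.dst_port) for a in aces if a.protocol == "tcp"}
    udp = {(a.dst_host, a.dst_port) for a in aces if a.protocol == "udp"}
    return sorted(udp - tcp)


if __name__ == "__main__":
    rules = [Ace("udp", "10.10.10.1", 53), Ace("tcp", "10.10.10.1", 53)]
    print("\n".join(build_acl("TEST", rules)))
```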