Help me to create IPv4 based ACLs for VLANs using GUI

Anitket01
Level 1

Hello,

I’m using a Cisco SG500 in layer 3 mode and have created different VLANs. Now I want to create IPv4-based ACLs and apply them to those VLANs to restrict access.

The VLANs are as below.

  1. Internet VLAN 1 = 10.1.0.0/16, and the Internet router IP is 10.1.0.1
  2. Server VLAN 10 = 10.10.0.0/16
  3. Workstation VLAN 11 = 10.11.0.0/16
  4. Workstation VLAN 12 = 10.12.0.0/16
  5. Workstation VLAN 13 = 10.13.0.0/16
  6. Workstation VLAN 14 = 10.14.0.0/16
  7. Guest VLAN 15 = 10.15.0.0/16

I’m using the built-in DHCP server feature of the SG500, so all DHCP pools are configured on the switch itself.

Now I want all members within the workstation VLANs to get IPs from the DHCP pool and access only the Internet and the servers, nothing else.

Also, I want all members within the Guest VLAN to get IPs from their DHCP pool and access only the Internet, nothing else.

Can anybody show me how to configure IPv4-based ACLs with the minimum number of ACEs for the above scenario, using only the web GUI, as I have no knowledge of the CLI?


Thanks in anticipation.

Aniket

3 Replies

Aleksandra Dargiel
Cisco Employee

Hi Aniket,

Since the destination IP addresses of Internet sites are unknown, and traffic to the other VLANs can be summarized as 10.0.0.0/8, I would create one ACL and bind it to all VLANs:

10 deny src any dst 10.0.0.0/8

20 permit any any

Note: this ACL would also prevent workstations from communicating with each other inside the same VLAN.

If this is not the desired scenario, then an ACE needs to be added just above the deny to allow traffic within the VLAN.

Please find below a document which can guide you through the Web GUI configuration:

http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=1a4bb16b5d00434da5f6095746775abe_IPv4_Based_ACL.xml&pid=2&respid=0&snid=4&dispid=0&cpage=search

Regards,

Aleksandra

Thanks Aleksandra.

What rule (ACE) should I add so that workstations can communicate with each other inside the same VLAN?

Hi Anitket,

In such a scenario you need a "permit" with source any and a destination specific to each VLAN, placed just above the "deny" rule. That would imply a different ACL for each VLAN.


I hope this helps.

Aleksandra
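The two ACL designs from the replies above, as an added worked example (Python written for this page, not code from the thread or from Cisco): a small first-match ACE evaluator, the single ACL from the first reply, the per-VLAN ACL from the second reply, and constructed sample flows drawn from the question's VLANs run through each, so the rows can be checked before they are entered in the SG500 web GUI. The per-VLAN builder also accepts extra permitted destinations, so the workstation ACL can include the server VLAN that the question asks for. Assumptions, labelled in the code: ACEs match in ascending priority with the first match winning and unmatched traffic taking a default action modelled as deny; only source and destination IPv4 addresses are modelled (protocol and ports left at any, as in the thread); 203.0.113.10 is a placeholder Internet address.

```python
"""Added example: first-match IPv4 ACL evaluator for the VLAN ACLs in the thread.
Assumptions: ascending priority, first match wins, unmatched traffic gets the
ACL's default action (modelled as "deny"); only src/dst IPv4 are matched.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")
PRIVATE_SUMMARY = "10.0.0.0/8"  # summary of every VLAN in the question

# VLAN subnets exactly as listed in the question.
VLANS = {
    1: "10.1.0.0/16",    # Internet VLAN, router at 10.1.0.1
    10: "10.10.0.0/16",  # servers
    11: "10.11.0.0/16",  # workstations
    12: "10.12.0.0/16",
    13: "10.13.0.0/16",
    14: "10.14.0.0/16",
    15: "10.15.0.0/16",  # guests
}


@dataclass(frozen=True)
class ACE:
    priority: int
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def _net(spec):
    return ANY if spec == "any" else IPv4Network(spec)


def ace(priority, action, src="any", dst="any"):
    return ACE(priority, action, _net(src), _net(dst))


def evaluate(acl, src_ip, dst_ip, default="deny"):
    """Return the action of the first ACE matching the packet, else `default`."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    for entry in sorted(acl, key=lambda a: a.priority):
        if s in entry.src and d in entry.dst:
            return entry.action
    return default


def render(acl):
    """One line per GUI row: priority, action, source, destination."""
    return [
        f"{a.priority:>3} {a.action:<6} src {'any' if a.src == ANY else a.src} "
        f"dst {'any' if a.dst == ANY else a.dst}"
        for a in sorted(acl, key=lambda a: a.priority)
    ]


# First reply: a single ACL bound to every VLAN.
GENERIC_ACL = [ace(10, "deny", "any", PRIVATE_SUMMARY), ace(20, "permit")]


def per_vlan_acl(own_subnet, also_permit=()):
    """Second reply: a per-VLAN ACL that permits the VLAN's own subnet above the
    deny. `also_permit` adds further destinations, e.g. the server VLAN that the
    question wants workstations to reach (an extension beyond the reply)."""
    acl, prio = [], 10
    for net in (own_subnet, *also_permit):
        acl.append(ace(prio, "permit", "any", net))
        prio += 10
    acl.append(ace(prio, "deny", "any", PRIVATE_SUMMARY))
    acl.append(ace(prio + 10, "permit"))
    return acl


def scenario():
    """Constructed sample flows; 203.0.113.10 is a placeholder Internet host."""
    internet = "203.0.113.10"
    wk11 = per_vlan_acl(VLANS[11], also_permit=[VLANS[10]])
    guest = per_vlan_acl(VLANS[15])
    return {
        # generic ACL from the first reply, as bound to workstation VLAN 11
        "generic wk11->internet": evaluate(GENERIC_ACL, "10.11.0.50", internet),
        "generic wk11->server": evaluate(GENERIC_ACL, "10.11.0.50", "10.10.0.5"),
        "generic wk11->same vlan": evaluate(GENERIC_ACL, "10.11.0.50", "10.11.0.60"),
        "generic dhcp discover": evaluate(GENERIC_ACL, "0.0.0.0", "255.255.255.255"),
        # per-VLAN ACL for workstation VLAN 11, extended with the server VLAN
        "wk11->same vlan": evaluate(wk11, "10.11.0.50", "10.11.0.60"),
        "wk11->server": evaluate(wk11, "10.11.0.50", "10.10.0.5"),
        "wk11->vlan12": evaluate(wk11, "10.11.0.50", "10.12.0.7"),
        "wk11->internet": evaluate(wk11, "10.11.0.50", internet),
        # per-VLAN ACL for the guest VLAN, as the second reply describes
        "guest->same vlan": evaluate(guest, "10.15.0.20", "10.15.0.21"),
        "guest->server": evaluate(guest, "10.15.0.20", "10.10.0.5"),
        "guest->internet": evaluate(guest, "10.15.0.20", internet),
    }


if __name__ == "__main__":
    print("\n".join(render(per_vlan_acl(VLANS[11], also_permit=[VLANS[10]]))))
    for flow, verdict in scenario().items():
        print(f"{flow:<26} {verdict}")
```

Running it shows the single generic ACL permitting the Internet and the DHCP broadcast but denying workstation-to-server and intra-VLAN traffic, while the per-VLAN variant permits the VLAN's own subnet (and, for workstation VLANs, the server VLAN) before the 10.0.0.0/8 deny. The evaluator models ACE matching only, not where the switch applies the binding, so behaviour for traffic addressed to the switch itself should still be verified on the device.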