Solved: Help me to create IPv4 based ACLs for VLANs using GUI

Anitket01 · ‎03-16-2015

Hello,

I’m using Cisco SG500 in layer 3 mode and created different VLANs. Now I want to create IPv4 based ACLs and apply to those VLANs to restrict access.

The VLANs are as per below.

Internet VLAN 1 = 10.1.0.0/16 and Internet router IP is 10.1.0.1
Server VLAN 10 = 10.10.0.0/16
Workstation VLAN 11 = 10.11.0.0/16
Workstation VLAN 12 = 10.12.0.0/16
Workstation VLAN 13 = 10.13.0.0/16
Workstation VLAN 14 = 10.14.0.0/16
Guest VLAN 15 = 10.15.0.0/16

I’m using built-in DHCP server feature of SG500 so all DHCP Pools are configured on the switch itself.

Now I want all members within workstation VLANs to get IPs from the DHCP Pool and only access Internet & Servers and nothing else.

Also, I want all members with in Guest VLAN to get IPs from their DHCP Pool and access only Internet and nothing else.

Is anybody show me how to configure IPv4 based ACLs with minimum ACEs for above scenario? but using only web GUI interface as I don’t have knowledge of CLI.

Thanks in anticipation.

Aniket

Aleksandra Dargiel · ‎03-17-2015

Hi Aniket,

Since the destination IP address to the internet sites is unknown and traffic to other VLANs can be summarize 10.0.0.0/8 I would do one ACL and use it to bind to all VLANs

10 deny src any dst 10.0.0.0/8

20 permit any any

Note: this ACL would also prevent workstations from communicate between each other inside the same VLAN.

If this is not desired scenario than there needs to be ACE added to allow traffic within VLAN just above deny.

Please find below document which can guide you through Web GUI configuration:

http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=1a4bb16b5d00434da5f6095746775abe_IPv4_Based_ACL.xml&pid=2&respid=0&snid=4&dispid=0&cpage=search

Regards,

Aleksandra