Odd question about excluding IP ranges

We have a couple of SG-300s in a lighting network on seven stages. Every SG-300 is set up with two VLANs. VLAN1 is for the file server and remotes. VLAN2 is for sACN, a network protocol for distributing lighting data (like ArtNet).

 

Most of the stages' lighting consoles have two network ports, so it's easy to connect both of them to each VLAN's ports on the SG300.

 

Now to the tricky part. We have stages with lighting consoles with only one network port. I used my last network port on every SG300 to connect them together via a central switch, and told it that VLAN2 is forbidden so I don't have all the sACN data all over the network.

 

sg300.jpg

Is it possible to forbid an IP range, 200.x.x.x up to 255.255.255.255, on my last port instead of forbidding VLAN2 traffic? If it's easier to accept an IP range on a port, 10.101.x.x, that works fine also. ;)

 

Thanks!

 


Aleksandra Dargiel
Cisco Employee

Hi Tommy,

 

I am afraid those switches do not support outbound ACLs, if this is what you are looking for. The SG350 would do the job.

 

I hope this helps.

Aleksandra

Hi Aleksandra,

 

My SG300 has ACL. :)


I was playing around with ACLs and tried to deny outgoing UDP traffic on my switch on a single port, but it would not work.

I set up an ACL group called "sACN".

In my ACE table I put Group1 as priority 1, Deny, Protocol: UDP, Destination IP: 239.255.0.1 and IP wildcard 0.0.255.255

Group2 as priority 2, Permit, Protocol: Any, Destination IP: any

 

I need two Groups... Permit and Deny to solve this.


In the ACL binding group I put my ACL group name "sACN" on my main switch that connects my entire network together, and stopped the traffic from these multicast packets that I don't want on all my SG300s.

So thanks for the tip about ACL. :)

//Tommy
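
The two ACEs described in the last reply, modelled in Python as an added example (not code from the thread and not Cisco's implementation): it shows which destinations the wildcard 0.0.255.255 covers and why the Permit entry is needed. It assumes first-match evaluation by priority, an implicit deny when nothing matches, and the E1.31 mapping of an sACN universe to the group 239.255.<high byte>.<low byte>; the sample packets are constructed.

```python
import ipaddress

# ACEs as described in the reply: (priority, action, protocol, dest IP, wildcard).
# Wildcard bits set to 1 are "don't care", so 0.0.255.255 covers 239.255.x.x.
ACES = [
    (1, "deny", "udp", "239.255.0.1", "0.0.255.255"),
    (2, "permit", "any", "0.0.0.0", "255.255.255.255"),  # destination "any"
]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(dest, base, wildcard):
    """Compare only the bits the wildcard mask marks as significant (0 bits)."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(dest) & care) == (_to_int(base) & care)

def evaluate(aces, protocol, dest):
    """Return the action of the first matching ACE, lowest priority number first."""
    for _prio, action, proto, base, wildcard in sorted(aces):
        if proto in ("any", protocol) and wildcard_match(dest, base, wildcard):
            return action
    return "deny"  # assumed implicit deny when no ACE matches

def sacn_group(universe):
    """Multicast group of an sACN (E1.31) universe: 239.255.<high byte>.<low byte>."""
    return "239.255.%d.%d" % (universe >> 8, universe & 0xFF)

if __name__ == "__main__":
    # Constructed sample packets: (protocol, destination IP).
    samples = [
        ("udp", sacn_group(1)),      # universe 1 -> 239.255.0.1
        ("udp", sacn_group(300)),    # universe 300 -> 239.255.1.44
        ("udp", "10.101.1.20"),      # unicast on the 10.101.x.x range
        ("tcp", "10.101.1.20"),      # file-server traffic
    ]
    for proto, dest in samples:
        print(proto, dest, "full ACL:", evaluate(ACES, proto, dest),
              "| deny ACE only:", evaluate(ACES[:1], proto, dest))
```

With only the Deny ACE bound, the non-sACN samples are dropped as well, which matches the reply's remark that both a Permit and a Deny entry are needed.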