On an Sx500, when are VLAN-bound ACLs applied?

elderberry
Level 1

Hello,

I want to know when exactly VLAN ACLs are applied, on these particular switches: Sx500, Firmware version 1.4.11.5


Note, this seems to work differently from most other Cisco switches. Most information out there does not apply, and cannot be used, on Sx500. I don't see SVI mentioned in the manual.


First, suppose a packet stays within its VLAN. It enters via port 11, VLAN 2 and is forwarded to port 12, VLAN 2. VLAN 2 has an ACL. Is it applied? When is it applied?


Next, suppose a packet gets routed. Destination is 10.0.3.10.

1. It enters via port 11, VLAN 2

2. VLAN 2 has address 10.0.2.2/24. 10.0.2.2 was used as the gateway. A routing decision is being made.

3. 10.0.3.10 is in VLAN 3. The packet enters VLAN 3 (does it?).

4. The packet is forwarded to port 13, VLAN 3.


When are the VLAN ACLs applied here? (and when not?)

At/after step 1, the VLAN 2 ACL?

Before/after step 2, the VLAN 2 ACL?

At/after step 3, the VLAN 2 or 3 ACL?

At step 4, any VLAN ACL?


Note, as I understand information about some other switches, it would be only the VLAN 2 ACL at step 2, and the ACLs have different features. But this is an SG500; how does it work here?


Thanks

2 Replies

Martin Aleksandrov
Cisco Employee

@elderberry 


Hi there, 


Yes, the configuration process is quite different but the logic is fundamentally the same. Please refer to the following articles that might guide you through the configuration steps.


1. https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-350-series-managed-switches/smb3025-configure-ipv4-based-access-control-list-acl-and-access-cont.html 


2. https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-500-series-stackable-managed-switches/smb2674-add-access-control-list-acl-to-interface-binding-on-sx500-se.html 


Regards,

Martin

elderberry
Level 1

OK, I tried to use VLAN ACLs. Still an Sx500 switch.

I tested it assuming they apply only when routing, as if the VLAN-as-an-interface were an SVI. Because that way it's easy to make useful ACLs.

I created interfaces for routing, bound some ACLs to the VLANs, enabled IPv4 routing. BUT I did not actually use the routing. I did not use the VLAN interfaces as gateways anywhere. All the inter-subnet traffic is routed by an external router.

Result: The (externally) routed traffic was dropped (as if the ACLs applied). The initial assumption is wrong. I could watch some packets passing through the (external) router, as the first hop was not blocked by ACLs. But they did not arrive at the destination, when the second hop could be blocked by ACL.

After disabling IPv4 routing and removing the ACLs, traffic worked as it should.

This means the VLAN ACLs are not just applied when routing; they are even applied when packets enter and leave the switch via the same VLAN.


So the question remains: When are VLAN ACLs applied? But 2 simple cases must be considered:

Case 1: Packet enters via port P1, in VLAN V1, leaves via port P2.

Case 2: Packet enters via port P1, in VLAN V1, gets routed, ends up in VLAN V2, leaves via port P2.


thanks