SG-350 MAC-Based ACL fails to filter traffic on port

the79bomb
Level 1

I would like to restrict access to the server on port 1 to specific devices by MAC address. I have the following config on my SG350-10:

switch8f97f0#show run
v2.3.5.63 / RLINUX_923_093
CLI v1.0
mac access-list extended Server-Access
permit 5c:51:4f:ca:aa:aa ff:ff:ff:ff:ff:ff any ace-priority 1
permit 18:67:b0:c9:aa:aa ff:ff:ff:ff:ff:ff any ace-priority 2
permit c4:9d:ed:04:aa:aa ff:ff:ff:ff:ff:ff any ace-priority 3
permit 00:1f:29:05:aa:aa ff:ff:ff:ff:ff:ff any ace-priority 4
permit b0:72:bf:ff:aa:aa ff:ff:ff:ff:ff:ff any ace-priority 5
deny any any ace-priority 10
exit
!
interface vlan 2
name Office
ip address dhcp
!
interface GigabitEthernet1
service-acl input Server-Access
switchport access vlan 2
!
interface GigabitEthernet10
spanning-tree link-type point-to-point
switchport mode trunk
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!

I connect to a computer connected to a different switch on GE10 and am able to ping and RDP the server.

I also tried applying the ACL to the VLAN instead:

!
interface vlan 2
name Office
ip address dhcp
service-acl input Server-Access
!

Is there something wrong with my config or does the feature just not work?

I was also considering applying port protection on the uplink port and restricting access that way, but it would reduce the number of usable ports on the switch in my case - the devices allowed in the ACL are all connected to another switch.
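As an added example that is not from the post or from Cisco, the evaluator below walks a MAC ACL like the one above in ace-priority order (first match wins, implicit deny at the end) and reports which ACE a given source MAC hits on a `service-acl input` port. It assumes the second field of an ACE is a wildcard in which a 1 bit means "ignore", which is how the Cisco Small Business guides describe the MAC ACE mask; `wildcard=False` evaluates the same field as a subnet-style mask so the two readings can be compared against the firmware's own documentation.

```python
# Added example (not from the post): evaluate an SG-style MAC ACL against the
# source MAC of a frame entering a port ("service-acl input" is ingress).
# ACEs run in ascending ace-priority; first match wins, unmatched = deny.
# Assumption: the mask field is a wildcard (1 bit = ignore), as Cisco's Small
# Business guides describe it; wildcard=False reads it as a subnet-style mask.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACL_TEXT = """permit 5c:51:4f:ca:aa:aa ff:ff:ff:ff:ff:ff any ace-priority 1
permit 18:67:b0:c9:aa:aa ff:ff:ff:ff:ff:ff any ace-priority 2
deny any any ace-priority 10"""  # constructed sample: two of the post's permits plus its deny

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

@dataclass
class Ace:
    action: str         # "permit" or "deny"
    src: Optional[int]  # None means "any"
    mask: int           # second field of the ACE (unused when src is None)
    priority: int

def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        if tok[1] == "any":
            src, mask, rest = None, 0, tok[2:]
        else:
            src, mask, rest = mac_to_int(tok[1]), mac_to_int(tok[2]), tok[3:]
        # rest[0] is the destination, "any" in every ACE of the post; not parsed.
        prio = int(rest[rest.index("ace-priority") + 1]) if "ace-priority" in rest else 0
        aces.append(Ace(tok[0], src, mask, prio))
    return sorted(aces, key=lambda a: a.priority)

def ace_matches(ace: Ace, src_mac: int, wildcard: bool = True) -> bool:
    if ace.src is None:
        return True
    # Bits that are compared: zero bits of a wildcard, one bits of a subnet mask.
    care = (~ace.mask if wildcard else ace.mask) & 0xFFFFFFFFFFFF
    return (src_mac & care) == (ace.src & care)

def evaluate(acl: List[Ace], src_mac: str, wildcard: bool = True) -> Tuple[str, Optional[int]]:
    mac = mac_to_int(src_mac)
    for ace in acl:
        if ace_matches(ace, mac, wildcard):
            return ace.action, ace.priority
    return "deny", None
```

Under the wildcard reading a mask of ff:ff:ff:ff:ff:ff makes an ACE match every source address, so running the real running-config lines through `evaluate` with an unlisted MAC is a quick way to confirm what the list actually matches before looking at the port or VLAN binding.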
