SG300-10P Layer 3 IPv4 ACL w/ InterVLAN Routing Issue

dragonfir3
Level 1

So, I'll start off saying I am still a novice when it comes to VLANs and ACLs so if you wish to help me, have patience, please.

Anyways, the short story is that I would like to make a Management VLAN inaccessible to the rest of my VLANs on this switch. I understand that I will need ACLs to accomplish this, but either A) I am doing it wrong or B) what I am trying to do isn't possible. Here is my mock-up network info:

VLAN 101 = 131.111.1.0/24

VLAN 102 = 10.60.1.0/24

VLAN 681 = 131.186.0.0/24 (Management)

I can ping all my VLAN gateways on the switch from any VLAN, so I know InterVLAN Routing is working like it is supposed to. The next step was to block VLANs 101 and 102 from being able to access VLAN 681. It looked easy enough and I thought I set it up right, but I can still ping the VLAN 681 IP address when I reside on either VLAN 101 or 102, which is a no-go. If you need any more particulars please let me know and I'll try to get them to you. Thank you in advance for your assistance.

Accepted Solution

chrihussey
VIP Alumni

There are multiple ways to do this, but in its simplest form:

!
access-list 100 deny ip any 131.186.0.0 0.0.0.255
access-list 100 permit ip any any
!
interface vlan 101
ip access-group 100 in
!
interface vlan 102
ip access-group 100 in
!


2 Replies


Wow, I feel like a noob. I was applying the ACL to the Management VLAN instead of applying it to the VLANs I didn't want to have access to it. I took a few tries on telnet but after digging through my CLI manual for some commands, I got it all working the way I want it. Again, thanks for the little nudge in the right direction.

For anyone else that comes to this thread, here is an example of what I inputted on Telnet/SSH to set up my ACL:

username:*****
password:*****
switchxxxx # config
switchxxxx(config) # ip access-list extended Computers
switchxxxx(config-ip-al) # deny ip any 131.186.0.0 0.0.0.255
switchxxxx(config-ip-al) # permit ip any any
switchxxxx(config-ip-al) # exit
switchxxxx(config) # interface vlan 101
switchxxxx(config-if) # service-acl input Computers default-action deny-any
switchxxxx(config-if) # exit
switchxxxx(config) # exit
switchxxxx # write
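As an added example (not code from the thread or from the switch), here is a small Python model of the first-match, wildcard-mask ACL evaluation the accepted answer relies on. It reproduces ACL 100 (the same two entries as the OP's `Computers` ACL) and shows why binding it inbound on the VLAN 101 and 102 SVIs blocks traffic to 131.186.0.0/24, while the OP's first attempt, binding it inbound on the management SVI, never sees that traffic. The `Ace` class, `forward()` and the binding dicts are my own constructs for illustration, not SG300 commands.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "any" or "<address> <wildcard>" as written in the ACL
    dst: str

def _match(spec, ip):
    """IOS wildcard match: 0 bits in the wildcard must be equal, 1 bits are don't-care."""
    if spec == "any":
        return True
    addr, wild = spec.split()
    a, w, h = (int(ipaddress.IPv4Address(x)) for x in (addr, wild, ip))
    return ((a ^ h) & ~w & 0xFFFFFFFF) == 0

def evaluate(acl, src, dst):
    """First matching entry wins; the implicit trailing deny applies otherwise."""
    for ace in acl:
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action
    return "deny"

# ACL 100 from the accepted solution (identical to the OP's "Computers" ACL).
ACL_100 = [
    Ace("deny", "any", "131.186.0.0 0.0.0.255"),
    Ace("permit", "any", "any"),
]

# The thread's mock-up subnets; the ingress SVI is the one whose subnet holds the source.
SVI = {101: "131.111.1.0/24", 102: "10.60.1.0/24", 681: "131.186.0.0/24"}

def ingress_vlan(src):
    return next(v for v, net in SVI.items()
                if ipaddress.IPv4Address(src) in ipaddress.IPv4Network(net))

def forward(bindings, src, dst):
    """Apply only the inbound ACL bound to the SVI the packet arrives on."""
    acl = bindings.get(ingress_vlan(src))
    return "permit" if acl is None else evaluate(acl, src, dst)

# Correct placement: inbound on the VLANs that must not reach management.
GOOD = {101: ACL_100, 102: ACL_100}
# The OP's first attempt: inbound on the management SVI only (constructed to show the bug).
BAD = {681: ACL_100}
```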