cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1177
Views
0
Helpful
11
Replies

SG300-28 VLAN based ACL not working

Phen10
Level 1
Level 1

Hi,

I am having some issue with IPv4 based ACE rules.  Basically 3 VLAN's 192.168.20.0/24(VLAN20, 192.168.40.0/24(VLan40), 192.168.55.0/24(VLAN 55).  Vlan20 is office net, Vlan 40 is guest, Vlan 55 is default route subnet to firewall.  all traffic should be allowed Firewall access.  I want to deny all traffic from Vlan 40 to Vlan 20.  I want to deny all traffic vlan 20 to vlan 40 except some web services on 192.168.40.114:32400 TCP

I have no issues setting up the deny traffic but am struggling getting the permit traffic rule to work.  I am binding the ACL to Vlan 20 and 40 as default deny as well

1 Accepted Solution

Accepted Solutions

Sure - that is the reason i suggested as below 

"Either you need to granular rules like what port you looking to allow. example 80 or 443 and so on, to make a strict rule"

So remove from web server to Local pool permit, and add only required ports and test it.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

11 Replies 11

balaji.bandi
Hall of Fame
Hall of Fame

How about adding another permit rule from the 192.168.40.114 to the 192.168.20.0 network? is that works ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

No. still not working.  Also I dont want 40 to have access to 20.

Actually, that last attempt I had the subnet wrong.  I fixed to 0.0.0.225 and it works. Thanks  40.114 now has access to 20.0/24 now which I don't want.  how do I fix that?

This ACL, Device is not FW so it is not a stateful Firewall to remember your connection - so that is a limitation with ACL.

either you need to granular rules like what port you looking to allow. example 80 or 443 so on, to make strict rule.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Phen10
Level 1
Level 1

I not sure about this solution of having network open in both direction to get the permit rule to work.  In this thread the user was able to get it to work for permitting traffic in one direction only.

https://community.cisco.com/t5/small-business-switches/acl-config-on-sg-300-28p/td-p/1858212

 

Sure - that is the reason i suggested as below 

"Either you need to granular rules like what port you looking to allow. example 80 or 443 and so on, to make a strict rule"

So remove from web server to Local pool permit, and add only required ports and test it.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I have tried it that way and it doesn't work. 

First, check 192168.40.114 port 32400 listenings, and change the source port to any

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Phen10
Level 1
Level 1

still not working. 

still not working. 

nice to have more information on what is not working. totally broken? or one side working.? 

First, check 192168.40.114 port 32400 listening  - is this working (I believe and take as working)?

Can you post again the screenshot of ACE and what firmware you running? enable Logging and check what is the error you get?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I think I finally understand how it works.  Thanks for the tip on the logging, it showed me more clearly what ports were traversing the rules and failing.