I set up a switch SG300-52P in layer 3 mode.
I have 3 VLANs (10, 20, 30) and ports assigned to every VLAN.
Each host can ping its own gateway (depending on the VLAN).
I want to permit some traffic from a VLAN to a specific host (server) on another VLAN. I tried with an ACL but can't do it.
Can anybody help me with how to do this?
Thanks a lot.
My ACL is very restrictive.
There is a lot of stuff here on the community on ACLs and the 300 series.
It may be interesting to use the search option, but here is a link that may help you;
Dave, thanks for your reply. I read your post and I have a couple of questions.
In your example you restricted a host to an FTP server. What if you want to allow the entire VLAN 10 to a single host in VLAN 20?
How would you do it, and on which interface do you have to bind that ACL?
Thanks a lot.
Assume the VLAN 10 network is 192.168.10.x.
Assume that the host in VLAN 20 is 192.168.20.10.
ip access-list extended Restrict_FTP
permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0
There is an implicit, but not seen, command to deny all traffic at the end of the filter list above.
Since the switch filters packets on ingress into the switch, I would apply the ACL to the switch ports where I would see packets from the 192.168.10.x network coming into the switch.
service-acl input Restrict_FTP
David, thanks a lot for your help. I'm going to try it.
In your example, if I have 30 ports in VLAN 10 (192.168.10.x), should I apply this filter port by port?
Is there a CLI command to apply the filter to the whole VLAN?
In the other example (restricted FTP) from your first link, what does the 20-21 at the end mean?
deny tcp 192.168.10.106 0.0.0.0 any 192.168.10.101 0.0.0.0 20-21
Thank you very much!
David, forget my last question (20-21); I didn't think about it. 20-21 are the FTP ports. Sorry about that.
I tried the ACL you wrote in red and it doesn't work. I have no communication between VLAN 10 and that host. I think there is something wrong with some other part of the configuration.
I have found that the Cisco SBS switches do not utilize wildcard masking properly. For example, I have the following access list. I highlighted one of the configuration lines:
SW1#show access-list TEST
Extended IP access list TEST
permit ip any 192.168.12.0 0.0.0.255 ace-priority 40
deny ip any 192.168.13.0 0.0.0.255 ace-priority 60
deny ip any 192.168.50.0 0.0.1.255 ace-priority 80
permit tcp any any any 443 ace-priority 100
permit tcp any any any www ace-priority 120
deny tcp any any 192.168.0.0 0.0.255.255 22-23 ace-priority 140
deny tcp any any 192.168.0.0 0.0.255.255 69 ace-priority 160
deny tcp any any 192.168.0.0 0.0.255.255 1433 ace-priority 180
deny tcp any any 192.168.0.0 0.0.255.255 3306 ace-priority 200
permit tcp any any 192.168.0.0 0.0.255.255 3389 ace-priority 220
deny udp any any 192.168.0.0 0.0.255.255 161-162 ace-priority 240
deny udp any any 192.168.0.0 0.0.255.255 1812-1813 ace-priority 260
permit ip any host 192.168.1.88 ace-priority 280
deny ip any 192.168.0.0 0.0.3.255 ace-priority 300
permit ip any any ace-priority 320
This line seems to allow access to port 81 at 192.168.0.11 but deny the port on 192.168.0.12.
Unless I'm missing something, there is a serious security issue with the SG line of switches.
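As an added example (not from any post in this thread), here is a small Python model of how an extended ACL with Cisco wildcard masks is evaluated: the first matching ACE in ace-priority order wins, and a packet that matches nothing hits the implicit deny David mentions. It encodes David's VLAN 10 to single-host rule and a constructed subset of the TEST list above, so what standard wildcard semantics should produce (for instance, both 192.168.0.11 and 192.168.0.12 fall inside 192.168.0.0 0.0.3.255) can be compared with the behaviour the last poster reports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # "any": every address bit is a don't-care

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol; else "tcp"/"udp"
    src: Tuple[str, str]            # (base address, Cisco wildcard mask)
    dst: Tuple[str, str]
    dport: Optional[Tuple[int, int]] = None  # inclusive destination port range

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'ignore this bit'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
        return False
    if ace.dport is None:
        return True
    return dport is not None and ace.dport[0] <= dport <= ace.dport[1]

def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching ACE wins (ace-priority order); no match hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"

# David's Restrict_FTP list: VLAN 10 to a single host in VLAN 20, then the implicit deny.
RESTRICT_FTP = [Ace("permit", "ip", ("192.168.10.0", "0.0.0.255"), ("192.168.20.10", "0.0.0.0"))]

# Constructed subset of the TEST list posted at the end of the thread, in ace-priority order.
TEST = [
    Ace("permit", "ip", ANY, ("192.168.12.0", "0.0.0.255")),
    Ace("deny", "ip", ANY, ("192.168.50.0", "0.0.1.255")),      # 192.168.50.0 - 192.168.51.255
    Ace("permit", "tcp", ANY, ANY, (443, 443)),
    Ace("deny", "tcp", ANY, ("192.168.0.0", "0.0.255.255"), (22, 23)),
    Ace("permit", "ip", ANY, ("192.168.1.88", "0.0.0.0")),
    Ace("deny", "ip", ANY, ("192.168.0.0", "0.0.3.255")),       # 192.168.0.0 - 192.168.3.255
    Ace("permit", "ip", ANY, ANY),
]
```

Note that ordering matters as much as the masks: TCP/22 to 192.168.1.88 is denied by the earlier 22-23 ACE even though a later ACE permits everything to that host.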