03-14-2012 02:15 PM
I set up an SG300-52P switch in layer 3 mode.
I have 3 vlans (10,20,30) and ports assigned to every vlan.
Each host can ping its own gateway (depending on the vlan).
I want to permit some traffic from a vlan to a specific host (server) on another vlan. I tried with an ACL but can't do it.
Can anybody help me with how to do this?
Thanks a lot.
03-14-2012 08:45 PM
Hi Ray,
There is a lot of stuff here on the community about ACLs and the 300 series.
It may be interesting to use the search option, but here is a link that may help you:
https://supportforums.cisco.com/thread/2136493?tstart=0
regards dave
03-15-2012 09:00 AM
Dave, thanks for your reply. I read your post
https://supportforums.cisco.com/thread/2136493?tstart=0
and I have a couple of questions.
In your example you restricted a host to an FTP server. What if you want to allow the entire vlan 10 to reach a single host in vlan 20?
How would you do it? And to which interface do you have to bind that ACL?
Thanks a lot.
Ruy
03-15-2012 11:36 PM
Hi Ruy
assume the VLAN10 network is 192.168.10.x
assume that the host in VLAN 20 is 192.168.20.10
ip access-list extended Restrict_FTP
permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0
exit
There is an implicit, but not shown, command to deny all traffic at the end of the filter list above.
Since the switch filters packets on ingress into the switch, I would apply the ACL to the switch ports where I would see packets from the 192.168.10.x network coming into the switch.
interface gigabitethernet8
service-acl input Restrict_FTP
exit
03-16-2012 06:59 AM
David, thanks a lot for your help. I'm going to try it.
In your example, if I have 30 ports on vlan 10 (192.168.10.x), should I apply this filter port by port?
Is there a CLI command to apply the filter to the whole vlan?
In the other example (restricted FTP) from your first link, what does the 20-21 at the end mean?
deny tcp 192.168.10.106 0.0.0.0 any 192.168.10.101 0.0.0.0 20-21
thank you very much!
Ruy
03-16-2012 04:11 PM
David, forget my last question (20-21), I didn't think about it. 20-21 are the FTP ports. Sorry about that.
I tried the ACL you wrote in red and it doesn't work. I have no communication between vlan 10 and that host. I think there is something wrong with some other part of the configuration.
03-17-2012 06:17 AM
Hi Ruy,
My ACL is very restrictive.
ip access-list extended Restrict_FTP
permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0
exit
It only permits the 192.168.10.0 network to get to the host 192.168.20.10.
Maybe there should also be (in red):
ip access-list extended Restrict_FTP
permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any
exit
I have to admit I prefer using the GUI to produce my ACE entries. The table it creates shows how the ACL is going to work, and importantly in what order.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
regards dave
02-22-2018 09:12 AM
I have found the Cisco SBS switches do not utilize wildcard masking properly. For example, I have the following access list. I highlighted one of the configuration lines:
SW1#show access-list TEST
Extended IP access list TEST
permit ip any 192.168.12.0 0.0.0.255 ace-priority 40
deny ip any 192.168.13.0 0.0.0.255 ace-priority 60
deny ip any 192.168.50.0 0.0.1.255 ace-priority 80
permit tcp any any any 443 ace-priority 100
permit tcp any any any www ace-priority 120
deny tcp any any 192.168.0.0 0.0.255.255 22-23 ace-priority 140
deny tcp any any 192.168.0.0 0.0.255.255 69 ace-priority 160
deny tcp any any 192.168.0.0 0.0.255.255 1433 ace-priority 180
deny tcp any any 192.168.0.0 0.0.255.255 3306 ace-priority 200
permit tcp any any 192.168.0.0 0.0.255.255 3389 ace-priority 220
deny udp any any 192.168.0.0 0.0.255.255 161-162 ace-priority 240
deny udp any any 192.168.0.0 0.0.255.255 1812-1813 ace-priority 260
permit ip any host 192.168.1.88 ace-priority 280
deny ip any 192.168.0.0 0.0.3.255 ace-priority 300
permit ip any any ace-priority 320
This line seems to allow access to port 81 at 192.168.0.11 but deny the port on 192.168.0.12.
Unless I'm missing something, there is a serious security issue with the SG line of switches.
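As an added example that is not part of this thread and not Cisco's code, the following Python script evaluates Cisco-style extended ACEs offline using the documented wildcard-mask semantics (a 1 bit in the wildcard means "don't care") and the implicit deny at the end of every ACL. It runs Dave's Restrict_FTP ACL from earlier in the thread against a few packets, which shows why the one-line version cut VLAN 10 off from everything except 192.168.20.10 and why the version ending in `permit ip any any` does not, and it walks the TEST ACL above to show what the expected decision for TCP port 81 to 192.168.0.11 and 192.168.0.12 is under correct wildcard matching: both addresses fall inside 192.168.0.0 0.0.3.255 and both should be denied by that ACE. The names `Packet`, `Ace`, `parse_ace`, `evaluate` and `decide`, and the sample packets (source 10.1.1.1 and so on), are my own constructions.

```python
# Added example, not from the thread: an offline evaluator for Cisco-style extended
# IPv4 ACEs using standard wildcard-mask semantics (a 1 bit in the wildcard means
# "don't care") and the implicit deny at the end of every ACL.  The names here
# (Packet, Ace, parse_ace, evaluate, decide) and the sample packets are my own.
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "ssh": 22, "telnet": 23}
Packet = namedtuple("Packet", "proto src dst dport sport", defaults=(None, None))
# src/dst are (address, wildcard) 32-bit ints; sport/dport are inclusive ranges or None
Ace = namedtuple("Ace", "action proto src dst sport dport text")

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(t: List[str], i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _ports(t: List[str], i: int):
    """Parse an optional port spec ('any', '443', 'www', '20-21'); 'ace-priority' ends the ACE."""
    if i >= len(t) or t[i] == "ace-priority":
        return None, i
    tok = t[i]
    if tok == "any":
        return None, i + 1
    if tok in PORT_NAMES:
        return (PORT_NAMES[tok], PORT_NAMES[tok]), i + 1
    lo, _, hi = tok.partition("-")
    return (int(lo), int(hi or lo)), i + 1

def parse_ace(line: str) -> Ace:
    """Parse one ACE as the SG300 CLI accepts it and 'show access-list' prints it."""
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line!r}")
    l4 = proto in ("tcp", "udp")          # only TCP/UDP ACEs carry port specs
    src, i = _addr(t, 2)
    sport, i = _ports(t, i) if l4 else (None, i)
    dst, i = _addr(t, i)
    dport, i = _ports(t, i) if l4 else (None, i)
    return Ace(action, proto, src, dst, sport, dport, line.strip())

def _addr_match(spec, addr: int) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF             # the bits the ACE actually compares
    return (addr & care) == (net & care)

def _port_match(spec, port) -> bool:
    return spec is None or (port is not None and spec[0] <= port <= spec[1])

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", "any") and ace.proto != pkt.proto:
        return False
    return (_addr_match(ace.src, _ip(pkt.src)) and _addr_match(ace.dst, _ip(pkt.dst))
            and _port_match(ace.sport, pkt.sport) and _port_match(ace.dport, pkt.dport))

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching ACE wins; a packet matching nothing hits the unseen implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", None

def decide(acl_lines: List[str], proto: str, src: str, dst: str, dport: Optional[int] = None):
    acl = [parse_ace(l) for l in acl_lines if l.strip()]
    return evaluate(acl, Packet(proto, src, dst, dport))

# Dave's two Restrict_FTP versions, copied from the thread.
RESTRICT_FTP_STRICT = ["permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0"]
RESTRICT_FTP_OPEN = RESTRICT_FTP_STRICT + [
    "deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255", "permit ip any any"]
# The TEST ACL from the 2018 post, as 'show access-list' printed it.
TEST_ACL = """
permit ip any 192.168.12.0 0.0.0.255 ace-priority 40
deny ip any 192.168.13.0 0.0.0.255 ace-priority 60
deny ip any 192.168.50.0 0.0.1.255 ace-priority 80
permit tcp any any any 443 ace-priority 100
permit tcp any any any www ace-priority 120
deny tcp any any 192.168.0.0 0.0.255.255 22-23 ace-priority 140
deny tcp any any 192.168.0.0 0.0.255.255 69 ace-priority 160
deny tcp any any 192.168.0.0 0.0.255.255 1433 ace-priority 180
deny tcp any any 192.168.0.0 0.0.255.255 3306 ace-priority 200
permit tcp any any 192.168.0.0 0.0.255.255 3389 ace-priority 220
deny udp any any 192.168.0.0 0.0.255.255 161-162 ace-priority 240
deny udp any any 192.168.0.0 0.0.255.255 1812-1813 ace-priority 260
permit ip any host 192.168.1.88 ace-priority 280
deny ip any 192.168.0.0 0.0.3.255 ace-priority 300
permit ip any any ace-priority 320
""".strip().splitlines()

if __name__ == "__main__":            # both should hit the 'deny ip any 192.168.0.0 0.0.3.255' ACE
    for dst in ("192.168.0.11", "192.168.0.12"):
        print("TEST tcp/81 ->", dst, decide(TEST_ACL, "tcp", "10.1.1.1", dst, 81))
```

The script models what the CLI documentation says an ACL should do, nothing more; the practical check is to run the same packet (a `telnet 192.168.0.11 81` or an nmap probe from a host on the ingress port) through the real switch and compare the observed result with `decide()`. Where the two disagree on a wildcard that is not a clean /24 or /16, as the 0.0.3.255 case above, the hardware is not applying the mask the configuration shows, which is exactly the situation the 2018 post describes.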
02-23-2018 02:30 AM
06-15-2018 09:55 AM
I worked with the support team and it is a confirmed bug.
The ID is CSCvj91570.
For those with access, you can look it up and follow it here.
06-16-2018 04:15 AM
You rock!
My workaround was replacing our SG300s with a bunch of used C3560-X switches, which ended up costing about half as much as the SG300s did new...