
SG500 ACL / ACE config with many VLANs

bl-dubai-uae
Level 1

Good day!

My hardware:

  • Four SG500 52 and SG500 52P switches in one stack, with many VLANs configured.
  • A WLC which routes the internet ports; static route on the SG500 stack.
  • DHCP Server
  • APs on trunk ports

Now I would like to set up some inter-VLAN routing rules.


I would put the following ACEs into one ACL:


Copy machine 100: 192.168.0.0 - 0.0.255.255 permit 192.168.0.9 - 0.0.0.1

DHCP server 101: 192.168.0.0 - 0.0.255.255 permit 192.168.0.10 - 0.0.0.1

for 1 to vlan count: 192.168.vlanid.0 - 0.0.0.255 permit 192.168.vlanid.0 - 0.0.0.255

Internet access: 192.168.0.0 - 0.0.255.255 permit any


Kindly point me to the right direction.

Essentially, each VLAN should access a centralized copy machine, VLAN-internal traffic shall be allowed, and VLAN internet traffic shall be allowed.

VLAN X to VLAN Y traffic should be blocked.


Thanks a lot. Links to manuals / tutorials are highly appreciated.



Aleksandra Dargiel
Cisco Employee

Hi,

I follow the rule "the simpler the better" and would create only 2 ACLs: one to block the traffic on VLAN X when the DST subnet is VLAN Y, and the second rule for the opposite direction.

You could even work with only one of those ACLs, since most protocols would require return traffic anyway.

But with 2 ACLs you limit unwanted traffic closer to the source, and it is also much clearer and more understandable if you look at these settings a year later.

Regards,

Aleksandra
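
As an added example (not part of the original post or the reply, and not Cisco's code), the following Python models both the ACE list sketched in the question and the reply's "block closest to the source" approach as first-match ACLs with Cisco wildcard masks, then runs constructed sample flows through them. It shows two things a practitioner would want to check before pasting anything into the stack: with the question's single ACL, the final "192.168.0.0/16 permit any" ACE also matches VLAN-to-VLAN flows, so a deny for the rest of 192.168.0.0/16 has to sit ahead of it; and the posted wildcard "0.0.0.1" on 192.168.0.9 and 192.168.0.10 also matches .8 and .11. The per-VLAN ingress ACL, the extra DHCP broadcast ACE (0.0.0.0 -> 255.255.255.255 does not match a 192.168.x.0/24 source), the implicit deny at the end of an ACL, the SG500 CLI keywords in `render_sx500`, and VLAN IDs 10 and 20 are all assumptions of this example and should be verified against the SG500 CLI guide.

```python
"""First-match ACL model for the inter-VLAN policy discussed in the thread.

Added example, not code from the original post or from Cisco. Implicit deny at
the end of an ACL and the SG500 CLI shape in render_sx500 are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")    # Cisco 'any' as base/wildcard
SITE = ("192.168.0.0", "0.0.255.255")   # all VLAN subnets, as in the post
COPIER = ("192.168.0.9", "0.0.0.1")     # as posted; wildcard bit 0 also covers .8
DHCP = ("192.168.0.10", "0.0.0.1")      # as posted; also covers .11


def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    note: str = ""


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """First matching ACE wins; no match -> implicit deny (assumed)."""
    for ace in acl:
        if wc_match(src, ace.src, ace.src_wc) and wc_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def vlan_net(vlan_id: int) -> tuple[str, str]:
    return f"192.168.{vlan_id}.0", "0.0.0.255"


def planned_acl(vlan_ids: list[int]) -> list[Ace]:
    """The single ACL sketched in the question, ACEs in the order given there."""
    acl = [Ace("permit", *SITE, *COPIER, "copy machine"),
           Ace("permit", *SITE, *DHCP, "DHCP server")]
    for v in vlan_ids:
        acl.append(Ace("permit", *vlan_net(v), *vlan_net(v), f"VLAN {v} internal"))
    acl.append(Ace("permit", *SITE, *ANY, "internet"))
    return acl


def ingress_acl_for_vlan(vlan_id: int) -> list[Ace]:
    """Per-VLAN ingress ACL (assumed design): shared services and own subnet
    first, then deny every other 192.168.0.0/16 destination BEFORE permit any."""
    net = vlan_net(vlan_id)
    return [
        # DHCP DISCOVER/REQUEST from an unconfigured client is 0.0.0.0 -> 255.255.255.255
        # and never matches a 192.168.x.0/24 source; assumed needed, verify on site.
        Ace("permit", "0.0.0.0", "0.0.0.0", "255.255.255.255", "0.0.0.0", "DHCP broadcast"),
        Ace("permit", *net, *COPIER, "copy machine"),
        Ace("permit", *net, *DHCP, "DHCP server"),
        Ace("permit", *net, *net, f"VLAN {vlan_id} internal"),
        Ace("deny", *net, *SITE, "block every other VLAN"),
        Ace("permit", *net, *ANY, "internet"),
    ]


def render_sx500(name: str, vlan_id: int, acl: list[Ace]) -> str:
    """Assumed SG500 CLI shape (ip access-list extended / service-acl input);
    the '!' lines are reader comments. Check keywords against the CLI guide."""
    def tok(addr: str, wc: str) -> str:
        return "any" if (addr, wc) == ANY else f"{addr} {wc}"
    lines = [f"ip access-list extended {name}"]
    for a in acl:
        lines.append(f"! {a.note}")
        lines.append(f"{a.action} ip {tok(a.src, a.src_wc)} {tok(a.dst, a.dst_wc)}")
    lines += ["exit", f"interface vlan {vlan_id}", f"service-acl input {name}", "exit"]
    return "\n".join(lines)


# Constructed sample flows: (src, dst, action the post asks for)
FLOWS = [
    ("192.168.10.5", "192.168.10.7", "permit"),   # same VLAN
    ("192.168.10.5", "192.168.0.9", "permit"),    # copy machine
    ("192.168.10.5", "192.168.0.10", "permit"),   # DHCP server
    ("192.168.10.5", "8.8.8.8", "permit"),        # internet
    ("192.168.10.5", "192.168.20.5", "deny"),     # VLAN 10 -> VLAN 20
    ("0.0.0.0", "255.255.255.255", "permit"),     # DHCP discover
]


def check(acl: list[Ace]) -> dict[tuple[str, str], bool]:
    """Map each sample flow to whether the ACL yields the wanted action."""
    return {(s, d): evaluate(acl, s, d) == want for s, d, want in FLOWS}


if __name__ == "__main__":
    print("planned single ACL :", check(planned_acl([10, 20])))
    print("per-VLAN ingress ACL:", check(ingress_acl_for_vlan(10)))
    print(render_sx500("VLAN10_IN", 10, ingress_acl_for_vlan(10)))
```

Running it prints, for the planned single ACL, `False` for the VLAN 10 -> VLAN 20 flow (the catch-all permit lets it through) and for the DHCP discover flow, while the per-VLAN ingress list satisfies every sample flow. Generate one such list per VLAN and bind it inbound on that VLAN, which is the "limit unwanted traffic closer to the source" layout from the reply.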