Access-list Permit and Deny for SG300-10 Switch, ACL

rkent649649
Level 1

Good morning. I have a Cisco SG300-10 10-port Gigabit managed switch that is set to L3 mode. I have set up 2 VLANs (VLAN 30 and VLAN 40) and set a static route from our firewall so the VLANs can connect to the internet. Now, going further, I would like to make VLAN 30 inaccessible from VLAN 40 while VLAN 40 can be accessed by VLAN 30, and at the same time both VLANs would have internet connectivity. As I searched for this, I came across ACLs and tried to configure the switch. However, what happened during the process was that both VLANs can no longer access each other, but there is still internet connectivity for each VLAN.

For my current switch running-config, please see the information below.

config-file-header
Switch
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 30,40
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp relay address 192.168.20.254
ip dhcp relay enable
ip dhcp information option
bonjour interface range vlan 1
ip access-list extended Dot30
permit ip 192.168.30.0 0.0.0.255 192.168.20.113 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
exit
ip access-list extended Dot40
permit ip 192.168.40.0 0.0.0.255 192.168.20.113 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
exit
hostname switch
clock timezone " " 0 minutes 0
clock dhcp timezone
!
interface vlan 1
 shutdown
!
interface vlan 30
 ip address 192.168.30.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 40
 ip address 192.168.40.1 255.255.255.0
 ip dhcp relay enable
!
interface gigabitethernet1
 service-acl input Dot30 default-action permit-any
 switchport mode access
 switchport access vlan 30
 switchport forbidden default-vlan
!
interface gigabitethernet2
 service-acl input Dot30 default-action permit-any
 switchport mode access
 switchport access vlan 30
 switchport forbidden default-vlan
!
interface gigabitethernet3
 service-acl input Dot30 default-action permit-any
 switchport mode access
 switchport access vlan 30
 switchport forbidden default-vlan
!
interface gigabitethernet4
 service-acl input Dot30 default-action permit-any
 switchport mode access
 switchport access vlan 30
 switchport forbidden default-vlan
!
interface gigabitethernet5
 service-acl input Dot40 default-action permit-any
 switchport mode access
 switchport access vlan 40
 switchport forbidden default-vlan
!
interface gigabitethernet6
 service-acl input Dot40 default-action permit-any
 switchport mode access
 switchport access vlan 40
 switchport forbidden default-vlan
!
interface gigabitethernet7
 service-acl input Dot40 default-action permit-any
 switchport mode access
 switchport access vlan 40
 switchport forbidden default-vlan
!
interface gigabitethernet8
 service-acl input Dot40 default-action permit-any
 switchport mode access
 switchport access vlan 40
 switchport forbidden default-vlan
!
interface gigabitethernet9
 switchport forbidden default-vlan
!
interface gigabitethernet10
 ip address 192.168.20.113 255.255.255.0
 switchport forbidden default-vlan
!
exit
ip default-gateway 192.168.20.254

Please note that the ACL configuration was done using the web GUI, for I keep getting errors like "unrecognized command" if I go for the CLI command. Hoping for any help from you guys. Thank you very much in advance.

4 Replies

Mark Malone
VIP Alumni

Hi, you could try this:

conf t
ip access-list extended Dot30
permit ip 192.168.30.0 0.0.0.255 192.168.20.113 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.20.113 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255    ! permits vlan 30 to speak to 40
deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255      ! denies vlan 40 from speaking to 30
exit

Remove the extra ACL, there is no need for it:

conf t
! deleting the list drops both of its entries:
!   permit ip 192.168.40.0 0.0.0.255 192.168.20.113 0.0.0.255
!   permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
no ip access-list extended Dot40
exit


Apply it to all ports, as on the SG300 I don't think you can do a VLAN ip access-group:

interface range gi1-10
service-acl input Dot30


Here's the admin guide; it may help:

http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf



Thank you for that. By the way, for the default action in the service-acl command, do I need to put permit-any or deny-any? I've tried deny-any, and what happens is that when I connect a host to VLAN 30 or VLAN 40, it loses its connection and can no longer get an IP from DHCP.

Hi rkent,

I don't know if your switch supports reflexive ACLs, but you can deny traffic in one direction and allow the opposite direction with the help of reflexive ACLs (behind the ASA's inspection were reflexive ACLs).

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html

Hi Mark,

I have two questions:

1) What is the difference between 2 ACLs and 1 ACL (which covers both)?

2) If the switch permits VLAN 30 to ping 40 but denies the opposite, then when I ping from 30 to 40, the ICMP is permitted, but for the ping to be successful the echo-reply has to come back from 40 to 30. So the switch will block the echo-reply that comes from 40 to 30. Theoretically, the idea of permitting traffic from one VLAN to another and denying the opposite way is not possible, and if it works, then how? ASAs have security levels and have this kind of function, but ASAs have inspection and are more capable devices than a switch.


Regards
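Question 2 above is the crux of the original problem, and it can be checked without a switch. The following is an added example (not code from this thread, from Cisco, or from the SG300 firmware): a small Python model of a stateless, first-match port ACL like the one the SG300 applies with service-acl, loaded with the Dot30/Dot40 entries from the posted running-config. It evaluates every conversation as two packets, the request checked against the ACL bound inbound on the sender's access ports and the reply checked against the ACL bound inbound on the receiver's ports, because that is where a port ACL actually sees them. The `ack_only` ACE is a hypothetical stand-in for an IOS-style "established" match (TCP segments with the ACK flag set); whether the SG300 CLI offers such a flag match is not confirmed here, so it is modelled rather than written in device syntax. The host addresses and the 8.8.8.8 internet host are constructed test inputs.

```python
"""Stateless port-ACL model for the VLAN 30 / VLAN 40 question.

Added example, not from the thread: the Dot30/Dot40 entries are the ones in the
original running-config; 'ack_only' is a hypothetical 'established'-style match
(TCP with ACK set), modelled here rather than written in SG300 syntax.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"       # "ip" (any), "icmp" or "tcp"
    tcp_ack: bool = False   # ACK flag; only meaningful when proto == "tcp"


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "ip"            # "ip" matches every protocol
    ack_only: bool = False       # hypothetical: match only TCP segments with ACK set


def wc(addr, wildcard):
    """Cisco address/wildcard pair -> network. Wildcard 1-bits are don't-care
    bits, so 192.168.20.113 0.0.0.255 is the whole 192.168.20.0/24, not a host."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def evaluate(acl, pkt, default_action):
    """First matching ACE wins; the port's default-action applies otherwise."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.ack_only and not (pkt.proto == "tcp" and pkt.tcp_ack):
            continue
        if src in ace.src and dst in ace.dst:
            return ace.action
    return default_action


def conversation_allowed(acls, src_ip, dst_ip, proto="icmp", default_action="permit"):
    """acls maps a VLAN network to the ACL bound inbound on that VLAN's access ports.

    A port ACL sees the request where it enters (the sender's port) and the
    reply where *it* enters (the receiver's port); both must be permitted for
    the exchange to work. Hosts outside every listed VLAN (the internet side,
    which enters on gi10 in the posted config) have no service-acl at all.
    """
    def inbound_acl(ip):
        for net, acl in acls.items():
            if ipaddress.IPv4Address(ip) in net:
                return acl
        return []

    request = Packet(src_ip, dst_ip, proto)
    reply = Packet(dst_ip, src_ip, proto, tcp_ack=(proto == "tcp"))
    return (evaluate(inbound_acl(src_ip), request, default_action) == "permit"
            and evaluate(inbound_acl(dst_ip), reply, default_action) == "permit")


VLAN30 = ipaddress.ip_network("192.168.30.0/24")
VLAN40 = ipaddress.ip_network("192.168.40.0/24")

# The ACLs exactly as posted (bound with default-action permit-any).
DOT30_POSTED = [
    Ace("permit", wc("192.168.30.0", "0.0.0.255"), wc("192.168.20.113", "0.0.0.255")),
    Ace("deny",   wc("192.168.30.0", "0.0.0.255"), wc("192.168.40.0", "0.0.0.255")),
]
DOT40_POSTED = [
    Ace("permit", wc("192.168.40.0", "0.0.0.255"), wc("192.168.20.113", "0.0.0.255")),
    Ace("permit", wc("192.168.40.0", "0.0.0.255"), wc("192.168.30.0", "0.0.0.255")),
]
POSTED = {VLAN30: DOT30_POSTED, VLAN40: DOT40_POSTED}

# Hypothetical stateless workaround: VLAN 40 ports only let TCP *replies*
# (ACK set) back towards VLAN 30; everything else from 40 to 30 is denied.
DOT40_ESTABLISHED = [
    Ace("permit", VLAN40, VLAN30, proto="tcp", ack_only=True),
    Ace("deny",   VLAN40, VLAN30),
]
WORKAROUND = {VLAN30: [], VLAN40: DOT40_ESTABLISHED}


if __name__ == "__main__":
    cases = [
        ("posted, 30 pings 40",          POSTED,     "192.168.30.10", "192.168.40.10", "icmp"),
        ("posted, 40 pings 30",          POSTED,     "192.168.40.10", "192.168.30.10", "icmp"),
        ("posted, 30 to internet",       POSTED,     "192.168.30.10", "8.8.8.8",       "icmp"),
        ("ack-only, 30 opens TCP to 40", WORKAROUND, "192.168.30.10", "192.168.40.10", "tcp"),
        ("ack-only, 40 opens TCP to 30", WORKAROUND, "192.168.40.10", "192.168.30.10", "tcp"),
        ("ack-only, 30 pings 40",        WORKAROUND, "192.168.30.10", "192.168.40.10", "icmp"),
    ]
    for label, acls, s, d, p in cases:
        print(f"{label:32s} {'works' if conversation_allowed(acls, s, d, p) else 'blocked'}")
```

Running it reproduces the symptom in the first post: with the posted ACLs, 30-to-40 is denied outright by the deny entry in Dot30, and 40-to-30 is permitted on the way in but its reply is denied by that same entry, so neither VLAN reaches the other, while internet traffic matches no ACE, falls to default-action permit-any, and comes back in on gi10 where no service-acl is bound. It also shows what a stateless device can and cannot do: TCP connections opened from VLAN 30 can be let back in by matching ACK-bearing segments, but a new connection from VLAN 40 (no ACK on the SYN) is still denied, and ICMP echo-replies carry no such marker, so one-way ping stays impossible without a stateful device such as the firewall the poster mentions. Note too that `192.168.20.113 0.0.0.255` matches all of 192.168.20.0/24, not the single switch address.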
