04-15-2021 02:57 AM - edited 04-22-2021 07:09 AM
Hello,
I am a newbie. I replaced 2 switches, with VLAN33 protected by a FW, with 4 Cisco switches (2x SG350X and 2x SX350X) in a hybrid stack. The stack is now accessible from VLAN1 and VLAN33. Having removed the FW, I have to filter HTTP/HTTPS access from VLAN1 to VLAN33. How can I do it? I tried, but either I lock everything or it remains accessible anyway.
04-15-2021 03:04 AM
Removing the FW, I have to filter HTTP/HTTPS access from VLAN1 to VLAN33
Are you removing the FW, or do you need a FW rule so that VLAN 1 and VLAN 33 can access devices? Can you clarify?
What FW is this?
Explain what you have tried, and where.
04-15-2021 04:14 AM
Before putting the SG350X/SX350X hybrid stack online, I had 2 Dell 1052 switches with the same VLANs. Access to VLAN 33 (management) was managed by the policies on the PFSENSE firewall, which had 2 network interfaces, one pointing to the LAN (VLAN1, 192.168.0.254) and the other to MANAGEMENT (VLAN33, 192.168.33.254). The policy allowed access, for example, from 192.168.0.40 to all of MANAGEMENT (192.168.33.0). The stack has the same IPs, and I would like to do the same thing: allow access to VLAN33 only to certain IPs, for example 192.168.0.40. Now everyone can see http/https://192.168.0.254 or 192.168.33.254.
04-15-2021 05:22 AM
Where do you want to do this, on the switches or on the FW?
04-15-2021 05:45 AM
The firewall (it was ONLY for access management between LAN and MANAGEMENT and for browsing to the devices), and now I no longer have that VM. In addition, so as not to change the configuration of the infrastructure (gw, etc.), I gave the switch the same IPs.
04-15-2021 06:22 AM
By firewall you mean PFSENSE? Do you have a small network diagram showing how it is connected, so I can suggest better?
04-15-2021 07:09 AM
04-22-2021 08:18 AM
Hi Balaji
Does a solution come to mind?
Tomasz
04-22-2021 09:05 AM
I may have missed this thread due to the many in my list to address.
If both VLAN gateways point to PFSENSE,
you need to build a FW rule to block the required services so they do not talk to each other.
The guide below can help you:
https://nguvu.org/pfsense/pfsense-baseline-setup/#firewall%20rules
04-22-2021 09:15 AM
I know... I no longer have pfSense; it's work I would like to do on the Cisco stack: allow access to the page "https://192.168.0.254/cs4005acaf/mts/config/log_off_page.htm" only to some IPs on the LAN (VLAN1) and block access to VLAN33 (Management) "https://192.168.33.254/cs4005acaf/mts/config/log_off_page.htm".
04-22-2021 09:56 AM
Maybe I missed it: you mean that in the picture after migration you no longer have PFSENSE, and you would like to do the ACL in the SG 550 switches (do these switches hold your Layer 3 VLANs now?)
05-07-2021 03:33 AM - edited 05-07-2021 06:32 AM
Hello BB,
You don't miss the pfSense firewall; it's no longer in the current configuration. The firewall managed ONLY HTTP/HTTPS access from 192.168.0.0/24 (VLAN1) to 192.168.33.0 (VLAN 33) for device checks and maintenance. I would now like to do the same job on the Cisco stack. I saw a video guide that explains how to block all flow between 2 VLANs. I would like to block only HTTP and HTTPS. Do you have a specific guide?
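One way to do on the Sx350 stack itself what the thread asks for, as an added example that is not part of any post above. The addresses are the ones quoted in the thread (192.168.0.40 as the permitted LAN host, 192.168.0.0/24 as VLAN1, 192.168.33.0/24 as the management VLAN, the stack holding both VLAN interfaces); the ACL names MGMT-ONLY and LAN-TO-MGMT are mine. Two separate mechanisms are involved: the switch's own web UI at 192.168.0.254 / 192.168.33.254 is governed by a management access-list (in-band management plane), while HTTP/HTTPS from VLAN1 hosts to other devices in 192.168.33.0/24 is transit traffic and needs an IP ACL bound to the VLAN 1 interface. Command syntax follows the Sx350X CLI reference; confirm keywords with ? on the device, and apply from a console or from a host that matches a permit line so a mistake cannot lock you out.

```cisco
! --- Part 1: who may reach the switch's OWN management services ---
! A management access-list applies to every switch IP (192.168.0.254 and
! 192.168.33.254 alike) and to every in-band service; the console is unaffected.
! Only the lines listed are permitted; everything else is implicitly denied.
management access-list MGMT-ONLY
 permit ip-source 192.168.0.40 mask 255.255.255.255 service http
 permit ip-source 192.168.0.40 mask 255.255.255.255 service https
 permit ip-source 192.168.0.40 mask 255.255.255.255 service ssh
 permit vlan 33 service https
 permit vlan 33 service ssh
exit
! Activating the list is a separate step; nothing is filtered until this line.
management access-class MGMT-ONLY

! --- Part 2: HTTP/HTTPS from VLAN1 hosts to OTHER devices in the management VLAN ---
! Masks here are wildcard masks (0.0.0.0 = single host, 0.0.0.255 = /24).
! ACE order matters: the permits for 192.168.0.40 must come before the denies.
ip access-list extended LAN-TO-MGMT
 permit tcp 192.168.0.40 0.0.0.0 any 192.168.33.0 0.0.0.255 80
 permit tcp 192.168.0.40 0.0.0.0 any 192.168.33.0 0.0.0.255 443
 deny   tcp 192.168.0.0 0.0.0.255 any 192.168.33.0 0.0.0.255 80
 deny   tcp 192.168.0.0 0.0.0.255 any 192.168.33.0 0.0.0.255 443
 ! The ACL ends with an implicit deny-all. Without this final permit every
 ! other protocol from VLAN1 (DNS, SMB, even traffic to the internet gateway)
 ! is dropped, which is what "I lock everything" looks like.
 permit ip any any
exit

! Bind it inbound on the VLAN 1 routed interface so it is evaluated before
! the stack routes the packet into VLAN 33.
interface vlan 1
 service-acl input LAN-TO-MGMT
exit
```

The filter is stateless and only looks at traffic entering on VLAN 1, so replies from 192.168.33.0/24 back to the LAN are not affected and nothing needs to be bound on VLAN 33 for this use case. Drop the two `permit vlan 33` lines in Part 1 if hosts inside the management VLAN should not reach the switch UI either, and verify both parts from a non-permitted LAN host before considering the change done.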