Blocking inbound connection (Cisco SG550XG-24T)

qavlow
Level 1

Below are my settings for the Vlans and IPs:

Vlan 1 :10.0.0.254/24

Vlan 6: 10.0.6.254/24

Vlan 10: 10.0.10.254/24  Management Vlan

 

I would like to allow connections from Vlan 10 to Vlan 6 but block connections from Vlan 6 to Vlan 10. I heard that this can be achieved using a reflexive ACL, but after I configured the ACL through the web GUI, I am not able to connect between Vlan 6 and Vlan 10 in either direction. Can anyone tell me if this function can be achieved using this model of switch?

7 Replies

Hello,

the SG550 has a command line; use that to configure the access list below, then apply it inbound on the Vlan 10 interface:

access-list 101 permit tcp 10.0.10.0 0.0.0.255 10.0.6.0 0.0.0.255 established
access-list 101 permit icmp 10.0.10.0 0.0.0.255 10.0.6.0 0.0.0.255

The second line is just for ICMP (ping) traffic, so you can verify connectivity. That said, I am not sure if the SG550 lets you use the 'established' keyword...

Hello again.

Actually, looking at the CLI command reference (attached) again, I don't think you can use 'established'. Reflexive access lists are not supported either...

 

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/550xseries/cli_guide/CLI_Tesla_Sx550X_SG550XG_2_2_5.pdf

Hello


@qavlow wrote:

Below are my setting for the Vlan and ip

Vlan 1 :10.0.0.254/24

Vlan 6: 10.0.6.254/24

Vlan 10: 10.0.10.254/24  Management Vlan

 

I would like to allow connection from Vlan 10 to Vlan 6 but blocking connection from vlan 6 to vlan 10.


try this:

ip access-list extended Vl6-V10
remark Deny Vlan6 to initiate connection to Vlan10
permit tcp 10.0.6.0 0.0.0.255 any established
deny tcp 10.0.6.0 0.0.0.255 any
permit ip any any

int vlan 10
ip access-group Vl6-V10 out


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

My bad, I couldn't find the 'established' keyword in release 2.2.5; it looks like it was added in a later release (2.3 or 2.4)...

 

Just for reference, do you happen to have a link to the respective command? The link I posted is the CLI guide for 2.2.5, which apparently is outdated...

Couldn't use the keyword 'established', as it shows up as an unrecognized command. Is there any other way? I saw in the web GUI that I can apply an ACL as ingress and egress on a specific port.

I can't find any command reference higher than 2.2.5. My firmware version is 2.20.
https://www.cisco.com/c/en/us/support/switches/sg550xg-24t-24-port-10gbase-t-stackable-switch/model.html#CommandReferences

Even if tcp established were supported on your switch, it is a very incomplete solution. It would successfully achieve your requirement that a connection can be established from one vlan to a second vlan but not from the second vlan to the first, for TCP traffic. But it does nothing about traffic that is UDP, or ICMP, or any other protocol. You need something like a reflexive ACL or CBAC, and I believe that your platform does not support these.

 

HTH

 

Rick

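As an added illustration, not code from this thread or from Cisco: a small Python model of Paul's Vl6-V10 list, evaluated the way a stateless Cisco ACL is (first match wins, implicit deny at the end), which shows Rick's point that 'established' only constrains TCP while UDP and ICMP from Vlan 6 fall through to 'permit ip any any'. The Packet/evaluate/demo names and the sample hosts 10.0.6.20 and 10.0.10.5 are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: frozenset = field(default_factory=frozenset)

# Paul's ACL Vl6-V10 as (action, proto, src_net, dst_net, established).
# On Cisco ACLs, 'established' matches only TCP segments with ACK or RST set.
ACL_VL6_V10 = [
    ("permit", "tcp", "10.0.6.0/24", "0.0.0.0/0", True),
    ("deny",   "tcp", "10.0.6.0/24", "0.0.0.0/0", False),
    ("permit", "ip",  "0.0.0.0/0",   "0.0.0.0/0", False),
]

def matches(entry, pkt):
    _action, proto, src, dst, established = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(src):
        return False
    if ip_address(pkt.dst) not in ip_network(dst):
        return False
    # The whole "statefulness": no connection table, only the TCP flag bits.
    if established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; implicit deny at the end, as on Cisco ACLs."""
    for entry in acl:
        if matches(entry, pkt):
            return entry[0]
    return "deny"

def demo():
    """Traffic heading toward Vlan 10, where Paul applies the ACL 'out'."""
    # Constructed sample hosts (assumption): 10.0.6.20 on Vlan 6, 10.0.10.5 on Vlan 10.
    vl6, vl10 = "10.0.6.20", "10.0.10.5"
    return {
        "tcp_syn_vl6_to_vl10": evaluate(ACL_VL6_V10, Packet("tcp", vl6, vl10, frozenset({"SYN"}))),
        "tcp_reply_vl6_to_vl10": evaluate(ACL_VL6_V10, Packet("tcp", vl6, vl10, frozenset({"SYN", "ACK"}))),
        "udp_vl6_to_vl10": evaluate(ACL_VL6_V10, Packet("udp", vl6, vl10)),
        "icmp_vl6_to_vl10": evaluate(ACL_VL6_V10, Packet("icmp", vl6, vl10)),
    }
```

The TCP SYN is denied and the TCP reply permitted, but the UDP and ICMP packets are both permitted, which is the gap Rick describes.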