02-22-2019 12:29 AM
Below are my settings for the Vlan and ip
Vlan 1 :10.0.0.254/24
Vlan 6: 10.0.6.254/24
Vlan 10: 10.0.10.254/24 Management Vlan
I would like to allow connection from Vlan 10 to Vlan 6 but block connection from vlan 6 to vlan 10. I heard that it can be achieved using reflexive ACL, but after I configure the ACL through the web GUI, I am not able to connect between Vlan 6 and Vlan 10 in either direction. Can anyone tell me if this function can be achieved using this model of switch?
02-22-2019 01:58 AM
Hello,
the SG550 has a command line; use that and configure the below access list, then apply it inbound to the Vlan 10 interface:
access-list 101 permit tcp 10.0.10.0 0.0.0.255 10.0.6.0 0.0.0.255 established
access-list 101 permit icmp 10.0.10.0 0.0.0.255 10.0.6.0 0.0.0.255
The second line is just for ICMP (ping) traffic, so you can verify connectivity. That said, I am not sure if the SG550 lets you use the 'established' keyword...
02-22-2019 03:53 AM
Hello again.
actually, looking at the CLI command reference (attached) again, I don't think you can use 'established'. Reflexive access lists are not supported either...
02-22-2019 05:23 AM - edited 02-22-2019 05:26 AM
Hello
@qavlow wrote:
Below are my setting for the Vlan and ip
Vlan 1 :10.0.0.254/24
Vlan 6: 10.0.6.254/24
Vlan 10: 10.0.10.254/24 Management Vlan
I would like to allow connection from Vlan 10 to Vlan 6 but blocking connection from vlan 6 to vlan 10.
try this:
ip access-list extended Vl6-V10
remark Deny Vlan6 to initiate connection to Vlan10
permit tcp 10.0.6.0 0.0.0.255 any established
deny tcp 10.0.6.0 0.0.0.255 any
permit ip any any
int vlan 10
ip access-group Vl6-V10 out
02-22-2019 05:39 AM
My bad, I couldn't find the 'established' keyword in release 2.2.5, looks like it was added in a later release (2.3 or 2.4)...
Just for reference, do you happen to have a link to the respective command? The link I posted is the CLI for 2.2.5, which apparently is outdated...
03-06-2019 01:12 AM
Couldn't use the keyword established as it shows as an unrecognized command. Is there any other way? I saw in the Web GUI that I can apply an ACL as ingress and egress to a specific port.
03-06-2019 01:24 AM
03-06-2019 08:15 AM
Even if tcp established were supported on your switch, it is a very incomplete solution. It would successfully achieve your requirement that a connection can be established from one vlan to a second vlan but not from the second vlan to the first vlan for tcp traffic. But it does not do anything about traffic that is UDP, or ICMP, or any other protocol. You need something like reflexive acl or CBAC. And I believe that your platform does not support these.
HTH
Rick
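To make the point in the reply above concrete, here is a small ACL evaluator I added for this thread; it is not code from the original posts or from the switch vendor. It models the Vl6-V10 access list from the earlier reply as it would be evaluated on traffic leaving interface vlan 10 (i.e. packets sourced in 10.0.6.0/24 headed to 10.0.10.0/24), with the assumption that 'established' matches only TCP segments carrying the ACK or RST flag, which is how the keyword behaves on IOS-style ACLs. The packet samples are constructed for the demo. Running it shows the TCP SYN from Vlan 6 being dropped while a UDP datagram or ICMP echo from Vlan 6 sails through the final permit ip any any, which is the gap a stateful mechanism (reflexive ACL or CBAC) would close.

```python
import ipaddress
from dataclasses import dataclass

# Constructed packet model: just enough fields for an IOS-style ACL decision.
@dataclass(frozen=True)
class Packet:
    proto: str                              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()      # e.g. {"SYN"} or {"SYN", "ACK"}

# One access control entry (ACE). proto "ip" matches any protocol.
@dataclass(frozen=True)
class Ace:
    action: str                             # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Return True if this ACE matches the packet (first match wins in the ACL)."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.established:
        # Assumption: 'established' only matches TCP segments with ACK or RST set,
        # so the first SYN of a new connection never matches this entry.
        if pkt.proto != "tcp":
            return False
        if not (pkt.tcp_flags & {"ACK", "RST"}):
            return False
    return True

def evaluate(acl: list, pkt: Packet) -> str:
    """Walk the ACL top to bottom; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

V6 = ipaddress.ip_network("10.0.6.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# The Vl6-V10 list from the thread, as applied 'out' on interface vlan 10:
#   permit tcp 10.0.6.0 0.0.0.255 any established
#   deny   tcp 10.0.6.0 0.0.0.255 any
#   permit ip any any
VL6_V10 = [
    Ace("permit", "tcp", V6, ANY, established=True),
    Ace("deny", "tcp", V6, ANY),
    Ace("permit", "ip", ANY, ANY),
]

def classify_thread_cases() -> dict:
    """Evaluate constructed Vlan 6 -> Vlan 10 packets against the ACL."""
    cases = {
        # New TCP connection attempt from Vlan 6: only the SYN bit is set.
        "vlan6_tcp_syn": Packet("tcp", "10.0.6.20", "10.0.10.254", frozenset({"SYN"})),
        # Reply segment of a session that Vlan 10 opened: ACK is set.
        "vlan6_tcp_synack": Packet("tcp", "10.0.6.20", "10.0.10.254", frozenset({"SYN", "ACK"})),
        # Non-TCP traffic initiated from Vlan 6, which 'established' cannot see.
        "vlan6_udp": Packet("udp", "10.0.6.20", "10.0.10.254"),
        "vlan6_icmp": Packet("icmp", "10.0.6.20", "10.0.10.254"),
    }
    return {name: evaluate(VL6_V10, pkt) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, verdict in classify_thread_cases().items():
        print(f"{name:18} -> {verdict}")
```

The two TCP cases behave as the thread intended; the UDP and ICMP cases are permitted by the trailing permit ip any any, which is exactly the hole the reply above describes.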