Cisco SG300 ACL Problem with outside private network

olivier.guenet
Level 1

Hi,

I have a problem with ACLs on a SG300-52 (Layer 3 mode).

In fact, I have created ACLs to filter traffic between VLANs and permit Internet access. All this is working fine.

However, I have a remote VPN site with a private IP address range (192.168.3.0/24 for example) routed by my firewall. If I activate an ACL on the SG300, no traffic is allowed to pass through, even if a permit ip any any rule is applied!

I have tried changing my external network to 1.1.1.0/24, and all is working fine...

Is the SG300 filtering outside private networks? Is there a possibility to disable that?

If not, is it a bug?

Thanks for your help

10 Replies

Seb Rupik
VIP Alumni

Hi there,

Can you attach the SG300 config with the desired ACL present and applied to the correct interface?

cheers,

Seb.

Hi,

This is the switch configuration:


config-file-header
SW3-RG-1
v1.4.8.6 / R800_NIK_1_4_202_008
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
spanning-tree priority 0
bridge multicast filtering
vlan database
vlan 10-13,100-103,200-201,250,254,1000-1002
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
no lldp run
system router resources ip-entries 256
ip dhcp relay address 192.168.1.14
ip dhcp relay enable
no boot host auto-config
no bonjour enable
bonjour interface range vlan 1
ip access-list extended USERS-INVITES
permit ip any 192.168.1.14 0.0.0.0 ace-priority 20
permit ip any 10.1.0.7 0.0.0.0 ace-priority 40
permit ip any 10.1.0.11 0.0.0.0 ace-priority 60
permit ip any 172.16.44.128 0.0.0.0 ace-priority 80
permit ip any 192.168.254.0 0.0.0.255 ace-priority 100
deny ip any 192.168.0.0 0.0.255.255 ace-priority 120
deny ip any 172.16.0.0 0.0.31.255 ace-priority 140
deny ip any 10.0.0.0 0.255.255.255 ace-priority 160
exit
ip access-list extended SRV-FORMATION
permit ip any 192.168.1.14 0.0.0.0 ace-priority 780
permit ip any 10.1.0.7 0.0.0.0 ace-priority 800
permit ip any 10.1.0.11 0.0.0.0 ace-priority 820
permit ip any 10.1.0.0 0.0.0.255 ace-priority 840
permit ip any 192.168.1.0 0.0.0.255 ace-priority 860
permit ip any 172.16.44.0 0.0.0.255 ace-priority 880
permit ip any 172.31.0.0 0.0.255.255 ace-priority 900
permit ip any 172.16.44.248 0.0.0.7 ace-priority 920
permit ip any 192.168.254.0 0.0.0.255 ace-priority 940
deny ip any 192.168.0.0 0.0.255.255 ace-priority 960
deny ip any 172.16.0.0 0.0.31.255 ace-priority 980
deny ip any 10.0.0.0 0.255.255.255 ace-priority 1000
exit
ip access-list extended BAC-A-SABLE
permit ip any 192.168.1.14 0.0.0.0 ace-priority 1020
permit ip any 10.1.0.7 0.0.0.0 ace-priority 1040
permit ip any 10.1.0.11 0.0.0.0 ace-priority 1060
permit ip any 10.1.4.0 0.0.0.255 ace-priority 1080
permit ip any 172.31.0.0 0.0.255.255 ace-priority 1100
permit ip any 172.16.44.248 0.0.0.7 ace-priority 1120
permit ip any 192.168.254.0 0.0.0.255 ace-priority 1140
deny ip any 192.168.0.0 0.0.255.255 ace-priority 1160
deny ip any 172.16.0.0 0.0.31.255 ace-priority 1180
deny ip any 10.0.0.0 0.255.255.255 ace-priority 1200
exit
ip access-list extended USERS-FORMATION
permit ip any 192.168.1.14 0.0.0.0 ace-priority 1220
permit ip any 10.1.0.7 0.0.0.0 ace-priority 1240
permit ip any 10.1.0.11 0.0.0.0 ace-priority 1260
permit ip any 172.31.0.0 0.0.255.255 ace-priority 1280
permit ip any 10.1.0.0 0.0.0.255 ace-priority 1300
permit ip any 10.1.4.0 0.0.0.255 ace-priority 1320
permit ip any 10.1.1.0 0.0.0.255 ace-priority 1340
permit ip any 192.168.254.0 0.0.0.255 ace-priority 1360
deny ip any 192.168.0.0 0.0.255.255 ace-priority 1380
deny ip any 172.16.0.0 0.0.31.255 ace-priority 1400
deny ip any 10.0.0.0 0.255.255.255 ace-priority 1420
exit
ip access-list extended AFFICHAGE-DYN
permit ip any 192.168.1.14 0.0.0.0 ace-priority 2000
permit ip any 192.168.1.12 0.0.0.0 ace-priority 2020
permit ip any 192.168.1.15 0.0.0.0 ace-priority 2040
permit ip any 10.1.3.0 0.0.0.255 ace-priority 2060
permit ip any 172.16.44.0 0.0.0.255 ace-priority 2080
permit ip any 192.168.254.0 0.0.0.255 ace-priority 2100
deny ip any 192.168.0.0 0.0.255.255 ace-priority 2120
deny ip any 172.16.0.0 0.0.31.255 ace-priority 2140
deny ip any 10.0.0.0 0.255.255.255 ace-priority 2160
exit
ip access-list extended JSEC
permit ip any 192.168.1.14 0.0.0.0 ace-priority 2180
permit ip any 192.168.1.12 0.0.0.0 ace-priority 2200
permit ip any 192.168.1.15 0.0.0.0 ace-priority 2220
permit ip any 10.1.2.0 0.0.0.255 ace-priority 2240
permit ip any 172.16.44.0 0.0.0.255 ace-priority 2260
permit ip any 192.168.254.0 0.0.0.255 ace-priority 2280
deny ip any 192.168.0.0 0.0.255.255 ace-priority 2300
deny ip any 172.16.0.0 0.0.31.255 ace-priority 2320
deny ip any 10.0.0.0 0.255.255.255 ace-priority 2340
exit
ip access-list extended VIDEO-PROJ
permit ip any 192.168.1.14 0.0.0.0 ace-priority 2360
permit ip any 192.168.1.12 0.0.0.0 ace-priority 2380
permit ip any 192.168.1.15 0.0.0.0 ace-priority 2400
permit ip any 10.1.1.0 0.0.0.255 ace-priority 2420
permit ip any 172.16.44.0 0.0.0.255 ace-priority 2440
permit ip any 172.13.31.0 0.0.255.255 ace-priority 2460
permit ip any 172.16.44.248 0.0.0.7 ace-priority 2480
permit ip any 192.168.254.0 0.0.0.255 ace-priority 2500
deny ip any 192.168.0.0 0.0.255.255 ace-priority 2520
deny ip any 172.16.0.0 0.0.31.255 ace-priority 2540
deny ip any 10.0.0.0 0.255.255.255 ace-priority 2560
exit
ip access-list extended USERS-PRODUCTION
permit ip any 192.168.1.14 0.0.0.0 ace-priority 2760
permit ip any 192.168.1.12 0.0.0.0 ace-priority 2780
permit ip any 192.168.1.15 0.0.0.0 ace-priority 2800
permit ip any 172.16.44.0 0.0.0.128 ace-priority 2820
permit ip any 10.1.2.0 0.0.0.255 ace-priority 2840
permit ip any 10.1.1.0 0.0.0.255 ace-priority 2860
permit ip any 10.1.3.0 0.0.0.255 ace-priority 2880
permit ip any 10.1.0.0 0.0.0.255 ace-priority 2900
permit ip any 192.168.1.0 0.0.0.255 ace-priority 2920
permit ip any 192.168.254.0 0.0.0.255 ace-priority 2940
deny ip any 192.168.0.0 0.0.255.255 ace-priority 2960
deny ip any 172.16.0.0 0.0.31.255 ace-priority 2980
deny ip any 10.0.0.0 0.255.255.255 ace-priority 3000
exit
ip access-list extended SRV-PRODUCTION
permit ip 192.168.1.14 0.0.0.0 any ace-priority 3020
permit ip 192.168.1.12 0.0.0.0 any ace-priority 3040
permit ip 192.168.1.15 0.0.0.0 any ace-priority 3060
permit ip any 192.168.1.0 0.0.0.255 ace-priority 3080
permit ip any 172.16.44.0 0.0.0.255 ace-priority 3100
permit ip any 10.1.0.0 0.0.0.255 ace-priority 3120
permit ip any 172.16.44.248 0.0.0.7 ace-priority 3140
permit ip any 192.168.254.0 0.0.0.255 ace-priority 3160
deny ip any 192.168.0.0 0.0.255.255 ace-priority 3180
deny ip any 172.16.0.0 0.0.31.255 ace-priority 3200
deny ip any 10.0.0.0 0.255.255.255 ace-priority 3220
exit
ip access-list extended USERS-SI
permit ip any 192.168.1.14 0.0.0.0 ace-priority 3240
permit ip any 192.168.1.12 0.0.0.0 ace-priority 3260
permit ip any 192.168.1.15 0.0.0.0 ace-priority 3280
permit ip any 172.16.44.248 0.0.0.7 ace-priority 3300
permit ip any 192.168.44.0 0.0.0.255 ace-priority 3320
permit ip any 192.168.1.0 0.0.0.255 ace-priority 3340
permit ip any 10.1.44.0 0.0.0.255 ace-priority 3360
permit ip any 10.1.1.0 0.0.0.255 ace-priority 3380
permit ip any 10.1.4.0 0.0.0.255 ace-priority 3400
permit ip any 192.168.0.0 0.0.0.255 ace-priority 3420
permit ip any 10.1.0.0 0.0.0.255 ace-priority 3440
permit ip any 192.168.254.0 0.0.0.255 ace-priority 3460
permit ip any 192.168.2.0 0.0.0.255 ace-priority 3480
permit ip any 192.168.3.0 0.0.0.255 ace-priority 3500
permit ip any 192.168.4.0 0.0.0.255 ace-priority 3520
permit ip any 192.168.5.0 0.0.0.255 ace-priority 3540
deny ip any 192.168.0.0 0.0.255.255 ace-priority 3560
deny ip any 172.16.0.0 0.0.31.255 ace-priority 3580
deny ip any 10.0.0.0 0.255.255.255 ace-priority 3600
exit
ip access-list extended SRV-SERVICES
permit ip any 192.168.1.14 0.0.0.0 ace-priority 3620
permit ip any 192.168.1.12 0.0.0.0 ace-priority 3640
permit ip any 192.168.1.15 0.0.0.0 ace-priority 3660
permit ip any 192.168.0.0 0.0.0.255 ace-priority 3680
permit ip any 172.16.44.248 0.0.0.7 ace-priority 3700
permit ip any 192.168.254.0 0.0.0.255 ace-priority 3720
permit ip any 192.168.2.0 0.0.0.255 ace-priority 3740
permit ip any 192.168.3.0 0.0.0.255 ace-priority 3760
permit ip any 192.168.4.0 0.0.0.255 ace-priority 3780
permit ip any 192.168.5.0 0.0.0.255 ace-priority 3800
deny ip any 192.168.0.0 0.0.255.255 ace-priority 3820
deny ip any 172.16.0.0 0.0.31.255 ace-priority 3840
deny ip any 10.0.0.0 0.255.255.255 ace-priority 3860
exit
ip access-list extended MANAGEMENT
permit ip any 192.168.1.14 0.0.0.0 ace-priority 20
permit ip any 192.168.1.12 0.0.0.0 ace-priority 40
permit ip any 192.168.1.15 0.0.0.0 ace-priority 60
permit ip any 192.168.44.0 0.0.0.255 ace-priority 80
permit ip any 192.168.1.0 0.0.0.255 ace-priority 100
permit ip any 172.16.44.248 0.0.0.7 ace-priority 120
permit ip any 192.168.254.0 0.0.0.255 ace-priority 140
permit ip any 10.0.0.0 0.0.0.255 ace-priority 160
deny ip any 192.168.0.0 0.0.255.255 ace-priority 180
deny ip any 172.16.0.0 0.0.31.255 ace-priority 200
deny ip any 10.0.0.0 0.255.255.255 ace-priority 220
exit
ip access-list extended TELEPHONIE
permit ip any 192.168.1.14 0.0.0.0 ace-priority 180
permit ip any 192.168.1.12 0.0.0.0 ace-priority 200
permit ip any 192.168.1.15 0.0.0.0 ace-priority 220
permit ip any 10.1.44.0 0.0.0.255 ace-priority 240
permit ip any 172.16.44.248 0.0.0.7 ace-priority 260
permit ip any 192.168.254.0 0.0.0.255 ace-priority 280
permit ip any 10.0.0.0 0.0.0.255 ace-priority 290
deny ip any 192.168.0.0 0.0.255.255 ace-priority 300
deny ip any 172.16.0.0 0.0.31.255 ace-priority 320
deny ip any 10.0.0.0 0.255.255.255 ace-priority 340
exit
hostname SW3-RG-1
no passwords complexity enable
ip ssh server
snmp-server contact SI
no ip http server
clock timezone CET +1
clock summer-time CEST recurring last sun oct 02:00 last sun mar 03:00
ip domain name imie
ip name-server 192.168.1.15 192.168.1.12
!
interface vlan 1
shutdown
!
interface vlan 10
name USERS-PRODUCTION
ip address 172.16.44.126 255.255.255.128
ip dhcp relay enable
service-acl input USERS-PRODUCTION default-action permit-any
!
interface vlan 11
name USERS-INVITES
ip address 172.16.44.190 255.255.255.192
ip dhcp relay enable
service-acl input USERS-INVITES default-action permit-any
!
interface vlan 12
name USERS-SI
ip address 172.16.44.254 255.255.255.248
ip dhcp relay enable
service-acl input USERS-SI default-action permit-any
!
interface vlan 13
name USERS-FORMATION
ip address 172.31.255.254 255.255.0.0
ip dhcp relay enable
service-acl input USERS-FORMATION default-action permit-any
!
interface vlan 100
name VIDEO-PROJ
ip address 10.1.1.254 255.255.255.0
service-acl input VIDEO-PROJ default-action permit-any
!
interface vlan 101
name JSEC
ip address 10.1.2.254 255.255.255.0
service-acl input JSEC default-action permit-any
!
interface vlan 102
name AFFICHAGE-DYN
ip address 10.1.3.254 255.255.255.0
ip dhcp relay enable
service-acl input AFFICHAGE-DYN default-action permit-any
!
interface vlan 103
name BAC-A-SABLE
ip address 10.1.4.254 255.255.255.0
service-acl input BAC-A-SABLE default-action permit-any
!
interface vlan 200
name MANAGEMENT
ip address 192.168.44.254 255.255.255.0
service-acl input MANAGEMENT default-action permit-any
!
interface vlan 201
name TELEPHONIE
ip address 10.1.44.254 255.255.255.0
service-acl input TELEPHONIE default-action permit-any
!
interface vlan 254
name INTERCO
ip address 192.168.254.1 255.255.255.0
!
interface vlan 1000
name SRV-SERVICES
ip address 192.168.0.254 255.255.255.0
service-acl input SRV-SERVICES default-action permit-any
!
interface vlan 1001
name SRV-PRODUCTION
ip address 192.168.1.254 255.255.255.0
service-acl input SRV-PRODUCTION default-action permit-any
!
interface vlan 1002
name SRV-FORMATION
ip address 10.1.0.254 255.255.255.0
service-acl input SRV-FORMATION default-action permit-any
!
interface gigabitethernet1
description "Prise 0013A4 - Salle 110"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet2
description "Prise 0013A5 - Salle 110"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet3
description "Prise 0013A6 - Salle 110"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet4
description "Prise 0013A7 - Salle 110"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet5
description "Prise 0013A8 - Salle 110"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet6
description Salle_107
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet7
description "Serveur HV02"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 1001
!
interface gigabitethernet8
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet9
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet10
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet11
description "Prise 00-3A1 - Salle 104"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet12
description "Prise 00-29B3 - Salle 102"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet13
description "Salle 106"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet14
description "Salle 106"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet15
description "Salle 106"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet16
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet17
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet18
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet19
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet20
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 12
!
interface gigabitethernet21
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet22
description "LIAISON NANTES HV3 IMIE SERVICES"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 1000
!
interface gigabitethernet23
description LIAISON-FORMATION-NANTES-HV1
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 1002
!
interface gigabitethernet24
description "SRV FORMATION"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 1002
!
interface gigabitethernet25
description Salle_107
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet26
description Salle_107
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet27
description Salle_107
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet28
description Salle_107
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet29
description Salle_107
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet30
description Salle_107
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet31
description Salle_105
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet32
description Salle_105
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet33
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet34
description "Salle 108 - RDE0.017A1"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet35
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet36
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet37
description "Salle 104 - 003E1"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet38
description "Salle 104 - RDE0.03A2"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet39
description "Salle 104 - RDE0.03A3"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet40
description "Salle 104 - RDE0.03B1"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet41
description "Port 003c1 - Salle 104"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet42
description "Port 003B2 - Salle 104"
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 13
!
interface gigabitethernet43
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet44
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet45
spanning-tree guard root
spanning-tree bpduguard enable
!
interface gigabitethernet46
spanning-tree guard root
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet47
description LIAISON-PRODUCTION-NANTES-HV3
spanning-tree guard root
switchport trunk allowed vlan add 10-13,100-103,200-201,254,1000,1002
switchport trunk native vlan 1001
!
interface gigabitethernet48
description "Liaison NANTES-HV2"
spanning-tree guard root
switchport trunk allowed vlan add 10-13,100-103,200-201,254,1000,1002
switchport trunk native vlan 1001
!
interface gigabitethernet49
description IT'PBX
spanning-tree guard root
switchport mode access
switchport access vlan 201
!
interface gigabitethernet50
description IT'GATEWAY
spanning-tree guard root
switchport mode access
switchport access vlan 254
!
interface gigabitethernet51
description SW2-RG-5
switchport trunk allowed vlan add 10-13,100-103,200-201,254,1000-1002
!
interface gigabitethernet52
description SW2-RG-2
switchport trunk allowed vlan add 10-13,100-103,200-201,254,1000-1002
!
exit
ip igmp snooping
ip igmp snooping vlan 1
ip igmp snooping vlan 1 immediate-leave
ip igmp snooping vlan 10
ip igmp snooping vlan 10 immediate-leave
ip igmp snooping vlan 11
ip igmp snooping vlan 11 immediate-leave
ip igmp snooping vlan 12
ip igmp snooping vlan 12 immediate-leave
ip igmp snooping vlan 13
ip igmp snooping vlan 13 immediate-leave
ip igmp snooping vlan 100
ip igmp snooping vlan 100 immediate-leave
ip igmp snooping vlan 101
ip igmp snooping vlan 101 immediate-leave
ip igmp snooping vlan 102
ip igmp snooping vlan 102 immediate-leave
ip igmp snooping vlan 103
ip igmp snooping vlan 103 immediate-leave
ip igmp snooping vlan 200
ip igmp snooping vlan 200 immediate-leave
ip igmp snooping vlan 201
ip igmp snooping vlan 201 immediate-leave
ip igmp snooping vlan 254
ip igmp snooping vlan 254 immediate-leave
ip igmp snooping vlan 1000
ip igmp snooping vlan 1000 immediate-leave
ip igmp snooping vlan 1001
ip igmp snooping vlan 1001 immediate-leave
ip igmp snooping vlan 1002
ip igmp snooping vlan 1002 immediate-leave
ip default-gateway 192.168.254.254

 

Thanks

What is the subnet of the remote site? I suspect your ACLs are blocking the return traffic.

cheers,

Seb.

Hi,

The remote site is 192.168.3.0/24, passing through 192.168.254.1 (vlan 254), which has no input ACL.

In the TELEPHONIE ACL, we have correctly added 192.168.3.0 0.0.0.255 as an authorized network.

If I change 192.168.3.0/24 to 1.1.1.0/24, all is working fine..

Thanks

So if you change the subnet at the remote site to 1.1.1.0/24 the traffic passes in both directions through the SG300, without needing to change the ACLs?

Yes, exactly

If you inserted the following into the TELEPHONIE ACL:

permit ip any 192.168.3.0 0.0.0.255 ace-priority 291

...does it work?

The 1.1.1.0/24 traffic is allowed through because of the default-action permit statement you have on your ACLs.

 

 

Not at all

Thanks

Just to clarify, you are inserting the permit 192.168.3.0 0.0.0.255 above the following deny:

deny ip any 192.168.0.0 0.0.255.255 ace-priority 300

 

To clarify, I have also tried adding only permit ip any any, without any success.
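As an added illustration (not code from the thread or from Cisco), here is a small Python model of the ACE semantics the replies rely on: ACEs are tried in ace-priority order, the first match wins, and an unmatched packet gets the interface's default-action. It runs a handset's traffic through the TELEPHONIE ACL exactly as posted, showing why a 192.168.3.0/24 destination is caught by the deny at priority 300 while 1.1.1.0/24 falls through to permit-any, and what Seb's priority-291 ACE changes; the handset address 10.1.44.20 is a constructed value.

```python
import ipaddress

# TELEPHONIE ACL exactly as in the configuration posted above.
TELEPHONIE_ACL = """
permit ip any 192.168.1.14 0.0.0.0 ace-priority 180
permit ip any 192.168.1.12 0.0.0.0 ace-priority 200
permit ip any 192.168.1.15 0.0.0.0 ace-priority 220
permit ip any 10.1.44.0 0.0.0.255 ace-priority 240
permit ip any 172.16.44.248 0.0.0.7 ace-priority 260
permit ip any 192.168.254.0 0.0.0.255 ace-priority 280
permit ip any 10.0.0.0 0.0.0.255 ace-priority 290
deny ip any 192.168.0.0 0.0.255.255 ace-priority 300
deny ip any 172.16.0.0 0.0.31.255 ace-priority 320
deny ip any 10.0.0.0 0.255.255.255 ace-priority 340
"""
SEB_ACE = "permit ip any 192.168.3.0 0.0.0.255 ace-priority 291\n"  # proposed in the thread

def _parse_match(tokens, i):
    """Parse 'any' or 'A.B.C.D W.X.Y.Z' at tokens[i]; None means any."""
    if tokens[i] == "any":
        return None, i + 1
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2

def parse_acl(text):
    """Return (action, src, dst, priority) tuples sorted by ace-priority (lowest first)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] not in ("permit", "deny") or t[1] != "ip":
            raise ValueError("only 'permit/deny ip' ACEs are modelled: " + line)
        src, i = _parse_match(t, 2)
        dst, i = _parse_match(t, i)
        if t[i] != "ace-priority":
            raise ValueError("missing ace-priority: " + line)
        aces.append((t[0], src, dst, int(t[i + 1])))
    return sorted(aces, key=lambda a: a[3])

def _matches(m, ip):
    """Wildcard compare: a 1 bit in the wildcard means 'don't care'."""
    if m is None:
        return True
    addr, wild = m
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(aces, src, dst, default_action="permit-any"):
    """First matching ACE wins; if none matches, the interface default-action applies."""
    for action, s, d, prio in aces:
        if _matches(s, src) and _matches(d, dst):
            return action, prio
    return ("permit" if default_action == "permit-any" else "deny"), None

def demo():
    acl = parse_acl(TELEPHONIE_ACL)
    phone = "10.1.44.20"  # constructed: a handset on vlan 201 (10.1.44.0/24)
    return {
        # 192.168.3.x hits 'deny ip any 192.168.0.0 0.0.255.255' at priority 300
        "to_192.168.3.10": evaluate(acl, phone, "192.168.3.10"),
        # 1.1.1.x matches no ACE and falls through to default-action permit-any
        "to_1.1.1.10": evaluate(acl, phone, "1.1.1.10"),
        # the priority-291 ACE sorts before the deny at 300, so the VPN subnet is permitted
        "to_192.168.3.10_with_291": evaluate(parse_acl(TELEPHONIE_ACL + SEB_ACE), phone, "192.168.3.10"),
    }
```

The model covers only the direction the service-acl input on vlan 201 sees (handset to remote site); return traffic enters on vlan 254, which carries no ACL in the posted config.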