Extended Access list in VLAN issue

tunxt99
Level 1

Hi there,

My device is CBS350-24FP-4G.

My topology:

VLAN 101 Application 172.30.101.0/24

VLAN 102 Staffs 172.30.102/24

VLAN 103 Bastion 172.30.103.0/24

I'm trying to create an extended ACL that allows a specific IP in VLAN 103 to SSH to all IPs in VLAN 101 and denies everything else.

You can see on my attached image


But the ACL didn't work. When I set "Default Action" to "Deny Any", my machine with IP 172.30.103.99 in VLAN 103 couldn't SSH to a machine in VLAN 101. On the other hand, "Permit Any" allows all VLANs to SSH to machines in VLAN 101.
Please help me to figure out what's wrong with my configuration.

Thank you!

Accepted Solution

KJK99
Level 3

@tunxt99 

I feel your pain. On those switches, the direction of service ACLs is always IN. Here’s what the manual says.

“When an ACL is bound to an interface, its ACE rules are applied to packets arriving at that interface.”

Note that those packets arrive from the VLAN you bind the ACL to, so the source IP address in the ACEs needs to be from the subnet of that VLAN. Therefore, your permit rule with the source IP address 172.30.103.99 should not be bound to the interface of VLAN 101 (subnet 172.30.101.0/24).

It is unfortunate that Cisco, with their CBS series of switches, follows the path of other small business switch manufacturers in providing too limited an ACL rule set. I usually find workarounds to those limitations, but the end result is not pretty and is difficult to maintain. Since I'm also a server admin for my network, sometimes I just patch a hole using server firewalls.

Kris K
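To make the inbound-only behaviour concrete, here is a small added model (not the switch's code and not from either poster) of the semantics the accepted answer quotes: an ACL bound to a VLAN is evaluated only for packets arriving from that VLAN. It uses the thread's topology and ACE, and assumes a constructed server address 172.30.101.10 and client ephemeral port 51000, to show why the permit rule fails on VLAN 101 but works on VLAN 103.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the CBS350 behaviour described in the accepted answer:
# an ACL bound to a VLAN interface filters only packets *arriving* from that VLAN.
VLANS = {101: ip_network("172.30.101.0/24"),   # Application
         102: ip_network("172.30.102.0/24"),   # Staffs
         103: ip_network("172.30.103.0/24")}   # Bastion

# The poster's single ACE: permit 172.30.103.99 -> VLAN 101 on TCP/22,
# with the GUI "Default Action" set to "Deny Any".
ACL = [("permit", ip_network("172.30.103.99/32"), VLANS[101], 22)]
DEFAULT_ACTION = "deny"


def vlan_of(ip):
    """VLAN a packet arrives from, derived from its source subnet."""
    for vid, net in VLANS.items():
        if ip_address(ip) in net:
            return vid
    raise ValueError(f"{ip} is not in a known VLAN")


def acl_action(src, dst, dport):
    """Evaluate ACEs top-down; fall through to the default action."""
    for action, src_net, dst_net, port in ACL:
        if (ip_address(src) in src_net and ip_address(dst) in dst_net
                and (port is None or port == dport)):
            return action
    return DEFAULT_ACTION


def forwarded(bound_vlan, src, dst, dport):
    """Inbound-only: the ACL applies only if the packet arrives on the bound VLAN."""
    if vlan_of(src) != bound_vlan:
        return True                      # no ACL on the arriving interface
    return acl_action(src, dst, dport) == "permit"


def ssh_works(bound_vlan, client, server, client_port=51000):
    """SSH needs the SYN (client -> server:22) AND the reply (server -> client)."""
    syn_ok = forwarded(bound_vlan, client, server, 22)
    reply_ok = forwarded(bound_vlan, server, client, client_port)
    return syn_ok and reply_ok


if __name__ == "__main__":
    # Bound to VLAN 101: the reply from 172.30.101.10 arrives on VLAN 101 with a
    # source outside 172.30.103.99/32, hits "Deny Any", and the session fails.
    print("bound to VLAN 101:", ssh_works(101, "172.30.103.99", "172.30.101.10"))
    # Bound to VLAN 103: the SYN matches the permit ACE; the reply is unfiltered.
    print("bound to VLAN 103:", ssh_works(103, "172.30.103.99", "172.30.101.10"))
    # Another VLAN 103 host is still denied by the default action.
    print("other bastion host:", ssh_works(103, "172.30.103.50", "172.30.101.10"))
```

Note that with the ACL bound only to VLAN 103, a host in VLAN 102 is not filtered at all, which is the kind of gap the answer's "workarounds" refer to.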
