Segregating a VLAN from the rest of the network

VKStephanie
Level 1

Hello everyone,

I did a search and found partial solutions for this... but the code they recommended isn't recognized on my switch.  After a few weeks of banging my head against the wall, I'm ready to ask for help.

Here's the situation:

We have a network with several VLANs for different departments.  We have a guest wifi network that can currently access all other network resources such as printers on other VLANs.  We want to restrict this guest network to only be able to access the internet and nothing else. 

I am testing this on a switch where I am physically connected to an access port on the guest VLAN.  My switch is a Cisco SG-300-52. When no ACL is in place, everything works and I can access network resources as well as internet.  I can't seem to apply the ACL via CLI, so I did it in the GUI.  I applied it to the guest VLAN.  At that point, my access drops and I can't get anywhere.  It's either all or nothing and I'm not sure why.  I'm also not sure how to apply this to our wifi network and not a switch port, but I'm just trying to get the restriction to work on a hardwire first since I can't work on the wifi during business hours.

Here are the rules in my ACL:

ip access-list extended GuestVLAN
permit ip 10.10.40.0 255.255.255.0 10.10.110.xx 255.255.255.0 ace-priority 20
permit ip 10.10.40.0 255.255.255.0 10.10.40.254 255.255.255.255 ace-priority 40
deny ip 10.10.40.0 255.255.255.0 10.10.0.0 255.255.255.0 ace-priority 60
deny ip any any ace-priority 80

I want to deny all access to the inner network. All the VLANs start with 10.10.x.x. This is the third rule, at priority 60. The first two are rules to allow traffic to the gateway of that VLAN and the network gateway (the xx one at priority 20).

Further down is where the VLAN is created. You can see the ACL is applied to the VLAN as a whole:

interface vlan 40
 name Guest_VLAN
 ip address 10.10.40.250 255.255.255.0
 service-acl input GuestVLAN

Not sure how much this is needed, but here's the port I'm connected to for testing:

interface gigabitethernet2
 flowcontrol auto
 no snmp trap link-status
 storm-control broadcast enable
 storm-control include-multicast unknown-unicast
 switchport mode access
 switchport access vlan 40

Thanks for your help... I'm not sure what I'm missing.

7 Replies

Mark Malone
VIP Alumni

Hi

I'm not overly familiar with these SMB switches; the syntax is slightly different in the CLI than on Catalyst. But looking at the ACL, and going on the general concept of how to block VLANs from speaking to each other, I would block inbound and outbound: basically have a reverse of each line in the ACL and apply it in and out on the VLAN interface, and then have a permit ip any any at the end of the ACL, or else it's blocking everything else. That might be what's happening when you apply it.

So instead of the Deny ip Any Any at the end, have Permit ip any any instead?

ACLs are implicit deny anyway, so you wouldn't even need a deny at the end. It's good practice to block exactly what's required but then allow everything else through, just in case.

Also reverse each line like the example below, so it's blocking both directions and not just one, then apply the ACL in and out under the VLAN interface:

permit ip 10.10.40.0 255.255.255.0 10.10.40.254 255.255.255.255 ace-priority 40

permit ip 10.10.40.254 255.255.255.255 10.10.40.0 255.255.255.0 ace-priority 50

Thanks, Mark! (Sorry for the long time in responding. There was a migration going on that I got pulled in on)

My test machine has an IP in the guest vlan and I'm still able to reach network resources on the main section of the network (the 110).  I reversed each line and put the permit any any.  Here's the new ACL:

ip access-list extended Guest40
permit ip 10.10.40.0 255.255.255.0 10.10.110.253 255.255.255.0 ace-priority 10
permit ip 10.10.110.253 255.255.255.0 10.10.40.0 255.255.255.0 ace-priority 20
permit ip 10.10.40.0 255.255.255.0 10.10.40.254 255.255.255.255 ace-priority 30
permit ip 10.10.40.254 255.255.255.255 10.10.40.0 255.255.255.0 ace-priority 40
deny ip 10.10.40.0 255.255.255.0 10.10.0.0 255.255.255.0 ace-priority 70
deny ip 10.10.0.0 255.255.255.0 10.10.40.0 255.255.255.0 ace-priority 80
permit ip any any ace-priority 100

According to this, I should only be able to reach 10.10.110.253 and other devices on 10.10.40.x... but that's not what's happening.

Just to be sure: I'm hardlined into a port on my test switch. The other switches don't need to have the ACL too, right? It should propagate throughout the network if it's on one switch?

Hi

It needs to be on the Layer 3 SVI VLAN interface switch (the routable device), and also the ACL must be set in the in/out direction under the VLAN interfaces.

So, for example, if you want VLAN 10 to stop talking to 20 and vice versa, it needs to be on both the VLAN 10 and VLAN 20 SVI interfaces, in/out, both directions. This prevents them speaking to each other.

The ACL looks a slight bit wrong; it might just be a typo.

The highlighted lines (the two with 10.10.110.253 255.255.255.0) are set as a host route but with a class C subnet mask. It should be 255.255.255.255, or change the host to the network 10.10.110.0.

ip access-list extended Guest40
permit ip 10.10.40.0 255.255.255.0 10.10.110.253 255.255.255.0 ace-priority 10
permit ip 10.10.110.253 255.255.255.0 10.10.40.0 255.255.255.0 ace-priority 20
permit ip 10.10.40.0 255.255.255.0 10.10.40.254 255.255.255.255 ace-priority 30
permit ip 10.10.40.254 255.255.255.255 10.10.40.0 255.255.255.0 ace-priority 40
deny ip 10.10.40.0 255.255.255.0 10.10.0.0 255.255.255.0 ace-priority 70
deny ip 10.10.0.0 255.255.255.0 10.10.40.0 255.255.255.0 ace-priority 80
permit ip any any ace-priority 100

Thanks, Mark.

Thanks so much for your help so far!!

I corrected those two lines in the ACL. I'm not sure I understood your explanation. I placed the same ACL rules on both the 40 VLAN and the 110 VLAN with the idea to restrict the traffic between the two; however, I seem to have locked myself out after applying. Both my machine and the actual switch are on the 110 VLAN, so I'm not sure what happened.

I don't much care if 110 can reach 40, but I need to keep 40 out of 110.

Hey

OK, let's simplify it then: just block 40 from 110 and the reverse of it as well, and just apply it under the VLAN 40 interface.

interface vlan 40
service-acl input GuestVLAN
service-acl output GuestVLAN

ip access-list extended GuestVLAN
deny ip 10.10.40.0 255.255.255.0 10.10.110.0 255.255.255.0 ace-priority 10
deny ip 10.10.110.0 255.255.255.0 10.10.40.0 255.255.255.0 ace-priority 20
permit ip any any ace-priority 100

Also, you could try this way through the GUI; it looks standard enough to do:

https://sbkb.cisco.com/CiscoSB/GetArticle.aspx?docid=865924b7d74b4a178d60d774eec1594b_Configuring_IPv4_Access_Control_Lists_on_300_Series_Managed_.xml&pid=2&converted=0
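To see why each ACL version in this thread behaved the way it did, here is an added example (not code from the thread, from Cisco, or from either poster): a small first-match ACL evaluator that orders ACEs by ace-priority, ends with the implicit deny, and runs the guest client's flows through the original poster's first and second ACLs, the reply's final ACL, and a tightened variant. It reads the masks the way the posts write them (subnet masks, so 255.255.255.0 covers a /24); it models the matching logic only and does not emulate the SG300, so check the switch's CLI guide for how it interprets the mask field before relying on any line here. The guest client, printer, internet and second-VLAN addresses are constructed, the host 10.10.110.253 is taken from the second post and assumed to be the "10.10.110.xx" gateway of the first, and the tightened ACL at the end is this example's own suggestion.

```python
"""First-match model of the IPv4 ACLs discussed in this thread (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: str         # "address mask" or "any"
    dst: str
    priority: int    # ace-priority; lower values are evaluated first


def _net(spec: str) -> IPv4Network:
    """'10.10.40.0 255.255.255.0' -> 10.10.40.0/24; 'any' -> 0.0.0.0/0 (subnet-mask reading)."""
    if spec == "any":
        return IPv4Network("0.0.0.0/0")
    addr, mask = spec.split()
    return IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text: str) -> list[Ace]:
    """Parse 'permit|deny ip SRC DST ace-priority N' lines and sort them by priority."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "ip":          # skip the 'ip access-list extended NAME' header
            continue
        action, i, ends = tok[0], 2, []        # tok[1] is the protocol keyword 'ip'
        for _ in range(2):                     # source endpoint, then destination endpoint
            if tok[i] == "any":
                ends.append("any"); i += 1
            else:
                ends.append(f"{tok[i]} {tok[i + 1]}"); i += 2
        prio = int(tok[tok.index("ace-priority") + 1])
        aces.append(Ace(action, ends[0], ends[1], prio))
    return sorted(aces, key=lambda a: a.priority)


def evaluate(aces: list[Ace], src: str, dst: str) -> tuple:
    """First matching ACE wins; no match means the implicit deny (priority None)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for ace in aces:
        if s in _net(ace.src) and d in _net(ace.dst):
            return (ace.action, ace.priority)
    return ("deny", None)


# The poster's first ACL; 10.10.110.253 is assumed for the 'xx' host in the post.
ACL_ORIGINAL = """
ip access-list extended GuestVLAN
permit ip 10.10.40.0 255.255.255.0 10.10.110.253 255.255.255.0 ace-priority 20
permit ip 10.10.40.0 255.255.255.0 10.10.40.254 255.255.255.255 ace-priority 40
deny ip 10.10.40.0 255.255.255.0 10.10.0.0 255.255.255.0 ace-priority 60
deny ip any any ace-priority 80
"""
# The poster's second ACL (reversed lines, permit any any at the end).
ACL_SECOND = """
permit ip 10.10.40.0 255.255.255.0 10.10.110.253 255.255.255.0 ace-priority 10
permit ip 10.10.110.253 255.255.255.0 10.10.40.0 255.255.255.0 ace-priority 20
permit ip 10.10.40.0 255.255.255.0 10.10.40.254 255.255.255.255 ace-priority 30
permit ip 10.10.40.254 255.255.255.255 10.10.40.0 255.255.255.0 ace-priority 40
deny ip 10.10.40.0 255.255.255.0 10.10.0.0 255.255.255.0 ace-priority 70
deny ip 10.10.0.0 255.255.255.0 10.10.40.0 255.255.255.0 ace-priority 80
permit ip any any ace-priority 100
"""
# The final reply's ACL, with VLAN 110 written as 10.10.110.0 (the post has 10.110.0.0).
ACL_REPLY = """
deny ip 10.10.40.0 255.255.255.0 10.10.110.0 255.255.255.0 ace-priority 10
deny ip 10.10.110.0 255.255.255.0 10.10.40.0 255.255.255.0 ace-priority 20
permit ip any any ace-priority 100
"""
# This example's suggestion: permit the two hosts the poster wants, deny the whole
# 10.10.0.0/16 the poster says every VLAN lives in, then let everything else (internet) through.
ACL_TIGHTENED = """
permit ip 10.10.40.0 255.255.255.0 10.10.40.254 255.255.255.255 ace-priority 10
permit ip 10.10.40.0 255.255.255.0 10.10.110.253 255.255.255.255 ace-priority 20
deny ip 10.10.40.0 255.255.255.0 10.10.0.0 255.255.0.0 ace-priority 30
permit ip any any ace-priority 100
"""

GUEST = "10.10.40.20"                            # constructed guest client
FLOWS = {                                        # destinations seen from the guest client
    "printer on VLAN 110": "10.10.110.50",       # constructed
    "host 10.10.110.253": "10.10.110.253",       # from the second post
    "guest gateway": "10.10.40.254",             # from the first post
    "other internal VLAN": "10.10.20.10",        # constructed, inside 10.10.0.0/16
    "internet": "8.8.8.8",                       # constructed
}


def verdicts(acl_text: str) -> dict:
    """Verdict for every flow in FLOWS from the guest client under the given ACL text."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, GUEST, dst) for name, dst in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in [("original", ACL_ORIGINAL), ("second", ACL_SECOND),
                       ("reply", ACL_REPLY), ("tightened", ACL_TIGHTENED)]:
        print(label)
        for name, verdict in verdicts(acl).items():
            print(f"  {name:22} -> {verdict}")
```

Read this way, the first ACL drops internet traffic because the only ACE that matches it is deny ip any any at priority 80; the second ACL still reaches the printer because priority 10 permits the whole 10.10.110.0/24 (a /24 mask on a host address covers its subnet) and the deny at 70 only covers 10.10.0.0/24, not 10.10.110.0/24; the reply's ACL blocks VLAN 110 but leaves every other 10.10.x.x VLAN open; the tightened variant denies all of 10.10.0.0/16 after the two host permits and still lets internet traffic through the final permit. Whatever the switch's own mask convention turns out to be, the test is the same: apply the ACL and verify a guest client cannot reach a host on another internal VLAN while it can still reach the internet.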
