cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
772
Views
1
Helpful
8
Replies

Very confused setting up ACLs on CBS 250 - 8 port

peat
Level 1
Level 1

Can anyone help me / point me in the right direction with setting up ACLs on the CBS 250 switch.

Im so used to doing it on normal switches using the CLI but on this device its just web based and nothing I try that i think makes sense works.   I have lost all access to it several times as I bind ACLs to vlans as well.   I feel like i am just going round in circles getting nowhere.

All I want to do is allow ping and ports 1000 and 69 between my two vlans.  (but also i am guessing i need to allow 443 to be able to get on to manage the switch and for internet access for vlan 3?)

Vlan 1 - 192.168.2.0

Vlan 3 - 172.16.200.0

The network is setup like below (I would have preferred a trunk to the firewall but I am not allowed to change that at the moment).

The CBS switch has ipv4 routing enabled.

peat_0-1707742083347.png

 

 

1 Accepted Solution

Accepted Solutions

All sorted now.  Well I can get traffic being allowed one way through the switch which will do for now.

Basically the change that made it work was to not have the same port number as source and destination.  Once i changed it to one ace had any 69 and the other 69 any.  The traffic would work.

View solution in original post

8 Replies 8

balaji.bandi
Hall of Fame
Hall of Fame

CBS is small business switches, i would avoide make more complicated for the device functionalioty like more ACL inspection

If the device have Gateway configure FW IP, then do the all the restriction on Firewall as per the configuration.

Or is the end device gateway is CBS Switch ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Customer has said the ACLs must be on the switch as this is how it was previously set up.   If it was me doing my own setup I would have all security done on the firewall.

For additional info the end devices gateways are the firewall but they set static routes on the end devices to point to the other vlan.

I have deleted all acls and aces now and still cant ping between the 2 vlans.  They are both classed as directly connected arent they? so there shouldnt be any reason why I cant ping between them.  Unless I am missing something?

 

 

peat
Level 1
Level 1

Right done some more on this and now have pings working and controlled by an ACE/ACL as when i change it to deny on the ACE, ping is blocked.  Changing it back to to permit and ping is allowed again so I added udp port 69 but when i try and test tftp there is no connection.   

I found i can get the config off it which is good so here it is.  What am i missing to make tftp not work.  I think once that is fixed then i am sorted.  (oh i should add i am only using ports 5 and 6 at the moment between two laptops that i am using to test)

!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
vlan database
vlan 3
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 H3C_Aolynk
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone
voice vlan oui-table add 00e075 Polycom/Veritel_phone
voice vlan oui-table add 00e0bb 3Com_phone
bonjour interface range vlan 1
ip access-list extended LAN_to_DMZ
permit icmp 192.168.2.0 0.0.0.255 172.16.200.0 0.0.0.255 any any ace-priority 5
permit udp 192.168.2.0 0.0.0.255 tftp 172.16.200.0 0.0.0.255 tftp ace-priority 6
exit
ip access-list extended DMZ_to_LAN
permit icmp 172.16.200.0 0.0.0.255 192.168.2.0 0.0.0.255 any any ace-priority 5
permit udp 172.16.200.0 0.0.0.255 tftp 192.168.2.0 0.0.0.255 tftp ace-priority 6
permit ip 172.16.200.0 0.0.0.255 any ace-priority 7
exit
hostname switch
username admin password encrypted
interface vlan 1
name LAN
ip address 192.168.2.252 255.255.255.0
no ip address dhcp
no snmp trap link-status
!
interface vlan 3
name DMZ
ip address 172.16.200.252 255.255.255.0
no snmp trap link-status
!
interface GigabitEthernet1
switchport access vlan 3
!
interface GigabitEthernet2
switchport access vlan 3
!
interface GigabitEthernet3
switchport access vlan 3
!
interface GigabitEthernet4
switchport access vlan 3
!
interface GigabitEthernet5
service-acl input DMZ_to_LAN
switchport access vlan 3
!
interface GigabitEthernet6
service-acl input LAN_to_DMZ
!
exit

peat
Level 1
Level 1

Sorry ive just realised the laptop in the LAN was going out to the firewall as when I pulled that connection, everything stopped working. so back to square one

The ACL need to tag to Layer 3 Interface check this video :

https://www.youtube.com/watch?v=08T4Ovw7O48

For additional info the end devices gateways are the firewall 

If the end device Gateway are Firewall, then the ACL need to be created on Firewall as i mentioned before.

If the end device point to Gateway to switch IP only this take effective.

I have deleted all acls and aces now and still cant ping between the 2 vlans.  They are both classed as directly connected arent they? so there shouldnt be any reason why I cant ping between them.  Unless I am missing something?

If the CBS doing inter-vlan routing and device point to switch all should work expecte between these 2 VLAN, but as you mentioned all device point to Firewall, firewall doing routing and protection between the VLAN. in the Case Switch acting just layer 2

what interface connected on switch to Firewall - the diagram show only Firewall side not on the switch side.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

In this Cisco Tech Talk, we'll show you how to adjust ACLs that allow internet access but blocks communication with others on different VLANs.

Thanks.  Yes thats the video i originally looked at.

I have just tested it and I can deny a ping between the two vlans with the ACL on the switch with the Gateways set on the firewall.

(For info there are ACLs on the firewall that match the ACLs on the switch.  Ie allow the same ports and ping)

I have static routes set on the two end devices telling it to use the switch l3 gw to reach the other vlan.

(I know this is a bad way to do it but ive got my hands tied and have to do it as the customer has other sites working this way.)

switch port 5 ------> port 2 firewall  (vlan 3)

switch port 6 ------> port 3 firewall  (vlan 1)

 

Sure if that is your rquirement you can do that and let us know if you have still issue to help.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

All sorted now.  Well I can get traffic being allowed one way through the switch which will do for now.

Basically the change that made it work was to not have the same port number as source and destination.  Once i changed it to one ace had any 69 and the other 69 any.  The traffic would work.

Review Cisco Networking for a $25 gift card