02-12-2024 04:43 AM - edited 02-12-2024 04:48 AM
Can anyone help me / point me in the right direction with setting up ACLs on the CBS 250 switch.
I'm so used to doing it on normal switches using the CLI, but on this device it's just web based and nothing I try that I think makes sense works. I have lost all access to it several times as I bind ACLs to VLANs as well. I feel like I am just going round in circles getting nowhere.
All I want to do is allow ping and ports 1000 and 69 between my two VLANs. (But also I am guessing I need to allow 443 to be able to get on to manage the switch, and for internet access for VLAN 3?)
VLAN 1 - 192.168.2.0
VLAN 3 - 172.16.200.0
The network is set up like below (I would have preferred a trunk to the firewall, but I am not allowed to change that at the moment).
The CBS switch has ipv4 routing enabled.
Solved! Go to Solution.
02-13-2024 02:57 AM
All sorted now. Well, I can get traffic being allowed one way through the switch, which will do for now.
Basically the change that made it work was to not have the same port number as source and destination. Once I changed it so that one ACE had "any 69" and the other "69 any", the traffic would work.
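The accepted solution above loosens the TFTP ACEs from "tftp tftp" to "any tftp" in one direction and "tftp any" in the other. The reason that matters is that a TFTP client sends its read or write request from an ephemeral source port to UDP 69, and per RFC 1350 the server then answers from a fresh ephemeral port of its own, so the rest of the transfer never touches port 69 at all. The following Python model is an added example, not code from the original post or from the switch: it parses ACE lines in the same form the posted config uses, applies Cisco wildcard matching with lowest ace-priority first and the implicit deny, and pushes a constructed three-packet TFTP exchange through the original pair, the pair the solution describes, and a wider pair. The hosts 192.168.2.10 and 172.16.200.20 and the ports 49152 and 3456 are made up for the example, and the matcher is a simplified, assumed model of the CBS behaviour (udp/tcp ACEs only).

```python
"""Stateless ACL matcher modelled on the CBS extended-ACE lines quoted in this
thread (added example). Only the udp/tcp form
    permit|deny <proto> <src> <wc> <sport> <dst> <wc> <dport> [ace-priority N]
is handled, with 'any' allowed in place of an address or a port. This is an
assumed simplification of how the switch matches, not the switch's own code."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PORT_NAMES = {"tftp": 69}  # the only named port the thread's config uses


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    src_wc: str
    sport: Optional[int]  # None means 'any'
    dst: str
    dst_wc: str
    dport: Optional[int]
    priority: int


def _port(tok: str) -> Optional[int]:
    if tok == "any":
        return None
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    toks = line.split()
    pos = 2  # toks[0] is the action, toks[1] the protocol

    def addr():
        nonlocal pos
        if toks[pos] == "any":  # 'any' == 0.0.0.0 with an all-ones wildcard
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        net, wc = toks[pos], toks[pos + 1]
        pos += 2
        return net, wc

    src, src_wc = addr()
    sport = _port(toks[pos])
    pos += 1
    dst, dst_wc = addr()
    dport = _port(toks[pos])
    pos += 1
    prio = int(toks[pos + 1]) if pos < len(toks) and toks[pos] == "ace-priority" else 0
    return Ace(toks[0], toks[1], src, src_wc, sport, dst, dst_wc, dport, prio)


def _in_net(ip: str, net: str, wc: str) -> bool:
    """Cisco wildcard mask: a 1 bit is 'don't care', so compare only the 0 bits."""
    care = ~int(IPv4Address(wc)) & 0xFFFFFFFF
    return (int(IPv4Address(ip)) ^ int(IPv4Address(net))) & care == 0


def _matches(ace: Ace, p: Packet) -> bool:
    return (ace.proto == p.proto
            and _in_net(p.src, ace.src, ace.src_wc)
            and _in_net(p.dst, ace.dst, ace.dst_wc)
            and ace.sport in (None, p.sport)
            and ace.dport in (None, p.dport))


def evaluate(acl_lines, p: Packet) -> str:
    """Lowest ace-priority first; first match wins; no match is the implicit deny."""
    for ace in sorted(map(parse_ace, acl_lines), key=lambda a: a.priority):
        if _matches(ace, p):
            return ace.action
    return "deny(implicit)"


# Constructed hosts, one per VLAN from the thread's addressing plan.
CLIENT, SERVER = "192.168.2.10", "172.16.200.20"

# Constructed TFTP exchange per RFC 1350: the request goes to port 69, the server
# answers from a fresh ephemeral port, and the transfer continues between the two
# ephemeral ports (49152 and 3456 are made-up values).
TFTP_EXCHANGE = [
    ("RRQ", Packet("udp", CLIENT, 49152, SERVER, 69)),
    ("DATA1", Packet("udp", SERVER, 3456, CLIENT, 49152)),
    ("ACK1", Packet("udp", CLIENT, 49152, SERVER, 3456)),
]

# The TFTP ACE pair from the posted config, the pair the accepted solution
# describes ("any 69" one way, "69 any" the other), and a wider stateless pair.
ORIGINAL_LAN_TO_DMZ = ["permit udp 192.168.2.0 0.0.0.255 tftp 172.16.200.0 0.0.0.255 tftp ace-priority 6"]
ORIGINAL_DMZ_TO_LAN = ["permit udp 172.16.200.0 0.0.0.255 tftp 192.168.2.0 0.0.0.255 tftp ace-priority 6"]
FIXED_LAN_TO_DMZ = ["permit udp 192.168.2.0 0.0.0.255 any 172.16.200.0 0.0.0.255 tftp ace-priority 6"]
FIXED_DMZ_TO_LAN = ["permit udp 172.16.200.0 0.0.0.255 tftp 192.168.2.0 0.0.0.255 any ace-priority 6"]
OPEN_LAN_TO_DMZ = ["permit udp 192.168.2.0 0.0.0.255 any 172.16.200.0 0.0.0.255 any ace-priority 6"]
OPEN_DMZ_TO_LAN = ["permit udp 172.16.200.0 0.0.0.255 any 192.168.2.0 0.0.0.255 any ace-priority 6"]


def transfer_verdicts(lan_to_dmz, dmz_to_lan, exchange=TFTP_EXCHANGE):
    """Apply the ingress ACL for each packet's direction and report the verdicts."""
    return {label: evaluate(lan_to_dmz if p.src == CLIENT else dmz_to_lan, p)
            for label, p in exchange}


if __name__ == "__main__":
    for name, pair in (("original", (ORIGINAL_LAN_TO_DMZ, ORIGINAL_DMZ_TO_LAN)),
                       ("fixed", (FIXED_LAN_TO_DMZ, FIXED_DMZ_TO_LAN)),
                       ("open", (OPEN_LAN_TO_DMZ, OPEN_DMZ_TO_LAN))):
        print(f"{name:8s} {transfer_verdicts(*pair)}")
```

Running it shows that with the original "tftp tftp" pair nothing matches, and that with the "any tftp" / "tftp any" pair only the request gets through: the first data block comes from the server's ephemeral port, not from 69, and the client's ACK goes to that ephemeral port, so both fall to the implicit deny. A stateless ACL therefore cannot pin TFTP to port 69 alone; either the data phase is covered by a wider ACE (the "any any" UDP pair, or a line like the `permit ip 172.16.200.0 0.0.0.255 any` already in the posted DMZ_to_LAN list), or the transfer stalls after the request.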
02-12-2024 04:55 AM
CBS are small business switches; I would avoid making the device's functionality more complicated with things like more ACL inspection.
If the devices have the FW IP configured as their gateway, then do all the restriction on the firewall as per the configuration.
Or is the end device gateway the CBS switch?
02-12-2024 06:17 AM - edited 02-12-2024 06:23 AM
The customer has said the ACLs must be on the switch, as this is how it was previously set up. If it was me doing my own setup I would have all security done on the firewall.
For additional info, the end devices' gateway is the firewall, but they set static routes on the end devices to point to the other VLAN.
I have deleted all ACLs and ACEs now and still can't ping between the 2 VLANs. They are both classed as directly connected, aren't they? So there shouldn't be any reason why I can't ping between them. Unless I am missing something?
02-12-2024 07:59 AM - edited 02-12-2024 08:08 AM
Right, done some more on this and now have pings working and controlled by an ACE/ACL, as when I change it to deny on the ACE, ping is blocked. Changing it back to permit and ping is allowed again, so I added UDP port 69, but when I try and test TFTP there is no connection.
I found I can get the config off it, which is good, so here it is. What am I missing that makes TFTP not work? I think once that is fixed then I am sorted. (Oh, I should add I am only using ports 5 and 6 at the moment, between two laptops that I am using to test.)
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
vlan database
vlan 3
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 H3C_Aolynk
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone
voice vlan oui-table add 00e075 Polycom/Veritel_phone
voice vlan oui-table add 00e0bb 3Com_phone
bonjour interface range vlan 1
ip access-list extended LAN_to_DMZ
permit icmp 192.168.2.0 0.0.0.255 172.16.200.0 0.0.0.255 any any ace-priority 5
permit udp 192.168.2.0 0.0.0.255 tftp 172.16.200.0 0.0.0.255 tftp ace-priority 6
exit
ip access-list extended DMZ_to_LAN
permit icmp 172.16.200.0 0.0.0.255 192.168.2.0 0.0.0.255 any any ace-priority 5
permit udp 172.16.200.0 0.0.0.255 tftp 192.168.2.0 0.0.0.255 tftp ace-priority 6
permit ip 172.16.200.0 0.0.0.255 any ace-priority 7
exit
hostname switch
username admin password encrypted
interface vlan 1
name LAN
ip address 192.168.2.252 255.255.255.0
no ip address dhcp
no snmp trap link-status
!
interface vlan 3
name DMZ
ip address 172.16.200.252 255.255.255.0
no snmp trap link-status
!
interface GigabitEthernet1
switchport access vlan 3
!
interface GigabitEthernet2
switchport access vlan 3
!
interface GigabitEthernet3
switchport access vlan 3
!
interface GigabitEthernet4
switchport access vlan 3
!
interface GigabitEthernet5
service-acl input DMZ_to_LAN
switchport access vlan 3
!
interface GigabitEthernet6
service-acl input LAN_to_DMZ
!
exit
02-12-2024 08:24 AM
Sorry, I've just realised the laptop in the LAN was going out to the firewall, as when I pulled that connection everything stopped working. So back to square one.
02-12-2024 08:38 AM
The ACL needs to be tagged to the Layer 3 interface; check this video:
https://www.youtube.com/watch?v=08T4Ovw7O48
"For additional info, the end devices' gateway is the firewall"
If the end devices' gateway is the firewall, then the ACL needs to be created on the firewall, as I mentioned before.
Only if the end devices point to the switch IP as their gateway does this take effect.
"I have deleted all ACLs and ACEs now and still can't ping between the 2 VLANs. They are both classed as directly connected, aren't they? So there shouldn't be any reason why I can't ping between them. Unless I am missing something?"
If the CBS is doing inter-VLAN routing and the devices point to the switch, all should work as expected between these 2 VLANs, but as you mentioned all devices point to the firewall, so the firewall is doing the routing and protection between the VLANs. In that case the switch is acting just as Layer 2.
What interface on the switch is connected to the firewall? The diagram shows only the firewall side, not the switch side.
02-12-2024 09:29 AM
Thanks. Yes, that's the video I originally looked at.
I have just tested it and I can deny a ping between the two VLANs with the ACL on the switch, with the gateways set on the firewall.
(For info, there are ACLs on the firewall that match the ACLs on the switch, i.e. they allow the same ports and ping.)
I have static routes set on the two end devices telling them to use the switch L3 GW to reach the other VLAN.
(I know this is a bad way to do it, but I've got my hands tied and have to do it as the customer has other sites working this way.)
switch port 5 ------> port 2 firewall (vlan 3)
switch port 6 ------> port 3 firewall (vlan 1)
02-12-2024 10:01 AM
Sure, if that is your requirement you can do that, and let us know if you still have an issue so we can help.