Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
634
Views
0
Helpful
0
Replies

VLAN ACL on SG350x Switch

awweise
Level 1
Level 1

‎03-27-2018 02:52 PM - edited ‎03-08-2019 02:25 PM

Hello,

I've setup an SG350x-48P switch with 6 vlans.  I've configured ACL's and ACE's thru the web gui.  Below is that portion of the configuration.  The ACL's I've setup don't seem to be working.   For example, I can ping a device in Vlan 10 from Vlan 120 (Guest Network).   Please take a look and let me know what I'm doing incorrectly.

 

Thanks.

 

Tony

 


ip access-list extended "Vlan 10"
permit ip 10.1.30.0 0.0.0.255 10.1.10.0 0.0.0.255 ace-priority 10
permit ip 10.1.50.0 0.0.0.255 10.1.10.0 0.0.0.255 ace-priority 20
deny ip 10.0.0.0 0.255.255.255 10.1.10.0 0.0.0.255 ace-priority 30
permit ip any any ace-priority 40
exit
ip access-list extended "Vlan 30"
permit ip 10.1.10.0 0.0.0.255 10.1.30.0 0.0.0.255 ace-priority 10
deny ip 10.0.0.0 0.255.255.255 10.1.30.0 0.0.0.255 ace-priority 20
permit ip any any ace-priority 30
exit
ip access-list extended "Vlan 50"
permit ip 10.1.10.0 0.0.0.255 10.1.50.0 0.0.0.255 ace-priority 10
permit ip 10.1.60.0 0.0.0.255 10.1.50.0 0.0.0.255 ace-priority 20
deny ip 10.0.0.0 0.255.255.255 10.1.50.0 0.0.0.255 ace-priority 30
permit ip any any ace-priority 40
exit
ip access-list extended "Vlan 60"
permit ip 10.1.50.0 0.0.0.255 10.1.60.0 0.0.0.255 ace-priority 10
deny ip 10.0.0.0 0.255.255.255 10.1.60.0 0.0.0.255 ace-priority 20
permit ip any any ace-priority 30
exit
ip access-list extended "Vlan 80"
deny ip 10.0.0.0 0.255.255.255 10.1.80.0 0.0.0.255 ace-priority 10
exit

interface vlan 1
ip address 10.1.1.254 255.255.255.0
no ip address dhcp
!
interface vlan 10
name DATA
ip address 10.1.10.254 255.255.255.0
service-acl input "Vlan 10"
!
interface vlan 30
name VOICE
ip address 10.1.30.254 255.255.255.0
service-acl input "Vlan 30"
!
interface vlan 50
name AVCONTROL
ip address 10.1.50.254 255.255.255.0
service-acl input "Vlan 50"
!
interface vlan 60
name DANTE
ip address 10.1.60.254 255.255.255.0
service-acl input "Vlan 60"
!
interface vlan 80
name CLEANROOM
ip address 10.1.80.254 255.255.255.0
service-acl input "Vlan 80"
!
interface vlan 120
name GUEST
ip address 10.1.120.254 255.255.255.0
dot1x guest-vlan 

2 people had this problem
Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card