Frustration with ACLs - SG350X-24P

JasonReg416LGK
Level 1

I purchased this switch for two reasons. First, to move all Layer 3 routing off my RV340 and onto the switch, and second, to use the opportunity to set up several VLANs as the network grows.

So here is what I am trying to do. I have 5 VLANs: 1-Management (192.168.1.125-185), 10-Server (192.168.10.125-185), 20-Office (192.168.20.75-95), 50-IofT (192.168.50.10-225), 66-Guest (192.168.66.125-175). The router is on 192.168.1.1, the main switch is 192.168.1.254. I want to create ACLs and bind them to VLANs (ideally) to get the following:

  1. I want to isolate VLAN 66 from everything other than internet access.
  2. I want to isolate VLAN 50 from everything other than internet access. At some point I may want to open up access to VLAN 10 but not quite yet.
  3. VLAN 1 needs access to the internet and VLAN 10 (Server). Isolated from VLANs 20/50/66.
  4. I want to access the server on VLAN 10 from computers on VLAN 20 (they are not currently on fixed IPs but could be); and
  5. VLAN 20 needs internet and server access. Isolated from VLANs 50/66.

Every time I create an ACE and bind it to VLAN 66 I lose internet access. I am not using the CLI; I am trying to use the GUI as I am a bit out of my depth here. Basically I have tried to set up a permit rule which allows VLAN 66 (192.168.66.0 0.0.0.255) access to 192.168.1.1 0.0.0.0 and then bind it to VLAN 66, using a deny to prevent all other traffic from VLAN 66, but this obviously is not the right way to do this. Can anyone help and/or point me to a reference for creating these rules?

Thanks in advance - Jason

 

1 Reply

balaji.bandi
Hall of Fame

As per my understanding, if you allow only the gateway IP 192.168.1.1, everything else is blocked by default.

Instead, you can do as below:

Deny the other subnets that are not required to have access, allow the rest, and test it.

Example: from VLAN 66 to 50/20, deny (make sure the ACE is bound to the VLAN interface for it to work).

https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-200-series-smart-switches/smb70-configure-ipv4-based-access-lists-on-the-200-300-series-mana.html

BB

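The following is an added example, not code from the thread, from Cisco or from either poster. It models the ACL evaluation the two posts are arguing about: ACEs bound to a VLAN are checked in order against packets entering the switch from that VLAN, the first match decides, and anything unmatched hits the implicit deny. It puts the original poster's "permit only the gateway" ACL beside the reply's "deny the other subnets, permit the rest" approach, generalised to all five VLANs from the five requirements in the post. Assumptions not stated in the thread are marked in the code: the router at 192.168.1.1 also serves DNS for the VLANs, the VLAN subnets are /24s, and the ACLs are stateless, so VLAN 10 is given permits back to VLANs 1 and 20 so the server's replies are not dropped.

```python
"""First-match IPv4 ACL model for the VLAN isolation discussed in the thread.

Added example, not code from the thread or from Cisco. ACEs are checked in
order, the first match decides, and a packet matching no ACE hits the implicit
deny. Wildcard masks follow Cisco semantics (0 bit = must match, 1 bit = don't
care). Assumptions not stated in the thread: the router at 192.168.1.1 is also
the DNS server, the subnets are /24s, and ACLs are stateless, so return
traffic must be permitted on the VLAN it enters the switch from.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: str                     # "192.168.66.0 0.0.0.255" or "any"
    dst: str
    dport: Optional[int] = None  # destination port, only for tcp/udp ACEs


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def wildcard_match(spec: str, ip: str) -> bool:
    """True if ip matches an 'address wildcard' pair, or spec is 'any'."""
    if spec == "any":
        return True
    addr, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF  # bits that must match
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(ip)) & care)


def ace_matches(ace: ACE, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return wildcard_match(ace.src, flow.src) and wildcard_match(ace.dst, flow.dst)


def evaluate(acl, flow: Flow) -> str:
    """First matching ACE wins; no match means the implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


GUEST = "192.168.66.0 0.0.0.255"
ROUTER = "192.168.1.1 0.0.0.0"

# The ACL the original poster described: permit only the gateway, then deny.
# Internet-bound packets carry the internet host as destination, not
# 192.168.1.1 (the switch routes them to the router as next hop), so they
# fall through to the deny and internet access is lost.
OP_ACL = [
    ACE("permit", "ip", GUEST, ROUTER),
    ACE("deny", "ip", GUEST, "any"),
]

# Per-VLAN policy from the post's five points: the other VLANs each VLAN may
# reach. VLAN 10 permits 1 and 20 so the server's replies get back (stateless).
SUBNETS = {1: "192.168.1.0", 10: "192.168.10.0", 20: "192.168.20.0",
           50: "192.168.50.0", 66: "192.168.66.0"}
ALLOWED = {1: {10}, 10: {1, 20}, 20: {10}, 50: set(), 66: set()}


def build_acl(vlan: int):
    """Reply's approach: deny the internal subnets this VLAN may not reach and
    permit everything else (the internet). Source is pinned to the VLAN's own
    subnet so routed return traffic entering the VLAN (e.g. internet replies
    arriving on VLAN 1 from the router) skips the denies and hits the final
    permit."""
    src = f"{SUBNETS[vlan]} 0.0.0.255"
    acl = [ACE("permit", "udp", src, ROUTER, 53)]  # assumption: router serves DNS
    for peer, net in SUBNETS.items():
        if peer != vlan:
            action = "permit" if peer in ALLOWED[vlan] else "deny"
            acl.append(ACE(action, "ip", src, f"{net} 0.0.0.255"))
    acl.append(ACE("permit", "ip", "any", "any"))
    return acl


if __name__ == "__main__":
    # Constructed sample flows from a guest host on VLAN 66.
    flows = [("web", Flow("tcp", "192.168.66.130", "93.184.216.34", 443)),
             ("dns", Flow("udp", "192.168.66.130", "192.168.1.1", 53)),
             ("server", Flow("tcp", "192.168.66.130", "192.168.10.150", 445))]
    for name, flow in flows:
        print(f"{name:6} OP_ACL={evaluate(OP_ACL, flow):6} VLAN66={evaluate(build_acl(66), flow)}")
```

Two points to check when carrying this over to the switch GUI: the DNS permit to 192.168.1.1 has to sit above the deny for 192.168.1.0/24 or guests resolve nothing, and because the ACLs are stateless, every VLAN that is allowed to reach the server on VLAN 10 needs a matching permit in VLAN 10's ACL for the replies.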