Cisco SG500 Intervlan routing ACL

Hi,

I have a stack of SG500 switches that are in layer 3 mode.

There are 3 VLANS

100 = Data 192.168.1.0
200 = Phone 192.168.200.0
500 = Management 192.168.220.0

Each VLAN has an IP address and clients have their gateways set to the switch's interface address. Intervlan routing is working and clients can ping across VLANs and access the internet.

I now want to apply some restrictions. For example I want to be able to apply rules such as:-

1) Any client on 100 or 200 cannot access each other or Management
2) Management can access anything on ANY VLAN.
3) Clients on 100 can access host 192.168.200.100 on vlan 200 on port 443 only.

I have tried setting up an example ACL and ACE such as per attached screenshot and apply the ACL to all ports on the switch:-

(attached screenshot: ACL's)
When I do this the management can't ping anything. It seems that the 'deny' is blocking the replies etc.

Is this possible, and if so how? Thanks in advance.
AW5000Asked:

cyonconciscoCommented:
Hello, Just to understand what you want to accomplish:

VLAN 100 and 200 should not reach MANAGEMENT VLAN,
But Management VLAN should reach VLAN 100 and 200?

If this is what you want you need a Firewall or something that does inspection for the traffic you want to pass from management to vlan 100 and 200.
Or you can try reflexive ACL , although I think they are not supported on the SG500.

Regards
AW5000Author Commented:
@cyonconcisco
Ok, if that's the case then what's the point of the switch access-lists? Other forum posts seem to suggest this is possible.
Soulja53 6F 75 6C 6A 61 Commented:
Give this a try:

VLAN 100

access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 192.168.200.100 eq 443
access-list 100 deny ip any 192.168.200.0 0.0.0.255
access-list 100 deny ip any 192.168.220.0 0.0.0.255
access-list 100 permit ip any any

interface vlan100
ip access-group 100 in

VLAN 200

access-list 200 permit icmp any any echo-reply
access-list 200 permit ip host 192.168.200.100 192.168.1.0 0.0.0.255
access-list 200 deny ip any 192.168.1.0 0.0.0.255
access-list 200 deny ip any 192.168.220.0 0.0.0.255
access-list 200 permit ip any any

interface vlan200
ip access-group 200 in

AW5000Author Commented:
@Soulja

Sorry but your commands are for IOS, this is a small business switch (SG500) and the commands are very different.
cyonconciscoCommented:
The point of ACL is to filter one-way traffic for static protocols and ports.

If you need bi-directional communication you need to open the return traffic on the ACL.
If it's just ping you want from management then echo-reply is enough.
If you need telnet, ssh, snmp, syslog, then you need the corresponding ports opened.

But then the statement:
VLAN 100 and 200 should not reach MANAGEMENT VLAN is not completely true,

It should be
VLAN 100 and 200 should not reach MANAGEMENT VLAN except for Ping, Telnet, SSH, etc.


Regards
Soulja53 6F 75 6C 6A 61 Commented:
@AW5000

Yes, I am aware of that. You should still be able to make your ACL based on what I provided in the GUI. Of course it won't be the exact commands, but the order and source/dest information should be the same, as should the direction in which I applied it on your VLAN interfaces.
AW5000Author Commented:
@cyonconcisco

That seems very impractical. Also, surely that would allow 100 and 200 to telnet and ssh in to the management vlan.

Ok, I think I need to work out an alternative.
Soulja53 6F 75 6C 6A 61 Commented:
Create your GUI ACL laid out how I did the CLI ACLs above. This should meet all of your requirements.
cyonconciscoCommented:
Hi,
As your request:
1) Any client on 100 or 200 can not access each other or Management
2) Management can access anything on ANY VLAN.
3) Clients on 100 can access host 192.168.200.100 on vlan 200 on port 443 only

Point 2 makes inspection necessary: you cannot have one network access ALL the others but deny the return traffic (point 1) just with ACLs.

The commands @Soulja sent can be edited for SG500.
But it will not accomplish what you want.

If the requirements from Management VLAN are a little less general, e.g. Management VLAN can do ping, telnet, etc., then you need to open those protocols and services with this:

VLAN100
ip access-list extended VLAN100
permit tcp any 192.168.200.100 0.0.0.0 eq 443   //to host on vlan 200 port 443
deny ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255  //to vlan 200
permit icmp any 192.168.220.0 0.0.0.255 echo-reply   //pings to management
deny ip any 192.168.220.0 0.0.0.255
permit ip any any

VLAN200
ip access-list extended VLAN200
permit tcp 192.168.200.100 0.0.0.0 eq 443 192.168.1.0 0.0.0.255     //from host on vlan 200 port 443
deny ip any 192.168.1.0 0.0.0.255  //to vlan 100
permit icmp any 192.168.220.0 0.0.0.255 echo-reply   //pings to management
deny ip any 192.168.220.0 0.0.0.255  
permit ip any any


interface vlan 100
service-acl output VLAN100

interface vlan 200
service-acl output VLAN200


Regards
Soulja53 6F 75 6C 6A 61 Commented:
Cyon is correct. After looking at my ACLs, it doesn't account for return traffic back to the management vlan, so yes you would need some type of stateful inspection.

@Cyon

Based on your ACL shouldn't the direction be input on the VLAN interfaces? Also, echo-reply allows ping replies back to management, not ping requests, so the two VLANs will not be able to ping management, just reply to pings from management.
cyonconciscoCommented:
@Soulja
Yes you're correct, that's not "echo-reply" but "echo" for the output traffic.
The ACLs can be inbound but you should invert the source/destination on the statements.
cyonconciscoCommented:
But because it's for traffic going to the management VLAN, it should expect "echo-reply" as the packets coming from VLAN 100 and 200.

Assuming the ping was originated on Management VLAN.
Soulja53 6F 75 6C 6A 61 Commented:
@Cyon,

Based on your ACL it should be inbound.

Inbound means sourcing from the vlan to the vlan interface.
Outbound means destined for the vlan from the vlan interface.
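As an added illustration of the point both answers arrive at (this is example code written for this page, not the switch's own logic or anything posted in the thread): a small stateless, first-match ACL evaluator in Python for an inbound ACL on VLAN 100, built in the style of the ACLs above. The hosts and ports are constructed, and the extra ACE permitting TCP source port 22 towards management stands in for "open the return traffic" of an SSH session started from management. Because the switch keeps no session state, that same ACE also matches a packet a VLAN 100 client originates with source port 22, which is exactly why the thread ends at stateful inspection.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = "" # "echo" or "echo-reply"

@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: tuple                     # (network, wildcard mask)
    dst: tuple
    sport: Optional[int] = None    # None means any
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and wildcard_match(p.src, *self.src)
                and wildcard_match(p.dst, *self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type))

def evaluate(acl, p: Packet) -> str:
    """Stateless first match, as the switch does it; the ACL ends in an implicit deny."""
    return next((a.action for a in acl if a.matches(p)), "deny")

ANY = ("0.0.0.0", "255.255.255.255")
MGMT = ("192.168.220.0", "0.0.0.255")
# Inbound on VLAN 100 (sourced by 192.168.1.0/24 clients, constructed hosts): requirement 3,
# then ping and SSH replies towards management, then the denies from the thread.
VLAN100_IN = [
    Ace("permit", "tcp", ANY, ("192.168.200.100", "0.0.0.0"), dport=443),
    Ace("permit", "icmp", ANY, MGMT, icmp_type="echo-reply"),
    Ace("permit", "tcp", ANY, MGMT, sport=22),  # replies to SSH started from management
    Ace("deny", "ip", ANY, ("192.168.200.0", "0.0.0.255")),
    Ace("deny", "ip", ANY, MGMT),
    Ace("permit", "ip", ANY, ANY),
]
```

Feeding it a reply packet (source port 22, high destination port) and a client-originated packet with source port 22 returns "permit" for both; only a stateful device can tell the two apart.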