changing access-lists in SG 300-52

Douger9999
Level 1

Hello all,

A little advice please... 

I recently set up VLANs and L3 switching in a small network. I spent some time tweaking the access lists to obtain the desired results, and finally achieved my goal. One observation I have is that when writing access lists on the SG-300 I find I have better results working in the command line rather than the GUI, as in the GUI I often get an error telling me that a line already exists, though I know it does not.

I work in Notepad as I was taught, writing out the access list and making changes as needed. I then copy and paste the final access list into the PuTTY-based command line, then apply the access list via the command line too.

e.g.

ip access-list extended ACL_CHEESE permit tcp 172.16.1.1 0.0.0.0 any 172.16.2.1 0.0.0.0 80 ace-priority 10
ip access-list extended ACL_CHEESE deny tcp 172.16.1.1 0.0.0.0 any 172.16.2.1 0.0.0.0 80 ace-priority 20
int vlan 10
service-acl input ACL_CHEESE

This applies my access list to the correct VLAN. Then, supposing I want to change my access list, I would type

no ip access-list extended ACL_CHEESE

This would delete ACL_CHEESE and remove the service-acl input ACL_CHEESE statement from VLAN 10.

Then I would modify my ACL_CHEESE in Notepad, re-paste the modified version into the console and re-write the service-acl line for VLAN 10.

However, I noticed that the changes were not instant when using this method. Is that because the switch is busy clearing the access list from its TCAM table and re-writing the new access list into the TCAM table, so it can be processed in hardware? If so, how long does this take? I know it depends on how busy the switch is, how long the access list is, etc., but is there a ballpark figure?

There is a command in ASA firewalls, clear xlate. I understand this to mean that all current translations (including access-list rules) are cleared and reprocessed immediately. Is my understanding correct, and is there something I can do in the SG300 switches to achieve a similar goal?

Or is there simply a better way of writing/editing access lists which avoids this problem?

Thanks

Doug
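An added example, not part of Doug's post or of Cisco's tooling: a small Python helper that compares the Notepad copy of an ACL against its previous version and emits only the per-ACE commands, instead of deleting the whole list and re-pasting it, and that flags ACEs that genuinely occur twice under different priorities. It assumes the switch accepts `no <ace> ace-priority N` inside `ip access-list extended` mode to remove a single ACE; that no-form syntax is an assumption to check against the Sx300 CLI reference, and the sample ACL texts are constructed.

```python
# Added example, not from the original post: diff two Notepad versions of an SG300 extended
# ACL and emit per-ACE CLI changes instead of "no ip access-list extended" plus a re-paste.
# Assumption: the switch accepts "no <ace> ace-priority N" inside "ip access-list extended"
# mode to remove one ACE; check the exact no-form syntax against the Sx300 CLI reference.

# Constructed sample: the two ACEs from the post, then a revised version of the same list.
OLD_ACL = """\
permit tcp 172.16.1.1 0.0.0.0 any 172.16.2.1 0.0.0.0 80 ace-priority 10
deny tcp 172.16.1.1 0.0.0.0 any 172.16.2.1 0.0.0.0 80 ace-priority 20
"""
NEW_ACL = """\
permit tcp 172.16.1.1 0.0.0.0 any 172.16.2.1 0.0.0.0 80 ace-priority 10
permit tcp 172.16.1.1 0.0.0.0 any 172.16.2.1 0.0.0.0 443 ace-priority 15
deny ip 172.16.1.1 0.0.0.0 172.16.2.1 0.0.0.0 ace-priority 20
"""

def parse_aces(text):
    """Map ace-priority -> normalised ACE text (without the ace-priority keyword)."""
    aces = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace so equal ACEs compare equal
        if not line or line.startswith("!"):
            continue
        body, sep, prio = line.rpartition(" ace-priority ")
        if not sep or not prio.isdigit() or int(prio) in aces:
            raise ValueError(f"missing or duplicate ace-priority: {raw!r}")
        aces[int(prio)] = body
    return aces

def duplicate_aces(text):
    """ACE bodies that appear under more than one priority (a real 'already exists' case)."""
    seen, dups = set(), []
    for body in parse_aces(text).values():
        if body in seen and body not in dups:
            dups.append(body)
        seen.add(body)
    return dups

def acl_delta(name, old_text, new_text):
    """CLI lines that turn old_text into new_text without deleting the ACL itself."""
    old, new = parse_aces(old_text), parse_aces(new_text)
    cmds = [f"ip access-list extended {name}"]
    for prio in sorted(old):  # remove ACEs that changed or disappeared
        if new.get(prio) != old[prio]:
            cmds.append(f"no {old[prio]} ace-priority {prio}")
    for prio in sorted(new):  # add new or changed ACEs at their own priority slot
        if old.get(prio) != new[prio]:
            cmds.append(f"{new[prio]} ace-priority {prio}")
    cmds.append("exit")
    return cmds
```

Calling `acl_delta("ACL_CHEESE", OLD_ACL, NEW_ACL)` returns the lines to paste; the service-acl input binding on VLAN 10 is not touched by these commands.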

1 Reply

Douger9999
Level 1

Hi,

Anyone have any ideas please?

Thanks

Doug