Cisco Switches :: SG300 - Implement ACL To Permit Or Deny Access Between Vlans And Hosts
Mar 25, 2012
I have a SG300 Switche working in layer 3 mode.I configured 3 VLANs on the switch, assigned all ports, given IP addresses to VLANs interfaces, etc.Now I want to implement ACL to permit or deny access between vlans and hosts.Can I apply an ACL to a whole VLAN (in or out) like Catalyst models?I mean apply the ACL to the entire vlan or the only way in this model is to implement that ACL port by port?Every time I have a new port configure to work in a Vlan I have to implement the ACL?
I supplied 3 numbers of SG300 series switches for the sole reason to have inter-vlan routing. I created 4 VLANs in the switches and made one switch as Layer 3 switch and other 2 as Layer 2 switch. Inter-Vlan routing is working fine. I am able to ping PCs from different VLANs. But I am not to access shared folders. Customer has installed Window 2003 server installed and it is in VLAN 1. There are some folders created in this server and it is very important for users to have access to the folders.Also, I am not able to access shared folders in other VLANs. I have created a case with Cisco small business and I got a reply saying that the switches will not support shared folder feature, which I think is not real. I am getting a very time to implement this solution in the network. I have a Sonicwall firewall after Core switch which is connected to ISP.
I'm going to have several SG300-28P switches to setup. I'll need to create multiple vlans for data, voice, and wireless traffic. I have the following questions in setting up this configuration:
1) For managing the switches via IP, will LAN1 be the default management network? Should I create a seperate VLAN for managing the switches?
2) For uplinking the switches together, I plan to trunk a port to connect the switches together. What's the configuration on the trunk port to forward all vlans from one switch to another?
3) On some ports, I want to configure a trunk for two vlans (Data and Voice) where the phone has a pass through for PC. The phone supports tagging for the PC and the VoIP traffic. For example on port 10, would VLAN 100 and 300 be set to tagged?
I have 2 SG300-10 switches, and I need two VLANs, one for internal network and one for WiFi APs.I need ports 1->4 on both switches to be part of 1st VLAN and ports 5->8 on 2nd VLAN; and port 10 uplink to 2nd switch.How I set up the VLANs and interface VLAN mode?
i am trying to get a SG300 work as a router between VLAN's?So fare without any lock?Test setup one SG300 switch and 2 PC's ?Ping works from host to VLAN IP's, but not from host A to host B
SG300 with FW 1.1.2.0 configuration i L3 mode set system mode router confip routing (needed on SG300??? - ti is on a 3560 i PacketTracer) vlan databasevlan 5vlan 6vlan 7
I have just purchased a SG300-28P switch I am using a GUI to do my config. I cant create VLANs just fine on this but I can not assign IP address to the VLANs.
I just want to have a Data and Voice VLAN on this I am planning on leaving data on VLAn 1 but I can't seem to find an option to assign an IP address to my voice vlan.
For some odd reason I cant access this switch using a console port.
I have a SG300-28P that is our Main VLAN Switch. Though the VLANs that I have on it are there mostly because of our Edge Router and our AP541Ns.We have the Following VLANs defined (Subnets Changed to conseal Piblic IPs) [code]
VLAN200 and VLAN201 come into Our Edge Router and out on a Single GE Port via VLAN Tagged to thje SG300.The SG 300 Splits them out to Untagged Ports and they are connected to Two Firewalls, each with a IP in the 200 and 201 Subnets. The AP510 has the VLAN200, VLAN192 and VLA101 tagged Subnets sent to it. The AP521 has three SSID, each associated with a Paticular VLAN.
This all works fine, though there are a few hidden flaws. Since all of the VLANs are present, both Internal and Public IPs, one could craft packets form one network and use the SG300 as its gateway to the other subnet and Gain Access. How can I isolate the Subnets, so that I can still use the SG300 as a Default Gateway for the 10.1.0.0/16 Network Make it so if someone from the 10.1.0.0/16 netwok accesses the 201.201.201.0/24 Subnet it uses the SG300's 0.0.0.0 0.0.0.0 default router (the Firewall IP) and not the VLAN InterfaceIf somone in the 201, 200, 192 Subnets uses the SG300 as a Gateway and tries to access a 10.1.0.0/16 address it gets blocked.
How to setup 3 SG300-52 (in L2 mode) as per this diagram:Port 1 on all switches should be able to talk to each other and access the blob at the right.The ports 25 on the other hand should only be able to talk among themselves in their own private vlan. They are to carry sensitive traffic. So I created 3 vlans, vlan 78 for ports gi1, gi51 and vlan 10 for port25,49,50 and a dummy vlan: 666 with the intent of segratating vlan 10 from vlan 78. My attempts so far have failed. ports gi49-50 are configured as trunk ports and gi1,gi51 as access ports as the following cli output (excerpts of the startup config):
Ports gi1 can talk to each other and access the blob but ports 25 refuse to talk to each other. But as soon as I remove the access links to the blob they can! Obviously, at that point port gi1 lose access.Is such a topology feasable or even advisable?
I've seen lots of posts from people having problems routing traffic between two vlans with some complicated examples. Any simple step-by-step example for an SG300 switch (in layer 3 mode) to configure two vlans and sending traffic between the two vlans without an external router?
-VLAN1 10.10.10.0 -VLAN2 10.10.20.0
I've tried to do this through the GUI and can't seem to make it work. I'm missing something in the GUI.
I just received a new Cisco SG300-10 and am configuring it in Layer 3 mode. I am trying to setup multiple routed VLANs going back to a FiOS Actiontec router. My configuration is as follows.
Fios Router: 192.168.1.1 Assigning DHCP 192.168.1.2 through 100. SG300-10 has VLan 1 ip 192.168.1.5 used for Mgmt. VLAN2 is 10.0.2.1 VLAN3 is 10.0.3.1.
I have a static route set on the fios router for both subnets setup as follows.
I have a laptop connected to Gi8 on the Cisco (Vlan 3) and statically assigned 10.0.3.3, with a gateway of 10.0.3.1. DNS set to the fios router (192.168.1.1).
Everything pretty much works EXCEPT, I cannot get out to the internet from either vlan. Traffic routes between vlans/and the default subnet on the fios without issue.
When I ping out, DNS resolves, but will not go past the fios router. Am I missing a setting somewhere?
I have 5 VLANs, I assign VLANs to its ports and make them all Untagged.I created ACLs and a ACE rules for each ACL, and then assigned to the ports.So what i am trying to do is to deny access to from one port to other 4 ports and granted access to any other ports. But it is not working, without last rule "allow any any" it has no access to any ports, with the last rule it grants access to every port even to those I denied.Router in Layer 3 mode, all VLANs have their IP's.
At some moment I was able to work it properly but without using any rules, I just tagged my untagged VLANs to those ports which I wanna get access to. As you can see I want allow ports GE1 - GE4 communicate with 1 to 24 ports but not to each other.
I am trying to setup VLAN's in the company I work for and I am almost there but missing the part when the internet works.I have an SG300 as a L3 Router IP 192.168.0.93.I have created VLAN20 and VLAN40 Assigned VLAN20 192.168.2.1 and VLAN40 192.168.4.1
The static routes have been created and a default router going to the Sonicwall firewall at 192.168.0.1.Port 24 is configured as Untagged VLAN1, Untagged VLAN20 and VLAN40 in trunk mode and going to the Sonicwall NSA 2400. [code]
Working to move all 192.168.0.x network off of VLAN1 and move it a management switch.I have DHCP helper on pointing to the DHCP server.Both VLAN's once the DHCP server is configured to Gateway 192.168.0.93 can get an IP from the correct subnet either 192.168.2.x or 192.168.4.x
All PC's are getting a GW IP of 192.168.2.1 pr 192.168.4.1.All test PC's on both VLAN's can ping each other and any server with the correct GW.When I try to ping google.com or open a web page and try google.com it times out.
In our network two Domain Controllers are configured as the central (S)NTP Servers. For a switch in Layer 3 mode it is quit easy to synchronise with these (S)NTP Servers. But what is actually the best approach for access switches in layer 2 mode, that are connected to the layer 3 switch? The only IP Address they have are part of the management VLAN ID 1 which is not routable. I am actually looking for something like a broadcast without having to put a NTP Server in management vLAN.
I supplied 3 numbers of SG300 series switches for the sole reason to have inter-vlan routing. I created 4 VLANs in the switches and made one switch as Layer 3 switch and other 2 as Layer 2 switch. Inter-Vlan routing is working fine. I am able to ping PCs from different VLANs. But I am not to access shared folders. Customer has installed Window 2003 server installed and it is in VLAN 1. There are some folders created in this server and it is very important for users to have access to the folders.Also, I am not able to access shared folders in other VLANs. I have created a case with Cisco small business and I got a reply saying that the switches will not support shared folder feature, which I think is not real. I am getting a very time to implement this solution in the network. I have a Sonicwall firewall after Core switch which is connected to ISP.
I have a SG300 switch working in layer 3 mode. I created 3 VLANS and the intervlan communication is working fine. I want to know how to block acces to switch managment from the Vlans. One of the vlan is allowed to access the switch but not the others vlans. What is the best way to implement this? with ACL or with Managment Access Method, creating an access profile?
I recently bough for a home lab a sg300-10 switch. I have enabled layer 3 routing on it and have come across a puzzling issue. The switch is the default gw on this network, and in front of the switch there is a cable modem (ip route 0.0.0.0 0.0.0.0 192.168.0.7).
Trunk from 3500 going into SF300-8 #1 QNQTrunk from SF300-8 #1 going into trunk SF300-8 #2QNQ from SF300-08#2 going into Trunk SF300-24, All Vlans from Network 1 seem to be communicating properly between the 3550 and SF300-24 and is isolated from the Transport Network by QnQ. I am having one problem, I can not ping the SF300-24 or get to the management interface. I am able to access other devices on the SF300-24 Vlan1 from devices on the 3550 Vlan1 and vice versa.
These are our first switches and seems like GUI is lot different than the online. Out intervlan routing is o not working. I am absolutely sure that I setup the switch in L3 mode since it allows me to create mutiple interfaces. I am hoping that this GUI issue is related to interVLAN routing.
Below is the blog I started for InterVlan issue [URL]
This is the link for online simulator and what I see in its IP tab. I know this switch is not SG300. [URL]
This is what I see on our switch.
Our switch version switchd64684#show version SW version 1.1.0.73 ( date 19-Jun-2011 time 18:10:49 ) Boot version 1.0.0.4 ( date 08-Apr-2010 time 16:37:57 ) HW version V01
I currently have two SGE2010's with a 4-port LAG configured between them. I'm looking to add another two SGE2010's and I want to add redundancy at the same time. The switches are currently in standalone mode. I don't have fiber connectors and was planning on just using copper for the uplinks.
My questions are:
- Is it possible to use stack mode in conjunction with 4-port LAG groups to create redundant 4-port links between all of the switches? The documentation says that ports 24&48 are reserved for stacking - does that mean I can't specify a LAG instead?
- If 4-port LAGs aren't possible, does that mean that these switches max out at 1Gpbs uplinks if you use stack mode?
I am facing problem in configuration with SF-200-24P Switch . I am failed to configure two vlans on same access port i.e. data vlan and voice vlan. there is an option of auto voice vlan with vlan 1 and i changed to our voice vlan i.e. vlan 101 but didnt work. I tried many options. when i assign single vlan on each
access port it works . I have to configure like to work both data vlan and voice vlan with one access port. I worked on enterprise cisco switches its simple but on small business switch first time i am working.
I have SG300-28P that I am using as layer-3 switch. Recently I ran in to SG300-52 switch and even though loading same firmware doesn't give me option to do layer-3 switching. For SG-300 I see options in GUI to create vlan interfaces under IP information section, while SG300-52 has IP information option only under the management section.let me know if these are 2 different hardware types and L3 is not possible on SG300-52. If its possible to enable L3 switching on SG300-52?
We recently purchased a SF 300-48P to replace a Layer 3 3Com switch that died. I've sucessfully put the switch into Layer 3 mode and assigned ip addresses to each of the VLANs but I cannot figure out how to implement routes for those. Here's some info on our network and what the previous switch had. [code]
Not sure if this can be translated into the Cisco or not.. If i try to create an IP route like these i get errors that the Gateway can be a route.
I was assigned a task to configure an SG300-28P to have 3 different vlans.Now on VLAN1 their will be only one device configured with static IP 192.168.0.230,On the other 2 VLANS there will be a separate router connected on each one of them and will also act as a DHCP server.
I have spent several days tearing my hair out trying to properly configure our small business switch (SG300-10p) for voice. The phones are a relatively new addition and will replace old POTS phones.Our network consists of a 1941 ISR router, the SG300-10P switch, a mac server (handing DHCP, DNS, AFP), 4 client desktops and 4 SGA525G2 IP phones. The router, server, desktops and phones all have their own connection to the switch and the second data ports on the back of the IP phones are not used. We do not have any unified comms devices for voice. Our VOIP solution is hosted by a local SIP provider, and each phone independently registers with the provider's SIP proxy over the internet.
Left almost to it’s own devices (or presumably flat, default settings on VLAN 1), this whole setup works just great. We can TFTP files, make and receive calls, and do all the usual XML stuff. Calls are crystal clear. Even the localisation and directory works. However, I’ve been told several times that to ensure good quality on VOIP calls during periods of busy traffic, I should set up some form of QoS. A Voice VLAN on the switch, I was told, is the best way to do this as it automagically gives priority to the whole voice VLAN over the normal data VLAN.
I have followed instructions in numerous manuals, articles and guides, and have managed to create the Voice VLAN, both manually and automatically (I can watch Smartport detect the phones and see the Auto Voice VLAN add the ports to the VLAN as I connect them). The trouble is, as soon as this happens, the phones lose connectivity with the rest of the network, including the DNS server and the router, and therefore the internet, causing them to lose registration with the SIP service.
I tried adding the server and router ports to the Voice VLAN and tweaking every possible combination of tagged, untagged, excluded, trunk, access, general and PVID settings I can think of (by the way, I have no idea what any of those mean). The switch is in Layer 2 mode, but adding the port connected to the router to all the VLANs does not result in internet connectivity to the phones. I have told the phones to tag frames with the VLAN ID and told them not to. I have tried upgrading firmware and I have rebooted the switch so many times I'm tired of those wretched little flashing lights.
Nothing seems to work. And so I am stuck with everything on VLAN 1. My most recent thought is that the 1941 needs to know about the Voice VLAN (I checked CDP and it knows about the switch), but I’m reluctant to start messing with the router config when this is our production network, at least without knowing what I'm doing. I don’t even know if QoS applies when a Voice VLAN is not set up and we're on VLAN 1, some articles say yes, others say no. And when it is set up right, how does that priority transfer to the router? I’ve looked in the router manual and config options and found something called 802.1Q, but I have no idea what it is, how it works or even if it applies to our situation. Can I forgo VLANs altogether and use QoS some other way, perhaps?I have googled enough to cobble together our setup in IOS up until now. Ideally, I would still like to be able to ssh or https into each device (as I do now) for management, and I’ve read about setting up a another VLAN for config, monitoring etc, but I guess that would mean routing between VLANs in Layer 3.
Is it possible to configure both Catalyst WS-C2960-24PC-L and Switch Cisco SG300-28 to work together for VLANs for voice and data ? If yes, can you give me the resources which I can refer to ?
I'm new to this forum and Cisco in general but I feel it may be very resourceful to me as I am a new network administrator fresh out of school for a local credit unionHere's my situation:We need to limit access to one of our servers to only 3 workstations used by our IT department. The server is on a Cisco 3560G on port 17, which is the interface I'm trying to apply a standard, basic ACL to, which looks like this:
I have configured a Cisco ASA 5505 to allow VPN access from outside to my LAN using Cisco VPN Client software. The connection is establishing properly with the ip address from my VPNPool. From outside (on VPN connection) I can ping the interface e0/0 (outside) and the interface e0/1 (inside) of the firewall, but I cannot ping the layer 3 switch interface to which the ASA is connected ( int gi1/0/22 ip address 192.168.1.2/30 ) and I cannot ping any vlan interfaces inside my switch. Therefore, I cannot connect to any server on my internal LAN. I am available at any time if further information is needed. find attached my ASA config.
