Cisco Switching/Routing :: SG300 Restrict Port To Only One Access Point
Jun 10, 2012
At a small boarding school we have the students living in several small houses, each equipped with an AP. Each AP serves 4 VLANs. I want to restrict the switch for these APs, in a way to keep the students from removing the AP and connecting their own equipment. I tried using the secure port feature on the SG300, but that had the result of allowing the AP but denying all the users connected to the AP. The switch is an SG300-28P placed in L3 mode.
We have a network of 30 VLANs and currently all the VLANs have access to everything. We are using a Cisco 6509 switch for Layer 3 routing. I would like to prevent some VLANs from accessing the server VLANs. How can I restrict access to the server VLANs? Do I need to implement access-lists on the 6500 switch, or do I need to create VLANs on the firewall so that all traffic is filtered?
I have a Cisco L2 SG300-10P managed switch. I want to configure one port as a trunk but can't find the command Encapsulation dot1q. It's a PoE switch I want to use for both internet and VoIP in separate VLANs.
In my LAN environment, I'm using two Cisco SG300-10 switches. Both switches are connected by GE10 on both switches, where both ports are set to trunk. Now on all ports 1-9 on both switches, I'm having client computers attached. So I set ports 1-9 to "access" mode. All interfaces on either switch are left in the default VLAN.
Is it normal that I see all traffic from all connected devices on any port where I connect a listening device? What I'd like to achieve is that only traffic that is meant for a specific workstation is actually forwarded to this workstation. By now it seems that I get all the traffic from everybody.
I am trying to set up VLANs in the company I work for and I am almost there but missing the part when the internet works. I have an SG300 as an L3 router, IP 192.168.0.93. I have created VLAN20 and VLAN40 and assigned VLAN20 192.168.2.1 and VLAN40 192.168.4.1.
The static routes have been created and a default router going to the Sonicwall firewall at 192.168.0.1. Port 24 is configured as Untagged VLAN1, Untagged VLAN20 and VLAN40 in trunk mode and going to the Sonicwall NSA 2400. [code]
Working to move all 192.168.0.x network off of VLAN1 and move it to a management switch. I have DHCP helper on, pointing to the DHCP server. Both VLANs, once the DHCP server is configured to Gateway 192.168.0.93, can get an IP from the correct subnet, either 192.168.2.x or 192.168.4.x.
All PCs are getting a GW IP of 192.168.2.1 or 192.168.4.1. All test PCs on both VLANs can ping each other and any server with the correct GW. When I try to ping google.com or open a web page and try google.com, it times out.
I've been trying to configure my router, which is a Linksys E1000, to forward a port to my SharePoint server. Here is what I have done so far: set up a single port forward to i.e. 192.168.xx.xx using port 4848. Now my question is, do I need to configure SharePoint to receive this incoming connection? I do need to have my SharePoint be accessed anywhere on the web.
I have a 3750G connected to a "core" switch stack of 7 other 3750Gs via 2 GigE ports in a trunk. This is currently in a switchport mode access port-channel so only the default VLAN data is sent over. Now we have a need, due to the physical location of these switches, to allow vlan20 (DMZ) from this 3750G to the switch stack. I will configure a few ports on the switch stack for vlan20 and they need to be able to talk to the stand-alone 3750G. To do this I will change the port channel on both endpoints to
-switchport trunk encapsulation dot1q
-switchport mode dynamic desirable
also making the appropriate change on the interfaces belonging to this trunk. My question is, now that it's a trunk port that carries multiple VLANs, how much is the bandwidth reduced on that 2 Gbps link? I have a very active VLAN (10) on the stand-alone switch, but on the core I'm not going to be assigning VLAN 10 to any ports. So does traffic from VLAN10 even come across the trunk (wasting bandwidth) if no ports on the core side are assigned to it? I really just need VLAN 1 and 20 (for now).
I recently bought an SG300-10 switch for a home lab. I have enabled layer 3 routing on it and have come across a puzzling issue. The switch is the default GW on this network, and in front of the switch there is a cable modem (ip route 0.0.0.0 0.0.0.0 192.168.0.7).
I have an 871w set up to add wireless connectivity to an existing network. When adding a client to the physical interfaces to test VLAN internet connectivity, however, a DHCP address is assigned but internet traffic on the terminal never reaches the network nor does the network recognize the IP the terminal shows as being 'connected'. Also, pings sourced from the VLAN do reach destinations. I've attached my config file, I think it's a routing issue of some kind.
10.26.99.0 is the existing network. 10.26.99.1 is an existing 871w router set as the DHCP server for that network and 10.26.99.10 is a Windows Server 2003 DNS box. VLAN 2 and DHCP pool alpha were control sets for trialing DNS settings.
I have a Cisco 1130 access point; we are using this for wireless Cisco IP phone connectivity to the network. Earlier the access point was working fine and we were able to make calls through the IP phone. But we have relocated to a new place. Now the access point is not working and we are not able to make calls on the wireless IP phone, as the access point is not working. But the access point is in the network and we are able to ping the IP address of the access point.
We are continuously getting the below logs on the access point, and the access point is getting power from the Ethernet port of the switch, not through the external power adaptor.
I am trying to configure my HP 420 access point. I have configured different SSIDs on it. This access point is connected to a Cisco 4500 switch, and I have configured a trunk on the uplink to the access point. My problem is that the clients are not able to get an IP address from the correct VLAN if I tag the SSID to it.
The following is the output of show run int on the Cisco 4500 switch:
interface GigabitEthernet3/13
 description ==== HP ACCess point ====
 switchport trunk allowed vlan 99,130,132
 switchport mode trunk
I have voice bandwidth on a Cisco 7200 router and a Catalyst 3750. Now I want to sell some BW (15MB) to any client. How do I do that? We have Ethernet connectivity with my client. How do I restrict the client to 15MB? Will I have to form a VLAN or just limit the port bandwidth, and which is the better way?
I have to bridge the AP to VLAN1, which has the DHCP pool. For some reason when I try to do this from the IOS console it tells me that gig0 is not a bridgeable interface. I am a newb to Cisco IOS (24 hours new). I got the Cisco Configuration Professional working and would like to fix my issue through there if possible. Why won't my AP get anything but APIPA addresses?
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
I'm having some difficulties with the VLAN setup on the SG-200 and the WiFi access point. The access point (a TP-Link WA801N) is only able to access the internet when it is plugged into a port that is on the default VLAN (PVID 1). If I plug it into one of the other VLANs then any clients connected to the WiFi lose access to the internet and cannot access devices on the VLAN. I have previously used this setup with a first generation Cisco WAP4410N. [code]
I'm facing an issue with VACL. I have a LAN network with 10.40.X.X/16. In this network I have a production VLAN 10 with 10.40.10.X/24 and I have created one VLAN 103 for guest users as 10.40.103.X/24.
My goal is to restrict VLAN 103 from reaching or accessing VLAN 10, or better, to restrict guest user access to the production VLAN. So I tried to apply this script with the VACL method, but it doesn't work.
Extended IP access list Restriction-Guest
    10 permit ip 10.40.103.0 0.0.0.255 any
vlan access-map Guest 10
 action drop
 match ip address Restriction-Guest
vlan filter Guest vlan-list 10
After that I am still able to ping or access VLAN 10 from VLAN 103.
I have a Cisco 887M router which I wish to restrict the devices allowed to be connected/allocated an IP address to two, and *only* two.
I can't, for the life of me, find out how to allow these two devices to connect to ANY port - I can configure a MAC restriction on a single port, but I don't know how to make it so that I can allow JUST these two devices to connect to any port in the 4 port switch/VLAN (VLAN 1 is used because the mongrel who set this up was lazy). I know the MAC addresses I want to allow.
How can I do this? I *can* restrict any given port to the two MAC addresses - but if I try to add the MAC addresses to another port, they get removed from the initial one. I need to be able to have them connect to ANY port and work, but allow NOTHING else to work.
For those wondering, this is to counter a user who is utilising company resources for purposes not approved - and costing us quite a bit of money in the process.
I've just been testing QoS on a 3560 with version 15.0(1) and it seems that the default QoS trust behavior on access ports has changed. By default the trust state of a port is not to trust anything; however, rather than rewriting the DSCP value of the incoming packets and setting it to 0, the switch now seems to leave the DSCP value unchanged.
SW04-C3560(config)# do sh mls qos int g0/2
GigabitEthernet0/2
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
[Code]......
I recently installed a couple of Cisco Aironet 3600 Series Wireless Access Points at a remote site. While I was at the site everything seemed OK. The clients were able to get connected to the access points, the guest network worked fine, I could SSH into the access points, and I could ping them. The problem is when I went back to my home site I tried to SSH into the access points through an ASA IPSec VPN Tunnel and it couldn’t find it. When I try to ping the access points they “time out”. I can ping and connect all other addresses (via RDP, HTTP, etc.) on the same subnet, which should rule out an access list problem. A couple of notes to be aware of:
The WAPs have the Autonomous IOS installed (Version 15.2(2)JB).
The WAPs are connected to a Dell PowerConnect 5724 (not by choice. We are a Cisco shop; these were already there and we have plans this year to replace them).
I can ping and SSH with Putty to the WAPs from the local subnet.
I cannot ping or SSH from a remote subnet to the WAPs.
I can access all other IPs and computers from a remote subnet.
I have 2 data centers miles apart. They are on a Paetec MPLS. I have a Lightower point to point Ethernet link between the two data centers as well. At data center A, I have a Paetec managed router (192.168.2.1). The subnets behind that router are 192.168.2.0, 192.168.100.0 and 192.168.101.0. I also have a Cisco 1841 that is configured with fa0 addressed as 192.168.2.250 and fa1 as 10.5.5.1. Fa1 is the one end of the point to point Ethernet link to data center B. At data center B, I have a Paetec managed router (10.0.2.1). The subnets behind that router are 10.0.2.0, 10.0.100.0 and 10.0.101.0. I also have a Cisco 1841 that is configured with fa0 addressed as 10.0.2.250 and fa1 as 10.5.5.2. What I want to happen is any traffic headed from data center A destined for 10.0.100.0 or 10.0.101.0 to be routed through the point to point Ethernet link. I had Paetec add routes in their managed router to route any traffic headed for 10.0.100.0 and 10.0.101.0 to my Cisco 1841 (192.168.2.250). I wanted to do the same for traffic destined for 192.168.100.0 and 192.168.101.0 from data center B. Paetec added the appropriate routes to the router at data center B. Now, if I trace from data center A to 10.0.100.45, I see this:
  1    <1 ms    <1 ms    <1 ms  192.168.2.1
  2    <1 ms    <1 ms    <1 ms  192.168.2.250
  3     4 ms     4 ms     4 ms  10.5.5.2
  4     3 ms     3 ms     3 ms  10.0.2.1
So the routing seems to be ok. However after it hits 10.0.2.1, it gets lost after that. Am I missing something? Is this a misconfiguration on Paetec’s routers?
I have 2 Cisco 1941/K9 VPN routers. I have configured both with the LAN IP addresses given by our VPN provider, which are 172.10.10.1 and 172.10.20.1. Both IP addresses are configured on GigabitEthernet port 0/0 on both routers.
1. Is it possible to configure our own set of IP addresses like 10.71.10.1 and 10.71.50.1 on the GE 0/0 port?
2. Or can we configure our own set of IP addresses (10.71.10.1 and 10.71.50.1) on GigabitEthernet port 0/1 and maintain the other IP addresses on port 0/0?
The first purpose is to have our own set of IP addresses for LAN connection, and I will be able to connect or telnet to whichever IP address or port is up.
Recently I connected a non-Cisco IP phone (from Panasonic) to a Cisco 2960 PoE switch at site A. The PABX system is located at site B. Site A and site B are connected using MetroE point to point. I would like to apply QoS for the voice VLAN. I want to assign 2MB to the point to point connection for the voice VLAN.
We have configured a FEX port as an access port, but the port does not come up because it appears in suspended state. I think the problem is a VLAN mismatch, as appears in the consistency-parameter information, but I have not found where to allow the correct VLAN. The N2Ks are connected to 2 N5Ks, and the 5Ks are connected to 2 N7Ks.
%ETHPORT-3-IF_ERROR_VLANS_SUSPENDED: VLANs 41 on Interface Ethernet101/1/48 are being suspended. (Reason: Vlan is not configured on remote vPC interface) [code]
I recently set up a small photography business and am trying to get a Cisco 877 and Cisco SG300-10 switch to talk to each other.
What I want is for the Cisco 877 to handle the internet and the SG300-10 to handle the local network.
I have set up 2 VLANs in trunk mode on the switch and want vlan2 to manage local traffic and vlan3 to handle the internet.
I have got the 877 connecting to the internet; what I don't have is traffic going to vlan2 on the switch from the 877.
Look at the running configs for the switch and the router and tell me how to get the vlan on the router to pass traffic to the switch. In a nutshell I am inserting the internet into the switch but am not sure how to progress. I have the c870-advipservicesk9 image file on the router.
I have come across this topic, and I am wondering if these images can be uploaded to any 2900 series switches or not, and if this will work as access port for more than vlans. URL...
On a 4500 switch port, defined as access VLAN 10, if the user connects his own DHCP server (instead of the normal PC that should be connected), will it cause issues with my existing network? The existing network is all static IP. In the above case, will the DHCP server start looking out and assign DHCP IPs if a user unknowingly removes his static IP and changes to the obtain IP via DHCP option in the LAN properties?
I have a layer 3 switch, a 3550. I have several VLANs on there just for playing around with. One of the VLANs has a Vonage Linksys box attached to it with a UK number attached. From time to time telemarketers call at 03:00 in the morning; this, as I'm sure you can imagine, is not much fun. The Linksys box gets 192.168.3.3 as its IP. The switch is connected to a non-Cisco router at 192.168.0.1.
interface FastEthernet0/24
 no switchport
 ip address 192.168.0.2 255.255.255.0
I was thinking a time based access list would work best. I have tried several variations but the phone still rings. I have tried access-list 1 deny host 192.168.3.3 permit ..... and more extensive lists but the phone still rings. I have not applied the time-range yet, so that's not the problem. I have applied the list to the VLAN interface and to fa0/24 but it's not working.