07-14-2011 12:15 PM
Using a sg300-52 switch I created two VLANs that share a port for access to the internet. All original devices added to the VLANs are functioning correctly so I have to believe the VLANs are set up correctly. I added a new desktop and an old laptop to the VLAN and neither worked. I was able to get the desktop to work by enabling VLAN tagging in the network adapter. The laptop is 5 years old and it does not have any such setting in the network adapter. There are 2 other devices that share the same port with the laptop and they both function properly. My conclusion is that the laptop does not support VLAN tagging. Is there some way to configure the switch to account for this?
Solved! Go to Solution.
07-16-2011 01:36 PM
Hi Thomas,
I am wondering if something as simple as an access-list (or filtering) will do what you want to do. The only problem is that the devices that need limiting have to have fixed IP parameters (or statically defined via DHCP).
Here is an example of an access-list I took from my SF300-48P. Notice that the access-list (ACL) has to be attached to a switch port to monitor or filter packets coming into the switch port from an IP host. In other words, the ACL checks for pattern matches, in the case below on IP addresses, on ingress into the switch port.
Since the new firmware release, version 1.1, we now have the ability to paste into a command line interface (CLI) accessed via telnet, the console or SSH, when the switch is in configuration mode. You can get into configuration mode by typing the command 'config'.
Changes made in the CLI are reflected immediately in the GUI. If you do try the following access list, the last command could be 'write' to save the configuration into the switch's memory.
Note: If you are not confident with the CLI, use the GUI to create the following access lists and ACEs and bind the ACL to a switch port.
In the example below, I set up an access list for two ports, fastethernet1 and gigabitethernet1.
Please note: ACLs use reverse subnet masking, which means that where you would normally specify a specific IP host with the notation
192.168.20.5 255.255.255.255, with reverse masking this has to be defined as 192.168.20.5 0.0.0.0.
As a packet enters a switch port from an IP host, the access-list is inspected from top to bottom; as soon as a match is found the access list is exited. There is normally an implicit deny at the end of an access list; that's why my last statement in both access lists is to permit any source IP going to any destination IP, otherwise the IP host could not get to the WAN router and Internet.
The first IP address shown in the access-list below is the source IP and mask and the second IP address is the destination IP address and mask.
ip access-list extended room200
permit ip 192.168.20.62 0.0.0.0 192.168.20.100 0.0.0.0
permit ip 192.168.20.62 0.0.0.0 192.168.20.63 0.0.0.0
deny ip 192.168.20.62 0.0.0.0 192.168.20.0 0.0.0.255
permit ip any any
exit
The following applies the access list to a switch port
interface fastethernet1
service-acl input room200
exit
ip access-list extended room225
permit ip 192.168.20.63 0.0.0.0 192.168.20.100 0.0.0.0
permit ip 192.168.20.63 0.0.0.0 192.168.20.62 0.0.0.0
deny ip 192.168.20.63 0.0.0.0 192.168.20.0 0.0.0.255
permit ip any any
exit
The following applies the access list to a switch port
interface gigabitethernet1
service-acl input room225
exit
That's the easiest way to control access in that VLAN, and the filter will work at wire speed.
Regards, Dave
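As an added illustration (not code from the thread, from Cisco, or from the SG300 firmware), here is a small Python model of how the switch walks the room200 ACL above: wildcard (reverse) masks, top-to-bottom first match, and the implicit deny when no entry matches. It lets you check what a given source/destination pair resolves to before binding the ACL to a port. The ACL lines are the ones pasted above; the extra test addresses (192.168.20.50, 192.168.20.70, 203.0.113.10) are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "any" or "<address> <wildcard>"
    dst: str

def wildcard_match(addr, spec):
    # Reverse (wildcard) mask: a 0 bit means "must match", a 1 bit means
    # "don't care", so 0.0.0.0 pins one host and 0.0.0.255 covers a /24.
    if spec == "any":
        return True
    base, wild = spec.split()
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_acl(text):
    # Parses "permit|deny ip <src> <dst>" lines as pasted in the thread.
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, rest = tokens[0], tokens[2:]   # skip the "ip" keyword
        fields = []
        while rest:                            # "any" is 1 token, addr+mask is 2
            n = 1 if rest[0] == "any" else 2
            fields.append(" ".join(rest[:n]))
            rest = rest[n:]
        acl.append(Ace(action, *fields))
    return acl

def evaluate(acl, src, dst):
    # Top to bottom, first match wins; no match falls to the implicit deny.
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"

# The room200 ACL from the thread, bound on ingress of the port behind which .62 sits
ROOM200 = parse_acl("""
permit ip 192.168.20.62 0.0.0.0 192.168.20.100 0.0.0.0
permit ip 192.168.20.62 0.0.0.0 192.168.20.63 0.0.0.0
deny ip 192.168.20.62 0.0.0.0 192.168.20.0 0.0.0.255
permit ip any any
""")
if __name__ == "__main__":
    for dst in ("192.168.20.100", "192.168.20.63", "192.168.20.50", "203.0.113.10"):
        print(dst, evaluate(ROOM200, "192.168.20.62", dst))
```

Note that the deny entry only matches packets sourced from .62, so a host on the same port that changes its IP (constructed example: .70) is no longer filtered; this is the "fixed IP parameters" caveat from the reply.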
07-14-2011 09:26 PM
Hi Thomas,
You said "Using a sg300-52 switch I created two VLANs that share a port for access to the internet"
Does this mean you added two new VLANs to a single port, or is this single port an uplink back to a VLAN-aware router?
You said "I added a new desktop and an old laptop to the VLAN and neither worked. I was able to get the desktop to work by enabling VLAN tagging in the network adapter."
OK, I think I get it, even though it would be most useful to see the saved configuration file that explains the switch setup. I am making a few assumptions because I cannot see how you configured the switch.
You created two VLANs and then added these new VLANs to a port. The switch port by default is in Trunk mode, which allows for ;
So I am guessing that the port already was a member of the default VLAN, VID=1, but also this port is a tagged member of the two new VLANs. Hence your tagging the desktop allowed the PC to be added to the new VLAN.
The bottom line is, what are you trying to achieve with your network?
Are you trying to allow all or certain PCs to access the internet without talking to each other?
Is there a potential network diagram (drawn in MS Paint is fine) that may explain what you are trying to achieve?
Thomas, personally I am a wee bit confused to understand what you really want.
Dave
07-15-2011 05:59 AM
Dave, Thank you for the response. What I am trying to do is partition two ports (1,25) of the router so that the devices on those two ports can communicate with each other and not the rest of the ports. I need all the ports to have access to port 51 so that they can reach the internet. All devices on all ports are in the same IP range. I have attached a map and the cfg file. These settings work well for me except for this one particular laptop.
Config file:
vlan database
vlan 2
exit
interface range gi1,gi25
switchport default-vlan tagged
exit
mac address-table static 00:00:aa:ba:49:aa vlan 2 interface gigabitethernet1
voice vlan state disabled
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface gigabitethernet1
lldp med disable
exit
interface gigabitethernet2
lldp med disable
exit
interface gigabitethernet3
lldp med disable
exit
interface gigabitethernet4
lldp med disable
exit
interface gigabitethernet5
lldp med disable
exit
interface gigabitethernet6
lldp med disable
exit
interface gigabitethernet7
lldp med disable
exit
interface gigabitethernet8
lldp med disable
exit
interface gigabitethernet9
lldp med disable
exit
interface gigabitethernet10
lldp med disable
exit
interface gigabitethernet11
lldp med disable
exit
interface gigabitethernet12
lldp med disable
exit
interface gigabitethernet13
lldp med disable
exit
interface gigabitethernet14
lldp med disable
exit
interface gigabitethernet15
lldp med disable
exit
interface gigabitethernet16
lldp med disable
exit
interface gigabitethernet17
lldp med disable
exit
interface gigabitethernet18
lldp med disable
exit
interface gigabitethernet19
lldp med disable
exit
interface gigabitethernet20
lldp med disable
exit
interface gigabitethernet21
lldp med disable
exit
interface gigabitethernet22
lldp med disable
exit
interface gigabitethernet23
lldp med disable
exit
interface gigabitethernet24
lldp med disable
exit
interface gigabitethernet25
lldp med disable
exit
interface gigabitethernet26
lldp med disable
exit
interface gigabitethernet27
lldp med disable
exit
interface gigabitethernet28
lldp med disable
exit
interface gigabitethernet29
lldp med disable
exit
interface gigabitethernet30
lldp med disable
exit
interface gigabitethernet31
lldp med disable
exit
interface gigabitethernet32
lldp med disable
exit
interface gigabitethernet33
lldp med disable
exit
interface gigabitethernet34
lldp med disable
exit
interface gigabitethernet35
lldp med disable
exit
interface gigabitethernet36
lldp med disable
exit
interface gigabitethernet37
lldp med disable
exit
interface gigabitethernet38
lldp med disable
exit
interface gigabitethernet39
lldp med disable
exit
interface gigabitethernet40
lldp med disable
exit
interface gigabitethernet41
lldp med disable
exit
interface gigabitethernet42
lldp med disable
exit
interface gigabitethernet43
lldp med disable
exit
interface gigabitethernet44
lldp med disable
exit
interface gigabitethernet45
lldp med disable
exit
interface gigabitethernet46
lldp med disable
exit
interface gigabitethernet47
lldp med disable
exit
interface gigabitethernet48
lldp med disable
exit
interface gigabitethernet49
lldp med disable
exit
interface gigabitethernet50
lldp med disable
exit
interface gigabitethernet51
lldp med disable
exit
interface gigabitethernet52
lldp med disable
exit
interface vlan 1
ip address 192.168.20.43 255.255.255.0
exit
ip default-gateway 192.168.20.1
interface vlan 1
no ip address dhcp
exit
hostname Cisco-SG300-52
no passwords complexity not-current
passwords aging 0
username admin password encrypted 44a61231328af9b88a73993ec7525718f49af951 privilege 15
username administrator password encrypted 44a61231328af9b88a73993ec7525718f49af951 privilege 15
username cisco password encrypted 44a61231328af9b88a73993ec7525718f49af951 privilege 15
no snmp-server server
snmp-server location Hauppauge
snmp-server contact "IT Manager"
clock timezone " " -5
clock summer-time web recurring usa
clock source sntp
ip name-server 167.206.7.4 167.206.112.138 192.168.20.34
banner login
Cisco SG300 52 port switch
interface gigabitethernet1
switchport mode general
switchport general allowed vlan add 2 untagged
switchport general pvid 2
exit
interface gigabitethernet25
switchport mode general
switchport general allowed vlan add 2 untagged
switchport general pvid 2
exit
interface gigabitethernet51
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface vlan 2
name MDI
exit
07-18-2011 05:21 AM
Dave,
I am out of the office for the next two weeks so I will not be able to try this. I will do so as soon as I get back. Thanks again.
Regards, Tom
07-18-2011 07:36 AM
Tom,
Please alter those ports;
It could be easier just to reset the switch to factory defaults and just implement the filters or access-lists I pasted in my earlier reply.
Regards, Dave
08-08-2011 10:38 AM
Dave,
Thanks, the Access list did the trick.
- Tom