The default Gateway and DHCP server is connected to port 1 of the switch. I have various other devices on the network plugged into other ports on the switch.
I want port 1 to communicate with every port on the switch, but don't want the other ports to be able to see each other unless I specifically allow them to.
For example, port 5 should see port 1, and 7, but nothing else.
Everything needs to be in the same subnet. With the older Dlink switches I am used to, this feature is called "Port Segmentation", but I see no such option in this switch. I have been playing with the VLAN settings but so far I have not been able to achieve this.
Thanks for any suggestions!
Wrong forum, post in "small business -switches". You can move your post using the action panel on the right.
Is your SF300 in layer 2 or layer 3 mode? I see you need to have everything in the same subnet, so vlans probably aren't optimal for this.
What you can do is use access control lists, and either by mac address or ip address, to deny or allow all, or certain specified traffic, across the port. Without knowing more about your network, it is hard to suggest the particular access control lists you should create.
Hope that helps.
Thanks for your suggestion. The setup is for LAN services, specifically Internet, to tenants in a building.
Cable modem -> Router doing NAT and DHCP --> SF300 Switch Port 1
The switch then connects to every room in the building, where the tenants can either connect their own wifi router or plug directly into the switch.
They will obtain a private IP address in the 192.168.50.x subnet and will only be able to communicate with LAN port 1, which is the router/dhcp server.
I can't use ACL in this particular scenario. I want any device to obtain a DHCP address regardless of MAC and get connected to the internet, and not be able to communicate with any other LAN device.
I did have a bit of success by setting ethernet port 1 to "unprotected" mode and the rest to "protected" mode, which almost did what I want. BUT I need the explicit ability to connect ports together if needed, for example an office has a printer/workstation in one room and a server in another. Well in that scenario ports 1, 3, and 5 all need to be on their own broadcast domain.
You are correct, the protected port will kind of do what you want - but it's either unprotected or protected - there are no "protection groups", so to speak, that you can create multiple isolation zones with. It doesn't sound like the ACLs will work for you either.
When I read what you're trying to do, the first thing I think of is to put each tenant into their own subnet and vlan.
It seems, to me at least, the most secure, effective way of accomplishing this. I even started replying with that until I read that you said everything has to be in the same subnet. May I ask, why does everything have to be in the same subnet? What router are you using?
The router is a Mikrotik RB450. I like having a single DHCP server/subnet and having all tenants on one subnet because I also use Netflow Analyzer to visualize who is hogging the bandwidth, and collect other data.
With everybody on the same subnet I can easily see 192.168.50.10 is averaging 2 Mbps over the last 24 hrs and 192.168.50.20 is averaging 20 Mbps, for example.
I'm sure it could all be configured to work across multiple subnets, but for the sake of simplicity, and the fact that I have it all working perfectly fine with this aging Dlink switch, I wish to leave the setup as-is and just replace the switch with a new Cisco.
Here is the switch series and Traffic Segmentation feature I am currently using to accomplish this: http://dlink.com/us/en/business-solutions/support/faqs/switches/web-smart-gigabit/dgs-series/how-do-i-segment-traffic-on-my-network
The SG300 will not support the same thing that the DLink is currently doing. Unfortunately, that is not how the protected port works in these switches. Your network design does not allow for ACLs or subnetting, though I still feel that would be the most effective way to approach this. Of course, there are easy ways to monitor network traffic across subnets and vlans. However, giving your issue some thought, there should be a layer 2 way to do this using vlans:
Your SG300 must be in layer 2 mode. Depending on your router, you may need to add the VLANs for the trunk.
port 1 - trunk mode - router - 1U, 2T, 3T, 4T, etc.
port 2 - trunk mode - management computer (can access all) - 1U, 2T, 3T, 4T, etc.
port 3 - access mode - 2U
port 4 - access mode - 3U
port 5 - access mode - 4U
port 6 - access mode (let's say this is a 2nd port in the apt where port 5 is) - 4U
and so on. Please note U = untagged, T = tagged, and that the first two are trunk ports and the rest are access ports.
Please give that a try and let me know if you have any success.
Also, remember that the small business support center is available to assist via phone or chat.
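The port plan above written out as switch CLI, as an added example that is not part of the original thread or of Cisco's documentation. It assumes an SG300-series switch in layer 2 mode with gigabitethernet port names (an SF300 names its ports fastethernet), that VLAN 1 stays the default untagged VLAN, and that VLANs 2 to 4 are the per-tenant VLANs; the port-to-VLAN mapping follows the reply exactly, including ports 5 and 6 sharing VLAN 4 for a tenant with two rooms.

```cisco
! Assumed: SG300 in layer 2 mode, VLAN 1 left as the default, tenants in VLANs 2-4.
configure terminal
vlan database
 vlan 2-4
exit
! Port 1: router uplink. Trunk = VLAN 1 untagged (native) plus VLANs 2-4 tagged (1U, 2T, 3T, 4T).
interface gigabitethernet1
 switchport mode trunk
 switchport trunk allowed vlan add 2-4
exit
! Port 2: management computer, same membership as the router port so it can reach every tenant.
interface gigabitethernet2
 switchport mode trunk
 switchport trunk allowed vlan add 2-4
exit
! Port 3: one tenant, untagged in VLAN 2 only (2U).
interface gigabitethernet3
 switchport mode access
 switchport access vlan 2
exit
! Port 4: another tenant, untagged in VLAN 3 only (3U).
interface gigabitethernet4
 switchport mode access
 switchport access vlan 3
exit
! Ports 5 and 6: two rooms belonging to the same tenant, both untagged in VLAN 4 (4U).
! They share a broadcast domain with each other, but never with ports 3 or 4.
interface gigabitethernet5
 switchport mode access
 switchport access vlan 4
exit
interface gigabitethernet6
 switchport mode access
 switchport access vlan 4
exit
end
! Check the result: each tenant VLAN should list only its own access port(s) plus gi1 and gi2.
show vlan
! Save once the membership table looks right.
copy running-config startup-config
```

The isolation comes from membership alone: two tenant ports never share a VLAN, so the switch will not forward frames between them, while every tenant VLAN is carried tagged to the router on port 1. For the single 192.168.50.x subnet and one DHCP scope to keep working, the router's port must accept the tagged VLANs 2 to 4 as the reply notes; adding a tenant is then one new VLAN number plus its access port(s), and giving one tenant a second room is just putting that port in the same VLAN, as ports 5 and 6 show.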
Just wanted to check in and see if this was resolved.
Please rate helpful posts and identify correct answers.