How do I segment the ports on a SF-300 switch? Want to isolate LAN ports.

mitecsolutions
Level 1

The default gateway and DHCP server is connected to port 1 of the switch. I have various other devices on the network plugged into other ports on the switch.

I want port 1 to communicate with every port on the switch, but don't want the other ports to be able to see each other unless I specifically allow them to.

For example, port 5 should see ports 1 and 7, but nothing else.

Everything needs to be in the same subnet. With the older D-Link switches I am used to, this feature is called "Port Segmentation", but I see no such option in this switch. I have been playing with the VLAN settings but so far I have not been able to achieve this.

Thanks for any suggestions!

Ryan

7 Replies

paolo bevilacqua
Hall of Fame

Wrong forum, post in "Small Business - Switches". You can move your post using the action panel on the right.

Hi Ryan,

Is your SF300 in layer 2 or layer 3 mode? I see you need to have everything in the same subnet, so VLANs probably aren't optimal for this.

What you can do is use access control lists, either by MAC address or IP address, to deny or allow all, or certain specified, traffic across the port. Without knowing more about your network, it is hard to suggest the particular access control lists you should create.

Hope that helps.

Best,

David

Layer 2.

Thanks for your suggestion. The setup is for LAN services, specifically Internet, to tenants in a building.

Cable modem -> Router doing NAT and DHCP --> SF300 Switch Port 1

The switch then connects to every room in the building, where the tenants can either connect their own wifi router or plug directly into the switch.

They will obtain a private IP address in the 192.168.50.x subnet and will only be able to communicate with LAN port 1, which is the router/DHCP server.

I can't use ACLs in this particular scenario. I want any device to obtain a DHCP address regardless of MAC and get connected to the Internet, and not be able to communicate with any other LAN device.

I did have a bit of success by setting Ethernet port 1 to "unprotected" mode and the rest to "protected" mode, which almost did what I want. BUT I need the explicit ability to connect ports together if needed, for example an office has a printer/workstation in one room and a server in another. Well, in that scenario ports 1, 3, and 5 all need to be on their own broadcast domain.

Hi Ryan,

You are correct, the protected port will kind of do what you want, but it's either unprotected or protected; there are no "protection groups", so to speak, that you can create multiple isolation zones with. It doesn't sound like the ACLs will work for you either.

When I read what you're trying to do, the first thing I think of is to put each tenant into their own subnet and VLAN.

It seems, to me at least, the most secure, effective way of accomplishing this. I even started replying with that until I read that you said everything has to be in the same subnet. May I ask, why does everything have to be in the same subnet? What router are you using?

Best,

David

The router is a MikroTik RB450. I like having a single DHCP server/subnet and having all tenants on one subnet because I also use NetFlow Analyzer to visualize who is hogging the bandwidth, and collect other data.

With everybody on the same subnet I can easily see 192.168.50.10 is averaging 2 Mbps over the last 24 hrs and 192.168.50.20 is averaging 20 Mbps, for example.

I'm sure it could all be configured to work across multiple subnets, but for the sake of simplicity, and the fact that I have it all working perfectly fine with this aging D-Link switch, I wish to leave the setup as-is and just replace the switch with a new Cisco.

Here is the switch series and Traffic Segmentation feature I am currently using to accomplish this: http://dlink.com/us/en/business-solutions/support/faqs/switches/web-smart-gigabit/dgs-series/how-do-i-segment-traffic-on-my-network

Hi Ryan,

The SG300 will not support the same thing that the D-Link is currently doing. Unfortunately, that is not how the protected port works in these switches. Your network design does not allow for ACLs or subnetting, though I still feel that would be the most effective way to approach this. Of course, there are easy ways to monitor network traffic across subnets and VLANs. However, giving your issue some thought, there should be a layer 2 way to do this using VLANs:

Your SG300 must be in layer 2 mode. Depending on your router, you may need to add the VLANs for the trunk.

port 1 - trunk mode - router - 1U, 2T, 3T, 4T, etc.

port 2 - trunk mode - management computer (can access all) - 1U, 2T, 3T, 4T, etc.

port 3 - access mode - 2U

port 4 - access mode - 3U

port 5 - access mode - 4U

port 6 - access mode (let's say this is a 2nd port in the apartment where port 5 is) - 4U

and so on. Please note U = untagged, T = tagged, and that the first two are trunk ports and the rest are access ports.

Please give that a try and let me know if you have any success.

Also, remember that the small business support center is available to assist via phone or chat.

Best,

David
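The layout above can be sanity-checked before touching the switch. The following is an added example, not code from the thread or from Cisco: it models the proposed VLAN membership table (port numbers and tenant-to-port mapping are assumed from the reply above) and reports any pair of different tenants that can still exchange frames, or any tenant port that cannot reach the router/management uplinks. It only considers VLAN membership; protected-port settings and the router's handling of the tagged VLANs are out of scope.

```python
# Added example: verify the isolation of a VLAN membership table such as the
# one proposed above. Table is constructed here: port -> {vlan_id: "U" | "T"}.
from itertools import combinations

MEMBERSHIP = {
    1: {1: "U", 2: "T", 3: "T", 4: "T"},  # trunk: router / DHCP server
    2: {1: "U", 2: "T", 3: "T", 4: "T"},  # trunk: management computer
    3: {2: "U"},                          # tenant A
    4: {3: "U"},                          # tenant B
    5: {4: "U"},                          # tenant C, first room
    6: {4: "U"},                          # tenant C, second room (same VLAN)
}
UPLINKS = {1, 2}                           # ports that may reach every tenant
GROUPS = {3: "A", 4: "B", 5: "C", 6: "C"}  # assumed tenant owning each port


def reachable(a, b, membership=MEMBERSHIP):
    """Two ports can exchange Ethernet frames only if they share a VLAN."""
    return a != b and bool(membership[a].keys() & membership[b].keys())


def peers(port, membership=MEMBERSHIP):
    """Every other port that `port` can talk to at layer 2."""
    return sorted(p for p in membership if reachable(port, p, membership))


def isolation_violations(membership=MEMBERSHIP, uplinks=UPLINKS, groups=GROUPS):
    """Return ("leak", a, b) for tenant ports of different tenants that can
    see each other, and ("no-uplink", p) for tenant ports cut off from all
    uplinks (no DHCP, no Internet). An empty list means the design holds."""
    bad = []
    tenants = [p for p in membership if p not in uplinks]
    for a, b in combinations(tenants, 2):
        if groups.get(a) != groups.get(b) and reachable(a, b, membership):
            bad.append(("leak", a, b))
    for p in tenants:
        if not any(reachable(p, u, membership) for u in uplinks):
            bad.append(("no-uplink", p))
    return bad


if __name__ == "__main__":
    for port in MEMBERSHIP:
        print(f"port {port} can reach: {peers(port)}")
    print("violations:", isolation_violations())
```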

Davidwagman1
Level 7

Hi Ryan,

Just wanted to check in and see if this was resolved.

Best,

David

Please rate helpful posts and identify correct answers.
