cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2361
Views
0
Helpful
9
Replies

SF300 - 08 Need help to create restrictions

ng_jun_fu
Level 1
Level 1

I want to create a network with the following switch SF 300 - 08.

I am not use to GUI.

I am having problems setting the settings.

Currently, i have assigned each port with a vlan 1 to 8 for ports 1 to 8.

How do i do an inter vlan with the GUI? Also, i want to restrict port 7 and 8 to certain ports only. Example:

Port 7 and 8 can read port 5 and 6 but not others?

9 Replies 9

Tom Watts
VIP Alumni
VIP Alumni

Hi Junfu,

The switch has a fully supported CLI. If you're running the 1.0.0.27 firmware, the CLI does not exist. So I'd recommend to first upgrade to at least 1.1.2.0 firmware.

By default, the switch is in layer 2. The switch cannot perform any intervlan routing without a router. If you require the switch to permit intervlan routing, you will need to make the switch in to layer 3 mode. Keep in mind, changing the switch to layer 3 will erase all configuration on the switch.

Here is a document on how to change the switch to layer 3

https://supportforums.cisco.com/docs/DOC-27038

In order to do the restrictions you mention, you need to create an ACE and then bind the ACL to each interface. If the switch remains in layer 2 mode, the ACL can be applied to the uplink interface as all intervlan communication takes place at the router. The ACL is for INGRESS traffic only.

To Create an ACL and ACE go to Access Control -> IPV4-BASED ACL then create the ACL name. Then go to Access Control -> IPV4-BASED ACE and create the rules for the ACL here. The switch does not support per vlan parameters therefore you would have to do so per subnet or by protocols.

Lastly, once your ACL is constructed for the desired port, you need to bind it to the port. Access Control -> ACL Binding

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Thank you very much for your kind support, sorry to ask a very stupid question.

Where do i find the "proper" firmware. for the switch?

I do not want to accidentally download some firmware with an insecure url.

Is it this link below?

http://www.cisco.com/cisco/software/release.html?mdfid=283019670&catid=268438038&softwareid=282463181&release=1.2.7.76&relind=AVAILABLE&rellifecycle=&reltype=latest

Do i need to download the previous versions to update it to the newest firmware or just the latest version would do?

The link you posted is correct. If you upgrade to the 1.2.7.76, I'd recommend to factory reset the switch afterwards. If you choose to use 1.1.2.0 then it wouldn't matter much. The 1.2.7.76 had a massive code change so a lot overlap can happen and previous config files may not interop well on the new code base since the switch XML changed.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Which would you suggest me to use? 1.1.2.0 or 1.2.7.76?

It is always recommended to use the latest released software, the reason being, if you run in to any problems, the first thing you will be asked is to upgrade the firmware.

If you don't have a maintenance window for a while, then I'd recommend to go to the 1.1.2.0 code for the interim until you have a scheduled maintenance where you can erase the switch and manually configure it after an upgrade to the 1.2.7.76

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Alright, i will use the lastest firmware just incase there are any problems or errors which then i could get help easier i guess.

ng_jun_fu
Level 1
Level 1

Ok i have updated the firmware to the latest version 1.2.7.76.

I just want port 7 and 8 to be restricted from outside information, they can only get information from maybe port 2~4 from this switch and not the rest or anything else in the network.

Is this possible to do so for this switch?

Please advice and guide me!!!

To protect the other ports, i can do a mac filter address or ip address right?

Sorry, i am not use to graphic user interface.

I am only use to using hyperterminal by using commands.

I tried it with this switch and it became some kind of user graphic interface style which spook me out.

It has been 4 years since i touched any switches or routers after graduation.

The link below:

https://supportforums.cisco.com/docs/DOC-27038

Is for sx300

My switch is sf300.

Also, the interface is totally different from what indicated from that url.

There is nowhere to input the commands...

just selection of 1 2 3 4 ... etc...

Exactly like the graphic user interface.

Now i am using http 192.168.1.254 to do the settings.

I think this is the way to choose level 2 or level 3.

Go to administrator -> system settings -> choose L2 or L3.

Tell me if i am wrong.

At the moment i have created vlans accordingly:

Port 1 - default vlan 1

Port 2 - vlan 2

Port 3 - vlan 3

Port 4 - vlan 4

Port 5 - vlan 5

Port 6 - vlan 6

Port 7 - vlan 7

Port 8 - vlan 8

Added IPv4

vlan 1 - 192.168.1.10

vlan 2 - 192.168.2.10

vlan 3 - 192.168.3.10

vlan 4 - 192.168.4.10

vlan 5 - 192.168.5.10

vlan 6 - 192.168.6.10

vlan 7 - 192.168.7.10

vlan 8 - 192.168.8.10

What should i do next?

I am not sure about how to set the ACL and Extended ACL

I am not sure about the rest whether if i should do ACL and ACE, please guide.

or are there any other methods or ways?    

Hi Junfu, the link you provided is accurate so I am not sure what you've encountered.

It looks like your switch is in layer 3 since you have multiple SVI. Since the switch is layer 3, this also means the switch can locally communicate between vlan's without going to a different device.

This means an access list can be created. The caveat here is the access list is ingress traffic only. This means all traffic going in to the port will be subject to the ACL but all traffic exiting the port (egress) is not checked.

With your example, port 1 is vlan 1 and port 2 is vlan 2 respectively 192.168.1.10 and 192.168.2.10. If you'd like to prohibit port 1 to going to port 2, an access list example would be like this-

ip access-list extended test

deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip any any

interface fa01

service-acl input test

This will stop all 192.168.1.0 network traffic to communicate to 192.168.2.0 network traffic for all traffic ingress on fast ethernet 1 while the any any statement will allow 192.168.1.0 network to talk to any port on any other subnet.

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

I understand your meaning of the extended list.

ip access-list extended test

deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip any any

interface fa01

service-acl input test

But... i can only do it via graphic user interface using explorer...

I am unable to type those codes in which is giving me a headache.

ok i understand what you mean, i will try it.

hmm... so port 2 can only talk and recieve data from port 3 to 8? (from what i can observe from the extended acl.)

Will it be able to talk to the rest of the network? is there a way to block the port from recieving any data out of this switch.

I would only like the port to talk to certain ports in the same switch, but not "anything" else in the entire network.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Switch products supported in this community
Cisco Business Product Family
  • CBS110
  • CBS220
  • CBS250
  • CBS350
Cisco Switching Product Family
  • 110
  • 200
  • 220
  • 250
  • 300
  • 350
  • 350X
  • 550X