SFE2000 IP Access List is locking up the switch

fritoss007 · ‎09-14-2009

Hi, i'm using brand new 1 X SFE2000, 1 X RV082 as router and 2 X WAP2000 with linksys power injectors in my network. I would like to have 3 VLANs. first one would be a management vlan, second an admin vlan and the last one a customer vlan. management would be used for computer tech to manage the equipment. the admin Vlan would be used for all the employees, the AD win2k8 server will be on this vlan too. the customer vlan would be used only to get to the internet. VLan 1 would speak to 2 and 3, but 2 and 3 would not speak to each other. I will relay the AD DHCP server on the 3 vlan. The switch is on layer 3 protocol.

Here is my problem, as soon as i activate the IP access list, the switch is locking up and the only way i can get it to work is to go back to a previous saved config without IP access list activated. i'm activating IP access list with all access to any vlan...and still the same problem... MAC access list is working perfectly.

i'm having the latest firmware...

any advice would be welcome !

thanks alot !

chrcoope · ‎09-14-2009

Hello,

What is the IP subnet for VLAN 1?

What is the IP subnet for VLAN 2?

What is the IP subnet for VLAN 3?

Tell me how it is your setting up your IP ACL?

What routes have you added to the layer 3 switch?

What IP addresses have you added to the layer 3 switch?

What routes have you added to the RV082?

What IP addresses have you added to the RV082?

Regards,

Christopher

fritoss007 · ‎09-15-2009

What is the IP subnet for VLAN 1?

192.168.1.0~254

What is the IP subnet for VLAN 2?

192.168.2.0~254

What is the IP subnet for VLAN 3?

192.168.3.0~254

Tell me how it is your setting up your IP ACL?

prot. src. add. src. mask dest. add dest. mask action

IP any any any any permit

i opened averything to make some test

What routes have you added to the layer 3 switch?

dest ip pref.lenght next hop route type metric

0.0.0.0 /0 192.168.1.1 remote 1

What IP addresses have you added to the layer 3 switch?

192.168.1.2

192.168.2.2

192.168.3.2

What routes have you added to the RV082?

dest ip mask def. gateway hop count interface

192.168.2.0 255.255.255.0 192.168.2.1 1 LAN

192.168.3.0 255.255.255.0 192.168.2.1 1 LAN

What IP addresses have you added to the RV082?

192.168.1.1

multiple subnet config

192.168.2.0 255.255.255.0

192.168.3.0 255.255.255.0

chrcoope · ‎09-16-2009

My immediate reaction is to change:

prot. src. add. src. mask dest. add dest. mask action

IP any any any any permit

To:

prot. src. add. src. mask dest. add dest. mask action

ANY any any any any permit

I have some reservations as to how the RV082 is deployed but I have to test an alternative in my lab.

What is the firmware version on the SFE2000?

Can you attach a config file for the SFE?

You say the switch locks up, does it continue to pass any traffic on any ports at all or does it just lock you out of the interface?

If you console the switch after applying your ACL with the serial cable, does it still have an IP bound to the management interface?

fritoss007 · ‎09-17-2009

hi christopher,

i'll be at the customer's place by tomorow morning...until tomorow i'll not be able to do any test...

thanks alot !

fritoss007 · ‎09-17-2009

is there a place here i can download a simulator of that switch ?

thanks...

chrcoope · ‎09-18-2009

No simulator that I am aware of. A program called "Packet Tracer" is available to Cisco university students, and that has a small selection of small business devices but not this one.

I will look into your config today. Immediately I notice that the management/native VLAN was changed from 100. From where did you perform this change?

fritoss007 · ‎09-18-2009

I think i did it from the console

thanks alot !

chrcoope · ‎09-18-2009

Did

prot. src. add. src. mask dest. add dest. mask action

ANY any any any any permit

Also cause the switch to lock up?

Did you use the default console, or load an alternate console?

fritoss007 · ‎09-18-2009

I didn't tried "any" anywhere as i was supposed to go at the customer's place today...but i got 1 good news, I will replace their linksys switch for a cisco switch...i mean temporarily...by monday morning. This way the SFE2000 will be at my office and out of production...test will be easier this way !

have a good weekend christopher

i'll be back with news by monday

mbhakkad · ‎10-20-2009

Can you please assist me in order to save config file from web GUI to the desktop.

Thank you.

chrcoope · ‎10-23-2009

That will be similar to this...

If you need something more specific, Just let me know and I will get teh exact screen shot for you. I just happened to have this onhand from today.

Regards,

Christopher

fritoss007 · ‎09-21-2009

Hi christopher,

I finally bring back to switch to my office. I did add the "any" to my acl test rule...but i got an error when i'm binding the ACL to a port...see the attach

thanks !

chrcoope · ‎09-21-2009

Yes, I have seen this error before. Could you attach the current configuration and tell me what it is you ultimately wish to accomplish with your ACL? If so, I can look at the config, and then I should be able to tell you how to implement what you need. You may in fact be better off contacting the SBSC directly and opening a case with us. Then we could WebEx and work this out. The number here is 866.616.1866.

Regards,

Chris

fritoss007 · ‎09-22-2009

Hi christopher,

i used the same config file posted earlier...but i've only added "ANY" in my test ACL and bind it to a port...what i want to do is very simple

VLAN 1 subnet 192.168.1.0/24.....Admin VLAN subnet to acces my network hardware

VLAN 2 subnet 192.168.2.0/24.....Active Directory domain subnet

VLAN 3 subnet 192.168.3.0/24.....it's my guest internet VLAN wich shoul only have acces to internet

VLAN 1 speak to VLAN 2

VLAN 1 speak to VLAN 3

VLAN 2 speak to VLAN 1

VLAN 2 don't speak to VLAN 3

VLAN 3 speak to VLAN 1 only to be routed out to internet

VLAN 3 speak to VLAN 2 only for DHCP relay...dhcp is my active directory Domain Ctrl on VLAN 2

is that what you've asked for ?

thank again !