cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2066
Views
0
Helpful
10
Replies

Need help with configuring a particular setting on SF300-08

mdavisbbc
Level 1
Level 1

I work for a small business and we have a couple computers that we want to share a ethernet enabled copier/printer with, but for security reasons want to block those computers from internet access.  How would one go about allowing that?

Thanks in advance,

Mark Davis

10 Replies 10

johuggin
Level 1
Level 1

Hey Mark,

Before I get give you too many options, are the computers and the printer/copier on the same VLAN? Are they local to the same SF300-08 switch?

Also, do these computers need access to any other resources on your network other than the copier/printer? This will help me better understand your requirement.

Thanks!

Joey

Yes they are currently on the same VLAN, should they be configured separately?  By local to the same switch I'm assuming you mean directly connected, if so, then yes.  As of now there are no other resources to connect to.  It may be possible in the future that there might be a networked server for backup etc.  But for now no.

Thanks,

Mark

Mark,

Thanks for the information.

Edit: See the reply below for best-practices. This would be my recommendation if at all possible.

For a quick fix, you may be able to use a IPv4-Based ACL to block all IP-based traffic from the computers on the switch. This should not block ARPs from the computers to the copier/printer, or local layer-2 traffic.

The only catch is you need to know the device's IP addresses.

Using the Switch Configuraton Utility (GUI):

- Navigate to Access-Control > IPv4-Based ACL. Click Add to create a new ACL. This adds the base ACL.

- Select your new ACL using the drop-down and click Go. To add rules to the ACL, click Add.

ex

1)

Priority: 1

Action: Deny

Source:

Destination: any

etc for each host..

Again, you need to know each computer's IP address for this to work. They should be able to send traffic locally to the printer/copier but shouldn't have any other access.

Hello Mark,

While it is possible to setup ACL's on the switch to perform the action you desire, I is not best practice to do so. The best parctice for the solution you are looking for is to set ACLs or controls on the Edge device router/firewall blocking the IP or mac address of those computer from getting to the internet. The other solution is to just not program a default gateway on those computers then restrict user rights to the computer, so the user just can't add one.

If you are still requiring the switch to perform the function I would recommend calling into the support number 1-866-606-1866 so we can get the mac addresses of the computers and go through creating the ACL and ACE's for the rules needed.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Randy,

What do you mean by set "ACLs or controls on the Edge"? Where is that configuration available?

Thanks,

Mark

Generaly there is a router, firewall, or some kind of edge device connecting your internal network to the internet. This device can have rules or Access Control Lists (ACL's) created on it to prevent or allow traffic. Do you have a router or firewall on your network?

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Yes, I do have a router.  There are settings internally that allow or disallow service.

Randy,

Allow me to explain my setup and then if possible can you give specific instructions on how to configure the switch to accomplish my desired outcome?

We have a small office (5 copmuters total).  We just recently purchased a new photocopier that has network print capabilities and so we are going to be using a hardwires network to print.  Up to this point all networking, printing, etc has been accomplished wirelessly.  This new copier/printer doesn't support wireless because the color information is too vital to be transmitted wirelessly.  (This is what I was told by the copier salesman.)  That said, we are running cable tomorrow and all the computers will be hardwired to the router.  I purchased a SF300-08 switch because I need to manage a couple situations, but have no idea how to acoomplish this task.

All the computers on the network need access to the printer, but there is one computer that we do not connect to the internet for security reasons.  (Not my idea, the bosses.)  That said, I need that computer to be able to connect to the network to print, but not have any accessiblity to the internet.  Additionally, we also want to keep our wireless router too.  As a matter of fact the modem that AT&T provided has the wireless router built into it (it's a Netopia modem/router).

Any help and/or advice would be helpful.  I only know enough about networking, ect to get myself into some trouble.  Any expertise you could supply would be immensely appreciated.

Thanks,

Mark

Hello Mark,

I can't support the netopia router/modem, but I would think there should be an admin guide for the configuration. If it is a modem/router and you said there is rules for allowing or blocking services, which sounds like access list you should be able to create a rule for the client you want to block on the modem/router to prevent it from talking to the internet.

If you want to insure no outside security threats can make it to the computer staticly assign an IP address but don't give it a default gateway address. The client will not be able to talk to any other network but its own. It sounds like you only have one vlan or a flat network so this should work, but if you need to be able to have this computer in the future talk to other networks internally then it isn't a viable solution. Blocking at the modem/router would be the only solution.

The SG300-08 Switch you could setup an ACL to block that client from talking to the modem/router, but the potential for causing valid traffic from being blocked in your own network grows.

To create this rule you would first

go to Access Control

Create a MAC Base ACL (give it a meaning full name)

Create 2 a MAC BASE ACE

  • Rule 1
    • Priority 10
    • Action Deny
    • Destination Any
    • Source User Defined
      • MAC address of client wanting to be blocked
    • Apply
  • Rule 2
    • Priority 20
    • Action Permit
    • Destination Any
    • Source Any
    • Apply

Bind the ACL to a port

Make sure to only bind the ACL to the port that connects to the router/modem.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Randy,

I tried your suggestion of using the ACL on the modem/router.  The only configuration available is MAC adress filtering.  When I put in the mac address and told it to not allow access, that computer still had internet access.  I'm confused!

Any suggestions why this would be the case?

Thanks,

Mark