cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1799
Views
5
Helpful
6
Replies

SG300-20 configure 1 ip pr port

Thomas_Madsen
Level 1
Level 1

We got 1 customer that would like us to configure a system based on SG300-20 linked up with an SG300-10SFP using trafficshaping ingress and egress limited to 40mbit.

This part of the case is solved using ingress/egress 40960 with an burtlimit a bith higher.

But he also wants each firewall configured on the net to only be able to have 1 ip on that spesific port.

this is an owner of a building that rents out to other companies. Each comapny is assinged a port on the SG300-20 and has theire own ip  (ie 100.100.12.34)  all of them are part of a /26 net and would use the same Gateway.

Is this possible ? 

that the company assigned to ie port 14 in switch 1 only can use 100.100.12.34/26 gw 100.100.12.1 and if they change to 100.100.12.36 it will not work.  This to prevent the endusers from changing and fu...g up the net for the rest :-)

and on port 16 on switch 1 they can only use 100.100.12.36/26 with gw 100.100.12.1

thnsk for any input

switches are in layer2 mode , but nothing is in production yet so i can change ot layer3 if thats what it takes.

regard

Thomas                 

6 Replies 6

Tom Watts
VIP Alumni
VIP Alumni

Hi Thomas, you can enable dynamic ARP inspection, make the port UNTRUSTED then make a MAC to IP binding for the desired addresses you want to connect in to the port. Then for the uplink, make it a trusted port to allow all ingress connection there.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Will i have to configure this on all 5 boxes or just the SG300-20 boxes ?

the 300-10SFP will only be for uplinking and connecting the different 300-20.

do i also enable the arp pacekt validation ?

I'm mostly using gui :-)  Just stareted to figure out i got to learn some more CLI :-)

If i got this right i do as following

security -> ARP inspection and check the "enable" ARP Inspections status"

In interface settings i check all to trusted interface = No for port 1-18 while port 19-10 is trusted interface=Yes

In Arp Access Control i enter the MAC address for the endusers firewall and the 1 ip address it should have ie 100.100.12.34

that should do it ??

Hi Thomas, your concept sounds correct.

This is how this works

Assuming your topology is this-

Internet -> Router -> Core switch (no client/customer) -> Access switch -> Client/customer

For argument sake, your uplink from access switch is port 18 which connects to port 18 of the core switch

Problem statement-

On access switch, your desire is to have a client or customer connect to the switch using a specific MAC address and IP address and no other

Possible solutions-

Dynamic ARP inspections statically MAPS and IP address to a MAC address, any connection using the same MAC but different IP will be dropped and any connection using the same IP but different MAC will be dropped

Create an access list to permit only the desire IP address on the INGRESS port and block any other traffic to that port

Solution work flow-

Enable dynamic ARP inspection

Security -> ARP inspection -> Properties -> Enable

Enable trusted interfaces - These interfaces will allow any traffic and not subject to your inspection list. Untrusted is subject to the inspect list

Security -> ARP Inspection -> Interface Settings -> Edit interfaces as desired

Build your inspection table

Security -> ARP inspection -> ARP access control -> Add ->

-Control name is an arbitrary value, it is a description

-IP address is the IP you want in the database

-MAC address is the binding to the IP address for the switch to look up in the data

If DAI is too stringent for you, you may create an access list as an alternative solution

Access Control -> IPV4 based ACL -> Add

-ACL Name is what you want to call it, a description -> Apply

Next define the access list by going to IPV4 ACE bu click IPV4-based ACE -> Add

-Priority is an ordering system, you should structure your rules in an order for the switch to look up the rules

-Action permit or deny, in your case you want to permit

-Protocol will be IP (all traffic)

-Source IP address will be your host connection 100.100.12.34

-Wildcard mask will be 0.0.0.0  (this is a single host wild card)

-Destination will be Any

Click apply

Once the access list is built, it then gets bound to an interface. The interface must be the interface where the traffic goes to and not leaving

Access Control -> ACL Binding (port)

-Check box for the port your customer/client connects

-Interface is where the customer/client connects to the switch

-Check box for Select IPV4-Based ACL

-Default action is Deny Any

-Apply

With this completed correctly, only your IP for all traffic will connect to that port and any other IP will not be allowed, will discard if connection through that same port.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

I had a misstype in my previous post, should been 19-20 as trusted. Thoose are the ports that gone get minigbic :-)

i gone have a try at this on monday, the most important is that if i try to connect some other device using another ip it wont interfer with the guy using that because it wont be let in on that port.

It might be that i have to use the ACL by the way you explain here it looks like the correct solution :-)

If i got it correct i have to create 60 different ACL lists, 1 from each ip and the when all are made i have to bind them to the correct port.

so if i am to use 4 switches i create the number of connections to each of them and then bind them to the port the users are connected on.

Will the priority have any featuere here ? since they all are the "same" ??

Hi Thomas, all traffic will be equal unless you make another access list to give priorities OR the connected host is sending tag packet then the PCP in the packet will determine traffic priority.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

If i got the aCL bit correct wouldnt that just deny traffic on the port, but will it also stop the guy on switch 3 port 20 from settings ie ip 100.100.12.34 and not 100.100.12.33 that he should use and then create a ip crash with the guy actually using 100.100.12.34. ??

This is how i would like the net to be :-)   would it work to use VLAN ??

Vlan5: 100.100.12.5\26- tag på GE1

Vlan6: 100.100.12.6\26 - tag på GE2

Vlan7: 100.100.12.7\26- tag på GE3

Vlan8: 100.100.12.8\26- tag på GE4

Vlan23: 100.100.12.23\26- tag på GE3 on switch 3

Vlan34: 100.100.12.34\26- tag på GE3 on switch 4

The internet/router is GW where 0.0.0.0/0.0.0.0 100.100.12.1 will be

kvakkestad.jpg