11-09-2015 03:32 AM
Hi all.
What I'm trying to do is get basic filtering on an SG300 that is configured in router mode.
config-file-header
sg300-csw01-nya
v1.4.1.3 / R800_NIK_1_4_194_194
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
no cdp run
spanning-tree priority 4096
port jumbo-frame
lacp system-priority 10
vlan database
vlan 10,20,30,40,50,60
exit
voice vlan state disabled
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
port-channel load-balance src-dst-mac-ip
no lldp run
loopback-detection enable
ip dhcp relay address 172.16.40.203
ip dhcp relay enable
no boot host auto-config
no boot host auto-update
no bonjour enable
ip access-list extended ac-wfnw
permit udp 172.16.50.0 0.0.0.255 any 172.16.40.203 0.0.0.0 domain ace-priority 10
permit tcp 172.16.50.0 0.0.0.255 any 172.16.40.203 0.0.0.0 domain ace-priority 20
deny ip any 172.16.20.0 0.0.0.255 ace-priority 1000
deny ip any 172.16.40.0 0.0.0.255 ace-priority 1010
deny ip any 172.16.60.0 0.0.0.255 ace-priority 1020
permit ip any any ace-priority 2000
exit
ip access-list extended ac-canw
permit ip 172.16.60.51 0.0.0.0 172.16.20.0 0.0.0.255 ace-priority 10
deny ip any 172.16.20.0 0.0.0.255 ace-priority 1000
deny ip any 172.16.50.0 0.0.0.255 ace-priority 1010
permit ip any any ace-priority 2000
exit
hostname sg300-csw01-nya
encrypted radius-server host radius.corp.sibekotech.ru key ---
radius-server host source-interface vlan 20
aaa authentication login default radius local
no passwords complexity enable
passwords aging 0
username cisco password encrypted --- privilege 15
username zanswer password encrypted --- privilege 15
ip ssh server
ip ssh password-auth
snmp-server server
snmp-server engineID local 800000090308d09f71612a
snmp-server view noc iso included
snmp-server view noc ifName.3000 excluded
snmp-server view noc ifName.7000 excluded
snmp-server view noc ifName.20000 excluded
snmp-server view noc ifName.100000 excluded
snmp-server view noc ifName.100009 excluded
snmp-server view noc ifName.100019 excluded
snmp-server view noc ifName.100029 excluded
snmp-server view noc ifName.100039 excluded
snmp-server view noc ifName.100049 excluded
snmp-server view noc ifName.100059 excluded
snmp-server group noc v3 priv read noc
encrypted snmp-server user noc noc v3 auth sha --- priv ---
no ip http server
no ip http secure-server
clock timezone YEKT +5
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server ntp.corp.sibekotech.ru poll
sntp source-interface vlan 20
ip domain name corp.sibekotech.ru
ip name-server 172.16.40.203
!
interface vlan 1
no ipv6 address autoconfig
no ipv6 enable
shutdown
!
interface vlan 10
name vl-blhl
!
interface vlan 20
name vl-mgmt
ip address 172.16.20.254 255.255.255.0
!
interface vlan 30
name vl-ronw
ip address 172.16.30.253 255.255.255.252
!
interface vlan 40
name vl-srnw
ip address 172.16.40.254 255.255.255.0
!
interface vlan 50
name vl-wfnw
ip address 172.16.50.254 255.255.255.0
ip dhcp relay enable
service-acl input ac-wfnw
!
interface vlan 60
name vl-canw
ip address 172.16.60.254 255.255.255.0
service-acl input ac-canw
!
interface gigabitethernet1
loopback-detection enable
shutdown
description not-conf
spanning-tree link-type point-to-point
spanning-tree guard root
switchport mode access
switchport access vlan 10
!
interface gigabitethernet2
loopback-detection enable
shutdown
description not-conf
spanning-tree link-type point-to-point
spanning-tree guard root
switchport mode access
switchport access vlan 10
!
interface gigabitethernet3
loopback-detection enable
shutdown
description not-conf
spanning-tree link-type point-to-point
spanning-tree guard root
switchport mode access
switchport access vlan 10
!
interface gigabitethernet4
loopback-detection enable
shutdown
description not-conf
spanning-tree link-type point-to-point
spanning-tree guard root
switchport mode access
switchport access vlan 10
!
interface gigabitethernet5
loopback-detection enable
shutdown
description not-conf
spanning-tree link-type point-to-point
spanning-tree guard root
switchport mode access
switchport access vlan 10
!
interface gigabitethernet6
loopback-detection enable
description crt01-ge01
spanning-tree portfast
spanning-tree link-type point-to-point
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 30
!
interface gigabitethernet7
loopback-detection enable
shutdown
description srv01-eth1
lacp port-priority 10
spanning-tree link-type point-to-point
spanning-tree guard root
channel-group 2 mode auto
switchport mode access
!
interface gigabitethernet8
loopback-detection enable
shutdown
description srv01-eth2
lacp port-priority 10
spanning-tree link-type point-to-point
spanning-tree guard root
channel-group 2 mode auto
switchport mode access
!
interface gigabitethernet9
loopback-detection enable
shutdown
description asw01-gi01
lacp port-priority 10
spanning-tree link-type point-to-point
spanning-tree guard root
channel-group 1 mode auto
switchport mode access
!
interface gigabitethernet10
loopback-detection enable
shutdown
description asw01-gi02
lacp port-priority 10
spanning-tree link-type point-to-point
spanning-tree guard root
channel-group 1 mode auto
switchport mode access
!
interface Port-channel1
speed 1000
loopback-detection enable
description asw01-po1
spanning-tree link-type point-to-point
spanning-tree guard root
switchport trunk allowed vlan add 20,40,50,60
switchport trunk native vlan 10
!
interface Port-channel2
speed 1000
loopback-detection enable
description srv01-bond0
spanning-tree portfast
spanning-tree link-type point-to-point
spanning-tree bpduguard enable
switchport trunk allowed vlan add 40
switchport trunk native vlan 10
!
interface Tunnel 1
shutdown
!
exit
ip default-gateway 172.16.30.254
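To check what the two ACLs above actually pass before relying on them, here is an added example (not code from the original post): a small Python first-match evaluator with ac-wfnw and ac-canw transcribed from the config and a few constructed sample flows. It assumes the SG300 walks ACEs in ascending ace-priority order and that the "any" after the source network in the udp/tcp ACEs is the source port.

```python
# Added example, not code from the original post: a first-match evaluator for the
# ac-wfnw / ac-canw ACLs in the config above, to check what they actually pass.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask semantics: 0 bits must match, 1 bits are don't-care."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)

ANY = ("0.0.0.0", "255.255.255.255")
# ACE = (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port, ace_priority)
# Transcribed from the post; in the udp/tcp ACEs the "any" after the source network is the source port, "domain" is dst port 53.
AC_WFNW = [
    ("permit", "udp", "172.16.50.0", "0.0.0.255", "172.16.40.203", "0.0.0.0", 53, 10),
    ("permit", "tcp", "172.16.50.0", "0.0.0.255", "172.16.40.203", "0.0.0.0", 53, 20),
    ("deny", "ip", *ANY, "172.16.20.0", "0.0.0.255", None, 1000),
    ("deny", "ip", *ANY, "172.16.40.0", "0.0.0.255", None, 1010),
    ("deny", "ip", *ANY, "172.16.60.0", "0.0.0.255", None, 1020),
    ("permit", "ip", *ANY, *ANY, None, 2000),
]
AC_CANW = [
    ("permit", "ip", "172.16.60.51", "0.0.0.0", "172.16.20.0", "0.0.0.255", None, 10),
    ("deny", "ip", *ANY, "172.16.20.0", "0.0.0.255", None, 1000),
    ("deny", "ip", *ANY, "172.16.50.0", "0.0.0.255", None, 1010),
    ("permit", "ip", *ANY, *ANY, None, 2000),
]

def evaluate(acl, proto, src, dst, dst_port=None):
    """Return "permit"/"deny" from the first matching ACE in ascending ace-priority order (assumed SG300 behaviour)."""
    for action, p, s, s_wc, d, d_wc, port, _prio in sorted(acl, key=lambda e: e[7]):
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc)):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"  # implicit deny; not reached here, both ACLs end in permit ip any any

if __name__ == "__main__":
    # Constructed sample flows: a Wi-Fi client on VLAN 50 and two cameras on VLAN 60
    for acl, name, flow in [
        (AC_WFNW, "ac-wfnw", ("udp", "172.16.50.17", "172.16.40.203", 53)),
        (AC_WFNW, "ac-wfnw", ("tcp", "172.16.50.17", "172.16.40.203", 443)),
        (AC_WFNW, "ac-wfnw", ("tcp", "172.16.50.17", "198.51.100.10", 443)),
        (AC_CANW, "ac-canw", ("tcp", "172.16.60.51", "172.16.20.10", 22)),
        (AC_CANW, "ac-canw", ("tcp", "172.16.60.52", "172.16.20.10", 22)),
    ]:
        print(name, flow, "->", evaluate(acl, *flow))
```

Note that ac-wfnw lets VLAN 50 clients reach only DNS on 172.16.40.203 and anything outside the listed internal networks, while ac-canw lets only the single host 172.16.60.51 into the management VLAN.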
11-10-2015 07:45 PM
I did some research today and found some interesting things. First, you can't mirror a Port-Channel or a port in it; second, the ACL starts to work if I remove one of the ports from the Port-Channel, and it keeps working even if I add them back after that.