SFE2000 IP Access List is locking up the switch

fritoss007
Level 1

Hi, I'm using a brand new 1 x SFE2000, 1 x RV082 as router and 2 x WAP2000 with Linksys power injectors in my network. I would like to have 3 VLANs. The first one would be a management VLAN, the second an admin VLAN and the last one a customer VLAN. Management would be used for the computer tech to manage the equipment. The admin VLAN would be used for all the employees; the AD Win2k8 server will be on this VLAN too. The customer VLAN would be used only to get to the internet. VLAN 1 would speak to 2 and 3, but 2 and 3 would not speak to each other. I will relay the AD DHCP server on the third VLAN. The switch is on layer 3 protocol.

Here is my problem: as soon as I activate the IP access list, the switch is locking up, and the only way I can get it to work is to go back to a previously saved config without the IP access list activated. I'm activating the IP access list with all access to any VLAN... and still the same problem... The MAC access list is working perfectly.

I'm running the latest firmware...

Any advice would be welcome!

Thanks a lot!

15 Replies

chrcoope
Level 1

Hello,

What is the IP subnet for VLAN 1?

What is the IP subnet for VLAN 2?

What is the IP subnet for VLAN 3?

Tell me how you are setting up your IP ACL?

What routes have you added to the layer 3 switch?

What IP addresses have you added to the layer 3 switch?

What routes have you added to the RV082?

What IP addresses have you added to the RV082?

Regards,

Christopher

What is the IP subnet for VLAN 1?

192.168.1.0~254

What is the IP subnet for VLAN 2?

192.168.2.0~254

What is the IP subnet for VLAN 3?

192.168.3.0~254

Tell me how you are setting up your IP ACL?

prot.     src. add.     src. mask     dest. add     dest. mask     action

IP            any             any               any               any          permit

I opened everything to make some tests.

What routes have you added to the layer 3 switch?

dest ip    pref. length           next hop        route type     metric

0.0.0.0        /0                  192.168.1.1       remote           1

What IP addresses have you added to the layer 3 switch?

192.168.1.2

192.168.2.2

192.168.3.2

What routes have you added to the RV082?

dest ip               mask               def. gateway   hop count   interface

192.168.2.0     255.255.255.0     192.168.2.1          1            LAN

192.168.3.0     255.255.255.0     192.168.2.1          1            LAN

What IP addresses have you added to the RV082?

192.168.1.1

multiple subnet config

192.168.2.0     255.255.255.0

192.168.3.0     255.255.255.0

My immediate reaction is to change:

prot.     src. add.     src. mask     dest. add     dest. mask     action

IP            any             any               any               any          permit

To:

prot.     src. add.     src. mask     dest. add     dest. mask     action

ANY            any             any               any               any          permit

I have some reservations as to how the RV082 is deployed but I have to test an alternative in my lab.

What is the firmware version on the SFE2000?

Can you attach a config file for the SFE?

You say the switch locks up, does it continue to pass any traffic on any ports at all or does it just lock you out of the interface?

If you console the switch after applying your ACL with the serial cable, does it still have an IP bound to the management interface?

Hi Christopher,

I'll be at the customer's place by tomorrow morning... until tomorrow I'll not be able to do any tests...

Thanks a lot!

Is there a place here where I can download a simulator of that switch?

Thanks...

No simulator that I am aware of. A program called "Packet Tracer" is available to Cisco university students, and that has a small selection of small business devices but not this one.

I will look into your config today. Immediately I notice that the management/native VLAN was changed from 100. From where did you perform this change?

I think I did it from the console.

Thanks a lot!

Did

prot.     src. add.     src. mask     dest. add     dest. mask     action

ANY            any             any               any               any          permit

Also cause the switch to lock up?

Did you use the default console, or load an alternate console?

I didn't try "any" anywhere, as I was supposed to go to the customer's place today... but I got one piece of good news: I will replace their Linksys switch with a Cisco switch... I mean temporarily... by Monday morning. This way the SFE2000 will be at my office and out of production... tests will be easier this way!

Have a good weekend Christopher.

I'll be back with news by Monday.

Can you please assist me with saving the config file from the web GUI to the desktop?

Thank you.

That will be similar to this...

esw safe config.bmp

If you need something more specific, just let me know and I will get the exact screen shot for you. I just happened to have this on hand from today.

Regards,

Christopher

fritoss007
Level 1

Hi Christopher,

I finally brought the switch back to my office. I did add "any" to my ACL test rule... but I got an error when binding the ACL to a port... see the attachment.

Thanks!

Yes, I have seen this error before. Could you attach the current configuration and tell me what it is you ultimately wish to accomplish with your ACL? If so, I can look at the config, and then I should be able to tell you how to implement what you need. You may in fact be better off contacting the SBSC directly and opening a case with us. Then we could WebEx and work this out. The number here is 866.616.1866.

Regards,

Chris

Hi Christopher,

I used the same config file posted earlier... but I've only added "ANY" in my test ACL and bound it to a port... what I want to do is very simple:

VLAN 1 subnet 192.168.1.0/24..... Admin VLAN subnet to access my network hardware

VLAN 2 subnet 192.168.2.0/24..... Active Directory domain subnet

VLAN 3 subnet 192.168.3.0/24..... it's my guest internet VLAN, which should only have access to the internet

VLAN 1 speaks to VLAN 2

VLAN 1 speaks to VLAN 3

VLAN 2 speaks to VLAN 1

VLAN 2 doesn't speak to VLAN 3

VLAN 3 speaks to VLAN 1 only to be routed out to the internet

VLAN 3 speaks to VLAN 2 only for DHCP relay... DHCP is my Active Directory Domain Controller on VLAN 2

Is that what you asked for?

Thanks again!
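The inter-VLAN policy stated in the post above, modelled as an ordered first-match ACL with an implicit deny at the end. This is an added worked example, not code from the thread or from the SFE2000 itself; it does not reproduce the switch's rule syntax, it only shows how the six "speaks / doesn't speak" statements turn into a rule order that can be checked before anything is bound to a port. Assumptions not in the thread: the DHCP relay agent on VLAN 3 uses the switch address 192.168.3.2, the domain controller is 192.168.2.5, the admin VLAN also reaches the internet, and the keyword "ip" here is the any-protocol wildcard of this model (the thread's own "IP" vs "ANY" protocol rows are a question about the device, not about this script).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" = any protocol in this model; else "udp", "tcp", "icmp"
    src: str               # source prefix in CIDR notation
    dst: str               # destination prefix in CIDR notation
    dport: Optional[int] = None   # destination port; None means any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

# Constructed policy for the three subnets named in the thread.
# Order matters: the first matching rule wins, unmatched traffic is denied.
POLICY = [
    # VLAN 1 (admin/management) speaks to everything.
    Rule("permit", "ip",  "192.168.1.0/24", "0.0.0.0/0"),
    # VLAN 2 (AD) speaks to VLAN 1.
    Rule("permit", "ip",  "192.168.2.0/24", "192.168.1.0/24"),
    # Assumption: DHCP replies from the DC back to the relay agent on VLAN 3.
    Rule("permit", "udp", "192.168.2.0/24", "192.168.3.2/32", 67),
    # VLAN 2 doesn't speak to VLAN 3 (everything else).
    Rule("deny",   "ip",  "192.168.2.0/24", "192.168.3.0/24"),
    # Assumption: employees on VLAN 2 may reach the internet.
    Rule("permit", "ip",  "192.168.2.0/24", "0.0.0.0/0"),
    # VLAN 3 (guest) speaks to VLAN 2 only for DHCP relay (UDP/67 to the server).
    Rule("permit", "udp", "192.168.3.0/24", "192.168.2.0/24", 67),
    # Guests reach no other internal subnet, including VLAN 1 hosts and the router itself.
    Rule("deny",   "ip",  "192.168.3.0/24", "192.168.0.0/16"),
    # Whatever is left for guests is routed out to the internet.
    Rule("permit", "ip",  "192.168.3.0/24", "0.0.0.0/0"),
]

def evaluate(policy, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Tuple[str, int]:
    """Return (action, rule_number) for a flow; rule_number 0 is the implicit deny."""
    for number, rule in enumerate(policy, start=1):
        if rule.matches(proto, src, dst, dport):
            return rule.action, number
    return "deny", 0

# Constructed sample flows, one per statement in the post plus the two exceptions.
SAMPLE_FLOWS = {
    "admin -> guest ssh":         ("tcp", "192.168.1.50", "192.168.3.10", 22),
    "AD -> guest smb":            ("tcp", "192.168.2.5",  "192.168.3.10", 445),
    "DC -> relay agent dhcp":     ("udp", "192.168.2.5",  "192.168.3.2",  67),
    "guest -> DC smb":            ("tcp", "192.168.3.10", "192.168.2.5",  445),
    "relay agent -> DC dhcp":     ("udp", "192.168.3.2",  "192.168.2.5",  67),
    "guest -> router web ui":     ("tcp", "192.168.3.10", "192.168.1.1",  80),
    "guest -> internet https":    ("tcp", "192.168.3.10", "93.184.216.34", 443),
}

def run_samples(policy=POLICY) -> dict:
    """Evaluate every sample flow and return {label: action}."""
    return {label: evaluate(policy, *flow)[0] for label, flow in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for label, action in run_samples().items():
        print(f"{label:28s} {action}")
```

Walking the table this way shows why rule order is the whole policy: the two narrow DHCP permits must sit above the broad VLAN 2 / VLAN 3 denies, and the guest "deny to 192.168.0.0/16" must sit above the guest "permit to anything", or guests would reach the AD subnet. It also makes the implicit deny visible, which is the first thing to check when a freshly bound ACL drops management traffic along with the traffic it was meant to block.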
