I recently purchased an SG300-10 switch. Is it possible to change the TCP port numbers for the administrative services on this device? For example, if I wanted to change the web admin port from being available on port 80 to port 8080, or move the SSH port from 22 to 2022, how would I do this?
I've looked over the web admin interface, and the Security > TCP/UDP services option looks like what I want, but I see no way to change a service's listening port. Is this possible?
Currently there is not an option to change the listening port for each of the services. Under the security settings you can specify which type of connections are allowed for management. If you are looking for more security then there are rules to specify a physical port or IP address for access.
Hmm. It's a little disappointing that this feature does not exist -- it seems to be standard on equipment costing much less, and I had assumed it would be there on this model, certainly given the rich set of features it has otherwise.
This device sits between a DSL modem with a built-in firewall and a web server. I want to basically stop using the modem's firewall, and switch to using ACLs in the SG300 instead.
Disabling the modem's firewall has the unfortunate side-effect of exposing all the modem's service ports to the public internet -- so I'd need to keep that in place. I had thought the easiest approach would be to put the SG300 into the modem's "DMZ" but if I do that, then the SG300 immediately starts answering port 80 traffic. Which is honestly a little scary, complex passwords or not.
I'm still reading about writing ACLs and working up my courage to dive into that... I suppose it is possible to write a rule to route (TCP) port-specific traffic from the public internet to an internal IP? Basically NAT port forwarding?
I certainly understand your concerns with security on the switch, even more so when opening up your network to the internet.
Under 'Security > Mgmt Access Method > Access Profiles/Profile Rules' you will be able to modify the method of accessing the switch's management interface. You can make it so that a user must be connected to a specific port on the switch, come only from a specified IP address or certain vlan.
You can also create a rule under your access list that does the same thing. Great part is that all of these options are available in layer 2 and layer 3 modes.
The ACLs will let you control traffic flow over the switch, but only as allow or deny. For NAT you would still need a router. In layer 3 mode you would be able to control traffic by IP address which would give you added security.
Hope this information better assists you with your goals.
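As an added illustration of the access-profile approach described in the answer above (not part of the original thread, and not a config taken from the poster's switch): a management access list that only admits SSH and HTTPS from a single admin host, so the switch's HTTP and Telnet listeners never answer anyone else even when the switch is reachable from the modem's DMZ. The command syntax is assumed from the Sx300 CLI reference; the host address 192.168.1.10 and the list name `admin-only` are placeholders.

```cisco
! Management access list: evaluated top-down, first match wins.
! Only the admin workstation (placeholder 192.168.1.10) may reach SSH/HTTPS.
management access-list admin-only
 permit ip-source 192.168.1.10 mask 255.255.255.255 service ssh
 permit ip-source 192.168.1.10 mask 255.255.255.255 service https
 ! Everything else (any source, any service: http, telnet, snmp, ...) is refused.
 deny
exit
! Apply the list; verify SSH from the admin host still works before saving.
management access-class admin-only
! Also switch off the plaintext listeners entirely so port 80 stops answering.
no ip http server
no ip telnet server
! Persist the running config so the restriction survives a reboot.
copy running-config startup-config
```

The access list only gates the switch's own management plane; traffic to the web server behind the switch is still governed by the interface ACLs (allow/deny only, no NAT) that the answer mentions.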