Creating vlans on sf300-getting issue to get right configs.

nasseerudin
Level 1

Hi,

I just got an SF300 and I need to break down my network to create different subnets.

Actually, I am using the 192.168.1.0/24 subnet.

What I need to do is subnet my network so that the different VLANs cannot talk to each other.

For example:

VLAN 2 is data and VLAN 3 is for IP cameras.

I do not want the PC on VLAN 2 to be able to ping or access the cameras on VLAN 3.

I tried using forbidden, or rem vlan, but I can still ping.

My default VLAN is VLAN 1.

Can someone give me some help on this?

Thanks

6 Replies

nasseerudin
Level 1

I encountered the following, which is related to the above:
Well, I started from scratch and created 3 VLANs.
VLAN 1, VLAN 2, VLAN 3: management VLAN, PC, laptop respectively.
I connected a PC on port fe7 and configured it for access to VLAN 2 only. The PC is configured with IP 192.168.2.250/24, gateway 192.168.2.253.
Did a ping to 192.168.2.253 and it works fine. Pinged 192.168.3.253 as well as 192.168.1.253 and could ping them too.
Same done from the laptop, which is found on VLAN 3.
The issue is: when the laptop is on, I can ping the switch at 192.168.3.253 (VLAN 3) from the PC (VLAN 2). But as soon as I disconnect the laptop, the PC cannot ping the switch at 192.168.3.253. This happens vice versa with the laptop.
Why is it such?
I need to configure the PC so that it cannot talk with the laptop VLAN. Can someone please help me.
Find below my SF300 switch configuration (running in layer 3 mode).

LVCMAIN#sh run
vlan database
vlan 2-3
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 192.168.1.253 255.255.255.0
exit
interface vlan 2
ip address 192.168.2.253 255.255.255.0
exit
interface vlan 3
ip address 192.168.3.253 255.255.255.0
exit
interface vlan 1
no ip address dhcp
exit
bonjour interface range vlan 1
hostname LVCMAIN
enable password level 15 encrypted 1561482c1292222496d39bb43eb61619184a51c9
username cisco password encrypted 1561482c1292222496d39bb43eb61619184a51c9 privilege 15
no snmp-server server
interface fastethernet7
switchport mode access
switchport access vlan 2
exit
interface fastethernet24
switchport mode access
switchport access vlan 3
exit
interface gigabitethernet4
switchport mode access
switchport access vlan 2
exit
interface vlan 2
name pc
exit
interface vlan 3
name lap
exit

Hi

Your Layer 3 switch is working fine; you are just looking at a characteristic of how Layer 3 interface routes work in Cisco switches.

Here is an example from my SG300-10P.

You will note, from the 'show vlan' command below, that I created a VLAN 3 and gi3 is the ONLY switch port that is a member of that VLAN.

switch38cbaf#show vlan

Vlan       Name                   Ports                Type     Authorization
---- ----------------- --------------------------- ------------ -------------
1           1             gi1-2,gi4-10,Po1-8        Default      Required
3         test                    gi3              permanent     Required
100         100              gi1-3,gi8,gi10        permanent     Required

I had plugged a PC into gi3. This then made the IP interface on VLAN 3 available, or active.

I then looked at the IP routes in the switch. Note that VLAN 3 has a valid directly connected IP network route in the screen capture below.

switch38cbaf#show ip route

Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding:          enabled
Codes: C - connected, S - static, D - DHCP

D  0.0.0.0/0          [1/2] via  192.168.20.1  0:3:38              vlan 1
C  192.168.3.0/24     is directly connected                        vlan 3
C  192.168.20.0/24    is directly connected                        vlan 1

I pulled the PC out of Gigabit port 3 on my switch at this point in time.

Gi3 is the only port that is a member of VLAN 3.

As you can see from the console entries below (in red), VLAN 3 went down because no other active ports are members of VLAN 3.

12-Nov-2011 23:44:48 %LINK-W-Down:  gi3, aggregated (2)
12-Nov-2011 23:44:48 %LINK-W-Down:  Vlan 3, aggregated (3)

All ports attached to VLAN 3 are now down and, as a consequence, the interface route goes away.

This is reflected in the show ip route output below: the interface route for VLAN 3 goes down and disappears from the route table.

switch38cbaf#
switch38cbaf#show ip route

Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding:          enabled
Codes: C - connected, S - static, D - DHCP

D  0.0.0.0/0          [1/2] via  192.168.20.1  0:4:9               vlan 1
C  192.168.20.0/24    is directly connected                        vlan 1

switch38cbaf#

This is the reason why you lose the ability to ping VLAN 3, or, to put it simply, something has to be active on VLAN 3 for VLAN 3 to respond to a ping or do other processes. This is normal behavior for Cisco switches.

Regards, Dave

Yes, but I would like to restrict the device from talking to others found in a different VLAN.

For example, a device in one VLAN cannot talk with VLAN 3.

I tried to forbid it on the port but it does still ping.

So what is really the use of forbidding a VLAN?

Hi Nasseerudin

Dead right, I only explained why pinging the gateway disappeared; my apologies.

It's much easier to restrict network-to-network connectivity when compared to host-to-host connectivity.

I have to admit access-list functionality is the easiest way to control unicast traffic movement between VLANs.

1. Creating an access list.

2. Adding a number of ACE entries to either permit or deny pattern matches.

3. Binding the access list to a switch port to filter the ingress traffic.

I'll make use of a previous example within this support community of what you may need to do. It's a good discussion with examples.

https://supportforums.cisco.com/message/3368125#3368125

REMEMBER that the access list pattern-matches ACE entries on packets coming into, or another term is ingressing into, the switch.

Regards, Dave

Thanks for replying.

But let's say on my VLAN 3 the IPs are distributed through DHCP and are dynamic, whereas VLAN 2 has fixed IPs on the devices.

VLAN 4 is used to hold my servers, so VLAN 3 needs to communicate with VLAN 4.

In this case I don't want any devices from VLAN 3 to be able to reach VLAN 2, for security purposes.

What are the steps to do this?

Hi Nasseerudin

Here is a 6 minute recording I made for you showing how to create an access list and ACE entries to restrict IP traffic from one network to another on my SG300-10P.

The rules are the same for any SF/SG series product.

Click here to see a 6 minute recording of me creating an access list with ACE entries and binding the ACL to a switch port.

Again I will reinforce and remember that the ACL is bound to a switch port. The ACL monitors ingress traffic, in other words traffic coming into the switch, and then permits or denies traffic according to the ACE entries contained within the access list.

The switch matches packets by running through the ACE list from top to bottom, with an implicit, invisible (built in) deny at the end of the list.

Hope this answers your question.

Regards, Dave
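As an added illustration (not part of Dave's posts or of the switch's CLI), here is a small Python model of the evaluation rules Dave describes in his two replies: ACEs tried top to bottom on ingress, first match wins, implicit deny at the end. It applies them to the poster's policy (VLAN 3 must not reach VLAN 2 but must still reach the VLAN 4 servers); the VLAN 4 address 192.168.4.10 and the laptop address 192.168.3.77 are constructed for the example.

```python
# Added example (not from the thread or the switch CLI): a model of how an
# SF/SG 300 ingress access list is evaluated. Assumptions: ACEs are tried top
# to bottom, first match wins, an unmatched packet hits the implicit deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # CIDR network or "any"
    dst: str     # CIDR network or "any"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        def in_net(ip, net):
            return net == "any" or ip_address(ip) in ip_network(net)
        return in_net(src_ip, self.src) and in_net(dst_ip, self.dst)

def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    """Action applied to a packet entering the port the list is bound to."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action
    return "deny"  # the implicit, invisible deny at the end of every list

# Policy from the thread: VLAN 3 (192.168.3.0/24, DHCP clients) must not reach
# VLAN 2 (192.168.2.0/24) but must still reach the servers in VLAN 4. Matching
# the whole subnet is why dynamic DHCP addresses are not a problem. Bind it on
# the VLAN 3 access port (fe24 in the poster's config): it only sees ingress.
VLAN3_INGRESS = [
    Ace("deny", "192.168.3.0/24", "192.168.2.0/24"),
    Ace("permit", "any", "any"),  # without this the implicit deny blocks everything
]

# Common mistake: a list containing only the deny ACE.
DENY_ONLY = [Ace("deny", "192.168.3.0/24", "192.168.2.0/24")]

# Constructed sample packets entering the VLAN 3 port (src, dst); VLAN 4
# subnet assumed to be 192.168.4.0/24 for the example.
SAMPLES = [
    ("192.168.3.77", "192.168.2.250"),  # laptop -> PC in VLAN 2: must be denied
    ("192.168.3.77", "192.168.4.10"),   # laptop -> server in VLAN 4: allowed
    ("192.168.3.77", "192.168.3.253"),  # laptop -> its own gateway: allowed
]

def check(acl):
    return [evaluate(acl, s, d) for s, d in SAMPLES]

if __name__ == "__main__":
    print("correct list:", check(VLAN3_INGRESS))  # ['deny', 'permit', 'permit']
    print("deny only   :", check(DENY_ONLY))      # ['deny', 'deny', 'deny']
```

Return traffic from VLAN 2 enters the switch on fe7, so this list never sees it; that is why Dave stresses which port the ACL is bound to.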