Deny access to SG300 from outside

Thomas_Madsen · ‎02-14-2014

I've configured a range SG300 to be used in a building for users to get internet access via theire own FW.

It's using QoS and some traffic shaping.

Every now and then i need to change some settings on it, and it's kinda stupid if i have to get out to the location every time i need to change something. To solve that i configured the Managment Access bit where only my office subnet has access to it. Ofcourse that solves some of my concernes aobut access from rest of the world, but i would very much like to have access to it from the location also, and from my homeoffice.

How can i solve this ?? not sure how i would configure ace/acl to solve it without fu..g up access completly.

Thnsk for any help

Thomas

mpyhala · ‎02-14-2014

Thomas,

Does the firewall support VPN access? That would be the most secure way to manage the switch remotely.

- Marty

Thomas_Madsen · ‎02-16-2014

there is no firewall in front

Thats why i would like to restrict access to SG300, they are used to connect 21 firewalls to the internet on a /26 net. they are used as a building net where internet comes as fiber, hooked up to a SG300-10SFP where net goes out to SG300-20 using fiber and from the SG300-20 to each enduser that uses theire own firewall's :-)

Nagaraja Thanthry · ‎02-16-2014

Hello Thomas,

The configuration example in the following document may help:

http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=7ffabcdfa21e4e53aaf14d51ea5db6ba_Access_Profiles_Configuration_on_SG300_Series_Switches.xml&pid=2&respid=0&snid=6&dispid=0&cpage=search

Nagaraja

Thomas_Madsen · ‎02-16-2014

thansk for reply, but if you did read my first post.

I'm using access profiles, but you can only add 1 subnet in it, i would like to be able to access it from different locations.

Like from "onsite" where vlan1 has 1 subnet, and from work where i have another subnet, and from homeoffice where i have another subnet.

This cant be done using access profiles.