Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1323
Views
0
Helpful
4
Replies

SGE2xxx - Can it do Layer 3 VLAN classification?

paul.thompson.au
Level 1
Level 1

‎10-05-2010 05:33 PM

Hello all,

I am attempting to design a complex campus network with a single type of switch (SGE2010P) using multiple VLANs between buildings and functions within the building.  EG, Admin, Staff, Students, Wireless staff, Wireless Student, etc.

Now whilst I have used the Linksys SGE series of switches for years with other clients successfully, I now have a layer 3 need to enable DHCP relay and access & restriction of traffic between VLANs.  Problem is I cannot see how the later is done after studying the configuration manual.  I can see this capability on other brand switches so hopefully Im missing something here.

I am not wanting to put in a dedicated layer 3 router/switch as the site requires onsite spares always available and cost is a restriction.  Using the common switch approach has worked for years at numerous other sites and I wish to maintain this.

So the exact functionality description is:

"To create traffic classifers that stop most VLANs from communicating with each other.  The classifiers check IP addresses and match packets between pairs of VLANs that must not communicate is the logic."

Any assistance from the community would be greatly appreciated.

Labels:
0 Helpful
4 Replies 4

David Carr
Level 6
Level 6

‎10-06-2010 10:53 AM

You can telnet or hyperterminal into the device and enable layer 3 under the system mode tab on the switch.  It will reboot the device and you will lose the configurations.  Once in layer 3 mode, you will have the option to setup dhcp relay.

0 Helpful

David Hornstein
Level 7
Level 7

‎10-06-2010 02:26 PM

Hi Paul,

David Carr beat me to it again.. he is dead correct, you have to enable layer3 mode via telnet or hyperterminal as he discussed.

I tested the application for you and here are the screen captures and results.

I setup DHCP relay to MY PC at 192.168.10.14, so i could perform a  wireshark capture or the unicast relayed DHCP requests.

I created a VLAN 90 and added a IP interface  of 10.2.2.1

In a DHCP server  or router,  I would add a route point back to the 10.2.2.0 network via 192.168.10.254 address.

My DHCP server would be located in my VLAN1.

like the screen shot below, I plugged a PC into my VLAN 90 on switch port G1  as it is untagged port within VLAN 90.

Note in the attached wireshark packet capture there is option 82 info which includes my VLAN id 0f HEX 5A  or Decimal VLAN 90.

It works, now go for it. 

With the Classifiers, or we cay call them access-list just be careful how you create the hardware classifiers or Access-List so you don't restrict access to the DHCP server.    Access-Lists have to be added to a interface like a QOS policy has to be added to a interface or they wont work.

regards Dave

73133-DHCP_RELAY.pcap.zip
0 Helpful

paul.thompson.au
Level 1
Level 1
In response to David Hornstein

‎10-06-2010 07:33 PM

Thank you Davids' for the replies.  You have indeed nailed my first questions down, implementing DHCP relay, thanks.

However it does not answer the prime question on functionality I am looking to implement, ie Layer 3 control.

For example.

VLAN 50 is the student LAN.  Its IP range is 192.168.50.0/24

VLAN 100 is the FileServer LAN. Its IP range is 192.168.100.0/24

So what I wish to do is only open up ports TCP/137-139 between traffic?

If port control is not available, then Its OK to use Source IP Address/Range and Destination IP Address/Range, albeit it will require some more careful planning.?

And if that all does not work, would you recommend a 'full' layer 3 PoE 48 port switch?

Cheers,

Paul

0 Helpful

David Hornstein
Level 7
Level 7
In response to paul.thompson.au

‎10-07-2010 08:47 AM

Hi Paul,

You are a hard task master.

The ACL functuionality does run in hardware, so access control is run at wire speed.

I have put a example together to just restrict access to my FTP server and applied or bound the ACL to switch port G1. See screen capture below.

ACL 'listen' for traffic ingressing into the switch port. My PC is connected to switch port G1  and the ACL restricts FTP traffic.

Your ACL would not be deny TCP port 20 and 21  to any network, but you might like to create a ACL and bind the ACL to the switch ports that attach to the Student VLAN;

allow TCP ports 137 from 192.168.50.0  0.0.0.255 to 192.168.100.0  0.0.0.255

allow TCP ports 138 from 192.168.50.0  0.0.0.255 to 192.168.100.0  0.0.0.255

allow TCP ports 139 from 192.168.50.0  0.0.0.255 to 192.168.100.0  0.0.0.255

deny TCP  from 192.168.50.0  0.0.0.255 to 192.168.100.0  0.0.0.255

deny UDP from 192.168.50.0  0.0.0.255 to 192.168.100.0  0.0.0.255

allow anything else

Something to that effect.  But here is my working ACL below

But if cost is a determining factor in product selection,  why not look at the new SRW2024P-K9 (SG300 series)  that was recently introduced..

I'm real hot on the product as I've had a few months to play with the new series.  It's hot of the silicon press and has a lot more new  features, especially with VOIP and Green.

It's a  a layer 3 switch, better warranty (next business day replacement where applicable) , smaller footprint, is more cost effective when compared to the SGE series and simple simple intuitive GUI . Just a thought.

If you want the convenience of the Cisco flexible  CLI and advanced debugging etc.. yep have a word to your local Distributor for advice on price, but a Cisco 3560 or 3750 -X series could fit the job nicely.  Spend some time and check out the datasheets on products mentioned.

regards Dave

0 Helpful
Customers Also Viewed These Support Documents