ACL to allow SNMP traffic
I created an ACL to allow SNMP traffic through. Once I applied it, traffic does not pass. It should be pretty simple. Below is what I used. I am using SNMP v2.
ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
Additional permit statements omitted.
Where is it applied, to an L3 switch VLAN interface or a router interface, and in which direction, etc.?
Is the SNMP traffic from a specific device? You could add a permit with log for that specific device to see what ports it is using.
Also, where is the SNMP coming from in your ACL? If it is the x.x.0.0 network the ACL should be -
permit udp x.x.0.0 0.0.255.255 eq snmp host SERVER_IP eq snmp
etc..
Jon
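The question leaves open which direction the ACL is applied in and on which side SERVER_IP sits, which is exactly what Jon is asking. The script below is an added example (not code from HMidkiff or Jon) that evaluates the ABC-ACL with IOS wildcard-mask and first-match semantics, including the implicit deny at the end, against the flows a polling server sees coming from the device network. The range 10.20.0.0/16 stands in for X.X.0.0 and 10.99.0.5 for SERVER_IP; those addresses and the packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

NAMED_PORTS = {"snmp": 161, "snmptrap": 162}  # IOS port keywords used in the thread


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_entry(line: str) -> Entry:
    """Parse 'permit|deny proto SRC [eq port] DST [eq port] [log]', where SRC/DST is
    'any', 'host A.B.C.D' or 'A.B.C.D wildcard'. Enough of the syntax for this thread."""
    tok = line.split()
    pos = 2  # tok[0] is the action, tok[1] the protocol

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    def take_port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            name = tok[pos + 1]
            pos += 2
            return NAMED_PORTS[name] if name in NAMED_PORTS else int(name)
        return None

    src, src_wc = take_addr()
    sport = take_port()
    dst, dst_wc = take_addr()
    dport = take_port()
    return Entry(tok[0], tok[1], src, src_wc, dst, dst_wc, sport, dport)


def evaluate(acl, pkt: Packet):
    """First matching line wins; unmatched traffic hits the implicit deny (line None)."""
    for lineno, text in enumerate(acl, start=1):
        e = parse_entry(text)
        if e.proto not in ("ip", pkt.proto):
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, lineno
    return "deny", None


# The ACL from the question, with constructed addresses in place of X.X.0.0 / SERVER_IP.
ABC_ACL = [
    "permit udp 10.20.0.0 0.0.255.255 host 10.99.0.5 eq snmp",
    "permit udp 10.20.0.0 0.0.255.255 host 10.99.0.5 eq snmptrap",
    "permit icmp 10.20.0.0 0.0.255.255 host 10.99.0.5",
]

# Constructed packets travelling from the device network toward the server.
# An SNMP agent answers a poll from UDP 161 to whatever ephemeral port the manager used.
POLL_REPLY = Packet("udp", "10.20.5.7", "10.99.0.5", sport=161, dport=54321)
TRAP = Packet("udp", "10.20.5.7", "10.99.0.5", sport=40000, dport=162)
PING = Packet("icmp", "10.20.5.7", "10.99.0.5")
OUTSIDE_TRAP = Packet("udp", "10.21.5.7", "10.99.0.5", sport=40000, dport=162)

# Variant that matches the agent's reply on its source port instead of a destination port.
REPLY_ACL = ABC_ACL + ["permit udp 10.20.0.0 0.0.255.255 eq snmp host 10.99.0.5"]


def report(acl, packets):
    return {name: evaluate(acl, p) for name, p in packets.items()}


if __name__ == "__main__":
    flows = {"poll reply": POLL_REPLY, "trap": TRAP, "ping": PING, "trap from 10.21.x": OUTSIDE_TRAP}
    for label, acl in (("ABC-ACL", ABC_ACL), ("ABC-ACL + reply line", REPLY_ACL)):
        print(label)
        for name, verdict in report(acl, flows).items():
            print(f"  {name:18s} -> {verdict}")
```

If SERVER_IP is the poller, the agent's reply is sourced from UDP 161 and addressed to an ephemeral port, so neither `eq snmp` line matches it and it falls to the implicit deny, while traps to port 162 pass. The extra line in REPLY_ACL keys on the source port instead, which is the one permit that reply needs; whether that or the original line is the right one depends on the answer to Jon's question about where the SNMP is coming from and on which direction the list is applied.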
Similar Messages
-
Allow external traffic to access internal computers
We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
ASA Version 8.4(3)
hostname ciscoasa
domain-name default.domain.invalid
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.2.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 152.18.75.132 255.255.255.240
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object network a-152.18.75.133
host 152.18.75.133
object network a-10.2.1.2
host 10.2.1.2
object-group network ext-servers
network-object host 142.21.53.249
network-object host 142.21.53.251
network-object host 142.21.53.195
object-group network ecomm_servers
network-object 142.21.53.236 255.255.255.255
object-group network internal_subnet
network-object 10.2.1.0 255.255.255.0
access-list extended extended permit ip any any
access-list extended extended permit icmp any any
access-list extended extended permit ip any object-group ext-servers
access-list acl_out extended permit tcp any object-group ecomm_servers eq https
access-list outside_in extended permit ip any host 10.2.1.2
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit 10.2.1.0 255.255.255.0 inside
icmp permit any echo-reply outside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static a-10.2.1.2 a-152.18.75.133
route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.2.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.2.1.2 255.255.255.255 inside
ssh 122.31.53.0 255.255.255.0 outside
ssh 122.28.75.128 255.255.255.240 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
dhcpd address 10.2.1.2-10.2.1.254 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c7d7009a051cb0647b402f4acb9a3915
: end
ciscoasa(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
translate_hits = 1, untranslate_hits = 112
ciscoasa(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
translate_hits = 1, untranslate_hits = 113
ciscoasa(config)#
Okay, I will bite.
Assuming you have
a. dynamic pat rule for lan users-devices to reach the internet
(missing ???????????????
(should look like a nat rule that makes two entries when you make the one rule)
(with router set at defaults it may make this rule for you already in place)
-object bit
object network obj_any_inside
subnet 0.0.0.0 0.0.0.0
and rule bit
object network obj_any_inside
nat (inside,outside) dynamic interface
b. route rule - tells asa next hop is IP gateway address
route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
c. Nat rule for port forwarding- Using objects it creates two entries (lets say i call it natforward4server)
object bit
object network natforward4server
host 10.2.1.2
Nat bit
object network natforward4server
nat (inside,outside) static interface service tcp 443 443
d. NAT for a translated port.
If you had wanted to translate a port, let's say you have external users that can only use port 80 but need to access https
object bit
object network natfortransl4server
host 10.2.1.2
Nat bit
object network natfortransl4server
nat (inside,outside) static interface service tcp 443 80 -
Allow IPSEC traffic thru 871?
I am using Cisco 871's with Advanced IP Sec IOS for remote offices. I need to allow IPSEC traffic to pass thru the 871 to establish a client IPSEC tunnel. The client VPN software is Nortel's Contivity VPN.
How can I allow IPSEC traffic to pass thru the 871?
If you are initiating VPN client connectivity from behind the 871 to outside you need to allow through the IPsec ports UDP 500, UDP 4500 and protocol 50 (ESP). I don't know Nortel's VPN client but I'm sure they follow the IPsec security standards.
try this on your 871 router.
access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log
apply acl-101 to your outbound interface
access-group 101 in
HTH
Jorge -
RV016 Router Allow All Traffic For Outside IP
Hi,
I need to configure the firewall to allow all traffic for an IP address of a server. What steps in the router do I need to configure this? This is a cloud based VoIP server and we have IP phones and we need to add an IP address of the phone server to allow all traffic for that IP.
Thanks.
Hi Jonathan,
I have a similar problem with VOIP traffic being dropped by my new RV016 v3 router.
I have created one Firewall Rule, to allow ALL traffic from the external VOIP PBX provider (single IP) to connect to the internal VOIP phones, which have assigned addresses in a small IP Address range (eg. 10.1.2.50 - 10.1.2.59)
The Aastra VOIP phones continually lose their registration with the cloud-based PBX. If you make an outgoing call, it will work, but the PBX will lose connection with the phone 3 or 4 minutes after you hang up, and will mark it as offline. Incoming calls made within the 3 or 4 minutes will get through, but after that they go right to voicemail on the PBX system.
We used to have an RV016 v2 router and VOIP traffic worked OK, with a similar Firewall Rule. We replaced the v2 router because its CPU crashed.
I tested the VOIP traffic with a WRT160 router with minimal Firewall Rules, and it works OK, as long as SIP-ALG is turned Off. We want to use the RV016 because it provides a larger number of ports for our LAN.
Any suggestions ?
Kirk -
Hi!
We need to allow DNS Traffic from Lan to Wan network for our internal LAN Users through Cisco Router. May we have the lines to add in the router and do we need anything else to apply this access-list?
Thanks.
access-list 101 extended permit tcp net_lan sub net_wan sub eq 53
access-list 101 extended permit udp net_lan sub net_wan sub eq 53
access-list 101 extended deny any any
interface Serial 0/0
ip access-group 101 out
N.B. That access-list only permits traffic for the DNS protocol. All traffic except DNS will be denied. -
ACLs never apply to traffic generated by the router
http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4&rl=1
"Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual".
Is it (the return packet, however, will be blocked as usual) the case all the time? If it is the case, could you please explain?
Thanks Rick, I need some clarification about the below scenario please:
suppose I have got R1 (one of many routers) with two interfaces, serial0/0 and e0/0; the IP address for serial0/0 is 192.168.0.1/24 and the IP address for e0/0 is 172.16.0.1/16.
R1(config)#access-list 101 deny ip any any
R1(config)#interface serial 0/0
R1(config-if)#ip access-group out
R1(config)#access-list 150 deny ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group in
Now we satisfied the condition which it says: "where there is an outbound ACL and an inbound ACL and they both deny all traffic".
1- ((The inbound ACL will deny all traffic)).
This is obvious because when any packet tries to enter the router R1, the ACL will check both IP addresses, the source (any) and the destination (which can be one of the interfaces belonging to R1); because it matches the condition of the ACL, it will be dropped.
2- ((In this case the outbound ACL can deny transit traffic, but can not deny packets generated by the router which will be transmitted)).
The first paragraph (In this case the outbound ACL can deny transit traffic) is fine; the second one, "but can not deny packets generated by the router which will be transmitted", is where my understanding is this: when packets are generated by router R1, these packets have got a source IP address and a destination IP address.
The source and destination IP addresses still match the condition of the ACL, so why shouldn't it be denied? -
Firewall Allow all traffic on lan
Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.
dtich wrote:
thx dean, yes, i had certainly looked at the log, which shows these entries:
Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0
but i have no idea where 169xxx is, nothing on my lan... if the port is 65534, that's an ftp passive port, tried opening that, doesn't solve the problem. if the port is 138, that's netbios, which would be odd, but i tried opening that too. nothing doing. can't figure it out. and the log really isn't helping too much.
traceroute gives me:
traceroute to 169.254.14.242 (169.254.14.242), 64 hops max, 40 byte packets
1 169.254.14.242 (169.254.14.242) 0.593 ms 0.504 ms 0.195 ms
so, i guess that's some internal address that my router uses or something..?? wacky. i'm out of my depth here.
if i allow 169.254.x.x, i still get no joy.
mean anything else to you?
yeah, 169.254.x.x is part of the zeroconf net address range. (See http://en.wikipedia.org/wiki/Zeroconf for more details)
Not sure why the device in particular is trying port 138, unless it's a Windows box maybe? Is en0 on your local network or external? -
ACLs to allow read/write to folders but prevent name changes folders
Merger of two sites - need common file structure for storage - both differ at present
I want to set up an initial number of departmental folders for clients to store files.
Clients should not be able to rename any of these top level folders.
They should not be able to add additional folders at the top level.
But they should be able to write to the folders, and be allowed to create sub-folders within the toplevel folders.
How do I set up ACLs to allow this...
Create an ACL with a group containing all of your clients.
At the top level of that folder, set the ACL and the Everyone group in POSIX permissions to Read Only.
You can then change permissions on all the sub-folders as you wish. One easy example: let's say that this client has read/write access to all the subfolders, but you don't want them to have anything other than read access for the top folder. You can then set the ACL for the share point that the client group has read/write access, and propagate permissions for the ACL set.
THEN, once you have done this, change the top folder to Read only. do NOT propagate permissions again. Then the top folder will have read-only access, clients can't change or create folders at this level, but have full access to all subfolders. -
Our NMS is getting hit by lots of Authentication failure traps from our Cisco devices as IT insist on SNMP polling our entire network.
To stop this I have put an ACL on the snmp-server community line. ie
access-list 58 permit z.z.z.z 0.0.0.255
access-list 58 permit y.y.y.y 0.0.0.255
access-list 58 permit x.x.x.x 0.0.3.255
snmp-server community ****** RO 58
snmp-server community ****** RW 58
This seems to have stopped some of the devices from sending authentication failure traps to our NMS but others are still sending traps although the snmp requester should be getting dropped by the ACL.
Is there any known reason why this would be happening?
Hi!
You probably got a line in your config that looks like this:
>snmp-server enable traps snmp authentication ...
Simply take out the "authentication" part in this line and you won't get any more of those traps!
Ciao,
marco -
Firewall blocks Airplay (even under 'allow all traffic')
Hi every body,
I am somewhat at the end of my knowledge. I have a Mac mini server running Lion 10.7.2 Server. Interestingly, the server's firewall blocks
a) all AirPlay traffic and
b) 'reading Airport configuration' requests
even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
Any help would really be appreciated.
Thanks a lot.
Nonresidentalien
P.S. I have also tried to open ports 80 (t), 443 (t), 554 (t/u), 3689 (t), 5297 (t), 5289 (t/u), 5353 (u), 49159 (u) and 49163 (u) with no success.
Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
First, you want to show you the current IPv6 firewall rules. In my case they looked like this (10.7.2):
reptilehouse:~ sascha$ sudo ip6fw show
01000 285 96163 allow ipv6 from any to any via lo0
01100 66 5750 allow ipv6 from any to ff02::/16
65000 0 0 deny ipv6 from any to any
65535 6 306 allow ipv6 from any to any
As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
reptilehouse:~ sascha$ sudo ip6fw delete 65000
To confirm, show the rule table again and you should see 65000 is gone:
reptilehouse:~ sascha$ sudo ip6fw show
01000 285 96163 allow ipv6 from any to any via lo0
01100 66 5750 allow ipv6 from any to ff02::/16
65535 6 306 allow ipv6 from any to any
Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
What I don't know is whether this is sticky, e.g. survives a reboot. -
ACL allowing some traffic with DENY
Good day all,
I have been trying to apply ACLs to a vlan interface and have not been able to make it work,
I configured them as follows:
Extended IP access list 160
10 deny ip 10.0.0.0 0.0.255.255 10.0.24.0 0.0.0.255
20 permit ip 10.0.24.0 0.0.0.255 host 8.8.8.8 log
30 deny ip 10.0.24.0 0.0.0.255 any
40 deny icmp 10.0.24.0 0.0.0.255 any
50 deny ip any any
Extended IP access list 161
10 deny ip host 4.2.2.2 10.0.24.0 0.0.0.255
20 deny ip host w.x.y.z 10.0.24.0 0.0.0.255 - firewall outside address
30 permit icmp host 10.0.2.3 any
40 deny icmp any any (5 matches)
50 deny ip any any
60 deny udp any any
interface Vlan600
ip address 10.0.24.3 255.255.255.0
ip access-group 161 in
ip access-group 160 out
no ip route-cache cef
no ip route-cache
no ip mroute-cache
end
The problem is that I can still ping 4.2.2.2 and 8.8.8.8, which I only want to limit to 8.8.8.8. I was also able to ping yahoo.com and others. The pings from the other subnets fail, and any from the 24 subnet to the external address of the firewall fail, which are both required results.
I tried to debug the ping test with the debug ip packet command but didn't see anything show up on my log server. I then tried the same lines in a program called ACL editor simulator and it comes up as a no match. Can someone please help me figure out how to block all web and 4.2.2.2 traffic in and out.
Thanks
Michael
Michael
It looks to me like you have your in and out reversed. VLAN 600 is subnet 10.0.24.0. In access list 160 we find that 10.0.24.x are the source addresses. So this access list should be applied as "inbound". And in access list 161 we find that references to subnet 10.0.24.0 have it as the destination, so it should be applied as "outbound".
So if you change the access-group configurations and apply 160 in and 161 out you should find more hits in the access lists.
But even if you change the direction of the access lists there will not be any successful traffic in and out of the subnet. I note that access list 160 has only a single line with a permit statement and it permits traffic to host 8.8.8.8. I also note that access list 161 has only a single line with a permit statement. And it permits only ICMP packets from host 10.0.2.3. So the amount of traffic permitted will be very small.
HTH
Rick -
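Rick's reasoning about direction can be turned into a small lint that runs before an ACL is bound to an SVI. The script below is an added example, not code from the thread: it represents each line of access lists 160 and 161 as (action, protocol, source, destination) fields, converts IOS wildcard masks to networks, counts how many lines place the VLAN subnet in the source versus the destination field, and reports which direction the list belongs in along with how many permits it contains. The firewall outside address w.x.y.z from the post is replaced with the constructed placeholder 203.0.113.1.

```python
import ipaddress

VLAN_600 = ipaddress.IPv4Network("10.0.24.0/24")  # subnet of interface Vlan600 in the post

# ACL lines from the post as (action, protocol, source field, destination field).
ACL_160 = [
    ("deny",   "ip",   "10.0.0.0 0.0.255.255", "10.0.24.0 0.0.0.255"),
    ("permit", "ip",   "10.0.24.0 0.0.0.255",  "host 8.8.8.8"),
    ("deny",   "ip",   "10.0.24.0 0.0.0.255",  "any"),
    ("deny",   "icmp", "10.0.24.0 0.0.0.255",  "any"),
    ("deny",   "ip",   "any",                  "any"),
]
ACL_161 = [
    ("deny",   "ip",   "host 4.2.2.2",     "10.0.24.0 0.0.0.255"),
    ("deny",   "ip",   "host 203.0.113.1", "10.0.24.0 0.0.0.255"),  # constructed stand-in for w.x.y.z
    ("permit", "icmp", "host 10.0.2.3",    "any"),
    ("deny",   "icmp", "any",              "any"),
    ("deny",   "ip",   "any",              "any"),
    ("deny",   "udp",  "any",              "any"),
]


def to_net(field: str) -> ipaddress.IPv4Network:
    """'any', 'host A.B.C.D' or 'A.B.C.D wildcard' -> IPv4Network.
    An IOS wildcard mask is a hostmask, which ipaddress accepts after the slash
    (non-contiguous wildcards such as 0.255.0.255 cannot be expressed and raise)."""
    parts = field.split()
    if parts[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)


def direction_report(acl, svi_net: ipaddress.IPv4Network) -> dict:
    """Inbound on an SVI sees the VLAN subnet as the source; outbound sees it as the
    destination. Count which field each line puts inside the SVI subnet and recommend
    the direction accordingly; also count permits, since everything else is dropped."""
    src_in = sum(1 for _, _, src, _ in acl if to_net(src).subnet_of(svi_net))
    dst_in = sum(1 for _, _, _, dst in acl if to_net(dst).subnet_of(svi_net))
    permits = sum(1 for action, *_ in acl if action == "permit")
    if src_in > dst_in:
        apply = "in"
    elif dst_in > src_in:
        apply = "out"
    else:
        apply = "unclear"
    return {"src_in_vlan": src_in, "dst_in_vlan": dst_in, "permits": permits, "apply": apply}


if __name__ == "__main__":
    for name, acl in (("160", ACL_160), ("161", ACL_161)):
        print(f"access-list {name}: {direction_report(acl, VLAN_600)}")
```

Run as written, the report says 160 belongs inbound and 161 outbound, the reverse of the `ip access-group` lines in the post, and that each list carries a single permit, which is Rick's second observation.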
No ACL deny logs for Traffic not matched by Static Object NATs and ACL. Need Help.
I start noticing that I do not see any denied traffic coming in on my ACL. To better explain, lets say I have this config.
### Sample Config ###
object network webserver
host 192.168.1.50
nat (dmz, outside) static X.X.X.X service tcp www www
access-list inbound extended permit ip any4 object webserver eq www
If I generate traffic from the outside, let's say traffic that is trying to access X.X.X.X via TCP port 8080, which obviously does not have any NAT entry going to my DMZ, I don't see the ACL deny it anymore; instead it comes back with a Drop Reason: (nat-no-xlate-to-pat-pool). On the packet trace I got this (below). It seems that it does not even hit the ACL, as there is no xlate found for it, at least according to what the drop reason says.
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
Before, using a regular Static PAT on ASA versions 8.2(5) and below, I could get the deny logs (ASA-4-106023). Generally, I use these logs, and they are quite important for us, especially during auditing.
My question is how can I generate logs for this type of dropped traffic on the ASA 9.1 version?
Any comments/suggestions are gladly appreciated :)
Regards,
John
I believe, but am not 100% sure, that the reason you are not seeing the ACL drop but a no NAT matched is because of the changes from 8.2 to 8.3 in the order of how things are done. In 8.3 and later you need to specify the real IP address when allowing packets in, and this is because NAT happens before the ACL is matched. So since there is no match on the NAT the packet is dropped then and there, never reaching the stage where ACLs are checked.
As to seeing drops in the ACL log...You might want to try adding an ACL that matches the NATed IP...but I don't think you will have much success with that either. My guess is that there is no way around this...at least no way I know of.
Please remember to select a correct answer and rate helpful posts -
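John's point is that the drops he needs for auditing no longer appear as ACL denies. One way to keep them auditable is to parse packet-tracer output programmatically. The parser below is an added example, not code from the thread or from Cisco: it splits the output into its phases and the trailing result block, extracts the drop-reason code, and checks whether an interface ACL phase was ever reached. The sample text is the output quoted in the post; the interface-ACL check assumes that packet-tracer lists the `access-group` line under `Config:` for such a phase, which this output does not contain.

```python
import re

# packet-tracer output as quoted in the post
SAMPLE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
"""


def parse_packet_tracer(text: str) -> dict:
    """Split packet-tracer output into phase records and the trailing summary block."""
    phases, summary = [], {}
    cur, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":  # a bare 'Result:' opens the final summary block
            in_summary, cur = True, None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
            continue
        if cur is None:
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        key, sep, value = line.partition(":")
        if sep and key in ("Type", "Subtype", "Result") and section is None:
            cur[key.lower()] = value.strip()
        elif section:
            cur[section].append(line)
    return {"phases": phases, "summary": summary}


def drop_code(parsed: dict):
    """The parenthesised code at the start of 'Drop-reason:', or None if the packet was allowed."""
    m = re.match(r"\(([^)]+)\)", parsed["summary"].get("drop-reason", ""))
    return m.group(1) if m else None


def interface_acl_evaluated(parsed: dict) -> bool:
    """True when an ACCESS-LIST phase carries an access-group line in its Config.
    Assumption: that is how packet-tracer renders an interface ACL phase, as opposed
    to the implicit MAC rule seen in the quoted output."""
    return any(p["type"] == "ACCESS-LIST" and any(c.startswith("access-group") for c in p["config"])
               for p in parsed["phases"])


if __name__ == "__main__":
    parsed = parse_packet_tracer(SAMPLE)
    print([p["type"] for p in parsed["phases"]], parsed["summary"]["action"], drop_code(parsed))
    print("interface ACL reached:", interface_acl_evaluated(parsed))
```

Fed the quoted trace, the parser reports three phases (CAPTURE, ACCESS-LIST, ROUTE-LOOKUP), an action of drop with code nat-no-xlate-to-pat-pool, and no interface ACL phase, which matches the ordering Jon describes: the NAT lookup fails first, so the ACL is never consulted.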
WLC web authentication ACL to allow internet surfing only
Hi forumers'
I would like to restrict web authentication users from accessing my other network devices. Web authentication users can only go to the internet, that's all.
according to my attachment, am i writing the right ACL syntax and apply this at the web authentication interface?
i also try on this ACL at my core switch but seem not success.
ip access-list extended ACL-VLAN-20
permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
int vlan 20
ip access-group ACL-VLAN-20 in
any problem with it?
well, as long as it can block web authentication users so they only go to the internet then it serves my purpose
thanks
Noel
This should work
deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31 (deny all IP traffic from guest to internal)
permit udp 172.16.20.0 0.0.0.255 any eq 53 (or list the specific servers you want them to use)
permit tcp 172.16.20.0 0.0.0.255 any eq 80 (allows HTTP but only outside as the deny stops internal)
permit tcp 172.16.20.0 0.0.0.255 any eq 443 (allows HTTPS but only outside as the deny stops internal)
but you need to add a permit for UDP 53, so that the client can talk to DNS as well, as added above. I also put the deny for access to the internal resources higher in the list, otherwise they are allowed to access your internal HTTP/HTTPS servers. If you want to allow that, it's better to permit the explicit servers.
You don't necessarily need to allow the 1.1.1.1 and 2.1.1.1, assuming one of these is your virtual interface address.
When you do the ACL on the WLC, you need to do the inverse ACL as well. So you need to allow the 172.16.20.0 and the any to 172.16.20.0.
But I'd recommend that you put the ACL on the L3, that way it's easily visible to all the network engineers in case there are issues.
HTH,
Steve -
ACL to secure SNMP - I need help on this please
Hi,
I have added the following standard ACL to my router to limit SNMP access only to my Ciscoworks LMS server or SNMP server, but I don't know if I need to enforce it with an access group or not? I believe that I need to but I am not sure how.
access-list 90 permit host 10.1.1.139
access-list 90 deny any log
snmp-server community XXXXXXX ro 90
please help me understand the need for the access-group and if I need it, would it be something like this:
access-group 90 in
applied to ether Interface?
this is my Internal gateway router. all of the users have the ether0 address of this router as their default gateway.
Thx,
Masood
I believe that Masood starts from a valid understanding of an important principle of access lists: after you create an access list you must assign it (creating an access list without assigning it does not affect any traffic). If you want the access list to filter packets on an interface you use the access-group command to assign the access list to the interface.
And Tim is correct that to use an access list to control SNMP access to the router all you need to do is to add the access list number on the command that defines the community string. This is the assignment of the access list. So Masood does not need to take any additional action.
HTH
Rick -
SFE2000 & ACL to stop VLAN traffic
Hi All,
I have setup a new SFE2000 switch to work in Layer 3 mode using the IP address 192.168.100.254 on VLAN 1
Additional VLAN's are:
VLAN2 192.168.102.x To be used for guest wireless access
VLAN3 192.168.103.x
VLAN4 192.168.104.x
I would like VLAN1, 2, 3 and 4 to be able to communicate with each other while VLAN2 (Guest) needs to be restricted from everything except web access and dhcp assignment from our server.
I have been playing with various ACL's in an effort to accomplish this but so far I have drawn a blank in getting this working.
Can any one draw any light to a managed switch newbie
Thanks in advance
James
I was able to get this working with ACLs and setting a static route from the router (in my case Sonicwall TZ 180) back to the SG300 network. I have enclosed screen shots of the config from the GUI. You need to bind the ACL to whatever ports you want to filter the guest traffic, either where they would connect a hard wired connection or where you would connect your Wireless AP. The ACL I have created allows VLAN 13 to get a DHCP address and communicate through DNS but nothing else. 192.168.9.254 is the Sonicwall router which I wanted on a different VLAN.
Hope this helps others with their setup.