SG300-20: configure 1 IP per port

We have one customer who would like us to configure a system based on an SG300-20 linked up with an SG300-10SFP, using traffic shaping with ingress and egress limited to 40 Mbit.
This part of the case is solved using ingress/egress 40960 with a burst limit a bit higher.
But he also wants each firewall configured on the net to only be able to have one IP on that specific port.
This is an owner of a building that rents out to other companies. Each company is assigned a port on the SG300-20 and has their own IP (e.g. 100.100.12.34); all of them are part of a /26 net and would use the same gateway.
Is this possible?
That is, the company assigned to e.g. port 14 in switch 1 can only use 100.100.12.34/26 with gw 100.100.12.1, and if they change to 100.100.12.36 it will not work. This is to prevent the end users from changing and fu...g up the net for the rest :-)
And on port 16 on switch 1 they can only use 100.100.12.36/26 with gw 100.100.12.1.
Thanks for any input.
The switches are in layer 2 mode, but nothing is in production yet, so I can change to layer 3 if that's what it takes.
Regards,
Thomas

Hi Thomas, your concept sounds correct.
This is how this works.
Assuming your topology is this:
Internet -> Router -> Core switch (no client/customer) -> Access switch -> Client/customer
For argument's sake, your uplink from the access switch is port 18, which connects to port 18 of the core switch.
Problem statement:
On the access switch, you want a client or customer to connect to the switch using a specific MAC address and IP address and no other.
Possible solutions:
Dynamic ARP inspection statically maps an IP address to a MAC address; any connection using the same MAC but a different IP will be dropped, and any connection using the same IP but a different MAC will be dropped.
Create an access list to permit only the desired IP address on the INGRESS port and block any other traffic on that port.
Solution workflow:
Enable Dynamic ARP Inspection:
Security -> ARP Inspection -> Properties -> Enable
Enable trusted interfaces. These interfaces will allow any traffic and are not subject to your inspection list; untrusted interfaces are subject to the inspection list.
Security -> ARP Inspection -> Interface Settings -> Edit interfaces as desired
Build your inspection table:
Security -> ARP Inspection -> ARP Access Control -> Add ->
- Control name is an arbitrary value; it is a description.
- IP address is the IP you want in the database.
- MAC address is the binding to the IP address for the switch to look up in the database.
If DAI is too stringent for you, you may create an access list as an alternative solution.
Access Control -> IPv4-Based ACL -> Add
- ACL Name is what you want to call it, a description -> Apply
Next, define the access list by going to IPv4-Based ACE and clicking Add.
- Priority is an ordering system; structure your rules in the order you want the switch to look them up.
- Action: permit or deny; in your case you want permit.
- Protocol will be IP (all traffic).
- Source IP address will be your host connection, 100.100.12.34.
- Wildcard mask will be 0.0.0.0 (this is a single-host wildcard).
- Destination will be Any.
Click Apply.
Once the access list is built, it then gets bound to an interface. The interface must be the one the traffic enters, not the one it leaves.
Access Control -> ACL Binding (Port)
- Check the box for the port your customer/client connects to.
- Interface is where the customer/client connects to the switch.
- Check the box for Select IPv4-Based ACL.
- Default action is Deny Any.
- Apply
With this completed correctly, only your IP will be allowed for all traffic on that port; any other IP will not be allowed and will be discarded if it connects through that same port.
-Tom
Please mark answered for helpful posts
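As an added example (not part of the original thread, and not Cisco's code), the script below turns a per-tenant table of (switch port, IP, MAC) into the CLI equivalent of the two GUI procedures above, the per-port IPv4 ACL and the DAI binding list, and models how the switch walks the bound ACL so the "wrong IP gets dropped" claim can be checked before anything is pasted into a production switch. The /26, the gateway 100.100.12.1, ports gi14/gi16 and the two tenant IPs are taken from Thomas's question; the MAC addresses and the VLAN number are invented. The CLI keywords (ip access-list extended, service-acl input ... default-action, ip arp inspection list create/assign) are the Sx300 ones as I recall them from the CLI reference; confirm them with "?" on the firmware in use. Two caveats the GUI steps do not spell out: DAI validates only ARP packets, so it is the IP ACL that actually blocks IP traffic from a wrong source address, and the ACL is bound on ingress, so it constrains what the tenant sends, which is exactly what the building owner asked for.

```python
"""Added example: generate SG300 per-port single-IP configuration from a
binding table and model the switch's ACL decision. Addresses and ports come
from the thread; MACs, VLAN and CLI syntax are assumptions (see lead-in)."""
import ipaddress
from dataclasses import dataclass

TENANT_NET = ipaddress.ip_network("100.100.12.0/26")  # from the question
GATEWAY = ipaddress.ip_address("100.100.12.1")        # from the question
UPLINK_PORT = "gigabitethernet18"                     # Tom's example uplink
TENANT_VLAN = 1                                       # assumption: L2 mode, default VLAN


@dataclass(frozen=True)
class Tenant:
    port: str   # access-switch port, e.g. "gigabitethernet14"
    ip: str     # the only source IP allowed on that port
    mac: str    # the only MAC allowed to ARP for that IP (constructed value)


# Constructed binding table: ports/IPs from the thread, MACs made up.
TENANTS = [
    Tenant("gigabitethernet14", "100.100.12.34", "00:11:22:aa:bb:14"),
    Tenant("gigabitethernet16", "100.100.12.36", "00:11:22:aa:bb:16"),
]


def table_problems(tenants):
    """Return reasons the binding table is unsafe (empty list = OK): an address
    outside the /26, the gateway/network/broadcast address, or one IP handed
    to two ports (two tenants would clash regardless of the ACLs)."""
    problems, seen = [], {}
    unusable = {GATEWAY, TENANT_NET.network_address, TENANT_NET.broadcast_address}
    for t in tenants:
        ip = ipaddress.ip_address(t.ip)
        if ip not in TENANT_NET or ip in unusable:
            problems.append(f"{t.ip} on {t.port}: not a usable tenant address in {TENANT_NET}")
        if ip in seen:
            problems.append(f"{t.ip}: assigned to both {seen[ip]} and {t.port}")
        seen.setdefault(ip, t.port)
    return problems


def acl_config(t):
    """CLI twin of Tom's GUI steps: one permit ACE for the tenant host (wildcard
    0.0.0.0 = every bit must match), bound on INGRESS of the tenant port with
    default-action deny-any. No explicit deny ACE is needed; the default action
    catches everything the permit does not match."""
    name = "ACL_" + t.port.replace("gigabitethernet", "GI")
    return "\n".join([
        f"ip access-list extended {name}",
        f" permit ip {t.ip} 0.0.0.0 any",
        "exit",
        f"interface {t.port}",
        f" service-acl input {name} default-action deny-any",
        "exit",
    ])


def dai_config(tenants, vlan=TENANT_VLAN):
    """Dynamic ARP Inspection with a static IP<->MAC list on the tenant VLAN.
    Only the uplink is trusted; tenant ports stay untrusted so their ARP packets
    are checked against the list. DAI inspects ARP only; the IP ACL above is
    what stops IP traffic from a wrong source address."""
    lines = ["ip arp inspection", f"ip arp inspection vlan {vlan}",
             "ip arp inspection list create TENANTS"]
    lines += [f" ip {t.ip} mac {t.mac}" for t in tenants]
    lines += ["exit", f"ip arp inspection list assign {vlan} TENANTS",
              f"interface {UPLINK_PORT}", " ip arp inspection trust", "exit"]
    return "\n".join(lines)


def wildcard_match(addr, rule_addr, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    0.0.0.0 therefore matches exactly one host; 0.0.0.63 would match the /26."""
    a, r, w = (int(ipaddress.ip_address(x)) for x in (addr, rule_addr, wildcard))
    return (a | w) == (r | w)


def evaluate(acl_text, src_ip):
    """Model the decision for a packet entering the bound port: ACEs are walked
    in order and the first match wins; if none matches, the default-action on
    the service-acl line decides."""
    default = "deny"
    for raw in acl_text.splitlines():
        tok = raw.split()
        if tok and tok[0] in ("permit", "deny"):
            if tok[2] == "any" or wildcard_match(src_ip, tok[2], tok[3]):
                return tok[0]
        elif tok and tok[0] == "service-acl":
            default = "permit" if "permit-any" in tok else "deny"
    return default


if __name__ == "__main__":
    assert not table_problems(TENANTS), table_problems(TENANTS)
    print(dai_config(TENANTS))
    for t in TENANTS:
        print(acl_config(t))
    # Tenant on gi14 changes to .36: the ACL bound on gi14 drops the traffic.
    print(evaluate(acl_config(TENANTS[0]), "100.100.12.36"))  # deny
```

The evaluate() model also shows the one GUI mistake that silently undoes the whole scheme: if the binding's default action is left at Permit Any instead of Deny Any, the single permit ACE still matches the tenant's own address, but every other source address falls through to the default and is forwarded.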

Similar Messages

  • Can't configure both WAN ports on 1811 with SDM

    Hi,
    We recently procured an 1811 router to replace a SOHO linksys at a store we service. We needed redundant WAN interfaces to use the DSL as a backup to the main cable connection, and a Linksys RV082, while doing the job when it actually worked, died repeatedly. We decided after looking at the 1811's feature set to just get the Cisco and be done with it and not monkey with SOHO gear anymore.
    Where I'm having difficulty is SDM won't let me configure both WAN interfaces from the GUI, it only allows me to configure one. I have it configured, and the router is working nicely in the test lab but I need to get that other interface configured and failover enabled before I can put this thing into production.
    What am I doing wrong? Do I need to suck it up and learn IOS?
    Thanks,
    Todd Phipps
    Certco, Inc.

    I ended up figuring out the IOS commands to enable one fastethernet port as a primary and the other one as a backup (running both cable and DSL for redundancy; it's a grocery store that runs electronic transactions over IP so 100% availability is a must).
    The trouble I was running into in SDM is that while it would allow me to configure one WAN port through the GUI, the config options for the second one were grayed out. Now that both are configured through IOS the edit buttons for both WAN interfaces appear normally in SDM. It's almost as if Cisco didn't want users to be able to configure both interfaces graphically for initial setup.
    Now just to test it at the site before the store opens to see if the failover works...
    Todd

  • Can you configure a static port to use with certsrv.msc?

    I am trying to use certsrv.msc to connect from my workstation to the CA for administration purposes.  Workstation is Win7, CA is 2008 R2 Enterprise running Enterprise Subordinate on a dedicated box.
    I configured a static DCOM port for certsvc by following this article, including bouncing the service and also rebooting the CA box:
    http://social.technet.microsoft.com/wiki/contents/articles/1559.how-to-configure-a-static-dcom-port-for-ad-cs.aspx
    The static port was opened in the firewall from my workstation to the CA. We also found that TCP 445 was required, so that has been opened as well; port 135 and the other ports normally needed for autoenrollment should be open. Sniffing the firewall showed that a random high-numbered port that is not the static DCOM port is being attempted; this is the only port showing dropped packets, and there is no traffic on the static port.
    I am wondering if there is a way to configure a static port for this high-level random port to use with certsrv.msc, as I was able to do with the certsvc DCOM port? I am trying to avoid having tens of thousands of network ports wide open going to my CA... Thanks in advance!

    Hi Steve,
    I am sorry that I wasn't able to find references about restricting Certificate Services to only one port in the random port range.
    However, we can configure RPC dynamic port allocation to restrict the port range. In the meantime, we should keep at least 100 ports open to keep the necessary system services running.
    More information for you:
    How to configure RPC dynamic port allocation to work with firewalls
    http://support.microsoft.com/kb/154596/en-us
    Service overview and network port requirements for Windows
    http://support.microsoft.com/kb/832017/en-au
    Firewall Rules for Active Directory Certificate Services
    http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx
    Best Regards,
    Amy Wang

  • How to configure the eth1 port of NIcRIO 9024 to another IP address and subnet mask

    Hi ,
    I am using a cRIO 9024 and am planning to configure it to be an MMS server that interacts with a client which is in another network with a different IP and subnet mask. I want to run the server VIs from the host computer via the eth0 port and want to communicate the MMS messages through the eth1 port. The eth0 port is configured with a static IP as shown in the screenshot attached, and I would like to assign a separate IP and subnet mask to the other port. But when I try to save the configuration I get the error "Could not save your changes to the target. The subnet mask for eth1 is invalid".
    I have already directly cross-connected the cRIO and have disabled the firewalls, and still am not able to configure it.
    1) Is it possible to configure the Ethernet ports to have separate IPs corresponding to different networks, and thus different subnet masks?
    2) If it's possible, then what mistake am I making while configuring it?
    I would be extremely grateful to have a reply on this, as it's pretty desperate to spend a lot of time just to set up the IP configuration!
    Regards
    Abhinav

    Dear Abhinav,
    I'm sorry, but what you are trying to do is not supported by the second Ethernet port on any cRIO, and so you are getting this error message.
    Here is an abstract out of the KnowledgeBase article How do I Configure the Dual Ethernet Ports on Real-Time Controllers?:
    Ethernet port 2 is currently not supported to communicate outside its own subnet. There is no capability of configuring the default gateway for Ethernet port 2, and therefore it cannot connect to a large isolated intranet. However, there appears to be a common misconception that this port can only be used for communication between NI products: this is not the case, though any communication through the secondary port must be within the same subnet.
    Kind Regards,
    SG3 | Applications Engineering | National Instruments | NIG |

  • PLEASE I JUST NEED TO CONFIGURE TO OPEN PORT 22

    Very sorry for the redundant post. I am in a desperate situation where the RAID on my NAS has been lost and I need remote tech analysis ASAP.
    Can anyone out there please help me configure it so that port 22 is open?
    I have a Thecus N5200 and a brand new AirPort Extreme.

    bevatore wrote:
    Do I use the same Private IP address or do I use the Remote Management IP from Sharing in the computer's Preferences.
    The "Remote Management" IP address should be the LAN IP address that your router gives to your computer. That should be the same as a "private IP address".
    Also, do I need to configure a DHCP reservation for this IP in AirPort Utility?
    If you don't do that, the IP address of your computer could change between restarts, causing the mapping to fail. If you only have one wireless client, that's probably unlikely. However, reserving an IP address will guarantee that your computer always has the same IP address.

  • Change/Configure Host and Port for the Web Service Proxy with Server

    Hi,
    Is there a way to configure the host and port in a generated proxy for a web service depending on the server? (ADF 11g)
    Scenario:
    We are consuming a credit card web service from a service provider and have different host and port details for development, QA and Prod.
    So we created proxy classes using the WSDL for development and things work fine, but when deploying code to QA or Prod we need to change the host and port details.
    Is there a way we could use variables for host and port which look to some configuration file to evaluate their values based on the server?
    I am a bit new to web services; I will appreciate it if someone could provide an example.
    Thanks.

    Are you using Web Service Proxy or Web Service Data Control?
    If you are using Web Service Proxy: right-click on your proxy --> Properties --> Port Endpoints. Here you can change the IP and port details for each port.
    Venkat

  • Can't configure tacacs-server port

    We're unable to configure a specific port, which is required by our customer for the tacacs-server. One of the devices is a 7604 router running this image: c7600rsp72043-adventerprisek9-mz.122-33.SRD6.bin. The other device is a 2960 switch with the following image: c2960-lanbasek9-mz.122-35.SE5.bin.
    We don't get the option to add a port after the "tacacs-server host x.x.x.x" command.
    Any ideas would be greatly appreciated!
    Regards..

    Hi
    Please go through this link; it will be helpful regarding TACACS authentication and Fortigate configuration:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

  • Configuring a Monitoring Port

    What is the correct configuration on the switch side (Nexus 5K) when configuring a monitoring port from the FIs?

    You don't have to... Just put a 1GbE SFP in the FI, plug your laptop into it and start a monitor session.
    Regards,
    Daniel

  • Configuring additional server ports

    Hi, if I'm using 2 server ports per chassis and wish to add another 2, besides plugging in the cables and setting the ports on the interconnect to "Configure as Server Port", is there anything else that is needed, and is there any disruption to traffic?

    Hello David,
    Re-acknowledging the chassis does not reboot the blades. The links between IOM and FI are flapped and are included to carry traffic between blades and FI.
    --->>> What about changing from individual links to a port-channel? Will this require a re-acknowledgement as well?
    [Padma] Depends upon where we make the change.
    If you change it under Equipment > Policies, you need to manually re-acknowledge the chassis for the links to form a port-channel.
    If the global policy is set to None for "Link Grouping Preference" and we are changing the policy for a specific chassis (Equipment > Chassis X > Connectivity Policy) to port-channel, then this configuration change automatically re-acknowledges the chassis. You will get a warning before saving the changes.
    Fabric port channel is available when you have the FI 62XX / IOM 220X / UCSM 2.0 hardware/software combination.
    --->>> Using individual links, what method does the FI use for sending traffic down one link as opposed to another?
    [Padma] When using individual links between IOM and FI, traffic is distributed according to a pre-defined configuration based on the number of physical links.
    Supported physical links are 1, 2, 4 and 8.
    Let me know your hardware model and the current number of links used between IOM and FI.
    Padma

  • SG300-20 - Configure DHCP on VLAN interface

    I have been reading the various related discussions on the SG300 and SG500 switches regarding setting up VLANs and DHCP on those VLANs. For whatever reason I have been unable to even get this simple task to work.
    First thing I did was to update my firmware and boot version as follows:
    SW version    1.3.7.18 ( date  12-Jan-2014 time  18:02:59 )
    Boot version    1.3.5.06 ( date  21-Jul-2013 time  15:12:10 )
    HW version    V02
    When I reloaded the SG300 after the SW/boot updates, the startup config was wiped out and I had to set up my switch from scratch. The intent is to have two VLANs:
    VLAN 1: all devices, servers, etc.
    VLAN 2: basic subnet that hands out DHCP addresses
    The SG300-20 is connected to an Asus RT-AC66U router on the 192.168.1.x subnet and provides internal network access and WiFi access (router IP address is 192.168.1.1 and is default gateway).  All that works with no issues.  So my task is simply to create VLAN 2 on 192.168.2.x subnet and use DHCP to allocate addresses.  I have spent many hours on this and I still can't get it to work.  When I connect a laptop to the port (GI8) assigned to VLAN 2, I end up getting some wonky 169.254.x.x address.  I certainly thought something this "easy" wouldn't be that hard to setup, but apparently I was wrong.
    The SG300 is running in L3 mode as shown in my running-config below.
    Does anyone happen to see something that might be preventing my laptop client from receiving IP addresses in the 192.168.2.x subnet from the VLAN 2 DHCP interface?
    Any ideas / suggestions would be greatly appreciated!
    Here's my running-config:
    config-file-header
    MYSTICSW1
    v1.3.7.18 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode router
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    vlan database
    vlan 2
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    bonjour interface range vlan 1
    hostname MYSTICSW1
    logging host 192.168.1.15
    logging origin-id hostname
    username cisco password encrypted b4a0fcf20b2cd9d80a55b06ab8f83277f9733904 privilege 15
    snmp-server location Office
    clock timezone " " -5
    clock summer-time web recurring usa
    clock source sntp
    sntp unicast client enable
    sntp unicast client poll
    sntp server 192.168.1.10 poll
    interface vlan 1
    ip address 192.168.1.254 255.255.255.0
    no ip address dhcp
    interface vlan 2
    name MysticWAN
    ip address 192.168.2.254 255.255.255.0
    interface gigabitethernet8
    switchport mode access
    switchport access vlan 2
    exit
    ip default-gateway 192.168.1.1
    Thanks in advance!
    Clint Lambert

    Tom,
    Thanks ... I followed the steps you outlined and it worked! The only difference being that I have an Asus RT-AC66U router and there is no "enable multiple subnet" option. So, I just followed your instructions on creating the static routes in the RT-AC66U and everything worked. The DHCP addresses were correct and I had internet connectivity when I plugged a laptop into the gi8 port.
    I did make one tweak to the Network Pools screen as follows:
    My DHCP configuration for gi8 on VLAN 2 now looks like:
    ip dhcp server
    ip dhcp pool network InternalWAN
    address low 192.168.2.1 high 192.168.2.99 255.255.255.0
    lease infinite
    domain-name MYSTIC
    default-router 192.168.2.254
    dns-server 8.8.8.8
    Previously I had followed your advice in the article "Need help configuring SG300-10 switch" and had setup everything using CLI.  However, I didn't think about needing the static routes.  So, I think it was probably setup correctly beforehand but had no chance to work because the routes were not setup.
    Thanks very much for your help!
    Clint

  • How do I configure the USB port on a DrayTek Vigor 2820n router for use with my iMac

    I have an iMac connected to the internet through a DrayTek Vigor 2820n router. This router has a USB port with an HP Deskjet 5560 printer attached (for use as a network printer for other machines on the network). How do I configure this printer on the iMac?

    I checked on the HP website. Your answer is on the HP website under your printer type. Update your drivers and follow the instructions given by HP, and the printer will work as you have it connected.
    Good Luck

  • Is there ANY way to configure the wired ports on Airport Extreme with 7.6.1 software?

    I need to connect a Cisco router to one of the wired ports because I'm creating a home lab with several switches and routers and attached hosts. I need the VERY BASIC ability to set (or even just to SEE) what IP address the AirPort is using/assigning, but with the current AirPort Utility, you apparently can't show the DHCP table for wired connections or set up a static pool of addresses to use or really, to do anything else that is ABSOLUTELY BASIC networking configurations for a router. I don't even know what range of IP addresses the AirPort is using for the wired ports.
    I love this device - it works much better than my old Linksys that I replaced a couple of years ago, but this is the Apple Nannies taking things too far. Sure, make the products easy to configure and use, but stop taking away the ability for advanced users to actually use the product, because all you're doing is ******* off your power users - which are the exact people whose friends always ask for recommendations on what products to buy. I've always recommended Apple products to everyone, but if they're going to engineer everything so that only stupid people can use them, then only stupid people will buy (and recommend) them. (Can you tell I'm annoyed that I've wasted so much time on a completely unnecessary and irrelevant side issue when I should already be working on my actual work project?)
    /Rant-off
    So, does anyone know how to access the actual configuration of the AirPort Extreme so I can use a static IP address for my Cisco router that's plugged into one of the AirPort's wired ports? That's all I need.
    Thanks.

    The AirPort assigns IP addresses via DHCP in a range you specify. You may also elect to assign devices their own static IP addresses. That does not involve the Extreme at all, though you may "reserve" those addresses in its DHCP Reservations table.
    AirPort Utility > Network > Network Options...
    Assigning static IP addresses obviates any need to determine the IP addresses the Extreme assigns.
    Update its firmware to version 7.6.3.

  • Can I configure each Ethernet port to fixed and auto IP addresses?

    Hi, I will be using an SSL Matrix controller with Logic 9. This connects through Ethernet and requires a FIXED address. However, this Mac also needs to connect to the internet, which doesn't use a fixed address. Can I keep port one the way it is, configure port two as fixed, and have them both work properly? Are they completely independent of each other?
    Thx

    Do you use a Router that you control?
    If so, you can have fixed addresses easily -- just assign an address Manually that is in the same range, but above or below the ones your Router is likely to pass out automatically.
    You can also assign a manual address to the second Ethernet port, but using it this way is complex. What does the device maker recommend?

  • Can Keyboard be configured to a port?

    Can we configure a keyboard to a port and use a socket program to read data from that port?

    Please... this is not an elaboration of your requirement!

  • Determine NIF port used by VIF when configured in a port-channel

    I have recently just watched an excellent Cisco Live video on UCS performance troubleshooting which demonstrated how to trace network traffic within Cisco UCS. The speaker made a comment though, in order to determine which NIF is used by a VIF when port-channels are used between the FEX and FI there are different commands to run. Have to review the hash result or something he said. Unfortunately he never went into what these commands were.
    So when we have veths pinned to port-channels instead of HIFs and NIFs, what commands will show which path is being used?

    Duplicate of https://supportforums.cisco.com/discussion/12313436/determine-nif-port-used-vif-when-configured-port-channel
