SG300 - ip address restricted to specific port??

I have just set up an SG300 with protected ports so that different ports cannot see the traffic on other ports. Now I am being asked to restrict specific ports to using only specific IP addresses. Is this possible with this switch?
Each port will need to allow several (5-6) addresses.
Thanks,
TonyT

ACL might work. Here are more details:
We provide off-site mirrored storage for about a dozen customers. Each one provides their own firewall and VPN equipment. Each customer has use of one protected port on the SG300 connected to their equipment.
We have a class-C IP range and we tell each customer what IP addresses they can use. For example, Joe can use .8-.15, Bob can use .16-.23, etc.
We want to protect Joe should Bob fat-finger an address and end up using .9 (intending .19) while Joe is already using .9. We want only Bob to get errors and not Joe.
Can it be done on an SG300?
Tx,
TonyT

Similar Messages

  • WRT54G: How do I limit access to specific ports, only to local IP's

    Using a WRT54G with Windows XP, and I've set up a web server that I'm still testing. Until I understand the security better, I want to limit access from outside IPs to the port that it's running on, but NOT limit access from the outside to services running on other ports. Is there a way to block a range of IP addresses (or conversely, only permit access for a limited range of IP addresses) to a specific port? So for example (assuming the server's on port 99, and the IP address to the outside world is 99.99.99.99): Port 99: Blocked IP Range: 0.0.0.0-99.99.99.98 and 99.99.99.100-255.255.255.255, OR Port 99: Allowed IP Range: 99.99.99.99. Alternatively, I would be interested to permit access to the web server port only for certain MAC addresses. Is this pretty secure, and if so, how can this be done? I've poked around the router settings and spent a good deal of time researching this; any help would be greatly appreciated...

    Why do you want to block IP addresses:  "IP Range: 0.0.0.0-99.99.99.98, and 99.99.99.100-255.255.255.255" ?   This is everybody on the web, except your router!    If you really want to block all these people, just unplug your router from your Internet connection.  That is a block that cannot be hacked!
    Normally a server is assigned a fixed LAN IP address.  This address must be outside the DHCP server range of your router, and it cannot end in 0, 1, or 255.
    Next you forward a port (for example, 99) to the server's fixed LAN IP address.
    Data arriving at the Internet port of your WRT54G for port 99 will then be forwarded to your server.  If you have other Internet services (i.e. server B) running on port 1297, then data that arrives at the Internet port of your WRT54G for port 1297 will be directed to server B.   Assuming that you only have port 99 and port 1297 open, then any other unrequested data (for any other port) that arrives at the Internet port of your WRT54G will simply be ignored (and thereby blocked).    If you connect another computer to a LAN port of the WRT54G, connect to the Internet, and request data, then when that data arrives at the Internet port of the WRT54G, it will be allowed to pass, and it will be routed to your computer.
    In summary, by default, all router ports are closed.  The only way to get data through the router is either to open a port (using port forwarding, or alternatively, the UPnP function), or for someone (or some program) on the LAN to request data from the web.
    The router cannot limit the use of a port by MAC address.    When you open a port on your router, you are opening your server to invasion from anyone on the Internet.  So, your server must be set up to protect itself.   Rather than limiting server use by MAC address (which can be faked), your server should be set up to require a user name and password.

  • Getting this message when trying to access our cameras, how to fix? This address is restricted This address uses a network port which is normally...

    Just installed Firefox for my boss, and ran into something I've not seen before. When trying to access our private camera system, that uses specific ports, I got this message: "This address is restricted - This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection."
    Cannot find a setting in Firefox to correct this problem. Please help.

    Hello,
    Can you please check if either of these links help in the resolution of the issue
    1. Firefox ports override: http://kb.mozillazine.org/Network.security.ports.banned.override
    2. Remove Firefox "this address is restricted" error: http://blog.christoffer.me/post/2012-02-20-how-to-remove-firefoxs-this-address-is-restricted/
    Thank you

  • Port-security MAC address restrictions and flexconnect

    Hi - has anyone else seen this issue?
    We use port-security on flexconnect ports limiting the maximum mac addresses to 100. The ports are configured so that the native vlan is the AP management vlan and we tag the wireless client vlan.
    Recently we had an issue where we were seeing MAC address restriction violations on the ports connected to APs. Although we could not see the violations happen in real time, they were in the switch logs. In Cisco Prime we checked the client counts on the APs and they were less than 10 at the time the error occurred.
    We then increased the max mac addresses to 200 and still saw the same issue. Removing port-security seemed to fix the problem.
    This was the model and version of the switches.
    WS-C2960X-24PS-L   15.0(2)EX4            C2960X-UNIVERSALK9-M
    Has anyone else had this? 
    Any help much appreciated.

  • SG300-20 configure 1 ip pr port

    We got 1 customer that would like us to configure a system based on an SG300-20 linked up with an SG300-10SFP, using traffic shaping with ingress and egress limited to 40 Mbit.
    This part of the case is solved using ingress/egress 40960 with a burst limit a bit higher.
    But he also wants each firewall configured on the net to only be able to have 1 IP on that specific port.
    This is an owner of a building that rents out to other companies. Each company is assigned a port on the SG300-20 and has their own IP (i.e. 100.100.12.34); all of them are part of a /26 net and would use the same gateway.
    Is this possible?
    That the company assigned to, say, port 14 in switch 1 can only use 100.100.12.34/26 with gw 100.100.12.1, and if they change to 100.100.12.36 it will not work. This is to prevent the end users from changing and fu...g up the net for the rest :-)
    And on port 16 on switch 1 they can only use 100.100.12.36/26 with gw 100.100.12.1.
    Thanks for any input.
    The switches are in layer 2 mode, but nothing is in production yet so I can change to layer 3 if that's what it takes.
    Regards,
    Thomas

    Hi Thomas, your concept sounds correct.
    This is how this works.
    Assuming your topology is this:
    Internet -> Router -> Core switch (no client/customer) -> Access switch -> Client/customer
    For argument's sake, your uplink from the access switch is port 18, which connects to port 18 of the core switch.
    Problem statement:
    On the access switch, your desire is to have a client or customer connect to the switch using a specific MAC address and IP address and no other.
    Possible solutions:
    Dynamic ARP inspection statically maps an IP address to a MAC address; any connection using the same MAC but a different IP will be dropped, and any connection using the same IP but a different MAC will be dropped.
    Create an access list to permit only the desired IP address on the INGRESS port and block any other traffic to that port.
    Solution work flow:
    Enable dynamic ARP inspection
    Security -> ARP Inspection -> Properties -> Enable
    Enable trusted interfaces - these interfaces will allow any traffic and are not subject to your inspection list. Untrusted interfaces are subject to the inspection list.
    Security -> ARP Inspection -> Interface Settings -> Edit interfaces as desired
    Build your inspection table
    Security -> ARP Inspection -> ARP Access Control -> Add ->
    -Control name is an arbitrary value, it is a description
    -IP address is the IP you want in the database
    -MAC address is the binding to the IP address for the switch to look up in the database
    If DAI is too stringent for you, you may create an access list as an alternative solution
    Access Control -> IPV4-Based ACL -> Add
    -ACL Name is what you want to call it, a description -> Apply
    Next define the access list by going to IPV4-Based ACE and clicking Add
    -Priority is an ordering system; you should structure your rules in the order in which the switch should look them up
    -Action permit or deny; in your case you want to permit
    -Protocol will be IP (all traffic)
    -Source IP address will be your host connection 100.100.12.34
    -Wildcard mask will be 0.0.0.0 (this is a single-host wildcard)
    -Destination will be Any
    Click Apply
    Once the access list is built, it then gets bound to an interface. The interface must be the one the traffic comes into, not the one it leaves from.
    Access Control -> ACL Binding (Port)
    -Check the box for the port your customer/client connects to
    -Interface is where the customer/client connects to the switch
    -Check the box for Select IPV4-Based ACL
    -Default action is Deny Any
    -Apply
    With this completed correctly, only your IP will be able to connect through that port for all traffic; any other IP will not be allowed, and its traffic will be discarded if it tries to connect through that same port.
    -Tom
    Please mark answered for helpful posts
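    As an added illustration (not code from this thread, from Cisco, or from the SG300 itself), the following Python models the per-port ingress ACL Tom describes, generalised from his single-host ACE (wildcard 0.0.0.0) to the blocks TonyT hands out (Joe .8-.15, Bob .16-.23), with the default action Deny Any. The 192.0.2.0/24 range, the port names gi1/gi2 and the customer names are constructed stand-ins.

```python
# Added example: wildcard-mask ACE matching as an SG300 IPv4-based ACL applies it,
# one ACL per customer port, unmatched traffic hitting the default Deny Any.
import ipaddress

NET = ipaddress.ip_network("192.0.2.0/24")  # constructed stand-in for the class C


def ace_for_range(first: int, last: int):
    """Return (source, wildcard) covering host offsets first..last of NET.
    Only an aligned power-of-two block fits a single wildcard-mask ACE;
    anything else needs several ACEs, so it is rejected here."""
    size = last - first + 1
    if size & (size - 1) or first % size:
        raise ValueError("range is not an aligned power-of-two block")
    source = NET.network_address + first
    wildcard = ipaddress.ip_address(size - 1)  # 0.0.0.7 for a block of 8 hosts
    return source, wildcard


def matches(src, ace) -> bool:
    """Classic wildcard match: bits set in the wildcard are 'don't care'."""
    source, wildcard = ace
    care = 0xFFFFFFFF ^ int(wildcard)
    return (int(src) & care) == (int(source) & care)


# Per-port ACL as a list of permit ACEs (constructed port names)
PORT_ACL = {
    "gi1": [ace_for_range(8, 15)],   # Joe's port: .8-.15
    "gi2": [ace_for_range(16, 23)],  # Bob's port: .16-.23
}


def ingress_allowed(port: str, src_ip: str) -> bool:
    """True if some permit ACE matches; otherwise the default Deny Any applies."""
    src = ipaddress.ip_address(src_ip)
    return any(matches(src, ace) for ace in PORT_ACL[port])


def ace_text(port: str) -> list:
    """Render the ACEs as source/wildcard pairs, the form the ACE dialog takes."""
    return [f"permit ip {s} {w} any" for s, w in PORT_ACL[port]]


if __name__ == "__main__":
    print(ace_text("gi1"))
    print(ingress_allowed("gi1", "192.0.2.9"))  # Joe using .9 on his port
    print(ingress_allowed("gi2", "192.0.2.9"))  # Bob fat-fingers .9 on his port
```

    Bob's mistyped .9 is dropped at his own port while Joe's .9 is untouched, which is exactly the isolation TonyT asked for; note that this checks IP headers only, so the DAI binding Tom describes is still what ties an address to a MAC.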

  • Network ACL for two specific ports

    As far as I can tell there is no way to set Network ACLs such that only two specific ports are available. I'm using Oracle 11gR2.
    I'd like an HTTP port and an SMTP port open for the local loopback address. These are ports 7777 and 25. It's my understanding that you can have only one ACL per host. While it seems you can create more, any additional ACLs for the same host don't always work as expected. So does anyone have any advice as to how I can do this? I'd rather not have every port between 25 and 7777 available, but this is what I currently have...
    BEGIN
      DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
        acl        => 'local_loopback.xml',
        host       => '127.0.0.1',
        lower_port => 25,
        upper_port => 7777
      );
    END;
    /

    Billy Verreynne wrote:
    >> As far as I can tell there is no way to set Network ACLs such that only two specific ports are available. I'm using Oracle 11gR2.
    > Not so in my experience. An ACL can be for a specific target, but contain multiple ports for that target.
    > E.g. I assign ports 80, 7777, 8080, and a few others, in a single web-acl.xml, to a network target (host or domain).
    > Read the usage notes in Oracle® Database PL/SQL Packages and Types Reference.
    Thanks, I'll try that. I think we had problems in the past with separate ACLs containing rules for the same host; the response we got back from support was not to do that. This way didn't occur to me.

  • Show mac command...to tell me the MAC adress of a specific port - Linksys SGE 2010

    Hello together,
    We are using a Linksys SGE 2010 in our small business. I would like to know which device (MAC address) is behind a specific port. Does the switch have this function? I can't type commands, because the SSH or telnet interface is a menu (see screenshot). I want to document which PC is on which port, therefore I need the MAC behind every specific port.
    Thank You in advance.
    Kind regards,
    Manuel Zeiler

    Manuel
    Try this forum where they have experience with your switches -
    https://supportforums.cisco.com/community/5976/small-business-switches
    you should be able to move this post there.
    Jon

  • Using manual IP address only for specific networks

    For my home network I use DHCP with manual address because I have to forward some ports specifically to my computer. However this causes problems when connecting to other networks. For some reason this setting stays active even when using other networks. Therefore, I can't connect to say my school network because the setting has to be set to plain DHCP. Is there a way to use manual IP address only for specific networks?

    System Preferences > Network > Locations and add a location for your home with its manual settings. Add a location for other DHCP locations. Then when you want to connect at another DHCP location select that location from your locations dropdown.

  • Open IP to on specific port

    Hi!
    I have one internal IP and two external IP addresses. I want to use one address for allowing mail to my server and one address for sending mails to mobile phones.
    I am not sure about how the NAT should look. The ACL is no problem since I have two public addresses.
    How do I NAT specific ports for specific addresses?
    10.1.1.2 should be NATted to 15.15.15.15 port 34
    10.1.1.2 should be NATted to 15.15.15.16 port 443
    /Lajja

    Hello,
    If you are running version 8.3 or above, you can apply the following commands:
    object network obj-10.1.1.2.34
     host 10.1.1.2
     nat (Inside,Outside) static 15.15.15.15 service tcp 34 34
    object network obj-10.1.1.2.443
     host 10.1.1.2
     nat (Inside,Outside) static 15.15.15.16 service tcp 443 443
    If you are running version 8.2 or less, you will need to apply the following commands:
    static (Inside,Outside) tcp 15.15.15.15 34 10.1.1.2 34
    static (Inside,Outside) tcp 15.15.15.16 443 10.1.1.2 443
    Let me know how it goes.

  • Cisco WLC2125 Reporting Traps to a specific port

    Hi all,
    I am currently looking into reporting options for my Cisco WLC2125. From what I can see, I have two options, SNMP or Syslog; however, I would like to assign either Syslog or SNMP traffic to a specific port on the controller.
    The reason is that I want to keep this traffic separate from my wireless network.
    My knowledge of controllers (and syslog and SNMP for that matter) is limited, but I can enter IP addresses for the servers; however, I cannot see how to assign this traffic to a specific port.
    Is this possible? If so how?
    Many Thanks,
    -c

    No, it's not possible with a 2100.  Best practices say you should only have one connection from a 2100 controller to the network, so all traffic to the network would go out that port.
    https://supportforums.cisco.com/docs/DOC-11760

  • WRV200 Access Restriction on all ports for a time period?

    I have a system that needs to be restricted to only having internet access for a small window each day. I have been looking at the Access Restriction tools for this, but it looks like I would need to block each possible port with its own policy. This seems very inefficient and complex. Is there a way to make a rule that blocks ALL ports for a time period?
    Thanks!

    Under Firewall>Access Restriction when you are creating an Access Policy under Blocked Services you can select TCP, UDP, or IP. If you select IP it will block everything instead of a specific port. You will have to create a rule for each IP on your network that you do not wish to have access outside of your selected window.

  • OS X Server 3 outgoing mail relay no longer supports a specific port

    Just installed OS X Server 3 on Mavericks. All is well, but for some reason it does not allow adding a specific port for "Outgoing mail relay: mailout.isp.com:587"
    OS X Server 2 used to allow this and I used it to connect to my SMTP relay from my ISP. It does not allow port 25 connections. If you try this in OS X Server 3 it just complains with "bad formatting".
    Can anyone confirm this?

    Found another thread discussing this.
    https://discussions.apple.com/message/23544605#23544605
    Answer from there:
    You need to edit the postfix main.cf file manually with your favorite text editor:
    sudo vi /Library/Server/Mail/Config/postfix/main.cf
    find the line
    relayhost = host.example.com
    change it to
    relayhost = host.example.com:587 (or some other port)
    then do a
    sudo postfix reload
    to reload postfix configuration files
    and
    sudo postsuper -r ALL
    to retry sending the e-mails again.
    NOTE: If you open OS X Server 3 app and go to Mail -> Relay outgoing mail through ISP -> Edit the Outgoing server address will show as BLANK, this is normal, just click cancel and leave it alone.

  • E4200 v2 - cant restrict based on ports

    Another piece of bleep that proves Cisco has no real interest in the Home Network marketplace. I constantly have to reboot to maintain any speed, and the access restrictions are the WORST I have seen in ANY product. You can only restrict specific web sites; you can't restrict based on ports.
    This 'Flagship' is worse than their last generation, which wasn't much to speak of.

    Is the router of the latest firmware?
    Yesterday is history. Tomorrow is mystery. Today is a gift.

  • How to choose a specific port via Palimpsest?

    I found out today that Palimpsest Disk Utility can access remote hard drives via the SSH protocol. But I'm not running SSH on my server via port 22. How do I choose a specific port?

    galo,
    welcome to the Apple Discussions.
    You don't state which version of Keynote you're using. Keynote 3 offers an option to restart the presentation after an inactivity of x min (at least 1 min).
    Look at Document inspector on the Document tab.
    In the German version: click the white sheet in the Inspector window and, if necessary, the Document button. There you will find:
    Präsentation als Endlosschleife (loop presentation)
    Präsentation neu starten nach Inaktivität von (restart presentation after inactivity of)
    Good luck.
    If this information is useful to you, please mark it as "helpful" or "solved" using the little buttons in the titlebar of this message. Thank you.
    PowerBook G4 17", 1GB   Mac OS X (10.4.7)   iMac G5 20"; iPod 3G, iPod Shuffle, iSight

  • How do I ping a specific port (from a specific por...

    Does anyone know of any software that will allow me to measure the bandwidth/throughput/travel time/etc. of packets from a specific port to a specific port on another network? Ping gives the travel time, but doesn't allow specified ports. Iperf allows you to specify the port you connect to, but not the port you connect from. Wireshark doesn't send packets, though I think it does record traffic by port. Pathping is the same as ping in that it doesn't "do" ports, and neither does tracert (and ping/pathping/tracert traffic may well be blocked where normal traffic isn't). So, does anyone have any ideas (or is friendly with their company's network admin)?

    Llama8
    I did a quick Google and came up with this:
    http://www.elifulkerson.com/projects/tcping.php
    It seems to do the trick, but I'm not sure you can specify the source port on the pinging machine.
    It's a start though.
    Never tried this, so caveat emptor.
    banz
