Jan, 2014-03-22 11:01:32
Cisco

Cisco SG300. How to solve the problem with access and trunk ports and routing between VLANs?

Standard config:

config-file-header
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
!
exit
vlan database
vlan 1,101,102
exit
ip dhcp relay address 192.168.0.2
ip dhcp relay enable
bonjour interface range vlan 1
ip ssh server
!
interface vlan 1
 name Server
 ip address 192.168.0.1 255.255.255.0
!
interface vlan 101
 name User
 ip address 192.168.1.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 102
 name Guest
 ip address 192.168.2.1 255.255.255.0
 ip dhcp relay enable
!
interface gigabitethernet1
 description Server
 switchport access vlan 1
!
interface gigabitethernet2
 description User
 switchport access vlan 101
!
interface gigabitethernet3
 description User-Guest
 switchport trunk allowed vlan add 101,102
!
exit

GE1: DHCP server.
GE2: A regular computer connected directly to the switch by copper.
GE3: A hypervisor with virtual machines, or a Wi-Fi AP with two SSIDs with different VLAN IDs.
We arm ourselves with Advanced IP Scanner / Nmap and try to scan the network (range 192.168.0.1-192.168.3.255), first from a computer connected to the access port. We see only ourselves, the switch, broadcast, and the computers on GE3 tagged with VLAN 101.
We try to repeat the same thing from a VLAN 101 computer, but one that is behind the trunk port. We see all computers in all VLANs (1, 101, 102). The same story if we scan from a VLAN 102 computer behind the trunk port: it sees everyone. And not only can you see it, you can also touch it =) Log in via SSH, get onto a share in another VLAN. Well, that's it!
I tried hanging an ACL like this on vlan 102:

ip access-list extended "vlan102"
permit ip 192.168.2.0 0.0.0.255 any
deny ip any any

It did not help.
So, the actual question: how can the VLANs be isolated from each other, while keeping DHCP relay working and forwarding some ports from VLAN to VLAN?

1 answer(s)
throughtheether, 2014-03-22

I have not worked with Linksys equipment, but my thoughts are:
1) Access between VLANs is observed because, presumably, the SG300 routes traffic between VLANs. You can check with (Cisco IOS CLI command; in Linksys the syntax may differ):

show ip route

Why hosts in other VLANs were not reachable when connected to Gi2 (if I understood correctly) needs to be figured out separately (probably an incorrect default gateway address on the host connected to that port).
2) If you want to block all traffic from vlan 102 from entering other VLANs, try (again, assuming Cisco IOS CLI syntax):

ip access-list extended vlan102-in
 remark entries for traffic arriving from vlan 102 go here (first match wins)
ip access-list extended vlan102-out
 remark entries for traffic leaving towards vlan 102 go here
interface vlan 102
 ip access-group vlan102-in in
 ip access-group vlan102-out out
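The question's ACL (`permit ip 192.168.2.0 0.0.0.255 any` followed by `deny ip any any`) cannot isolate the guest VLAN no matter where it is bound: its first entry permits exactly the traffic the poster wants to stop, and a DHCP DISCOVER (source 0.0.0.0) falls through to the deny. The block below is an added example, not code from the question or the answer: a small first-match ACL evaluator with IOS-style semantics (entries checked in order, first match wins, implicit deny at the end) that replays the posted ACL and an editor-proposed ACL for packets arriving from VLAN 102 against constructed sample flows. The proposed entry order (DHCP exception, one forwarded port, deny to the neighbouring subnets, permit the rest) and the host 192.168.0.10:22 are assumptions made for the example; the SG300's own ACL binding commands differ from IOS `ip access-group` and are not shown here.

```python
"""Added example: first-match ACL evaluator replaying the page's ACL and an
editor-proposed inbound ACL for VLAN 102 against constructed sample flows."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None      # None = any port
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if IPv4Address(f.src) not in self.src or IPv4Address(f.dst) not in self.dst:
            return False
        if self.sport is not None and self.sport != f.sport:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


def evaluate(acl: List[Ace], f: Flow) -> Tuple[str, Optional[int]]:
    """IOS-style: first matching entry decides; (deny, None) is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.matches(f):
            return ace.action, i
    return "deny", None


def report(acl: List[Ace], flows: Dict[str, Flow]) -> Dict[str, str]:
    """Action taken for every named flow under the given ACL."""
    return {name: evaluate(acl, f)[0] for name, f in flows.items()}


ANY = IPv4Network("0.0.0.0/0")
GUEST = IPv4Network("192.168.2.0/24")     # vlan 102 from the question
SERVER = IPv4Network("192.168.0.0/24")    # vlan 1
USER = IPv4Network("192.168.1.0/24")      # vlan 101

# The ACL from the question, as posted:
#   permit ip 192.168.2.0 0.0.0.255 any
#   deny ip any any
ORIGINAL_ACL = [
    Ace("permit", "ip", GUEST, ANY),
    Ace("deny", "ip", ANY, ANY),
]

# Editor's proposal (assumption, not from the page), evaluated on packets arriving
# from guest hosts: exceptions first, then the inter-VLAN block, then everything else.
# 192.168.0.10:22 stands in for one hypothetical "forwarded port" on the server VLAN.
GUEST_IN_ACL = [
    Ace("permit", "udp", ANY, ANY, sport=68, dport=67),          # DHCP client -> relay
    Ace("permit", "tcp", GUEST, IPv4Network("192.168.0.10/32"), dport=22),
    Ace("deny", "ip", GUEST, SERVER),
    Ace("deny", "ip", GUEST, USER),
    Ace("permit", "ip", GUEST, ANY),                             # e.g. Internet
]

# Constructed sample flows from a guest host (192.168.2.50 is made up for the example).
FLOWS = {
    "smb_to_server": Flow("tcp", "192.168.2.50", "192.168.0.20", 51000, 445),
    "dhcp_discover": Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "forwarded_ssh": Flow("tcp", "192.168.2.50", "192.168.0.10", 51001, 22),
    "internet_https": Flow("tcp", "192.168.2.50", "203.0.113.9", 51002, 443),
}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("guest-in", GUEST_IN_ACL)):
        print(name, report(acl, FLOWS))
```

Under the posted ACL the SMB connection into the server VLAN is permitted by entry 0 and the DHCP DISCOVER is dropped by entry 1, the opposite of what was wanted; under the proposed ordering the SMB flow hits the deny, the DHCP and forwarded-SSH exceptions match before it, and Internet-bound traffic is still allowed. A plain ACL is stateless, so every exception must be written for the direction the packet actually travels, and the order of entries is the whole policy: check it with a table like this one before binding anything to a production SVI.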
