
Access restrictions on a GS108Ev3 ProSAFE Plus switch

ProSAFEr
Aspirant


Hello.

 

I am trying to restrict web access to a few authorized management stations on a NETGEAR ProSAFE GS108Ev3 Plus Switch. This switch has the most recent firmware (V2.06.03EN) and bootloader (V2.06.01). I have read these documents, not very helpful in this case:

I have tried everything I can imagine without any luck:

  • Access control lists: not available on the GS108Ev3 (why?).
  • Virtual LANs: setting up the default (management) VLAN 1 on some ports and another VLAN on the remaining ports does not help either, the web interface remains accessible from all ports, any VLAN. VLANs are working on this setup, workstations on VLAN 1 cannot reach workstations on VLAN 2 or vice versa; however all these workstations can access the web management interface on this switch.
  • Restriction by address pool. The web management interface can be reached from external networks, web interface is not restricted to the network where the switch has been configured.

Is there any way to restrict access to the web management interface on this switch to only a few workstations, an address pool or a VLAN?  I do not want to serve an unencrypted (HTTP only) web interface to the world.

 

Thanks.

Model: GS108Ev3|ProSafe 8 ports Gigabit Plus switch
Message 1 of 4
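A reachability check for the situation described in the post above, added here as an example (it is not from the thread or from NETGEAR): it requests the switch's plain-HTTP management page from a source address in each VLAN and flags every vantage point that gets an answer without being an authorized management station. The addresses, labels and function names are assumptions; binding a source address only selects a VLAN if the audit host has an address in it and routes accordingly, otherwise run it once per workstation with the source set to `None`.

```python
import http.client

def probe_http(mgmt_ip, port=80, source_ip=None, timeout=3.0):
    """Return the HTTP status if the management UI answers in plain HTTP, else None."""
    src = (source_ip, 0) if source_ip else None
    conn = http.client.HTTPConnection(mgmt_ip, port, timeout=timeout,
                                      source_address=src)
    try:
        conn.request("GET", "/")
        return conn.getresponse().status   # any status means the UI is reachable
    except (OSError, http.client.HTTPException):
        return None                        # refused, timed out, or not HTTP
    finally:
        conn.close()

def audit(mgmt_ip, vantage_points, authorized, port=80, timeout=3.0):
    """vantage_points maps a label to a local source IP (or None for the default).
    authorized is the set of labels that are supposed to reach the UI.
    Returns (label, status, verdict) rows sorted by label."""
    rows = []
    for label, src in sorted(vantage_points.items()):
        status = probe_http(mgmt_ip, port, src, timeout)
        if status is not None and label not in authorized:
            verdict = "EXPOSED"    # UI answers a station that should not see it
        elif status is None and label in authorized:
            verdict = "BLOCKED"    # a management station is locked out
        else:
            verdict = "OK"
        rows.append((label, status, verdict))
    return rows

if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation ranges); replace with
    # the switch address and the audit host's own address in each VLAN.
    SWITCH = "192.0.2.10"
    VANTAGE = {"vlan1-mgmt": "192.0.2.20", "vlan2-users": "198.51.100.20"}
    for label, status, verdict in audit(SWITCH, VANTAGE, {"vlan1-mgmt"}):
        print(f"{label:12} status={status!s:5} {verdict}")
```
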

Accepted Solutions
schumaku
Guru

Re: Access restrictions on a GS108Ev3 ProSAFE Plus switch


@ProSAFEr wrote:
Is there any way to restrict access to the web management interface on this switch to only a few workstations, an address pool or a VLAN?

No.*

 


@ProSAFEr wrote:
I do not want to serve an unencrypted (HTTP only) web interface to the world.

The service processors for the Smart Managed Plus switches - almost unmanaged - have marginal resources, even the availability of the Web UI in plain HTTP is kind of "magic" for these switches.

 

*The release notes show that the processing capabilities are limited, e.g. when it comes to the flow control or exact timely ICMP multicast handling.

 

 


Message 2 of 4

All Replies
ProSAFEr
Aspirant

Re: Access restrictions on a GS108Ev3 ProSAFE Plus switch

Thank you for your detailed answer.  I know this device has an underpowered service processor.  A service processor like this one is not so bad as it sounds; the device draws only between three and four watts and runs really cold.  I am not against an unencrypted management interface either iff it can be restricted to a few ports, a single management VLAN or a few authorized IP addresses.  Even the cheaper GS105Ev2 supports an access control table.

 

Ok, it is time to look for another use for these switches that obviously should not be connected to public or untrusted networks.  We are running a few air gapped networks where these switches would fit better.

Model: GS108Ev3|ProSafe 8 ports Gigabit Plus switch
Message 3 of 4
schumaku
Guru

Re: Access restrictions on a GS108Ev3 ProSAFE Plus switch

Thank you back for the heads up, I have to make a little revision:

 

Indeed, some of the Smart Managed Plus (GSxxx[P]E) have an access control on board - and of course (Murphy's Law) I've checked the wrong products.

Gigabit Ethernet Smart Managed Plus Switches User Manual - Models GS105Ev2 GS105PE GS108Ev3 GS108PEv... , p.64 ff., Manage Access Control

However, there is a Note: Models GS108Ev3, GS108PEv3, and GS308E do not support access control.

 

Similarly, the "big" XS512EM and XS724EM 12-/24-Port 10-Gigabit/Multi-Gigabit Ethernet Smart Managed Plus Switch with 2 SFP+ Combo don't come with the Access Control (as of writing) either.


@ProSAFEr wrote:

Thank you for your detailed answer.  I know this device has an underpowered service processor.  A service processor like this one is not so bad as it sounds; the device draws only between three and four watts and runs really cold.  I am not against an unencrypted management interface either iff it can be restricted to a few ports, a single management VLAN or a few authorized IP addresses.

Did not intend to be negative - an absolutely amazing switch category! We challenged Netgear about getting the Management VLAN control as available on the XSxxxEM (different platform, different service processor) on the other Smart Managed Plus models, but were told this is technically not possible.

Message 4 of 4