Cisco Switches :: SG300-10 / Traffic Dropped As It Is Not Authorized
Apr 9, 2012
I have a SG300-10 in layer 3 mode attached to a Fortinet firewall (FG). The Fortinet syslog is reporting repeated traffic violations with the following info:
src: << IP of the interface that the SG is attached to >>
dst: << IP of system connected to another interface within the same VLAN on the FG >>
src port: 0
dst port: 1281
service: 5/1/icmp
The traffic is dropped as it is not authorized traffic but I'm wondering what this is....Googling the dst port came up with "healthd" but not sure how that plays into this connection - does the SG use healthd? I have not found any system behind the SG that can be pinned as the source and the ACL/ACEs on the SG are very strict (only allows tcp port 443 from systems behind the SG)
View 2 Replies
ADVERTISEMENT
Feb 6, 2013
We have problems with 3 switches in our network.
Users continues receive adresse via DHCP, but no traffic was forwarded. After reboot switch works fine about one week and problem arrives.
I telnet to one problem switch and try to found reason by reaply acl and source guard and saw some strange message:
nov-20(config)#int r gi1-48
nov-20(config-if-range)#no service-acl input
nov-20(config-if-range)#service-acl input 2
Exceeded the maximum ACE allowed in the system. -repeated 48 times
Configuration and log int attachment (show tech-support)
port 52 - uplink, 1-47 - users, 49-51 - downlink switches (SPS224g4) with aprox 200 pc connected. 48-ups
View 11 Replies
View Related
Aug 29, 2011
These are our first switches and seems like GUI is lot different than the online. Out intervlan routing is o not working. I am absolutely sure that I setup the switch in L3 mode since it allows me to create mutiple interfaces. I am hoping that this GUI issue is related to interVLAN routing.
Below is the blog I started for InterVlan issue [URL]
This is the link for online simulator and what I see in its IP tab. I know this switch is not SG300. [URL]
This is what I see on our switch.
Our switch version
switchd64684#show version
SW version 1.1.0.73 ( date 19-Jun-2011 time 18:10:49 )
Boot version 1.0.0.4 ( date 08-Apr-2010 time 16:37:57 )
HW version V01
View 1 Replies
View Related
May 26, 2011
1) I have a Cisco SG300-28P. I plan to add a SG300-52. Would it be possible to manage the new switch through the SG300-28P web browser ?
2) There are 2 fans in the POE model SG300-28P. How many fans are they in the non POE switch SG300-52 ?
View 2 Replies
View Related
Feb 8, 2012
Can I connect a single Cat5e cable between two SG300-28 and link them? If so what must I configure?
View 1 Replies
View Related
Jul 25, 2012
I have SG300-28P that I am using as layer-3 switch. Recently I ran in to SG300-52 switch and even though loading same firmware doesn't give me option to do layer-3 switching. For SG-300 I see options in GUI to create vlan interfaces under IP information section, while SG300-52 has IP information option only under the management section.let me know if these are 2 different hardware types and L3 is not possible on SG300-52. If its possible to enable L3 switching on SG300-52?
View 2 Replies
View Related
Jun 7, 2011
I have 7200 Router some flows are not forwarded and when i check ""show ip cache flow"" output i found the destination interface is going to Null i checked the access-list it permits these flows.
View 3 Replies
View Related
Feb 1, 2011
So I have an asa 5505 running ipsec and anyconnect and it has been working great for months. I have not made any changes to the config, but suddenly all of my anyconnect traffic is being dropped. The vpn uses the same subnet as the LAN. I tried putting a rule in to allow all traffic from the LAN subnet on the outside interface. Now I just get the WEBVPN-SVC Action-Drop in packet tracer.
View 1 Replies
View Related
Jun 13, 2011
I have a a firewall policy on a Cisco 2911 - the zone policy from OutZone>InZone basically drops everything apart from inspected traffic on the opposite direction and a few essential traffic generated externally (such as Outlook web access and E-mail exchanging). However, I seem to be getting a lot of firewall drops coming from the immediate gateway of the ADSL WAN address to the internal IP range on port 3. I get about 10 hits every 5 seconds.
Policy:
policy-map type inspect FWPol_Out-In
class type inspect CCP_PPTP
pass
class type inspect FCMAP_In-Email
pass
class type inspect FCMAP_In-OutlookWebAccess
inspect(code)
%FW-6-LOG_SUMMARY: 1 packet were dropped from IMMEDIATE WAN GATEWAY:0 => INTERNAL IP ADDRESS:3 (target:class)-(FWPair_Out-In:class-default), the immediate gateway would ping an internal IP address? Keepalive? Could this be stemming from another problem? The traffic wasn't generated internally as all InZone>OutZone is inspected.
View 1 Replies
View Related
Nov 29, 2011
As above, I got a problem with C3750e, ios c3750e-universalk9-mz.122-58.SE1.bin, when send AF41 traffic passing through it. My topolygy is as following
WAN link <----------> G0/0/2.100 - ASR1002 - G0/0/5 <---------> G1/0/1 - C3750e - G1/0/3 <--------> G0/0/1 - ASR1004
On this C3750e, I turned on mls qos, trust dscp on both G1/0/1 and G1/0/3 and no else is configured. ASR1002 G0/0/2.100, i applied the CB shaping fror AF41 traffic.
C3750e#sh mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled
C3750e#sh mls qos int g1/0/3
GigabitEthernet1/0/3
trust state: trust dscp
[code]....
Then, from ASR1004, i send ICMP traffic with TOS set to AF41 (136) and i found out that
1. The traffic is dropped on c3750e
sh mls qos int g1/0/3 statistics
GigabitEthernet1/0/3 (All statistics are in packets)
30 - 34 : 63 63 48 86 1534
2. The traffic never get hit into AF41 class in ASR1002 ? Why C3750e dropped this AF41 traffic? and what can I do to fix it?
View 1 Replies
View Related
Nov 21, 2011
I'm replacing 2 3COM 4500 Swithes with the SG300-52 Cisco switch. We have 3 VLANs, 10, 20, 100. The switch is set for Layer 3 and I have setup DHCP relay. what settings i should set on the Cisco for the following setups:
3COM Setup
#
interface GigabitEthernet1/0/1
[Code].....
View 2 Replies
View Related
Jan 1, 2013
We have several of the SG300 Serices switches. We use them to route VLAN traffic to Remote Offices, Internet Connections, and WiFi Access Points.In one remote office we have a SG300-10 setup to route the HQ Network and the remote Office Subnet. The SG300 is Connected to HQ via Fiber and has multiple Tagged VLANs on it. If I do speed tests over the Fiber Link on the Incoming Tagged Netwotk I get Decent performance, 80Mbs. If I switch to a networtk that is not priginating from HQ, and have the SG300-10 route packet, I get dismal performance. 15-20Mbs.
I Fireded up a New SG300-28P FW v1.2.7.76. Added a the HQ VLAN 101 and new VLAN 1025 . Mapped some Tagged and untagged ports for each. Switch was connected to HQ Network as untagged VLAN 101. I put a laptop on an Untagged VLAN 101 port. Ran some tests, cam back with 750-850Mbs. Great. Put the same laptop on a Tagged 101 Port, Configured the NIC for Tagged VLAN 101, Same test, same Speeds, 750-850Mbs.I then Configured laptop for Tagged VLAN 1025. Connected to tagged VLAN 1025 port. Ran speed tests, resuts were 15-20Mbs!
I then Configured laptop for Untagged VLAN 1025. Connected to unagged VLAN 1025 port. Ran speed tests, resuts were 15-20Mbs!It was only the Laptop and the Connection to the HQ net on the SG300-28P. Why is the performance of this unit soooooo poor when it needs to route?Other Switches have FW v1.0.0.27 or FW v1.1.2.0. They have Similar speed issues. All Configured for Layer 3.
View 10 Replies
View Related
Dec 18, 2011
does the SG300 switches can be used with Microsoft NLB in Multicast mode?I know on traditional Catalyst switches you can statically "map" IP's to mac's and then to multiple ports but this doesn't seem to work correctly on the SG switches - it gives an error about the mac not being not Unicast?
View 2 Replies
View Related
Aug 7, 2011
Any snmpset commands to add, modify and delete vlan table entries on SG300-10 switches? I checked url... however this information is apparently only valid for catalysts. The latest firmware is installed and the provided MIB files are used.
View 8 Replies
View Related
Aug 20, 2012
I'm going to have several SG300-28P switches to setup. I'll need to create multiple vlans for data, voice, and wireless traffic. I have the following questions in setting up this configuration:
VLAN 1 Management
VLAN 100 Data
VLAN 200 Wireless
VLAN 300 Voice
1) For managing the switches via IP, will LAN1 be the default management network? Should I create a seperate VLAN for managing the switches?
2) For uplinking the switches together, I plan to trunk a port to connect the switches together. What's the configuration on the trunk port to forward all vlans from one switch to another?
3) On some ports, I want to configure a trunk for two vlans (Data and Voice) where the phone has a pass through for PC. The phone supports tagging for the PC and the VoIP traffic. For example on port 10, would VLAN 100 and 300 be set to tagged?
View 3 Replies
View Related
Jan 19, 2012
I'm having alot of trouble trying to connect more that one LAG between two SG300-52 switches.Basically i have configured both switches with the same vlans. For 2 of the vlans i would like to connect them together between the two switches using LAG. Switch1 has Vlan 5 (ports 1-12) & Vlan 10 (Ports 25-36) with LAG configured on ports 1-2 and ports 25-26. I have setup the second switch identical to the first. But when i connect the LAG's there is no connectivty. If i disconnect one LAG the other starts working.Can you only have i interconnect LAG between switches?
View 1 Replies
View Related
Apr 22, 2012
I have two SG300 serie switches and two Gigabit connection between them. How do I configured these two links to work toghether like a one 2 Gigabit channel?
View 2 Replies
View Related
Feb 5, 2013
We have an issue with ACS server 5.1.0.44.X. We want make a one user with few commands: show ip route static-table(deny other show commands)configure terminal, terminal length 0 ip route (with all possible arguments). All works fine except ip route command, when i try to type it I see - "This command is not authorized".
View 1 Replies
View Related
Jan 9, 2013
it's probably just me but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still the same problem.
The setup of the ASA is straight forward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.
ASA Version 9.1(1)
!
hostname ASA
domain-name ingo.local
enable password ... encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
[Code] .....
View 9 Replies
View Related
Apr 8, 2011
Our Local Network is behind the CISCO ASA Firewall.Whenever we are accessing to Client VPN server,it is getting connected but after few Minutes (May be 5/10/30 Min),the sessions are terminating. The same traffic through PIX is no issue , only with ASA Firewall. See the following Error and request you give the possible root cause for this.
2011-04-09 16:15:09 Local4.Info 172.16.1.68 %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653
View 1 Replies
View Related
Oct 4, 2012
We have an SG300 managed switch located in a small business of less than 10 PCs. There has been an ongoing issue with Internet speed. Is there any way that I can monitor the router for traffic so that I can see what might be causing the problem? I would like to focus on the WAN port and Internet activity particularly.
View 1 Replies
View Related
Dec 20, 2012
In my LAN environment, I'm using two cisco SG300-10 switches. Both switches are connected by GE10 on both switches, where both ports are set to trunk.Now on all ports 1-9 on both switches, I'm having client computers attached. So I set ports 1-9 to "access" mode.All interfaces on any switch is left in default vlan.
Is it normal that I see all traffic from all connected devices on any port where I connect a listening device?What I'd like to achieve is, that only traffic that is meant for a specific workstation is actually forwarded to this workstation. By now it seems that I get all the traffic from everybody.
View 6 Replies
View Related
May 9, 2011
I have a question, does the SG300-28 support VTP and STP?. I want to add it to my network's VTP domain so I don't have to manage vlans manually on the SG300-28 and also be able to configure STP to keep my network loop free.
View 2 Replies
View Related
Jul 19, 2012
On my SG300 I set up LAG for the last two ports.
I then plugged them into my SRW224G4P, once I do that I get dropped packets.
I was thinking maybe doing firmware upgrades to both switches?
View 3 Replies
View Related
Jan 29, 2012
I need to know how to configure each port in switch SG300-10 to vlans, i need to configure one port "trunk" with catalyst switch and assign 4 ports to different vlans. any solution?
View 2 Replies
View Related
Jun 20, 2012
In the CLI documentation for the SG 300 Series, it shows sh ip route rip as a command. I have installed the latest firmware and that command is no longer available. Does the SG300 series support RIP?
View 6 Replies
View Related
Jan 27, 2013
We purchased a SG300-52 last week to replace a 5yr old Dlink which has worked perfectly. 1 day after the SG300 went it it started crashing with this fatal error problem so I reverted the firmware back from 1.2.7.76 (latest) to 1.1.2.0 but I still get the problems. It crashes when I have it on my lan with users connected or if I just have the switch on my desk with just my laptop connected, so it cant be a load issue or a network topology issue. I already have a Cisco SGE2010 on my network without problems.
View 7 Replies
View Related
Mar 15, 2011
I have a question about ACL and binding. I have a SG300 28P and a couple of other linksys switches and Access points that are connected to it via trunks. The cisco SG300 28P is running in layer3 mode and i have created a couple of vlans and one of them is a guest vlan. Now to my question, i create an ACL and an ACE that vill funktion so that guest vlan only can connect to the internet and not the rest of the internal network. And then i must bound the ACL to an interface port or lag, what i can see it is not possible to bind it to an vlan? so if i have a port on some of the other switches that is member of the guest vlan, vill the ACL on the SG 300 stop guest vlan trafic to the internal network that is comming from some of the other switches?
View 1 Replies
View Related
Mar 25, 2012
I want to set up a vlan only for the wifi APs and wifi clients on my network. They can't access to any server, only internet acces. I already implement this configuration and its working, but now I want to allowed a couple of laptops to connect to servers in other vlan. what should I do? Should I do it using Mac address of laptops or IP?
View 9 Replies
View Related
Mar 1, 2013
Yesterday I upgraded my SG300-10P to firmware 1.2.7.76. I was curious about the new SYN Protection feature, but it seems to do nothing on my installation.
The switch is running in Layer 2 mode. I have ACLs in place and DoS prevention is not enabled. I also tried clearing ACLs and enabling DoS prevention. As I understood the Admin Guide enabling DoS in the Security Suite Settings is not necessary for using the SYN Protection.
In my firewall I see about 300 pps with SYN flags only arriving. What "they" do is sending me SYN packest to port 80 from forged IPs, so that my system should send SYN-ACKs to the victim system. In this case it is the Arab Bank. They are down at the moment...I think that is called a spoofed SYN flood attack.
So I thougt the SYN Protection feature should exactly solve that problem but it does not and does not show any "Last Attack" entries.
If I put a SYN filter in place it works, even if I put SYN Rate Protection in place. But that is just a dirty workaround. My firewall blocks those SYN packets with a SNORT rule.
View 1 Replies
View Related
Feb 14, 2013
Is there an SG300 or SG500 that has all ports as SFP ports?
View 1 Replies
View Related
Jan 26, 2012
I am using a couple cisco sg300 28P switches along with a sonciwall firewall/router. The sonicwall was already in place and working so they didnt want to replace it. I understand how to configure the vlan on the sonicwall, but could use some info on the cisco. I would basically like to create 3 vlans, 1 default for management, 2 for pc's on lan, and 3 for the cisco spa504g phones/'voip. Would i just go into the vlan managment, configure the 2 new vlans and give them two id's? These offices have one network drop, so the phones and pc's will be sharing the switch ports, however the phones have a setting to configure the vlan id so they know which one theyre on. Is there anything i need to do after that? I want to make sure that vlan 3 has the highest priority becuase its voice, is there some qos configurations i need to make on that switch as well? Also, the port that links the two cisco swtiches together, does that need to be set as "trunk" port? I understand what vlans are, but its just the first time ive run into these cisco models. .
View 0 Replies
View Related
May 10, 2013
I bought the SG300-10 Switch a few days ago and updated it to firmware 1.3.0.59, but i think there's a bug in this firmware. If I go to "IP Configuration" IPv4 Routes" in L3 Mode nothing is displayed. In the log file i see that:
21474773112013-Mar-16 09:51:34Error%HTTP_HTTPS-E-DIAGNOSTICS: ERROR - in <RL_vtLeadTableGet> tag, can not find the table rlInetRoutingDistanceTable in the MIB. 21474775182013-Mar-14 22:39:22Error%HTTP_HTTPS-E-DIAGNOSTICS: ERROR - in <RL_vtLeadTableGet> tag, can not find the table rlInetRoutingDistanceTable in the MIB., aggregated (1)
Reset of the Switch doesn't work.
View 4 Replies
View Related
