Securing SG300-28P PoE Switch.
Greetings, I would like to start by apologizing. I have absolutely no knowledge of switch security management, but I've been tasked with it given the shortage of personnel. I have an SG300-28P-PoE switch that needs to be securely configured. I've done the basics of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures (hand holding, I'm sorry).
I wanted step-by-step guidance on:
1. Locking down ports by MAC address.
2. DDoS protection.
3. Lock down login from all but 1 IP and only allow browser-based SSL login. No TELNET, SSH, or other methods.
4. Shutting down any services on the switch.
Any other recommended security steps to secure the switch.
Thanking in advance,
Parth
Hello Parth,
Thank you for using the Cisco Small Business forums. I am an eContent developer and part of the Small Business Support Community.
Looking over the questions that you've asked, I found a few articles that might help you with the configuration changes you'd like to make:
As Brandon mentioned, the Knowledge Base contains many documents with step-by-step procedures and screenshots for common tasks. Port security is an excellent solution for the first problem. You can configure ports to lock down when a MAC address is changed:
Port Security
The SG300 security suite has many options for protecting against DDOS attacks:
DDOS
In regards to disabling/enabling services and restricting access to the web console, this article provides some guidance (uncheck the services that you do not wish to use; in relation to your question, uncheck all except HTTPS):
Enabling SSH/Telnet/HTTP
I hope that these articles help to answer your question. Please remember to mark this question as answered and rate it if it helps to address your issue so other users can benefit from it, and feel free to ask any further questions you might have!
Best,
Gunner Grim
Cisco eContent Developer
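The four items asked for above, rendered as Sx300 CLI, as an added example (not from the original thread, Cisco's articles, or the switch documentation). The workstation address 192.168.1.10 is constructed, and the exact security-suite and port-security command forms should be checked against the CLI guide for the firmware in use before applying; with SSH disabled, the console port is the only CLI path left, so apply this from the console.

```cisco
! Added example: hardened baseline for an SG300-28P (Sx300-family CLI).
! Assumption: the single admin workstation is 192.168.1.10 (constructed).
! Apply from the console port so a mistake in the management ACL
! cannot lock you out of the switch.
configure

! 3. Management plane: HTTPS only, and only from one workstation.
!    Enable HTTPS before removing the other servers, and build the
!    access list before activating it.
ip https server
no ip http server
no ip telnet server
no ip ssh server
management access-list admin-only
 permit ip-source 192.168.1.10 mask 255.255.255.255 service https
exit
! Activating the list leaves an implicit deny for every other source/service.
management access-class admin-only

! 4. Services not needed on a switch that is managed from one browser.
!    Leave SNMP on only if a monitoring system depends on it.
no snmp-server server
no bonjour enable

! 1. Port security: classic lock on the 24 access ports (gi25-28 are the
!    combo uplinks on the 28P and are left alone). Apply while the
!    legitimate device is connected: addresses learned at lock time become
!    static, a frame from any other MAC is discarded, and a trap is sent
!    at most once per 60 seconds. Set the mode first, then enable it.
interface range gi1-24
 port security mode lock
 port security discard trap 60
exit

! 2. DoS protection from the switch's security suite.
security-suite enable
security-suite dos protect add stacheldraht
security-suite dos protect add invasor-trojan
security-suite dos protect add back-orifice-trojan

! The one remaining login path should require strong credentials.
password complexity enable

end
copy running-config startup-config
```

Test the HTTPS login from 192.168.1.10 and a failed attempt from another host before saving to startup-config, so a wrong ACL can still be undone with a reboot.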
Similar Messages
SG300-28P - POE not correctly supported on all ports - possible firmware or hardware issue
So, I spent some time this weekend troubleshooting the issues I've had with the new SG300-28P switch and POE to many of my devices in the office. As a recap, I cannot utilize all of the 24 POE ports on the switch for POE purposes. Really only every other port [with a few odd combinations thrown in between]. In addition, the SG300-28P switch, on occasion, is sending POE to non-POE devices [e.g. my Ruckus Zone Director 1106].
Here are my POE devices [all 802.3 af-compliant]:
3 Ruckus 7982 access points
1 Pakedge access point
2 home-automation controllers
2 Polycom voip phones
I called Cisco support several times in regards to this problem, and they figured it was a hardware issue - a faulty switch. So, Cisco sent me a replacement SG300-28P, which I hooked up today. The exact problem still occurs. Default configuration [fresh out of the box]. No way I can land, for example, the 3 Ruckus 7982 AP's on ports 1, 2, and 3 [or ports 1,13, and 2]. I have to put them on ports 1, 3, and 5 in order for them to power up. In addition, I can't plug any other POE devices on the ports either between or below them. I had to skip another port bay. This is very odd behavior!! Two Cisco SG300-28P's in a row with the same problem.
However, I also had one of the new Cisco SG300-10P switches in my possession for a recent project of ours. I decided to hook up the same POE devices to this switch. ALL POE devices were recognized and worked! No need to skip a port. And it didn't matter what device was plugged in first or not. I am now convinced that it is either a hardware issue [bad power supply/transformer?] inside all of the SG300-28P switches, or a firmware issue.
Both of the SG300-28P switches were running firmware 1.1.2 [the latest on Cisco's website]. So, I decided to install an older firmware version on the SG300-28P switch that I'm returning [installed 1.1.1.8]. Here's what I found out. I could then plug 2 POE devices [e.g. two Ruckus AP's] in adjacent horizontal ports, but not three in a row. In addition, not all adjacent ports. It's funky. For example, I could plug an access point in ports 20 and 21, but not in 21 and 22. No rhyme or reason in how it worked. And I still couldn't plug an access point in adjacent vertical ports [e.g. ports 1 and 13]. BUT...
It's interesting that the same exact switch that would not initially allow 2 horizontally-adjacent POE ports to be utilized WOULD allow 2 horizontally-adjacent POE ports to be utilized when running a different firmware version. It's also interesting to note that when plugged into a "non-working" POE port, the SG300-28P would actually make a small whining noise. Very subtle noise; I could hear it when approx. 1ft away from the switch. The noise was not noticeable when ports were skipped [and POE actually worked]. Therefore, I believe that Cisco has some SG300-28P firmware bugs [at least in the last two versions of firmware] that is not truly allowing all 24 ports to utilize POE correctly. This problem does not exist with the SG300-10P switch.
I'm really interested to hear what Cisco's reply and findings on this matter would be. And would welcome a reply from one of their senior support team members/managers who could actually experiment with this, too. In addition, I'd like to know when they think a solution could be created if it's firmware-related. If hardware-related, I don't think I'll be recommending any 28P switches in our projects. Perhaps just the regular SG300-28 with a separate SG300-10P. It's a shame because the SG300-28P is more of a bargain when compared to the two separate components.

show power inline

Port based power-limit mode
Unit  Power  Nominal Power  Consumed Power  Usage Threshold  Traps
1     On     180 Watts      13 Watts (7%)   95               Disable

Port  Powered Device  State  Status     Priority  Class
gi1                   Auto   On         critical  class0
gi2                   Never  Off        low       class0
gi3                   Auto   Searching  critical  class0
gi4                   Never  Off        low       class0
gi5                   Auto   On         critical  class0
gi6                   Never  Off        low       class0
gi7                   Auto   On         critical  class2
gi8                   Auto   Searching  low       class0
gi9                   Auto   Searching  low       class0
gi10                  Auto   Searching  low       class0
gi11                  Auto   Searching  low       class0
gi12                  Never  Off        low       class0
gi13                  Never  Off        low       class0
gi14                  Never  Off        low       class0
gi15                  Never  Off        low       class0
gi16                  Never  Off        low       class0
gi17                  Never  Off        low       class0
gi18                  Never  Off        low       class0
gi19                  Never  Off        low       class0
gi20                  Auto   Searching  low       class0
gi21                  Never  Off        low       class0
gi22                  Auto   Searching  low       class0
gi23                  Auto   Searching  low       class0
gi24                  Auto   Searching  low       class0

show power inline gigabitethernet xx (for each device plugged in)

Port  Powered Device  State  Status     Priority  Class
gi1                   Auto   On         critical  class0
Power limit (for port power-limit mode): 15.400W
Port Status: Port is on - valid resistor detected
Overload Counter: 0
Short Counter: 0
Denied Counter: 0
Absent Counter: 3
Invalid Signature Counter: 17583

Port  Powered Device  State  Status     Priority  Class
gi2                   Never  Off        low       class0
Power limit (for port power-limit mode): 15.400W
Port Status: Port is off - user setting
Overload Counter: 0
Short Counter: 0
Denied Counter: 0
Absent Counter: 0
Invalid Signature Counter: 0

Port  Powered Device  State  Status     Priority  Class
gi3                   Auto   Searching  critical  class0
Power limit (for port power-limit mode): 15.400W
Port Status: Port is off - detection is in process
Overload Counter: 0
Short Counter: 0
Denied Counter: 0
Absent Counter: 2
Invalid Signature Counter: 1

Port  Powered Device  State  Status     Priority  Class
gi4                   Never  Off        low       class0
Power limit (for port power-limit mode): 15.400W
Port Status: Port is off - user setting
Overload Counter: 0
Short Counter: 0
Denied Counter: 0
Absent Counter: 0
Invalid Signature Counter: 0

Port  Powered Device  State  Status     Priority  Class
gi5                   Auto   On         critical  class0
Power limit (for port power-limit mode): 15.400W
Port Status: Port is on - valid resistor detected
Overload Counter: 0
Short Counter: 0
Denied Counter: 0
Absent Counter: 0
Invalid Signature Counter: 0

Port  Powered Device  State  Status     Priority  Class
gi7                   Auto   On         critical  class2
Power limit (for port power-limit mode): 15.400W
Port Status: Port is on - valid resistor detected
Overload Counter: 0
Short Counter: 0
Denied Counter: 0
Absent Counter: 0
Invalid Signature Counter: 0

Port  Powered Device  State  Status     Priority  Class
gi13                  Never  Off        low       class0
Power limit (for port power-limit mode): 15.400W
Port Status: Port is off - user setting
Overload Counter: 0
Short Counter: 0
Denied Counter: 0
Absent Counter: 1
Invalid Signature Counter: 0

Port  Powered Device  State  Status     Priority  Class
gi14                  Never  Off        low       class0
Power limit (for port power-limit mode): 15.400W
Port Status: Port is off - user setting
Overload Counter: 0
Short Counter: 0
Denied Counter: 0
Absent Counter: 0
Invalid Signature Counter: 0
show interfaces advertise gigabitethernet xx (for what ports are of interest)

Port: gi9
Type: 1G-Copper
Link state: Down
Auto negotiation: Enabled
                                1000f  1000h  100f  100h  10f  10h
Admin Local link Advertisement   yes    no     yes   yes   yes  yes
Oper Local link Advertisement    -      -      -     -     -    -
Oper Remote link Advertisement   -      -      -     -     -    -
Priority Resolution              -      -      -     -     -    -

Port: gi10
Type: 1G-Copper
Link state: Down
Auto negotiation: Enabled
                                1000f  1000h  100f  100h  10f  10h
Admin Local link Advertisement   yes    no     yes   yes   yes  yes
Oper Local link Advertisement    -      -      -     -     -    -
Oper Remote link Advertisement   -      -      -     -     -    -
Priority Resolution              -      -      -     -     -    -

Port: gi11
Type: 1G-Copper
Link state: Down
Auto negotiation: Enabled
                                1000f  1000h  100f  100h  10f  10h
Admin Local link Advertisement   yes    no     yes   yes   yes  yes
Oper Local link Advertisement    -      -      -     -     -    -
Oper Remote link Advertisement   -      -      -     -     -    -
Priority Resolution              -      -      -     -     -    -

Port: gi21
Type: 1G-Copper
Link state: Down
Auto negotiation: Enabled
                                1000f  1000h  100f  100h  10f  10h
Admin Local link Advertisement   yes    no     yes   yes   yes  yes
Oper Local link Advertisement    -      -      -     -     -    -
Oper Remote link Advertisement   -      -      -     -     -    -
Priority Resolution              -      -      -     -     -    -

Port: gi22
Type: 1G-Copper
Link state: Down
Auto negotiation: Enabled
                                1000f  1000h  100f  100h  10f  10h
Admin Local link Advertisement   yes    no     yes   yes   yes  yes
Oper Local link Advertisement    -      -      -     -     -    -
Oper Remote link Advertisement   -      -      -     -     -    -
Priority Resolution              -      -      -     -     -    -

Port: gi23
Type: 1G-Copper
Link state: Down
Auto negotiation: Enabled
                                1000f  1000h  100f  100h  10f  10h
Admin Local link Advertisement   yes    no     yes   yes   yes  yes
Oper Local link Advertisement    -      -      -     -     -    -
Oper Remote link Advertisement   -      -      -     -     -    -
Priority Resolution              -      -      -     -     -    -
Problem with switch SG300-28P Poe and Avaya 1408 telephone
Hi Team
We have an SG300-28P 28-Port Gigabit PoE Managed Switch; on every port we allow the voice VLAN and data VLAN (trunk). It happens that when this type of phone is off and we reconnect the cable, the switch port is dropped, so the phone loses the voice VLAN and no longer works.
Thanks for your comments.
Regards
Hi Yesenia, did you contact Avaya support? Did you configure the phone for a voice and data VLAN?
I'm trying to dig through the Avaya website and looking at the fact sheet and user guide it has no mention of VLAN.
Is the switch supported for the usage of Avaya Aura Communication Manager call processing system?
-Tom
Please mark answered for helpful posts
Good morning, nice to greet you. I am writing because I have a problem with an SG300-28P switch. Let me explain:
The switch had been running normally at the company until one day we were completely without a network; the computers showed "Network cable unplugged". Apparently the switch was off, but the surprise was that when I checked, it was on but no light lit up.
I disconnected it and ran several tests, like changing the electrical outlet, trying to connect the console, etc. All these attempts have been unsuccessful. When connected to the electrical outlet and turned on, the fans start and the link and PoE LEDs light for about half a second, then go off; the same happens when I disconnect the power.
I am looking for help to see if I can get it up and running again. Best regards and thanks for your attention.
PS: Excuse me if I do not express myself well, because my English level is very low and I am relying on online translators.
Hi John, it sounds like it is time to call SBCS support. It may need to be replaced. You may try to connect a console cable and see if you see any interesting messages during boot.
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
-- please remember to rate helpful posts --
SG300-28P: System LED not on. everything else working.
Hi Everyone,
Nice to meet you all.
I received a used SG300-28P today and immediately found that its System LED never lights. I upgraded the firmware to the latest, but it did not make any difference. So far I have configured the switch for my environment and everything is working fine, including VLANs, L3 routing, and PoE on all ports.
I am puzzled, not sure what's wrong with it. In the System Summary of the Web GUI it indicates the System LED is constantly on. But the physical one is just dead (never lits including boot)
I hope it's just the LED itself; the switch is definitely out of warranty. What diagnostics can I run myself to understand it?
Thanks,
Mark
Hello Siming,
If everything is working properly on the switch, then you shouldn't be worried about the system led. The system led itself is simply not working.
This is the information you need to know about the system led:
Off - If the system led is off, it means the switch is not powered on (which in your case is false, since you told us the switch is working as it should, so that means you have a faulty led)
Green - If the system led is green, it means the switch is working normally. If the system led is green and it flashes constantly, it means the switch is using the factory default IP address (192.168.1.254) to access the switch. If it is solid green, it means that the switch has an IP assigned either via DHCP or statically by the administrator.
Amber - If the system led is amber, it means there is a problem with the switch
As you can see, you won't be able to get information from the system led when it is green or amber, since it is not working.
I would suggest that you properly configure system logs on the switch, constantly perform backups of the running/startup configuration, and keep track of which IP address you are using to access the switch GUI/CLI. That way, if you forget your IP address, or if there is a problem with the switch, you know where to find the correct information.
Please let us know if you have further questions.
Alejandro Moncada
SBCD Engineer
SG300-28P noise level... (fan control)
Hello,
Maybe somebody can help me. In the official information for the SG300-28P the noise level is 40.6 dB, but in fact it's too noisy. Is it possible to change the speed of the fans? I use only 8 PoE ports.
Thanks in advance,
Andrey
Hi Andrey,
I placed a sound meter within 6 inches of the right-hand side of my SG300-28P and found an average dB level of 47.
I rested a sound meter on top of my SG300-28P and found an average dB level of 59-60 dB.
I used my motorola atria phone in conjunction with a Sound Meter ver 1.4.3 dB meter app to perform the measurements.
My measurements were not done according to any standards based approach for measurements of sound level of machines.
Conversation in restaurant, office, background music, air conditioning unit at 100 ft    60 dB    Half as loud as 70 dB. Fairly quiet
Quiet suburb, conversation at home. Large electrical transformers at 100 ft              50 dB    One-fourth as loud as 70 dB.
Library, bird calls (44 dB); lowest limit of urban ambient sound                          40 dB    One-eighth as loud as 70 dB.
reference: http://www.industrialnoisecontrol.com/comparative-noise-examples.htm
My unit is no more than 3 feet from my left ear, and I do not find the sound distracting, but noise/sound is subjective.
The fans on the SG300-28P are not adjustable.
regards, Dave
SG300-28P and aironet access points
Dear support,
does Cisco SG300-28P provide enough PoE to power access points 1550 and 1600?
Thank you
Hi Mireille, it should. The 1550 is 802.3af compliant.
The 1600 may be interesting because it can actually draw up to 15.4 watt of power and you may run into limitations of cable. It is also 802.3af compliant.
-Tom
Please mark answered for helpful posts
SG300-28P Multicast (IGMP) and IGMP routing..
A brief background on the setup:
I recently switched out my switch. It was a Cisco 3750 10/100 switch and I wanted to upgrade to Gig. The cost of a Gig+POE 3750 is too much to bite so I opted for the SG300. My router is a Cisco 891. Here is the setup:
Cisco 891:
two SVI's: vlan1 and vlan 100
Vlan1 = 10.0.1.1/24
Vlan100 = 10.0.100.2/24
Connected to SG300 via Fa0
DHCP Server for vlan1+vlan100
Cisco SG300-28P:
two SVI's: vlan 1 and vlan 100
vlan 1 = 10.0.1.21/24
vlan 100 = 10.0.100.1/24
Connected to 891 on via Gi18
The connection between 891 and SG300 = trunk, vlan1-u, vlan100-t
The problem:
With the 891+3750, I was able to add "ip pim sparse-dense-mode" on all the SVIs and hosts could join any multicast group, regardless of which VLAN the host was a member of.
Now I've changed switches, and I don't get the same love. I have the PIM statement on both SVIs on the 891, but I'm unsure of what I need to configure on the SG300. I have enabled "Bridge multicast filtering" + "IGMP snooping". What can I do to get similar functionality using the SG300 + 891? I assume this is my lack of understanding IGMP in general, but I was able to get away with it using the PIM statements on the 891+3750 stack.
Jeff
You should be able to filter unregistered multicast on every port.
To be able to pass multicast over subnets two things must be certain, the node/device is able to send and receive multicast packets but also register the multicast address being listened to by the node so the local and remote routers can route the multicast packets.
When the switch learns a multicast address through IGMP snooping, this is a registered multicast. The switch will only forward multicast to ports that are registered to the multicast group. Where unregistered multicast comes in is the multicast that is not statically defined or learned through IGMP, which in turn will be forwarded to all ports of the VLAN.
Problems accessing SG300-28P via management interface
I have a new SG300-28P, and have had occasional issues with being unable to connect to it via anything other than the serial port. I have connectivity between my machine and the switch (tested with ping each way), and in fact, have the same problem if I take a laptop to the switch and connect them directly.
What happens is that though the switch is operating normally, HTTP, HTTPS, SSH and telnet attempts to access it all fail in one way or another. SSH and telnet either yield no response or a refused connection (even though those services are enabled). For HTTP and HTTPS, I'll occasionally get enough of the web page to be able to tell what it is, but attempts to log in just don't work.
While this is happening, the CPU and packet load on the switch is very, very low.
Rebooting didn't help entirely, though it may have made it better. Resetting to factory defaults and then reconfiguring makes it work.
This is using the latest firmware: 1.2.7.76.
Searching the web for this sort of failure doesn't yield any results -- maybe I'm the only one to see this?
I don't know what else I can do to diagnose... I've got it working without trouble now.
I have this problem too. It seems to have started from either when I upgraded to the latest firmware and/or changed the management interface from the default (VLAN 1) to VLAN 11. It will stay up and pinging for anywhere from a few minutes to 3 hours, then I lose all connectivity until I reboot the device.
switch5782a5#show inventory
NAME: "1" DESCR: "SG300-10P 10-Port Gigabit PoE Managed Switch"
PID: SRW2008P-K9 VID: V01 SN: PSJ1522063N
switch5782a5#sh ver
SW version 1.3.5.58 ( date 10-Oct-2013 time 17:15:41 )
Boot version 1.3.5.06 ( date 21-Jul-2013 time 15:12:10 )
HW version V01
Error on a Switch Cisco SG300-52 PoE
Hi,
I get an error on a Switch Cisco SG300-52 PoE
error: %Box-F-INVALID-PARAM-SETTING: Function BOXG_poe_i2c_read_mem_byte: invalid param recv_byte_PTR value = 0 ***** FATAL ERROR ***** Reporting Task: HCPT. Software Version: 1.3.7.18 (date 12-Jan-2014 time 18:02:59) 0x16adc8 0x166f34 0x6df974 0x48fd60 0x490670 0x490890 0x9af988 0x9be7d8 0x98a710 0x98ab8c 0x98ad60 0x98e6f4 0x990128 0x982ddc 0x994cf0 0x962c24 0x965604 0x94a960 0x94b688 0x1223fc ***** END OF FATAL ERROR *****
What does this error mean?
Thanks for help!
Martin
Boot image upgrade for SG300-28P
Hi,
I have an SG300-28P and I need to upgrade both the boot & firmware versions.
The problem is I can't find the boot file anywhere, the only file available on the Cisco downloads page is the firmware file ('.ros')
These are my current versions:
show ver
SW version 1.3.5.58 ( date 10-Oct-2013 time 17:15:41 )
Boot version 1.0.0.4 ( date 08-Apr-2010 time 16:37:57 )
HW version V01
And I get this warning at boot...
** Boot version is incompatible with the system image. **
** Some new features have been disabled. **
** Please update to newest boot version. **
Hence the need to upgrade.
Cheers, Ian
ian-heath,
When you download:
Sx300 Firmware Version 1.3.5.58
Sx300_FW_Boot_1.3.5.58.zip
The zip file has a copy of the firmware and also a copy of the boot code. The boot code needs to be upgraded via a TFTP server. After the boot code is upgraded, download and install the latest firmware, Release 1.3.7.18. (No boot code with this one.)
- Marty
Is there a function or command to program the fans to "automatic" so that they only come on when the temperature becomes elevated? We find the noise level annoying. Thank you.
Hi,
The SG300-28p does not currently support automatic fan speed reduction.
Regards,
Jake
I have a new SG300-28P, I am unable to connect. After logging in the switch stops at 70% Processing Date. I have try Chrome, IE, and Firefox.
I am not sure of the firmware version. I do not want to reset to the factory default because there is no backup and I am not sure of the configuration.
Hi Tony, this is going to be purely an issue with the computer/browser, etc.
I'd recommend swapping to a different computer or fully updating the one you're using, including the latest Java.
-Tom
Please mark answered for helpful posts
Hello, I have SG300-28Ps as the PSE's for my IP telephone system. The phones are tagging their voice packets as DSCP 46 as directed by auto voice vlan. The QoS settings on the switch are at default - Basic Mode, Trust DSCP, strict priority, etc.
On the PBX itself, DB programming allows me to program the 'Type of Service' for the voice packets. The recommended value in the manual was 184 which makes sense, as this decimal value for ToS corresponds to DSCP 46, CoS 5, etc.
The question comes though, do I need to change the trust mode on the switch? I'm not real clear on the differences between them.
Regards,
-Brayton
Hi Brayton, the trust mode doesn't need to be changed. 802.1p specifies a 3-bit field called a PCP within the Ethernet frame header when using tagged VLAN frames. This will contain a class of service priority.
The CoS is able to map to DSCP values. The DSCP has a 6 bit field called diffserv (differentiated service). CoS values are able to be mapped to DSCP values. Video is generally CoS 4 while voice is generally CoS 5. Within the SX300 you are able to manually set the mapping to any value you'd like. With trust mode, the switch will basically accept and agree with whatever the tagged ethernet frame contains. Without trust mode, the switch will remark the packet based on the PCP and DiffServ value to fit in to the different categories.
-Tom
Please mark answered for helpful posts
Hello,
How does one remotely access a SG300-28P?
Thanks, Pete
Pete,
Of course you will need to have a default gateway (many people forget) and open a port through your router (as Marty suggested) for inbound connections to the switch.
Hope this helps,
Jasbryan