SG300-20 & SF302-08

I have a small network of 130 computers, including IP-based devices. I have recently decided to shift my network to Cisco manageable switches, so I have recently purchased 8 switches of the 300 series. I have had training on Catalyst switches (2950, 2960, 3550, 3560 series), but these switches are Nexus series.
Now I have a problem configuring the following:
1. VTP and displaying the VTP status.
       I have applied commands such as 'show vtp status' to display the status, but it displays unrecognized command. In the same way, I am facing problems with VTP configuration.
2. Copying flash to a TFTP server.
3. Displaying trunk configurations.
Guidance from any technical person will be highly appreciated.
Regards,
Majid Hussain
skype: abdulmajid.hashmi
email: [email protected]

Hello,
The 300 series switches support a scriptable command line interface called 'Textview'.
300 series Admin Guide
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf
300 series CLI Guide
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/CLI_Nikola300_1_3_7.pdf
Cisco Small Business Support Center Contacts (Toll free Phone Support)
http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
Thanks.
Yiu Kay Lee
Concentrix at Cisco
.:|:.:|:. CISCO | Yiu Kay Lee | SMB Pre-Sales | [email protected] | Phone +1 (855) 354-7776

Similar Messages

  • Sg300 - 802.1x NPS - mac authentication not working

    I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
    Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
    My current port configuration on the SG300:
    interface fastethernet1
     dot1x guest-vlan enable
     dot1x max-req 1
     dot1x reauthentication
     dot1x timeout quiet-period 10
     dot1x authentication 802.1x mac
     dot1x radius-attributes vlan static
     dot1x port-control auto
     switchport mode access
    On the Windows NPS server the following error is shown:
    Authentication Details:
        Connection Request Policy Name:    Secure Wire
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        myradius.local
        Authentication Type:        -
        EAP Type:            -
        Account Session Identifier:        30353030399999
        Reason Code:            1
        Reason:                An internal error occurred. Check the system event log for additional information.
    Compared to the message from the 3850, the authentication type (PAP) is missing and a not very helpful error message is displayed...

    Still not working.
    I tried different settings and (also older) software versions on the SF302-08P.
    Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
    The NPS reports the following error:
    Schannel:
    The following fatal alert was received: 40.
    EventID 36887
    If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
    ... is this a bug on the SF302-08P?

  • Cisco SF302-08P (SRW208P-K9-NA) Support for Cisco IP 7942 Phones

    Hi All,
    I am looking at quoting the SF302-08P for a client which will have three small offices interconnected via single mode fiber. I am planning on connecting them to a 3560 switch. Each office will have no more than 3 - 7942 phones. I reviewed the notes on this switch and it seems it should support this phone type without any issues. Could you advise if you have run into any support/reliability issues with this switch and the 7942s?
    Thank You,

    Hi RevereORL,
    My concern is there are;
    slight nuances or differences between the CLI configuration on the SG300 compared to the Catalyst range.
    I am also very very slightly concerned about post sales support interaction between TAC and SBSC, but these days there is much more cross talking between these two support groups.
    Different SFP SKU's for fiber connectivity GLC- series for catalyst and MGB series on 300, even though I have no issue with plugging the GLC SKU's into my 300 series product.
    The SF302-8P has a POE budget defined as 62W across all 8 ports or 62watts / 8 ports= 7.75 approx watts that can be drawn from each port.
    With the software upgrade to 1.1.1.8 the 300 series now also supports pre-standard POE as well as 802.3af, so power should not be an issue.
    I guess the beauty of buying from a distributor, and keeping the packaging, is that you can validate your application.
    Give it a try.
    regards Dave

  • SG300-28 switch in boot loop after firmware upgrade

    After performing a firmware upgrade on an SG300-20 switch from ver 1.1.0.73  to 1.2.5.70 the switch now boots up with the following error and resets:
    30-Aug-2011 10:47:33 %L1Mngr-F-PARAMTOOLONG: csco-sb parameter %s is too long.
    The attached file contains a full output of the console boot process.
    I have tried loading different versions from the console, but all produce the same error.
    Has any one any idea how to resolve this issue?
    Thanks
    Des

    Hello Tom, Thanks for your reply,
    I had done the process before with the 3 firmwares offered on the Cisco website. I did it again, and I get a boot loop again, with the following error:
    %L1Mngr-F-PARAMTOOLONG: csco-sb parameter serialNo is too long.
    Any ideas?
    Thank you,
    Nico
    Console
         Startup Menu
    [1]  Download Software
    [2]  Erase Flash File
    [3]  Password Recovery Procedure
    [4]  Set Terminal Baud-Rate
    [5]  Stack menu
    [6]  Back
    Enter your choice or press 'ESC' to exit:
    Downloading code using XMODEM.
    -- Download complete --
    Calculating file's checksum...OK
    Erasing FLASH ->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Writing to flash 0x6aa500 records...
    Setting checksum: 0x350925f6 , Address: 0x0
    OK.
    Flash programming success.
    Perform WARM BOOT ...
    Boot1 Checksum Test...............................PASS
    Boot2 Checksum Test...............................PASS
    Flash Image Validation Test.......................PASS
    BOOT Software Version 1.0.0.4 Built  08-Apr-2010  16:37:57
    Networking device with Marvell ARM CPU core. 128 MByte SDRAM.
    I-Cache 16 KB. D-Cache 16 KB. L2 Cache 256 KB. Cache Enabled.
    MAC Address   :  58:35:d9:96:7f:5d.
    Autoboot in 2 seconds - press RETURN or Esc. to abort and enter prom.
    Preparing to decompress...
    100%
    Decompressing SW from image-1
    100%
    OK
    Running from RAM...
    Board ID is 22
    Device ID 0xdf5111ab
    *** Running  SW  Ver. 1.2.7.76  Date  19-Jul-2012  Time  17:54:43 ***
    HW version is V
    Base Mac address is: 58:35:d9:96:7f:5d
    Dram size is  : 128M bytes
    Dram first block size is  : 101376K bytes
    Dram first PTR is  : 0x1900000
    Dram second block size is  : 4096K bytes
    Dram second PTR is  : 0x7C00000
    Flash size is: 16M
    19-Jul-2012 17:54:46 %CDB-I-LOADCONFIG: Loading running configuration.
    19-Jul-2012 17:54:47 %CDB-I-LOADCONFIG: Loading startup configuration.
    Device configuration:
    Slot 1 - SF302-08MP
    Device 0: GT_98DX1005 (AlleyCat)
    -- Unit Standalone                --
    Tapi Version: v1.9.5
    Core Version: v1.9.5
    19-Jul-2012 17:55:02 %L1Mngr-F-PARAMTOOLONG: csco-sb parameter serialNo is too l
    ong.
    ***** FATAL ERROR *****
    Reporting Task: ROOT.
    Software Version: 1.2.7.76 (date  19-Jul-2012 time  17:54:43)
    ***** DEBUG *****
    DEBUG LOG IS EMPTY
    0x16a614
    0x167054
    0x6bdc18
    0x490518
    0x4959e4
    0x495bac
    0x815674
    0x816b10
    0x817e64
    0x1d51e8
    0x1cb010
    0x121d3c
    *****************  SYSTEM RESET  *****************

  • How do I access the web utility with model cisco sf302-08p ?

    Hi, I have a problem with the model Cisco SB SF302-08PP switch. I connect an RJ45 cable to my PC and configure the local area connection adapter (IP address: 192.168.1.252); the LEDs blink green. I go to the address bar and enter the default IP, which according to the manual is 192.168.1.254, and the result is: page not found. Is there any way to change the web utility? How do I access the web utility?

    Restore the switch by holding for more than 30 seconds and try accessing it with IP 192.168.1.254. The username and password are "cisco". Before that, change your base IP to 192.168.1.2-253. Try to ping and check the connectivity.

  • SG300 ssh strange error: "A client is already connected"

    Hi,
    I've got a few SG300-52 switches running software version 1.3.0.62 which I configured for ssh management access with public key authentication via:
    ip ssh server
    ip ssh pubkey-auth auto-login
    username mgmt password ... privilege 15
    crypto key pubkey-chain ssh
    user-key mgmt rsa
    key-string ...
    This is working fine if I connect interactively from my management system with:
    ssh -i mgmt_id_rsa mgmt@switch
    where mgmt_id_rsa is the name of a file containing the private key.
    I get a privileged command prompt as intended, without being asked for a password.
    However if I try to pass a command on the ssh command line like this:
    ssh -i mgmt_id_rsa mgmt@switch show version
    the command just hangs until I hit the Enter key a second time, and then emits the strange message:
    Received disconnect from 10.11.12.13: 2:
    A client is already connected
    (Exactly like that, including the line break after the "2:" and the blank before "A client".)
    The same happens if I pipe the command I want to send into ssh like this:
    echo show version | ssh -i mgmt_id_rsa mgmt@switch
    except the error message appears immediately and I don't have to hit Enter a second time.
    This is unfortunate as the objective of the whole exercise is to send commands to the switch from a script.
    Can anyone shed some light on why this is so? What is that strange message "a client is already connected" trying to tell me? Is that another bug in Cisco's ssh implementation? Ideas for a workaround, anyone?
    Thanks,
    Tilman
    PS: I already asked that question over in the "big business" support community before noticing there's a separate small business section, but got no answer there.
    PPS: The real objective of the exercise is to make scripted backups and updates of the switches' configurations, ie. what would be naturally expressed as
    scp -i mgmt_id_rsa mgmt@switch:running-config /var/backup/switch.config
    and
    scp -i mgmt_id_rsa /var/conf/switch.configchange mgmt@switch:running-config
    except it doesn't work that way because the SG300's ssh server lacks scp support. Trying to replace that by
    ssh -i mgmt_id_rsa mgmt@switch copy running-config scp://server/var/backup/switch.config
    and
    ssh -i mgmt_id_rsa mgmt@switch copy scp://server/var/conf/switch.configchange running-config
    led me straight to the problem above. Just in case someone feels inclined to ask the standard forum question: "Why do you want that anyway?" :-)

    Hi all,
    I've improved my expect script a bit to:
    allow specifying the SSH user and keyfile on the command line
    allow sending configuration mode commands
    correctly handle very long commands (line wrap) and commands producing no output
    Extended usage:
    ciscosb-exec confuser@myswitch -i ~/.ssh/confuser_id_rsa -c "ip ssh-client username memyself"
    ciscosb-exec confuser@myswitch -i ~/.ssh/confuser_id_rsa "copy scp://myserver/workdir/myswitch.configchange running-config"
    The "new and improved" script:
    #!/usr/bin/expect
    # Script to run an IOS command on a Cisco Small Business Switch via ssh
    # Prerequisites:
    # - Cisco Sx300 series switch with software version 1.3 or later
    # - public key authentication with auto-logon configured
    # Usage:
    #   ciscosb-exec [<options>] [<user>@]<host> "<command>"
    # Args:
    #   <user>      username on switch
    #   <host>      name or IP address of switch
    #   <command>   command string to execute
    # Options:
    #   -c          execute in configuration mode
    #   -i <file>   use SSH private key from <file>
    #   -d          activate debugging output
    # Result:
    #   Switch response will appear on stdout

    # debug switches
    log_user 0
    exp_internal 0

    # configurable values
    set sshcmd "/usr/bin/ssh -c aes192-cbc"
    # end of configurable values

    # below matches prompts such as "switch#", "switch>", "switch$"
    set prompt "\[>#$\]\ *$"

    # getopt implementation snarfed from http://www2.tcl.tk/17342
    proc getopt {_argv name {_var ""} {default ""}} {
        upvar 1 $_argv argv $_var var
        set pos [lsearch -regexp $argv ^$name]
        if {$pos>=0} {
            set to $pos
            if {$_var ne ""} {
                set var [lindex $argv [incr to]]
            }
            set argv [lreplace $argv $pos $to]
            return 1
        } else {
            if {[llength [info level 0]] == 5} {set var $default}
            return 0
        }
    }

    # parse command line
    set configmode [getopt argv -c]
    getopt argv -i idfile
    if {[getopt argv -d]} {
      log_user 1
      exp_internal 1
    }
    if {[llength $argv] != 2} {
      send_user "Usage: ciscosb-exec \[<options>\] \[<user>@\]<host> \"<command>\"\n"
      send_user "Arguments:\n"
      send_user "    <user>        target username (default: current user)\n"
      send_user "    <host>        target host name or IP address\n"
      send_user "    <command>     command string to execute\n"
      send_user "Options:\n"
      send_user "    -c            execute in configuration mode\n"
      send_user "    -i <file>     use SSH private key from <file>\n"
      send_user "    -d            activate debugging output\n"
      exit 1
    }
    set target [split [lindex $argv 0] @]
    if {[llength $target] == 1} {
      set device [lindex $target 0]
      set userid "$env(USER)"
    } elseif {[llength $target] == 2} {
      set userid [lindex $target 0]
      set device [lindex $target 1]
    } else {
      send_user "bad target: [lindex $argv 0]\n"
      exit 1
    }
    set command [lindex $argv 1]
    if {[info exists idfile]} {
      set sshcmd "$sshcmd -i $idfile"
    }
    eval "spawn $sshcmd -l $userid $device"
    match_max [expr 32 * 1024]

    # handle initial noise
    set timeout 20
    while { 1 } {
      expect {
        # command prompt
        -nocase -re "$prompt"     {break}
        # confirmations (unknown fingerprint etc.), an unknown host key is accepted without verification here
        -nocase -re "\\(yes/no\\)"  {send "yes\r"}
        # username prompt
        -nocase -re "name:|^login:" {send "$userid\r"}
        # password prompt
        -nocase -re "word:" {send_user "Public key authentication failed\n"; exit}
        # errors
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connect failed: $expect_out(buffer)\n"; exit}
      }
    }

    # disable terminal formatting junk
    send "terminal datadump\r"
    expect {
        -nocase -re "$prompt"     {}
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connection lost: $expect_out(buffer)\n"; exit}
    }
    send "terminal width 0\r"
    expect {
        -nocase -re "$prompt"     {}
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connection lost: $expect_out(buffer)\n"; exit}
    }

    # switch to desired mode
    if {$configmode} {
      send "configure terminal\r"
      expect {
        -nocase -re "$prompt"     {}
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connection lost: $expect_out(buffer)\n"; exit}
      }
    }

    # actual command may take a long time
    set timeout 180
    send "$command\r"
    expect {
        # skip command echo
        -re "$command\[\r\n\]*"   {exp_continue}
        # answer confirmation request
        -nocase -re " \\(Y/N\\).*\? *$" {
            # send confirmation, skip echo
            send "Y"
            expect -re "Y\[\r\n\]*"
            exp_continue
        }
        # collect response, excluding next prompt
        -re "\r\n"                {send_user "$expect_out(buffer)"; exp_continue}
        -nocase -re "$prompt"     {send "exit\r"}
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connection lost: $expect_out(buffer)\n"; exit}
    }

    set timeout 20
    expect {
        # second exit needed for logging out from configuration mode
        -nocase -re "$prompt"     {send "exit\r"}
        timeout     {send_user "Timeout waiting for hangup\n"; exit}
        eof         {exit}
    }
    expect {
        -nocase -re "$prompt"     {puts "Failed to log out, disconnecting"; exit}
        timeout                   {puts "Timeout waiting for hangup"; exit}
        eof                       {exit}
    }
    HTH
    Tilman

  • SG300-10 (1.4.0.88) Layer-3 Mode

    I'm having an issue getting my SG300-10 into Layer-3 mode.  I had it in Layer-3 mode under version 1.3.7.18, performed a factory reset by holding down the hard-reset button for 10 seconds.  Updated boot loader to 1.3.5.06 and SW Firmware to 1.4.0.88.
    switchc4f42e#sh ver
    SW version    1.4.0.88 ( date  06-Aug-2014 time  16:55:55 )
    Boot version    1.3.5.06 ( date  21-Jul-2013 time  15:12:10 )
    HW version    V02
    Now I cannot find the option to switch it back into Layer-3 mode.  There is no "menu" option at the console (serial).
    switchc4f42e#
      boot                 Boot Commands
      clear                Reset functions
      clock                Manage the system clock
      configure            Enter configuration mode
      copy                 Copy from one file to another
      crypto               Cryptographic commands
      debug-mode           Exit from the EXEC to debug mode
      delete               Delete a file from the flash file system
      dir                  Display the list of files on the flash file system
      disable              Disable privileged commands
      dot1x                802.1x EXEC commands
      errdisable           Err-Disable shutdown commands.
      exit                 Exit from the EXEC
      green-ethernet       Green ethernet commands
      help                 Description of the interactive help system
      ip                   Global IP configuration commands
      login                Exit from the EXEC and Log in
      macro                Ports macros
      more                 Display a file
      no                   Negate command
      ping                 Send echo messages.
      reload               Halt and perform a cold restart
      rename               Rename a file                  
      renew                Renew DHCP address
      resume               Resume telnet session.
      set                  Set System Parameters
      show                 Show running system information
      telnet               Open telnet session.
      terminal             Set current session functions
      test                 diagnose
      traceroute           Discover the routes to destination.
      write                Write running configuration to memory or terminal
    switchc4f42e#menu
    % Unrecognized command
    switchc4f42e#
    What do I need to do to get this switch back into Layer-3 mode?

    Never mind, I found it ....
    switchc4f42e#set system mode router
    Changing the switch working mode will *delete* the startup configuration file and reset the device right after that. It is highly recommended that you will backup it before changing the mode, continue ? (Y/N)[N] Y

  • SG300-10 VLAN Questions

    My apologies if this has been asked before, but I have some questions regarding the setup of my new switch and network. I have never worked with switches before, so this is quite a learning experience. The picture above describes the current layout of my network. Here is how I have tried to set it up, so far.
    VLAN 1 [Ports 1-4, Untagged, Trunk] (172.16.1.1/24)
      Workstation A (Wired): 172.16.1.2/24
      Server B (Wired): 172.16.1.3/24
    VLAN 2 [Ports 5-8, Untagged, Trunk] (172.16.2.1/24)
      Server C (Wired): 172.16.2.2/24
      Server D (Wired): 172.16.2.3/24
      Server E (Wired): 172.16.2.4/24
      Server F (Wired): 172.16.2.5/24
    VLAN 3 [Ports 9-10, Untagged, Trunk] (192.168.1.1/24)
      Laptop G (Wireless): DHCP via Router
      Laptop H (Wireless): DHCP via Router
      Laptop I (Wireless): DHCP via Router
      Wireless Router: 192.168.1.254/24
    Now, my goal is to have all 3 VLANs be able to talk to each other but also have VLAN 1 access the internet, through the wireless router. In the future I would also like Server B to be able to expose services (http & ssh) to the outside. VLAN 2 shouldn't have internet access at all. I know I can add static routes to the wireless router, if need be. All three laptops, can access the internet through the wireless router, without any problems.
    So my questions are:
    1) Is there anything inherently wrong with the design of this network? If so, what could be changed?
    2) Is VLAN 3 really necessary?
    3) What would I need to do, to get the 3 VLANs communicating with each other?
    4) What should the gateway be, to get VLAN 1 internet access?
    5) What would I need to do, to expose Server B services to the outside?
    6) What static routes do I need to add?
    Thanks in advance!
       Jer

    Hello Jeremy,
    Thank you for your interest and patience.
    You are on the right track here. However, several important changes must be made. Consider the following concepts:
    The concept of a native VLAN. The link between the router and the switch must be part of VLAN 1. Otherwise, information from the router will not be distributed correctly on the switch due to the current PVID of 3.
    The VLAN IP Interface (VLAN IP Address) identifies the subnet for the VLAN. Therefore, thinking of the switch as a router, you are correct that the default gateway for each client should be the respective VLAN interface on the switch. The switch will automatically route between directly connected IP Interfaces and their subnets.
    However, in order for your clients to get to a network that the switch doesn't know about (the internet), there must be a default route to the router.
    Additionally, in order for the router to forward information from the internet back to the VLANs on the switch, the router must know how to reach the different VLANs.
    The following linked figure (Fig. 1) describes an appropriate sample setup. See here.
    In this scenario, a SG300-10 is configured with 3 VLANs:
    VLAN 1 - Default VLAN, used for management - 192.168.1.x/24 - Ports 9-10 - 1U - Trunk Mode
    VLAN 2 - Servers - 192.168.2.x/24 - Ports 5-8 - 2U - Trunk Mode
    VLAN 3 - Workstations - 192.168.3.x/24 - Ports 1-4 - 3U - Trunk Mode
    VLAN 1 is used to communicate to the router. Therefore, the following default route must be added to the switch's configuration:
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    The switch will automatically build the routes between the VLANs local to the switch. Visualize Server C going to google.com. Its IP address is 192.168.2.2. Its default gateway should be the VLAN 2 IP Interface on the switch (192.168.2.254 in this example). Because the default route is configured, the switch will forward the internet request to the router. The router will then forward the request to your ISP out the WAN where it will eventually reach Google.
    However, when the request comes back into the router, the router must know to route it to the 192.168.2.x subnet. So, in order for this to work, routes that accomplish the following must be configured on your router:
    Subnet IP      Mask             Gateway                               Interface
    192.168.2.1    255.255.255.0    192.168.1.254 (SG-300 IP Interface)   LAN
    192.168.3.1    255.255.255.0    192.168.1.254 (SG-300 IP Interface)   LAN
    As you have already discovered, there are several limitations to using a router that does not support 802.1Q tagging. Chiefly, your clients will not receive either DHCP or DNS automatically from the router. To mitigate this, you can do either of the following:
    Run a DHCP server with multiple DHCP scopes on a device connected to your switch. You can then use Option 82 on the switch to route DHCP requests and DNS info between VLANs on the switch.
    Statically configure IP and DNS information. You could enter Open DNS Servers or Google's DNS servers on your clients.
    Ideally, you would want to use a router that supports 802.1Q tagging. In this figure here (Fig. 2), you can see the VLAN configuration page for a Cisco RV180W, a very capable and affordable small business router that I highly recommend. Port 1 on the RV180W is configured as a trunk port and carries VLANs 1-3 to the switch. The clients automatically receive IP addresses and DNS information from the correct DHCP pool on the router.
    Do not hesitate to contact us. We are always happy to help.
    All the best,
    -David Aguilar
    Cisco Small Business Support Center
    1-866-606-1866
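
The forward and return routing requirements described in the reply above can be checked mechanically before clients are moved onto the VLANs. This is an added example, not part of the original reply or any Cisco tool: the function names are hypothetical, the addresses are those of the sample setup, the VLAN 3 interface address is an assumption (the reply only gives 192.168.3.x/24), and 203.0.113.10 is a documentation address standing in for an internet host.

```python
import ipaddress

# Values from the sample setup in the reply above.
SWITCH_INTERFACES = {
    "VLAN 1": "192.168.1.254/24",
    "VLAN 2": "192.168.2.254/24",
    "VLAN 3": "192.168.3.254/24",  # assumed; the reply gives only 192.168.3.x/24
}
SWITCH_ROUTES = [("0.0.0.0", "0.0.0.0", "192.168.1.1")]
ROUTER_LAN = "192.168.1.1/24"
ROUTER_ROUTES = [
    ("192.168.2.1", "255.255.255.0", "192.168.1.254"),
    ("192.168.3.1", "255.255.255.0", "192.168.1.254"),
]


def parse_routes(rows):
    """Turn (destination, mask, gateway) rows into (network, next hop) pairs."""
    parsed = []
    for dest, mask, gateway in rows:
        # strict=False tolerates host bits in the destination (192.168.2.1/24)
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        parsed.append((net, ipaddress.ip_address(gateway)))
    return parsed


def best_route(routes, target):
    """Longest-prefix match: the most specific route whose network covers target."""
    matches = [(net, gw) for net, gw in routes if target.subnet_of(net)]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def audit(switch_interfaces, switch_routes, router_lan, router_routes,
          external="203.0.113.10/32"):
    """Return a list of findings; an empty list means both directions route."""
    findings = []
    ifaces = {n: ipaddress.ip_interface(a) for n, a in switch_interfaces.items()}
    router = ipaddress.ip_interface(router_lan)

    # Forward path: the switch needs a route to networks it does not own,
    # and the next hop must sit in one of its directly connected subnets.
    hit = best_route(parse_routes(switch_routes), ipaddress.ip_network(external))
    if hit is None:
        findings.append("switch: no route towards the internet")
    elif not any(hit[1] in i.network for i in ifaces.values()):
        findings.append(f"switch: next hop {hit[1]} is not directly connected")

    # Return path: every VLAN subnet the router is not attached to needs a
    # router-side route whose gateway is the switch's address on the router LAN.
    switch_on_lan = [i.ip for i in ifaces.values() if i.ip in router.network]
    routes = parse_routes(router_routes)
    for name, iface in sorted(ifaces.items()):
        if iface.network == router.network:
            continue  # directly connected to the router, no static route needed
        hit = best_route(routes, iface.network)
        if hit is None:
            findings.append(f"router: no return route for {name} ({iface.network})")
        elif hit[1] not in switch_on_lan:
            findings.append(
                f"router: return route for {name} points to {hit[1]}, not the switch")
    return findings


if __name__ == "__main__":
    for line in audit(SWITCH_INTERFACES, SWITCH_ROUTES, ROUTER_LAN, ROUTER_ROUTES):
        print(line)
```

An empty result means a client in any VLAN has a path out and the router has a path back; a VLAN that is meant to stay off the internet should be blocked by policy rather than by leaving its return route out.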

  • Communication problem between Cisco 3560 and Cisco SG300.

    Dear Support,
    I have a Cisco SG300 and Cisco 3560 switches.
    3560 is my Core Switch and SG300 is access switch.
    From 3560 VLAN information is not passed to SG300.
    3560 Configuration:
    interface GigabitEthernet0/23
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,2,10,11
    switchport mode trunk
    SG300 Configuration:
    interface gigabitethernet49
    spanning-tree link-type point-to-point
    switchport mode general
    switchport general allowed vlan add 2,10-11 tagged
    macro description switch
    Please suggest how this issue can be resolved.
    Regards,
    JItesh Mahajan.

    Dear Aleksandra,
    Is the below configuration right or wrong for the 3560 and SG300?
    3560 Configuration:
    interface GigabitEthernet0/23
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan remove VLAN 1
    switchport native vlan 1
    switchport trunk allowed vlan 1,2,10,11
    switchport mode trunk
    SG300 Configuration:
    interface gigabitethernet49
    spanning-tree link-type point-to-point
    switchport mode general
    switchport general allowed vlan add 2,10-11 tagged
    macro description switch
    Regards,
    JItesh Mahajan.

  • ASA5505 - SG300 VPN site2site problem

    Hello,
    I have a problem with a site2site VPN between a SG300 and an ASA5505. On the SG300 we have two internal connected networks, the second one is an alias. The VPN goes up and works correctly for hours or even for days. Then I don't know why, for some reason, the VPN is up but works only for one of the two networks. When the users try to connect I get this error on the ASA:  ASA-7-710006: ESP request discarded from SG300PubblicInterface to outside:ASAPubblicInterface. To solve this problem I have to restart the VPN or make a ping from the ASA's LAN to the SG's LAN that isn't working. We have other VPNs on both firewalls that work correctly. ASA's Software Version is 8.0(3). I saw that I'm not the only one having this problem but nobody found the right answer...

    Hi Vinay,
    As per your below config
    crypto map vpnmap 10 match address vpnfr
    crypto map vpnmap 10 set peer 193.242.9.126
    crypto map vpnmap 10 set transform-set myvpn
    crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
    crypto map vpnmap 30 match address vpnsing
    crypto map vpnmap 30 set peer 203.126.186.226
    crypto map vpnmap 30 set transform-set myvpn2
    crypto map vpnmap 40 match address vpnbl
    crypto map vpnmap 40 set peer 61.8.153.122
    crypto map vpnmap 40 set transform-set myvpn2
    crypto map vpnmap 50 match address vpnde
    crypto map vpnmap 50 set peer 61.8.129.170
    crypto map vpnmap 50 set transform-set myvpn2
    crypto map vpnmap interface outside
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 193.242.9.126
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    vpnmap is your original crypto map. If this is the crypto map, it's applied to the outside interface, which is correct.
    Now if you have added a new crypto map, say "outside_map", it's not going to work, as we can only apply one crypto map per interface. I don't see any redundant ISP in the config, so I suppose the crypto map "outside_map" might be the newly added crypto map. If that is true, please try the below config changes and let me know if it helps.
    =============================================================
    crypto map vpnmap 60 match address outside_1_cryptomap <<<<
    crypto map vpnmap 60 set pfs  <<<<<<<<<<<<<<<<<<<<<<<<<
    crypto map vpnmap 60 set peer 193.242.9.126
    crypto map vpnmap 60 set transform-set ESP-3DES-SHA
    ===============================================================
    Make sure the crypto ACL "outside_1_cryptomap" is mirrored on the remote end and that you also have PFS enabled on the remote end.
    Thanks
    Rohan
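
The one-crypto-map-per-interface point in the reply above can be checked over a saved configuration. The following is an added example, not part of the original reply or of Cisco tooling: `audit_crypto_maps` and the finding labels are hypothetical names, the configuration text is the one quoted in the reply, and treating a static entry as complete when it has `match address`, `set peer` and `set transform-set` is an assumption of this example.

```python
import re
from collections import defaultdict

# Configuration lines as quoted in the reply above.
PAGE_CONFIG = """\
crypto map vpnmap 10 match address vpnfr
crypto map vpnmap 10 set peer 193.242.9.126
crypto map vpnmap 10 set transform-set myvpn
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap 30 match address vpnsing
crypto map vpnmap 30 set peer 203.126.186.226
crypto map vpnmap 30 set transform-set myvpn2
crypto map vpnmap 40 match address vpnbl
crypto map vpnmap 40 set peer 61.8.153.122
crypto map vpnmap 40 set transform-set myvpn2
crypto map vpnmap 50 match address vpnde
crypto map vpnmap 50 set peer 61.8.129.170
crypto map vpnmap 50 set transform-set myvpn2
crypto map vpnmap interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 193.242.9.126
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
REQUIRED = ("match address", "set peer", "set transform-set")  # assumed minimum


def audit_crypto_maps(config_text):
    """Return (label, subject, detail) findings for crypto map definitions."""
    entries = defaultdict(lambda: defaultdict(list))  # map -> seq -> settings
    bindings = defaultdict(list)                      # interface -> map names
    for raw in config_text.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            bindings[m.group(2)].append(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)][int(m.group(2))].append(m.group(3))

    bound = {name for names in bindings.values() for name in names}
    findings = []

    # Maps that have entries but are never applied to an interface: their
    # tunnels are defined on paper only.
    for name in sorted(entries):
        if name not in bound:
            peers = sorted({s.split()[-1]
                            for settings in entries[name].values()
                            for s in settings if s.startswith("set peer ")})
            findings.append(("unbound-map", name, peers))

    # More than one map name applied to the same interface.
    for iface, names in sorted(bindings.items()):
        if len(set(names)) > 1:
            findings.append(("multiple-maps-on-interface", iface, sorted(set(names))))

    # Static entries of bound maps that lack one of the assumed required settings.
    for name in sorted(bound & set(entries)):
        for seq, settings in sorted(entries[name].items()):
            if any(s.startswith("ipsec-isakmp dynamic") for s in settings):
                continue  # dynamic entries take their settings from the dynamic map
            missing = [k for k in REQUIRED
                       if not any(s.startswith(k) for s in settings)]
            if missing:
                findings.append(("incomplete-entry", f"{name} {seq}", missing))
    return findings


if __name__ == "__main__":
    for finding in audit_crypto_maps(PAGE_CONFIG):
        print(finding)
```

On the quoted configuration this reports `outside_map` as unbound; after the entry is moved into `vpnmap` as sequence 60, as the reply suggests, the result is empty.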

  • No internet access on VLANs with RV042G and SG300

    I'm trying to set up a network for a small business which will have different offices, and so I want to separate them all by VLAN so that they can't access each other's files. The problem is that I can't access the internet from any of the VLANs, including the default.
    The RV042G router is connected to the internet through the WAN1 port and has a static IP address of 10.4.1.1. I enabled multiple subnets and added one for each of the VLANs (1 - admin, 10, 20, 30, 100 - guest). I also created static routes to the SG300 switch, which has an IP address of 10.4.1.2, 10.4.10.2, etc. The switch is in Layer 3 mode and is functioning as the DHCP server. I also have a wireless access point set up that broadcasts an SSID for each VLAN, however this is not the issue since no internet connection can be established wirelessly or with a wired connection.
    I am fairly certain it has something to do with the data not being correctly routed through from the internet to the client, however I can't seem to find what is configured incorrectly. If anyone could offer some suggestions it would be appreciated. Please let me know if you need more info, I have attached some of the configuration screens for reference.

    Hi Paul,
    Thanks for the suggestion, but I changed it from Gateway to Router and this didn't fix the problem, still no internet access.
    I have a cable modem box that connects to the RV042G through WAN1, and then the RV042G connects to the SG300 through port 1 on the RV042G. On the RV042G, this port is set to VLAN1, while the port on the SG300 is set as a trunk port. The SG300 is then assigning IP addresses to the clients. It has 4 different VLANs created that go to different offices. Does this help you understand the setup any better?

  • Two questions about SG300 DHCP server

    Hi,
    I have two questions about the DHCP server on the SG300:
    On the Address Binding page, what does the "Declined" state mean? I have a NAS device that won't pull an address, and I think that the entry with a state of "Declined" corresponds to this device. It was previously pulling an address from a RV180, so the only difference is that it is now connected to the SG300. I worked around this by manually setting the address on the NAS device, but this won't scale if I run into a lot of other devices that can't pull an address.
    I configured a static address binding for a WAP321 and found that instead of pulling the configured address that it pulled a dynamic address. I checked the Address Binding page and see that the dynamic entry that corresponds with the WAP321 has a Client Identifier rather than a MAC address. I changed the static entry for the WAP321 to use the client identifier displayed in the dynamic entry, and now the WAP321 pulls the configured static address. Is this expected behavior?
    Thanks,
    Bob

    With the SX300/500 the client identifier is required; it doesn't automatically insert it. If static DHCP is made on the switch and you didn't need client identifier, that is more or less fortunate behavior for you.
    So to answer this question, the expected behavior is to configure client identifier for static DHCP entry.
    -Tom
    Please mark answered for helpful posts
    http://blogs.cisco.com/smallbusiness/
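
    The matching behaviour described in this thread, as an added example that is not part of the original posts and not the switch's firmware logic: a simplified model of a DHCP server that looks up a static binding by client identifier (option 61) when the client sends one, and by MAC address otherwise. The MAC address, the lease address 10.0.0.50 and all function names are constructed for the example; the `01` + MAC form is the common Ethernet client identifier from RFC 2132.

```python
# Added example: a simplified model of static-binding lookup, with constructed data.
MAC = bytes.fromhex("001122334455")               # constructed client MAC
# Constructed option fields (the bytes that follow the DHCP magic cookie):
# option 53 (message type = DISCOVER), option 61 (type 01 + MAC), end.
WAP_OPTIONS = bytes([53, 1, 1, 61, 7, 1]) + MAC + bytes([255])
# A client that sends no option 61 (with two pad bytes before the end option).
NAS_OPTIONS = bytes([53, 1, 1, 0, 0, 255])


def parse_dhcp_options(buf):
    """Parse code/length/value DHCP options into {code: data}."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 0:                  # pad: a single byte with no length
            i += 1
            continue
        if code == 255:                # end of options
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        opts[code] = data
        i += 2 + length
    return opts


def lookup_static(bindings, chaddr, options):
    """Match on the client identifier if the client sent one, else on its MAC."""
    cid = options.get(61)
    key = ("client_id", cid) if cid else ("mac", chaddr)
    return bindings.get(key)


if __name__ == "__main__":
    by_mac = {("mac", MAC): "10.0.0.50"}
    by_cid = {("client_id", b"\x01" + MAC): "10.0.0.50"}
    opts = parse_dhcp_options(WAP_OPTIONS)
    print("MAC-keyed entry:", lookup_static(by_mac, MAC, opts))        # None
    print("client-id-keyed entry:", lookup_static(by_cid, MAC, opts))  # 10.0.0.50
```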

  • How do I get from a menu at login to CLI on a SG300-28 Switch?

    I have an SG300-28 and would like to configure it through the CLI, not the menu. How do I get to the CLI from the menu?
    I am running Boot version 1.0.0.4 and SW version 1.0.0.27. Do I need to upgrade both boot and SW, or just SW?

    Hi rod3,
    Typically SSH/Telnet is disabled by default on devices.  In order to activate it you will need to go through the WEB GUI to Security > TCP/UDP Services and check the boxes that say SSH or Telnet then click apply.
    Then using a Terminal program of your choice you can connect to the switch and configure it.  Be advised that the CLI is not exactly the same as regular IOS.
    -Trent Good
    ** Please rate useful posts! **

  • Not able to get the all connected mac address with snmpwalk on sg300-28

    I have an SG300-28 switch and I am using OpenNMS to monitor it, but somehow the snmpwalk on the switch is not returning the whole MAC table.
    The command I am using is snmpwalk -v 2c -c pex 192.168.x.x .1.3.6.1.2.1.4.22.1
    The output is:
    iso.3.6.1.2.1.4.22.1.1.100014.192.168.3.6 = INTEGER: 100014
    iso.3.6.1.2.1.4.22.1.1.100014.192.168.3.23 = INTEGER: 100014
    iso.3.6.1.2.1.4.22.1.1.100014.192.168.3.30 = INTEGER: 100014
    iso.3.6.1.2.1.4.22.1.2.100014.192.168.3.6 = Hex-STRING: 76 6B E9 2E xx xx
    iso.3.6.1.2.1.4.22.1.2.100014.192.168.3.23 = Hex-STRING: 74 D4 35 CF xx xx
    iso.3.6.1.2.1.4.22.1.2.100014.192.168.3.30 = Hex-STRING: 50 46 5D 06 xx xx
    iso.3.6.1.2.1.4.22.1.3.100014.192.168.3.6 = IpAddress: 192.168.x.x
    iso.3.6.1.2.1.4.22.1.3.100014.192.168.3.23 = IpAddress: 192.168.x.xx
    iso.3.6.1.2.1.4.22.1.3.100014.192.168.3.30 = IpAddress: 192.168.x.xx
    iso.3.6.1.2.1.4.22.1.4.100014.192.168.3.6 = INTEGER: 3
    iso.3.6.1.2.1.4.22.1.4.100014.192.168.3.23 = INTEGER: 3
    iso.3.6.1.2.1.4.22.1.4.100014.192.168.3.30 = INTEGER: 3
    It's showing me three nodes, but actually there are 10 nodes connected. Does anyone have an idea what is wrong?
    Regards,
    Deepak
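
    The OID walked above, 1.3.6.1.2.1.4.22.1, is the ipNetToMediaTable from RFC 1213: the IP-to-MAC (ARP) mapping per interface, which is a separate table from the bridge forwarding tables (dot1dTpFdbTable at 1.3.6.1.2.1.17.4.3, dot1qTpFdbTable at 1.3.6.1.2.1.17.7.1.2.2). The parser below is an added example, not part of the original post; it turns such a walk into one row per host so the result can be compared with an inventory. The sample input and function names are constructed, and whether the SG300 firmware answers on the bridge-table OIDs is not stated on this page.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the output quoted above (two hosts;
# the last two MAC bytes are invented because the post masks them).
SAMPLE = """\
iso.3.6.1.2.1.4.22.1.1.100014.192.168.3.6 = INTEGER: 100014
iso.3.6.1.2.1.4.22.1.1.100014.192.168.3.23 = INTEGER: 100014
iso.3.6.1.2.1.4.22.1.2.100014.192.168.3.6 = Hex-STRING: 76 6B E9 2E 00 01
iso.3.6.1.2.1.4.22.1.2.100014.192.168.3.23 = Hex-STRING: 74 D4 35 CF 00 02
iso.3.6.1.2.1.4.22.1.3.100014.192.168.3.6 = IpAddress: 192.168.3.6
iso.3.6.1.2.1.4.22.1.3.100014.192.168.3.23 = IpAddress: 192.168.3.23
iso.3.6.1.2.1.4.22.1.4.100014.192.168.3.6 = INTEGER: 3
iso.3.6.1.2.1.4.22.1.4.100014.192.168.3.23 = INTEGER: 3
"""

# Columns of ipNetToMediaEntry and the values of ipNetToMediaType (RFC 1213).
COLUMNS = {1: "if_index", 2: "mac", 3: "ip", 4: "type"}
ENTRY_TYPES = {1: "other", 2: "invalid", 3: "dynamic", 4: "static"}
LINE = re.compile(
    r"^(?:iso|\.1)\.3\.6\.1\.2\.1\.4\.22\.1\.(\d+)\.(\d+)\.(\d+(?:\.\d+){3})"
    r" = [\w-]+: (.*)$")


def parse_arp_walk(text):
    """Group column-ordered walk lines into one row per (ifIndex, IP) index."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or int(m.group(1)) not in COLUMNS:
            continue  # skip anything that is not an ipNetToMediaTable cell
        name = COLUMNS[int(m.group(1))]
        value = m.group(4).strip()
        if name == "mac":
            value = ":".join(b.lower() for b in value.split())
        elif name == "if_index":
            value = int(value)
        elif name == "type" and value.isdigit():
            value = ENTRY_TYPES.get(int(value), value)
        rows[(int(m.group(2)), m.group(3))][name] = value
    return dict(rows)


def learned_hosts(rows):
    """(ip, mac) pairs for dynamically learned entries, sorted by address."""
    hosts = [(r["ip"], r["mac"]) for r in rows.values()
             if r.get("type") == "dynamic" and "ip" in r and "mac" in r]
    return sorted(hosts, key=lambda h: ipaddress.ip_address(h[0]))
```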

  • Using SG300 directly as a router?

    Hello, I am building a new home with several Cat6 ethernet ports wired throughout (at least one to each room) and I want to connect them all through a rock-solid reliable gigabit switch like the SG300 or SG200.  I am also going to use wireless N (something like the E4200) but I would prefer not to use the wireless device as the router since I want a solid, reliable connection from my ethernet-connected devices and the Internet and I honestly don't trust consumer-level devices like the E4200 to be reliable without dropping my connection.  I have computers that need a constant VPN connection and I have other computers that do bittor...umm, network intensive activity that usually bring wireless routers to their knees  
    So what I would really like is to connect the internet cable modem (Ubee) directly to the business-class switch (SG300 or SG200), and have that business-class switch do the routing and NAT to my entire network, and I'd just use the E4200 as a wireless access point.  I'm not a network admin and the idea of the CLI scares me, but I can probably use it to at least switch the SG300 to Layer 3 mode...that looks simple enough.  I'd definitely want to use a web GUI for everything else.  From what I've read, the SG200 is a Layer 2 device so it couldn't be used as a router, but can the SG300 in Layer 3 be used as a router connected directly to the cable modem?  Will it support NAT and UPnP and all of the other features that the E4200 would (minus the wireless of course)?  For example one thing I will want is to be able to have multiple XBoxes connected to the switch all with an "Open NAT".
    If the SG300 can't do this, what's the best rock-solid business class device that I can connect directly to the cable modem that will support things like UPnP and NAT?
    Thanks everyone in advance for their advice!

    Hi Alan,
    Interesting comment: "I'll probably be moderated for this"
    When this community was set up years ago, I recall that the moderators for this segment said they wouldn't censor.
    There were a few exceptions, unless you were rude and used foul language or were obviously demented.
    So you can have your say.
    Plenty of contributors, probably including myself, may be moving towards demented in our thoughts. But until we all get really loony, Alan, you're free to say what you want. It's all healthy discussion.
    I have seen many "interesting" posts but I suspect your post will remain for years to come. Once on the Internet, our comments and discussions are left to embarrass us for years to come.
    regards Dave.
