SG300 VLAN ISE

Hello,
customer is using lots of 2960-Switches and plans to implement ISE for dynamic VLAN-Assignment. Should be no problem.
For lots of small offices he wants to purchase SG300 Switches. I recommended Cisco Compact Switches, but they are too expensive.
So the question is: Is it possible to configure the SG300 Switches to communicate with ISE to allow dynamic VLAN-Assignment?
Any response will be helpful.
regards
Hubert

Hubert,
Barry is absolutely correct. From the switch side, it is setting radius config in the switch to the ip for the ISE and supplying the key, 802.1x setup and ports will be next. Please refer to the sg300 admin guide. pg 391 and 392 specifically for radius-assigned-vlans. Please review Chapter 19 in total. It will inform you as to certain configuration parameters that will and will not work. For the ISE, it can be a location based rule or an attribute for particular users.

Similar Messages

  • Cisco SG300 VLAN rate-limit

    I have a Cisco SG300 small business switch and 541 APs. There are 2 VLANs in our network. One must be limited by bandwidth. Does anyone have an idea how to configure VLAN rate-limiting on the SG300? And please describe CIR & CBS for me. Thanks.

    http://www.cisco.com/en/US/partner/products/ps10898/prod_command_reference_list.html
    Cisco Small Business 300 Series Managed Switches Command Line Interface Guide Release 1.3
    Select CIR and CBS according to your design. You can use a larger CBS when performance is not ideal.
    49.23 rate-limit (VLAN)
    Use the Layer 2 rate-limit (VLAN) Global Configuration mode command to limit the
    incoming traffic rate for a VLAN. Use the no form of this command to disable the
    rate limit.
    Syntax
    rate-limit vlan-id committed-rate committed-burst
    no rate-limit vlan
    Parameters
    • vlan-id—Specifies the VLAN ID.
    • committed-rate—Specifies the average traffic rate (CIR) in kbits per second
    (kbps). (Range: 3-57982058)
    • committed-burst—Specifies the maximum burst size (CBS) in bytes.
    (Range: 3000-19173960)
    Default Configuration
    Rate limiting is disabled.
    Committed-burst-bytes is 128K.
    Command Mode
    Global Configuration mode
    User Guidelines
    Traffic policing in a policy map takes precedence over VLAN rate limiting. If a
    packet is subject to traffic policing in a policy map and is associated with a VLAN
    that is rate limited, the packet is counted only in the traffic policing of the policy
    map.
    This command does not work in Layer 3 mode. It does not work in conjunction with
    IP Source Guard.
    Example
    The following example limits the rate on VLAN 11 to 150000 kbps or the normal
    burst size to 9600 bytes.
    switchxxxxxx(config)# rate-limit 11 150000 9600

  • SG300 Vlan IP-Helper Address issues

    hi,
    I am trying to set a ip-helper address on my sg300 though getting the following.
    DNSWITCH01#configure
    DNSWITCH01(config)#interface vlan2
    DNSWITCH01(config-if)#ip helper-address 192.168.1.1
    % missing mandatory parameter
    DNSWITCH01(config-if)#DNSWITCH01#
    DHCP server is server 2008 R2 and the range is active for that vlan and can route to vlan and devices set statically fine

    Hi Konrad, DHCP cannot be used for IP helper since the switch has a DHCP-RELAY service.
    -Tom
    Please mark answered for helpful posts

  • SG300 VLAN Trunk?

    I have recently been putting a SG300 through testing, and while the configuration is working, I am now at the stage of making sure everything is secure.  At this point I've reached a question I can't quite find the answer to:
    Current Setup:
    1 Port - Trunk Mode (1UP + Various VLANs Tagged)
    Other Ports - Access Mode (Various VLANs Untagged)
    The question comes as to how to deal with the Trunk Port.  Per Cisco's own "Virtual Lan Security Best Practices", the default/native VLAN should be cleared from all Trunks... unless I am misunderstanding I see no way to accomplish this with the SG300's port in Trunk Mode (it forces 1UP, and admit-all).
    The only other options I see as being possible are:
    Change Port to General Mode, and switch policy to admit-tagged-only, and leave 1UP on the trunk
    -or-
    Change Port to General Mode, and remove 1UP (but this forces the system to add 4095P, which per the documentation states it immediately disables all other VLANS?)
    Are either of these options valid/usable... or is there a better way to accomplish this?

    Well, to put an end to this saga:
    This really doesn't do what I thought it would, and I proved this out by sticking a BSD machine on the port and sniffing the interface with tcpdump:
    switchport mode general
    switchport general allowed vlan add 101,102,103 tagged
    switchport general acceptable-frame-type tagged-only
    switchport general pvid 4095
    This really does nothing.. it is the same as leaving the interface in just the default trunk mode with tagged vlans... control traffic is all sent out the interface untagged.
    Playing around with this some more, this is more interesting:
    switchport mode trunk
    switchport trunk allowed vlan add 101,102,103
    switchport default-vlan tagged
    This changes the interface to Trunk: 1T, 101T, 102T, 103T, 4095P (and makes web interface go goofy if you try to change it). Now control traffic (other than STP) is coming down the VLANs as tagged.
    Oh well.... upstream device will just be configured to drop everything that is untagged and move on

  • Dhcp sg300 vlan

    Okay. I have two scopes for two vlans configured on the sg300. When I put my laptop in vlan 1 I get an ip from 192.168.0.0/24. I then release the ip, I put the port my laptop is in into vlan 20 and try to renew to get an ip from 172.20.20.0/24 subnet associated with vlan 20 but I get an ip from 192.168.0.0/24 which is associated with vlan 1. The only way to get this to work is I have to go into the sg300 and delete the dhcp binding and then renew and I then get an IP address from 172.20.20.0. I would have thought that if I put the laptop in vlan 20 and released and renewed the sg300 would give me an IP address from 172.20.20.0 not 192.168.0.0 which is associated with vlan 1. What am I missing? Why is the sg300 responding with an ip from different vlan?

    I've also experienced this and there was a similar post unanswered this month I believe.  It may not be considered a bug or a problem since hosts aren't expected to change vlans like they do when we use our PCs for testing.  Personally I would think that each vlan would have its own isolated binding table as well as every other table, array or structure.  Maybe someone can explain a solution or the reason why this is normal.

  • SG200 to SG300 VLAN

    Hi All,
    I have a customer with several SG300's providing VLAN1 for data and VLAN10 for voice. The PC's are piggy backing off the phones and showing up in the SG300 fine:
    One department has recently employed more people so we have an SG200 switch to connect the computers and phones to. I don't seem to be able to get any connectivity between the new switch and the SG300 it is connecting to. I have setup VLAN1 and 10 as per the images below:
    Am I (most likely) missing something obvious here?
    Thanks in advance.

    If all ports are 1u, 10t between both switches then there is a different problem.
    I guess it's possible the new SX200 switch can be just acting wonky. Did you upgrade any firmware before installation?
    I'd probably load the newest software and reset the switch to make sure it isn't being weird with you.
    -Tom
    Please mark answered for helpful posts

  • Sg200-sg300 vlan help

    I am experimenting with a setup carrying vlan's to other parts of a building through switches.
    My current config doesn't work. Anyone care to lend some brainpower?
    Here is a crude drawing. https://dl.dropboxusercontent.com/u/45775353/nc-vlan-lab.pdf
    Basically I want to give devices access to Vlan's 10,20, and 30 on another side of the building. We have LAG groups tagged with each vlan going to each switch. On the final switch we are using general instead of trunk port settings for the last mile to the wap.
    I tried it with access, and ingress filtering on/off. Nothing worked.
    I am obviously missing something.

    It would be nice if they showed you all the memberships in the same screen. It does look like that for the LAG group.

  • SG300 + SG500 = intervlan headache

    Ok so I am pulling out my hair with this one and now it's time to ask the people with experience.  Basically I have a sg500 stack running a router-on-a-stick setup.  I have run out of virtual ports on the sonicwall and am now trying to get internet to route between vlans by taking the sonicwall out of the equation.  I have had NO luck and can never get any vlan other than 50 to see the internet.  So here it goes.
    Main SG500
    - Vlan 50 contains a direct trunk connection to the sonicwall on gi 13
    - Vlan 50 contains a direct trunk connection to sg300 on gi 42
    - 14-41 are in vlan 50 as access ports (internet is ok)
    - Vlan 50 is set for ip address 192.168.50.1
    - Sonicwall ip is 192.168.50.254
    Remote SG300
    -Vlan 51 is access ports 1-5 ip address 192.168.51.1
    -Vlan 52 is access ports 6-9 ip address 192.168.52.1
    -Vlan 53 is access ports 10-11 ip address 192.168.53.1
    -Vlan 50 is trunk port 20 ip address 192.168.50.2
    -dhcp is setup on each interface as well
    I am not even sure this is possible but I need to somehow route the 192.168.51.1 to 192.168.50.254 so it can get online.  However no matter what I try in the routing table I constantly get stuck behind the vlan gateway.  So if I'm on 192.168.52.10 and I trace route out to 192.168.50.1 or 192.168.50.2 or 192.168.50.254 it ALWAYS stops at 192.168.52.1.  Any ideas?  Suggestions?  I'm about ready to give it up and just throw them all together.  I have spent far too long on this already.
    Just to give you an idea what this is for, there are 3 rental offices that all three need internet but should not be able to talk to each other.  Private ports would work but these offices have multiple ethernet ports and if they plug in a printer and PC they won't be able to talk.  Any ideas would be greatly appreciated

    I will try to whip something up for you shortly.  I thought the tagging would work as well but I seem to have hit another brick wall.  I will draw something up later but basically it's
    SG500
    gi13-42 Vlan 50 ip 192.168.50.1
    gi13 trunk 50U 51T 52T 53T to Sonicwall 192.168.50.254
    gi42 trunk 50U 51T 52T 53T to SG300
    SG500
    gi1-5 access Vlan 51 ip 192.168.51.1
    gi6-8 access Vlan 52 ip 192.168.52.1
    gi9-11 access Vlan 53 ip 192.168.53.1
    gi20 Trunk Vlan 50 ip 192.168.50.3  50U 51T 52T 53T
    Looking at this I am thinking having vlan 50 on two different IPs may cause some confusion.  Either way I'm sure I tried without with no luck

  • SG300-10 VLAN Questions

    My apologies if this has been asked before, but I have some questions regarding the setup of my new switch and network. I have never worked with switches before, so this is quite a learning experience. The picture above describes the current layout of my network. Here is how I have tried to set it up, so far.
    VLAN 1 [Ports 1-4, Untagged, Trunk] (172.16.1.1/24)
    Workstation A (Wired)
    172.16.1.2/24
    Server B (Wired)
    172.16.1.3/24
    VLAN 2 [Ports 5-8, Untagged, Trunk] (172.16.2.1/24)
    Server C (Wired)
    172.16.2.2/24
    Server D (Wired)
    172.16.2.3/24
    Server E (Wired)
    172.16.2.4/24
    Server F (Wired)
    172.16.2.5/24
    VLAN 3 [Ports 9-10, Untagged, Trunk] (192.168.1.1/24)
    Laptop G (Wireless)
    DHCP via Router
    Laptop H (Wireless)
    DHCP via Router
    Laptop I (Wireless)
    DHCP via Router
    Wireless Router
    192.168.1.254/24
    Now, my goal is to have all 3 VLANs be able to talk to each other but also have VLAN 1 access the internet, through the wireless router. In the future I would also like Server B to be able to expose services (http & ssh) to the outside. VLAN 2 shouldn't have internet access at all. I know I can add static routes to the wireless router, if need be. All three laptops, can access the internet through the wireless router, without any problems.
    So my questions are:
    1) Is there anything inherently wrong with the design of this network? If so, what could be changed?
    2) Is VLAN 3 really necessary?
    3) What would I need to do, to get the 3 VLANs communicating with each other?
    4) What should the gateway be, to get VLAN 1 internet access?
    5) What would I need to do, to expose Server B services to the outside?
    6) What static routes do I need to add?
    Thanks in advance!
       Jer

    Hello Jeremy,
    Thank you for your interest and patience.
    You are on the right track here. However, several important changes must be made. Consider the following concepts:
    The concept of a native VLAN. The link between the router and the switch must be part of VLAN 1. Otherwise, information from the router will not be distributed correctly on the switch due to the current PVID of 3.
    The VLAN IP Interface (VLAN IP Address) identifies the subnet for the VLAN. Therefore, thinking of the switch as a router, you are correct that the default gateway for each client should be the respective VLAN interface on the switch. The switch will automatically route between directly connected IP Interfaces and their subnets.
    However, in order for your clients to get to network that the switch doesn't know about, (the internet), there must be a default route to the router.
    Additionally, in order for the router to forward information from the internet back to the VLANs on the switch, the router must know how to reach the different VLANs.
    The following linked figure (Fig. 1) describes an appropriate sample setup. See here.
    In this scenario, a SG300-10 is configured with 3 VLANs:
    VLAN 1 - Default VLAN, used for management - 192.168.1.x/24 - Ports 9-10 - 1U - Trunk Mode
    VLAN 2 - Servers - 192.168.2.x/24 - Ports 5-8 - 2U - Trunk Mode
    VLAN 3 - Workstations - 192.168.3.x/24 - Ports 1-4 - 3U - Trunk Mode
    VLAN 1 is used to communicate to the router. Therefore, the following default route must be added to the switch's configuration:
    ip route      0.0.0.0      0.0.0.0      192.168.1.1
    The switch will automatically build the routes between the VLANs local to the switch. Visualize Server C going to google.com. Its IP address is 192.168.2.2. Its default gateway should be the VLAN 2 IP Interface on the switch (192.168.2.254 in this example). Because the default route is configured, the switch will forward the internet request to the router. The router will then forward the request to your ISP out the WAN where it will eventually reach Google.
    However, when the request comes back into the router, the router must know to route it to the 192.168.2.x subnet. So, in order for this to work, routes that accomplish the following must be configured on your router:
    Subnet IP               Mask                    Gateway                                              Interface
    192.168.2.1             255.255.255.0        192.168.1.254 (SG-300 IP Interface)         LAN
    192.168.3.1             255.255.255.0        192.168.1.254 (SG-300 IP Interface)         LAN
    As you have already discovered, there are several limitations to using a router that does not support 802.1Q tagging. Chiefly, your clients will not receive either DHCP or DNS automatically from the router. To mitigate this, you can do either of the following:
    Run a DHCP server with multiple DHCP scopes on a device connected to your switch. You can then use Option 82 on the switch to route DHCP requests and DNS info between VLANs on the switch.
    Statically configure IP and DNS information. You could enter Open DNS Servers or Google's DNS servers on your clients.
    Ideally, you would want to use a router that supports 802.1Q tagging. In this figure here (Fig. 2), you can see the VLAN configuration page for a Cisco RV180W, a very capable and affordable small business router that I highly recommend. Port 1 on the RV180W is configured as a trunk port and carries VLANs 1-3 to the switch. The clients automatically receive IP addresses and DNS information from the correct DHCP pool on the router.
    Do not hesitate to contact us. We are always happy to help.
    All the best,
    -David Aguilar
    Cisco Small Business Support Center
    1-866-606-1866

  • No internet access on VLANs with RV042G and SG300

    I'm trying to set up a network for a small business which will have different offices, and so I want to separate them all by VLAN so that they can't access each other's files. The problem is that I can't access the internet from any of the VLANs, including the default.
    The RV042G router is connected to the internet through the WAN1 port and has a static IP address of 10.4.1.1. I enabled multiple subnets and added one for each of the VLANs (1 - admin, 10, 20, 30, 100 - guest). I also created static routes to the SG300 switch, which has an IP address of 10.4.1.2, 10.4.10.2, etc. The switch is in Layer 3 mode and is functioning as the DHCP server. I also have a wireless access point set up that broadcasts an SSID for each VLAN, however this is not the issue since no internet connection can be established wirelessly or with a wired connection.
    I am fairly certain it has something to do with the data not being correctly routed through from the internet to the client, however I can't seem to find what is configured incorrectly. If anyone could offer some suggestions it would be appreciated. Please let me know if you need more info, I have attached some of the configuration screens for reference.

    Hi Paul,
    Thanks for the suggestion, but I changed it from Gateway to Router and this didn't fix the problem, still no internet access.
    I have a cable modem box that connects to the RV042G through WAN1, and then the RV042G connects to the SG300 through port 1 on the RV042G. On the RV042G, this port is set to VLAN1, while the port on the SG300 is set as a trunk port. The SG300 is then assigning IP addresses to the clients. It has 4 different VLANs created that go to different offices. Does this help you understand the setup any better?

  • WLC, FlexConnect, ISE: Dynamic VLAN not working

    Hi,
    Not sure if this is a WLC or ISE problem, but since I am unsure of the WLC config I will try here first.
    Equipment:
    WiSM2 7.2.111.3
    ISE 1.1.1.268
    AP 3502 in FlexConnect
    What I want to achieve:
    One SSID, multiple VLAN
    Devices get profiled in ISE and based on type of device they get assigned to a VLAN
    Problem:
    When the device connects the first time it ends up in native VLAN and not switched to the right VLAN, but when I reconnect then it is added to the right VLAN.
    WLC config (I know you like images so here you go ):
    I must be missing something but I can't figure out what. I will be attaching a debug aaa event enable for when the client connect the first time.
    In ISE I have an Authorization Profile that just says VLAN ID/Tag 158 (the VLAN that the device should go to) and it is added to the Authorization rule of the profiled device. CoA is set to Reauth.
    When the client connects I get three events in ISE:
    1.
    Authentication failed :
    22056 Subject not found in the applicable identity store(s)
    2. Authentication Success. With the results:
    UserName=00:18:DE:A2:BC:3A
    User-Name=00-18-DE-A2-BC-3A
    State=ReauthSession:c20e8b2f0000027e50ed27f8
    Class=CACS:c20e8b2f0000027e50ed27f8:ISE01/144259326/671335
    Termination-Action=RADIUS-Request
    Tunnel-Type=(tag=1) VLAN
    Tunnel-Medium-Type=(tag=1) 802
    Tunnel-Private-Group-ID=(tag=1) 158
    cisco-av-pair=profile-name=AX-Intel-Device
    3.
    Dynamic Authorization failed :
    11213 No response received from Network Access Device
    Has anyone got this to work? Do I need to add FlexConnect groups? If so then why?
    Regards,
    Philip

    I think you're hitting CSCua58554
    The bugtoolkit description is horrible....  From what I recall when I ran into it, I believe that Flex connect is having a problem with Mac filtering based AAA override on open wlans (and/or CWA based).  In general, AAA override works fine when it is from like an eap authentication.
    We had to use a 7.3 ES to resolve it.....
    Looks like it is implemented in 7.4 though.....     If you don't want to join the 7.4 bandwagon quite yet, you might could ask TAC for an ES of 7.3,  don't think they have a 7.2 build.
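
The Authentication Success event in the post above lists the three attributes that carry a dynamic VLAN (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, all with tag 1). The following is an added example, not code from the thread or from Cisco, that decodes the attribute section of an Access-Accept and checks that the set is complete and consistent. The helper names, the constructed sample replies and the strict tag matching are assumptions of this example; the attribute numbers and values are those of RFC 2868 and RFC 3580.

```python
# Added example: validate the VLAN attributes of a RADIUS Access-Accept.
# Attribute numbers and values follow RFC 2868 / RFC 3580.

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
         81: "Tunnel-Private-Group-ID"}
WANT = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6}   # 13 = VLAN, 6 = IEEE-802


def attr(attr_type, tag, value):
    """Encode one tagged attribute: type, length, tag octet, value."""
    if isinstance(value, int):
        body = bytes([tag]) + value.to_bytes(3, "big")
    else:
        body = bytes([tag]) + value.encode("ascii")
    return bytes([attr_type, len(body) + 2]) + body


def parse_attrs(blob):
    """Split a RADIUS attribute section into (type, value-bytes) pairs."""
    pos, out = 0, []
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"bad length {length} at offset {pos}")
        out.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return out


def check_vlan_reply(blob):
    """Return (vlan_id or None, list of problems) for one Access-Accept."""
    groups, problems = {}, []
    for attr_type, value in parse_attrs(blob):
        if attr_type in WANT:
            if len(value) != 4:
                problems.append(f"{NAMES[attr_type]}: expected tag + 3 octets")
                continue
            number = int.from_bytes(value[1:], "big")
            groups.setdefault(value[0], {})[attr_type] = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is data, not a tag.
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    if not groups:
        return None, ["no tunnel attributes in reply"]
    # Assumption of this checker: all three attributes must share one tag.
    for tag, got in sorted(groups.items()):
        missing = [NAMES[t] for t in NAMES if t not in got]
        if missing:
            problems.append(f"tag {tag}: missing " + ", ".join(missing))
            continue
        wrong = [NAMES[t] for t, v in WANT.items() if got[t] != v]
        if wrong:
            problems.append(f"tag {tag}: unexpected value in " + ", ".join(wrong))
            continue
        vid = got[TUNNEL_PRIVATE_GROUP_ID]
        if not (vid.isdigit() and 1 <= int(vid) <= 4094):
            problems.append(f"tag {tag}: {vid!r} is not a VLAN ID in 1-4094")
            continue
        return int(vid), problems
    return None, problems


# Constructed sample replies (not captured traffic). GOOD mirrors the
# attribute values shown in the post; the others are deliberately broken.
USER_NAME = bytes([1, 19]) + b"00-18-DE-A2-BC-3A"
GOOD = USER_NAME + attr(64, 1, 13) + attr(65, 1, 6) + attr(81, 1, "158")
NO_MEDIUM = attr(64, 1, 13) + attr(81, 1, "158")
MIXED_TAGS = attr(64, 1, 13) + attr(65, 1, 6) + attr(81, 0, "158")

if __name__ == "__main__":
    for name, blob in [("GOOD", GOOD), ("NO_MEDIUM", NO_MEDIUM),
                       ("MIXED_TAGS", MIXED_TAGS)]:
        print(name, check_vlan_reply(blob))
```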

  • SG300-28 Firmware 1.1.2.0 and 1.2.7.76 - Dynamic VLAN+freeRADIUS - Client get rejected

    Hello ladies and gentlemen,
    I am using several SG300-28 Switches with firmware version 1.1.2.0.
    I have dynamic VLAN enabled. As RADIUS server I am using freeradius 2.1.12.
    Authentication is only based on the MAC address. (I configured that on the switches)
    On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches).
    I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just want to use the MAC address.
    In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on freeradius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the freeradius log then this MAC address was successfully authorized.
    The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN.
    If I unplug and re-plug the LAN cable in most cases the client get the correct VLAN and the correct IP.
    This is happening randomly on nearly all my PCs.
    I would really appreciate your help. Do I have to set some timers higher ? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.
    Thank you very much for your help!
    Regards
    Alexander Wilke

    This is from my CISCO log. The computer is always online but there are repeated rejects and then with a delay of some minutes an accept.
    2147483395  2012-Aug-09 21:40:05  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483396  2012-Aug-09 21:38:23  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483397  2012-Aug-09 21:38:23  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483398  2012-Aug-09 21:16:05  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483399  2012-Aug-09 21:13:42  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483400  2012-Aug-09 21:13:42  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483401  2012-Aug-09 21:04:04  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483402  2012-Aug-09 21:03:50  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483403  2012-Aug-09 21:03:50  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483404  2012-Aug-09 20:52:02  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483405  2012-Aug-09 20:49:02  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483406  2012-Aug-09 20:49:02  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483407  2012-Aug-09 20:40:04  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483408  2012-Aug-09 20:39:10  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483409  2012-Aug-09 20:39:10  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483410  2012-Aug-09 20:16:06  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483411  2012-Aug-09 20:14:29  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483412  2012-Aug-09 20:14:29  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483413  2012-Aug-09 19:28:01  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483414  2012-Aug-09 19:25:08  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483415  2012-Aug-09 19:25:08  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483416  2012-Aug-09 19:15:59  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483417  2012-Aug-09 19:15:16  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483418  2012-Aug-09 19:15:16  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483419  2012-Aug-09 19:04:00  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483420  2012-Aug-09 19:00:27  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483421  2012-Aug-09 19:00:27  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483422  2012-Aug-09 18:27:59  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483423  2012-Aug-09 18:25:55  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483424  2012-Aug-09 18:25:55  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    Any ideas ?
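
The reject-then-accept pattern in the switch log above can be measured instead of read by eye. The following is an added example, not part of the original post: it pairs each rejection with the next authorization on the same port, reports how long the port stayed unauthorized, and flags ports that cycle repeatedly. The sample entries are copied from the log in the post; the function names and the thresholds (3 rejections within one hour) are assumptions of this example.

```python
# Added example: measure 802.1X / MAC-auth flapping from SG300 log entries.
import re
from datetime import datetime, timedelta

# \s+ also matches line breaks, so this works whether each entry is on one
# line or spread over several lines (index / time / severity / message).
ENTRY = re.compile(
    r"(\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\s+\w+\s+"
    r"%SEC-[IW]-(PORTAUTHORIZED|PORTUNAUTHORIZED|SUPPLICANTUNAUTHORIZED): "
    r"(?:MAC (\S+) was rejected on port (\S+)|Port (\S+) is \w+)"
)


def parse(log_text):
    """Yield (time, kind, mac or None, port) for every %SEC entry found."""
    for m in ENTRY.finditer(log_text):
        when = datetime.strptime(m.group(1), "%Y-%b-%d %H:%M:%S")
        yield when, m.group(2), m.group(3), m.group(4) or m.group(5)


def outages(log_text):
    """Return [(port, mac, start, seconds_unauthorized)], oldest first."""
    events = sorted(parse(log_text), key=lambda e: e[0])  # log is newest-first
    open_since, result = {}, []
    for when, kind, mac, port in events:
        if kind == "PORTAUTHORIZED":
            if port in open_since:
                start, seen_mac = open_since.pop(port)
                gap = int((when - start).total_seconds())
                result.append((port, seen_mac, start, gap))
        else:
            # The reject and the port-down entry share a timestamp; keep the
            # earliest start and whichever entry carried the MAC address.
            start, seen_mac = open_since.get(port, (when, None))
            open_since[port] = (start, mac or seen_mac)
    return result


def flapping_ports(log_text, min_rejects=3, window=timedelta(hours=1)):
    """Ports with at least min_rejects outages starting inside one window."""
    starts = {}
    for port, _mac, start, _secs in outages(log_text):
        starts.setdefault(port, []).append(start)
    flagged = []
    for port, times in starts.items():
        for i in range(len(times) - min_rejects + 1):
            if times[i + min_rejects - 1] - times[i] <= window:
                flagged.append(port)
                break
    return flagged


# First nine entries of the log in the post, one entry per line.
SAMPLE = """
2147483395 2012-Aug-09 21:40:05 Informational %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483396 2012-Aug-09 21:38:23 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483397 2012-Aug-09 21:38:23 Warning %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483398 2012-Aug-09 21:16:05 Informational %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483399 2012-Aug-09 21:13:42 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483400 2012-Aug-09 21:13:42 Warning %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483401 2012-Aug-09 21:04:04 Informational %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483402 2012-Aug-09 21:03:50 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483403 2012-Aug-09 21:03:50 Warning %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
"""

if __name__ == "__main__":
    for port, mac, start, secs in outages(SAMPLE):
        print(f"{start}  {port}  {mac}  unauthorized for {secs}s")
    print("flapping:", flapping_ports(SAMPLE))
```

Comparing the outage start times with the RADIUS server's own log for the same MAC address shows whether each rejection corresponds to a request the server actually answered.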

  • Cisco ISE 1.2.1.198 Guest Portal Vlan Override at Mobile Device (android,IOS) not working

    Hi Guy, 
    In my ISE deployment, once the guest is successfully authenticated they will be assigned the guest VLAN for internet access.
    We are using the guest portal to do the VLAN override once the user is authenticated.
    Windows 7 Internet Explorer (ActiveX) and Chrome (Java Applet) are working fine,
    but Android and Apple iOS devices are unable to release the DHCP lease and get a new one.
    From ISE and the WLC we can see the VLAN has changed; how do mobile devices initiate a DHCP release for the Guest Portal?
    Kindly advise.
    Regards
    Freemen

    I don't have such documentation nor I could find any on Cisco's site. With that being said, it doesn't mean that it doesn't exist. I just know that Active X is windows specific framework and Java is not supported on either iOS nor Android:
    http://www.java.com/en/download/faq/java_mobile.xml
    The good news is that Cisco appears to be steering away from Java so it is possible that in the future this will be supported. 
    Hope this helps!
    Thank you for rating helpful posts!

  • SG300: How to set up routing between VLANs?

    I have recently purchased a Cisco SG300-10.  I need it to perform routing between two VLANs on the switch. Seems like this should be quick and easy to do from the built in GUI. When I configure it according to the documentation, it does not route between the VLANs.
    I have set the system mode to L3 (for level 3 switching).
    I have followed the instructions on pages 26 through 33 of the attached PDF (which I obtained from the Cisco site). I used the same ports on the switch and the same IP addresses as shown in the document.
    Everything works until I attempt the step "ping 10.1.1.10" on page 33. This is the step to verify the level 3 switching between the 2 PCs (on separate VLANs).
    The switch Firmware Version (Active Image): 1.3.5.58
    I have attached the running configuration from the switch. It is the file named "running-config.txt".   
    The 2 PCs that I am using are running Windows 7 and Windows 8.

    Hi jkst,
    There is a very minimum requirement to obtain layer 3 intervlan routing
    1- 2 VLAN in layer 3 mode assigned an IP address
    config t
    vlan database
    vlan 2
    int vlan 1
    ip address 192.168.1.1 /24
    int vlan 2
    ip address 192.168.2.1 /24
    2 - Active link state on each VLAN - Define a port for the second vlan then connect an IP device to that port and another device to another port since the rest of the ports will default to vlan 1
    config t
    int gi2
    switchport mode access
    switchport access vlan 2
    3 - Assign your device #1 that connects to any port an ip address on the same subnet as vlan 1
    Computer in vlan 1 IP info=
    192.168.1.100
    255.255.255.0
    192.168.1.1
    Computer in vlan 2 IP info-
    192.168.2.100
    255.255.255.0
    192.168.2.1
    Assuming these devices respond to ping and do not have external wireless communication, this will provide basic IP connectivity through the switch across vlans.
    -Tom
    Please mark answered for helpful posts

  • SG300 - Separating network using vlan?

    I am wondering what the best way to separate a network, both data, on a cisco SG300. I do not want network 1 to able to communicate with network 2 or vice versa.  I have one server for DHCP for network 1, 192.168.1.X. I would like network 2 to have ip of 10.0.0.X, can the cisco SG300 do dhcp for this vlan?
    Thank you for your help,
    Brian

    Hello Brian, the SX300 series do not support any DHCP service, you will need a router or a DHCP box for this. The SX300 can separate traffic with VLAN. However, as the default layer 2, all requests will go to your router then route to the destinations. As the switch in layer 3 mode, you may have local connectivity, however, if your router does not support the vlans or dot1q encapsulation, the router would require static routes for those subnets to be able to correctly route to the internet.
    -Tom
    Please rate helpful posts
