VLAN on 2 SG300-28

I need 2 VLANs on 2 SG300-28.
1st SG300 - name sw1, 1VLAN - 192.168.0.10
2nd SG300 - name sw2, 1VLAN - 192.168.0.11
LAN is 192.168.0.1/24 GW 192.168.0.1
On SW1 I created 2 VLANs (10 and 100), with ports 3 and 4 in access mode for VLANs 10 and 100.
After that, I created 2 interfaces for VLANs 10 and 100 (10.200.8.254 and 10.200.7.254).
After that, I added VLANs 10 and 100 to port 25 (trunk to SW2).
On the PCs I set up IP 10.200.8.1 GW 10.200.8.254 and 10.200.7.1 GW 10.200.7.254
On SW2 I created 2 VLANs (10 and 100), with ports 3 and 4 in access mode for VLANs 10 and 100.
I added VLANs 10 and 100 to port 25.
On the PCs I set up IP 10.200.8.2 GW 10.200.8.254 and 10.200.7.2 GW 10.200.7.254
My test.
Ping from 10.200.8.1  to  10.200.8.254 PASS
Ping from 10.200.8.1  to  10.200.7.254 PASS
Ping from 10.200.8.1  to  10.200.7.1 PASS
Ping from 10.200.8.1  to  192.168.0.10 PASS
Ping from 10.200.8.1  to  192.168.0.11 LOSS
Ping from 10.200.8.1  to  192.168.0.1 LOSS
Ping from 10.200.8.1  to  10.200.8.2 LOSS
Ping from 10.200.8.2  to  10.200.8.1 LOSS
Ping from 10.200.8.2  to  10.200.8.254 LOSS
Where are my mistakes?
Sorry for my English.

Hello Zanin,
From the fact that you can't seem to get a ping reply from anything across the trunk link I would start my troubleshooting there. Make sure that you have both ports configured the same. If you are using port 25 on both switches then make sure it is 1U10T100T on both ends. What type of device is 192.168.0.1? If it supports 802.1Q tagging then you will need to set the same trunk config on the link to that device. If not, then you will need a route back to those 10.200.x.x networks via the 192.168.0.x interface to which the GW is connected. Hope this gets you sorted out.
Regards,
Mike
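
An added example (not part of the thread and not Cisco code): a Python check for the membership shorthand used in the reply above, where `1U10T100T` means VLAN 1 untagged and VLANs 10 and 100 tagged. It compares the two ends of a trunk and lists the VLANs that would not cross it; the function names and the port memberships in the demo are constructed for illustration.

```python
import re

# One token of the membership shorthand: a VLAN ID followed by
# U (untagged) or T (tagged), e.g. "1U10T100T".
_TOKEN = re.compile(r"(\d+)([UT])")


def parse_membership(spec):
    """Return (untagged_vlan_or_None, set_of_tagged_vlans) for one port."""
    spec = spec.strip().upper().replace(",", "").replace(" ", "")
    pos, untagged, tagged = 0, None, set()
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {spec[pos:]!r}")
        vlan, mode = int(m.group(1)), m.group(2)
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} is outside 1-4094")
        if vlan == untagged or vlan in tagged:
            raise ValueError(f"VLAN {vlan} listed twice")
        if mode == "U":
            # Trunk mode carries exactly one untagged (native) VLAN.
            if untagged is not None:
                raise ValueError("only one untagged VLAN is allowed on a trunk")
            untagged = vlan
        else:
            tagged.add(vlan)
        pos = m.end()
    return untagged, tagged


def compare_trunk_ends(spec_a, spec_b):
    """List the mismatches that stop VLANs crossing a trunk between A and B."""
    untag_a, tag_a = parse_membership(spec_a)
    untag_b, tag_b = parse_membership(spec_b)
    findings = []
    if untag_a != untag_b:
        findings.append(f"untagged VLAN differs: A={untag_a} B={untag_b}")
    # VLANs tagged on exactly one end are dropped by the other end.
    for vlan in sorted(tag_a ^ tag_b):
        missing_on = "B" if vlan in tag_a else "A"
        other_untagged = untag_b if missing_on == "B" else untag_a
        if vlan == other_untagged:
            findings.append(f"VLAN {vlan} is tagged on one end but untagged on {missing_on}")
        else:
            findings.append(f"VLAN {vlan} is tagged on one end but not a member on {missing_on}")
    return findings


if __name__ == "__main__":
    # Constructed sample: sw1 port 25 as recommended, sw2 port 25 left at default.
    for problem in compare_trunk_ends("1U10T100T", "1U"):
        print(problem)
```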

Similar Messages

  • Dynamic VLAN assignment on SG300

    Cisco documentation states that dynamic vlan assignment via RADIUS should provide the following IETF values:
    The RADIUS user attributes used for the VLAN ID assignment are:
    IETF 64 (Tunnel Type)—Set this to VLAN.
    IETF 65 (Tunnel Medium Type)—Set this to 802
    IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID
    I have done so with an Aruba Clearpass RADIUS server - but the Access-Accept message being sent below:
    Radius:IETF:Tunnel-Medium-Type     6
    Radius:IETF:Tunnel-Private-Group-Id     4
    Radius:IETF:Tunnel-Type     13
    is being received by the SG300 in some way that's not being interpreted correctly. Log files indicate that the IETF values are not what is expected:
    07-Aug-2014 18:58:41 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID
    07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0
    07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0
    Is there something I'm missing here? These same values sent by the Clearpass RADIUS server are working for other switches such as Extreme and Brocade.
    Thanks,
    Aaron

    Hi Aleksandra,
    Here are the values from a packet capture of the Access-Accept message:
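
An added example (not part of the thread, and not the packet capture referred to above): a Python decoder for the three tunnel attributes, showing the tag octet that the switch log complains about. The attribute bytes are constructed here from the values in the post (Tunnel-Type 13, Tunnel-Medium-Type 6, group ID 4); the rule that every tag must be 0 is taken from the log messages, and applying it to attribute 81 as well is an assumption.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values quoted in the post


def encode_tunnel_attrs(vlan_id, tag):
    """Build attributes 64, 65 and 81 for one VLAN (constructed test input)."""
    out = b""
    for attr, value in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        # Type, Length = 6, Tag, then a 3-octet value.
        out += bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    # This sample encoder omits the tag octet on attribute 81 when the tag is 0.
    body = (bytes([tag]) if tag else b"") + group
    return out + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body


def parse_attributes(blob):
    """Split a RADIUS attribute area into (type, value_bytes) pairs."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"attribute {attr_type} has bad length {length}")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs


def decode_tunnel_attrs(blob):
    """Return {attribute: (tag, value)} for attributes 64, 65 and 81."""
    found = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"attribute {attr_type} needs tag + 3 octets")
            found[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                raise ValueError("attribute 81 is empty")
            # RFC 2868: a first octet above 0x1F is text, not a tag.
            if value[0] <= 0x1F:
                found[attr_type] = (value[0], value[1:].decode("ascii"))
            else:
                found[attr_type] = (0, value.decode("ascii"))
    return found


def check_tags_zero(blob):
    """List what a receiver that insists on tag 0 would object to."""
    found = decode_tunnel_attrs(blob)
    problems = []
    for attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if attr not in found:
            problems.append(f"attribute {attr} missing")
        elif found[attr][0] != 0:
            problems.append(f"attribute {attr} has tag {found[attr][0]}, expected 0")
    if found.get(TUNNEL_TYPE, (0, VLAN))[1] != VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if found.get(TUNNEL_MEDIUM_TYPE, (0, IEEE_802))[1] != IEEE_802:
        problems.append("Tunnel-Medium-Type is not 802 (6)")
    return problems


if __name__ == "__main__":
    for tag in (1, 0):
        blob = encode_tunnel_attrs(4, tag)
        print(f"tag={tag} bytes={blob.hex()} problems={check_tags_zero(blob)}")
```

If the check reports non-zero tags, the fix belongs on the RADIUS server side: configure the reply so the tunnel attributes are sent with tag 0 or untagged.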

  • SG300-28 & SG200-26 VLAN routing

    I have a SG300-28 and a SG200-24. Both are running the latest firmware.
    I am having some major issues getting multiple vlans to route across the two switches.
    On the SG300 I am in Layer 3 mode. I have configured 4 vlans 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24 (vlan 1-4). Each vlan interface is configured with .1 of the respective vlan.
    I have the SG200 connected to the SG300 via the last available port on each switch. They are set to trunk. I have created the VLANS on the SG200. 
    What I would like to do is set ports 1-4 on the SG200 to VLAN 2. Ports 7-12 on VLAN 3, and the rest on VLAN 4. 
    First off I am assuming this is possible. I have tried the configuration multiple ways, I've tagged ports, not tagged ports, etc. I'm not sure where to go from here.
    Any help would be appreciated.                   

    Hello Thomas,
    I am assuming you have created these VLANs on the SG300 (not just Layer 3 interfaces) as well. Also, the ports are automatically in Trunk mode. But you need to manually add VLANs that need to be tagged on those ports.
    http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=78
    If you have done all these steps, can you please be more specific on the issues you are facing?
    Regards,
    Nagaraja

  • SG300-24P VLANs

    I'm moving from a WS-C2960-24PC-L to a SG300-24P.  Most things are working ok.  I'm seeing one thing that isn't coming over as expected, but it might be a syntax problem.  I have two ports that are setup on two VLANs.  Here is the port config from the 2960:
    interface FastEthernet0/1
     switchport trunk native vlan 4
     switchport trunk allowed vlan 4,40
     switchport mode trunk
    interface FastEthernet0/2
     switchport trunk native vlan 4
     switchport trunk allowed vlan 4,40
     switchport mode trunk
    Here is the port config from the SG300
    interface gigabitethernet1
     switchport trunk allowed vlan add 40
     switchport trunk native vlan 4
    interface gigabitethernet2
     switchport trunk allowed vlan add 40
     switchport trunk native vlan 4
    The SG300 doesn't accept the same commands so this was as close as I could get.  Should this work as expected?  What I'm seeing is that VLAN 40 works ok, but not VLAN 4.

    I figured it out with the following:
    interface gigabitethernet1
     switchport trunk allowed vlan add 4,40
     switchport trunk native vlan 999
    interface gigabitethernet2
     switchport trunk allowed vlan add 4,40
     switchport trunk native vlan 999
    I created a fake VLAN 999 and set it to native. 

  • SG300 series duplicate IP on VLAN

    I know this question has been asked a few times before, and I've looked through all of those discussions on the board. None of those have been answered successfully, and I hope that maybe I can describe the problem in a way that will help someone here to find out what I'm missing.
    I'm configuring a stack of switches to deploy in a new A/V/L network and I'm running into a duplicate IP error that's showing up ONLY on my SG300 series switches. Here's the setup I'm configuring:
    - We have one 3750 Catalyst switch that is at the core of the network
    - There are three 2960 switches at the distribution level
    - There are nine SG300 small business switches at the access level
    GENERAL SETUP STEPS
    - IP routing is enabled on the 3750
    - I've configured trunk ports to connect all switches together, but I have not activated any access ports
    - I created management vlan 255 on all switches 
    - The management IP scheme I'm trying to use is this:
              10.201.255.1/24  = Vlan 255 on the 3750
              10.201.255.2/24  = Vlan 255 on 2960 switch
              10.201.255.3/24  = Vlan 255 on 2960 switch
              10.201.255.4/24  = Vlan 255 on 2960 switch
              10.201.255.5/24  = Vlan 255 on SG300 switch
              10.201.255.6/24  = Vlan 255 on SG300 switch
              10.201.255.7/24  = Vlan 255 on SG300 switch
              10.201.255.8/24  = Vlan 255 on SG300 switch
              10.201.255.9/24  = Vlan 255 on SG300 switch
              10.201.255.10/24  = Vlan 255 on SG300 switch
              10.201.255.11/24  = Vlan 255 on SG300 switch
              10.201.255.12/24  = Vlan 255 on SG300 switch
              10.201.255.13/24  = Vlan 255 on SG300 switch
     THE ISSUE
    While I'm logged into ANY of the SG300 switches I see an error. This error does not happen with the 2960 or the 3750 switches. Here is the error:
    %IPADTBL-N-IPDUPLICATE: Duplicate IP address 10.201.255.5 from MAC 88:5a:92:09:ab:98 was detected on VLAN 255, port gi18, aggregated (6)
    The ip address changes and matches the ip of whatever SG300 switch I'm working on. The MAC address (88:5a:92:09:ab:98) is the MAC address of the trunk port on the 3750 at the core. When I unplug the trunk port on the 3750, I stop getting the error on all of the SG300 switches. I have not programmed any other ip address on the 3750 other than 10.201.255.1 255.255.255.0.
    WHAT I'VE TRIED TO DO TO FIX IT
    - Remove the ip address from Vlan 1 on an SG300 switch using
             #int vlan 1
             #no ip address
         Once I did that, I can no longer reach the switch using the IP address assigned to vlan 255.
    - Assigning Vlan 1 as the default vlan using:
            #vlan database 
            #vlan 1
            #default-vlan vlan 1
            **then performed a restart of the switch
    Here's the output of #show ip interface from one of the SG300 switches:
    CR-FOH-PRONET#show ip int
      Gateway IP Address        Activity status       Type
        IP Address                I/F            Type         Status
    10.201.255.8/24     vlan 255       Static       Valid
                                                                             duplicated
    I realize the easy answer is, "Well, you've got a duplicate IP address". Please know that I only put in the ip address for each of the SG300 switches only once. I did not put them on the 3750 switch (which is stated as the source of the conflict in the error). I think it's interesting that the 2960 switches are not displaying an error.
    What are your thoughts? What am I missing?
    Thank you for your help! I can post anything you need to help figure out what's going on.

    Understood. Perhaps the duplicate IP issue appears because you are using trunk ports between the 2960 Distribution and 3750 Core with mismatching native vlans.
    Trunk ports use vlan 1 as the native vlan by default, but you can change the behavior using the command:
    switchport trunk native vlan 255
    That way you keep vlan 255 as the management and native vlan for trunks, and it prevents any mismatch or any issues that you observed when you removed the IP from Vlan 1 or when you tried disabling Vlan 1.
    Ideally, if I look at your diagram, you should do this:
    1) Run only Layer 3 Routing on the 3750 using for example EIGRP or OSPF (it then becomes a real core layer - the Core layer normally only runs routing and not Vlans or Spanning-tree).
    2) Change the links between the 3750 and the 2960 to be Layer 3 routed interfaces instead of trunks; you can use a point-to-point link subnet on each port going from the 3750 to the 2960.
    3) Enable EIGRP or OSPF between the 2960 and 3750 so that they can exchange all the Vlan information or subnet information via routing protocols.
    4) Run your Layer 3 Vlans on the 2960s (that makes them Distribution layer for Vlans) and trunk those vlans to your access layer so that you can assign them to the various hosts or PCs connected to the access switches, the SG300.

  • Spread vlans from SG300 to other SG300

    Hi,
    Propagate vlans from one SG300 to another SG300.
    I have two SG300-52 switches, and I would like to configure my switches to spread their vlans.
    What's the difference between "General, Access, Trunk or Customer" on the Interface VLAN Mode?
    Thanks for your help

    Hi Richard
    General mode allows multiple untagged vlans and also multiple tagged vlans to exist on the same switch interface. I have never used this mode personally.
    Trunk mode allows ONE untagged vlan and multiple Tagged vlans to exist on the same switch interface.
    Access mode allows only one untagged vlan to exist on a switch interface.
    I find the default setting of trunk mode the most useful, and therefore leave this setting alone.
    It allows any port to be untagged in one vlan and if needed tagged in many vlans, so this interface setting can be used for PCs that are not vlan aware or uplinks to other switches.
    You will notice at the top right corner of the configuration GUI a help option. This option brings up a window giving help on the GUI page you have in front of you.
    Hope that answered your question.
    regards Dave

  • 1 small office + 2 companies + shared resources = ? (SG300, SA520, WAP2000)

    I need to configure a network in 1 small office space that segregates 2 company domains but allows them to share an Internet connection, a WAP, a couple of printers, and a non-Cisco VoIP phone system. And, it needs to provide guest access to the internet and printers via wireless. I have a SG300-28P, an SA520W, and a WAP2000 to make it all happen. Here's the plan below. Will this work? Is there a better approach that uses the available equipment? Thanks in advance!!!
    VLANs:
    VLAN 1 - default, mgmt vlan, 192.168.1.0
    VLAN 10 - CompanyA-Data, 192.168.10.0
    VLAN 20 - CompanyB-Data, 192.168.20.0
    VLAN 30 - Guest, 192.168.30.0
    VLAN 50 - Printers, 192.168.50.0
    VLAN 100 - Internet, 192.168.100.0
    VLAN 200 - Voice, 192.168.200.0
    Device IPs:
    SG300 = 192.168.1.254
    SA520 = 192.168.1.1
    WAP2000 = 192.168.1.245
    DHCP Servers:
    VLAN 10 = SBS-A
    VLAN 20 = SBS-B
    VLANs 30,50,200 = SA520
    VLAN 1,200 = NO DHCP
    Wireless:
    SA520 is primary, WAP2000 is repeater (will it repeat multiple SSIDs???)
    SSIDA - VLAN10
    SSIDB - VLAN20
    SSID-Guest - VLAN30
    Switch Ports:
    SG300:
    1 = trunk, VLAN 1
    2-6, 25 = access, VLAN 10
    7-12, 26 = access, VLAN 20
    13 = access, VLAN 30 (unmanaged switch providing additional ports)
    14 = access, VLAN 50 (unmanaged switch providing additional ports)
    15-23 = access, VLAN 200
    24 = trunk, VLANs 10, 20, 30 (connect to WAP2000)
    27 = unallocated
    28 = trunk, all VLANs (connect to SA520 p4)
    SA520:
    1-3 = access VLAN 1
    4 = trunk all VLANs (connect to SG300 p28)
    Routing:
    SG300 in L2 mode using SA520 as router on a stick??

    Hi Rick,
    This is a great question that our Partner Design Support team can help you with.  Please go here to start chatting with them:
    https://supportforums.cisco.com/community/netpro/small-business/partnerzone/pds
    Refer the engineer to this post so that they can see what you have.
    Regards,
    Cindy Toy
    Cisco Small Business Community Manager
    for Cisco Small Business Products
    www.cisco.com/go/smallbizsupport
    twitter: CiscoSBsupport

  • SG 300-28p vlan configuration

    Hello,
    I have been trying to setup vlans on a SG300-28p but they are not working.
    This is my setup:
    I want Switch1 to have ports 1-10 to access the DMZ, and 11-24 the LAN.
    Then I want to add switch2-4 to extend the access to LAN.
    Is this possible?
    I tested with Cisco 2960 switches by just telling what ports would have access to
    DMZ and LAN but the small business switches are different.
    I really appreciate the help!

    Hi Francisco, assuming the 2960 worked and there was no configuration difference then the problem would be that you did not add the vlans to the trunk.  On a Catalyst you do not configure the vlans on a trunk since all vlans pass. On the SB switches you have to configure the vlans on the trunk otherwise only the native/default vlan works.
    -Tom
    Please mark answered for helpful posts

  • VLANs unable to reach outside world

    I just purchased a Cisco 1941 ISR for my home lab and I'm running into a problem with getting all my devices behind it to get to the internet. Below is a layout of my network.
    I have 7 VLANs on an SG300-20 layer 3 switch. The switch is connected to my 1941 ISR. I have cable and my ISP is Comcast and they provide a cable modem/router as well. Unfortunately I cannot get rid of this device and I cannot turn off the routing functionality, however I don't actually think that this device itself is causing any problems with the way I have it set up. I have a block of 5 static IPs from my ISP. I've used one of them as the IP address of my WAN link (G0/1), while the other interface is connected to my LAN (G0/0).
    I have interVLAN networking working just fine. I'm able to ping any VLAN gateway and/or host from any other device (this includes my switch and ISR). From my switch or any device behind it, I can ping the switch (10.1.8.1), I can ping my router (10.1.8.2), and I can even ping my router's WAN link (75.148.101.25). However, I cannot ping comcast's router (75.148.101.30). What is weird is that I can ssh into my ISR (which I can do from any device) and the Cisco router can ping the Comcast router and the outside world.
    If I try to ping 75.138.101.30 (Comcast external IP) from my switch or any device behind it, I get no response. If I try to ping 75.138.101.30 (Comcast external IP) from the Cisco 1941 I get a response.
    To me this looks like a problem with the Cisco router. It knows where to forward traffic but is refusing to do so for anything that does not originate from the router itself.
    Very lost at this point and looking for help.
    Thanks,
    Joshua

    Sure, no problem, happy to provide the full config. I'm very new to networking and just getting started. What command do I need to run to show the nat access list?
    raynor#show running-config
    Building configuration...
    Current configuration : 1827 bytes
    ! Last configuration change at 23:18:53 UTC Sat Aug 16 2014 by jschaeffer
    ! NVRAM config last updated at 23:20:33 UTC Sat Aug 16 2014 by jschaeffer
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname raynor
    boot-start-marker
    boot-end-marker
    enable secret 5 $6$t7$FHadfus1vHhykVc2QolPwTz/
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip domain name harmonywave.com
    ip name-server 75.75.75.75
    ip name-server 75.75.75.76
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    license udi pid CISCO1941/K9 sn FGL172610ZP
    username jschaeffer secret 5 $1$IQxQ$DtfZuO78mBeiEbsVD95Afq1
    username ckrupa one-time secret 5 $1$HAnq$$faaybor7t7wqewOqFLm9u0
    ip ssh version 2
    interface GigabitEthernet0/0
     description WAN link
     ip address 75.148.101.25 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     no ip route-cache cef
     no ip route-cache
     duplex auto
     speed auto
     no cdp enable
    interface GigabitEthernet0/1
     description LAN link
     ip address 10.1.8.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     no ip route-cache cef
     no ip route-cache
     duplex auto
     speed auto
     no cdp enable
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 75.148.101.30
    ip route 10.1.10.0 255.255.255.224 10.1.8.1
    ip route 10.1.10.32 255.255.255.224 10.1.8.1
    ip route 10.1.10.64 255.255.255.192 10.1.8.1
    ip route 10.1.11.0 255.255.255.0 10.1.8.1
    ip route 10.1.12.0 255.255.255.0 10.1.8.1
    ip route 10.1.15.0 255.255.255.0 10.1.8.1
    no cdp run
    control-plane
    line con 0
     logging synchronous
    line aux 0
    line vty 0 4
     login local
     transport input ssh
    line vty 5 15
     login local
     transport input ssh
    scheduler allocate 20000 1000
    end

  • Configure SG300 to work like an unmanaged switch

    Hi!
    How do I have to configure the SG300 so that it acts like any other completely unmanaged switch?
    I don't want to configure any vlans on the SG300. It should just work as if there weren't an SG300, but an unmanaged switch.
    The story behind:
    I want to use a SG300-28P as a PoE switch for FortiAP access points, but it doesn't work out of the box because FortiAP receives and sends some tagged and untagged VLAN traffic.
    Everything works if I use a cheaper, unmanaged PoE switch, but I can't get it to work if I use a SG300.
    Thanks for any help.
    Tom

    Thanks for your help. After disabling CDP and LLDP it started working.

  • SG300 Access Switch to TFTP for upgrading bootcode

    Hi all
    I want to upgrade the bootcode on two SG300 switches. They are in vlan 1002 10.195.52.0/24. I've connected a machine in the same vlan on a SG300. I can connect to this machine, all seems ok. If I'm now on the ssh console on this switch I can't ping it. I haven't any connection. I can only ping the own IP of this switch, no other switches. What must I do so that I can upgrade those bootcodes?
    Thx
    Stefan

    Hi,
    No, there will not be any interruption to my internal clients when they do autodiscover if you set to split DNS.
    A split-brain DNS infrastructure enables different IP addresses to be returned for a given namespace based on where the client resides – if the client is within the internal network, the IP address of the internal load balancer is returned; if the client is external, the IP address of the external gateway/firewall is returned.
    This approach simplifies the end-user experience – users only have to know a single namespace (e.g., mail.contoso.com) to access their data, regardless of where they are connecting. A split-brain DNS infrastructure also simplifies the configuration of Client Access server virtual directories, as the InternalURL and ExternalURL values within the environment can be the same value.
    I recommend that you refer to the following article to understand DNS planning in exchange 2013:
    Namespace Planning in Exchange 2013
    Hope this helps!
    Thanks.
    Niko Cheng
    TechNet Community Support

  • Vlan on SG200 - Am I missing something?

    Hi.
    I'm setting up a network with a vlan config - one 'inside' and one 'outside' vlan. Both vlans should not be able to talk to each other, but they should both be able to contact the default gateway and DHCP server.
    Therefore we have 2 vlans and 1 access port(?).  They use the same DHCP server, and also the same IP range and subnet.
    My question is this:
    1) Is this a good idea - 2 vlans with the same range and subnet?
    2) If it is ok, do I need anything else - i have a fear I need to buy another router (L3).  Because there is no bridging between subnets and ranges, I assumed that I could do it all without a router. If I do need to buy another router, can one (a simple one) be recommended, or should I return the SG200 and replace it with another device to make the number of  physical network devices low (we don't have a lot of wired connections...)?
    Many thanks.
    Regards,
    Andrew

    Hi Andrew
    2 vlans with the same range and subnet - it's not a good idea and will not help you in any way.
    SG200 is a layer 2 switch. As you already know you need layer 3 capabilities to route between vlans. An SG300 is the layer 3 big brother to the SG200 and costs a bit more. If you're on decent terms your dealer might let you swap up.
    If the vlans are to be kept separate then you should be ok with the SG200.
    You can steer a car with your feet but it doesn't make it a good idea either (Chris Rock) (:

  • SG300-10 VLAN Questions

    My apologies if this has been asked before, but I have some questions regarding the setup of my new switch and network. I have never worked with switches before, so this is quite a learning experience. The picture above describes the current layout of my network. Here is how I have tried to set it up, so far.
    VLAN 1 [Ports 1-4, Untagged, Trunk] (172.16.1.1/24)
    Workstation A (Wired)
    172.16.1.2/24
    Server B (Wired)
    172.16.1.3/24
    VLAN 2 [Ports 5-8, Untagged, Trunk] (172.16.2.1/24)
    Server C (Wired)
    172.16.2.2/24
    Server D (Wired)
    172.16.2.3/24
    Server E (Wired)
    172.16.2.4/24
    Server F (Wired)
    172.16.2.5/24
    VLAN 3 [Ports 9-10, Untagged, Trunk] (192.168.1.1/24)
    Laptop G (Wireless)
    DHCP via Router
    Laptop H (Wireless)
    DHCP via Router
    Laptop I (Wireless)
    DHCP via Router
    Wireless Router
    192.168.1.254/24
    Now, my goal is to have all 3 VLANs be able to talk to each other but also have VLAN 1 access the internet, through the wireless router. In the future I would also like Server B to be able to expose services (http & ssh) to the outside. VLAN 2 shouldn't have internet access at all. I know I can add static routes to the wireless router, if need be. All three laptops, can access the internet through the wireless router, without any problems.
    So my questions are:
    1) Is there anything inherently wrong with the design of this network? If so, what could be changed?
    2) Is VLAN 3 really necessary?
    3) What would I need to do, to get the 3 VLANs communicating with each other?
    4) What should the gateway be, to get VLAN 1 internet access?
    5) What would I need to do, to expose Server B services to the outside?
    6) What static routes do I need to add?
    Thanks in advance!
       Jer

    Hello Jeremy,
    Thank you for your interest and patience.
    You are on the right track here. However, several important changes must be made. Consider the following concepts:
    The concept of a native VLAN. The link between the router and the switch must be part of VLAN 1. Otherwise, information from the router will not be distributed correctly on the switch due to the current PVID of 3.
    The VLAN IP Interface (VLAN IP Address) identifies the subnet for the VLAN. Therefore, thinking of the switch as a router, you are correct that the default gateway for each client should be the respective VLAN interface on the switch. The switch will automatically route between directly connected IP Interfaces and their subnets.
    However, in order for your clients to get to network that the switch doesn't know about, (the internet), there must be a default route to the router.
    Additionally, in order for the router to forward information from the internet back to the VLANs on the switch, the router must know how to reach the different VLANs.
    The following linked figure (Fig. 1) describes an appropriate sample setup. See here.
    In this scenario, a SG300-10 is configured with 3 VLANs:
    VLAN 1 - Default VLAN, used for management - 192.168.1.x/24 - Ports 9-10 - 1U - Trunk Mode
    VLAN 2 - Servers - 192.168.2.x/24 - Ports 5-8 - 2U - Trunk Mode
    VLAN 3 - Workstations - 192.168.3.x/24 - Ports 1-4 - 3U - Trunk Mode
    VLAN 1 is used to communicate to the router. Therefore, the following default route must be added to the switch's configuration:
    ip route      0.0.0.0      0.0.0.0      192.168.1.1
    The switch will automatically build the routes between the VLANs local to the switch. Visualize Server C going to google.com. Its IP address is 192.168.2.2. Its default gateway should be the VLAN 2 IP Interface on the switch (192.168.2.254 in this example). Because the default route is configured, the switch will forward the internet request to the router. The router will then forward the request to your ISP out the WAN where it will eventually reach Google.
    However, when the request comes back into the router, the router must know to route it to the 192.168.2.x subnet. So, in order for this to work, routes that accomplish the following must be configured on your router:
    Subnet IP               Mask                    Gateway                                              Interface
    192.168.2.1             255.255.255.0        192.168.1.254 (SG-300 IP Interface)         LAN
    192.168.3.1             255.255.255.0        192.168.1.254 (SG-300 IP Interface)         LAN
    As you have already discovered, there are several limitations to using a router that does not support 802.1Q tagging. Chiefly, your clients will not receive either DHCP or DNS automatically from the router. To mitigate this, you can do either of the following:
    Run a DHCP server with multiple DHCP scopes on a device connected to your switch. You can then use Option 82 on the switch to route DHCP requests and DNS info between VLANs on the switch.
    Statically configure IP and DNS information. You could enter Open DNS Servers or Google's DNS servers on your clients.
    Ideally, you would want to use a router that supports 802.1Q tagging. In this figure here (Fig. 2), you can see the VLAN configuration page for a Cisco RV180W, a very capable and affordable small business router that I highly recommend. Port 1 on the RV180W is configured as a trunk port and carries VLANs 1-3 to the switch. The clients automatically receive IP addresses and DNS information from the correct DHCP pool on the router.
    Do not hesitate to contact us. We are always happy to help.
    All the best,
    -David Aguilar
    Cisco Small Business Support Center
    1-866-606-1866
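
An added example (not part of the reply and not Cisco code): a Python longest-prefix-match model of the router in the sample setup above, showing where replies to each VLAN go before and after the static routes are added. The route-table rows use network addresses (192.168.2.0/24), which is an assumption about how the router expects them, and the WAN next hop 203.0.113.1 is a constructed placeholder.

```python
import ipaddress

# Addresses from the reply's sample setup; the WAN next hop is constructed.
SWITCH_VLAN1_IP = ipaddress.ip_address("192.168.1.254")  # SG300 IP interface
ISP_NEXT_HOP = "203.0.113.1"
VLAN_SUBNETS = {1: "192.168.1.0/24", 2: "192.168.2.0/24", 3: "192.168.3.0/24"}


def route(prefix, next_hop, interface):
    """One routing-table row; next_hop=None means directly connected."""
    hop = ipaddress.ip_address(next_hop) if next_hop else None
    return (ipaddress.ip_network(prefix), hop, interface)


def lookup(table, destination):
    """Longest-prefix match: return the most specific matching row or None."""
    dest = ipaddress.ip_address(destination)
    matches = [row for row in table if dest in row[0]]
    return max(matches, key=lambda row: row[0].prefixlen, default=None)


def return_path_report(router_table, vlan_subnets=VLAN_SUBNETS):
    """For each VLAN, say where the router sends a reply to a host in it."""
    report = {}
    for vlan, prefix in vlan_subnets.items():
        host = next(ipaddress.ip_network(prefix).hosts())
        row = lookup(router_table, host)
        if row is None:
            report[vlan] = "dropped: no route"
        elif row[2] != "LAN":
            # Only the default route matched, so the reply heads to the ISP.
            report[vlan] = f"lost: reply sent out {row[2]}"
        elif row[1] not in (None, SWITCH_VLAN1_IP):
            report[vlan] = f"lost: wrong next hop {row[1]}"
        else:
            report[vlan] = "ok"
    return report


# Router that only knows its own LAN subnet and a default route.
ROUTER_BEFORE = [
    route("192.168.1.0/24", None, "LAN"),
    route("0.0.0.0/0", ISP_NEXT_HOP, "WAN"),
]
# Same router after adding the two static routes via the switch.
ROUTER_AFTER = ROUTER_BEFORE + [
    route("192.168.2.0/24", "192.168.1.254", "LAN"),
    route("192.168.3.0/24", "192.168.1.254", "LAN"),
]

if __name__ == "__main__":
    print("before:", return_path_report(ROUTER_BEFORE))
    print("after: ", return_path_report(ROUTER_AFTER))
```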

  • No internet access on VLANs with RV042G and SG300

    I'm trying to set up a network for a small business which will have different offices, and so I want to separate them all by VLAN so that they can't access each other's files. The problem is that I can't access the internet from any of the VLANs, including the default.
    The RV042G router is connected to the internet through the WAN1 port and has a static IP address of 10.4.1.1. I enabled multiple subnets and added one for each of the VLANs (1 - admin, 10, 20, 30, 100 - guest). I also created static routes to the SG300 switch, which has an IP address of 10.4.1.2, 10.4.10.2, etc. The switch is in Layer 3 mode and is functioning as the DHCP server. I also have a wireless access point set up that broadcasts an SSID for each VLAN, however this is not the issue since no internet connection can be established wirelessly or with a wired connection.
    I am fairly certain it has something to do with the data not being correctly routed through from the internet to the client, however I can't seem to find what is configured incorrectly. If anyone could offer some suggestions it would be appreciated. Please let me know if you need more info, I have attached some of the configuration screens for reference.

    Hi Paul,
    Thanks for the suggestion, but I changed it from Gateway to Router and this didn't fix the problem, still no internet access.
    I have a cable modem box that connects to the RV042G through WAN1, and then the RV042G connects to the SG300 through port 1 on the RV042G. On the RV042G, this port is set to VLAN1, while the port on the SG300 is set as a trunk port. The SG300 is then assigning IP addresses to the clients. It has 4 different VLANs created that go to different offices. Does this help you understand the setup any better?

  • SG300-28 Firmware 1.1.2.0 and 1.2.7.76 - Dynamic VLAN+freeRADIUS - Client get rejected

    Hello ladies and gentlemen,
    I am using several SG300-28 Switches with firmware version 1.1.2.0.
    I have dynamic VLAN enabled. As RADIUS server I am using freeradius 2.1.12.
    Authentication is only based on the MAC address. (I configured that on the switches)
    On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches).
    I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just want to use the MAC address.
    In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on freeradius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the freeradius log then this MAC address was successfully authorized.
    The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN.
    If I unplug and re-plug the LAN cable in most cases the client get the correct VLAN and the correct IP.
    This is happening randomly on nearly all my PCs.
    I would really appreciate your help. Do I have to set some timers higher? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.
    Thank you very much for your help!
    Regards
    Alexander Wilke

    This is from my CISCO log. The computer is always online, but there are repeated rejects and then, with a delay of some minutes, an accept.
    2147483395  2012-Aug-09 21:40:05  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483396  2012-Aug-09 21:38:23  Warning  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483397  2012-Aug-09 21:38:23  Warning  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483398  2012-Aug-09 21:16:05  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483399  2012-Aug-09 21:13:42  Warning  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483400  2012-Aug-09 21:13:42  Warning  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483401  2012-Aug-09 21:04:04  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483402  2012-Aug-09 21:03:50  Warning  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483403  2012-Aug-09 21:03:50  Warning  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483404  2012-Aug-09 20:52:02  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483405  2012-Aug-09 20:49:02  Warning  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483406  2012-Aug-09 20:49:02  Warning  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483407  2012-Aug-09 20:40:04  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483408  2012-Aug-09 20:39:10  Warning  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483409  2012-Aug-09 20:39:10  Warning  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483410  2012-Aug-09 20:16:06  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483411  2012-Aug-09 20:14:29  Warning  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483412  2012-Aug-09 20:14:29  Warning  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483413  2012-Aug-09 19:28:01  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483414  2012-Aug-09 19:25:08  Warning  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483415  2012-Aug-09 19:25:08  Warning  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483416  2012-Aug-09 19:15:59  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483417  2012-Aug-09 19:15:16  Warning  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483418  2012-Aug-09 19:15:16  Warning  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483419  2012-Aug-09 19:04:00  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483420  2012-Aug-09 19:00:27  Warning  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483421  2012-Aug-09 19:00:27  Warning  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483422  2012-Aug-09 18:27:59  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483423  2012-Aug-09 18:25:55  Warning  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483424  2012-Aug-09 18:25:55  Warning  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    Any ideas ?
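
The reject-then-accept pattern in the log above can be measured per port. This is an added example, not part of the original post and not Cisco tooling: the function names are assumptions, and the sample entries are taken from the posted log, joined one per line.

```python
import re
from datetime import datetime

# Entries from the switch log in the post (newest first), one entry per line.
SAMPLE_LOG = """\
2147483395 2012-Aug-09 21:40:05 Informational %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483396 2012-Aug-09 21:38:23 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483397 2012-Aug-09 21:38:23 Warning %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483398 2012-Aug-09 21:16:05 Informational %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483399 2012-Aug-09 21:13:42 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483400 2012-Aug-09 21:13:42 Warning %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483401 2012-Aug-09 21:04:04 Informational %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483402 2012-Aug-09 21:03:50 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483403 2012-Aug-09 21:03:50 Warning %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
"""

# Timestamp, severity word, then the %SEC message; \s+ also spans line breaks,
# so a log pasted with four lines per entry parses the same way.
ENTRY = re.compile(
    r"(\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\s+\w+\s+"
    r"%SEC-[IW]-(\w+): (?:MAC (\S+) was rejected on port|Port) (\w+)"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_ts(text):
    date, clock = text.split()
    year, mon, day = date.split("-")
    h, m, s = map(int, clock.split(":"))
    return datetime(int(year), MONTHS[mon], int(day), h, m, s)

def unauthorized_windows(log_text):
    """Return (port, mac, rejected_at, authorized_at, seconds) per reject/accept cycle."""
    events = [(parse_ts(ts), kind, mac, port)
              for ts, kind, mac, port in ENTRY.findall(log_text)]
    events.sort(key=lambda e: e[0])  # the switch lists newest first
    open_since, last_mac, windows = {}, {}, []
    for when, kind, mac, port in events:
        if kind == "SUPPLICANTUNAUTHORIZED":
            last_mac[port] = mac
            open_since.setdefault(port, when)
        elif kind == "PORTUNAUTHORIZED":
            open_since.setdefault(port, when)
        elif kind == "PORTAUTHORIZED" and port in open_since:
            start = open_since.pop(port)
            windows.append((port, last_mac.pop(port, None), start, when,
                            int((when - start).total_seconds())))
    return windows
```

On the sample entries, port gi8 stays unauthorized for 14, 143 and 102 seconds per cycle, which is the interval in which the client can pick up a Guest VLAN address as described in the post.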
