SG300 layer 3 to route through MetroE

I have a project at the HQ where I work which requires routing over a MetroE circuit to link some sites back to HQ. Even though I know that this can be accomplished in several ways, I came up with a solution which I think will work, but I would like all your input as to whether it is sufficient and whether my thoughts on how to "organize" the network properly are fair.

I have collaborated with the SG300 line in Layer 3 mode and have any problems in a test configuration, I have here in the office. Basically, my thought is to have a single VLAN / subnet allocated for each physical site. Who will be responsible for basic connectivity between etc. I also have a need to prioritize voice and video traffic across the network. My plan was to create an extra VLAN / subnet to host teleconference equipment. That's pretty much the gist of the installation. My only question is how to properly prioritize the audio/video VLAN. Once I enter the policy mapping area of the switches, the options start to get rare and I'm not sure if I have the granularity I need. I am also curious to know if there is a more 'easy' or 'better' way to accomplish what I need.

Any help, comments, etc. are appreciated...

http://en.Wikipedia.org/wiki/IEEE_P802.1p

modes of qos for Chapter 22 http://www.Cisco.com/en/US/docs/switches/LAN/CSBMs/sf30x_sg30x/administration_guide/78-19308-01.pdf and workflow.

-Tom
Please mark replied messages useful

Similar Questions

  • Cisco SG300 / ASA 5505 intervlan routing problem

    Dear all

    I have a problem with the configuration correctly sg300 layer 3 behind the ASA 5505 switch (incl. license more security)

    The configuration is the following:

    CISCO SG300 is configured as a layer 3 switch

    VLAN native 1: 192.168.1.254, default route ip address (inside interface ASA 192.168.1.1)

    VLAN defined additional switch

    VLAN 100 with 192.168.100.0/24, default gateway 192.168.100.254

    VLAN 110 with 192.168.110.0/24, default gateway 192.168.110.254

    VLAN 120 with 172.16.0.0/16, default gateway 172.16.10.254

    Of the VLANS (100,110,120) different, I am able to connect to all devices on the other VLANs (with the exception of Native VLAN 1; is not the ping requests)

    From the switch cli I can ping my firewall (192.168.1.1) and all the other gateways of VLANs and vlan (VLAN1, 100, 110, 120) devices

    Asa cli I can only ping my switch (192.168.1.254) port, but no other devices in other VLAN

    My question is this. What should I change or installation in the switch configuration or asa so that other VLANs to access the Internet through the ASA. I will not use the ASA as intervlan routing device, because the switch does this for me

    I tried to change the asa int e0/1 in trunkport (uplink port switch also), to enable all the VLANS, but as soon as I do that, I can not ping 192.168.1.254 ASA cli more.

    Any help is greatly appreciated

    Concerning

    Edwin

    Hi Edwin, because the switch is layer 3, the only necessary behavior is to ensure that default gateways to the computer are set on the SVI interface connection to the switch to make sure that the switch is transfer traffic wished to the ASA.

    The configuration between the ASA and the switch must stay true by dot1q, such as the vlan all other, unidentified native VLAN tagged.

    Also, if I'm not wrong, on the ASA you must set the security level of the port to 100.

    -Tom
    Please evaluate the useful messages

  • Cannot access my router through the Explorer configuration page

    I need to do a port forwarding on my router. My internet connection works (even if it drops occasionally) and I can also connect to other computers on my network. However, I cannot access my router page through IE (I get a message saying: page not found). When I go see the map in the Vista network options, the router is not displayed and when I click on "See the whole map", I get a message saying that Windows cannot detect any computer or devices.

    My connection to the router is connected, and it is a Linksys WRT54G. Any ideas how I can see my router or go to its page layout? Another thing, I went to CMD and the ping command returns a default gateway 192.168.1.1, which is what I have been using as the address of the web page.

    Thanks for any help.

    Hi JBHPUser,

    (a) other router configuration page, you are able to access other Web sites?
     
    (b) what operating system and Internet Explorer version do you use?
     
    This article can be very useful.
     
    You receive an error message in Internet Explorer: "Internet Explorer cannot display the webpage".
    http://support.Microsoft.com/kb/956196
     
    You can also access these links, which are primarily for Windows Vista, but also apply to Windows 7

    Aziz Nadeem - Microsoft Support
  • PIX: Dialin routing through a different VPN VPN

    Here's the scenario: I have 2 PIX firewall on various sites connected to the internet with public (PIX A and B PIX) IP addresses.

    There is a permanent VPN site to site between the two and there is a clear separation between subnets between the two sites (internal network behind PIX is 10.10.4.0/24 and the internal network behind PIX B 192.168.0.0/16).

    I created dialin VPDN access to PIX for laptops to dialin via VPN - it currently allows access to the subnet 10.10.4.0/24 without problem.

    Now - I need these users of portable computers, when connects via the VPN to PIX has to be able to access the other remote site and access the subnet 192.168.0.0/16 of routing through the VPN site to site of PIX B.

    Is this possible? I would be grateful to anyone who helps with that. Thank you...

    This is currently not possible on the PIX as the PIX will not route traffic back on the same interface, it is entered in the.

    This feature will be available in the upcoming v7.0 version, which is currently in beta, so look out for it and you're ready to go.

  • AAA authentication for external router through PIX 515

    I have been in vain, to get the authentication AAA works to my external router, through the PIX.

    When I connect the router directly within that network (bypassing the PIX) AAA works fine, so I know the configuration of the AAA works between the router and the ACS server.

    Initially, I got the PIX configured with a static map between a global external address 192.x.x.12 and a 10.200.1.187 for the ACS server local address, but that didn't work either. So, currently I am using NAT exemption for the ACS server, but it does not work either.

    If I activate the debug on the PIX package, I see the ACS authentication request and response between the router and GBA when I try to connect to the router, but it is not successful. After the three way TCP handshake, the router repeats it is last receipt, and then the ACS asked an RST.

    The attached diagram shows the simple connection that I'm trying to create.

    The configuration of the PIX is also attached. (too large messages size):

    Thanks in advance for your help. I tried EAC for two days and have not found solutions that look like this.

    Ron Buchalski

    What to do is:

    1 PIX:

    -static map the ACS/TACACS to a public IP address

    static (inside,outside) x.x.x.10 10.1.1.25 netmask 255.255.255.255

    -otherwise, if you have enough public IP, use port forwarding to map the ACS IP to the PIX outside interface IP, i.e. x.x.x.2, via a specific TCP port 49:

    static (inside,outside) tcp interface 49 10.1.1.25 49 netmask 255.255.255.255

    * allow ACS talk to external router via public IP

    Create/add an entry to the ACL applied to the outside interface to allow the TACACS+ protocol from the external router to the ACS (TACACS+ uses tcp 49):

    access-list outside permit tcp host x.x.x.1 host x.x.x.10 eq 49

    access-group outside in interface outside

    * x.x.x.1 = the outside router

    2 ACS

    -Add the outside router IP (FastEthernet face PIX outside interface) interface as a client of the AAA

    -Make sure the secret key is identical on the ACS and the router

    3. the outside router

    -Add the ACS as radius-server using its IP public, as mapped in PIX which is x.x.x.10.

    -check the key AAA statement is accurate.

    The test without saving the config is outside the router. Save ok once confirmed.

    I have similar facility before, and it worked very well.

    Pls note all useful message (s)

    AK

  • router through comcast. When my laptop detects all networks, they are all together to connect automatically. It is causing me launch my own network. ?

    I have a router through comcast. When my laptop detects all networks, they are all together to connect automatically. It is causing me launch my own network. When I try to uncheck the other networks they remain just verified. I m not sure how to fix it

    You may contact Comcast or the manufacturer of your router support wireless.

  • The SG300 - ACL support intervlan routing

    I have Setup SG300 - 52p mode switch layer 3.

    I have 3 VLAN (10,20,30) and the affected ports to each vlan.

    Each host can ping its own gateway (according to the VLAN).

    I want to enable some of the traffic of a vlan to a specific host (server) on a different VLAN. I try with ACL, but no can do.

    Can someone help me how to do this?

    Thank you very much.

    Hey Ruy,

    Mine is a very restrictive ACL.

    ip access-list extended Restrict_FTP

    permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0

    exit

    It allows only the 192.168.10.0 network to reach the host 192.168.20.10.

    There is also perhaps (in red);

    ip access-list extended Restrict_FTP

    permit ip 192.168.10.0 0.0.0.255 192.168.20.10 0.0.0.0

    deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

    permit ip any any

    exit

    I must confess that I prefer to use the GUI to produce my ACEs.  The table it creates shows how the ACL will work, and especially in what order.

    • The switch goes through the ACEs in order from top to bottom as seen in the GUI.
    • The ACL that is attached to an interface pattern matches on incoming packets (coming into the switch).
    • ACE entries use inverse masking, which can be confusing.  Perhaps the following technote may be useful for understanding inverse masking;

    http://www.Cisco.com/en/us/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

    What about Dave
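
The top-to-bottom matching and inverse (wildcard) masking described in the answer above, as an added example that is not part of the original thread: a small Python model that evaluates the posted Restrict_FTP entries and flags entries that an earlier entry makes unreachable. The function names are hypothetical, the sample addresses are constructed, and the implicit deny at the end of the list is assumed as the usual Cisco ACL behaviour.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    action: str    # "permit" or "deny" (every entry here is protocol "ip")
    src: str
    src_wild: str  # inverse mask: a 1 bit means "don't care"
    dst: str
    dst_wild: str


def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Compare only the bits where the inverse mask is 0."""
    care = ~_u32(wild) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, ACE number) of the first matching entry, top to bottom."""
    for number, ace in enumerate(acl, start=1):
        if (wildcard_match(src, ace.src, ace.src_wild)
                and wildcard_match(dst, ace.dst, ace.dst_wild)):
            return ace.action, number
    return "deny", None  # assumed implicit deny when nothing matches


def _covers(base_a: str, wild_a: str, base_b: str, wild_b: str) -> bool:
    """True if pattern A matches every address that pattern B matches."""
    care_a = ~_u32(wild_a) & 0xFFFFFFFF
    # Bits B leaves free must be free in A, and A's fixed bits must agree with B.
    return ((_u32(wild_b) & care_a) == 0
            and (_u32(base_a) & care_a) == (_u32(base_b) & care_a))


def shadowed_aces(acl: List[Ace]) -> List[int]:
    """ACE numbers that can never match because an earlier ACE covers them."""
    hidden = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (_covers(earlier.src, earlier.src_wild, later.src, later.src_wild)
                    and _covers(earlier.dst, earlier.dst_wild, later.dst, later.dst_wild)):
                hidden.append(j + 1)
                break
    return hidden


ANY = ("0.0.0.0", "255.255.255.255")  # "any" written as an inverse mask

# The second ACL from the answer, in the posted order.
RESTRICT_FTP = [
    Ace("permit", "192.168.10.0", "0.0.0.255", "192.168.20.10", "0.0.0.0"),
    Ace("deny", "192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    Ace("permit", *ANY, *ANY),
]

# Same entries with the deny moved first: the host permit becomes unreachable.
REORDERED = [RESTRICT_FTP[1], RESTRICT_FTP[0], RESTRICT_FTP[2]]

if __name__ == "__main__":
    for src, dst in [("192.168.10.5", "192.168.20.10"),
                     ("192.168.10.5", "192.168.20.11"),
                     ("192.168.30.7", "192.168.20.11")]:
        print(src, "->", dst, evaluate(RESTRICT_FTP, src, dst))
    print("shadowed in posted order:", shadowed_aces(RESTRICT_FTP))
    print("shadowed when reordered:", shadowed_aces(REORDERED))
```
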

  • SGE2010 customers have need to route through ASA 5505 & 3750

    Please see the included diagram.

    I need to move out of the 3750 client machines (and DHCP dependence on it) to the SGE2010 and absolutely to carry their internet traffic on through the external interface on the 5505. They must also be able to communicate in the internal environment to communicate with the production servers.

    Customers currently use .254, speaking through a silent dell in the 3750 switch, but I'm trying to migrate more slowly to the .253. I know that the 2010 will not DHCP, so I put a DHCP server on this switch now. The 5505 will not let me add a statement additional nameif on one of the other eth0 / x interfaces and I don't know if this has something to do with its capacity to act as a DHCP server (it is not an option in the ASDM) or he has ability to use internet gateway for customers in 2010. (Quick notes: The 5505 has a base license and is currently also site to 1 VPN connection.) As the 5520, then all its interfaces are used as well).

    I have statically assigned a customer moved with a .253 address and plugged into the 2010. I tried to give the 2010 both a .4 address and a .253 address but neither will allow me to ping on the 5505 addresses. The 2010 auto shows routes to two subnets and I put its default route to 253.1.

    The link between 2010 and the 3750 works - clients receive a .254 address from the 3750 and can get out to the internet via the 5505 and reach as well production servers.

    Why don't the 2010 see the 5505 as a gateway and allow customers to access the internet and also browse the 3750 when they need to access the production network?

    Now, the key to monkey. The reason why I am not "just connect both cheating and call a day is because I need also Always go out production servers / web applications via the interface of 5520 out outside/inside."

    I have such a package of wire trouble my head around why I can't get my customers moved to the new switch, I have not yet figured out how I'll do it again.

    Any help would be greatly appreciated.

    Scott

    Hi Scott,

    OK, you'll have several IP networks connected on the SGE2010... that's fine that the switch can operate in Layer 3 mode.

    But the ASA5505 or the SGE2010 may only be granted to PC customers who are hooked the switch SGE2010 default gateway ports?

    If the SGE2010 is made the default gateway for the PC clients, the SGE2010 will go to layer 3 packets between appropriate subnets.

    (depending on whether you have added a few static routes inside your SGE2010)

    If the ASA is the gateway to the host PC, the ASA will route traffic accordingly.

    Best regards, Dave

  • SA520w routing through site-to-site VPN tunnels

    I have several offices that are connected using site-to-site VPN tunnels and all will use the SA520W (firmware 2.1.18). I currently have 3 routers in place, router tunnels created for the router B and c of router. I need assistance with the configuration to allow the guests to router site B get to the router site C. I have attempted to add a static route, but get a destination unreachable host trying to ping. Also, if I connect to the router site has via the Cisco VPN client, I'm not able to get resources on each site, B, or C.

    A - the site 10.10.0.0/24

    Site B - 10.0.0.0/24

    Site of the C - 10.25.0.0/24

    Any help is greatly appreciated.

    So, that's what you have configured correctly?

    RTR_A

    ||

    _____________ || ___________

    ||                                            ||

    RTR_B                                RTR_C

    Since there is no tunnel between B and C there is no way for us past that traffic through RTR_A for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPSec tunnel (it's okay to IPSec?) of rtr_a ==> rtr_b. You can't just add a statement of road because your addresses are not routable which is the reason why it fails.

    Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but you should get what you need.

    I hope this helps.

  • burned by another router through vpn

    Hello

    Here's the deal:

    RV042G <--------VPN------->ROUTER1 ROUTER2<---lan1--><---lan2--->

    I have a RV042G connected to a router '1' (LAN1) via a VPN. I have another ('2' for LAN2) router behind the local '1' with another network router (no bridge, a different IP address).

    For now, I PING the IP wan router "2" of the RV042G, but the distant RV042G, I can't access the devices behind the router '2' on LAN2. The opposite is true, the LAN2 I can ping all devices on any LAN included behind the VPN LAN

    On the RV042G, I put a static route to indicate that the IP address of the LAN '2' was available router WAN '2', but a traceroute always shows that I don't use the VPN and ask my gateway provider instead. The static route list does not show the road, that I put.

    At this point, I'm a little lost. What can I do to tell the RV that route to ROUTER2 is via the vpn and not my provider gateway?

    Thanks for any help (and sorry for my bad English)

    After reading this guide:

    http://www.Cisco.com/c/dam/en/us/TD/docs/routers/CSBR/rv0xx/administrati...

    ... take a look on page 110. Group "remote control" is where you would list the subnets that are accessible through the VPN. Currently this group must contain "LAN1", so you'll need to add "LAN2".

    see you soon,

    SEB.

  • SG300-28 questions - InterVLAN routing

    Hi all

    I am trying to switch SG300-28 place and do work for several days, with a very simple configuration, but this device is just too stubborn, giving me headaches. I hope that you will tell me a solution to my problem.

    So I configured the VLAN on the switch, assigned to all ports, given IP addresses for VLANs, etc.. But I digress not test phase where I try to rattle of two stations of different VLANS.

    I have pictures of the attached current configuration. Stations are on ports 4 (VLAN4) and port 15 (VLAN3). First good 192.168.30.x a station address with the default gateway 192.168.30.1. Second station address of the 192.168.5.x and gateway 192.168.5.1. The two stations can ping the two gateways, but not each other. Traffic within a VLAN works fine, so routing is the most obvious problem.

    There is no active ACLs.

    Please see attached photos and give me something to try, because I spent three days to experiment without luck!

    One of the biggest mistakes I see relies on 'ping' to see if things work. Do not forget that the 'ping' sends a request to echo, that does not force the customer to send and echo response. Ensure that stations are configured to respond to pings or try to access a share, or a service configured on clients. Another thing to consider, that the client ports access ports and not General, this can be a problem, but it should be allowed, as is.

    On a side note, the current configuration you cannot access anything out in the cloud. If you need to access cloud do not forget to add a default route on the switch.

    I hope this helps!

  • Layer 3 intervlan routing

    Hi all

    I'm still working on how to route between the 7 VLANS I installed on my sg-300 in layer 3. When I look at the routes static ip4 I see that him vlan management is listed as local, but there is no other local interface. That's what confused me that some like all my VLAN has an assigned IP address.

    someone could make the light on how the 300 series to route between the VLANS, as it never stops timing when ping interfaces

    Hi, Patrick!

    Thank you for your participation in the community of support to small businesses. My name is Nico Muselle of Cisco Sofia HWC.

    You say that you have created the 7 VLANS, but you'll see as your default VLAN in the static as routes being local, if I understand correctly?

    When you checked this, are there had clients connected to other than the default VLAN? In fact, these static routes are added dynamically as soon as at least a client is connected to the VLAN. So if you connect a client Let's say VLAN 2 and refresh static routes, a route to VLAN 2 should be added as local.

    Please try it and let me know if it works.

    Best regards

    Nico glacier

    Senior Network Engineer - CCNA

  • Static routes through site to site tunnel

    Hello

    I use a Cisco ASA 5505

    Here's a description of my topology.

    Seat = 192.168.201.0

    Customer X = 172.16.0.0

    Datacenter = 10.12.0.0

    A Site in Tunnels:

    Seat---> data center

    Data center---> customer X

    I want to ability for the computers on the subnet of the central administration to access the subnet of the Client X.

    I tried to configure a static route to push all the fate of traffic for 172.16.0.0 to the datacenter, but failed.

    Does anyone know a solution to how I can route all 172.16.0.0 through the tunnel.

    I tried adding a static route on my ASA but without success.

    You cannot route just the traffic of HQ through the website of the client.

    You enter the subnet of HQ and customer to the ACL crypto between the data center and the customer, as well as between Headquarters and data center.

    You also need to configure NAT exemption on the client side.

    Generally, the IPSec tunnel is configured with specific subnet, so you would need to include the additional subnet to be able to move HQ to the client and vice versa.

  • PPTP VPN Cisco IOS router through

    Hi all

    I was wondering if there is a trick to get PPTP to work through a Cisco router.  He was in fact at some point, but I don't remember what has been changed over time... However, it no longer works.

    Current configuration includes:

    * CBAC applied inbound and outbound on the Internet interface (I needed to add incoming to fix a problem with the mode passive FTP doesn't work is not on a FTP server hosted behind this router)

    * CBAC inspects, among other things, PPTP

    * ACL applied inbound on interface Internet, GRE and TCP 1723 admitted any intellectual property

    * No other ACL on the router

    * IOS 15.0 (1)

    * Inbound configuration NAT for TCP 1723 (currently using the WAN IP address)

    One thing I saw was so Troubleshooting "IKE Dispatcher: IKEv2 version detected 2, Dropping package! - but I think that it is a wrong journal (router as the Cisco VPN configuration example).

    The server is definitely okay - we are able to connect over PPTP VPN from the local network to the server.  So I think it's a sort of NAT problem, because I don't see anything dropped by the firewall.

    Anyone able to point me in the right direction?

    Thank you

    Hello

    Thanks for fix the "sh run". Could you change the following:

    IP nat inside source static tcp 10.77.99.11 1723 1723 road-map repeating sheep ccc.ccc.ccc.ccc

    to do this:

    IP nat inside source static tcp 10.77.99.11 1723 1723 extensible ccc.ccc.ccc.ccc

    It would be prudent to proceed with this change in the removal of the map of the route if no one connects to the server via the PPTP VPN.

    Let me know.

    Kind regards

    ANU

    P.S. Please mark this question as answered if it was resolved. Note the useful messages. Thank you!

  • Routing through a VPN.

    I was wondering if anyone knew a good article to explain via a VPN routing works.

    If you a SSL VPN with transatlantic lines in it are the routing table

    ----------------------------------------------------------------------------------------

    route outside 0.0.0.0 0.0.0.0 204.90.21.1 1

    route inside xxxx 255.255.255.255 172.18.0.1 1

    route inside 204.110.220.0 255.255.240.0 172.18.0.1 1

    route inside 204.110.250.0 255.255.255.0 172.18.0.1 1

    The VPN works great, but I'm just wondering how it is possible to connect to the VPN and then successfully ping 192.168.1.1 or 204.110.210.0 when there is no route in the route table of the ASA.

    Maybe I just don't understand how routing works by the VPN through ASA so to speak.

    Well, basically once the VPN client creates a connection to the VPN server, if traffic matches the networks pushed by the server, the traffic gets encrypted and sent to the VPN peer using the default gateway of the client.

    The VPN server or peer receives the packet, decrypts it, then sends it to the printer.

    The routing part works pretty all the only difference is that the packet traverses encrypted throughout the Internet.
