10-01-2012 01:37 PM
I just recently purchased an SG300 10 port switch. After reading through many of the threads here, I was finally able to get the different VLANs to route properly. However, I'm having a unique issue that I'm not sure if it's related to the switch or not. I currently have 2 VLANs configured on the switch.
Ports 1-4 are native VLAN 1 (192.168.1.X).
Ports 5-7 are VLAN 10, 192.168.10.X (trunk port with VLAN 1 tagged and VLAN 10 untagged).
I have a Hyper-V server connected to both of these networks. The VMs are running on both VLANs on port 5. I have the following problem:
When I have a domain controller VM on VLAN 10, I notice that many of the DC communications failed. I took a network trace and noticed that many of the RPC port ranges were failing. I am able to ping all of the hosts on VLAN1 and vice versa. My question is as follows:
Does this switch have some type of security option that blocks high range ports? I can't seem to find the menu option indicating that this is the case. I have already set up a NETBIOS UDP proxy, but this hasn't helped much. I still have problems connecting to machines on this VLAN range.
10-01-2012 02:03 PM
Hi David, is the switch operating in layer 2 or layer 3? What does your network look like? I assume by DC communication you mean domain controller communications?
If the switch is layer 3, by default a router does not forward broadcasts across VLANs. This may require ip helper commands, better known as UDP relay (within the GUI options).
If the switch is in layer 2, the router handles all route decisions.
-Tom
Please rate helpful posts
10-01-2012 04:39 PM
Hey Tom,
The switch has the following running-config:
There are a few things that can be taken out, but I was trying everything to make this thing route (this was my first problem). Now I have Domain Controller to Domain Controller communication problems for some ports - specifically RPC.
I also have a gateway router (Netgear) that has a route back for the VLANs specified below: 10, 20
config-file-header
switch4c6c7f
v1.2.7.76 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 10,20
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
no ip arp proxy disable
ip dhcp relay address 192.168.1.216
bonjour interface range vlan 1
hostname switch4c6c7f
no passwords complexity enable
username cisco password encrypted aba3b899636930f54a01d01792050c6c87c31070 privilege 15
ip ssh server
ip telnet server
no security-suite deny syn-fin
security-suite syn protection mode disabled
!
interface vlan 1
ip address 192.168.1.254 255.255.255.0
no ip address dhcp
!
interface vlan 10
name backups
ip address 192.168.10.1 255.255.255.0
!
interface vlan 20
name test
ip address 192.168.2.1 255.255.255.0
!
interface gigabitethernet1
switchport mode access
!
interface gigabitethernet2
switchport mode access
!
interface gigabitethernet3
switchport mode access
!
interface gigabitethernet4
switchport mode access
!
interface gigabitethernet5
switchport trunk allowed vlan add 10,20
switchport default-vlan tagged
no macro auto smartport
!
interface gigabitethernet6
switchport trunk native vlan 10
switchport default-vlan tagged
!
interface gigabitethernet7
switchport trunk native vlan 10
switchport default-vlan tagged
!
macro auto disabled
ip helper-address 192.168.1.254 255.255.255.255 137 138
ip helper-address 192.168.10.1 255.255.255.255 137 138
ip helper-address all 255.255.255.255 53 137 138
ip route 0.0.0.0 0.0.0.0 192.168.1.1
10-01-2012 05:37 PM
David, thanks for posting the config and a bit more clarification. The switch is in layer 3 mode. I'm not much of a Microsoft guy, but the switch doesn't block traffic unless it is told to.
Here is an interesting article I dug up;
Let me know if this is applicable for you.
-Tom
10-01-2012 08:22 PM
Hey Tom. The UDP relay piece makes sense as to why AD replication may not be working. I have a question: is there an easy and quick way to make this switch forward all UDP ports from one network segment to the other? The GUI is way too slow and only allows one port at a time.
10-01-2012 09:15 PM
David, I'm not sure there is a way for all ports.
If you want to, log in to the CLI via console, or navigate to TCP/UDP services and enable telnet or SSH, and you can do it this way:
config t
ip helper-address all 255.255.255.255 portnumber
ip helper-address <- toggle
all <- all vlan interfaces
255.255.255.255 <-broadcast everywhere
The problem is going to be, if you don't specify the port number, it enables the 6 default services.
Now, the thing is, you may specify a single port or a port list.
As an example:
ip helper-address all 255.255.255.255 41000 42000 43000 44000
This will make a UDP relay for those 4 ports: 41000, 42000, 43000, 44000. The switch will hold 128 rules if I'm not mistaken. The problem is, there doesn't appear to be a way to specify a whole range such as 41k through 65k.
-Tom
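The `ip helper-address` and `security-suite` lines from the running-config posted in this thread, parsed to show which UDP broadcast ports each interface relays and whether any statement in the config is actively filtering traffic. This is an added example, not part of the original posts and not Cisco tooling; the function names and the ACL keyword match are assumptions, and the sample input is a subset of config lines copied from the thread.

```python
import re

# Constructed input: a subset of lines from the running-config posted in the thread.
SAMPLE_CONFIG = """\
no security-suite deny syn-fin
security-suite syn protection mode disabled
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.1.254 255.255.255.255 137 138
ip helper-address 192.168.10.1 255.255.255.255 137 138
ip helper-address all 255.255.255.255 53 137 138
"""

HELPER = re.compile(r"^ip helper-address (\S+) (\S+)((?:\s+\d+)*)\s*$")
# Assumption: ACL statements are recognisable by these keywords.
ACL = re.compile(r"\b(access-list|service-acl)\b")

def parse_relays(config):
    """Map (interface, destination) -> sorted UDP ports whose broadcasts are relayed."""
    relays = {}
    for line in map(str.strip, config.splitlines()):
        m = HELPER.match(line)
        if m:
            key = (m.group(1), m.group(2))
            relays.setdefault(key, set()).update(int(p) for p in m.group(3).split())
    return {k: sorted(v) for k, v in relays.items()}

def relayed_ports(relays, interface):
    """Ports relayed for one interface: its own entries merged with the 'all' entries."""
    ports = set()
    for (iface, _dest), plist in relays.items():
        if iface in (interface, "all"):
            ports.update(plist)
    return sorted(ports)

def active_filters(config):
    """Lines that could make the switch drop traffic (heuristic, not a full CLI parser)."""
    hits = []
    for line in map(str.strip, config.splitlines()):
        if line.startswith("no "):
            continue  # negated command: the feature is switched off
        if ACL.search(line) or (line.startswith("security-suite")
                                and not line.endswith("disabled")):
            hits.append(line)
    return hits

if __name__ == "__main__":
    relays = parse_relays(SAMPLE_CONFIG)
    for iface in ("192.168.1.254", "192.168.10.1"):
        print(f"{iface}: UDP broadcast relay on ports {relayed_ports(relays, iface)}")
    print("active filters:", active_filters(SAMPLE_CONFIG) or "none found")
```
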