[Cisco] SG300-20 Tries to be the root-bridge via STP!

Just received and configured a Cisco SG300-20 Small Business Switch. A few minutes later someone called and said “there is a problem with the network!!”. After having a look at the logs I noticed two major problems:

  1. The clustered Netscreen in NSRP configuration failed over!
  2. The clustered core switches (3750s) in HSRP configuration failed over!


When the cluster Netscreen device failed over I received an email that looked like this:

[00001] 2011-04-19 16:47:49 [Root]system-critical-00015: Peer device 2456832 in the Virtual Security Device group 0 changed state from init to primary backup.

[00002] 2011-04-19 16:47:44 [Root]system-critical-00015: Peer device 2456832 in the Virtual Security Device group 0 changed state from inoperable to init.

[00003] 2011-04-19 16:47:29 [Root]system-critical-00015: Peer device 2456832 in the Virtual Security Device group 0 changed state from primary backup to inoperable.

and when one of the core-switches failed over I received an email that looked like this:

001223: Apr 19 16:47:42.251 EDT: %HSRP-6-STATECHANGE: Vlan1 Grp 0 state Active -> Speak

Apr 19 16:47:21.229 EDT: %HSRP-6-STATECHANGE: Vlan1 Grp 0 state Standby -> Active

None of the above should have happened when the Cisco SG300-20 Small Business Switch was plugged into the network via a trunk port! After speaking with Cisco I was told that it was the SB switch that caused the failovers. The problem has to do with Spanning Tree (STP) being enabled by default on the SB switch and not being stable: the SB switch was trying to make itself the root bridge when connected to the network. The resolution for now, until another firmware is released, is to either:

  • Disable STP
  • Manually configure STP priorities

The current firmware for this SB switch is: I am told by Cisco that a fix should be out within the next month or two.

In my case manually disabling STP on the Small Business Switch did not fix the problem. I noticed it was still trying to be the root bridge even when STP was disabled! I resorted to just increasing the priority on the SB switch from the default of 32768 to the max of 61440! Unfortunately, this did not solve the problem either!
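What the log timestamps above show is the usual shape of a root-bridge change: when a switch with a better (lower) bridge ID starts sending BPDUs, the rest of the tree reconverges and, with classic 802.1D, affected ports sit in listening/learning for up to 30 seconds. HSRP hellos (3 s hello, 10 s hold by default) and NSRP heartbeats are lost during that window, so the standby units declare the active one dead and take over, which matches the roughly 20-second gaps between the Netscreen and HSRP state changes. The quickest way to see who is winning is to pull the BPDUs off the trunk and look at the Root ID field. The script below is an added example (not code from this post or from Cisco) that parses IEEE 802.1D/802.1w BPDUs from raw 802.3/LLC frames and flags any sender advertising a root other than the one you designed, telling you whether that claim would actually win. Cisco PVST+ BPDUs (SNAP to 01:00:0c:cc:cc:cd) are not handled; the MAC addresses, priorities and frames are constructed for the example, not captures.

```python
"""Audit captured STP BPDUs for a switch advertising itself as root.

Added example for this post, not code from the post or from Cisco.
Handles IEEE 802.1D/802.1w BPDUs in 802.3/LLC frames to 01:80:c2:00:00:00
(Cisco PVST+ uses SNAP to 01:00:0c:cc:cc:cd and is not parsed here).
All MACs, priorities and frames below are constructed, not captures.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

STP_DST = bytes.fromhex("0180c2000000")   # IEEE STP multicast address
LLC_STP = b"\x42\x42\x03"                  # DSAP/SSAP 0x42, UI control
CONFIG_BPDU_LEN = 35                       # 802.1D configuration BPDU body

@dataclass
class ConfigBpdu:
    src_mac: str
    version: int       # 0 = STP, 2 = RSTP
    flags: int
    root_id: int       # 64-bit: 4-bit priority, 12-bit sys-id-ext, 48-bit MAC
    root_cost: int
    bridge_id: int
    port_id: int
    max_age: float     # seconds
    hello_time: float  # seconds

def mac_to_str(n: int) -> str:
    return ":".join(f"{(n >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))

def make_bridge_id(priority: int, mac: str, sysid_ext: int = 0) -> int:
    """Bridge ID = priority (multiple of 4096) | sys-id-ext (VLAN) | MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be 0..61440 in steps of 4096")
    return ((priority | sysid_ext) << 48) | int(mac.replace(":", ""), 16)

def bridge_id_parts(bid: int) -> tuple[int, int, int]:
    """Split a bridge ID into (priority, sys-id-ext, mac)."""
    top = bid >> 48
    return top & 0xF000, top & 0x0FFF, bid & 0xFFFFFFFFFFFF

def parse_bpdu(frame: bytes) -> ConfigBpdu | None:
    """Return a ConfigBpdu for an IEEE config/RST BPDU frame, else None."""
    if len(frame) < 17 or frame[:6] != STP_DST:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500 or frame[14:17] != LLC_STP:   # EtherType frame or not STP LLC
        return None
    body = frame[17:17 + length - 3]
    if len(body) < 4:
        return None
    proto, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto != 0 or bpdu_type not in (0x00, 0x02):  # 0x80 = TCN, carries no IDs
        return None
    if len(body) < CONFIG_BPDU_LEN:
        return None
    (flags, root_id, root_cost, bridge_id, port_id,
     _msg_age, max_age, hello, _fwd) = struct.unpack("!BQIQHHHHH", body[4:35])
    src = mac_to_str(int.from_bytes(frame[6:12], "big"))
    return ConfigBpdu(src, version, flags, root_id, root_cost, bridge_id,
                      port_id, max_age / 256, hello / 256)

def audit(frames, designed_root_id: int) -> list[str]:
    """Flag every BPDU whose Root ID is not the designed root.

    Lower bridge ID wins, so root_id < designed_root_id means the sender
    (or something behind it) really would take the root role; a worse ID
    will not win but still shows a segment that disagrees with the design.
    """
    findings = []
    for frame in frames:
        b = parse_bpdu(frame)
        if b is None or b.root_id == designed_root_id:
            continue
        prio, _vlan, mac = bridge_id_parts(b.root_id)
        self_claim = b.root_id == b.bridge_id and b.root_cost == 0
        verdict = ("SUPERIOR, would win root" if b.root_id < designed_root_id
                   else "inferior, will not win")
        findings.append(f"{b.src_mac} advertises root {mac_to_str(mac)} prio {prio}"
                        f"{' (itself)' if self_claim else ''}: {verdict}")
    return findings

def build_config_bpdu(src_mac: str, root_id: int, root_cost: int,
                      bridge_id: int, port_id: int = 0x8001) -> bytes:
    """Constructed sample frame (not a capture): 802.3 header + LLC + config BPDU."""
    body = struct.pack("!HBBBQIQHHHHH", 0, 0, 0x00, 0x00, root_id, root_cost,
                       bridge_id, port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    src = bytes.fromhex(src_mac.replace(":", ""))
    return STP_DST + src + struct.pack("!H", len(LLC_STP) + len(body)) + LLC_STP + body

# Constructed topology: 3750 core is the designed root at priority 24576.
CORE = make_bridge_id(24576, "00:1a:a1:00:00:01")
SB = make_bridge_id(32768, "00:11:22:33:44:55")      # SG300 at default priority
ROGUE = make_bridge_id(0, "00:de:ad:be:ef:00")       # something at priority 0

SAMPLE_FRAMES = [
    build_config_bpdu("00:1a:a1:00:00:01", CORE, 0, CORE),    # core, healthy
    build_config_bpdu("00:11:22:33:44:55", SB, 0, SB),        # SB switch claims root
    build_config_bpdu("00:de:ad:be:ef:00", ROGUE, 0, ROGUE),  # superior claim, wins
    STP_DST + bytes(6) + b"\x00\x07" + LLC_STP + b"\x00\x00\x00\x80",  # TCN, ignored
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES, CORE):
        print(line)
```

On the Catalyst side the same answer comes from `show spanning-tree root`, and `spanning-tree guard root` on the trunk facing the SB switch makes the port go root-inconsistent (blocking) the moment a superior BPDU arrives, which protects the core and HSRP regardless of what the SB switch decides to do with its own priority.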


4 Responses to [Cisco] SG300-20 Tries to be the root-bridge via STP!

  1. Per says:

    Also in the process of configuring an SG300-20.
    Not working at the moment.

    • swinful says:

      Hi Per,

      Is this the only switch on your network? I think it’s a pretty good switch (considering the features you get and the price) despite the issues we had with it forcefully trying to become a root-bridge when we told it not to! -:)

      • Per says:

        I believe it’s a good switch and I value cisco support.
        I have a D-Link DES-3225G + bridges + APs that are running STP.
        Plus a number of unmanaged switches.
        Just now I'm in a verify state. I'm an Integration & Verification person. 😉
        I had an issue with changing the default VLAN ID that is resolved.
        Basically you need to use serial console + web to configure.

        I'm new to Cisco equipment and STP in a VLAN environment.
        I run the SG300-20 in layer 3 mode.
        Intention is to use the SG300-20 for Gbit + jumbo frames to 100 Mbit fragmentation and let the 3225G handle the old non-critical stuff.

        When I connected the SG300-20 to the DES-3225G, GVRP and VLAN trunking are kind of working.
        I lost connection to the web interface and had to reboot to get it back, or I have the web interface and no traffic.
        It can be a configuration question and Cisco support is very helpful so I'm confident.
        I'm missing a real serial console interface.

  2. Anonymous says:

    This is a pretty old post, but I thought I’d leave it here for future users. I use SG300s at our branch offices for a mid-size enterprise and they are pretty tricky to use at the enterprise level.

    1. Make sure the SG300/500 is upgraded to the current code level. At the time of this writing you need to load sx300_fw_1.3.7.18.ros before you upgrade to version 1.4 or higher or you end up having problems with STP, etc. later.

    2. I wouldn’t bother trying to learn the GUI on the switch, it’s confusing as hell. Also, I always turn off the smartport functions as they DO NOT WORK!

    3. Although the command-line IOS is similar to a Catalyst switch's, the SG300/500 series all have different commands for ACLs, errdisable recovery from loopback, and lines.

    4. If you want to run voice on SG300s, they use the old style configuration of voice trunking. Here’s how to properly trunk voice and data on an SG300:

    interface %GiXX%
    switchport mode trunk
    storm-control broadcast enable %OPTIONAL%
    storm-control broadcast level 20 %OPTIONAL%
    switchport trunk allowed vlan add %VOICE VLAN ID%
    switchport trunk native vlan %DATA VLAN ID%

    5. The QoS functions on the SG series are pretty limited so I would run those somewhere else. All the QoS commands are different and not traditional IOS.

    6. There is one bug on an SG300 I never figured out, but if you set static speed and duplex on a device and plug it into the SG300 with static configuration as well, the SG300 will automatically drop the interface config into half-duplex regardless of what duplex is defined. I usually have to leave one side auto to defeat this.

    Do I recommend SG300s for branch offices? They kind of work but you lose a LOT of features like packet marking (properly) and layer 2 security (won't work with ISE for example.) Spanning tree also ignores a lot of settings and prefers to only look at the spanning-tree priority setting of a switch to determine the root bridge. There are also errors connecting to 6509 chassis that I believe got corrected in May of 2015.
