SG-300 as Layer 2 switch to distribute 5 WAN addresses
My goal is to distribute 3 of 5 dynamic IPv4 addresses from my business class ISP connection to 3 attached devices in my network via a Layer 2 managed switch. The topology is the Layer 2 switch will receive its WAN connection from a SurfBoard SB6120 Cable modem connecting on port 1; the 3 devices I intend to connect will be connected on ports 2-4 respectively on the switch. Those 3 devices I connect should be the only MACs acquiring dynamic IPv4 addresses from the ISP's DHCPv4 server.
I successfully deployed a MikroTik RB260GS for this purpose and only recently replaced it with a SG-300 switch ... and the results were unexpected: rather than 3 Known CPE MAC Address, 5 were being allocated. Furthermore, when I logged in to administer the SG-300, it did not make sense as to why it was always prompting me to "Save" to the current running state AFTER I had previously thought I locked down the SG-300 settings and saved them to the current running state.
I will outline my configuration steps for the SG-300 shortly -- and my question to this forum is twofold: a) Is there a better configuration guide for what I need to accomplish -- that will be secure; and b) If what I did should have worked and been secure, what could possibly explain the appearance of two unknown MACs on my broadband modem -- a situation that NEVER occurred when I had used the MikroTik for the past 6 months?
NOTE: The MAC addresses that were registered are unknown to me -- I don't know of any hardware -- virtual or physical -- whose MAC address matched.
What follows are my general configuration steps -- keeping in mind I am a bit casual about the notation. If need be, I would be willing to share my unencrypted copy of running-config.txt that I created, saved and backed up -- PRIOR to the subsequent situation where I would log in and find the SG-300 settings must have changed, coincidentally with the appearance of the two unknown MAC addresses registered with the ISP.
Configuration of the Cisco SRW2008-K9-NA SG300-10 Managed Switch sx300_fw_22.214.171.124.ros (I was not able to update the boot firmware using TFTP from the default)
STEPS to configure:
1) Create new admin username/password; delete default admin of "cisco/cisco"
2) Dedicated Port 8 to be my "Administrative" management port -- meaning that administrative HTTPS access was allowed only from Port 8 connection via "active access profile"
3) Marked ALL ports to be "Protected" -- except for Port 1 which connected to the SurfBoard cable modem. Goal is to prevent any cross-talk between each of my 3 connected devices on ports 2-4
4) Restricted administrative access to HTTPS and serial console only
5) Upgraded firmware to 126.96.36.199.
6) Hard-coded administrative HTTPS interface to be 192.168.1.254 (Note: that is on the same subnet as the surfboard cable modem)
7) Removed checkmark from DHCP auto configuration
NOTE: I recall leaving an option somewhere indicating the SG-300 was to operate as a Layer 2 switch, not a Layer 3 switch.
Again, with the above in mind, using the SG-300, two unknown MACs were registered with the ISP's DHCP servers; after this discovery, the MikroTik RB260GS router was swapped back and since then, there hasn't been a reappearance of the two unknown MAC addresses. ALSO, that while the SG-300 was in use for a month, only in the past two weeks did the two unknown MACs appear ... and that coincided with the unexpected prompt by the SG-300 for me to "save" its configuration to the running configuration -- even when I had not made any changes beyond the initial configuration of 2 months ago.
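An added example, not part of the original post and not Cisco code: one way to find which switch port the unexpected MACs were learned on is to compare an exported MAC address table against a one-MAC-per-port allowlist for ports 2-4. The port names (`gi1` to `gi8`), the four-column table layout and every MAC address below are constructed assumptions.

```python
import re

# Constructed policy: the single MAC expected on each device port (ports 2-4 in the post).
ALLOWED = {
    "gi2": "00:00:5e:00:53:02",
    "gi3": "00:00:5e:00:53:03",
    "gi4": "00:00:5e:00:53:04",
}
UPLINK = "gi1"  # assumed name of the port facing the cable modem; ISP-side MACs are expected there

# Constructed sample of a MAC address table export (vlan, mac, port, type); not real switch output.
SAMPLE_TABLE = """\
1  00:00:5e:00:53:02  gi2  dynamic
1  00:00:5e:00:53:03  gi3  dynamic
1  00:00:5E:00:53:04  gi4  dynamic
1  02:00:00:00:00:05  gi3  dynamic
1  00:00:5e:00:53:88  gi8  dynamic
1  00:00:5e:00:53:01  gi1  dynamic
"""

ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\S+)\s+(\S+)\s*$", re.I)

def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set (common for virtual or randomized MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(table_text):
    """Return one finding per MAC learned on a non-uplink port that the allowlist does not permit."""
    findings = []
    for line in table_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip headers, blank lines and anything that is not a table row
        vlan, mac, port, _kind = m.groups()
        mac, port = mac.lower(), port.lower()
        if port == UPLINK or ALLOWED.get(port) == mac:
            continue
        findings.append({"port": port, "mac": mac, "vlan": int(vlan),
                         "locally_administered": is_locally_administered(mac)})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_TABLE):
        print(finding)
```

Ports outside the allowlist, such as the management port, are reported too, since a protected port can still reach the unprotected uplink.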