SG-300 as Layer 2 switch to distribute 5 WAN addresses

My goal is to distribute 3 of 5 dynamic IPv4 addresses from my business class ISP connection to 3 attached devices in my network via a Layer 2 managed switch. The topology is as follows: the Layer 2 switch receives its WAN connection from a SurfBoard SB6120 cable modem connected on port 1; the 3 devices I intend to connect will be connected on ports 2-4 respectively on the switch. Those 3 devices I connect should be the only MACs acquiring dynamic IPv4 addresses from the ISP's DHCPv4 server.

I successfully deployed a MikroTik RB260GS for this purpose and only recently replaced it with an SG-300 switch ... and the results were unexpected: rather than 3 known CPE MAC addresses, 5 were being allocated. Furthermore, when I logged in to administer the SG-300, it did not make sense why it was always prompting me to "Save" to the current running state AFTER I had previously thought I had locked down the SG-300 settings and saved them to the current running state.

I will outline my configuration steps for the SG-300 shortly -- and my question to this forum is twofold:
a) Is there a better configuration guide for what I need to accomplish -- one that will be secure; and
b) If what I did should have worked and been secure, what could possibly explain the appearance of two unknown MACs on my broadband modem -- a situation that NEVER occurred when I had used the MikroTik for the past 6 months?

NOTE: The MAC addresses that were registered are unknown to me -- I don't know of any hardware -- virtual or physical -- whose MAC address matched.

What follows are my general configuration steps -- keeping in mind I am a bit casual about the notation. If need be, I would be willing to share my unencrypted copy of running-config.txt that I created, saved and backed up -- PRIOR to the subsequent situation where I would log in and find the SG-300 settings must have changed, coincidentally with the appearance of the two unknown MAC addresses registered with the ISP.

Configuration of the Cisco SRW2008-K9-NA SG300-10 Managed Switch
    (I was not able to update the boot firmware using TFTP from the default)

STEPS to configure:

1) Created a new admin username/password; deleted the default admin of "cisco/cisco"
2) Dedicated Port 8 to be my "Administrative" management port -- meaning that administrative HTTPS access was allowed only from the Port 8 connection via an "active access profile"
3) Marked ALL ports to be "Protected" -- except for Port 1, which connected to the SurfBoard cable modem. The goal is to prevent any cross-talk between each of my 3 connected devices on ports 2-4
4) Restricted administrative access to HTTPS and serial console only
5) Upgraded firmware to
6) Hard-coded administrative HTTPS interface to be (Note: that is on the same subnet as the surfboard cable modem)
7) Removed checkmark from DHCP auto configuration

NOTE: I recall leaving an option somewhere indicating the SG-300 was to operate as a Layer 2 switch, not a Layer 3 switch.


Again, with the above in mind, using the SG-300, two unknown MACs were registered with the ISP's DHCP servers; after this discovery, the MikroTik RB260GS router was swapped back, and since then there hasn't been a reappearance of the two unknown MAC addresses. Also, while the SG-300 was in use for a month, only in the past two weeks did the two unknown MACs appear ... and that coincided with the unexpected prompt by the SG-300 for me to "save" its configuration to the running configuration -- even when I had not made any changes beyond the initial configuration of 2 months ago.
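
The symptom described in this post (more leases on the WAN side than the number of known CPE devices) can be caught early with a small allowlist check. The following is an added example, not code from the poster or from Cisco; the lease listing format ("public IP, then MAC"), the known-CPE MAC values and the 203.0.113.0/24 addresses are all constructed, and a real check would read the modem's or ISP's lease table instead:

```python
import re

# Known CPE MACs allowed to take an ISP lease (constructed placeholder values,
# not the poster's real hardware), and how many leases the operator expects.
KNOWN_CPE_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
EXPECTED_LEASE_COUNT = 3

def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(lines) -> dict:
    """Parse 'ip mac' lines (a constructed lease listing) into {normalized mac: ip}."""
    leases = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        ip, mac = line.split()[:2]
        leases[normalize_mac(mac)] = ip
    return leases

def audit_leases(leases: dict, known=KNOWN_CPE_MACS, expected=EXPECTED_LEASE_COUNT) -> dict:
    """Flag MACs holding a WAN lease that are not known CPE, and a lease count above budget."""
    known_norm = {normalize_mac(m) for m in known}
    unknown = {m: ip for m, ip in leases.items() if m not in known_norm}
    return {"unknown": unknown, "lease_count": len(leases), "over_budget": len(leases) > expected}

# Constructed lease listing: public IP, then the MAC in assorted notations.
SAMPLE_LEASES = """
203.0.113.11  00:11:22:33:44:01
203.0.113.12  0011.2233.4402
203.0.113.13  00-11-22-33-44-03
203.0.113.14  02:ab:cd:ef:00:01
203.0.113.15  02:ab:cd:ef:00:02
""".splitlines()

if __name__ == "__main__":
    report = audit_leases(parse_leases(SAMPLE_LEASES))
    for mac, ip in sorted(report["unknown"].items()):
        print(f"ALERT: unknown MAC {mac} holds WAN lease {ip}")
    if report["over_budget"]:
        print(f"{report['lease_count']} leases seen, expected at most {EXPECTED_LEASE_COUNT}")
```

Run against the constructed listing it reports the two unknown MACs and a lease count of 5 against an expected 3, which is exactly the condition the poster noticed only after the fact.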
