SG200-26 and port security

sammycbmi

We have an SG200-26 and unfortunately one of its ports is connected to a dumb switch. Whenever this dumb switch is disconnected and reconnected, multiple things happen.

 

1. Port security kicks in and Dynamically locks the port even though all ports are set to the default of Classic lock. We haven't changed any settings from the default in Port Security

2. The Macro for "IP phone + desktop" runs as the dumb switch has multiple Cisco IP phones and PCs plugged into it. This caused the PVID (2) I have manually assigned to the switch (2) to change to 1, which is the Default VLAN set in the "Default VLAN Settings".

 

Is there any way to effectively disable port security or should I be disabling Smartport? I'm assuming that what is causing Port Security to kick in is that the switch is expecting there to be only 1 or 2 MAC addresses and all of a sudden it's getting 10-20? I'm not sure, but I can't think of another reason, as it's not like we are plugging in new devices, so it should have learned those MAC addresses already.

mdobiac

Mr. Sammycbmi,

 

You could turn off Smartport for that interface or manually change the port to be a switch port, since an unmanaged switch is connected to that interface. However, this may affect some functionality if you have phones and PCs connected off the unmanaged switch and different VLANs.

Another option is to change the port to Access mode and allow only the Data VLAN or Voice VLAN traffic. Though with this you will need to take the appropriate steps for your network depending on what you want off that interface/unmanaged switch.

Hope this helps,

 

Michael D.

Hello,

And to add to what Michael suggested, this is a known issue with the default VLAN ID in the Smartport macro and should be fixed with the next release. For the moment the above-mentioned settings can be used as a workaround.

Regards,

Aleksandra

Thanks Michael and Aleksandra.

I'm not gonna mess with altering the individual macros, as Aleksandra pointed out the IP phone and desktop ones being buggy. I saw a post from a couple months ago you commented on, Aleksandra.

This brings up a question I have. If you go in and manually set a port to, say, be an UP/PVID of 2 and then be tagged 3T for phone traffic. Let's say you haven't messed with the macros at all and your default VLAN is 1. When the macro runs when the switch reboots or, say, a cable is unplugged and plugged back in, should the macro override what you have manually set? I assume so, since this is the point of SmartPort. And the point is to either turn off SmartPort for the whole switch or for the port in question?

What happens if I turn off Smartport and I manually set up the ports to be in the VLANs I want? I assume after a reboot that configuration will stay the same as long as I've saved it.

 

All my ports are set at the default of a Trunk port. The definition of a trunk is different here than a real Cisco switch. I'd have these as Access ports with a voice vlan in IOS.  But if I set these as access ports you can't have a voice vlan as well on this switch.  Anyways I think I messed around some time ago and a General port didn't work quite how I wanted either. So I ended up leaving everything as a trunk.  

What are the anti-macros I see in the source? I see that they have the options of turning off port security. Why is this here and when do these anti-macros run?

Hi,

First of all, to avoid the issue with the Smartport macro and default VLAN, you need to disable it globally or per interface and set the trunk settings statically. The main difference between trunking on Catalyst and Small Business switches is the fact that Small Business switches do not support VTP, which on Catalyst became a source of security problems. That is why on Catalyst you would avoid trunking unless it is really needed. Also please bear in mind that Small Business switches do not support any Cisco proprietary protocols, only industry standards.

One macro, called "the macro," serves to apply the desired configuration. The other, called "the anti-macro," serves to undo all configuration performed by "the macro" when that interface happens to become a different Smartport type. But I have not tested exactly how it could work in your case.

Regards,

Aleksandra

Thanks Aleksandra. This weekend I'm scheduling some time to disable Smartport globally.

Also how do you disable port security?  I'm hoping if I disable Smartport this won't still be a problem but if I pull the network cable between this switch and my dumb switch then port security will kick in.  And I've adjusted the macro up to like 50 MAC addresses.

Hi,

Well, either way I guess is good. When the Smartport macro is disabled it would not run additional commands, thus you will have the default setting, which is "unlocked". If the Smartport macro is disabled globally or per interface, it would never run if you disconnect and reconnect the link. I hope it helps.

Regards,

Aleksandra

I disabled globally this weekend. And, and this bugs me, when I disabled it, it reset the ports that Smartport macros run on back to VLAN 1. I had a feeling it would do it, so I wasn't surprised. I then manually set these ports to what I wanted them to be for voice and data. Everything worked. I then tested.

 

1. Pulled the cable that goes to a dumb switch (formerly detected as IP switch + desktop by Smartport) and plugged it back in, and all was well. The VLANs stayed what I wanted them to be because there was no Smartport, and additionally port security didn't kick in as it was doing previously. Test good.

 

2. Powered off the switch and back on. All VLANs were still at what I set them for and port security didn't kick in.  

 

It looks like when the Smartport macros rerun they can cause port security to kick in when a cable is unplugged. Anyways, I'm happy.

 

The next thing I'll do is update to the latest firmware, reset to factory defaults and reconfigure.  Previously this switch would auto-detect the correct voice vlan. It hasn't since a firmware update some time ago. No big deal now really since I've disabled Smartport.
