I have recently been putting a SG300 through testing, and while the configuration is working, I am now at the stage of making sure everything is secure. At this point I've reached a question I can't quite find the answer to:
1 Port - Trunk Mode (1UP + Various VLANs Tagged)
Other Ports - Access Mode (Various VLANs Untagged)
The question comes as to how to deal with the Trunk Port. Per Cisco's own "Virtual LAN Security Best Practices", the default/native VLAN should be cleared from all Trunks... unless I am misunderstanding, I see no way to accomplish this with the SG300's port in Trunk Mode (it forces 1UP, and admit-all).
The only other options I see as being possible are:
Change Port to General Mode, and switch policy to admit-tagged-only, and leave 1UP on the trunk
Change Port to General Mode, and remove 1UP (but this forces the system to add 4095P, which per the documentation states it immediately disables all other VLANS?)
Are either of these options valid/usable... or is there a better way to accomplish this?
Not sure we are quite on the same page regarding this question:
In Trunk Mode, the switch is requiring an untagged VLAN (native VLAN for the trunk) on the interface. Per my understanding (correct me if I'm wrong), the best practices indicate you generally do not want untagged traffic on your trunks.
Now by default in Trunk Mode, the link is assigned 1UP (PVID 1, Untagged). It seems both the user interface and the CLI will not allow you to keep an interface in Trunk Mode without having 1 assigned untagged VLAN.
I.E. (default Trunk):
#sh interface switchport GE1
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN (NATIVE ): 1
I see no way of clearing this native VLAN from the trunk. In General Mode it is possible to specify admitOnlyVlanTagged, which may be accomplishing the same thing however.
It also seems you can also set PVID to 4095 in General Mode.... I assume then that all untagged packets would be discarded. At least from my limited testing it seems you can have something like:
General Mode: 100T, 200T, 300T, 4095P... and contrary to the documentation it does not seem to prevent you from using the Tagged VLANS.
Typically the native vlan or PVID is untag on a port. You may set the switchport differently such as;
switchport mode general
switchport general ingress-filter disable
switchport general pvid X
switchport general allowed vlan add x tagged
With this configuration all vlan tag or untag is accepted on the switchport.
Ingress filtering on trunk and access ports cannot be disabled, therefore the switchport settings must match, which means making a PVID untagged and any additional VLANs tagged on the port. Otherwise the ingress filter on the ingress port will discard the packet.
You may sculpt traffic any way you wish... The IP address of the switch is simply for management not for network unless running in L3.
Please mark answered for helpful posts
The intent is not to accept any untagged traffic on this switchport at all (the best practices I list above come from Cisco's documentation for the Catalyst line of switches).
The native/pvid is used for control traffic (CDP, STP,...etc.) from my understanding, but the upstream device on this switchport is configured to only expect tagged traffic... I am not entirely sure what it will do with untagged traffic, but I highly suspect it will just drop/filter anything not properly tagged (haven't had time to validate)
I'm not worried about the IP address of the switch, since the management interface is not default/listens on a separate tagged VLAN. Realistically, the only thing I wanted this switch for was VLAN support (to segment apart various classes of devices) so it will only ever operate in L2... the upstream devices handle everything else.
For now, I have configured this port as follows, and it appears to be doing what I'm trying to accomplish:
switchport mode general
switchport general allowed vlan add 101,102,103 tagged
switchport general acceptable-frame-type tagged-only
switchport general pvid 4095
This may be actually overkill, since it appears once you apply PVID 4095, all untagged traffic gets dropped anyway.
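As an added example (not part of the thread), a small audit script that parses the "show interface switchport" output quoted above and flags uplink ports that still accept untagged frames or still sit on native VLAN 1. The sample output is constructed; the "Port Mode:" label is an assumption about the SG300's output format.

```python
import re

# Constructed sample of "show interface switchport" output for three ports.
# "Acceptable Frame Type" and "Ingress UnTagged VLAN (NATIVE )" follow the
# snippet quoted in the thread; the "Port Mode:" line is assumed.
SAMPLE_OUTPUT = """\
Port : gi1
Port Mode: Trunk
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN (NATIVE ): 1

Port : gi2
Port Mode: General
Acceptable Frame Type: admitOnlyVlanTagged
Ingress UnTagged VLAN (NATIVE ): 4095

Port : gi3
Port Mode: General
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN (NATIVE ): 1
"""

def parse_switchport(text):
    """Split the CLI output into one dict per port, keyed by field label."""
    ports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Port" in fields:
            ports.append(fields)
    return ports

def audit_uplink(fields):
    """Findings for a port that is meant to carry tagged traffic only."""
    findings = []
    mode = fields.get("Port Mode", "").lower()
    frame_type = fields.get("Acceptable Frame Type", "")
    native = fields.get("Ingress UnTagged VLAN (NATIVE )", "")
    if mode == "access":
        return findings  # access ports are expected to carry untagged traffic
    # PVID 4095 is the discard VLAN, so untagged frames are dropped anyway
    if frame_type == "admitAll" and native != "4095":
        findings.append("accepts untagged frames (PVID %s)" % native)
    if native == "1":
        findings.append("native VLAN is the default VLAN 1")
    return findings

def audit(text):
    """Map each port name to its findings; an empty list means clean."""
    return {p["Port"]: audit_uplink(p) for p in parse_switchport(text)}
```

Run `audit(SAMPLE_OUTPUT)` to see gi1 and gi3 flagged and gi2 (tagged-only, PVID 4095) reported clean.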
I may be a bit late on this one. If you change the native vlan on the trunk to a bogus vlan and then prune it from both ends of the trunk, untagged frames will be isolated to within the trunk. I believe this to be a Cisco best practice.
I have never worked with that device, however, the commands should be similar to this (VLAN 99 being a bogus or "black-hole" VLAN):