DHCP SNOOPING IN CISCO SF200-48 SMALL BUSINESS SWITCH

Similar Messages

• LMS 3.2 and Cisco Small Business Switches

  Hi there,
  I'm currently using LMS 3.2 to monitor my network. We've recently purchsed a few of the Cisco Small Business Switches, the SF 300-24 model to be exact. They're considered 'managed switches' (tho thier CLI is terrible) and I would like to monitor them in CWLMS. My problem is that once I add it to CS, it doesn't resolve to anything, just sits there as a blue box with a question mark. I'm assuming this means that these devices are not (currently) supported by LMS 3.2 - do you know if that will change, or how I can go about managing this device with LMS 3.2?
  Thanks

  Unfortunately that series of products is not supported in any version of LMS (or even Cisco Network Assistant - CNA).
  Cisco provides the FindIt utility to manage them:
  http://www.cisco.com/en/US/products/ps10660/tsd_products_support_series_home.html
  Hope this helps.

• SG200 Small business switch - vlan issue

  I have the wonderous task of remotely configuring a few SG200 small business switches.
  I need to create a vlan and move a few ports into that vlan, doesn't sound too difficult.
  I have created the vlans but when I go to add the ports into the vlan the only option I seem to have is General?
  If I specify access I can't say what vlan the port should be in?
  What am I doing wrong?
  All ports are currently in VLAN 1 and are in mode trunk
  I have created 2 new vlans and just want to put 4 ports in VLAN 2 and 4 ports in VLAN 4
  Can anyone impart any wisdom?
  Thanks
  Roger

  Hi Roger,
  Did you try this guide?
  http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=80
  Are you configuring it from GUI or CLI ?
  Regards
  Mariusz

• Best small business switch for 100-300 user UC deployments

  Hello,
  The SMART Designs state that both the ESW500 and 300-series switches should not be used for deployments of over 100 IP phones.
  But now that both the UC560 can go up to 138 (128 IP phones) and the BE3000 can go up to 300 users is this design restriction still valid or is the Catalyst 2960 and above the only options?
  The QPT is still showing both the 300- and ESW500  switches as options for all versions of the UC560, and the 300- and 2960  switches are shown as valid options in the LAN for the BE3000.
  Thanks.

  Hi All,
  I would agree with the folks at smartdesign, but for a very differerent reason as suggested by kmacpherson..
  But think about the Business Edition 3000 (BE3000) and how it's supported.  BE3000 is supported by the traditional Cisco TAC that also supports the catalyst 2960S etc....
  The 300 series switch is supported by the wonder folk at the  Small Business Support Center (SBSC) . 
  300 series of switches are generations ahead of the ESW switch in terms of switch silicon/features/GUI/supported CLI/IPv6 support  etc..it is a tremendous switch series..
  From my perspective, even though there is now a lot of dialogue between TAC and SBSC these days, it sorta makes a lot of sense in my mind to position Catalyst switches  in conjunction with  BE3000 for your end users,  and 300 series small business switches as a lower cost alternative.
  This will mean there will be pretty seamless TAC support for a BE3000,  catalyst, ISRG2 solution.
  regards Dave

• Help blocking certain website and IP on a SG 300-20 Small Business Switch

  Hi,
  I like to block certain IP and website on the SG 300-20.
  Being new to Cisco Small Business switch I she tried with no positive result. Could someone give me some steps or maybe direct me where I can find a step by step resource.
  Thank you

  Hello, 
  Thank you for contacting us for support with your device.
  Unfortunately what you are trying to do is not possible with any Small Business switch.
  It is true that this switch can be used in layer 3 and it will be able to route your traffic on the inside of the network, but it will not be able to route your traffic to the Internet as it doesn't do any NATting.
  If you need to block any websites you will need to configure it on your router or firewall.
  Just to be completely clear, this switch won't be able to block any websites.
  I hope this was helpful

• Small Business switches and POODLE

  Has Cisco done any research into small business switches being vulnerable to POODLE?  I know they're working hard on the enterprise side, but I'm not finding any information on the small business side.
   

  Hi,
  All Cisco product will be checked and results are posted on the same page as for enterprise:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
  Regards,
  Aleksandra

• Issues with Small Business Switch config

  Hi, I know that if I read the documentation I will come to the answers but I would really like some input from someone with more knowledge than me. I have an issue with Cisco SF300 , one of the Small Business Switches. I have a single interface on my router and I need to separate my internal networks , I thought that one way would be to use VLANs. On my two internal networks one network only has unmanaged D-Link switches, the other has the Cisco SF300 so I did as follows. 
  On the Cisco Switch, all ports default to Trunk ports. I have changed FE1-FE24 and GE1-2 to access ports.
  Created two VLANS and placed FE1-FE24 in VLAN10 (also my management VLAN) , GE3 is a trunk Port for VLAN20 untagged, VLAN 20 uplinks to my DiLink Switches. This way traffic from my unmanaged switches comes in on a trunk port untagged on VLAN20.
  GE4 is a trunk port and I have assigned  VLAN1 untagged, VLAN10 tagged and VLAN20 tagged. VLAN 10 and VLAN 20 then forward to my Router.
  The plan was to connect GE4 to my router however I had two things happen I can not explain.
  Firstly as soon as I connected my D-Link to GE3 the LAN on VLAN20 went down, I could not ping Servers from PCs etc, all devices are connected to the unmanaged D-Links. Secondly the VLAN Assigment changed on GE3 and GE4 , VLANs 10 and 20 disappeared and only the default VLAN was assigned, also under VLAN Settings my VLAN interface state for VLAN20 shows Disabled. Also one of my access ports FE12 keeps changing VLAN.
  Can anyone offer any suggestions as to what might have crashed the LAN and why my VLANs change. I did write my running config to the start up config by the way.
  I added two screen shots. 
  I would seriously appreciate some help.
  Thanks 
  Bob

  Hi Garrett, thanks for your reply to my post, I hope you are well. I called Cisco support, they told me that they could not understand why this was happening and suggested a firmware upgrade, usually something I should have considered right from the beginning. This solved the issue for me.
  Thanks
  Bob

• [solved] DHCP snooping in environment with core and access switches

  Hello,
  I'd like to know what steps are needed to configure DHCP snooping in my environment:
  1) two core switches Catalyst 6500 (VSS): VLAN defined here, DHCP server connected here
  2) access switches Catalyst 3750: clients connected here
  Access switches are connected to core ones via trunk ports (fiber optics).
  How many snooping databases are required?  One for core and next for each stack?

  Hi Marian,
  If your network is properly designed and connected so that clients, including DHCP clients, are attached to the access layer switches, then the DHCP Snooping should be run only on access switches. Running DHCP Snooping on core switches is not going to increase the security because the DHCP communication has already been sanitized on the access layer.
  If you intend to save the DHCP Snooping database then each switch performing the DHCP Snooping needs to have its own database if you intend to use a persistent storage for it. However, you can always have the switch to save the database to its own FLASH, alleviating the need for a centralized networked storage.
  I am not sure if this answers your question so please feel welcome to ask further.
  Best regards,
  Peter

• Small business switches and CDP

  what switches in the small business category support CDP?
  I took a look at the SGE and SFE series but nothing was mentioned about CDP support.  I would like something lower grade than the ESW series if possible.

  You may want to take a look at the Cisco Small Business 200 and the 300 Series switches, both switch lines now support CDP.

• How to setup Private VLAN in Small business switch SF200-24

  Dear All,
  According release notes 1.4 , private vlan is supported. I've upgraded my SF200-24 with firmware 1.4.0.88 and boot 1.3.5.06. The system information show firmware version 1.4.0.88 and boot version 1.3.5.06 after reboot. I can't find private vlan setup command on GUI. Please help me to setup private vlan. Thanks.

  Hi,
  Unfortunately PVLAN is not supported on 200 series. However you might be able to overcome this using general port concept.
  for example:
  isolated port - general 10P (PVID), 30U, drop tagged traffic
  community - 20UP, 30U, drop tagged traffic
  promiscuous - 30UP, 10U, 20U
  Note: primary vlan 30
  does it address your requirements?
  Aleksandra

• So, does STP just not work on the Small Business Switches?

  Hi All,
  I have an SG500-52P switch, and a catalyst 3650 switch.  I want to connect two links between the switches, and have STP block one of them for redundancy in the event of a link failure.  When I set this up, I got a duplicate IP address discovered message in the 500 switch, followed by the network crashing/locking up from what I can only assume was an STP loop.  Show spanning-tree on the 3650 before the crash showed that both of the ports were in FWD state - meaning that STP was not blocking redundant paths.
  Verification that STP is running and BPDU's are flooding on the 500 can be found below:
  SW500A#show spanning-tree
  Spanning tree enabled mode RSTP
  Default port cost method:  long
    Root ID    Priority    24577
               Address     a0:ec:f9:ef:6a:00
               Cost        20000
               Port        gi1/1/43
               Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
    Bridge ID  Priority    32768
               Address     2c:3e:cf:ff:11:82
               Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  SW500A#show spanning-tree bpdu
  Global: Flooding
  SW3650#show spanning-tree
  VLAN0001
    Spanning tree enabled protocol ieee
    Root ID    Priority    24577
               Address     a0ec.f9ef.6a00
               This bridge is the root
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
    Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
               Address     a0ec.f9ef.6a00
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
               Aging Time  300 sec
  SW3650#show spanning-tree  sum
  Switch is in pvst mode
  Root bridge for: VLAN0001, VLAN0003
  Extended system ID           is enabled
  Portfast Default             is disabled
  PortFast BPDU Guard Default  is disabled
  Portfast BPDU Filter Default is disabled
  Loopguard Default            is disabled
  EtherChannel misconfig guard is enabled
  UplinkFast                   is disabled
  BackboneFast                 is disabled
  Configured Pathcost method used is short
  The only thing I see is that the cost method in the 500 is long, while the cost method in the 3650 is short.
  Am I missing something?

  Hi
  from your outputs seems that both switches understand each-other BPDU's (at least via one link!), because SW500A is not root bridge for that segment and accepts SW3650 to be root bridge.
  > spanning-tree on the 3650 before the crash showed that both of the ports were in FWD state
  I hope this is correct behavior as SW3650 is root bridge. This means that all ports on root bridge are designated ports and thus are in FWD state.
  The switch-port which should be blocked must be on opposite (non-root) switch SW500A.
  But be careful in your scenario: there could be potentially compatibility issue as:
  SW500A is using Rapid STP (single - common - instance over all VLAN's)
  SW3650 is using PVST+ (Per VLAN Spanning Tree)
  the compatibility works in this scenario only in case, that all links between SW3650  and SW500A use VLAN1 as untagged VLAN.
  That means: to allow Cisco SW3650 switch running rapid PVST+ or PVST+ to form a common spanning tree with SW500A switch running RSTP or STP, vlan1 (the native VLAN) must be configured as untagged on the SW3650 ports connected to SW500A switch.
  If this is not met, it can leads to switching loops. And that could be your case.

• SMALL BUSINESS SWITCH SLM 2024

  Hi , for some reason, i cannot access the switch via the web interface. i reset the switch to factory settings , and the same thing happens. i tried to access the switch via a diferrent pc and still the same, i would appreciate some help on this.

  Ishal,
  Are you able to ping the device?
  Have you changed the management vlan on the device by chance?
  If all else fails have you Tried resetting the switch and plug directly into it and get into it with the default ip address of 192.168.1.254?

• Can I use DHCP snooping and IOS DHCP server on the same switch stack

  Hello,
  I am shortly going to be deploying a Cisco CallManager solution for a customer whose network comprises stacks of Catalyst 3850 switches.
  There is no separate core/server farm switch so the CallManager servers, voice gateways and IP phones will all plug into the same stack and be in the same VLAN (not my choice!).
  For security we want to enable DHCP snooping and were planning on using the IOS DHCP server on the Catalyst switch stack.
  Will this work? - when I enable DHCP snooping in networks with separate access layer switches I set the uplinks to the core as trusted links.
  I am not sure whether DHCP snooping will work in this case. Do I need to set the VLAN interface on the switch as trusted, is this even possible?
  Unfortunately I do not have access to a layer 3 switch to test this at the moment.
  Thanks

  Nope.  That's the issue.
  They'll sync on a third device acting as a hotspot, but the device sending a signal is not "on" the network it creates so the airport is all by itself on that network.  At least that is what it looks like to me.  Anyone have another take on it?  Seems pretty silly that an iPad can put out a wifi signal, an Airport Express can receive a wifi signal, and yet there is no simple way to get them to communicate under this particular condition.

• ISE and dhcp snooping

  Hi all,
  The ISE configuration validator says we should have DHCP snooping enabled on our network access devices (switches) so we do it. However I have never understood what this accomplishes. (In terms of ISE/NAC. I understand what DHCP snooping is).
  Can anyone explain? Thanks.

  Thanks for the reply, Vattulu.
  Interesting article/section, but I don't see where it says anything about the relationship between dhcp snooping and profiling. It seems to be talking about the use of dhcp snooping option 82 to convey the 802.1x user info to the dhcp server. The dhcp server can then act on this information to assign specific IPs to specific users. I can see how ISE would get this information via ip-helper or maybe by snmp bulk query, but don't understand how that would assist with profiling. I mean, ISE already has the 802.1x user identity from the radius request, right? Maybe you can enlighten me.
  Googling around I found this article/section:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_sw_cnfg.html#wp1059679
  which seems to imply that dhcp snooping info can be used when applying DACLs. Interesting, because I thought that was based on the ip device tracking table only. But, it says that dhcp snooping is optional, and doesn't go into any detail.
  Still digging, I would like to understand this. Thanks for your help.

• Ip dhcp snooping issue

     Hi all,
  I am having trouble getting the dhcp snooping to work on a stacked 3750 when a rogue DHCP server is plugged in to the network. I have configured dhcp snooping on one of our user switches with the following commands.
  ip dhcp snooping
  ip dhcp snooping vlan 11
  no ip dhcp snooping information option
  int range fa1/0/1 - 48
  ip dhcp snooping limit rate 100
  VLAN Name                             Status    Ports
  11   JKT_Net_DHCP_1 
  interface FastEthernet1/0/43
  description  DHCP Subnet 1
  switchport access vlan 11
  switchport mode access
  switchport port-security maximum 3
  switchport port-security aging time 1440
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  no logging event link-status
  no snmp trap link-status
  spanning-tree portfast
  spanning-tree bpduguard enable
  ip dhcp snooping limit rate 100
  end
  The configuration works in ther fact that users are still getting their IP address info from the DHCP server and i can see all the dhcp snooping bindings on the switch. But I'm having issues where when a rogue dhcp device is plugged in to one of the user ports i.e fa1/0/43 on the user subnet, and do an ipconfig /release /renew on a machine on the same VLAN, i am still getting a DHCPOFFER from the rogue device and the machine ends up with the wrong IP address.
  Currrently the real DHCP server sits off a network behind the firewall, with a layer 3 link (running OSPF) between the user switch to the distribution switch. I have enabled the dhcp snooping on the link from the distribution switch to the real DHCP server (shown below).
  DHCP snooping trusted interface
  interface GigabitEthernet1/0/9
  description JKTADC01 - LAC 1
  switchport access vlan 21
  switchport mode access
  no snmp trap link-status
  ip dhcp snooping trust
  end
  I have also attached a network diagram of the network setup.
  I would like to stop the rogue server from being able to give out ip addresses.
  Can someone shed some light on this topic please?
  Kind regards,
  Philip

  Pawan,
  Based on the error messages it looks like you have a mis-configuration. Looks like
  one of the trunks/ports does not have DHCP trust configured on it. Can you
  track mac address 34dc.fde5.2c40 to what port it's connected to and verify
  that it has DHCP trust enabled?.
  Haihua