
Intermittent issues with daisy-chained Netgear switches

davebainum
Level 1

Hi all,

Okay, now that things have settled down a little bit, here's some more information/request-for-advice on how to proceed with a little hiccup we ran into at a couple of our TB sites.  I mentioned this earlier a few weeks back, hadn't really had time to delve into it, but now have some more time - so wanted to take a closer look.

Here's the scenario:

Single subnet, single VLAN, nothing exotic.  When everything is plugged into just Cisco switches (either one 8 port ESW just for the trial, or two ESW's together to allow enough ports for the overall network), everything works great.

The minute we plug in another switch to daisy-chain (Netgear), strange things start happening - e.g. devices connected to the Netgear can't get DHCP assignments, etc., but no problems on devices directly connected to the Cisco's.

Any suggestions on things to try or check?  The very same Netgear switches operate fine otherwise independently of being tied in to the Cisco switches.  They had been used without issue in other applications.  They are gigabit, unmanaged switches.

TIA,

-- Dave Bainum (dbainum@ritetech.net),  PMP*
[PMP=PMI Certified Project Management Professional]
<Interested in great RP & other IT deals?? See tinyurl.com/plf8wz>
RiteTech LLC / www.ritetech.net / +1 (703) 561-0607
Creators of the www.RPConnect.net suite of applications

7 Replies

Brian Bergin
Level 4

Had exactly the same problem you're having when we first put the ESW in place.  No DHCP, no DNS, nothing.  Thought I was going mad.  Then I stumbled on the port security settings.  Boy was I surprised.  So, given the symptoms, have you checked the crazy default port security settings on the ESW?  It comes out of the box in locked down mode, like Cisco assumes the NSA/CIA is going to use them for their entire network!  It's the only small biz switch I've ever seen with ports locked down so tight. Personally, I turned all that junk off, but you can use the Smartport Wizard to tell the switch what kind of device is attached to each particular port.  The problem with that is you can NEVER change ports for testing without going back into the ESW and resetting the port security.  So if you have a port you think may be bad you can't just go to the switch and move a cable, you have to go into the GUI first and change the port config.  It's pretty stupid if you ask me.  Perhaps someone at Cisco can explain their logic a bit more, but the right way to sell a switch, IMHO, is unlocked, the right way to sell a firewall is locked.  They serve different purposes, but Cisco appears to believe that they both need to be locked down.

Thanks, Brian.  That's a great theory - we'll check into it further.

What specific setting(s) should we check or otherwise "unlock"?  I am pretty sure (but not 100% sure) that we set the ports to daisy-chain as "switch" in SmartPorts Wizard...

-- DB

In our view, the way to daisy chain managed switches is by using trunking. For un-managed switches, using "Switch" smartport role is correct. So, if you configured this profile and port security was not disabled by default, I would call this a bug. Can you confirm?


Marcos

According to http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10143/data_sheet_c78-521740.html the "Switch" option in the Smartport Wizard does this:

• Configured as an uplink port to another switch or router Layer 2 port for fast convergence

• Enables 802.1Q trunking

So isn't that what you're saying about trunking?  I don't see any other trunk options in the ESW.

The question still begs, why does Cisco think small businesses need, want, or desire a switch to be out-of-the-box locked down like it is?

We just got this from Ivor Diedricks, PLM for the ESW switches:

Thanks for the heads-up. We have come to the same conclusion and will
loosen up the controls going forward.

Thanks,
Ivor

Also, I just confirmed with our ESW TME that port security should be automatically disabled when configuring the "Switch" smartport.


Marcos

Security is disabled when you configure it as a switch, it's just that you have to "know" that you have to do it that's the kicker.  Maybe the ESW team can get us a new firmware to test deployment via Thunderbolt that would give us the new settings they plan to deploy.  We'd be a great beta group to test any changes with.