Cisco Catalyst 2960 not setup correctly?

coshiro1

Hello,

I just got my hands on a Catalyst C2960S-48LPS-L that I will be trying to learn Cisco networking with. I've already factory reset it and set an enable secret, hostname, etc. thru the beginning setup wizard in the console. I'm just trying to create a very basic config where any device that plugs into a gigabit port will get an IP address and internet connection on the default VLAN 1 (I guess kind of if it was a dumb switch). The problem is, any guide or manual I've found on the internet has not worked so far and they've all made me even more confused. I plugged the internet that comes in from the school's network that gives an IP address into GigabitEthernet0/2 on the switch and my laptop into Gi0/1. I'm not sure whether to put Gi0/2 as a trunk or as normal "access". My laptop does not get an IP address from school DHCP, and also I'm not sure what to do with the VLAN 1 that all the ports are tied to. Pls help TIA

 

Btw not sure if this is relevant but here's the info of the school network:

DHCP Server: 199.107.196.11

Gateway: 10.22.2.1


@coshiro1 Hi, a few things to note.

1. This switch is not L3 capable, so you cannot assign any IPs to any physical interfaces. You can create VLANs and assign them to the required ports.

2. If you are connecting to another network to get access, you can configure the port as an access port if you don't know about the VLANs configured in the distribution switch. Then your switch will give access to any VLAN configured on the distribution switch port.

3. If access mode is not working, you need to configure the uplink port as a trunk, and you need to know which VLANs are configured in the distribution switch and configure the same in your switch with the required access ports.

4. Is your school network a closed network? Because as per your information you are using a public IP as a DHCP server?

 

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hi Kasun, thanks for your response

1. Sorry, I meant I want the school network's DHCP server to assign the IP addresses for the devices that I plug into my switch

2. Thanks for the tip. I have no idea about their config except for the fact that on the other side of the provided connection, according to CDP, it's a switch made by Extreme Networks

3. This makes sense now. By the way the school's network has a MAC address filter and I put in the "Base MAC Address" (or something similar to that) as the MAC but the filter complains that the device is not connected to the network. Would MAC filtering on the school's side affect my switch's operation? And which MAC would I use if it would affect operation?

4. That's the DHCP server IP I get when I plug my laptop into the school network directly so I don't know ha ha

 

Thanks again

 

Christian

@coshiro1 

1,4 - This is OK, but you need to know the back end for more clarity.

2,3 - If your distribution switch is doing MAC filtering, it will affect your connection. The distribution switch may allow 1 MAC or a few MACs. It depends on the configuration.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Okay gotcha. I don't think it's the switch doing the filtering, it's something at the campus's core. But where on the switch or in the console do I find the MAC address to use?

 

Thank you

@coshiro1 Actually, MAC address filtering is normally done at access-level switches (the switches end devices connect to). You can use '#sh interface gi x/x' to see the MAC address of a specific switch port. But if you need the MAC address of a PC/laptop, you need to check at the device.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Okay, thank you so much for your help Kasun. So each port has its own MAC address then? So if I plug the uplink into a different port I'd have to provide a different MAC to the school's filtering?

@coshiro1 Yes, you understood correctly. Each physical port has a different MAC address.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Am I understanding correctly that if you remove the switch and plug in a computer that it works ok? If so it suggests that the school is mac filtering to allow single device access but not multiple device connections, which is what your switch would be. If the school is limiting access to a single device then your switch will not be useful there.

HTH

Rick

Thanks for your input, Richard! I never even thought of that as a possibility. So even if the uplink to the school's switch was set to "access" switchport mode, they can still block it?

Also, CDP is a Cisco protocol, right? The school's switch is an Extreme Networks switch but still sending out CDP packets. So is CDP like a Cisco-branded name for some ID protocol rather than a proprietary protocol?

Christian

Yes even if the uplink was set to access they can still block it. There was some mention in the discussion of filtering, and it is possible that if there is filtering that this might be what is blocking you. But I wonder if that is the case. To help us understand better would you post the output of these commands on your switch:

- show vlan

- show interface status

Yes CDP is a Cisco protocol. I would be surprised if Extreme is generating CDP packets. But it is possible (and perhaps likely) that Extreme is forwarding CDP packets that were generated by some Cisco equipment in the network. Would you post the output of the command show cdp neighbor?

In reading through the discussion there were a few things that I noticed.

- you mentioned the possibility of configuring an interface as trunk. Given what you have described there is no reason why you would configure any interface as trunk. Trunk is useful when there are multiple vlans on the switch. And in what you describe trunk would not be useful. If the school connection is set up as access (which seems very likely) then there can be only a single vlan for that connection.

- if the school is connected on G0/2 and your laptop is connected to G0/1 but does not get an IP address. If you disconnect the switch and connect your laptop directly to the school does it get an IP address?

HTH

Rick

Hello Richard,

Once I get back I will definitely post the output of those commands for you. In the meantime, this is what Wireshark came up with when I filtered for CDP packets:

 

coshiro1_2-1700023418075.png


- you mentioned the possibility of configuring an interface as trunk. Given what you have described there is no reason why you would configure any interface as trunk. Trunk is useful when there are multiple vlans on the switch. And in what you describe trunk would not be useful. If the school connection is set up as access (which seems very likely) then there can be only a single vlan for that connection.


Gotcha, thanks for the explanation

And as far as connecting my laptop directly goes, yes, any device that I connect directly to the uplink to the school gets an IP and gets internet connection (after I login on the captive page or add the MAC to the whitelist, that is.) I was also trying to figure out if the switch had a MAC address that I needed to whitelist on the school's side to get it to start working. But the filter is only to authorize a device to connect to the internet and the rest of the LAN so I'm not even sure if it is relevant.

Thank you for your guidance as always

Christian

Thanks for the additional information. Thanks for confirming that connecting your laptop to the uplink works and the laptop gets an IP and has connectivity. This does suggest that something needs to be done to identify the switch to the uplink. You mention login on the captive page and I don't know how you would do that on the switch, so perhaps the whitelist is the better alternative? I will be interested in following up on this when you get back.

Let me say a bit more about the CDP frames. As far as I know CDP is proprietary to Cisco and other vendors do not participate in that protocol. But it is quite possible that Extreme is forwarding frames generated by some other device. To understand this better let us think about 2 Cisco devices (perhaps CiscoA and CiscoB) connected by a switch. There are 2 scenarios: the switch is a Cisco switch or the switch is non Cisco.

- In the first scenario the Cisco devices are connected by a Cisco switch. So CiscoA sends a CDP frame, the frame is received by the switch, the switch recognizes the frame and processes it and does NOT forward the frame, so CiscoB never sees that frame.

- In the second scenario the Cisco devices are connected by a non Cisco switch. So CiscoA sends a CDP frame, the frame is received by the switch, the switch uses layer 2 forwarding logic and forwards the frame to other devices in that vlan, so CiscoB will receive that frame. 

I believe that you are in scenario 2. Somewhere in the school is another Cisco device. It is sending CDP frames, and Extreme is forwarding those frames to your switch.

HTH

Rick
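
Added example (not part of the thread and not from any poster): a minimal Python parser for the CDP frames discussed above, reading the Device ID, Port ID and Platform TLVs to see which device originated a frame, regardless of which switch forwarded it. The sample frame and the names in it are constructed, and the CDP checksum is not verified.

```python
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")   # destination MAC used by CDP
SNAP_CDP = bytes.fromhex("aaaa0300000c2000")    # LLC/SNAP header: Cisco OUI, PID 0x2000
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id", 0x0005: "software", 0x0006: "platform"}

def tlv(t, value):
    """Build one CDP TLV; the length field covers the 4-byte header too."""
    return struct.pack("!HH", t, len(value) + 4) + value

def parse_cdp(frame):
    """Return originator details from a raw 802.3 frame, or None if it is not CDP."""
    if len(frame) < 26 or frame[0:6] != CDP_MULTICAST or frame[14:22] != SNAP_CDP:
        return None
    info = {"src_mac": frame[6:12].hex(":"), "version": frame[22], "ttl": frame[23]}
    length = struct.unpack("!H", frame[12:14])[0]    # 802.3 length of the LLC payload
    end = min(len(frame), 14 + length)
    pos = 26                                         # skip version, TTL, checksum
    while pos + 4 <= end:
        t, l = struct.unpack("!HH", frame[pos:pos + 4])
        if l < 4 or pos + l > end:                   # malformed TLV: stop, do not overrun
            info["truncated"] = True
            break
        if t in TLV_NAMES:
            info[TLV_NAMES[t]] = frame[pos + 4:pos + l].decode("ascii", "replace")
        pos += l
    return info

def build_sample():
    """Constructed frame (not from the thread's capture); all names are made up."""
    payload = bytes([2, 180]) + b"\x00\x00"          # version 2, TTL 180, checksum left zero
    payload += tlv(0x0001, b"lab-appliance-01") + tlv(0x0003, b"eth0")
    payload += tlv(0x0006, b"Example Platform")
    llc = SNAP_CDP + payload
    src = bytes.fromhex("020000000001")              # locally administered sample MAC
    return CDP_MULTICAST + src + struct.pack("!H", len(llc)) + llc

if __name__ == "__main__":
    print(parse_cdp(build_sample()))
```

The `src_mac` and `device_id` fields describe the device that generated the frame; a switch that merely floods the CDP multicast address leaves both untouched.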

Here are the outputs from the aforementioned commands on my switch:

show vlan:

coshiro1_0-1700042941521.png

show interface status:

coshiro1_1-1700043009778.png

show cdp neighbors detail:

coshiro1_2-1700043155303.png

Thanks for the additional information. Thanks for confirming that connecting your laptop to the uplink works and the laptop gets an IP and has connectivity. This does suggest that something needs to be done to identify the switch to the uplink. You mention login on the captive page and I don't know how you would do that on the switch, so perhaps the whitelist is the better alternative?


I agree, however I'm not quite sure which MAC address to enter in. I tried the port's MAC (found using command "show int gi1/0/2" for port 2 on the switch) but the following message shows up:

Screenshot 2023-11-15 022311.png
So maybe there is some other MAC on the switch that I should be entering?

Christian

Thanks for the outputs. Let me start with the cdp output. I believe that this confirms my suggestion that cdp was not generated by Extreme. And it suggests that my comment that "other vendors do not participate in that protocol" may need to be modified. I still believe that it is accurate to say that other networking vendors do not participate in the protocol. It appears that SecureStack, a network security company, is generating cdp packets. I assume that they are trying to detect/identify any Cisco gear that might be in the network. I am not sure if the cdp packets relate to the problem in getting your switch to work on the network. My first thought was that it was probably not related. But in thinking some more I wonder if they do detect your switch if they might do something to react to what they regard as an unauthorized device on the network. Is there a way that you could check with someone at the school about whether their network would support (would allow) your switch connecting to the network?

I would have thought that the mac of the switch G0/2 interface would have been the correct mac. In thinking about the error message that you posted mentioning only devices that are active can be enrolled, I wonder why they do not recognize your switch as active. I wonder if it might have to do with the fact that the switch does not have an IP address. I suggest that you configure interface vlan 1 (the SVI for vlan 1) and configure it to use dhcp to get an address. Try that and let us know if the behavior changes.

HTH

Rick