
CBS220 options

Can Cisco 220 Series Smart Switches CBS220-24T-4G support:

a) AAA TACACS+ integration?

b) Remote access via SSH (CLI)?

c) Can I add other "not-VLAN1" VLANs for management?

d) This model is not PoE, but could I add a voice VLAN (for phones with power injector)?

Could you please provide a link with best practices for configuring these devices securely?


pieterh
VIP

this is the point to start:
https://www.cisco.com/c/en/us/support/switches/small-business-220-series-smart-plus-switches/series.html#~tab-documents 

important document here is the administration guide:
You can assign authentication methods to the various management access methods, such as SSH, console, Telnet, HTTP, and HTTPS. This authentication can be performed locally or on an external server, such as a TACACS+ or a RADIUS server.

so a) is covered tacacs+/radius for AAA and b) for ssh

By default, VLAN 1 is the management VLAN, but this can be modified. The switch can only be reached at the configured IP address through its management VLAN.

so c) is also covered

also using the index look for voice vlan 
Configuring Voice VLAN 141
Configuring Voice VLAN Properties 143
Configuring Telephony OUI 143
Adding Interfaces to Voice VLAN on Basis of OUIs 145

so d) is also covered

also take a look at Cisco 220 Series Smart Switches: Tech Talk Videos  

 

Thanks so much, pieterh!!

Regarding external management, when you said: "The switch can only be reached at the configured IP address through its management VLAN."

Could this management VLAN be any VLAN, like for example the voice VLAN? Again, avoiding the use of VLAN1.

I do appreciate your help.

Hello, today we tried to configure an IP address for VLANs via CLI, but this model does not accept basic commands (via CLI) like:

(config)#interface vlan XXX

or 

(config-if)#switchport trunk allowed vlan 1,XXX,yyy

so I cannot assign an IP address for management or set up allowed VLANs on the trunk BEFORE connecting to the production uplink switch.

I left one port on VLAN1 only (Gi24). Could you please confirm whether there is any way to access the web administration page of this device? I heard about 192.168.1.254, and I can see it in "show version" output (not in "sh runn")

IP Address : 192.168.1.254
Subnet Mask : 255.255.255.0
Model Number : CBS220-24T-4G

I do appreciate your help

the page i suggested also has a link to the CLI guide
https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbss/sf220_sg220/command_line_reference/1_1_0_x/220_CLI_Guide.pdf 
see page 245 of the CLI guide

the commands needed are
management vlan ip address <x.x.x.x> mask <y.y.y.y>
    (The default IP address of the management VLAN is 192.168.1.254.)
or
management vlan ip dhcp client
management-vlan vlan <vlan-id>


>>> so I cannot assign an IP address for management or set up allowed VLANs on the trunk BEFORE connecting to the production uplink switch. <<<
- when you change the vlan your client must also be moved to the new vlan
- when you change the management ip your client must also be reconfigured to use the new subnet
to avoid this you can use the serial console on models that offer such a connection
if you access the switch over tcp/ip instead of serial console, you always have this kind of problem

if you first configure your uplink, then the cbs220 still uses the default vlan-1 and the default management ip-address 192.168.1.254
then you must first configure a client in vlan1 with a matching ip-address in this subnet (192.68.1.0/24) to reach the cbs220 over tcp/ip

using a network connection you may need to configure using individual steps
- put your client in vlan1
- access the default management ip over tcp/ip
- create the new management vlan (let's say 999)
- configure some interface as access port (untagged) vlan 999
- modify the management vlan to 999
- connect your client to the port in vlan 999
- reconnect to the default management ip (now using vlan 999)
- modify the management ip to the desired ip in vlan 999
- reconfigure your client network settings to original.

if you have a DHCP-server in your management vlan,
you may consider configuring the management ip for DHCP before configuring the new management vlan
preferably using a permanent lease for the mac-address of the cbs220
this way the cbs220 is reachable when moved to the management vlan

 

 

Hello Pieterh!!!

First of all, I do appreciate your incredible help, including the configuration guide.

In the last session I was able to define a new VLAN 350 (with real management VLAN), and assigned that VLAN to most of the access ports.

But I was unable to assign an IP address to that VLAN (like 10.10.2.200/24) as you can see in these outputs:

C220SW(config)#interface Vlan350
Unknown command
C220SW(config)# description VOICE vlan
Unknown command

C220SW(config)# ip address 10.10.2.200 255.255.255.0
Unknown command

 

So tomorrow we will connect again and (via console port) I will try to run this command:

"management vlan ip address 10.10.2.200 mask 255.255.255.0"   (where 10.10.2.200/24 is part of VLAN 350 on customer network).

 

HOW can I change the Management VLAN from default VLAN 1 to VLAN 350?

So once I connect this switch to the network, could I reach this device on the VLAN 350 IP address from another switch?

In your last reply you mentioned "create the new management vlan (let's say 999)" but I did not find a way to do that from the console port or from the WEBPAGE (we connected to https://192.168.1.254).

Can I use this command: "vlan default-vlan 350" to change management VLAN?

If so, do I need to run this command BEFORE running this one: "management vlan ip address 10.10.2.200 mask 255.255.255.0"???

 

I do appreciate your help

Enrique

 

pieterh
VIP

>>> Can I use this command: "vlan default-vlan 350" to change management VLAN? <<<
-> use this command : management-vlan vlan 350

changing the vlan before or after changing the management ip-address depends on your connection.
when connected to a serial console it does not matter
when connected over the network -> look again at the order of steps I suggested

- your client vlan must match the switch's vlan
- and the client subnet must match the switch's subnet
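
The order of steps suggested earlier in the thread and the two matching rules in the reply above can be checked before touching the switch. The following is an added example, not code from the thread or from Cisco: it models in-band reachability after each change. `Endpoint`, `walk` and `lockouts` are hypothetical names, and the client addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Endpoint:
    vlan: int   # untagged VLAN of the client port, or the switch's management VLAN
    addr: str   # interface address with prefix length

def reachable(client, switch):
    """In-band management works only if VLAN and IP subnet both match."""
    c = ipaddress.ip_interface(client.addr)
    s = ipaddress.ip_interface(switch.addr)
    return client.vlan == switch.vlan and c.network == s.network

def walk(client, switch, steps):
    """Apply (label, target, changes) in order; report reachability after each."""
    state = {"client": client, "switch": switch}
    report = []
    for label, target, changes in steps:
        state[target] = replace(state[target], **changes)
        report.append((label, reachable(state["client"], state["switch"])))
    return report

def lockouts(report):
    """Labels of the steps after which the management session is down."""
    return [label for label, ok in report if not ok]

# Factory defaults as quoted in the thread; the client address is constructed.
SWITCH = Endpoint(vlan=1, addr="192.168.1.254/24")
CLIENT = Endpoint(vlan=1, addr="192.168.1.10/24")

# Thread order (VLAN 999 as in the post; 10.10.2.50 is a constructed client address).
THREAD_ORDER = [
    ("management-vlan vlan 999", "switch", {"vlan": 999}),
    ("move client to access port in VLAN 999", "client", {"vlan": 999}),
    ("management vlan ip address 10.10.2.200 mask 255.255.255.0",
     "switch", {"addr": "10.10.2.200/24"}),
    ("restore client address", "client", {"addr": "10.10.2.50/24"}),
]

def run_thread_order():
    return walk(CLIENT, SWITCH, THREAD_ORDER)

if __name__ == "__main__":
    for label, ok in run_thread_order():
        print(f"{'reachable   ' if ok else 'SESSION DOWN'}  {label}")
```

Each switch-side change drops the session until the client follows it; skipping the client move to the new VLAN leaves the switch unreachable in-band at the end.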

pieterh
VIP

the voice vlan-id is defined not per-port, but globally.
after defining globally you enable the use of voice vlan per port

switchxxxxxx(config)# voice vlan state auto-enabled  !
switchxxxxxx(config)# voice vlan state disabled           !
switchxxxxxx(config)# voice vlan state oui-enabled     ! -> use only ONE of those three variants of the command

switchxxxxxx(config)# vlan 350
switchxxxxxx(config-vlan)# exit
switchxxxxxx(config)# voice vlan id 350

switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# voice vlan enable

you can find more details in chapter-41 of the cli manual

 

Hello Pieterh, after a great effort we were able to change the management VLAN and also access the switch from remote devices.

On the switch I left most of the ports on the data VLAN (300) and I am able to ping all DHCP servers, but users are unable to get IP addresses from DHCP.

As you have done an INCREDIBLE HELP I accepted your solution !!!!! But if you can provide me any tip about current issue with DHCP will be welcomed. Just as last note these are the only dhcp related commands I have:

GLOBAL

ip dhcp snooping
ip dhcp snooping vlan 300,350

under TRUNK Port


!
interface gi1
switchport mode trunk
description "UPLINK"
ip dhcp snooping trust
!

Customer is using NAC services on their network, but no NAC related commands have been applied on uplink switch trunk that connects this new switch. And from new C220 switch I can reach all DHCP servers via ping.

THANKS AGAIN!!!!

pieterh
VIP

i see no reference in the CBS220 CLI manual about DHCP-relay, but the CBS250 manual does!
https://www.cisco.com/c/en/us/td/docs/switches/lan/csbms/CBS_250_350/CLI/cbs-250-cli/dhcp-relay-commands.html#:~:text=dhcp%20relay%20enable-,ip%20dhcp%20relay%20enable%20(Interface),agent%20feature%20on%20an%20interface
be aware, this could be version dependent

ip dhcp relay enable
ip dhcp relay address ip-address
  (of dhcp-server)

hope that helps,

Pieter

p.s. Google-AI suggests to use the web-interface, but sometimes mixes information with features of other switch-models
(the add is not needed anymore because the vlan already exists)

[Attached image: pieterh_0-1754036614850.png]