When Switches Are Too Smart
October 24th, 2009 by Paul Sterley | Filed under Hardware.
Too smart for what? Too smart for me, apparently. I know, some switches are designed for very granular control of the network, and these are high end expensive features meant for locking down and fine-tuning networks. That’s not my typical scenario though, and this one tripped me up for a few hours.
The situation:
· Dell PowerEdge R710 server, shiny and brand new.
· ESXi 3.5 U3 booting from a memory stick.
· iDRAC configured and working.
· ESXi tested and working fine on NIC1.
· 1st NIC on the server is plugged into an HP Procurve switch.
· 2nd NIC on the server is plugged into a Cisco Catalyst Express 500 switch.
When I moved my VM from the first virtual switch (also hosting iDRAC and management network) to the 2nd NIC to allow it unhindered performance, DHCP stopped working.
Everything else seemed fine. DHCP was authorized. Scope was activated. Scope was in the correct subnet.
When I moved another VM into the same virtual switch, it could talk to the DHCP server just fine. Nobody else (on other virtual switches or other physical workstations) could.
After much troubleshooting, which I will spare you the painful details of, I discovered the problem:
The Cisco Catalyst switch had all of its ports set to the “Desktop” role, which includes security “to limit unauthorized access to the network” (and also to give IT guys headaches).
Once I switched the port to the “Other” role (for unspecified devices, no security), DHCP went live again and all was well in the world.
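Before dropping a port all the way to the “Other” role, it is worth confirming that port security really is what is eating the frames. Here is an added example (my own, not from this post and not a Cisco tool) that reads IOS-style port-security violation syslog lines and flags ports whose offending MACs look like a hypervisor uplink (several source MACs, VMware OUIs) rather than a single stray desktop. It assumes the switch exports syslog in the standard IOS `%PORT_SECURITY-2-PSECURE_VIOLATION` format, which the post does not show for the Catalyst Express 500; the log lines below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the IOS port-security violation format
# (assumption: the switch sends syslog; the post shows no log output).
SAMPLE_LOG = """\
Oct 24 09:12:01 switch1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.5601.0a01 on port FastEthernet0/2.
Oct 24 09:12:03 switch1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.5601.0a02 on port FastEthernet0/2.
Oct 24 09:12:09 switch1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.5601.0a01 on port FastEthernet0/2.
Oct 24 09:15:44 switch1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001e.c900.beef on port FastEthernet0/7.
Oct 24 09:16:00 switch1 %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
"""

# Matches the dotted-hex MAC and the port name at the end of a violation line.
VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION: Security violation occurred, caused by MAC address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$"
)

# OUIs VMware assigns to virtual NICs (00:50:56 and 00:0c:29).
VMWARE_OUIS = {"005056", "000c29"}


def parse_violations(log_text):
    """Return {port: {mac: hit_count}} for every PSECURE_VIOLATION line."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            mac, port = m.groups()
            hits[port][mac] += 1
    return {port: dict(macs) for port, macs in hits.items()}


def classify_ports(hits):
    """Flag ports whose blocked MACs look like a hypervisor uplink, not one stray host."""
    report = {}
    for port, macs in hits.items():
        ouis = {mac.replace(".", "")[:6] for mac in macs}
        vmware = bool(ouis & VMWARE_OUIS)
        report[port] = {
            "distinct_macs": len(macs),
            "vmware_ouis": vmware,
            "likely_hypervisor_uplink": len(macs) > 1 or vmware,
        }
    return report


if __name__ == "__main__":
    for port, info in classify_ports(parse_violations(SAMPLE_LOG)).items():
        print(port, info)
```

A port flagged here is a candidate for a role that tolerates multiple MACs (Switch or Server) rather than simply “Other”, but that choice still depends on what the uplink actually carries.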
Here is a breakdown of the roles for Cisco Catalyst switches, and the brief explanation of each role:
Desktop
· Optimized for desktop connectivity
· Configurable VLAN setting
· Port security activated to limit unauthorized access to the network
IP Phone + Desktop
· Optimized QoS for IP Phone + Desktop configurations
· Voice traffic is placed on “Cisco Voice” VLAN
· Configurable data VLAN
· QoS level helps ensure that voice-over-IP (VoIP) traffic takes precedence
· Port security activated to limit unauthorized access to the network
Router
· Configured for optimal connection to a router or firewall for WAN connectivity
Switch
· Configured as an uplink port to a backbone switch for fast convergence
· Permits 802.1Q trunking
Access point
· Configured for optimal connection to a wireless access point
· Configurable VLAN
Server
· Can be classified as trusted, critical, business, or standard server
o Trusted—For use with Cisco Unified Communications Manager Express; same QoS setting as for voice (VoIP traffic is prioritized)
o Critical—For crucial servers with QoS set higher than default
o Business—Default setting; QoS higher than for desktop Internet traffic
o Standard—For servers set to same level as regular desktop Internet traffic
· Configurable VLAN
· Port security activated to limit unauthorized access to the network
Printer
· QoS settings for Printer are the same as for Desktop, Access Point, and Standard Server
· Configurable VLAN
· Port security activated to limit unauthorized access to the network
Guest
· Guests are allowed access to the Internet, but not to the company network
· All guest ports are placed on “Cisco Guest” VLAN
· Port security activated to limit unauthorized access to the network
Other
· Cisco Smartports Other role allows for flexible connectivity of nonspecified devices
· Configurable VLAN
· No security
· No QoS policy
Diagnostic
· Customers can connect diagnostic devices to monitor traffic on other switches (configurable using Cisco Configuration Assistant only)
Tags: Cisco Catalyst, Network Security

