Cable modem through smart switch vlan

-Dragon-

I've got two servers set up and am working on making them HA backups of each other. Part of that involves running a firewall on one, connected to the cable modem through a switch, so if it fails the firewall restarts on the other box and reconnects to the modem. Currently it works just fine running through a small 5-port dumb switch, but I was hoping to be able to get rid of that switch and use a VLAN on a Cisco SG200 for the modem network instead. The problem is it just REALLY doesn't want to work on the smart switch at all.

I've got the desired ports set to QinQ currently, since that should provide the maximum isolation from the rest of the network, and it appears that the two ports are talking at least somewhat, as the xmit count on the modem is close to the RX count on the active server port; the active server port xmit and modem RX aren't quite as close, so I might be losing some packets there. The lights indicate the ports are talking to each other though: if I unplug the cable modem the server connection light slowly flickers as it polls, and a few seconds after plugging the modem back in to a port configured for the modem VLAN both lights flicker quickly.

Am I missing something painfully obvious here, or will this modem just not work when hooked up through a VLAN or QinQ tunnel on a smart switch for some reason...
 
QinQ seems like overkill, a simple VLAN with the cable modem and outside interfaces of the servers as untagged ports should do it.

You might need to use wireshark to see what's going on. You may also be dealing with an ARP table issue on the cable modem, since I assume the MACs on the servers are not the same.
 
QinQ is total overkill, but that was kinda the point: 100% isolation from the switch.

It's not failing during a switchover; it can't even get online if there's only one server and the modem on the VLAN. Heck, it can't even get online if I make the two devices the only ones on the switch, VLAN'd or otherwise. The VM has a statically assigned MAC address anyway, just to prevent the ARP issue you referred to, and it's the same on both boxes (I'm using failover clustering, so it's really just one VM that can move to whatever server is up).

I'm guessing it has to do with one or more of the numerous 802.x protocols the smart switch runs vs. none for the dumb switch, but I've tried disabling all the ones I can find with no luck...

It does support both port and VLAN mirroring though, so doing the Wireshark thing shouldn't be too bad... I was just hoping maybe someone had seen something like this before. Could just be my modem brand too, an Arris MTA; it might work better on a newer modem like a D3.0-compatible one...
 
Probably too many active MACs being seen by the cable modem. I had the same problem a while back and just went back to using the dumb switch. Some ISPs will only allow up to a certain number of active MACs behind it. In my case it was three. I would guess the modem is seeing several MAC addresses: one for the switch, one for each VMware host and then the MAC for your VM at a minimum. If you can get into your cable modem's management page you should be able to see how many and which MAC addresses it is treating as active.
 
The servers are set to not use that particular LAN port for anything on the host (all features disabled): 100% pass-through to one VM that is only powered up on one of the servers, so only 1 MAC there, and the switch shouldn't be broadcasting anything at all on this particular VLAN since it's not the management VLAN... Verified from the modem interface that it's only seeing one host behind it.

I even just tried running a cable from the dumb switch to the smart switch to see if the modem picked up an extra host, but it didn't: still just 1 host even with all the 802.x protocols on. Looks like I'm going to have to try the Wireshark thing some night to see what exactly is going on...
 
It was STP. Once I disabled that (well, and every other sort of discovery protocol; it's possible it was multiple things), everything started working as expected with the modem port set up as a VLAN access port and the server ports set up as trunks with the internet VLAN tagged, meaning I can actually use those ports for other traffic now too.

Moral of the story: cable modems do NOT like STP.
 
I realize that this is a bit of an old thread but I looked for info specifically regarding cable modems and the SG200-18 before I finally just took the plunge and bought it after finding inconclusive information. (I have the "Hell with it. I'll figure it out myself." mentality.)

I am posting my results so that the next poor bastard looking to purchase this awesome switch doesn't spend hours looking for solid info (like I did) and will be well-informed and confident in their purchase. (This info applies to all SG200 Small Business switches. Likely it applies to all Cisco switching devices and routers.)

It took me about half an hour of enabling/disabling services and rebooting both my cable modem and SG-200-18...but I have narrowed it down perfectly.

===START SUMMARY===
It is NOT the Spanning Tree Protocol (STP). It's the Cisco Discovery Protocol (CDP) that's causing your modem to log the additional MAC address and designate it for an IP address.

The IP will only be given if DHCP/Auto-Config is enabled in the switch, though. Generally, those of us using a cable modem who are buying this switch for specific reasons are not going to need DHCP enabled as we will be assigning a static LAN IP to the switch.

Re-enable STP, Bonjour and LLDP services. DISABLE CDP. Your cable modem WILL NOT see the switch.
===END SUMMARY===

There is another way, though. If you actually DO wish to use CDP on the switch so it can keep track of Cisco devices, you can disable the CDP service per-port. Just disable CDP for the cable modem's port.

===START SPECIFIC PROCEDURE===
**NOTE: Make sure you disable any pop-up blockers for the IP of the switch!
1.) Enable the CDP service.
2.) Switch to: Discovery - CDP > Interface Settings.
3.) Find the port that your cable modem's Ethernet port is connected to on the list.
4.) Select the cable modem's port using the corresponding radio button then click the "Edit" button at the bottom. A pop-up window** should appear.
5.) The port number that you selected should show in the "Interface" drop-down box. Make sure that it does show the "GExx" port of your cable modem.
6.) There are four other elements listed in the pop-up window. Uncheck the "Enable" box for all of the following options then click "Apply" to save the config:
-----CDP Status
-----Syslog Voice VLAN Mismatch
-----Syslog Native VLAN Mismatch
-----Syslog Duplex Mismatch
7.) You'll need to reboot the cable modem (again...) to clear the SG200's MAC from the cable modem's list of recorded MAC addresses.
===END SPECIFIC PROCEDURE===

As long as you are telling the switch to not broadcast CDP to the cable modem's port, it will not see the SG200. The STP, LLDP and Bonjour services will not cause the cable modem to record the SG200's MAC address.

Here is the info about my current config for the switch. All LAN devices do have internet access through my gateway server's LAN port (GE15) on VLAN1. The gateway server's WAN port (GE16) is configured on VLAN2. (With the cable modem, you'll notice.) The cable modem does NOT detect the SG200's MAC address.

Here's my current, WORKING config:
VLAN1: Ports GE1-GE15 (GE15 is my gateway server's LAN port).
VLAN2: Ports GE16 (gateway server's WAN port), GE17 ("DMZ") and GE18 (cable modem).

Spanning Tree Protocol (STP), Link Layer Discovery Protocol (LLDP) and Bonjour are all ENABLED for all ports.

Cisco Discovery Protocol (CDP) is globally disabled. Remember that you CAN run it per-port if you wish. (Although there doesn't seem to be much point in enabling this unless you have other Cisco devices on your network such as routers, switches and IP phones.)

There you have it. (^_^)
 
I just got my SG-500 in and had to set this up all over again; couldn't get it working with LLDP enabled, had to disable CDP, Smartport, and LLDP for the modem port.
 
Understanding VLANs is simple...

A simple VLAN will completely create a separate collision and broadcast domain for your cable modem. No special protocols are needed.
 
Riiiiiiiight, but managed switches tend to put all kinds of crazy protocols on all ports by default, and the point of this thread was to figure out the right ones to turn off, because most cable modems only allow 1 MAC address and if the switch does ANYTHING on that port, it can grab the modem before the VM can.
 
> Riiiiiiiight, but managed switches tend to put all kinds of crazy protocols on all ports by default, and the point of this thread was to figure out the right ones to turn off, because most cable modems only allow 1 MAC address and if the switch does ANYTHING on that port, it can grab the modem before the VM can.

? Not sure what you mean?
 
This thread had nothing to do with understanding or configuring VLANs; it has to do with getting a cable modem to connect to a NIC on a gateway in a VM through one using smart or managed switches, which for the sake of ease of management and configuration tend to use multiple general and vendor-specific protocols to sense what they're connected to. Due to the nature of cable modems, which oftentimes refuse to connect to anything once they see ANY MAC doing ANYTHING on layer 2 until they're rebooted, any sort of discovery protocol or attempt to be "smart" will result in the CM seeing the switch MAC before the gateway even has a chance to try to request DHCP. In order to use a CM through a VLAN you have to determine which protocols are broadcasting the MAC and disable them, at least on the CM port.
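The "figure out which protocols are broadcasting the switch MAC" step above is what the port-mirror/Wireshark capture answers. The following is an added example, not code from anyone in this thread or from Cisco: a small classifier for raw Ethernet frames that tags each one as CDP, STP BPDU, LLDP, mDNS/Bonjour, DHCP or other and lists every source MAC the modem would see that is not the gateway's. The frame layouts are the public ones (CDP over SNAP with OUI 00:00:0c and PID 0x2000, BPDUs over LLC DSAP/SSAP 0x42, LLDP on EtherType 0x88cc, mDNS on UDP 5353 to 224.0.0.251); the switch and gateway MAC addresses and the sample frames are constructed here for the demo. In practice you would feed it the bytes of each frame from a capture of the modem port taken through the switch's port mirror.

```python
"""Classify the layer-2 chatter a managed switch can push out a cable-modem port.

Added example for this thread (not the poster's code or a vendor tool). Given raw
Ethernet frames, report which protocol each one is and which source MAC it exposes,
i.e. what the modem records before the gateway sends its first DHCP request.
"""
import struct

# Well-known destination MACs for the protocols discussed in the thread
CDP_MAC = "01:00:0c:cc:cc:cc"      # CDP / DTP
STP_MAC = "01:80:c2:00:00:00"      # 802.1D BPDUs
LLDP_MAC = "01:80:c2:00:00:0e"     # 802.1AB
MDNS_MAC = "01:00:5e:00:00:fb"     # IPv4 multicast 224.0.0.251 (Bonjour)
BCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed addresses for the sample frames (assumptions, not real devices)
SWITCH_MAC = "00:1b:54:aa:bb:cc"
GATEWAY_MAC = "52:54:00:12:34:56"


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(m: str) -> bytes:
    return bytes(int(x, 16) for x in m.split(":"))


def classify(frame: bytes) -> dict:
    """Return {'proto', 'src', 'dst'} for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    etype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    proto = "other"
    if etype == 0x88CC:
        proto = "LLDP"
    elif etype == 0x0800 and len(body) >= 20 and body[9] == 17:   # IPv4 carrying UDP
        ihl = (body[0] & 0x0F) * 4
        udp = body[ihl:ihl + 8]
        dport = struct.unpack("!H", udp[2:4])[0] if len(udp) == 8 else None
        if body[16:20] == bytes([224, 0, 0, 251]) and dport == 5353:
            proto = "mDNS/Bonjour"
        elif dport == 67:
            proto = "DHCP"
    elif etype <= 1500:                       # 802.3 length field: LLC header follows
        if len(body) >= 3 and body[0] == body[1] == 0x42:
            proto = "STP BPDU"
        elif len(body) >= 8 and body[0:3] == b"\xaa\xaa\x03":   # SNAP
            oui, pid = body[3:6], struct.unpack("!H", body[6:8])[0]
            if oui == b"\x00\x00\x0c" and pid == 0x2000:
                proto = "CDP"
            elif oui == b"\x00\x00\x0c" and pid == 0x2004:
                proto = "DTP"
    return {"proto": proto, "src": src, "dst": dst}


def leaked_sources(frames, gateway_mac: str) -> list:
    """Sorted (proto, src) pairs for frames sent by anything other than the gateway.
    Every entry is a MAC the modem can latch onto before the gateway's DHCP request."""
    seen = {(r["proto"], r["src"]) for r in map(classify, frames)
            if r["src"] != gateway_mac.lower()}
    return sorted(seen)


# --- constructed sample frames (minimal but correctly laid out headers) ------------
def _llc_frame(dst: str, src: str, payload: bytes) -> bytes:
    return _mac_bytes(dst) + _mac_bytes(src) + struct.pack("!H", len(payload)) + payload


def build_cdp(src: str) -> bytes:
    # SNAP (OUI 00:00:0c, PID 0x2000) + CDP header: version 2, TTL 180, checksum 0
    return _llc_frame(CDP_MAC, src, b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + b"\x02\xb4\x00\x00")


def build_stp(src: str) -> bytes:
    # LLC DSAP/SSAP 0x42 + start of a configuration BPDU (protocol id 0, version 0)
    return _llc_frame(STP_MAC, src, b"\x42\x42\x03" + b"\x00\x00\x00\x00")


def build_lldp(src: str) -> bytes:
    chassis_tlv = b"\x02\x07\x04" + _mac_bytes(src)   # Chassis ID TLV, subtype 4 = MAC
    return _mac_bytes(LLDP_MAC) + _mac_bytes(src) + b"\x88\xcc" + chassis_tlv + b"\x00\x00"


def build_udp4(src_mac: str, dst_mac: str, src_ip, dst_ip, sport: int, dport: int) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(src_ip), bytes(dst_ip))
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x00" + ip + udp


SAMPLE_FRAMES = [
    build_cdp(SWITCH_MAC),
    build_stp(SWITCH_MAC),
    build_lldp(SWITCH_MAC),
    build_udp4(SWITCH_MAC, MDNS_MAC, (192, 168, 1, 2), (224, 0, 0, 251), 5353, 5353),
    build_udp4(GATEWAY_MAC, BCAST_MAC, (0, 0, 0, 0), (255, 255, 255, 255), 68, 67),  # DHCP discover
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify(f))
    print("MACs the modem sees besides the gateway:", leaked_sources(SAMPLE_FRAMES, GATEWAY_MAC))
```

Run it against a real capture and whichever protocols show up paired with the switch's MAC are the ones to turn off on the modem port; the gateway's own DHCP discover is the only frame that should remain. The classifier deliberately does not decide between the STP and CDP findings reported earlier in the thread: which protocol leaks depends on the switch model and its defaults, which is exactly why you capture rather than guess.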
 
I do exactly this with my old Allied Telesyn and Netgear FSM726SUK switches, to get my cable modem 'directly connected' to a virtual interface on an ESXi VM.

I did disable STP on both switches as it didn't appear to want to play ball until then. May have played with some other settings too though, can't remember.
 