Cisco Smartports

While troubleshooting a network problem recently, I was reminded of a feature that is turned on by default on Cisco's Small Business and Catalyst Express switches, called Smartport Roles; on Cisco's larger switches and routers the equivalent is Smartport Macros (not enabled by default, and applied from the CLI). This is a love-it or hate-it feature of Cisco SMB switches. When we think of managed switches, how much of the feature set do we actually use beyond VLANs, QoS and perhaps high throughput? The reality is that managed switches have a lot more features and functionality that we often never configure. Cisco has also made these features available as templates for small businesses, which is great, unless you don't realize they are in place. If you don't know about Smartport roles you can spend hours chasing your tail.

The biggest gotcha you need to know about is that by default most ports are configured in the “Desktop” role, which permits only one MAC address per port and disables spanning tree to permit fast network connectivity. If you connect a switch to such a port you may notice that only the first node actually works, and all others fail to connect (this is port security).

In those cases you want the “Switch” role, which permits multiple IPs (port security is disabled) and enables Rapid Spanning Tree (RSTP).
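One way to spot this gotcha across a whole switch without clicking through the GUI: the added Python example below (not from the original post) parses the summary table printed by the IOS `show port-security` command and flags ports limited to a single MAC address that have already logged violations, which is the signature of a switch or other multi-host device behind a Desktop-role port. The sample output is constructed, not captured from a real device, and assumes the Catalyst IOS column layout; a real switch's spacing may differ.

```python
import re
from dataclasses import dataclass

# Constructed sample of the summary table printed by "show port-security" on a
# Catalyst/IOS switch (not captured from a real device). Gi1/0/3 is a port in
# the Desktop role that has a downstream switch plugged into it.
SAMPLE_SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/0/1              1            1                  0         Restrict
      Gi1/0/3              1            1                137         Restrict
      Gi1/0/7              1            0                  0         Shutdown
     Gi1/0/24              8            5                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# A data row is: port name, three integer counters, then the violation action.
# Header, separator and footer lines do not have three integers in a row, so
# they fail to match and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\S+)\s*$"
)

@dataclass
class SecurePort:
    port: str
    max_addr: int
    current_addr: int
    violations: int
    action: str

def parse_port_security(text: str) -> list[SecurePort]:
    """Return one SecurePort per data row of the 'show port-security' table."""
    ports = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ports.append(SecurePort(m["port"], int(m["max"]), int(m["cur"]),
                                    int(m["viol"]), m["action"]))
    return ports

def desktop_role_suspects(ports: list[SecurePort]) -> list[SecurePort]:
    """Ports capped at one MAC that have recorded violations: only the first
    learned host gets through, everything behind it is dropped or shut down."""
    return [p for p in ports if p.max_addr == 1 and p.violations > 0]

if __name__ == "__main__":
    for p in desktop_role_suspects(parse_port_security(SAMPLE_SHOW_PORT_SECURITY)):
        print(f"{p.port}: max 1 MAC, {p.violations} violations ({p.action}) -> "
              "probably needs the Switch role")
```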

Here is the full list of Smartport roles:

Desktop: Apply this role to ports that are connected to desktop devices, such as desktop PCs, workstations, notebook PCs, and other client-based hosts.
  • Optimized for desktop connectivity
  • Configurable VLAN setting
  • Port security enabled to limit unauthorized access to the network
Switch: Apply this role to ports that are connected to other switches.
  • Configured as an uplink port to a backbone switch for fast convergence
  • Enables 802.1Q trunking
  • Configurable native VLAN
Router: Apply this role to ports that are connected to WAN devices that connect to the Internet, such as routers and Layer 3 switches with routing service capabilities, firewalls, or VPN concentrators.
  • Configured for optimal connection to a router or firewall for WAN connectivity
  • Enables 802.1Q trunking
  • Configurable native VLAN
IP Phone+Desktop: Apply this role to ports that are connected to IP phones.

A desktop device, such as a PC, can be connected to the IP phone. Both the IP phone and connected PC have access to the network and the Internet through the switch port. This role prioritizes voice traffic over data traffic to ensure clear voice reception on the IP phones.

  • Optimized QoS for IP Phone + Desktop configurations
  • Voice traffic is placed on Cisco-Voice VLAN
  • Configurable data VLAN
  • QoS level assures Voice over IP (VoIP) traffic takes precedence
  • Port security enabled to limit unauthorized access to the network
Access Point: Apply this role on switch ports that connect to non-Power over Ethernet (PoE) and PoE-capable wireless access points (APs). Connected to the AP are mobile devices, such as wireless laptop PCs.
  • Configured for optimal connection to a wireless access point
  • Enables 802.1Q trunking
  • Configurable native VLAN

Note: The functionality of Cisco Wireless Bridges is more similar to that of a switch, so Cisco recommends the Switch Smartport role for Wireless Bridges.

Server: Apply this role to ports that are connected to servers that provide network services, such as Exchange servers, collaborative servers, terminal servers, file servers, Dynamic Host Configuration Protocol (DHCP) servers, IP private branch exchange (PBX) servers, and so on. This role is for Gigabit or non-Gigabit ports, based on the server type to be connected.
  • Configurable VLAN
  • Port security enabled to limit unauthorized access to the network

This role prioritizes server traffic as trusted, critical, business, or standard, based on the function of the server.

  • Trusted—For use with Cisco CallManager Express. The same QoS setting as Voice (VoIP traffic is prioritized).
  • Critical—For critical servers with QoS set higher than the default.
  • Business—The default setting. QoS is higher than desktop Internet traffic.
  • Standard—For servers set to the same level as regular desktop Internet traffic.
Printer: Apply this role on switch ports that connect to a printer, such as a network printer or an external print server. This role prevents printer traffic from affecting voice and critical data traffic.
  • QoS settings for Printer are the same as Desktop, Access Point, and Standard Server
  • Configurable VLAN
  • Port security enabled to limit unauthorized access to the network
Guest: Apply this role to ports that are connected to desktop devices and to APs to provide guest wireless access.
  • Guests are allowed access to the Internet, but not to the company network.
  • All guest ports are placed on the Cisco-Guest VLAN.
  • Port security enabled to limit unauthorized access to the network.
Other: Apply this role on switch ports if you do not want to assign a specialized role to the port.

This role can be used on connections to guest or visitor devices, printers, desktops, servers, and IP phones. It allows for flexible connectivity of non-specified devices.

  • Configurable VLAN
  • No security policy
  • No QoS policy
Diagnostic: Customers can connect diagnostic devices to monitor traffic on other switches (this role can be configured using Cisco Network Assistant only).

Enjoy