Cisco Infrastructure :: 3550 Doesn't Send Traps When Bpdu-guard Sets A Port In Err-disable State
Mar 24, 2003
Currently it seems as if our 3550's don't send traps when bpdu-guard sets a port in err-disable state. Or DFM doesn't recognize it. Is there a way to get a DFM alert when a 3550 port gets into err-disable state?
We have an environment where users create a lot of bridge loops. We have tried to send E-mails about it and educate the users but it is almost a lost cause at this point. The loops are created when users don’t pay attention and they plug a patch cable coming off of an access port up to ANOTHER access port by mistake.
All of our access ports are from 3750 stacked switches. The way we tried to deal with this in the beginning was with BPDUGuard and ERRDisable (BPDUGuard) auto recovery. We turned BPDUGuard on globally and left BPDUGuard auto recovery at the default value (I believe it was 30 seconds), so a loop would be detected and after 30 seconds, the switch would try to enable the port and if the loop still existed, close the port for 30 more seconds. Then we started having problems with printers getting "fried". Their NICs would die out and the control board would need to be replaced. After a lot of troubleshooting and testing, it was determined that allowing the ports to come out of ERRDisabled state would flood the network and the packets would generate in the millions per second range and fry the NIC of these printers.
The fix for this and saving the printers was terrible. We removed ERRDisable auto recovery and just let the ports that are looped stay in an ERRDisabled state. We wait for the user to figure out the loop and try to use the port and then put in a work order. Then we physically visit the site and verify the port was shut (ERRDisabled) from a loop and we bounce the port (shut/no shut) and everything is resolved. I did lab tests with a switch looped and a printer on the switch and watched it fry. We have had no printers fry after we removed the auto recovery protocol at every location. Only the locations where loops existed and the auto recovery protocol was running were printers going bad. What I found during my lab tests was that each time the port was auto-recovered (yes, for that millisecond while it checks if a loop still exists), more packets were re-generated and eventually enough was re-broadcast that printers would go down. We never had a problem with computer NICs. I guess the cheaper printer NICs couldn't handle the broadcast storms created by this. I tried playing with the auto recovery timers and even the highest setting would eventually re-create these storms.
So my question is what best practices are others using? Should we get rid of BPDUGuard and just try to let spanning-tree handle these bridge loops? Is there something else I can try? I'm not CCNA by any means, just trying to do what I can in my environment. Manually visiting sites when loops occur is becoming more and more my job, though, and I have plenty of other things to be doing.
I am testing a 2960 24 S with storm-control and an Errdisable Port timer interval of 60s, connected a HUB on fa0/17 to make traffic / a loop. After Storm Control detection the interface goes down, that's OK; after 60s it will try to recover the interface and it goes up although the loop is still there. For my understanding, if the interface still detects a loop on that interface it will disable the port again for 60s and will check again.
We have a number of 3750 stacks used as access layer switches connecting Siemens VOIP phones and then a PC that connects to the phone.
For example if I plug PC A into the phone that connects to port 13 I pick up an IP address and all works as predicted. Now if I plug PC A into any other VOIP phone that connects to another port on the same switch it goes into error disable state. It's like the switch is holding my PC MAC address and locks it down with the port, which in my case is Gi2/0/13.
I have 2 3550 12G switches that I use as core fiber switches. Switch 1 is the primary for 1/2 the VLANs and Switch 2 is the primary for the others using MST with 2 instances (I am not including the default 0 instance). I am using HSRP to provide redundancy. So far so good.
Recently a tenant in my building would like to use their own switch for data but still needs access to a VLAN on mine for voice. Again not a problem as I can configure a trunk port and give them what they need. My concern is that if they try to configure STP on their switch, can they take down mine? Are there some preventions that I can put into place, such as root guard, that work with MST? What happens if they too set up MST, can they kill mine?
Switch 1 is the root for 1/2 the VLANs and Switch 2 is the backup root. The scenario is flipped for the other 1/2.
There are always some Traps more or less processed by LMS showing up in the Fault Monitor View. Especially some Pass-Through or Unidentified Traps can be annoying if you want to keep the view clean. I wonder how to disable such Traps so they are not displayed on the DFM Fault Monitor View?
I am cascading one new 3750G switch (int Gi1/0/1) with an existing 3750G (int fa1/0/26) switch. But the interface fa1/0/26 goes into err-disable state even after NO SH. Also I have disabled spanning tree bpdu guard and disabled spanning tree portfast. But still the issue is not resolved.
I have a Catalyst 2950G on which I activate switchport port-security, but I want to empty the black list of MAC addresses, because every time I connect a device the port is automatically deactivated. Here is the port configuration:
Is there a way to send an SNMP trap from the ASA when port 80 is trying to be accessed?
We use the ASA5510 and also use ScanSafe Web Security. Web Security is great but we find ourselves worrying if a user has edited their browser connection settings to remove the proxy settings that we push down using Group Policy. We also cut off the users' ability to make changes to those settings but it interferes when I need to troubleshoot a special program that can't use a proxy server. It just makes it harder for me. The other thing is that Group Policy only works for IE. Google Chrome will inherit the system settings in IE. So we have Safari and Firefox as well as a lot of others to worry about not getting the configuration. There is also debate about limiting the use of anything but IE and FireFox.
Without laying down the law and getting all sorts of hate mail and death threats I would like to run ScanSafe in such a way as to make sure each user receives the Group Policy settings and that is all.
I would now like to just set up an SNMP trap on the ASA for ANY traffic that is trying to get to port 80. Either get it in my syslog server or have the ASA email me directly. ScanSafe sends the Internet traffic out on 8080 to the Proxy towers.
I could block port 80 outbound but again, I limit my ability to troubleshoot on the fly. I would have to break this every time I need to troubleshoot.
I have a 3550 Catalyst and I configured it for bandwidth controlling. I have used the POLICE command; it works fine and I saw it limit the bandwidth, but there is a little problem: when I limit the bandwidth at 1024000 and I am using all the bandwidth and monitor the bandwidth, I see it shows the network uses half the bandwidth.
I'm using a Catalyst 3550 to supply power to an IP network surveillance camera. By default, the predecessor to POE, Cisco Inline Power, allocates 15.4 W of power to a port ... What is the process for reducing this power output?
"For an IEEE device, the switch always allocates 15.4 W to the port. The switch does not display the IEEE class type in the show power inline privileged EXEC command output. Instead, it displays n/a."
My group has recently started configuring traps on our switches to alert us of issues as they arise vs. waiting for the Helpdesk to receive user complaints and then responding. We have successfully configured the 2950 and 2960 switches to alert us when a port-security violation happens. However, the 3750 switches refuse to fire the port-security violation traps. The 3750's will fire an errdisable trap when the port goes down though.
And here is the output of the port-security debug:
2522070: Oct 21 16:37:04: %LINK-3-UPDOWN: Interface FastEthernet1/0/45, changed state to down
2522089: Oct 21 16:37:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/45, putting Fa1/0/45 in err-disable state
2522100: Oct 21 16:37:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0012.3f07.95d3 on port FastEthernet1/0/45.
All of the 3750's are running C3750-IPBASEK9-M, Version 12.2(53)SE2. Wireshark also shows the errdisable traps, but no other traps, so I've ruled out the traps being missed. All of the switches have been reloaded and power cycled.
Ages ago I was shadowing someone making a change on the network. I cannot remember which spanning tree version was running and cannot remember the config of any port either. What I do remember is that every switch port on the 2960 switch went orange and an outage occurred, where the ports went into listening / learning mode. I assume that the STP was just the default IEEE 802.1D.
I have in my work an RV016 10/100 16-Port VPN Router, working OK and connected with 3 ADSL internet lines.
1- The problem is that when any line disconnects from the internet it is supposed to log this disconnection in the system log, but it does not.
2- I can't understand the option of sending mail with the logs: does it send when I press the button EMAIL LOG NOW, or is it supposed to send when any log is added? And how do I configure it?
My Linksys router is connected to my desktop and modem and gets internet access but for some reason has stopped sending the wireless signal to other laptops in the house.
I have configured an SVI in my 4500 (Sup 7-E 10GE and cat4500e-universalk9.SPA.03.02.00.SG.150-2.SG.bin) switch and it is showing Down Down, because there were no active switch ports in the VLAN. I added one switch port to this VLAN but this port was also in the down state, so I added the SWITCH PORT AUTO STATE EXCLUDE command under this port; even after this the SVI never came up. So I added one system to the port and then both the switch port and the SVI came up... So why does the SWITCH PORT AUTO STATE EXCLUDE command have no effect in this model of the switch?
Motion detection is set up, and I can see in the log and on the Live Video "Motion Trigger Indicator" that this part is working. I can also send test emails, so the SMTP is set up correctly. In the Event Setup I have a valid server and a motion triggered event with the status ON. But no emails are sent. In the log there is also no indication of the server trying. Am I missing something, or is this not working for anybody?
And there is no firmware beyond 1.0 for this model as far as I can see.
P.S. I am using a Gmail account for SMTP, port 587 and using STARTTLS to send with.
When I start my PC I get 2 local area connections instead of 1 and because of this my internet does not work unless I disable and enable the network again. After enabling, only 1 network shows and I can connect to the internet. Could it be because I replaced my motherboard, even though I uninstalled the drivers?
Where would I find instructions on how to import a CA-certified identity SSL wildcard certificate (like *.company.net) in the ASA? The CSR for the wildcard certificate was not generated from the ASA unit.
I have a Catalyst 3550 switch and a 2610XM router connected with an ethernet cable. Currently I cannot get the port on the switch to open (lights are dark). I run 'no shut' on the port (#13) but nothing happens. If I unplug the cable to the Cisco router and plug a Netgear router (that leads to the internet) into the same port, the port flickers amber for a while, then flickers green from then on. I switched the cables; both work fine when connected between the switch and the Netgear router.
This was working at one point a couple of days ago. I had the Netgear router plugged into another port on the switch and could ping from the Cisco router through the switch to the Netgear router. I thought I had figured things out, but a reboot disabused me of that notion. (I know, I guess I didn't save my configuration, but I obviously still need to understand more, so it's better that I didn't.) (I guess.)
When the problem is occurring, the below is what I am seeing on the two devices.
ROUTER status
====================================
FastEthernet0/0 is up, line protocol is up
Hardware is AmdFE, address is 0017.9583.b740 (bia 0017.9583.b740)
Internet address is 192.168.1.90/24
There is a VLAN Finance in my office. The requirement: VLAN Finance is allowed to access the internet and selected hosts/networks and is not allowed to access the internal network. But the internal network can access VLAN Finance (full access). I want to configure this using a Reflexive ACL, but per the datasheet the 4500 doesn't support Reflexive ACLs. Intervlan routing is in the 4500. Is there any ACL configuration to support my requirement without using a Reflexive ACL?
I'm looking at implementing a Cisco 3550 Layer 3 switch and would like to know if I can forward ports down to all of my different subnet servers/PCs.
For example, see attached image. 10.0.3.5 is a mail server. 4.2.2.2 is our public IP.
I would like to forward TCP port 25 down to our mail server's IP. Any reason this will not work by using the Cisco 3550? Currently we have a flat network (1 subnet) and port forwarding works fine.
I use a Dell Vostro 3550 as a wireless hotspot but I'm having a problem with the "WiFi mini port adapter" when I try to enable "Intel My WiFi technology". It enables, but the WiFi card dies after a few minutes; I can't see any signal of the wireless network, and of course
my phone does not see the wireless signal from my laptop. This problem appeared two months ago; before that it worked normally. I tried reinstalling the wireless driver and Windows, but nothing changed. My wireless card: Intel(R) Centrino(R) Wireless-N 1030.
While working at a client site today, I was troubleshooting some ICMP connectivity for a network we have created. I turned on 'debug ip icmp' on the 3550 switch in the middle, and was inundated with the following debug output:
Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5
Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5
Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5
Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5
....
This output fires several times a second, and based on how often it is firing, I am curious if it may be a culprit with respect to the fact that the client has indicated that they have some slow internet. Should the next step be to look at the workstation at 172.16.1.5?
I have a layer 3 switch, a 3550. I have several VLANs on there just for playing around with. One of the VLANs has a Vonage Linksys box attached to it with a UK number attached. From time to time telemarketers call at 03:00 in the morning, which as I'm sure you can imagine is not much fun. The Linksys box gets 192.168.3.3 as its IP. The switch is connected to a non-Cisco router at 192.168.0.1
interface FastEthernet0/24
 no switchport
 ip address 192.168.0.2 255.255.255.0
I was thinking a time based access list would work best. I have tried several variations but the phone still rings. I have tried access-list 1 deny host 192.168.3.3 permit ..... and more extensive lists but the phone still rings. I have not applied the time-range yet, so that's not the problem. I have applied the list to the VLAN interface and to fa0/24 but it's not working.
.Dec 17 19:58:06.193: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 15
.Dec 17 19:58:07.190: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to down
.Dec 17 19:58:07.190: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down
.Dec 17 19:58:08.198: %LINK-3-UPDOWN: Interface FastEthernet0/23, changed state to down
.Dec 17 19:59:18.671: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 15