Cisco LAN :: 6500 / 3550 - Method For Detecting Loops
Sep 23, 2012
I am a network tech at a local school district (easily an enterprise network). I am just a worker bee, so have no say in the design of the networks. Our topo at a site goes WAN rtr---LAN rtr (6500 or 3550)----distro switches----access switches.
Now at most of our sites we use Extreme, which has a handy feature called ELRP (Extreme Loop Recovery Protocol). Despite the name, this mechanism just detects loops. In the logs we can see: ok... off the LAN rtr, port 2; then on port 2 we see what's hanging off it... ok, loop off port 5 of that switch... and work your way down the room.
We do not have STP on our network (don't ask) and yes, logging is not set to standards either... What is the best way to detect loops? Commonly these loops come from classrooms that have mini-switches that are looped onto themselves, or a wall jack connected to a mini-switch and that mini-switch then connected to another wall drop going back to the same switch. Sometimes I disable all ports minus the WAN uplink on the LAN router, then enable ports one by one while having an LR hooked up to a user-facing RJ45 port on the 6500, and when the LR (link runner) shows 100% util, I know that port is now suspect.
Dec 6, 2012
What if I run OSPF in all of the routers in the network diagram? Does it cause loops? If so, how do I prevent it?
Jul 20, 2012
A friend of mine faced an interview; the question was: what if there is no STP feature in the switches over the network, and what would be the alternate method to avoid any sort of loops?
I guess we can think beyond, up to layer 3 devices, by using some split horizon commands?
Jun 19, 2012
I have a number of organisations that I work with who are currently all changing their ISP to a different one. The company who are supporting this are introducing a new router and firewall to the network and removing the old layer 3 switch. Firewalling and filtering was previously done off site but will now be handled by the ASA 5505. I personally do not have permission to configure the ASA (nor would I know how to). These places are set up with 2 IP ranges, so int 0 on the ASA is 10.0.0.1 and int 1 is 10.0.1.1. The Cisco ASA has been configured with the same settings on its required ports as the old layer 3 switch had, so nothing much has to change on the internal network. The problem is that the old layer 3 switch must have only been passing data through at layer 3, so basically not switching and not creating network loops. It seems that due to certain required network topologies, switch A is connected to switch B, which is connected to switch C, which is connected to the ASA, but switch A will also be plugged into one of the interfaces on the ASA (creating a loop). As I've said, this was not a problem with the layer 3 switch, but now the ASA must be switching at layer 2 (I guess...?) as well as routing to the internet (which is required for both ports, which are VLANs) and so is messing up the LAN with a switching loop.
Can the ASA 5505 be configured so as to allow access to the internet for both VLANs/IP ranges while also preventing switching loops from being created? It seems definite that this is being caused by the introduction of the 5505, as the old setup was exactly the same; it's just that the 2 cables have been plugged into the 5505. We do not have the option of using STP here as the rest of the switches on the network are unmanaged.
Sep 6, 2012
For the last few days I've been reading about Spanning Tree Protocol, an L2 protocol, and understood how it prevents loops in a network and the various steps in STP, but one thing I wanted to know is how STP actually detects the loops in the network so that it can prevent them. Somewhere I read that STP uses BPDUs as a probe and detects loops; I mean, how it happens is when a switch sends a BPDU with the Destination Address as multicast and receives the same BPDU again, it means there is a loop in the network. But is this how STP detects loops in the network?
Dec 14, 2011
Any opinion on what could cause loops on Nexus 5000 ports that are connected to ESX hosts?
Jan 20, 2012
I have a network where if an end user attaches a hub to the network, or rather one of those cheap unmanaged 8-port mini-switches, and then plugs the two ends of the same cable into two ports of that mini-switch, the whole network goes down. Loops are generated and many uplinks are shut down in err-disable state due to the loopback reason.
I know I could discourage the use of those mini-switches using port security. I even have NAC (Cisco) deployed on the network, but there are cases where those mini-switches are allowed by management. In those cases, it is not possible to know exactly which hosts (MAC addresses), or even how many of them, will attach to the network concurrently. As far as I know, they could even chain many mini-switches one to another. Of course, even when a single mini-switch is allowed on the network, it raises a security hole.
Is there a way to allow the use of those devices without the risk of network outages? Some STP protection method? The best would be to have the Cisco access switch become aware of the loop on its affected switchport (where the mini-switch is attached), immediately shutting down that port (to avoid loops on the network) and maybe sending an SNMP trap or a syslog message.
We are using Cisco Catalyst 2950 and 2960 for our access layer.
Nov 15, 2012
I used to have the problem where QuickVPN keeps on trying to verify the network because the RV042 cannot get the final ping to the client. I then bought an RV042 HW version 3 on the VPN side and I installed RV042s at the clients as well. This may look like overkill but believe me, it gives peace of mind; it made things a whole lot better, everybody happy. I am going to set up tunnels but for the time being the clients use QuickVPN. The above setup is all good if people access the VPN from the same source.
I now have a problem where one of our people is in Vietnam and she cannot access the VPN due to the "verifying network" loop. Looking at the log everything looks great; I compared a successful connect with an unsuccessful one and the logs are identical. The only difference is that the final ping is blocked (recorded in the QuickVPN log on the client side). The client uses W7 with the firewall on. No need to repeat suggestions such as turning printer sharing off, I have been through all that. Isn't this simply caused by the ISP in Vietnam blocking pings?
May 22, 2013
We have an environment where users create a lot of bridge loops. We have tried to send e-mails about it and educate the users, but it is almost a lost cause at this point. The loops are created when users don't pay attention and they plug a patch cable coming off of an access port into ANOTHER access port by mistake.
All of our access ports are on 3750 stacked switches. The way we tried to deal with this in the beginning was with BPDUGuard and ERRDisable (BPDUGuard) auto recovery. We turned BPDUGuard on globally and left BPDUGuard auto recovery at the default value (I believe it was 30 seconds). So a loop would be detected and after 30 seconds the switch would try to enable the port, and if the loop still existed, close the port for 30 more seconds. Then we started having problems with printers getting "fried". Their NICs would die out and the control board would need to be replaced. After a lot of troubleshooting and testing, it was determined that allowing the ports to come out of the ERRDisabled state would flood the network, and the packets would generate in the millions-per-second range and fry the NICs of these printers.
The fix for this and saving the printers was terrible. We removed ERRDisable auto recovery and just let the ports that are looped stay in an ERRDisabled state. We wait for the user to figure out the loop and try to use the port and then put in a work order. Then we physically visit the site and verify the port was shut (ERRDisabled) from a loop, and we bounce the port (shut/no shut) and everything is resolved. I did lab tests with a switch looped and a printer on the switch and watched it fry. We have had no printers fry after we removed the auto recovery protocol at every location. Only at the locations where loops existed and the auto recovery protocol was running were printers going bad. What I found during my lab tests was that each time the port was auto-recovered (yes, for that millisecond while it checks if a loop still exists), more packets were re-generated and eventually enough was re-broadcast that printers would go down. We never had a problem with computer NICs. I guess the cheaper printer NICs couldn't handle the broadcast storms created by this. I tried playing with the auto recovery timers and even the highest setting would eventually re-create these storms.
So my question is, what best practices are others using? Should we get rid of BPDUGuard and just try to let spanning-tree handle these bridge loops? Is there something else I can try? I'm not CCNA by any means, just trying to do what I can in my environment. Manually visiting sites when loops occur is becoming more and more my job, though, and I have plenty of other things to be doing.
Feb 22, 2012
Strange problem which I encountered today: I have a Cisco 2960 which is connected to a Netgear. The switch started showing itself in CDP and was running STP. I checked the cables physically today and noted 3 uplinks to the Netgear, all ports on the Cisco active and forwarding with green lights.
The Cisco was running STP; I changed it to R-PVST and the lights on the Cisco went crazy and I got the message "port flapping" on the switch, but the switch did not block any ports (all ports on the same VLAN).
Thereafter I changed it back to STP and the switch blocked the other uplinks apart from one.
Surely R-PVST is far superior to STP?
Mar 19, 2011
My mum is running Windows 7 Home Premium on her laptop, with AVG Free Anti-Virus. She uses Chrome, Firefox, and Safari. Cookies are enabled on all browsers. I'm running Ubuntu "Lucid Lynx" 10.04. I use Chromium and Firefox, occasionally Opera. Cookies are enabled on all browsers. I also have an iPad, which is running the latest software. Never had a problem with cookies before. My brothers use Facebook through Xbox. They can't log in either. My router settings are set to allow cookies, and according to my ISP, my internet is up and doing fine. Now, the issue... My mum noticed a login loop when she tried to get into Facebook. Every time she tried to log in, it would just redirect her to the login screen. I tried the same thing to no avail. I can't log in to some other sites as well, such as Photobucket. I can't upload to tinypic either. However, as you may have noticed, I can log in to forums just fine; however, it only keeps me logged in for one session, even if I ask it to remember me. My neighbours don't seem to be having this issue, except for the neighbour that shares our internet. She can't log in to Facebook either. I thought it might have something to do with our IP, so I tried using the Tor/Vidalia proxy assistant to log in to Photobucket from a different server/location. It worked. So, we can log in to various websites via proxy, but not from our home IP.
May 7, 2011
My roommate has just gotten a second-hand laptop and he's trying to connect it to the wireless network so that he can browse the internet from his room. However, although all the settings are correct, attempting to connect to the network loops. It comes up showing the wireless networks available; I select the network and click connect, it then asks for the encryption key. I enter the key and hit connect again, it comes up with the 'Connecting' pop-up and then loops back to the Available Networks screen again. There are no error messages, it just goes back to the starting screen and it hasn't connected. The laptop in question is a Lenovo T60 with an Intel PRO/Wireless 3945ABG card. The router is a TP-Link TD-W8960N.
May 12, 2013
I have a Cisco EA4500 wireless router. The only issue I have had with this router is when power gets disconnected or if I have a power outage, I have to go through some loops to get it to work again usually taking upwards of 45 minutes to fix.
Feb 3, 2012
Is 3DES on ISAKMP considered to be secured for your average site (other options are AES/DES)? I'd imagine AES should be much stronger but what about DES, is that considered adequate or broken? Is there any proof of concept attack against 3DES on ISAKMP (or ISAKMP in general)?
Dec 21, 2012
I have some VPN encryption method questions. Is it recommended to use different encryption algorithms for both VPN phases (phase 1 and phase 2)? I've read once that it is much more secure to use different encryption algorithms for each phase. In my opinion, I would go for the AES256 algorithm in both phases. But maybe it is a better idea to use AES128 or AES192 in the first phase and AES-256 in the second phase... I don't know. Having said this, I'm also wondering about the best VPN encryption setup for a site-to-site VPN (IKEv2) when using a Cisco ASA like the 5510, 5520 or the 5515. Which encryption method is recommended for phase 1 and phase 2? Which PFS / DH group should be used (considering CPU load and security)?
Nov 3, 2012
I have recently upgraded my company's network significantly, and in the process removed our Cisco edge routers and firewalls (gasp!) and replaced them with another vendor who gave a better price point for the router. However, I was only able to get ONE edge router, whereas before I had two, so I want to recycle one of my old 2921s as a cold standby (in case the brown sticky stuff hits the rotating air distribution blades and the $other-vendor router dies). Trouble is, the 2921 does not, I believe, have sufficient system resources to take the full routing table we're getting from our two ISPs. What I would like to ask is people's thoughts on the best method for me to configure the BGP setup on the 2921 to do the following:
- Accept the default route from each ISP and discard *everything* else in the route table
- Modify our advertisement (AS prepend) out the "secondary" ISP to reduce the priority of traffic coming in over this link.
- Configure the OUTBOUND priorities so that the "primary" link is used by preference for outgoing traffic (which will effectively shut down the secondary link for outbound traffic)
Oct 14, 2012
As we know, SNR (signal to noise ratio) is very important in communication, especially in wireless. So I am wondering: how is SNR measured (using a practical method)?
May 9, 2011
We currently have 4x ACS 4.1 (1) build 23, Windows based, and we are going to migrate to ACS 5.2 appliance 11211. The first pair we are using simply for local authentication for multiple-vendor firewalls and routers, with one custom RADIUS vendor-specific attribute, with now she exec. The second pair we are using for wireless client authentication through AD, with dynamic mapping.
In order to migrate, what would be the most suitable migration: whether to use the Migration utility or export those ACS objects and import them into the new ACS 5.2?
Apr 25, 2012
We have a scheduled office move where we are consolidating 2 remote offices into one. I've been asked to spec out the correct size UPS to support all of the network equipment for this new office. I went to the Cisco website and I see on the datasheet for the switches and router where they talk about the wattages and BTUs, but how can I go about deciphering from that information what my total wattage and BTU will be for each switch and router? What numbers should I be looking at? For instance, we have 3 3750 48-port PoE switches. So if I look at the datasheet for that switch they have 4 different columns: one for 100% throughput power consumption, one for 5% throughput, another one for 100% throughput with max PoE load and one for 5% throughput with 50% PoE load. Is there a common method for determining UPS requirements? For the switches I'm pretty sure I need to assume max PoE load in the event every port has a phone plugged into it.
Apr 13, 2013
I am having some issues with my internet connection. release and renew method and using Google's DNS server.
Aug 6, 2012
Is there any method to control access to the different WLANs (PEAP) on the same ACS 5.2 and WLC? That is, there are two AD groups: one has access to the domain network only, the other group has access to the internet only, and maybe a third group that has access to both networks. Currently if I add a new authorization policy the user will have access to both networks.
Jul 7, 2011
Any instructions to configure an ASA to allow authentication by certificate only on an AnyConnect VPN? I'm running an ASA 5505 with 8.4(1) and AnyConnect 2.4.7030 on an Android phone. I currently have the AnyConnect client connecting OK using username / password for authentication.
I have loaded the company root certificate (internally generated) into the ASA "CA Certificates" and generated an Identity Certificate for the ASA.
Feb 21, 2011
What is the easiest method of permitting a local and a remote PC to access the same database? They both have internet access.
Jul 15, 2011
I've got a weird problem that I can't figure out. I've de-authorized the switch in the RADIUS server to force an ERROR status to test the backup entries in the AAA authentication method list. However, after I do that and try to log in (through ssh), it just prompts me for my username's password and not the enable password. Here's the debug output:
1d02h: RADIUS: Marking server xxx.xxx.xxx.xxx:1812,1813 dead
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No valid server found. Trying any viable server
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No response for id 10
[code]...
Nov 6, 2012
I have successfully been able to set up Cisco AnyConnect VPN on an ASA 5520 with 8.4 code. I have set it to authenticate against the RADIUS server (Microsoft Windows 2008 NPS server). I have noticed one thing on the server, under "Constraints and Authentication Method": I picked MS-CHAP-v2, but it is considered one of the less secure authentication methods. I can click on Add and choose other authentication methods like Smart Card or other Certificate, PEAP, EAP-MSCHAP v2. I picked PEAP but then the VPN does not work.
So first of all, does it really matter if I just leave it at MS-CHAP-v2? Because my understanding is that AnyConnect will authenticate to the ASA and then the ASA in the backend talks to the RADIUS server, so from a security standpoint shouldn't this scenario be sufficient, as no unencrypted or less secure information is available to the outside world? Secondly, is there any documentation on using PEAP with Cisco AnyConnect?
Mar 29, 2011
I need to move our (secondary instance, version 5-2) ACS server to a different server rack and I have not been able to find a gentle way to shut down the appliance (not the windows version). Does one exist or is it just the power button/cord?
Jun 3, 2013
We have WCS and several WLCs (WiSM v1, 5508, 4402) all running the 7.0.240.0 code. The "Guest" SSID is "garden-walled" from the corp LANs. We used to have a web-auth page that required ID / PW. This became unreasonable as the IT Dept was getting requests at all hours for immediate access from guests / resident family members. So we changed the web-auth to remove the ID / PW and just display corp policy; you have to hit a "continue" button to gain access to the Guest SSID. Healthcare staff on the floor are not tech-savvy enough to want to use or perform Hotel Ambassador functions. The issue now is that we have employees with smartphones, tablets and even personal laptops connecting to the Guest SSID. Sr. Mgt wants to find a way to stop the abuse. I do not believe there is any perfect solution to prevent employees from gaining access, but I have been asked to find a manageable method to deter most employees from connecting to the Guest network. I looked at setting up MAC filtering in WCS; it seems that you have to enter MACs that you *allow* on to the network, and by default other MACs are blocked. I would rather have the template block the MACs listed in the CSV file and allow access as the default. We have several SSIDs. Our corporate SSID uses 802.1x and we use Microsoft Server 2012 Network Policy Server (RADIUS) to pass user ID / PW to our AD for authentication. We do not have Cisco ACS. I am not sure if integrating RADIUS is the answer here either. I have had some WebEx sessions on ISE, NCS, and Prime Infrastructure. We are only interested at the moment in monitoring / controlling access to Guest. I have been told that ISE will have "sponsorship" functionality added in soon, where the user fills out info and an ID / PW is sent via text or email to a cell phone or other device.
Jun 19, 2012
We have a Cisco wireless network throughout the whole 8-floor building on a Cisco WLC 4402 and Cisco LAP-1242 APs. There are no coverage holes, but sometimes clients are flapping between two access points on different floors with serious loss in throughput. Is there any method to limit roaming between different floors in the building?
Dec 26, 2011
How can I connect two switches (4505) using the trunking method?…
Feb 7, 2012
I'm facing an issue with VACL. I have a LAN with 10.40.X.X/16. In this network I have a Production VLAN 10 with 10.40.10.X/24 and I have created one VLAN 103 for Guest users as 10.40.103.X/24.
My goal is to restrict VLAN 103 from reaching or accessing VLAN 10, or rather, to restrict Guest user access to the production VLAN. So I tried to put in this script with the VACL method, but it doesn't work.
Extended IP access list Restriction-Guest
10 permit ip 10.40.103.0 0.0.0.255 any
vlan access-map Guest 10
action drop match ip address Restriction-Guest
vlan filter Guest vlan-list 10
After that I am still able to ping or access VLAN 10 from VLAN 103.
Dec 21, 2011
How can we upgrade a 6500 non-modular IOS to the normal 6500 IOS?
Jul 10, 2012
Any method to renumber a FEX without causing service disruption?
1) Preprovisioning the new FEX number
2) Mirror the config
3) Change the FEX association on the FEX downlink ports on the 5548
But I'm certain this will cause a disruption to the connected host ports which are in production on the FEX?
Aug 8, 2012
I'm configuring an AP in HREAP mode. The objective for me is to have a "plug & play" installation method for HREAP. On the HREAP AP I configure the Native VLAN set to 1, and the WLAN-to-VLAN mapping for the current WLAN is set to 1 too. The WLC version is 7.0.230.0 and the AP version is 12.4(23c)JA4.
On my Cisco switch (WS-C3560-24PS with 12.2(55)SE1), the port configuration is as below:
switchport trunk encapsulation dot1q
switchport trunk native vlan 45
switchport trunk allowed vlan 45,74
switchport mode trunk
no logging event link-status
no logging event power-inline-status
no snmp trap link-status
spanning-tree portfast trunk
spanning-tree bpduguard enable
The AP receives a DHCP IP in VLAN 45 and users are connected in VLAN 45 too. I would like to understand why the AP is working properly, because normally VLAN 1 is not configured as an allowed VLAN on my switch, and the native VLAN is dedicated only to untagged Ethernet packets.