Cisco Switching/Routing :: 2950 - Bridging Loops / STP Protection
Jan 20, 2012
I have a network where if an end user attaches an hub to the network, or rather one of those cheap unmanaged 8-port mini-switches and then plugs the two ends of the same cable into two ports of that mini-switch, all the network goes down. Loops are generated and many uplinks are shut down in err-disable state due to the loopback reason.
I know I could discourage the use of those mini-switches using port security. I even have NAC (cisco) deployed on the network, but there are cases where that mini-switches are allowed by the managment.In those cases, is not possible to exactly know wich hosts (mac addresses), and even how many of them will attach the network concurrently.As I know, they could even chain many mini-switch one to another. Of course, when even a single mini-switch is allowed on the network, it raises as a security hole.
Is there a way to allow the use of those devices without the risk of network outages? Some STP protection method? The best would be to have the Cisco access switch to get aware of the loop on its affected switchport (where the mini-switch is attached), immediately shutting down that port (to avoid loops on the network) and maybe sending an SNMP trap or a syslog message.
We are using Cisco Catalyst 2950 and 2960 for our access layer.
View 5 Replies
ADVERTISEMENT
Dec 14, 2011
Any opinion on what could cause loops on nexus 5000 ports that are connected to esx hosts ?
View 3 Replies
View Related
May 22, 2013
We have an environment where users create a lot of bridge loops. We have tried to send E-mails about it and educate the users but it is almost a lost cause at this point. The loops are created when users don’t pay attention and they plug a patch cable coming off of an access port up to ANOTHER access port by mistake.
All of our access ports are from 3750 stacked switches. The way we tried to deal with this in the beginning was with BPDUGuard and ERRDiable (BPDUGuard) auto recovery. We turned BPDUGuard on globally and left BPDUGuard auto recovery at the default value (I believe it was 30 seconds). so a loop would be detected and after 30 seconds, the switch would try to enable the port and if the loop still existed, close the port for 30 more seconds. Then we started having problems with printers getting "fried". Their NICs would die out and the control board would need to be replaced. After a lot of troubleshooting and testing, it was determined that allowing the ports to come out of ERRDisabled state would flood the network and the packets would generate in the millions per second range and fry the NIC of these printer.
The fix for this and saving the printers was terrible. We removed ERRDisable auto recovery and just let the ports that are looped stay in an ERRRDisabled state. We wait for the user to figure out the loop and try to use the port and then put in a work order. Then we physically visit the site and verify the port was shut (ERRDisabled) from a loop and we bounce the port (shut/no shut) and everything is resolved. I did lab tests with a switch looped and a printer on the switch and watched it fry. We have had no printers fry after we removed the auto recovery protocol at every location. Only the locations where loops existed and auto recovery protocol running were printers going bad. What I found during my lab tests was that each time the port was auto-recovered (yes, for that millisecond while it checks if a loop still exists), more packets were re-generated and eventually enough was re-broadcastthat printers would go down. We never had a problem with computer NICs. I guess the cheaper printer NICs couldn’t handle the broadcast storms created by this. I tried playing with the auto recovery timers and even the highest setting would eventually re-create these storms.
So my question is what best practices are others using? Should we get rid of BPDUGuard and just try to let spanning-tree handle these bridge loops? Is there something else I can try? I’m not CCNA by any means, just trying to do what I can in my environment. Manually visiting sites when loops occur is becoming more and more my job, though and I have plenty of other things to be doing.
View 9 Replies
View Related
Feb 22, 2012
Stange problem which I encountered today, I have a Cisco 2960 which is connected to a netgear. The switch started showing itself in CDP and was running STP. I checked the cables physically today and noted 3 uplinks to the netgear, all port on the Cisco active and forwarding and green lights.
The Cisco was running STP, I changed it to R-PVST and the lights on the Cisco went crazy and I got the message port flapping on the switch but the switch did not block any ports (all ports on same vlan).
There after I changed it back to stp and the switch blocked the other up links apart from one.
Sure R-PVST is far superior than STP?
View 5 Replies
View Related
Jul 24, 2011
It is understood that sub-50 ms ERPS convergence can be achieved with certain HW/SW combinations.
1) What are the platforms supported (and with what FW/SW) has this been tested ?any results that can be shared?
2) Link failure detection in GigE on Copper is slower compared to GigE over "pure" Fibre; so no sub-50ms would be possible with Copper ring ports.is sub-50ms convergence achievable with "combo SFP ports" ?
View 1 Replies
View Related
Feb 19, 2012
we recently had on our network a simple layer 2 loop problem, with big effects.Here is the situation: we have a C3750 switch, with STP activate on all ports.We don't have total control on this switchs, and for some reasons, it is possible that people connect a 2d switch on it (Cisco or non-Cisco).What happened several times is a classic case: a person interconnect 2 ports of this 2d switch, creating a loop. As the loop is created on the 2d switch only, the 1st switch detect no loop, the the uplink port keeps up.Afer this loop created, a broadcast storm occurs through the link between 1st & 2d switch .. and the storm propgates all over the LAN.I try to find some solutions to avoid that. One thing I would like to do is to find a mecanism on the first switch, which can permit to block the uplink port on the 1st switch if it sees the same MAC address as source in the 2 directions.Note that storm control, even configured to a quite low value (ie: 2Mbps) is not efficient enough to protect equipment (we have had big CPU impact on LAN equipments).
View 3 Replies
View Related
Apr 17, 2012
Do Cisco Catalyst (IOS) and specially Cisco SG300/500 support a similar feature to HP's Loop Protection or DLINK's Loopback Detection? This is an interesting feature to avoid loops caused by unmanaged switches.
View 6 Replies
View Related
Feb 20, 2013
I am trying to have F4 (the WAN interface) bridged to a VLAN interface. I have put my VLAN interface and my F4 in the same bridge-group, set an IP in the BVI Interface, and made sure that VLAN was properly trunked and configured on one of the router's switch ports
In other words, I need F4 to be treated as a switchport in access mode on my VLAN 10.
(...)
bridge irb
(...)
interface FastEthernet0
description trunk
switchport trunk native vlan 10
[Code].....
A ping in my vl10 VRF to 10.0.0.1 does not work. ARP does not resolve.
View 1 Replies
View Related
Apr 24, 2013
I am trying to bridge the traffic(including different vlan traffic) from rtrA to rtrB using "bridge-group" functionality.I achived the same using a 7200 using the below configuration. [code] When I tried the same using 7600 router ping failed between rtrA and rtrB. Then from the documents it seems "bridge irb" is not supported in 7600.Is there any other way we can achieve the same fuctionality ( eg: using switchport also fine) ?
View 3 Replies
View Related
Mar 25, 2013
I have following requirements to implement on cisco asr1001 router.
1.G0/0/0 and G0/0/1 interfaces are connected to a swith through trunk. Multiple customers are will be using this trunk interface . Each customer will have subinterface with dot1q tag.
2 I want both sides of the ASR1001 to be in same segment .
3 If above two is possible I would like to implement shaping on each customers sub-interface level
is above implementation is possible on asr1001. configration and ios information. I found a technology called EVC . but I am not sure is that the one suited for me.
network diagram is attached seperately.
View 3 Replies
View Related
Aug 6, 2012
I have 2 networks.
NETWORK 1:EOC connection fro ISP going into a router (not the RV042) with a static WAN address from ISP. This router is hooked up to a switch that all the computers are connected to. All the computers on this network are using 192.168.1.x addresses. Most of these addresses are static, but the router is running DHCP in case we hook up temporary computers like laptops or client machines to this network.
NETWORK 2:DSL connection going into a router (not the RV042) with a static block of IPs from ISP. (8 IPs, 5 usable for the WAN interface, 1 static IP is being used for WAN interface). This router has a VPN connection set up for remote access to the linux machines on this network. This router is running DHCP on the LAN interface for this network with addresses 172.16.1.x. All the computers on this network are tied together with another switch, completely seperate from the 192.168.1.x network switch.
PROBLEM:We needed computers on the 192 network to be able to access computers on the 172 network. Someone decided to just run a cat 5 cable from the 192 switch to the 172 switch (not the routers, the switches). This "worked" - badly. Appearently there is a DHCP conflict (or something else going on) that was causing the router on the 172 network to try and assign addresses to the 192 network computers, and it was also "resetting" a connection about once an hour. This crashed our server on the 192 network. I disconnected that cat 5 cable between the two siwtches, and now each of the two networks are working properly, but they are now completely isolated from one another.
I need to create a bridge between the 2 networks so that machines on the 192 network can access machines on the 172 network while filtering out DHCP broadcasts from either network router to the other network. (I may need to filter out other protocols as well, but don't know yet.)So, I see 3 potential ways of doing this but don't know if they will work:
1) Can I just set up multiple subnets on the LAN interface of the RV042 and just run 2 cat5 cables from each switch on the two networks to the LAN ports of the RV042?
1a) If I do set up multiple subnets on the LAN interface of the RV042, do I need to assign the two ports to different VLANs? (I don't see any way to set each port to a specific IP address.)
2) Can I set up the 2 WAN ports on the RV042, one static for each network, and will the RV042 route traffic from 1 WAN port to the second WAN port?
3) Is there some other way I should consider setting this up?
Finally, someone mentioned that once I get the RV042 set up correctly as a bridge, I will need to route 172 addresses on the 192 network to the 192 interface of the RV042 via the DHCP router on the 192 network, and conversely, I will need to route 192 addresses on the 172 network from the DHCP router to the 172 IP interface of the RV042. I think this will be easy enough to set up in each of the DHCP routers...
View 3 Replies
View Related
Jan 19, 2012
I currently have a 2811 and a LAN setup via a sub-interface FA0/1.3 and using a HWIC-AP I have a sub-interface dot11radio 0/1.5. I have them setup to work and surf the inet great, but I have recently been overly annoyed with the fact that the wifi cannot access windows shares on desktops and visa versa with the laptops.
The trick to make this happen is currently they are not on the same subnet. I know the answer is bridging the interfaces but when I do this using the simple commands:
bridge 1 protocol ieee
interface x & y
bridge-group 1
Although what should be simple has failed (good thing I tftp'd my working config). Here is my current configuration.
interface FastEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.3.1 255.255.255.0
[Code].....
View 3 Replies
View Related
Jan 30, 2012
Cisco 3725
IOS: (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T9
Wireless Module NME
Brief current running config below:
interface FastEthernet0/0
description WAN LINK
bandwidth 8192
[Code].....
View 2 Replies
View Related
Aug 13, 2012
I need to bridge 2 subinterfaces; F0/0.301 and F0/0.302 on a single router.The router interfaces with a Cisco 2960 (LAYER-2) switch.QUESTION is, does a Cisco router support bridging on subinterfaces on the same physical interface?Currently this is NOT operational Spaiing-tree on F0/0.301 and F0/0.302 is down, switch side is forwarding for both Vlans.show ip interface brief shows up/down status of F0/0.301, F0/0.301 and BVI6 is down/down?
:
SETUP:
bridge irb
!
!
Interface F0/0
no ip address
[code]....
View 1 Replies
View Related
Jan 23, 2013
I have faced a problem with configuring Cisco 3750G series switches as Sever farm switches with redudance.
servers have 2NIC (1GBps) and both are bridged for redundant connections.In both switches all ports get green coluor except one port on Secondary SW. I saw some Spanning tree block port status on that switch.when i type Show cdp neghbor command on switch i can see other switch through a server connected port. Also Spannig tree root bridge election is occured through that port . Simply i need to configure both switches to pass traffic through there uplinks them selves.. but it seems like Secondry switch pass its traffic through primary switch ( i think according to STP ) usinginterconnection of bridge port of a server. [code]
View 1 Replies
View Related
Jan 1, 2013
I have a Cisco 2801 with a 4 port Layer2 switch card installed (HWIC-4ESW).
How do I bridge Ethernet0/1 to the 4ESW so if you were to plug a computer into the 4ESW, it would be on the same network as Eth0/1? see my config below:
interface FastEthernet0/1
description Internal Interface
ip address 10.1.2.1 255.255.0.0
[Code].....
View 2 Replies
View Related
Aug 27, 2007
We have a customer that is relocating thier headquarters. They have a temporary requirement to bridge multiple vlans or a router T3 link to the new location as they cannot change the IP subnets. Setup is 3560 switch connecting to a 3845 then T3 to remote 3845 and 3560. I need to bridge multiple VLANs. I have seen a good example on how to do it over sonet but I don't see how to translate that to an HDLC or Frame Relay encapsulation for the T3 Link.
View 5 Replies
View Related
Feb 11, 2012
Is there a way to get more messages out of a 2950 set to syslog? I've turned every logging option I can find to DEBUG, but all I get in my syslog are LinkUp/Down messages and "Configured from console by console". I'd love to see more information such as configuration changes, or even someone attempting to set up DTP on a switchport set to access mode.
View 2 Replies
View Related
Jun 22, 2012
One of my wi-fi site having 2nos cisco 2950 switchs. in that network some D-link unmanageble swithes also there and access points also connected to cisco switchs and D-link switchs.after one or two days i am not able to connect the wi-fi, then i need to restart the access point then only wi-fi is working fine.I upgraded the latest ios also.I connected some access points to the cisco switch ports, those ports are showing crc error messages like below. [code]
View 18 Replies
View Related
Apr 25, 2013
I have a server windows 2008 that I would like to have a nic teaming configuration, the server has two nics, each nic is connected to a different switch. One is connected to cisco 2960 and the other is connected to cisco 2950. I have read here in forums about nic teaming but using the same switch. I have not found using different switch. Is this possible?
View 1 Replies
View Related
Jan 11, 2012
2950 switch has a IOS on flash , but i would like to set the swith like...
1. switch IOS to be loaded from TFTP server .if it fails
2. Loaded from local flash IOS1 , if it fails
3. IOS loaded from local flash IOS2.
does 2950 switch support this feature.
View 2 Replies
View Related
Jun 11, 2012
I have a problem with an etherchannel between a cisco 2950 and a couple of catalyst 4506. The cisco 2950 is connect via an etherchannel to the catalyst 4506A. The channel consist of two port on both side and is in trunk mode, encapsulation dot1q.Now i have the necessity to connect the 2950 to the other catalyst, 4506B. So, i copy the same configuration on the 4506B, but when I unplug the two rj45 cables from the catalyst 4506A to plug them in the 4506B the etherchannel doesn't go up in any way.
View 8 Replies
View Related
Dec 14, 2011
I have a cisco catalyst 2950 switch (flash:c2950-i6q4l2-mz.121-22.EA1b.bin), in remote location with public IP,how to upgrade ios remotely, by that time running configuration will go?how much down time is required and ?
View 7 Replies
View Related
Jun 12, 2012
I have 10 2950 switches on my network that support only 64 vlans on each one. I actualy have requrement to cleate around 100 vlans acros them, can I switch off vtp and create required vlans manualy? I will have more or less following set up:
router
|
2950 - vlan 1,2,3,4,5,6,7,8,9,10
[Code].....
View 12 Replies
View Related
Dec 9, 2011
c2950-i6q4l2-mz.121-22.EA10a.bin is the image name of the 2950 switch i have in my office. what is the meaning of " i6q4l2 "? I saw some IOS like IP base, adv-security. but i didn't see anything like this before.
View 2 Replies
View Related
Jul 15, 2012
What are the security issues in connecting a notebook to a console of the 2950 switch? Can virus or Trojan enter into a switch during configuration session? If the answer is yes, what precautions must I take to prevent such case?
View 2 Replies
View Related
Oct 26, 2009
i am having 2950 switch. Now i login through telnet but as per the company standard i have to login through ssh. Is there any possible to enable the SSH in 2950. Any IOS supporting this operation.
flash:/c2950-i6q4l2-mz.121-19.EA1c.bin
View 8 Replies
View Related
Feb 8, 2013
After setting up the domain name I try to use the crypto key and it is no where to be located. Below is some of the information I copied from TeraTerm
Switch-1(config)#ip domain-name justin.lab.comSwitch-1(config)#crySwitch-1(config)#cry?% Unrecognized commandSwitch-1(config)#crypto key ?% Unrecognized commandSwitch-1(config)#crypto key ^% Invalid input detected at '^' marker.
Switch-1(config)#?Configure commands: aaa
View 6 Replies
View Related
Jun 10, 2012
I configured rate limit on cisco 2960 switch sexuss fully, but i could not configure in cisco 2950 (verson 12.1 (22).To confiure the same on 2950
View 4 Replies
View Related
Dec 9, 2011
I am experiencing high cpu utilization in my 29501 switch. see the copied sh process cpu output.
CPU utilization for five seconds: 99%/95%; one minute: 89%; five minutes: 37%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 0 2 0 0.00% 0.00% 0.00% 0 Chunk Manager
[Code].....
View 4 Replies
View Related
Apr 18, 2012
I am trying to test the gigabit ports on a Cisco 2950 switch. 1000Base-SX. I have the internet or dhcp server connected to port 24 on the first switch and my pc hooked up to the (any) port on the second switch. Both switchs are connected with a fiberoptic cable with MTRJ connectors on either side.
Now when I use gi0/2 on both switchs all works fine. I get a dhcp address from the router on the other end of the first switch. but when ever I include gi0/1 on either end of the fiber optic cable neither of the ports will initialize (neither of the leds above the ports light up). I have deleted all the config files before booting up the switchs so they should have a default blank configuration.
When looking at the Http web page for the switch I dont see any issues with the port. what can I do to make sure these ports are working or can be configured?
I will not be able to post back any more information about the switch until next tuesday. Im off till then.
View 5 Replies
View Related
Apr 27, 2012
Stumped again with my Catalyst 2950. Everything is working perfectly with wan/dhcp/router on fa 0/1 with all ports assigned to vlan1. All devices plugged in connect to the router correctly with ip's being assigned via dhcp.Instead of hooking up by console port I want to be able to SSH or telnet in to the switch using any port while still maintaining the above functionallity. Is it possible to assign a dhcp assigned ip address to vlan 2 and have vlan1 and 2 bridged? Or is there a better way of doing this ?
View 3 Replies
View Related
Jul 4, 2012
spam up the boards with the same basic CCNA level stuff, but I have a couple of questions about ios differences, limitations, and references. I have the following three switches. One appears to be considerably dated in regard to software version. My confusion/ignorance stems from managing VTP settings.
2924XL 12.0 5 WC8
2950 12.1 22 EA6
2950 12.1 22 EA6
When I set either 2950 switch as the VTP server, and the other as a client, the client inherits the server settings as expected. However the 2924 requires that I go into the vlan database from priv exec and manually set vtp client. That's pretty similar to setting any switch to client mode. The problem I am observing is that after setting the 2924 to client, it still doesn't inherit vtp version settings or pruning settings. I still have to manually configure those. Additionally, if I copy run start the 2924 after making these manual settings, and then reload the switch, all the settings are lost and it defaults back to server mode with all features disabled. From my searches, it looks like vlan information is stored in vlan.dat, but all the documentation I've found is on 12.1 ios which doesn't appear to use vlan database for vtp setup, meaning it might still be an issue, but not one I'm focused on at the moment.
Is the vlan database dumped at reload? I've read vlan.dat is stored in nvram and should be saved after a copy run start, but that is not the case for me.I have since set the 2924 as the server, manually configured the server from vlan database, executed copy run start, and reloaded the switch. Oddly, my manual settings saved from the reload, meaning I only lose settings when the switch is in client mode.Am I missing additional necessary client commands to save the config, or is this just a limitation of either the 2924XL or the 12.0 ios?On a related but completed out of scope topic, without a cisco service contract, how am I supposed to make heads or tails of all the different versions of ios, along with the letter-based features and what-not? I can't even find my 2924 in the list of platforms when searching for ios upgrades.
View 5 Replies
View Related
