I have 2 3560 switches that are running 12.2(25)SEE2. Port security is enabled on some of the ports. Whenever there is a power failure, when power is restored, 1 port on each switch goes to err-disabled. The mac address that causes this is a valid address for that port. Below is the configuration on one of the ports.
View 1 RepliesFor many years we've had the following vlan and port security config on our 3560s: [code] This has worked great on 12.2(37)SE1, 12.2(40)SE and 12.2(46)SE. However since 12.2(50)SE, and I've tried all the versions since then, we have a problem with 7900 phones and ATA186s taking upwards of 20 minutes before they can get a valid IP number.The problem on the newer IOSes seems to be related to the inactivity aging.On the older IOS versions the mac address of the voice device appears on the voice vlan straight away.
On the newer IOS versions the mac address of the voice device appears on the DATA vlan and seems to be stuck there until the inactivity aging removes it. It then gets re-learned, sometimes on the voice vlan, and sometimes on the data vlan. If you're unlucky and it gets re-learned on the data vlan you've got to wait until the inactivity time ages the address out again. Repeat until the mac address eventually gets learned on the voice vlan. I don't want to be stuck on 12.2(46)SE forever.
Problem is that at some C65K I have directly connected Unix servers and the don't show MAC address at port, and same has happened at 3560 switched where I have too Unix based equipments connected. When use show mac-address interface XXXX, nothis appears at port and tested them with other equipments that worked fine.
View 2 Replies View RelatedOur customer has a Cisco ME3600X with the IOS me 360x-universalK9-mz.122-52.EY3.They are saying that is not possible to configure the "switchport port-security mac-address sticky" in the interfaces and want to know whether any additional license is needed.As far as I know there isn't any extra license to activate this feature and also I believe the ME3600 switch should have this feature with the universal IOS, isn't that right?
View 1 Replies View RelatedI have 2 x 3560e-24td-s
2 x ASA5510
2 x 2821(no modules)
2 x 2901
I'm trying to figure out power draw in Amps for my new cabinet. I looked at the data sheet for the 2821 and it says 3A for the 110V under the row AC Input Current, Would that be accurate if I did that for all the models and then just added up the total?
I have an issue with a 3560 in my network, after sometimes it fails to give out power to some ip phones,while others are not affected and below is the message i get
"Power given, but Power Controller does not report Power Good"
output of sh power inline and sh env all : everything seems to be ok on the switch
#sh power inline
Available:450.0(w) Used:48.0(w) Remaining:402.0(w)
Interface Admin Oper Power Device Class Max
(Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Gi0/1 auto off 0.0 n/a n/a 15.4
Gi0/2 auto off 0.0 n/a n/a 15.4
Gi0/3 auto off 0.0 n/a n/a 15.4
[code].....
It's solved by a reboot of the switch, i could have suspected a power environnment issue but it's the only equipement disturbing in the network.
I have upgraded my C3560-PS-S switch to the latest IOS version 12(2)55-SE4 and it is not providing PoE anymore? It used to work before this upgrade? I searched Cisco bugtrack and there is bug defined for this IOS/Switch.
Switch(config-if)#do show power inline Available:370.0(w) Used:0.0(w) Remaining:370.0(w)
Interface Admin Oper Power Device Class Max
(Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Fa0/1 auto off 0.0 n/a n/a 15.4
Fa0/2 auto off 0.0 n/a n/a 15.4
Fa0/3 auto off 0.0 n/a n/a 15.4
Fa0/4 auto off 0.0 n/a n/a 15.4
Fa0/5 auto off 0.0 n/a n/a 15.4
Fa0/6 auto off 0.0 n/a n/a 15.4
Fa0/7 auto off 0.0 n/a n/a 15.4
Fa0/8 auto off 0.0 n/a n/a 15.4
Fa0/9 auto off 0.0 n/a n/a 15.4
Fa0/10 auto off 0.0 n/a n/a 15.4
Fa0/11 auto off 0.0 n/a n/a 15.4
Fa0/12 auto off 0.0 n/a n/a 15.4
Fa0/13 auto off 0.0 n/a n/a 15.4
Fa0/14 auto off 0.0 n/a n/a 15.4
Fa0/15 auto off 0.0 n/a n/a 15.4
Fa0/16 auto off 0.0 n/a n/a 15.4
Fa0/17 auto off 0.0 n/a n/a 15.4
Fa0/18 auto off 0.0 n/a n/a 15.4
Fa0/19 auto off 0.0 n/a n/a 15.4
Fa0/20 auto off 0.0 n/a n/a 15.4
Fa0/21 auto off 0.0 n/a n/a 15.4
Fa0/22 auto off 0.0 n/a n/a 15.4
Fa0/23 auto off 0.0 n/a n/a 15.4
Fa0/24 auto off 0.0 n/a n/a 15.4
I just recieved a new 3560-x switch with the C3KX-PWR-715WAC. It looks like Cisco is now using a different AC power cable. Not the StackPower connector, but the standard AC power cable. My data center is setup to supply 208v using C13 power cables. The switch uses a C15 power cable, and comes with a standard NEMA 5 to C13 power cable. Does Cisco make, or officially support a C13 to C15 power cable? Can I still use a 208v power supply with these switches?
I'm using an APC AP8861 power distribution unit, see [URL]
while the 3560 switch is running? Is it hot-pluggable?
WS-C3560X-48P is the switch and I would be adding a C3KX-PWR-1100WAC
I have an all gigE 3560. I don't use the management FE0 port on the back. I was thinking to use that for a 100Mbps WAN connection.
Seems to work just fine when I plugged in an test. But I am not routing across that link yet as I still need to setup the far end.
Is there any reason this would not work? I would like to not burn a gig port if the max throughput of the circuit is 100Mbps.
Does a portable RPS device either from Cisco or another manufacturer exists, that would allow you to move primary power for a switch without causing an outage? I realize that for the Catalyst 3560 for example, you can get an RPS 2300 or 675, but my understanding is that these are made for a more permanent installation, not to mention rather costly.
It looks like the RPS 675 is rather inexpensive after all, especially in the secondary market, but still rather large for toting around.
I've beating my head against the the above said problem for a quite a while. Our client has a very strict security policy and they require all standard protocol to comply with the expected behaviour. It was discovered that their 3750 switch running c3750-ipservicesk9-mz.122-25.SEE3 software and configured to sync its time with an external public NTP server triggers IPS signature - DNS Info leak. The problem is that the switch initiates the packet on UDP port 53 and not as I would expect on port 123 for NTP. Of course I can tune the IPS sensor and make it not to fire this signature but the client needs to know why it is happening and if it is faulty IOS software that doesn't comply to the rules.
View 2 Replies View RelatedEverytime the console port is plugged in, the alarm contacts (1-4) randomly assert (trigger) and then clear themselves in random orders. Nothing is plugged into the ALARM port and all Alarm setting are default. Below is the syslog message and Alarm Settings:
CGS2520-C#show env allSYSTEM TEMPERATURE is OKSystem Temperature Value: 45 Degree CelsiusPOWER SUPPLY 1A TEMPERATURE is OKPOWER SUPPLY 1B TEMPERATURE is DisabledPOWER SUPPLY 1A Temperature Value: 49 Degree
[Code]......
i'm using some catalysts 3560 with 10 VLANs and inter vlan routing. we use a windows deployment services server to install our workstations. the pxe boot works fine. the image is loading, and when the windows 7 PE is booting, the dhcp request failes. when i use a small not manageable switch between the computers and the catalysts, it works fine.all other things work fine.
View 9 Replies View RelatedWe have a server connected to a 3560 switch which in turn connects to 6500s. The gateway interface is on the 6500. We will be changing the 6500s so the mac address for the gateway will change, however the IP address will remain the same. As we change out the 6500s the uplink connections to the 3560 will go down. This will flush the old mac address from the 3560.When the 3560 removes a MAC address does it update servers so they have to relearn the correct MAC address?
View 4 Replies View RelatedWe have observed that one of the 3560 switch was rebooted with "System returned to ROM by address error at PC 0x0, address 0x0"
View 1 Replies View Relatedwe have a 3560 switch configured with EIGRP with dhcp. We have a user that we cannot ping, however the interface show up / up and no errors on interface. the ip address is 10.2.0.199 - however we have dhcp configured to exclude the range from dhcp ip dhcp excluded-address 10.22.0.1 10.22.0.200 how can this work station get a dhcp address if we have that ip range excluded from the dhcp pool?
The user is off a different switch that is a uplink to this distribution switch. Traceroutes shows that the problem is with the distribution switch.
I have Cisco 3560x layer 3, but there is one problem with MAC ACL. Here is sample scenario:
I have two V LANS 2 & 3. There is one device (D1) on V LAN 2 and three (D2,D3,D4) devices on V LAN 3. D1 can talk only to D2 and D3. D4 can talk only to D2 and D3. D1 and D4 cannot talk at all. I got the IP access list all set, but I was asked to get the MAC ACL on it. The problem is that as soon as packet is routed, its MAC addresses will change, correct? Is there way of preventing device with same IP but different MAC from talking to device it should not to, keeping in mind that the packet will be routed?
I'm trying to enable port security on several 4507R's. When I try to configure a range of ports the switch will randomly put 1 or 2 in err-disable. It's different every time I apply the config to the same group of ports. However if I do them one at a time it seems to work. But I really don't want to configure 6 fully populated switches one port at a time. We also have a lot of 3750's and they gave me no problem using a port range. [code]
View 4 Replies View RelatedI've set up my 3560 to do routing. Now, I'm looking for a way to apply acl restrictions to the vlan interface ip address itself.
View 1 Replies View RelatedI have some Ethernet-connected cameras that all have the same Ethernet MAC address FF:FF:FF:0A:0A:0A. They were originally designed to directly connect to a Windows PC, but they can also connect through a simple unmanaged switch.A Catalyst 3560 switch won't forward packets to or from anything with that MAC address, at least not by default. Is there a way to convince the switch to do so?
It was my hope to replace the dedicated connections we have for these cameras with a separate VLAN for each camera, and switch them through our existing switch network. Given that all of the cameras use the same MAC address, putting them on the same network is out of the question, but different VLANs, where the only two devices on each VLAN were the camera and the PC that uses it, would be fine.
The switches run IOS 12.2(55) SE through SE3. I learned the camera MAC address from the PC's ARP table while the camera software runs; it turns out the cameras don't have a full IP stack either and don't even do ICMP.
I have a 3560 8 port switch. Int gi0/9 is trunked to another switch downstream. When I try to configure int gi0/10 to trunk to a switch upstream the interface on the switch goes down and I have to either reboot the switch or plug directly into the switch and telnet into it to turn off trunking on the interface. When I configure trunking on the interface on the upstream switch that connects to this interface the same happens on that switch. The upstream switch is a 3750 with 12 sfp ports. Several interfaces are trunking to other switches from this switch. Spanning tree is not configured on the 3750 at all , and is not configured on either gi0/10 or gi0/9 on the 3560. I was consoled into the 3560 during a reboot after the interface went down, a message came up that said something like "Spanning Tree returning gigabit ethernet 10 to constant state" Why would I get this message if spanning tree is not enabled on the gig ports on either end of the trunk? There is no loop to require spanning tree to shut down an interface. I have several other 3560's configured as I would like to configure this switch and they are trunking without issue.
View 8 Replies View RelatedI've just installed 2 of these in my workplace on a PLC network.I'm now looking to set one of the ports up as my diagnostic port and would like to be able to mirror any of the other ports to this port.I believe it is called SPAN on Cisco switches.The only reference I can find to it is configuring via Telnet which I haven't got a clue about.On my old Wiedmuller switches it was just a few clicks away.
View 3 Replies View RelatedI have a 3560 switch with the following ports config [code] I would like to use theses ports on a different vlan to connect 4 pc's to them. Can I just remove them from the vlan, remove the trunk switchport and set up on the vlan i want them on with no trunking?
View 5 Replies View RelatedOur enviornment includes 3560 switches and 2800 routers. We have a few remote offices using an application on TCP port 1677 that use far to much bandwidth. Our WAN provider can throttle and police this for us, if I can TAG this traffic, for example all Traffic from Florida using the Groupwise app on TCP uses TCP port 1677 and I want it tagged with CoS 3.
View 1 Replies View RelatedWe have just purchased and installed a 4506-E chassis. It contains a supervisor, two POE blades and 3 non-poe blades. Version is 12.2(53)SG1. Anyhoo, one of the ports isn't providing power to an IP phone. We can plug the phone into any of the other POE ports and it works fine. Is there a way to test an idividual port for POE problems? What could the problem be? The port works for normal data but will not provide power.
View 12 Replies View RelatedI want to implement port-based and MAC-based in these two switches: 2960 & 3560 (both of them have this IOS version: 12.2(55)SE1). And I haven't found a way to implement both of them at the same time. This is what I got:
ip dhcp use subscriber-id client-id
ip dhcp subscriber-id interface-name
ip dhcp excluded-address 192.168.0.0 192.168.0.2
ip dhcp excluded-address 192.168.0.251 192.168.0.255
[code]....
With this configuration I can use port-based, but not MAC based. If I remove the first two lines and change the last line for this one:
address 192.168.0.7 client-id 0112.ae1d.af58.60
Then, the computer with that MAC address got the correct IP, but then the port-based doesn't work. Also, I got this line in the interface what I want to use MAC-based:
ip dhcp server use subscriber-id client-id
I am using 3560.IP rouitng is being turned off on this.Curious to know if I will create etherchannel or port channel.I think etherchannel.Correct me if I am wrong.On connecting switches I have vlan10,20,30 to be allowed.I am sure I need to allow these all vlan in 10,20,30 which are on the trunk port on each side switch.Post that will add channel-port lacp and make it in active mode.Is that correct.This way traffic will be load-balanced/aggregated on minimum 2 ports who are the part of this.
View 2 Replies View RelatedAssume I had Catalyst 3560X/3750X with 24 ports. The partnumber is WS-C3560X-24P-LI would like to how is the numbering defined if the switches have a C3KX-NM-10G installed with 4 SFP-GE-L.
View 1 Replies View RelatedWe have 7 3560's in 7 different locations connected to our providor for wan access. Our provider has given us a copper cable at each point and we have connected it directly to our 3560 switch at each location. Each port is configured the same way at each location. Each switch is running eigrp.All of the switch ports on each switch are configured as a trunk and vlan 299 had the ip address for the eigrp connection: [code] This setup is working as each switch see's all of the other switches as an eigrp neighbor. We have also made sure that the switch at our head office has spanning tree priority for vlan 299.
So the problem is, if there is a change in the topology at one of the locations it usually causes one or more of the other connections to go down for some reason. We just cannot pinpoint what is causing this change. There are no log's or anything other than an eigrp hold time expired message.?
I have a pair of 3560's configured with dot1q trunks between them carrying a number of VLANs.
Once deployed there will be a requirement for these physical trunks to be disconnected from time to time. Knowing that this is inevitable I am trying to minimise the period of time for the trunks to recover once the physical connectivity is reinstated.
All of the VLANs on the switches are configured for Spanning Tree Rapid PVST. Current time for the trunks/VLANs to come up is around the 4 second mark.
My actual Scenario
1 x 4500 and 1 x 3560?They are gateways of 8 Vlans?They are doing HSRP in each of those Vlans?The 4500 is the Active?There is a DHCP Pool for each of those Vlans on both gateways using "ip dhcp excluded-address" I ensured that the range of provided ips by each DHCP server will not be overlapped Obs.: Reducing the lease time, I ended with the calls bringing related problems.
OK, every thing is blue, every thing is fine.But the network diagram is realy complex(41 switchs, 89 uplinks), and depending of how is the network flow, one or other server answer first or latter.
For many reasons I would like that the secondary DHCP server would answer only if the primary DHCP server goes down.To me, the bigger reason is that DHCP database would be only in one DHCP server.But there is other reasons.
I passed by many frustrated solutions:Try to force a delay on the answer on one of the servers. - Impossible.Try to disable DHCP server, and, using EEM, enable it only if router became active in HSRP. - I couldn't do It.
What I'm thinking now is use the HSRP resource to resolve it.On both routers I would put a "ip helper-address" pointing to an Virtual_HSRP_IP.And depending on which router is the active, him will answer the request.
My first doubt is:Would it work?The second doubt is:Could I use the same Virtual_HSRP_IP that exists on that Vlan(see example 1),or I would need to point it to a Virtual_HSRP_IP in a different Vlan(see example 2)?
Example 1
-----------------------------------
| 4500 |
-----------------------------------
interface Vlan1
ip address 10.10.0.2 255.255.0.0
ip helper-address 10.10.0.1
standby 1 ip 10.10.0.1
[code]....
I am using 3560 switch senerio is that we have dhcp server on and I want that switch filter mac on whole switch ports not on a some port. Switch only give IP to the mac whcih is in mac table of switch/particular which we enter manually.I have read chapter 62 of port security but it doesnot fulfill my requirements.I am also using 3com 5500Ei switch in which we dont have to bind a mac on every port, we just enter a mac in the switch and it filter itself by using simple commands.DHCP server is not in our hands, we cant do any things there.
View 1 Replies View Related