Cisco Switching/Routing :: 3560 / STP Loop Guard Blocking Vlans?
Mar 24, 2013
I have a strange issue where spanning-tree is blocking vlans through a mesh network.Here is my set up.
2-Cisco 3560's that have two trunk ports set with do1q and a native vlan of 2. I'm allowing a client vlan (2) and a voice vlan (103) to come over the trunk. They have a native vlan of 2 so the mesh APs can get an address through DHCP. Spanning-tree loop guard is also enabled.
When connected to the mesh network, the voice vlan is being blocked by spanning-tree. I get the following erros:
000129: *Feb 28 19:24:58.289 EST: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/1 on VLAN0103.000130: *Feb 28 19:24:58.448 EST: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/1 on VLAN0103.
Eventually the loop is cleared and the port is set back to a forwarding state from a blocking state. I don't want to disabled spanning-tree loopguard since I don't want to create a loop. The mesh network is supposed to act as a P2P connection between two switches. As a test I disconnected the APs from their trunk ports. I then used a cross over cable to connect the switches and no spanning tree loops occured. The mesh doesn't have STP enabled on it and should just be acting as an over-the-air connection from one switch to another.
View 1 Replies
ADVERTISEMENT
Feb 17, 2013
I have a Catalyst 3560-X PoE that suddenly stopped working. I plugged in via console and below is the output I received. It scrolls constantly and I am unable to enter ROMMON mode or stop it from scrolling. I've read of a possible problem with the IOS version but I'm unable to verify due to not being able to stop the scrolling.
Switch uptime is 4 minutes, 4 seconds
cisco WS-C3560X-24P (PowerPC405) processor (revision A0) with 262144K bytes of memory.
Processor board ID FDO1522R2AY
[Code].....
View 5 Replies
View Related
Nov 7, 2012
I have a couple of 3560 switches running c3560-advipservicesk9-mz.122-44 and they are randomly experiencing the following:
- The switch locks up with no preceding error message in the log (I am forwarding syslog to Splunk).
- Upon reboot, the switch goes through the normal startup sequence with no error messages, then for some reason reloads the flash and starts all over again. (refer to doc)
This could happen after days or weeks. Sometimes they will go through two of these reloads on boot and be fine for awhile, and other times they will be stuck in the loop infinitely. I am using this same image with all of our 3560s, but am only having this issue with two of them.
View 2 Replies
View Related
Apr 25, 2012
I have a connection between switches, There are a 3560 (Gi0/37) and a 2960 (Gi0/1), the problem is in the port Gi0/37 of the 3560 switch and this is the log. [code]
I dont understand what is the problem, actually i have added the command power inline never on the port and the problem is solved, but we haven´t changed configuration.
View 3 Replies
View Related
Jan 24, 2013
We have a 3560 switch running IOS universalk9-mz.150-1.SE3.bin.Recently, we saw two problems with this switch:-
1. if we try to enable subinterface on any routed interface , for eg. gig1/1, it says invalid input detected. It doesnt accept encapsulation command also. Following was done to enable subinterface:
int gig1/1
no ip address
int gig1/1.2000
ip address 1.1.1.1
under the gi1/1.2000 subinterface, it doesnt present the option of ip address.
2. we created a layer 2 vlan 2000 like: vlan 2000 When we do an exit after creating this vlan , it gives following error:-
%SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 2000: extended VLAN(s) not allowed in current VTP mode
View 6 Replies
View Related
Feb 23, 2012
I have configured vlans in 3560G switch but vlans notable to accessing Internet
View 6 Replies
View Related
Mar 31, 2013
I am not sure if what I am trying to accomplish is possible. On my internal network I have the following VLANs setup (102, 104, 106) and they map one to one to a subnet (ie: 102 = 192.168.102.0/23, 104 = 192.168.104.0/24, etc).All interVLAN routing is done on a 3560 via vlan SVI. Connected to the 3560 via a routed port is a ASA 5510. The routed port has IP 192.168.100.1 and the ASA interface on the other side of that routed port has IP 192.168.100.2. I use 802.1x on the wired network to assign users (based on their department) into a specific VLAN. I want to extend this concept to Remote VPN access. Therefore I setup multiple Group Policies (policy is applied based on an LDAP attribute) where each policy defines a different DHCP scope. This has successfully allowed me to login wtih different users who get assigned to different Group policies and they obtain the correct DHCP IP address from the internal DHCP server (ie: an engineering person logins remotely and gets an IP in 192.168.102.0 range). However the issue (and as I was planning this out I knew this would come up) is that traffic can be routed out from the VPN client to its destination but there is no return path.
View 3 Replies
View Related
Aug 27, 2007
We have a customer that is relocating thier headquarters. They have a temporary requirement to bridge multiple vlans or a router T3 link to the new location as they cannot change the IP subnets. Setup is 3560 switch connecting to a 3845 then T3 to remote 3845 and 3560. I need to bridge multiple VLANs. I have seen a good example on how to do it over sonet but I don't see how to translate that to an HDLC or Frame Relay encapsulation for the T3 Link.
View 5 Replies
View Related
May 22, 2013
We have an environment where users create a lot of bridge loops. We have tried to send E-mails about it and educate the users but it is almost a lost cause at this point. The loops are created when users don’t pay attention and they plug a patch cable coming off of an access port up to ANOTHER access port by mistake.
All of our access ports are from 3750 stacked switches. The way we tried to deal with this in the beginning was with BPDUGuard and ERRDiable (BPDUGuard) auto recovery. We turned BPDUGuard on globally and left BPDUGuard auto recovery at the default value (I believe it was 30 seconds). so a loop would be detected and after 30 seconds, the switch would try to enable the port and if the loop still existed, close the port for 30 more seconds. Then we started having problems with printers getting "fried". Their NICs would die out and the control board would need to be replaced. After a lot of troubleshooting and testing, it was determined that allowing the ports to come out of ERRDisabled state would flood the network and the packets would generate in the millions per second range and fry the NIC of these printer.
The fix for this and saving the printers was terrible. We removed ERRDisable auto recovery and just let the ports that are looped stay in an ERRRDisabled state. We wait for the user to figure out the loop and try to use the port and then put in a work order. Then we physically visit the site and verify the port was shut (ERRDisabled) from a loop and we bounce the port (shut/no shut) and everything is resolved. I did lab tests with a switch looped and a printer on the switch and watched it fry. We have had no printers fry after we removed the auto recovery protocol at every location. Only the locations where loops existed and auto recovery protocol running were printers going bad. What I found during my lab tests was that each time the port was auto-recovered (yes, for that millisecond while it checks if a loop still exists), more packets were re-generated and eventually enough was re-broadcastthat printers would go down. We never had a problem with computer NICs. I guess the cheaper printer NICs couldn’t handle the broadcast storms created by this. I tried playing with the auto recovery timers and even the highest setting would eventually re-create these storms.
So my question is what best practices are others using? Should we get rid of BPDUGuard and just try to let spanning-tree handle these bridge loops? Is there something else I can try? I’m not CCNA by any means, just trying to do what I can in my environment. Manually visiting sites when loops occur is becoming more and more my job, though and I have plenty of other things to be doing.
View 9 Replies
View Related
Jan 12, 2012
I have 2 3550 12G switches that I use as core fiber switches. Switch 1 is the primary for 1/2 the V LANs and Switch 2 is the primary for the others using MST with 2 instances (I am not including the default 0 instance). I am using HSRP to provide redundancy. So far so good.
Recently a tenant in my building would like to use their own switch for data but still needs access to a V LAN on mine for voice. Again not a problem as I can configure a trunk port and give them what they need. My concern is that if they try to configure STP on their switch can they take down mine. Are there some preventions that I can put into place, such as root guard, that work with MST? What happens if they too set up MST can they kill mine?
Switch 1 is the root for 1/2 the v lans and Switch 2 is the backup root. The scenario is flipped for the other 1/2.
View 3 Replies
View Related
Dec 15, 2012
in my LAN the all access layer switchs/stacks are connected directly to core backbone switch (cisco 6509) via sfp fiber-optic, i want to protect my spanning tree setup with the "root guard" command.
1. where would i set this ? on uplink ports on access layer switches ? or on core backbone ports to which the access layer swithes connect to?.
2. can this be set on active (production) ports without downtime?
View 5 Replies
View Related
Sep 29, 2012
I've just set up DHCP Snooping and IP Source Guard on our SG500 series switches. It seems to work quite well, except when a wireless host roams from one AP to another (on a different switch port), all traffic from that host gets blocked.
I can understand why this is occuring, but I don't know what I can do to work around this problem.had success with roaming WiFi machines in conjunction with IP Source Guard?
View 6 Replies
View Related
Sep 29, 2011
I have no router inplace that can do trunking (5505 basic license )I have 2 VLANS 10 Data 20 voice I have given both VALNs IPs lets say
-VLAN10 192.168.1.1
-VLAN20 192.168.2.1
Enabled IP routing and set the router as the gateway of last resort.Now becuase the L3 switchis doing the routing I have had to set the default gateway as the VLAN IPs. So PCs on VLAN10 get a gateway of 192.168.1.1 and phones on VLAN20 get a gateway of 192.168.2.1
Any real downside to having the 3560 doing the VLAN routing, is this the "correct "way to do things in the event I don't have a trunkable router?
View 8 Replies
View Related
Jun 6, 2013
I am trying to reproduce a Spanning-Tree loop in my lab that occurred on Ops, and for the life of me I cannot break it. The loop is very simple:
Cisco 2960------------FW that doesn't forward STP traffic-----------Cisco 2960
This created an STP loop. In my lab, I am substituting the FW for another Cisco 2960 with STP disabled and BPDUFilter on ingress/egress ports to stop the switch from sending BPDU's to the downstream switch to keep it in the dark, as the FW did on Ops.
View 1 Replies
View Related
Nov 24, 2012
We have a couple of cisco SGE switches connected to a single DELL, between the cisco switches we have a trunk interface. I'm not sure which setting should be configured on the switches to get it working because a loop is occuring.
View 1 Replies
View Related
Apr 14, 2007
We recently wanted to swap our existing WS-SUP720-base with a WS-SUP720-3B in a 6513 chassis.Had the existing configuration config saved in a txt file and replaced the supervisor. Booting went fine and we pasted in the original config. There was one failure message about unnsupported command but didnt take further notice."boot system flash sup-bootflash:" was probaly the line that the 720-3B didnt support.After wr mem and reload it went in continious loop and rebooting due to inncorrect boot device. Had to put back the old supervisor and have now the 720-3B in a 6504 chassis. Tried some commands in rommon, but are not getting any further.
View 8 Replies
View Related
Mar 1, 2012
I Like To Intentionally Create A Layer 2 Loop in My LabI have 2960 and 3750 switches and servers with multiple NIC's and also Some PC's and Hubs. Connections and Commands And Features Which Sould Be Disabled or Enabled)
View 4 Replies
View Related
Oct 25, 2011
I am having an issue with this device after setting the ip address and rebooting. I have tried renaming the config.text file without success. I have also tried the steps mentioned here: [URL]
View 1 Replies
View Related
Feb 19, 2012
we recently had on our network a simple layer 2 loop problem, with big effects.Here is the situation: we have a C3750 switch, with STP activate on all ports.We don't have total control on this switchs, and for some reasons, it is possible that people connect a 2d switch on it (Cisco or non-Cisco).What happened several times is a classic case: a person interconnect 2 ports of this 2d switch, creating a loop. As the loop is created on the 2d switch only, the 1st switch detect no loop, the the uplink port keeps up.Afer this loop created, a broadcast storm occurs through the link between 1st & 2d switch .. and the storm propgates all over the LAN.I try to find some solutions to avoid that. One thing I would like to do is to find a mecanism on the first switch, which can permit to block the uplink port on the 1st switch if it sees the same MAC address as source in the 2 directions.Note that storm control, even configured to a quite low value (ie: 2Mbps) is not efficient enough to protect equipment (we have had big CPU impact on LAN equipments).
View 3 Replies
View Related
Jan 18, 2012
I have an Extremely Old switch that I need to connect to my network. Because it is so old I don't want it to become the Root Switch.
what is the command to change the priority. (Honestly I don't remember if it has to be a lower number 1 or a higher number ). Always get that mixed up. I've read about root guard, but I would like to prevent it manually. (It is a small network after all)It is a Cisco 2950.
View 3 Replies
View Related
Apr 17, 2012
Do Cisco Catalyst (IOS) and specially Cisco SG300/500 support a similar feature to HP's Loop Protection or DLINK's Loopback Detection? This is an interesting feature to avoid loops caused by unmanaged switches.
View 6 Replies
View Related
Jun 7, 2012
I have a bunch of 3750x switches that each have a 10 gig routed link back to a central 4507 (loopback = 172.30.255.255).We carved up a /24 (of course, the /24 doesn't really exist except in our address tracking spreadsheet) into a bunch of /30's for routed WAN links and /32's for loopback addresses.We started on the low end for /30 subnets (ie 172.30.255.0/30, 172.30.255.4/30, etc.).We started at the high end for the /32 loopbacks (ie 172.30.255.255/32, 172.30.255.254/32, etc.)
Well, when I try pinging 172.30.255.255 from the access layer 3750x switches, the 3750x seems to be treating it as a broadcast ping where it lists each member that responds instead of the regular !!!!! response (this makes think something is odd with the 3750x). Of course, only one member responds (the core). But even the core seems to respond with the other end of the /30 instead of the actual /32 loopback (which makes me think something is odd in the core). I could have sworn that I've setup similar topologies without problems (ie, using 10.0.0.0/32, 10.255.255.255/32, etc as loopbacks) and as long as the mask is a /32, it should work.Also, I can ping/ssh to that loopback if my laptop is on a directly connected subnet. But I can't do it from any of the 3750x switches (which are also directly connected).I've double checked for overlapping subnets, but nope. I don't see any. Routing looks fine. The actual /32 is being propagated everywhere properly.
View 3 Replies
View Related
Jan 19, 2012
I have a 3925 Router with a 48 port switch module (part number SM-D-ES3G-48-P). I have no problem accessing the 3925 Router, but when I go into the 48 port, I get an error that reads
Error Hardware not supported by firmware. Try loading a newer software instead. System Resetting...
I know that the wrong IOS is installed on the switch, but the problem is that this is an endless loop. The switch resets then comes back to the same error. How to get the switch out of this loop so that I can load the correct IOS.
View 1 Replies
View Related
Aug 18, 2012
The following error was seen on the switch and the Diagnostic Test Loop back failed following a new WS-6748-SFP module installation.Fabric in slot 5 detected excessive flow-control on channel 3 (Module 4, fabric connection 1)
Tried Hard reset of the module and still the error persist.
View 4 Replies
View Related
May 9, 2012
i have recently tried to change the catos on a Catalyst 2948G-L3 and since then i have the following message in a loop :I know that the solution would be to download a new valid image from tftp via the rommon prompt but what i dont undertand is why i cant access the rommon prompt. It justs boots with the message above in a loop
View 0 Replies
View Related
Feb 5, 2013
We have a Cisco 3750G Core switch which has physical connections, each configured as trunks to two HP Access switches. The client who uses these access switches would like to put a link between the two, but this would create a loop.
------- Core Switch -------
| |
| |
[Code]....
View 12 Replies
View Related
May 15, 2013
I'm trying to configure an LACP channel trunk between a CatOS C6000 and a Dell PowerConnect.
I use mode active in both sides and it works great.
But, when I connect a Catalyst 3750X to the Dell PowerConnect the channel between C6000 and PWC shutdown:
2013 May 16 09:08:20 CEST +02:00 %SPANTREE-2-CHNMISCFG: STP loop - channel 5/19-20 is disabled in vlan/instance 20
2013 May 16 09:08:20 CEST +02:00 %SPANTREE-2-CHNMISCFG2: BPDU source mac addresses: 00-04-6d-43-a4-e2, 70-ca-9b-27-46-99
View 3 Replies
View Related
Apr 6, 2012
Here is my Lab Setup: 2691 is BGP nei to R4 router and they are not directly connected. 2691 and R4 are in same AS 6500. 2691 Config---router ospf 1 network 3.3.3.3 0.0.0.0 area 0 . Its advertising its loop back IP to OSPF domain.
router bgp 6500
no synchronization
bgp log-neighbor-changes
neighbor 6.6.6.6 remote-as 6500
neighbor 6.6.6.6 update-source Loopback3
[code]...
R4 Router
router ospf 11
log-adjacency-changes
network 6.6.6.6 0.0.0.0 area 0
[ code].....
We can see that 2691 and R4 are BGP neis and 2691 has 200.1.x.x routes in its route table. My question is why from 2691 router i am unable to ping any route learned by BGP from R4?
2691Router# ping 50.1.1.0 Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 50.1.1.0, timeout is 2 seconds:.....Success rate is 0 percent (0/5)2691Router#ping 200.1.2.0 [ code]...
View 12 Replies
View Related
Oct 26, 2012
we are bringing up new ckt and nexus 7000's interface isn't coming up once telco gave a loop. and wee following msg when I do "sh int eth1/1".
(UDLD Tx Rx loop, port: error)
what does "(UDLD Tx Rx loop, port: error)" it mean?before loop. interface was showing as "Link not Connected".
View 2 Replies
View Related
Sep 14, 2012
I am trying to configure a loop back interface like so: [URL], on the following device:
C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(50)SE, RELEASE SOFTWARE (fc1on port gig0/1 which is using a 1000Base-SX adapter. This is for troubleshooting purposes and it does not appear to be a feasible option. Is there another way to accomplish in the IOS?
View 1 Replies
View Related
Oct 22, 2011
Recently we got a cisco catalyst 4500 and six 2960 access switches. I need assistance on configure spanning-tree and faster convergence on my network to avoid loop.
[code]....
View 10 Replies
View Related
Dec 16, 2011
I'm building this network and I stumbled upon a problem that I don't understand. Here is how my config looks:
PC -----------vlan5-------Cisco 3560----trunk3-5----Cisco AP1420
Vmware guest
Configuration of 3560:
interface Vlan3
description ID-180, wifi1
ip address x.x.x.x 255.255.255.224
ip access-group 115 in
[code] .......
Configuration of WIFI AP:
interface FastEthernet0
no ip address
no ip route-cache
[code]....
PC and vm ware are plugged in port 5 and 6, wifi in port 7. There if no V LAN ID set on the PC, but there is V LAN ID set on the VM ware esx interface. If I try to ping WIFI from PC or esx, ping doesn't get through. If I plug WIFI to port 5 or 6, I get access it.
View 19 Replies
View Related
Dec 8, 2010
I have a 3560 switch 48 ports ios version 12.2( 35)SE5
I want to run two data vlans on the same port. Currently the port is in access mode and set to vlan30 I want to add vlan 40
I wanted to use multi mode, on this switch not an option but private-vlan is, ? what version of ios do I need to run the multi mode or can I do the same thing with private-vlan.
View 6 Replies
View Related
