Cisco Switching/Routing :: 3750 Switch NTP Time Synchronization Triggers IPS
Dec 20, 2011
I've been beating my head against the above-said problem for quite a while. Our client has a very strict security policy and they require all standard protocols to comply with the expected behaviour. It was discovered that their 3750 switch running c3750-ipservicesk9-mz.122-25.SEE3 software and configured to sync its time with an external public NTP server triggers the IPS signature "DNS Info leak". The problem is that the switch initiates the packet on UDP port 53 and not, as I would expect, on port 123 for NTP. Of course I can tune the IPS sensor and make it not fire this signature, but the client needs to know why it is happening and whether it is faulty IOS software that doesn't comply with the rules.
time.windows.com keeps showing an error code? The error code says: "An error occurred getting the status of the last synchronization." I have even put the info in manually and the same code appears.
I have a problem with the time synchronization via NTP between a Catalyst 2960 and a Catalyst 6509. When I configure the 6509 switch as an NTP reference on the 2960, it does not synchronize with the 6509's NTP server. There is no reachability or ACL-related issue between the two switches.
As soon as I configure a second Catalyst 6509 (which is completely identical to the other 6509 and in the same subnet) as an NTP server for the 2960, the time sync with the second 6509 happens immediately.
The first 6509 switch works as an NTP reference for at least 50 other switches and routers in the network, so why not for this one more switch? I checked some "debug ntp packet" and "debug ntp events" outputs and can clearly watch the NTP requests going out of the 2960, but on the 6509 just nothing happens: no debug outputs for this specific 2960, while requests from other devices come in all the time.
Maybe you have already experienced this strange behaviour in the past or have some deeper knowledge of the Cisco NTP server implementation. I could think of some sort of "maximum client limit" in the IOS NTP server, but could not find any mechanism like this in the standard NTP specification. Eventually, you can confirm that this is an IOS-specific issue.
Every time the console port is plugged in, the alarm contacts (1-4) randomly assert (trigger) and then clear themselves in random orders. Nothing is plugged into the ALARM port and all alarm settings are default. Below are the syslog message and alarm settings:
CGS2520-C#show env all
SYSTEM TEMPERATURE is OK
System Temperature Value: 45 Degree Celsius
POWER SUPPLY 1A TEMPERATURE is OK
POWER SUPPLY 1B TEMPERATURE is Disabled
POWER SUPPLY 1A Temperature Value: 49 Degree
I have 2 3560 switches that are running 12.2(25)SEE2. Port security is enabled on some of the ports. Whenever there is a power failure, when power is restored, 1 port on each switch goes to err-disabled. The mac address that causes this is a valid address for that port. Below is the configuration on one of the ports.
I have a Cisco Nexus datacenter solution with this design: every Nexus 5K is connected with every Nexus 2K with a port-channel and vPC.
What is the best way to keep the configurations of the Nexus switches synchronous? I have no DCNM (management tool).
My problem is if I configure for example a Nexus2K-host port on one Nexus 5K, the change has no effect. Only when I make the same change on the second N5K the port-config really changes.
I have an issue connecting a trunk between a Cisco switch and an Extreme switch. I have many VLANs that I want to cross via a link between a Cisco 3750 switch and an Extreme Alpine 3800 switch.
I have a simple question: in 6500 CatOS, we had the feature of image synchronization, which added the ability to download the image from the active supervisor to the standby via the internal TFTP of CatOS. Can this be done on IOS? I was looking for this over the Internet and couldn't find anything.
I have two 3750-X configured to be a stack and I am planning to re-rack these somewhere else. What I would like to know is what are the effects of having the master switch itself lose power? Does it immediately just make the member take over master (there should be no election since there are only 2 switches??) and there would be no loss of connectivity?
Some of my switches (3750s) are on the right time and some are not. I have them all pointed to the same DC for NTP and they all say they are synchronized. Is it possible to have the switches poll the DC for the right time and update?
I have been looking into this for a while and I can't seem to figure out why my 2nd vlan is not able to connect properly to the net.
My switch has 12 ports where my devices connect directly; they are all on VLAN 1 and they all work perfectly. On port 12 I have a D-Link router that is connected to a cable modem. The D-Link router has an IP address of 192.168.0.20.
I created a second VLAN (vlan2) and enabled DHCP relay on it. Then I assigned port 9 on the switch to vlan2. My laptop, which is connected to port 9, seems to get an IP address fine and is able to ping only some devices on my network (vlan1) and is not able to go out to the internet. I think it has to do with the routes.
I have the task of replicating the router config on a 3825 router on a 3750 switch. Reason is we are taking out the router and replacing it with the switch to make use of the router for other functions.
Below is the main part of the router config:
!
ip source-route
ip cef
!
!
multilink bundle-name authenticated
!
license udi pid CISCO3825 sn FCZxxxxxxx
!
vlan internal allocation policy ascending
The 3750 switch I have runs C3750E-UNIVERSALK9-M, Version 12.2(55)SE3 on a LAN BASE license.
The first thing I have done is to order a license upgrade to IP Base, which would give support for OSPF routing. I do not see much of an issue with the interface configs; however, I am not too sure about replicating the routing config on the switch.
My question is can I run the commands as shown for the OSPF routing on the switch? If not, can I get suggestions on how best to set this up on the switch?
I'm running into what seems a basic IP routing config problem with a Catalyst 3750 (IP Base) switch. I have several VLANs configured on the switch with IP routing enabled, and the switch is connected to the inside interface of a new ASA 5520 as follows:
ASA5520 IP (default gateway): 192.168.1.1
Switchport Gi1/0/1 is configured as a routed port, IP address 192.168.1.3 255.255.255.0
Example VLAN is VLAN 100, IP address 192.168.100.1 255.255.252.0
From the switch CLI, I can ping all VLAN addresses, as well as the ASA5520, and the client laptop I'm testing with from VLAN 100.
From the client laptop on VLAN 100, I can ping all switch interface and VLAN addresses (inter-VLAN routing is working), including 192.168.1.3, but I CANNOT ping the default gateway at 192.168.1.1.
Here is the relevant configuration information on the 3750:
!
no aaa new-model
switch 1 provision ws-c3750x-24
system mtu routing 1500
Configuring QoS on a Cisco 3750 switch: I have configured the template below and applied it on the VLAN interface, but I am getting hits on the access list and I am not able to get hits on the class map.
I had a bad experience with a Switch 3750-X. Because of an auditing security process, my customer ran a software called "Nessus" to do a vulnerability scan of the network. When this software is pointed at the switch, the processor of the switch goes to nearly 100% and it resets. The software only listens on the ports to see which ports are open, and the switch should not reset because of this. Below is the log of the switch at the moment of the test; we note that the process 'HTTP' rises moments before the switch resets. I disabled the HTTP service on the switch but the problem persists. The test was made with only one machine connected to the switch.
We have three Cisco 3750 48-port PoE LAN switches and I am trying to see if there are any issues when we stack PoE and non-PoE types of switches. Also looking for information on the advantages and disadvantages that stacking can provide on a Cisco 3750 48-port.
The question is: Will a 3750 switch route Jumbo frame sizes (e.g. 9000 MTU)?
We know that we can change the System MTU to 9000, and someone on a previous thread said that we can change the Routing MTU to 9000 as well, although I couldn't figure out how to do that. However, regardless of how we configure the System MTU and Routing MTU, I don't think we're able to adjust the MTU on L3 VLAN interfaces, so if we want to actually "route" between VLANs on the switch, we're limited to 1500 MTU.
Our situation is that we have a customer connecting to our 3750 switch, and this customer wants to use jumbo frames. The customer connects to our 3750 switch via their own VLAN, with their own L3 VLAN interface configured on the switch. The customer will point their traffic towards the L3 VLAN interface, then we want to route them onto another VLAN, via a different L3 VLAN interface, before forwarding their traffic. Because of the limitations noted above, specifically regarding the routing between these VLANs via L3 interfaces, I do not think we'll be able to support 9000 MTU frames on this 3750 switch. I think the L3 VLAN interfaces will limit us to 1500 MTU, regardless of what we configure via the global System MTU and Routing MTU settings.
How do you properly remove the QoS queues and configs from the switch? I was using auto QoS, which created a whole mess of QoS configs in my running-config. I did "no mls qos" in conf term but that did not remove the queues.
I want to remove an access-layer 3750 48 PoE master switch and replace it with a new 3750 switch in the stack. I want to copy the same configuration to the new switch since the old switch is having a PoE issue and I got a replacement for the malfunctioning switch. We have a VTP domain configured in the network...
I have a Layer 3 "3750-X", but I can't do any routing on the switch, so if I need to upgrade the IOS, what is the preferred image that supports routing, and is it free or should I pay?
On a Cisco 3750 I am facing high CPU utilization for a specific period. During this period traffic response times across the switch degrade. I need steps to identify the interface potentially generating the traffic. I have attached 'sh proc cpu history', 'sh ip traffic' and 'sh proc cpu sorted' from the troubled period.
I have a 2-member 3750-X switch stack that was upgraded to 15.2 today via CNA. All the files were transferred and expanded correctly and it got to the step where the switches needed to be reloaded, but on reload they froze.
I connected a console cable and power cycled the stack. I see the flash initialize and then the IOS image start to load. Lots of @ symbols and then nothing. It just sits there. The system light on the switches, while flashing green during the load, is now off. No light at all. But fans are running and the process will repeat itself if power cycled.
We currently have a stack of 5 x 3750 switches and I want to remove switch number 3 (it has the least number of things plugged in). What will happen to switches 4 and 5? Will they be renumbered 3 and 4, and will the config automatically update if it does?
I configured 3750 switch A with VLAN 20 and its IP address 192.168.20.41. Its default gateway was 192.168.20.3. Then I configured 3750 switch B with the same default gateway and VLAN 20 IP 192.168.20.43. My question is: now when we stack, it becomes a single switch and now the VLAN 20 IP address is 192.168.20.43; that's the only IP I can see. So how does the stack switch choose the VLAN 20 IP? Does it choose the highest IP address between the two switches if they have the same VLAN 20, as in my case? Also, when I go to switch 3750 B by the session command and do "sh ip route", it does not show the IP default gateway. Also, it shows VLAN 20 as admin down.
We have two 3750-X stacked switches with the IP Base license. We need to upgrade them to the IP Services license. I read somewhere that it is possible to install the IP Services license on only the management switch and there is no need to purchase/install the same license on the other switches in the stack. But I could not find/recall where I read it, and as far as I know it was not official Cisco documentation.
There's a Cisco IP phone that sits between a PC and the switch port. On the switch port, no MAC address is learned. However, the switch is able to detect the IP phone and deliver power to it. The switch is a Catalyst 3750 with IOS version 12.2(58)SE1.