Cisco Switching/Routing :: 3750 Port-security Will Not Clear
Jun 5, 2012
We have several 3750 stacks across our campus that we are unable to completely clear port security on. We have mac address stick set up on all access ports. When we clear the sticky address on the port, the mac address is removed from the running config like normal, but we keep getting port-security voilations. If port security is taken off the port completely, i.e. no switchport port-security, traffic still doesn't pass the port. Even clear port security across the stack doesn't work. If we try to reload the stack, only the master reboots, and the other switches in the stack lose switch capabilities.
We have the port on the switch set like this: switchport port-security maximum 25 switchport port-security switchport port-security aging time 2 switchport port-security violation restrict switchport port-security aging type inactivity
In case a device connected to the port is inactive for more than 2 minues ( aging time ) the first frame/packet the device generates arrives to the port on the switch, but the switch does not forward it to the appropriate port ( discards it or whatever ).
So far I tested on 1 30 WS-C3750E-24PD 15.0(2)SE2 C3750E-IPBASEK9-M 2 30 WS-C3750E-24PD 15.0(2)SE2 C3750E-IPBASEK9-M 3 52 WS-C3750G-48PS 15.0(2)SE2 C3750-IPBASEK9-M
[Code].....
When we remove port security from the port, it works perfectly fine, as expected.
It seems this is not HW or IOS version related. It seems it is not a stack synchronization issue, it does not matter if a device is connected to the first or other stack member. I tested on C3560 too, here there are no problems, so seems it is 3750 related.
My group has recently started configuring traps on our switches to alert us of issues as they arise vs. waiting for the Helpdesk to receive user complaints and then responding.We have successfully configured the 2950 and 2960 switches to alert us when a port-security violation happens. However, the 3750 switches refuse to fire the port-security violation traps. The 3750's will fire an errdisable trap when the port goes down though.
And here is the output of the port-security debug:
2522070: Oct 21 16:37:04: %LINK-3-UPDOWN: Interface FastEthernet1/0/45, changed state to down 2522089: Oct 21 16:37:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/45, putting Fa1/0/45 in err-disable state 2522100: Oct 21 16:37:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0012.3f07.95d3 on port FastEthernet1/0/45.
All of the 3750's are running C3750-IPBASEK9-M, Version 12.2(53) SE2. Wireshark also shows the errdisable traps, but no other traps so I've ruled out the traps being missed. All of the switches have been reloaded and power cycled.
We have a 3750x switch with some issues on the arp. Our servers become unreachable for some time, buy when I clear the arp cache, I am able to ping the server again. I have tried adjusting the arp timeout but I don't think doing so would be the permanent solution.
We have a stack of switches that is at the max number of members allowed in the stack. Problem is we are running out of port density and need to add more ports. So instead of adding a whole new stack I would rather replace 2 of the 24-port swicthes with 48-port switches.
If the two 24-port swicthes we are removing are stack members and neither of them are the stack master, I should be able to replace the 24-port switches with the 48-port switches without bringing the master offline? If the new 48-port switches are running the same IOS version as the current 24-port swicthes, they should add themselves to the stack?Would I have to tell the new 48-port swicthes what switch numbers they are replacing in order for them to be added to the stack since we are at the max number of members?Also since the 48-port swicthes are replacing 24-port switches will the master give the 48-port switches the configuration for only the 24-ports?
I'm trying to enable port security on several 4507R's. When I try to configure a range of ports the switch will randomly put 1 or 2 in err-disable. It's different every time I apply the config to the same group of ports. However if I do them one at a time it seems to work. But I really don't want to configure 6 fully populated switches one port at a time. We also have a lot of 3750's and they gave me no problem using a port range. [code]
I have a 3750 switch with IP routing enabled and have lots of VLANs configured on this switch.What is the best way to prevent VLANs from talking to each other?At the same time, hosts inside their respective VLANs should not be blocked from reaching any private networks as they could be doing some L2L with another site.Blocking the VLANs from accessing/telnetting the switch was very simple as I was able to do this in the VTY line section. However blocking VLANs from accessing the other VLANs on the switch seem to be hard and I think there has to be a recommended way of doing this. For example, if hosts in one of my VLANs, in this case VLAN-204 (10.10.10.0/24) want to hack or scan hosts on one of my other VLANs, in this case VLAN-330 (10.20.20.0/24), how can I accomplish this without blocking VLAN-204 hosts from accessing another network they have a site to site tunnel with with the same destination address of 10.20.20.0????
The stack cable connected to Switch 1 Port 1 and Switch 4 Port 2 will not come back online. The logs show that there was a Stack line change. I have replaced the 1 meter Stack cable from Switch 1 to Switch 4 three times and it still does not come back online. This is the part that is interesting.. I have disconnected Port 1 Switch 4 and connected it to Port 2 Switch 4 and then Switch 4 came back online. This made me think Port 2 on Switch 4 was working correctly. Then I disconnected Port 2 Switch 1 and connected it to Port 1 Switch 1 and then Switch 1 came back online.
have a cable i think is bad, is it possiable to switch the cable out without causing any downtime to the switch or connected devices?
HQ-1st-Flr-Stack#show switch stack-ports summary Switch#/ Stack Neighbor Cable Link Link Sync # In Port# Port Length OK Active OK Changes Loopback Status To LinkOK
I am trying to configure a 3750 48 port switch and having trouble with getting it to see the sfp. I just want to set up the router with a pretty basic set up since I am using it for a ping test between 2 buildings, via fiber. How I can enable the sfp port?
Was wondering how to set port security on the 881. I have all the FE ports shutdown except one and want to limit that port to one specific MAC address.
I have configured SPAN in cisco 3750 switch as below mentioned. but the destination port protocol is down.switch(config)#monitor session 1 source interface gigabitethernet1/0/1switch(config)#monitor session 1 destination interface gigabitethernet1/0/11 ingress vlan 1
Been dealing with a strange problem for several days now. It started out with a problem that I thought was VTP related but ended up being something else. I setup a span port on a 3750 that I am connected to that was mirroring the trunk connection coming into the switch.
Never saw an VTP traffic come across the connection but doing a sh vtp status indicated the traffic was arriving and getting processed. When I found some debug commands (debug sw-lan vtp), I was also able to see the packets go between switches. Seeing this issue concerns me that there is other traffic that isnt showing up during a span session.
I know that doing a span on a switch, especially using a trunk port as a source, isnt a good idea. Since I didnt have a TAP at time, this was my only choice. I have since borrowed a NetOptics TP-CU3 tap from a good friend and was able to confirm the VTP traffic was going across the trunk connection between switches.
I have 3750 core/distribution switches with routing enabled in two offices connected with copper link and L3 port channel interfaces. NewOffice#2 has moved about 5 miles farther away from office#1 and I have to deploy new core/distribution switch connect it to old core#2 via F.O and move all access switches with it. Old core will stay in old #2 offices as a bridge between office#1 and new office#2 Office#1core<->copper (Ethernet) <->oldoffice#2core<->f.o. <->new office#2core How I should configure port channels ports on oldoffice#2 core to act as bridge between office#1 core/dist and newoffice#2 core/dist without changing anything else (ip, etc) on whole network
There 's a Cisco IP phone that sits between a PC and the switch port. On the switch port, no MAC address is learned. However, the switch is able to detect the IP phone and deliver power to it: [code] Switch is Catalyst 3750 with IOS version 12.2(58)SE1.
I have a non-cisco router with a public WAN address. This is conencted to a 3750 switch internally. The switch is the default gateway for all VLANs, and the gateway router has static routes back to the 3750. The Router provides NAT, no NAT is done on the switch.My requirement is to port forward port 29 000 so that I can access a server on VLAN4 via this port.
So, I have: Router: Port 29000 map to 192.168.4.1 (Switch VLAN4 address)
The question is, how do I route port 29000 from the 3750 to the server on 192.168.4.42 ? what exactly I should add in order to port forward port 29000 incoming form my router, to my server on 192.168.4.42.
I would like to ask about 3750 stacking and some Cat6 stuff...
1) How do we monitor 3750 stacking port in LMS? 2) Let say if I stack 3 switches, middle switch should be Master. Uplink should be at Top and Bottom. Is best practice? 3) Can we mixed 3750G and 3750X and what is result internal BW - fallback to 32Gps? 4) is there any Qos difference between WS-X6816-10G-2T and WS-X6816-10G-2TXL? 5) is there any Qos difference between MSFC5 PFC4 and MSFC5 PFC4XL? 6) What is main difference between PFC4 and PFC4XL in Sup2T? 7) Pls share more about Central and Distributed Switching in Sup2T and which card support Distributed DFCXL?
We have computers that are connected to a switch stack of 3 - 3750 switches. Randomly, we experience pcs that fail to communicate on the network. At first thought I figured the port went into err-disabled state, however the port shows up fine on the switch and moving the pc to another port on the same switch in the stack fails to fix the problem. To add to the confusion, if I immediately connect a different machine into the problematic port the newly connected machine has no issue and operates normally. Connecting back the first machine still results in no connectivity.
The only way to gain back network connectivity is to move the pc to a different switch in the stack. shut/no shut doesn't work.The IOS the stack is running is 12.2 and the switch ports are configured using cisco port macros.
I have a stack with a lot of stack-port changes, but on all the ports, how can I determine the faulty switch in the stack, cables are already verified. We did also a restart of the whole stack power off/on
running version
WS-C3750-48P 12.2(55)SE C3750-IPBASEK9-M
This is the output after 6weeks
Switch#/ Stack Neighbor Cable Link Link Sync # In Port# Port Length OK Active OK Changes Loopback Status To LinkOK -------- ------ -------- -------- ---- ------ ---- --------- -------- 1/1 OK 4 1
I'm trying to configure a mirror port on a 3750. This configuration needs to replicate data from local ports, but I need that also act as a regular access port.
With the initial configuration, SPAN port, there is no problem, all the data of the configurated ports is replicating in the configurated port. On the port configurated as mirror there is a PC connected for audio recording. When the port is not operating as SPAN there is communications without problem over the LAN. But when I configure the port as SPAN, communication is interrupted.
Here is the actual configuration:
SWITCH1-PISO7#sh monitor session 1 Session 1 --------- Type : Local Session
I am building a new network and intended on using the min-link feature on my port-channels between a 3750-X series switch and Nexus 4k.
However reading further into this it seems this feature is only supported on higher end models. I cannot find any reference to the min-links feature in the 3750-X configuration guide. Is this an available feature?
The 3750-X model is WS-C3750X-24T-L running IOS 12.2(55)SE3 IP Services
My thoughts is that the is only an LACP supported feature so I may not see the command until I have entered an LACP specific command on the port-channel but unfortunately I do not have a 3750X to verify this on at present.
I have a 3750 catlyst switch in my network and it is like a distubation switch,And for the nating and dhcp nomadix is using as gateway in the same network. for one of my local PC i need to config the port forwarding in 3750 switch. How to config the port forwarding on 3750 switch,
I'm trying to setup a port on a catalyst 3750 so it will pass traffic for 2 vlans. It connects to a (watchguard) firewall which I've configured with a primary IP (for vlan 27) and a secondary IP (for vlan 29).
However I can't seem to find the correct commands to enter on the cisco switch port (I've tried a variety).
FYI the current configuration is... interface FastEthernet1/0/38 description ## Connection to WG vlan27 and vlan 29 ## switchport trunk encapsulation dot1q
We have QoS configured throughout the company, but the standard config we have applied across the 3750 switches only includes the below: We have IP phones (not cisco) attached that are marking with EF, and the PC is an untrusted end device (so needs to be by default marked as zero).Is the above enough to trust VOIP DSCP EF without resetting it to DSCP 0, or do I also need to add a trust line (i.e.: mls qos trust dscp)?
On 45XX catalyst , bandwidth is allocated across six 8-port groups, providing 1 Gbps per port group. Example for the following line card : WS-X4448-GB-SFP
I want to know if there is the same mecanism on 3750X switches. I mean is bandwidth allocated across a group of ports like on 4500 catalyst ?
We have a switch that, when configuring auto qos on and edge port facing video equipment, the upstream port channel drops. I was wondering if no auto qos would have to be configured on the member ports of the port channel prior to enabling auto qos on any other ports.
We have a number of 3750 stacks used as access layer switches connecting Siemens VOIP phones and then a PC that connects to the phone.
For example if I plug PC A to the phone that connects to port 13 I pick up an IP addressand all works as predicted now if I plug in PC A to any other VOIP phone that connect to another port on the same switch it goes in error disable state ITs like the switch is holding my PC mac address and locks it down with the port which in my case is Gi2/0/13.
Is it possible to rate limit on a L2 trunk port on a 3750?
current port config and ios are as follows;
interface GigabitEthernet1/0/50 description *** Connection to Fiber Link *** switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,172 switchport mode trunk end flash:c3750-advipservicesk9-mz.122-46.SE.bin
i was wondering if the "srr-queue bandwidth limit 10" command would work to limit the output from this interface to be 10 % of the port bandwidth and then the same command could be done on the other side.
We would like to setup a link to our DR site that is separate from our main network traffic. This link will be used by an EMC VNX SAN for replication traffic. The SAN will be plugged into a fiber port on a 3750 switch and going out from the same switch (going in as multimode, going out as single mode) into a patch panel that runs over to the DR site (about a mile away). At the DR site it will go from the fiber panel into another 3750 switch which ends up going back out of that switch into our DR SAN.
I'm wondering what the best way would be to configure the fiber ports to accomplish this. I'm affraid that the replication traffic will find it's way over through another route and congest our main network unless configured appropriately.
I am experiencing the same problem described in this post {URL}. I have seen this happen on different networks, with different equipment attached. It happens on both 2960 and 3750 switches. Basically the connection drops, and we see in the web interface "Port is Disabled". This appears to happen every 10 minutes.
On the CLI, the status shows as connected.
Port Name Status V lan Duplex Speed Type Fa0/38 connected 1 a-full a-100 10/100BaseTX
I have ran cable diagnostics while the drop out is occurring.
Interface Speed Local pair Pair length Remote pair Pair status --------- ----- ---------- ----------------- ----------- ------------------- Fa0/38 100M Pair A 28 +/- 15 meters Pair B Normal [code]...
During the outage, I see the duplex fluctuate between full and half. The outage occurs for approx 90 seconds. If I fix the duplex and speed at both ends, the outage reduces to around 30 seconds. If I apply spanning-tree port fast the outage reduces further to around 10 seconds. Before I change any configuration on the port, the logs show the interface going down
Aug 16 13:06:51.875: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/38, changed state to down Aug 16 13:06:52.874: %LINK-3-UPDOWN: Interface FastEthernet0/38, changed state to down [code]...
However, once I apply the configuration nothing is logged. However we can still see the connection is disappearing for around 10 seconds. I suspect the issue wasn't resolved for the person reporting the problem in the link above, but because the outage is minimized, and not being logged it is going unnoticed.
I was wondering if there is a workaround to have a mac access-list bond to a port security violation action our need is the following: we have a range of 10 mac addresses that can use any port on the 3750, we only want to allow those ones yet we also need to tak action if a denied mac appears on any port of the switch.the only work around I found is to basically go into a port-rage mode and list all the allowed mac addresses under all the ports of the switch. I would also add to that a port violation action. did not test it but should work. problem is, it would be a huge config.I did read that we can create a mac access list and then bind that mac to physical ports wich will actually simplify our solution yet I did not find a way to bind the mac list with a port violation action.