Cisco Switching/Routing :: 3750 Switches Refuse To Fire The Port-security Violation Traps
Oct 20, 2010
My group has recently started configuring traps on our switches to alert us of issues as they arise vs. waiting for the Helpdesk to receive user complaints and then responding.We have successfully configured the 2950 and 2960 switches to alert us when a port-security violation happens. However, the 3750 switches refuse to fire the port-security violation traps. The 3750's will fire an errdisable trap when the port goes down though.
And here is the output of the port-security debug:
2522070: Oct 21 16:37:04: %LINK-3-UPDOWN: Interface FastEthernet1/0/45, changed state to down
2522089: Oct 21 16:37:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/45, putting Fa1/0/45 in err-disable state
2522100: Oct 21 16:37:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0012.3f07.95d3 on port FastEthernet1/0/45.
All of the 3750's are running C3750-IPBASEK9-M, Version 12.2(53) SE2. Wireshark also shows the errdisable traps, but no other traps so I've ruled out the traps being missed. All of the switches have been reloaded and power cycled.
I'm using packet tracer, I enabled port security on fa0/18 and set it to shut down when a violation occurred, I set it to only allow 1 mac address, so I tested it by plugging in another PC and the port shut down so the security was working, however when I plug the old pc back into the port it still stays shut down, how do I activate it again.
FastEthernet0/18 is down, line protocol is down (err-disabled)
We have several 3750 stacks across our campus that we are unable to completely clear port security on. We have mac address stick set up on all access ports. When we clear the sticky address on the port, the mac address is removed from the running config like normal, but we keep getting port-security voilations. If port security is taken off the port completely, i.e. no switchport port-security, traffic still doesn't pass the port. Even clear port security across the stack doesn't work. If we try to reload the stack, only the master reboots, and the other switches in the stack lose switch capabilities.
We have the port on the switch set like this: switchport port-security maximum 25 switchport port-security switchport port-security aging time 2 switchport port-security violation restrict switchport port-security aging type inactivity
In case a device connected to the port is inactive for more than 2 minues ( aging time ) the first frame/packet the device generates arrives to the port on the switch, but the switch does not forward it to the appropriate port ( discards it or whatever ).
So far I tested on 1 30 WS-C3750E-24PD 15.0(2)SE2 C3750E-IPBASEK9-M 2 30 WS-C3750E-24PD 15.0(2)SE2 C3750E-IPBASEK9-M 3 52 WS-C3750G-48PS 15.0(2)SE2 C3750-IPBASEK9-M
When we remove port security from the port, it works perfectly fine, as expected.
It seems this is not HW or IOS version related. It seems it is not a stack synchronization issue, it does not matter if a device is connected to the first or other stack member. I tested on C3560 too, here there are no problems, so seems it is 3750 related.
Is it possible to use Port Security mechanism between two switch (3750 or 3560) ports while trunk has been configured? If it's not possible, is there any other way to ensure that no other Switch can be connected other then the one switch which has been configured/placed by a network engineer?
I configured port security on my 2960 switches with the following commands: [code]
The problem is that when I should change someone's PC, first I disable port-secirity, then I clear all the mac addresses learned on the interface, then I plug the new PC and enable port-security. The new PC couldn't connect to the network and it's mac address has not be learned on the interface. Why?Which commands should I use to clear an old mac address and enable port-security with the new mac address.
We have a stack of switches that is at the max number of members allowed in the stack. Problem is we are running out of port density and need to add more ports. So instead of adding a whole new stack I would rather replace 2 of the 24-port swicthes with 48-port switches.
If the two 24-port swicthes we are removing are stack members and neither of them are the stack master, I should be able to replace the 24-port switches with the 48-port switches without bringing the master offline? If the new 48-port switches are running the same IOS version as the current 24-port swicthes, they should add themselves to the stack?Would I have to tell the new 48-port swicthes what switch numbers they are replacing in order for them to be added to the stack since we are at the max number of members?Also since the 48-port swicthes are replacing 24-port switches will the master give the 48-port switches the configuration for only the 24-ports?
If I have two stackable switches one switch uplinks to one 6509 core switch and the other connection uplinks to another 6509 core switch, and also the other stackable switch does not connect to the core switches. Because I am using hsrp and also we are not using vss then one uplink to the core is not in used only ones is so then how does creating an etherchannel between does two uplinks to both core switches benefit me in anyway such as more bandwith and using both uplinks at the same time or I'm I wrong?
If I have two stackable switches were only one stackable switch has two uplinks one uplink goes to one core 6509 switch and the other uplink goes to the other 6509 core switch can a Layer 3 etherchannel be used if each uplink go to a different core switch, by the way hsrp is running between both switches and also can you give an example how data will be routed from the stackable switch through the ethernetchannel to one of the core switch accross the WAN to another core switch?
I'm trying to enable port security on several 4507R's. When I try to configure a range of ports the switch will randomly put 1 or 2 in err-disable. It's different every time I apply the config to the same group of ports. However if I do them one at a time it seems to work. But I really don't want to configure 6 fully populated switches one port at a time. We also have a lot of 3750's and they gave me no problem using a port range. [code]
I have a 3750 switch with IP routing enabled and have lots of VLANs configured on this switch.What is the best way to prevent VLANs from talking to each other?At the same time, hosts inside their respective VLANs should not be blocked from reaching any private networks as they could be doing some L2L with another site.Blocking the VLANs from accessing/telnetting the switch was very simple as I was able to do this in the VTY line section. However blocking VLANs from accessing the other VLANs on the switch seem to be hard and I think there has to be a recommended way of doing this. For example, if hosts in one of my VLANs, in this case VLAN-204 (10.10.10.0/24) want to hack or scan hosts on one of my other VLANs, in this case VLAN-330 (10.20.20.0/24), how can I accomplish this without blocking VLAN-204 hosts from accessing another network they have a site to site tunnel with with the same destination address of 10.20.20.0????
I am using a 3750 as a default gateway for multiple Vlans on a few 2960 switches. The trunk lines are configured and working and I have assigned ip addresses to each of the Vlan interfaces on the 3750. My issue is that I can only ping the ip address on the Vlan interface of the 3750 if I have a working computer plugged directly into the Vlan on the 3750. I only have 3 vlans on the 3750 that have hosts directly connected (vlans 2, 10 and 40) the other vlans ( 20 and 70) don't have any clients plugged into them on the 3750 but the hosts reside on 2 different 2960s that connect via trunk ports. How do I keep the vlan interface on the 3750 switch pingable when I don't have hosts directly connected in that vlan on the 3750? (yes, I have enabled ip routing on the 3750)
I have a simple design with 3750. I configured a route-map which define a next hop. I defined this route-map on a policy on a vlan interface.When I test some ping and a debug ip policy and it seems that my policy never match.Is there any mechanism that prevent the switch from using PBR? I think of CEF .
I have a simple design with 3750.I configured a route-map which define a next hop.I defined this route-map on a policy on a vlan interface.When I test some ping and a debug ip policy and it seems that my policy never match.Is there any mechanism that prevent the switch from using PBR?
Switch A connects to Swich B and C using port channel. I am going to bring down one link on each.
switch A is server farm , switch B and C are core 01 and 02 . and all are 3750 switches.
1. what will be the impact on the network in terms of spanning tree recalculation 2. what duration are we talking about until the spanning tree convergence happens? 3.I plan to shut down the link from CLI to bring down the links
The stack cable connected to Switch 1 Port 1 and Switch 4 Port 2 will not come back online. The logs show that there was a Stack line change. I have replaced the 1 meter Stack cable from Switch 1 to Switch 4 three times and it still does not come back online. This is the part that is interesting.. I have disconnected Port 1 Switch 4 and connected it to Port 2 Switch 4 and then Switch 4 came back online. This made me think Port 2 on Switch 4 was working correctly. Then I disconnected Port 2 Switch 1 and connected it to Port 1 Switch 1 and then Switch 1 came back online.
I am trying to configure a 3750 48 port switch and having trouble with getting it to see the sfp. I just want to set up the router with a pretty basic set up since I am using it for a ping test between 2 buildings, via fiber. How I can enable the sfp port?
I have a small campus network using 3750 stackable switches and a 3725 router (see diagram below). Currently the 3725 router is handling inter-vlan routing for the campus and it looks like it's not able to handle the amount of traffic we're pushing. The router CPU sometimes hits above 90% due traffic load. What I would like to accomplish is move L3 process over to the 3750 MDF stack and the IDF1 stack. I am thinking creating SVI's on both MDF stack and IDF1 stack, run HSRP between the two stacks and may be do load balance traffic between the two stack as well.
Looking for feedback from other organizations that have large 3750 stacks. I've got one stack of (8) 3750's composed of (6) 3750G's and (2) plain 3750's. This particular stack is usually unresponsive to SNMP queries and often fails to write config when we make changes. After a couple tries it will finally go. Part of my probably here is likely the plain 3750's that always boot faster and come up as the master. I should manually set the master to one of the G's. What I'm wondering is who else has 7-9 3750's stacked and are they performing well for SNMP, telnet, etc? I've got another newer stack of 7 3750E's that I need to add one more switch to. Need to decide if I want extended downtime to break the stack up or just add the 3750X to make member 8 and hope it performs well. I have 50+ 3750 stacks working great on our campus.
We currently have a site with a very simple topology that uses a 3750X switch stack for a collapsed core. Everyday, the users have a conference call and experience poor voice quality.Its not bad when users call from several conference phones, but when everyone calls in on individual phones, there is choppy and almost inaudible voice quality experienced. The voice traffic flow would be as follows: Phone <-> 3750 switch <-> Voice GW We have packet captures showing that RTP packet loss is occuring from the phone to the voice gateway, but none from the voice gateway to the phones. We also have drops in the output queues that match drops on the asics. I can reset the counters and they will be clear until the call, and then they increment significantly during the call. The voice gateway and phones are non-Cisco. The switch stack has 6 switches. We are trusting the DSCP settings on the phones. All the queue drops from the phones are usually in queues 0-3, but all drops on the voice gateway is in queue 0. Below are the QoS settings; they are mostly default and we have not changed any queuing, thresholds, or buffers. Should we specify larger buffers and threshold for a designated queue and send EF traffic to that queue?
MySwitch#sh mls qos QoS is enabled QoS ip packet dscp rewrite is disabled Typical Port GigabitEthernet1/0/4 trust state: trust dscp
I have a small network using a 24 port 3750 switch. I need to add five computers in another room and only have one Cat 6 cable running there and no room left on the 3750. I got a 3650 to put in the new room with the new computers. The problem is, whenever I plug the new switch into the 3750, it shuts down the port and gives me an err-disable. I can do a shut/no shut and re-enable the port. I searched the web and read about trunking and clusters. I'm not sure which, if either, is appropriate. I see various documentation that shows you can put one switch behind the other. But nothing tells me the configuration which will allow it.
If I have two stackable switches one that connects to the 6509 core switch and the other switch does not, do I have to uplink the switch to the other switch so that switch has route to the core switch or because the switches are daisy chain there is not need to cable one switch to to the other switch connected to core switch?
I am trying to do ios upgrade on 5 stacked 3750 switches. All the switches have different model number, so i am wondering which image file i should download. As far as i understand all the stacked switches should have the same IOS, i may be wrong. The switches have the following model numbers and SW images;
I have client who has two distant offices with 3750 L3 as core (do all vlan routing for local office) and multiple L2 access switches with multiple VLAN’s connected to it. First 3750 is hub also connected to internet, second 3750 is spoke and acting as a router on stick. We have eigrp configured on both side ISP provided client 100Mbps link as a trunk with two vlan; vlan10 for voice and vlan20 for data. We assigned two small subnets to these vlans 10.15.17.0/29 and 10.15.17.9/29. Hub addresses are 10.15.17.1 and 10.15.17.9 respectively. How to force voice over VLAN10 and data via vlan20, but still do some load balancing? How to setup default route on second (router on stick) switch?