Cisco Switching/Routing :: C3560 / Unexpected Behavior With SSH?

Feb 5, 2012

I have a weird situation with some switches.
 
Switch .55 can ssh into Switch .57 but cannot ssh into Switch .56.
Switch 56 can ssh into Switch 55 and ssh into Switch 57
Switch 57 can ssh into Switch 55 and ssh into Switch 56
 
The software on .56 is:
 
C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
 
I noticed on .56, when I do a show ip ssh I get: SSH Enabled - version 1.5. It doesn't say version 1.99 like the others even when I configure version 2. Is this a bug I am running into?


Cisco WAN :: Unexpected Routing Behavior On 7609 Router

Dec 14, 2011

We have a lab network set up with a 7609 router as the central core. Scenario: Laptop with a SIP client. In the lab is a session border controller that will route signaling and media to a SIP gateway with a call agent (172.23.112.201) and a media "handler" (172.23.113.6). The call processing device will forward packets to an RF network (108.x.x.x) where an NCS cable modem sits. Call signaling works perfectly fine. However, RTP traffic from the laptop to the NCS phone is getting routed incorrectly. RTP traffic from the phone to the laptop works fine. [code]

Packet captures show the laptop to phone RTP packets are being routed back towards the corporate router.  These time out with ICMP TTL exceeded packets.  There are static routes for 172.23.113.0/27 to the optical interfaces that go to the SIP gateway.  Interestingly, I can ping an IP on the SIP gateway (not used for media, but is pingable) in that static range (172.23.113.1) just fine from the 7609 (i.e. it's not getting routed to the corporate router).  Unfortunately, the IP for the media endpoint on the SIP gateway is not pingable.  Config for the 7609 is attached.


Cisco Switching/Routing :: WS-C3560-24PS / WS-C3560-48PS - Port With WAP Goes To Err-disable?

Oct 11, 2012

We have a Cisco switch in each office and every now and then the port that has the D-Link Wireless AP (DAP-1522) connected to it goes to err-disable state. Actually sometimes even a regular port that has a Cisco phone connected may also go to err-disable state (less often). So I have to telnet into the switch and issue shut and no shut command on that interface to get it back to life, then it works for a few days or weeks until it happens again. Is there any suitable configuration for that interface that would prevent that from happening, or a workaround?
 
Here's the info:
 
Model: cisco WS-C3560-24PS and cisco WS-C3560-48PS
Image:c3560-ipbase-mz.122-35.SE5.bin
 
This is the log from one switch:

31w5d: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
31w5d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 74e2.f592.f7f2 on port FastEthernet0/2.
31w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed  state to down
 
And from another, which is almost the same:

5d10h: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
5d10h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address d8a2.5e31.2cf6 on port FastEthernet0/3.
5d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
5d10h: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
 
Here's the configuration of fe interfaces (they are all alike):

interface FastEthernet0/2
description Voice & Data Combo Port
switchport access vlan 11
switchport mode access
switchport voice vlan 15

[code]....


Cisco Switching/Routing :: 2960-S Possible Switch Behavior When QoS Is Not Enabled

Jan 30, 2012

Document at url... is quite interesting. One of these goes about the behavior of a switch (2960-S and 3750G) when QoS is not enabled vs the one when QoS is simply enabled with "mls qos". What additional commands, beside "mls qos", would be needed so as to simulate as accurately as possible the switch's behavior when QoS is not enabled?


Cisco Switching/Routing :: 239 Multiple Static RPs And Access-list Behavior

Aug 14, 2012

If I configure multiple static RPs and one of the ACLs denies a source, will it move on to the next entry that covers it in another ACL? [code] i.e. 1.1.1.1 will be used as the RP for 224 to 238 and 2.2.2.2 will be used as the RP for 239. Will that work correctly, i.e. if a source is trying to register with the router and it's for the group 239.1.1.1, will it be denied against the first RP and then permitted against the second RP?


Cisco Switching/Routing :: 3560 Default QOS Trust Behavior On Access Point Changed

Oct 27, 2011

I've just been testing QoS on 3560 with version 15.0(1) and it seems the default QoS trust behavior on access ports has changed. By default the trust state of a port is not to trust anything, however rather than rewriting the DSCP value of the incoming packets and setting it to 0 the switch now seems to leave the DSCP value unchanged.
 
SW04-C3560(config)# do sh mls qos int g0/2
GigabitEthernet0/2
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
[Code]......


Cisco Switching/Routing :: C6509-E Do A Unexpected Reload

Feb 26, 2012

Last night, the C6509-E did an unexpected reload. In the crashinfo, I can see that the last error message before the reload was as follows: %C6K_PLATFORM-SP-2-PEER_RESET: SP is being reset by the RP

I consulted the Cisco website about this error message and what I found was the following: C6K_PLATFORM-2.


Cisco Switching/Routing :: 6500 Unexpected Packets On Port

Apr 17, 2012

I have several Cisco 6500 switches, and user switches connected to them. In my example I have a global service VLAN, where some access ports are directly connected on the 6500, and this VLAN is also allowed on the trunks to the access switch.

Now I am connected with my laptop on an access switch, where my port is in the same VLAN. When I do a show mac address-table on my access port, I can see my own MAC address, nothing else. When I start Wireshark to see the traffic, all I should see is traffic from or to my MAC, or broadcasts/multicasts.

But I can see other unicast traffic with different source/destination MAC than mine. It seems like these packets get broadcasted over the whole VLAN, but it's no broadcast MAC nor IP.


Cisco Switching/Routing :: Unexpected Traffic On Nexus 5000 Trunk Port?

Feb 6, 2013

So I took a laptop with wireshark and plugged it into a nexus 5000 port that is configured as a trunk with 3 vlans allowed on it. The laptop was seeing all kinds of traffic on the wire, most of it was not involving my laptop.
 
For example: Server A VLAN 10= 10.10.10.1  Server B VLAN 20= 10.20.20.1 and wireshark laptop is plugged into a trunk port which is allowing those vlan's. The vlan's are routable.
 
10.10.10.3 is seeing the entire conversation when 10.10.10.1 backs up 10.20.20.1 even though it has no reason to see it. It is as if the trunk is spanning traffic to the laptop port. No span is set up however. It's really weird. This is not just broadcast traffic, but actual TCP traffic between Server A and B. Why would a trunk port see traffic between 2 other servers talking to each other on the VLAN?
 
Trunk port configuration below:
 
Interface Ethernet 141/1/3 
switchport mode trunk
switchport trunk allowed vlan 10, 20


Cisco Switching/Routing :: WS-C3560-8PC - MGT Vlan Goes Down

Oct 24, 2012

I have a 3560-8PC in which the mgt VLAN randomly (twice in one day or 2 weeks later) goes into the down state and will return w/o any intervention 15-20 minutes later. Int G0/1 is the uplink to a 3750. I don't think it's a layer 1 issue at this time since I have seen it work just fine for over 2 weeks and drop again. I don't see any errors on the 3750 either.
 
WS-C3560-8PC       15.0(2)SE             C3560-IPBASEK9-M
 LOG:
----------------------------------------
.Oct 20 19:34:37.533 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up

[Code].....


Cisco Switching/Routing :: C3560 SW IOS Upgrade?

Nov 23, 2012

I have C3560 switches in my work environment. I want to configure SSH on that switch but the IOS they have, 'c3560e-universal-mz.122-58.SE2', does not support it. As advised, I was trying to upgrade to 'c3560e-universalk9-mz.122-58.SE2' for all my access switches.

I successfully upgraded two switches.

I have two problems now:

01. I upgraded the IOS successfully on one switch but the PoE is not working. What is the reason?

02. After upgrading the IOS, the output is as follows:
 
Switch   Ports  Model              SW Version              SW Image
------   -----  -----              ----------              ----------
*    1   30     WS-C3560E-24PD     12.2(35)SE5             C3560E-UNIVERSAL-M
Cisco#sh boot sys

[Code].....


Cisco Switching/Routing :: Does C3560-12PC-S Run OSPF

Nov 21, 2012

I am in doubt whether the 3560-12-PC-S supports OSPF. Datasheet says we need IP Services image. But 3560-12PC doesn't have the option with IP Services. Then I navigate to [URL] how?
 
So, any clues whether or not this box can run OSPF?


Cisco Switching/Routing :: C3560 / How To Configure SLA Monitoring On L3 Switches

Feb 27, 2013

How to configure SLA monitoring for dual path default route in Layer 3 switches, like C3560?


Cisco Switching/Routing :: C3560 / Can't Disable Telnet For Vty Lines

Oct 24, 2012

#sh run | inc user
!
username USER0 secret 5 $1$password
username USER1 privilege 15 secret 5 $1$password
username USER2 privilege 15 secret 5 $1$password
!
#sh run | inc aaa
!
aaa new-model
aaa authentication login local_authen local
aaa authentication login radius_authen group radius local
aaa authorization console
aaa authorization exec local_author local
aaa authorization exec radius_author group radius local
aaa session-id common
!
#sh run | begin line vty
!
line vty 0 4
 access-class 3 in
 exec-timeout 15 0
 authorization exec radius_author
 logging synchronous
 login authentication radius_authen
 transport input ssh
line vty 5 15
!
sh ver
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE6, RELEASE SOFTWARE (fc1)
 
The intent of the above is that management connections will only be accepted via SSH, and all of those will be authenticated via RADIUS, unless it's down, then it will use the local username/pw combinations, most of which are given Privilege level 15. Telnet should never work. SSH works as expected (authenticates via RADIUS), but the problem is that Telnet also works, will ONLY use the local database (never RADIUS), and, for some reason, leaves the users at Privilege level 1, instead of the configured 15. Essentially, it seems that at every point I have told it to do something that isn't the default with regards to telnet, it ignores me. Prior to a recent IOS upgrade, the switch didn't support SSH, so the previous config was Telnet with RADIUS, and that worked fine.


Cisco Switching/Routing :: C3560 Swap Out Not Ping Across Network

Jun 17, 2012

Had a switch die over the weekend, a c3560, per our normal procedure I pulled the hardware and put a very basic config on it (vlans, portchannel, uplink ports, ip of management vlan, con and vty security, snmp, enable secret, and hostname). Then I use Solarwinds Orion to upload a copy of the old config to bring the switch back to the same state as the one that failed. It's a system that has worked for us 3 or 4 times in the past. But this time when the base config was on the box it couldn't ping across the network. I have tried clearing the arp cache and the dynamic mac tables, I verified the routing tables and even removed the 10.1.185.128/27 route and re-added it, saw the routing update go across to the other 65k, tried bouncing the edge switch (I can't bounce the 65k's), took down the po between the edge and 65k.


Cisco Switching/Routing :: C3560 100mb Fiber Module?

Sep 4, 2012

I have a c3560 switch that has two gig fiber modules in it. I need to uplink fiber to one of these at 100mb. This is because this port will be rate limited to 20mb and 10 percent is the lowest you can go with the rate limiting command. Is there a 100mb fiber module I can insert in the 3560?


Cisco Switching/Routing :: C3560 Output Drop Without MLS QoS Enabled

Nov 24, 2012

We are seeing output drops on a C3560 switchport, this port does not have QoS enabled -- application does not need special QoS treatment, as long as packets are not dropped, so I suppose all traffic will share the same queue? Then how should I read the output of "show platform port-asic stats drop" which indicates that it is queue 3 weight 2 drop? I am wondering what is the best way to fix this? Enable mls QoS and increase queue 3 bandwidth share on this interface or just increase the output queue depth?
 
switch#sh mls qos interface gi0/1
GigabitEthernet0/1
QoS is disabled. When QoS is enabled, following settings will be applied
trust state: not trusted

[Code]......


Cisco Switching/Routing :: WS-C3560-24PS - Rate Limit And QoS

Mar 4, 2012

I am having an issue with VoIP phones giving me an insufficient bandwidth message. I have three remote locations connected to our main building using 2 Mb point to point ethernet solutions through TWC. Each remote location has a Cisco WS-C3560-24PS running IOS C3560-IPBASE-M, version 12.2(25) and have the cable modems plugged into port 1 on them. The remote buildings are labeled 192.168.101.xxx, 192.168.102.xxx, and 192.168.103.xxx. There are 14-16 VoIP phones in each remote building. The main building being in the subnet of 192.168.100.xxx. I have the 3560s connecting to a single port on a 2801 in the main building, all using the subnet of 192.168.253.xxx. The phone server sits in our network at 192.168.100.203. I have created the ACLs, class maps, and policy maps on all of the equipment.
 
For the remote buildings I have the following:
 
ACL
===========
Extended IP access list VOIP
permit tcp any host 192.168.100.203 dscp ef
permit tcp any host 192.168.100.203 eq 5566

[Code]....

I have put a hub in to capture traffic via Wireshark to see if DSCP flags are being appropriately marked and I do see that all VoIP packets are getting marked as EF. However, I have been receiving phone calls from people in the remote buildings stating that their phones will cut out, flash Insufficient Bandwidth on the LCD displays and then the call will cut back in. I am wondering if the 2801 is not applying QoS with the rate-limits in mind since it is set to 100 Mb, or is it an issue with trying to take 3 remote locations and bring them down into 1 port on the 2801?


Cisco Switching/Routing :: Can C3560-24PS Switch With 32 MB Flash Be Loaded With IOS 15

Jul 23, 2012

Can a C3560-24PS switch with 32 MB flash be loaded with IOS 15? Will it be able to execute the code and function properly?


Cisco Switching/Routing :: Object Group In C3560 & C3750 Switches?

Feb 16, 2011

I have two layer 3 switches, C3560 and C3750 Cisco switches, with IOS version "ipservices-mz.122-35.SE5". Now with the current IOS version, these layer 3 switches are not supporting object group. So my question is, do I need to upgrade the IOS for this feature, and if yes, which version?


Cisco Switching/Routing :: Configure C3560-24TS / QoS Control By IP Or Subnet?

Jun 28, 2012

I need to configure the C3560-24TS, QoS control by IP or subnet. I tried to study books and videos many times but still feel I am not knowledgeable about QoS...


Cisco Switching/Routing :: C3560 DHCP Server For Nortel IP Phones

Oct 7, 2012

I am just trying to set up a DHCP server in my Catalyst 3560 switch for Nortel IP phones. I show you my configuration:

VOICE VLAN: 3
DATA VLAN: 1

S1:10.2.110.200
port:4100
Nortel IP Phones: IP 2002 (Firmware Version 0604D9H) & IP 1110 (Firmware Version 0623C7)

Switch Configuration:
aaa new-model
!
aaa session-id common
ip subnet-zero
ip routing
!
ip dhcp pool datos
 network 10.2.100.0 255.255.255.0
 default-router 10.2.100.1
 lease 0 2
!
ip dhcp pool voice
 network 10.2.110.0 255.255.255.0
 default-router 10.2.110.200
 option 191 ascii "VLAN-A:3"
 option 128 ascii "Nortel-i2004-A,10.2.100.200:4100,1,5."
 lease 0 2
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy
[Code]...


Cisco Switching/Routing :: C3560-24P Spontaneously Rebooting When Clients Try To Print

Feb 19, 2013

I have a C3560-24P PoE switch, running on a very small network with nothing special about the endpoints or the configuration (5 laptops connecting via 1 wireless AP, 1 firewall uplink, a networked printer and one conference room phone using PoE.   That's it.)   I actually have inline power turned off on all the non-PoE device ports.
 
We are encountering a very strange anomaly where if a client attempts to send a print job through the switch, to the network printer, the printer makes a noise as if it's begun to initialize and then the switch immediately goes into a reboot. Also the reboot appears to immediately drain all the battery power from the UPS unit that it's connected to. The unit is an APC SmartUPS 750 (500W, 750VA) and when the switch reboots the load on the UPS jumps to well above 100% until the switch appears to 'level out'. Is that kind of power draw normal when rebooting a C3560?
 
Switch details:
IOS version: c3560-ipbasek9-mz.150-2.SE1
128MB Memory
512K nvram
Model Revision: F0


Cisco Switching/Routing :: Cannot Configure Speed In Giga Port On WS-C3560-24PS-S

Oct 27, 2011

I can't configure speed in a giga port on WS-C3560-24PS-S

switch(config-if)#speed ?
no negotiate  Do not negotiate speed

Do you know if the port supports speed 100?

Because I need to connect with a 2955C-12 switch in one port: 100BASE-FX (Multimode Fiber) uplinks, this port is only 100mbps?

And the switch C3750G-12S-E, can I configure the ports on 100mbps?


Cisco Switching/Routing :: C3560 / Number Of Supported Spanning Tree Instances?

Sep 9, 2010

I'm having some weird issues with our 3560 that's connected to an MPLS line. The speed of the port plugged into the provider's equipment is 100Mb, but we're only allocated 10Mb of bandwidth from them. I tried to police our traffic out of the port using srr-queue bandwidth limit 10, however when I do that I get some really weird bandwidth results.
 
Using iperf I've run bandwidth tests with srr-queue bandwidth limit enabled and with it disabled, when it's disabled I get the full 10Mb as expected, however once I enable it I'm lucky to get 5Mb, and while the test is running connectivity between sites is almost useless (which is not the case if I disabled bandwidth limit).  Is there anything special I should be doing when I have this enabled?  I also have priority-queue out enabled with only one dscp marking placed in queue 1, with very little traffic hitting that queue, but regardless of what I do I can't get the expected bandwidth with the bandwidth limit command, even if I place my iperf traffic in that priority queue. 


Cisco Switching/Routing :: WS-C3560-48PS SFPs Compatible With 2960-S Switches

Jan 3, 2013

I need to replace an older 3560 with a new 2960-S and am wondering if the SX SFPs I already have will be compatible with the 2960-S. [code] I cannot find any way to get the part numbers of the SFPs.


Cisco Switching/Routing :: C3560 Number Of Supported Spanning Tree Instances

Nov 16, 2011

My client's switch is running out of Spanning-Tree instances (c3560 only supports 128 instances). I know that running RSTP with VSTP can mitigate this, in that all instances over 128 will be handled by RSTP, but before I implement this are there any other thoughts out there on how to mitigate this? Would MSTP be able to handle more STP instances, or MISTP perhaps?


Cisco Switching / Routing :: C3560 - 48PS Port / Get Any Device To Talk To DHCP Server?

Sep 11, 2011

I have a c3560 on which, on Port 1, I cannot get any device to talk to the DHCP server. Previously there was a client connected to this port, however over the weekend he stated he lost connectivity.

In my troubleshooting I have connected that client to another port and now he is good to go... I connected my laptop and tried to connect to the network, however I could not. I checked the logs and did not see anything that led me to think it was having problems.

Is there another way to shut this down and hopefully start it back up without having to restart the entire switch?


Cisco Switching/Routing :: WS-C3560-48PS-S Show Power Inline But No Power Available

Apr 14, 2013

We have two switches of the same model (WS-C3560-48PS-S) that are not providing PoE. I'm trying to remotely determine what the cause of the issue is.
 
Here is some output.
 
Hostname#show power inline
Available:0.0(w)  Used:0.0(w)  Remaining:0.0(w)

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Fa0/1     auto   off        0.0     n/a                 n/a   15.4
Fa0/2     auto   off        0.0     n/a                 n/a   15.4
Fa0/3     auto   off        0.0     n/a                 n/a   15.4
Fa0/4     auto   off        0.0     n/a                 n/a   15.4
Fa0/5     auto   off        0.0     n/a                 n/a   15.4
Fa0/6     auto   off        0.0     n/a                 n/a   15.4
Fa0/7     auto   off        0.0     n/a                 n/a   15.4
Fa0/8     auto   off        0.0     n/a                 n/a   15.4
Fa0/9     auto   off        0.0     n/a                 n/a   15.4
Fa0/10    auto   off        0.0     n/a                 n/a   15.4
(code)


Cisco Firewall :: 5520 - Different DMZ Behavior After Upgrade To ASA 8.4(4)

May 23, 2012

I upgraded a pair of ASA 5520s from ASA 8.3 to ASA 8.4(4) this week and now my DMZ hosts cannot reliably communicate with each other. I have a DMZ network of 10.20.20.16/28 configured. 10.20.20.17 is the ASA/Gateway and 10.20.20.19 is one host and 10.20.20.20 is another host. These two hosts had no problem communicating with each other before the upgrade. Now, they usually cannot communicate with each other. Occasionally they can communicate, but only for a few minutes. What is strange is I never had any access lists for these hosts to talk with each other before the upgrade (because their traffic to each other should have never reached the firewall) but now I needed to create an access list on the DMZ interface allowing these two hosts to talk. ICMP works fine, but only if the ACL is in place. TCP rarely works.


ARP Behavior In Case Of Duplicate IP Addresses In Same LAN

Aug 24, 2012

In case I configure duplicate IP addresses in the same VLAN (two interfaces in VLAN 1100 have IP address 192.168.2.2) I see the following ARP messages rapidly (those six messages were received in less than 2ms time-frame)


Cisco :: Behavior Of Routers When Overhead Is Added On Packet?

Jun 5, 2012

I am researching on the behaviors of routers when MTU is increased beyond the MTU set in the routers. Also, when I use jumbo frames instead of normal MTU, how does it affect the network. So, what I plan to do is

LAN_A -- > blackbox --> WAN --------> WAN --> blackbox --> LAN_B

All the traffic coming from LAN_A will be of size 1500 Bytes or less. The blackbox in the center will add an overhead of 4 bytes, recalculate the CRC and transmit the packet on the WAN side. I wanted to know that:

1- If my LAN router and WAN router are both set at 1500 MTU, then will the WAN router drop the packet if it receives a packet greater than 1500B?

2- If I keep my LAN side at 1500 MTU and I switch my WAN router to jumbo frames, how will this configuration affect the complete network? Will it work or not?

3- I want to add the overhead on every packet coming in from the LAN side, so what options do I have to achieve this goal?

PS. All types of traffic can come from LAN side.


Cisco Firewall :: ASA 5505 - Rules And PAT Weird Behavior

Jun 21, 2012

In the last 8 months I have upgraded at least 6 Cisco ASA 5505 from 8.2(1) to 8.4(3) without problems. I made minor changes, all related to rules, due to a problem with the migration.








Copyrights 2005-15 www.BigResource.com, All rights reserved