Cisco Switching/Routing :: Cat 3750 Drops First Frame / Packet With Port Security
Mar 5, 2013
our C3750 like the one described here [URL]
We have the port on the switch set like this:
switchport port-security maximum 25
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
In case a device connected to the port is inactive for more than 2 minues ( aging time ) the first frame/packet the device generates arrives to the port on the switch, but the switch does not forward it to the appropriate port ( discards it or whatever ).
So far I tested on
1 30 WS-C3750E-24PD 15.0(2)SE2 C3750E-IPBASEK9-M
2 30 WS-C3750E-24PD 15.0(2)SE2 C3750E-IPBASEK9-M
3 52 WS-C3750G-48PS 15.0(2)SE2 C3750-IPBASEK9-M
[Code].....
When we remove port security from the port, it works perfectly fine, as expected.
It seems this is not HW or IOS version related. It seems it is not a stack synchronization issue, it does not matter if a device is connected to the first or other stack member. I tested on C3560 too, here there are no problems, so seems it is 3750 related.
View 1 Replies
ADVERTISEMENT
Jun 5, 2012
We have several 3750 stacks across our campus that we are unable to completely clear port security on. We have mac address stick set up on all access ports. When we clear the sticky address on the port, the mac address is removed from the running config like normal, but we keep getting port-security voilations. If port security is taken off the port completely, i.e. no switchport port-security, traffic still doesn't pass the port. Even clear port security across the stack doesn't work. If we try to reload the stack, only the master reboots, and the other switches in the stack lose switch capabilities.
View 1 Replies
View Related
Nov 24, 2012
I've had a read through the docs for the 3750 series switches, but nothing that definately says that jumbo frame routing will work on a SVI.One part specifically I'd like clarification on is:The default maximum transmission unit (MTU) size for frames received and sent on all interfaces on the switch or switch stack is 1500 bytes. You can change the MTU size to support switched jumbo frames on all Gigabit Ethernet and 10-Gigabit Ethernet interfaces and to support routed frames on all routed ports. It says supported routed frames on all routed ports, but this in the past has meant physical ports, and not Virtual ones.
View 2 Replies
View Related
Feb 12, 2013
Lets say i have 2 3750 switches stacked via backend stack cables. Now if a packet needs to go from 1 switch in the stack to second switch in the stack, will it travel via stack cable or do we need to connect both switches via uplink ports (ethernet or sfp). I tried reading datasheet but it no wheres mention the actual frame path between switches in stack.
View 3 Replies
View Related
Oct 20, 2010
My group has recently started configuring traps on our switches to alert us of issues as they arise vs. waiting for the Helpdesk to receive user complaints and then responding.We have successfully configured the 2950 and 2960 switches to alert us when a port-security violation happens. However, the 3750 switches refuse to fire the port-security violation traps. The 3750's will fire an errdisable trap when the port goes down though.
Here is one of the port configurations:
interface FastEthernet1/0/45
switchport access vlan 5
switchport mode access
switchport port-security
switchport port-security mac-address sticky
[code].....
And here is the output of the port-security debug:
2522070: Oct 21 16:37:04: %LINK-3-UPDOWN: Interface FastEthernet1/0/45, changed state to down
2522089: Oct 21 16:37:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/45, putting Fa1/0/45 in err-disable state
2522100: Oct 21 16:37:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0012.3f07.95d3 on port FastEthernet1/0/45.
All of the 3750's are running C3750-IPBASEK9-M, Version 12.2(53) SE2. Wireshark also shows the errdisable traps, but no other traps so I've ruled out the traps being missed. All of the switches have been reloaded and power cycled.
View 3 Replies
View Related
Jan 27, 2013
I have catalyst 3750 I want to controle traffics on every port I have tried Frame-Relay Traffice shaping and Quality of service but there is no support for these commands in the switch.do we have any way to limit traffic on every port in catalyst 3750 and 2960 switches ?
View 4 Replies
View Related
Mar 9, 2013
I can see drops on the 6509 Queue for interface gi1/6 , qos is disabled globaly with qos disabled all packets are in one Queue using best effort my question is if I can see drops using the sh queueing int Gi1/6 command why I am not seeing any drops when I run the Sh int (interface number ) command. [code]
View 7 Replies
View Related
Nov 30, 2011
We are facing issue related to STP.I am getting MAC FLAP error on Cisco 4510 switch. The effect on network is intermittent Pkt drops in the network. When I checked the specific Ip address I am getting the same with two different. [code] Vlan is created on CORE switch and assign priority 0 than CORE switch should be the Root. but instead Root port is becoming the port where server is connected. Server at last connected to CORE switch via HP switch via other Vlan to CORE switch and creating a loop as shown in Diag. [code] The Priority of Vlan 102 is changed and Root port has been changed due to that. The Bridge ID is the same as CORE switch.
View 7 Replies
View Related
May 21, 2012
We have a stack of switches that is at the max number of members allowed in the stack. Problem is we are running out of port density and need to add more ports. So instead of adding a whole new stack I would rather replace 2 of the 24-port swicthes with 48-port switches.
If the two 24-port swicthes we are removing are stack members and neither of them are the stack master, I should be able to replace the 24-port switches with the 48-port switches without bringing the master offline? If the new 48-port switches are running the same IOS version as the current 24-port swicthes, they should add themselves to the stack?Would I have to tell the new 48-port swicthes what switch numbers they are replacing in order for them to be added to the stack since we are at the max number of members?Also since the 48-port swicthes are replacing 24-port switches will the master give the 48-port switches the configuration for only the 24-ports?
View 11 Replies
View Related
Mar 3, 2013
I have one server which run some application for wireless user. this server forward multicast packet to wireless user. server and wlc physically connect to cisco 3750 switch.i want the server forward the multicast packet to wireless users.server access vlan 4.wlc controller have 2 vlan: 90 and 110.and wireless user some of vlan 90 and some of vlan 110.i enable igmp snooping on wireless controller. and enable globally command but it is not working.which additional configuration i need on cisco switch.
Switch(config)# ip igmp snooping
View 16 Replies
View Related
Apr 30, 2013
We currently have a site with a very simple topology that uses a 3750X switch stack for a collapsed core. Everyday, the users have a conference call and experience poor voice quality.Its not bad when users call from several conference phones, but when everyone calls in on individual phones, there is choppy and almost inaudible voice quality experienced. The voice traffic flow would be as follows: Phone <-> 3750 switch <-> Voice GW We have packet captures showing that RTP packet loss is occuring from the phone to the voice gateway, but none from the voice gateway to the phones. We also have drops in the output queues that match drops on the asics. I can reset the counters and they will be clear until the call, and then they increment significantly during the call. The voice gateway and phones are non-Cisco. The switch stack has 6 switches. We are trusting the DSCP settings on the phones. All the queue drops from the phones are usually in queues 0-3, but all drops on the voice gateway is in queue 0. Below are the QoS settings; they are mostly default and we have not changed any queuing, thresholds, or buffers. Should we specify larger buffers and threshold for a designated queue and send EF traffic to that queue?
MySwitch#sh mls qos
QoS is enabled
QoS ip packet dscp rewrite is disabled
Typical Port
GigabitEthernet1/0/4
trust state: trust dscp
[code].....
View 1 Replies
View Related
Nov 13, 2012
I have a 3750 as a core and have a series of HP Procurve switches that are daisy chained using one port. I have two vlans on the port now (6 &9) and everything works fine, all switches communicate and end devices on the switches are also talking. There is a requirement to add a device towards the end of the chain which requires it to connect using Vlan1. Once I add Vlan1 to the port onthe 3750 I lose connectivity to all the HP switches.
View 4 Replies
View Related
May 15, 2011
I am seeing Interface output drops that appera to be incorrect. When I do "Show Interface gi1/0/20", I will get interface output drops of "4294961382". But, when I do the same command again it shows "0" drops. Is this a reporting error? I am ruinning c3750-ipservicesk9-mz.122-58.SE.bin on a 3750 stack with 2 switches in the stack. [code]
View 10 Replies
View Related
Feb 10, 2012
I feel that 3560 and 3750 perform differently with the following two commands:
srr-queue bandwidth shape 5 0 0 0
srr-queue bandwidth limit 50
On 3750, the bandwidth for queue 1 is limited to 100mbps x 50% / 5 = 10mbps
On 3560, the bandwidth for queue 1 is limited to the smaller value of BW / shape weight and BW x limit%.
Does it sound about right? is there a way to check for mls qos input queue drops? The show mls qos interface xxx stat only shows the output queue drops. Maybe for some reason the input queue never drops?
View 6 Replies
View Related
Mar 13, 2013
One of my Catalyst 3750 switch have many out drops, I execute "sh mls qos int g2/0/3 statist" command, there are many output drops in queue3 threshold3. [code]
View 8 Replies
View Related
Feb 7, 2012
How to mirror port only http get packet on 4948 or 6500 ?
View 4 Replies
View Related
Jul 26, 2012
I have always done my port monitoring (SPAN) on Cisco layer 3 switches with no issues. This time I am trying to do this on a Cisco 2901 router:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M2, RELEASE SOFTWARE (fc1)
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M2.bin
I need to have the source port gig0/0 and destination port gig0/1. There is something about the gig port enumeration (slot/port#) that makes the command rejected. It is self explanatory:
#sh ip int brie
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 xxx.xxx.xxx.xxx YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM up up
Serial0/0/0:0 unassigned YES unset up up
[code]....
It doesn't matter what slot or port number I use, it is always rejected. The command is rejected for Both destination and source gig interfaces. I tried a wide variety of slot/port numbers. To my best understanding the complete port names are: GigabitEthernet0/0 and GigabitEthernet0/1, so why does it think there has to be another digit after 0/0 or 0/1? Does it have anything to do with the Embedded-Service-Engine0/0 being administratively down?
View 4 Replies
View Related
Aug 13, 2012
I'm trying to enable port security on several 4507R's. When I try to configure a range of ports the switch will randomly put 1 or 2 in err-disable. It's different every time I apply the config to the same group of ports. However if I do them one at a time it seems to work. But I really don't want to configure 6 fully populated switches one port at a time. We also have a lot of 3750's and they gave me no problem using a port range. [code]
View 4 Replies
View Related
Jan 10, 2013
I've been fighting what seems to be an increased number of outqueue drops on our core stack and edge switches for the last 3 or 4 weeks.(The core consists of a stack of 5 3750s in 32-gig stack mode. The wkgrp switches are 3560s. all are at 12.2.52) The wkgrp switches are directly connected to users. We use Nortel IP phones with the phone inline with the user PC. auto-neg to 100/full. [code] However I have tried turning off QOS on a couple of workgroup switches (no mls qos, but left individual port configurations the same) but am still seeing drops.Since I have disabled qos on the switches in question (no mls qos) (not the core tho) I am presuming these commands have no affect on the switch operation and therefore cannot be related to the problem. With QOS turned off one would presume that it is general congestion - especially at the user edge where busy PC issues might contribute. So I wanted to see if I could see any instances of packets in the output queues building up.
I wrote some scripts and macros that essentially did a snapshot of 'show int' every 20 seconds or so, and looked for instances of 'Queue: x/' where x was greater than zero.What I found after several days of watching the core stack, and a few of the workgroup switches that are most often displaying the behavior, was that I NEVER saw ANY packets in output queues. I often saw packets in Input queues for VLAN1, once in a great while I would see packets on input queues for fa or Gi interfaces, but NEVER on output queues. [ code] Additionally, when I look (via snmp) at interface utilization on interfaces showing queue drops (both core and wkgroup), they are occurring at ridiculously low utilization levels (as low as 4 to 8%). I've tried to look for microbursts between the core and a wkgroup switch where the core interface was experiencing drops, but haven't seen any (using observer suite). [code] While the queue-drop counts aren't critically high at this point, they are happening more frequently than in the past and I would like to understand what is going on... In most cases, no error counters are incrementing for these interfaces. Is there some mechanism besides congestion that could cause output queue drops?
View 4 Replies
View Related
May 21, 2012
I have a 3750 switch with IP routing enabled and have lots of VLANs configured on this switch.What is the best way to prevent VLANs from talking to each other?At the same time, hosts inside their respective VLANs should not be blocked from reaching any private networks as they could be doing some L2L with another site.Blocking the VLANs from accessing/telnetting the switch was very simple as I was able to do this in the VTY line section. However blocking VLANs from accessing the other VLANs on the switch seem to be hard and I think there has to be a recommended way of doing this. For example, if hosts in one of my VLANs, in this case VLAN-204 (10.10.10.0/24) want to hack or scan hosts on one of my other VLANs, in this case VLAN-330 (10.20.20.0/24), how can I accomplish this without blocking VLAN-204 hosts from accessing another network they have a site to site tunnel with with the same destination address of 10.20.20.0????
View 2 Replies
View Related
May 22, 2012
What is the cause of having a huge number ( 875349) of total output drops on one of my gigabit utp port gi 2/12 which is connected to Cisco 1841 fa0/0 router by mean of cat5e cable.I did change the cable from cat5e to cat 6 and tried to increase hold queue to 4096 and to tweak wrr queue bandwidth
View 4 Replies
View Related
Dec 10, 2012
In our environment we have some HP chassis, and with them there are blade switches. Lately, we've been seeing some drops on few servers connected on the blade switch ports. The switch model is WS-CBS3120X-S. And below is the tx drop for two interfaces ( where the servers are connected to).
sh platform port-asic stats drop gi1/0/11
Interface Gi1/0/11 TxQueue Drop Statistics
Queue 0
Weight 0 Frames 0
Weight 1 Frames 0
[Code]...
View 1 Replies
View Related
May 19, 2013
I have a stack of 4 3750 Switches.
1. WS-C3750G-12S
2. WS-C3750G-12S
3. WS-C3750X-48P
4. WS-C3750X-48P
The stack cable connected to Switch 1 Port 1 and Switch 4 Port 2 will not come back online. The logs show that there was a Stack line change. I have replaced the 1 meter Stack cable from Switch 1 to Switch 4 three times and it still does not come back online. This is the part that is interesting.. I have disconnected Port 1 Switch 4 and connected it to Port 2 Switch 4 and then Switch 4 came back online. This made me think Port 2 on Switch 4 was working correctly. Then I disconnected Port 2 Switch 1 and connected it to Port 1 Switch 1 and then Switch 1 came back online.
View 1 Replies
View Related
Mar 11, 2013
have a cable i think is bad, is it possiable to switch the cable out without causing any downtime to the switch or connected devices?
HQ-1st-Flr-Stack#show switch stack-ports summary
Switch#/ Stack Neighbor Cable Link Link Sync # In
Port# Port Length OK Active OK Changes Loopback
Status To LinkOK
[Code].....
View 15 Replies
View Related
Nov 7, 2011
I am trying to configure a 3750 48 port switch and having trouble with getting it to see the sfp. I just want to set up the router with a pretty basic set up since I am using it for a ping test between 2 buildings, via fiber. How I can enable the sfp port?
View 3 Replies
View Related
Oct 25, 2011
Was wondering how to set port security on the 881. I have all the FE ports shutdown except one and want to limit that port to one specific MAC address.
View 7 Replies
View Related
Jun 18, 2012
I have configured SPAN in cisco 3750 switch as below mentioned. but the destination port protocol is down.switch(config)#monitor session 1 source interface gigabitethernet1/0/1switch(config)#monitor session 1 destination interface gigabitethernet1/0/11 ingress vlan 1
View 8 Replies
View Related
Dec 12, 2011
Been dealing with a strange problem for several days now. It started out with a problem that I thought was VTP related but ended up being something else. I setup a span port on a 3750 that I am connected to that was mirroring the trunk connection coming into the switch.
Never saw an VTP traffic come across the connection but doing a sh vtp status indicated the traffic was arriving and getting processed. When I found some debug commands (debug sw-lan vtp), I was also able to see the packets go between switches. Seeing this issue concerns me that there is other traffic that isnt showing up during a span session.
I know that doing a span on a switch, especially using a trunk port as a source, isnt a good idea. Since I didnt have a TAP at time, this was my only choice. I have since borrowed a NetOptics TP-CU3 tap from a good friend and was able to confirm the VTP traffic was going across the trunk connection between switches.
All of my 3750's are running 12.2.55.SE.
View 8 Replies
View Related
Dec 7, 2011
I have 3750 core/distribution switches with routing enabled in two offices connected with copper link and L3 port channel interfaces. NewOffice#2 has moved about 5 miles farther away from office#1 and I have to deploy new core/distribution switch connect it to old core#2 via F.O and move all access switches with it. Old core will stay in old #2 offices as a bridge between office#1 and new office#2 Office#1core<->copper (Ethernet) <->oldoffice#2core<->f.o. <->new office#2core How I should configure port channels ports on oldoffice#2 core to act as bridge between office#1 core/dist and newoffice#2 core/dist without changing anything else (ip, etc) on whole network
View 1 Replies
View Related
Apr 15, 2012
There 's a Cisco IP phone that sits between a PC and the switch port. On the switch port, no MAC address is learned. However, the switch is able to detect the IP phone and deliver power to it: [code] Switch is Catalyst 3750 with IOS version 12.2(58)SE1.
View 1 Replies
View Related
Dec 15, 2011
I have a non-cisco router with a public WAN address. This is conencted to a 3750 switch internally. The switch is the default gateway for all VLANs, and the gateway router has static routes back to the 3750. The Router provides NAT, no NAT is done on the switch.My requirement is to port forward port 29 000 so that I can access a server on VLAN4 via this port.
So, I have: Router: Port 29000 map to 192.168.4.1 (Switch VLAN4 address)
The question is, how do I route port 29000 from the 3750 to the server on 192.168.4.42 ? what exactly I should add in order to port forward port 29000 incoming form my router, to my server on 192.168.4.42.
View 17 Replies
View Related
May 24, 2012
I would like to ask about 3750 stacking and some Cat6 stuff...
1) How do we monitor 3750 stacking port in LMS?
2) Let say if I stack 3 switches, middle switch should be Master. Uplink should be at Top and Bottom. Is best practice?
3) Can we mixed 3750G and 3750X and what is result internal BW - fallback to 32Gps?
4) is there any Qos difference between WS-X6816-10G-2T and WS-X6816-10G-2TXL?
5) is there any Qos difference between MSFC5 PFC4 and MSFC5 PFC4XL?
6) What is main difference between PFC4 and PFC4XL in Sup2T?
7) Pls share more about Central and Distributed Switching in Sup2T and which card support Distributed DFCXL?
View 3 Replies
View Related
Apr 24, 2012
We have computers that are connected to a switch stack of 3 - 3750 switches. Randomly, we experience pcs that fail to communicate on the network. At first thought I figured the port went into err-disabled state, however the port shows up fine on the switch and moving the pc to another port on the same switch in the stack fails to fix the problem. To add to the confusion, if I immediately connect a different machine into the problematic port the newly connected machine has no issue and operates normally. Connecting back the first machine still results in no connectivity.
The only way to gain back network connectivity is to move the pc to a different switch in the stack. shut/no shut doesn't work.The IOS the stack is running is 12.2 and the switch ports are configured using cisco port macros.
here is how all the ports are configured.
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
View 5 Replies
View Related
