I've just completed a port security project at a site on numerous Cisco switches and all works well, however they have 2 Nortel 5520 switches (which I left until the end) which they would like to lock down. I have logged a message on the Nortel forums and I have heard nothing for days. I just need to lock 2 ports down to the Mac address of 2 computers stopping any other computer being plugged in.
View 2 RepliesI have a customer that wants to change their Nortel 5520 switches to a Cisco solution, and I wanted to ask what would be a good solution for this customer. presently they have 4 48 port PoE and 2 24 port PoE stackable 5520, and they are interested in redundant power supplies for the switches. I was thinking that the 3750 is good for this site.
View 4 Replies View RelatedI'm trying to establish a site to site ipsec tunnel between an ASA 5520 and a Nortel Connectivity box. Despite trying a number of different transform sets and IKE setups it keeps failing at phase 1 with:
Information Exchange processing failed
Received an UN-encrypted INVALID_ID_INFO notify message dropping.
I'm trying to enable port security on several 4507R's. When I try to configure a range of ports the switch will randomly put 1 or 2 in err-disable. It's different every time I apply the config to the same group of ports. However if I do them one at a time it seems to work. But I really don't want to configure 6 fully populated switches one port at a time. We also have a lot of 3750's and they gave me no problem using a port range. [code]
View 4 Replies View RelatedIf the ports on a 5508 can only perform etherchannel(no LACP or PAGP), only on mode, how does a 5508 create a bundle with a nortel switch?
View 1 Replies View RelatedWe have 2 x Nortel 8600s (now Avaya) that are 6-7 years old. They have 96 1GB ports on each and we only use about 30 and the CPU average is around 2% and memory is 40% (256mb). Going into 8600s we have 8 x Nortel 5520 48port gig switches.
We want to replace the 8600s at some point and I wondered roughly what Cisco device would possible suit us. We are not after the best high end switches that we will never utilise, but ones that will aid us grow for the next 5 years.
We have 3 Nortel RG 9150 remote PBXs installed at a branch location, and they have been functioning well for years plugged into 3Com 4500 10/100 switches. These switches have a very basic configuration; nothing special. We are transitioning over to Cisco 2960 switches with very basic configurations. The problem is that when we plug the 9150 into the 2960 switch, the RX light flashes like it should, but the TX light only flickers intermittently. We cannot ping it from the switch or local router. Everything in this building is in VLAN 1. I've tried turning on full duplex on the 9150 and/or hard-setting the speed/duplex on the 2960 switch. The company that maintains our 9150 sent a guy out who was completely puzzled by this too. In some ways this seems too basic to be a problem, but it is. The twist on this problem is that the 3Com switch, which the 9150s are plugged into, is connected directly into the Cisco 2960 that I can't make them work on. Plug them into the 3Com, they work; move them upstream to the Cisco, and they stop, even after I reboot them.
Here are the port configs of the 3Com and Cisco switches.
Cisco
interface FastEthernet0/15
switchport mode access
[Code].....
I have a Cisco 3560 connected via fiber to a Nortel 1612G. The connection is up/up, the V LAN's on the switch work as needed, but I can not ping the switch from the Nortel, and as a result I can not remote into the Cisco for management. I see in the configuration for the trunk that it is configured for a native v LAN, but I don't see it defined which v LAN's are allowed, could this be the issue? I will provide some of the config information for the Cisco side, I understand the issue may be on the Nortel end but if the Cisco part looks OK?
Port config for the trunk:
interface GigabitEthernet0/49
description port_6_1612G
switch port trunk encapsulation dot1q
switch port trunk native v LAN 120
switch port mode trunk
Native v LAN config:
interface Vlan120ip address 172.16.120.11 255.255.255.128
Connecting a legacy Nortel switch (425/450/470/BPS) to a Nexus 7000 via gigabit fiber? I have a customer trying to do it and they say that the connection never comes up. The support on the Nortel stuff is long since expired, so Avaya is not being particularly useful. Apparently Cisco says the issue is "fast link pulse to the BayStack to determine the capabilities of the uplink and the BayStack is returning all zeros." I have not verified this and actually have not yet gotten my hands on the Nexus side of things
View 2 Replies View RelatedI just trying to setup a dhcp server in my catalyst 3560 switch for a nortel ip phones. I show you mmy configuration:
VOICE VLAN: 3
DATA VLAN: 1
S1:10.2.110.200
port:4100
Nortel IP Phones: IP 2002 (Firmware Version 0604D9H) & IP 1110 (Firmware Version 0623C7)
Switch Configuration:
aaa new-model!aaa session-id commonip subnet-zeroip routing!ip dhcp pool datos network 10.2.100.0 255.255.255.0 default-router 10.2.100.1 lease 0 2!ip dhcp pool voice network 10.2.110.0 255.255.255.0 default-router 10.2.110.200 option 191 ascii "VLAN-A:3" option 128 ascii "Nortel-i2004-A,10.2.100.200:4100,1,5." lease 0 2!!!!no file verify autospanning-tree mode pvstspanning-tree extend system-id!vlan internal allocation policy
[Code]...
Was wondering how to set port security on the 881. I have all the FE ports shutdown except one and want to limit that port to one specific MAC address.
View 7 Replies View RelatedSwitch is a Nortel 5520
PC is Windows 7, with Intel 82579LM adapter
When PC was first attached to network, it could not ping gateway(switch). Turns out it was broadcasting for the gateway's MAC address, but never got a response. Tonnes of testing later, if I just change one number on the MAC address of the adapter, it receives a reply from the switch and can ping the gateway.
Why doesn't the native MAC address work?
Update: Just the vendor portion is the determining factor. As long as it starts with 2C-59-E5, it will not work. 2C-58-E5 will.
Update 2: Pinging anything in the same subnet works, just pinging the gateway interface of the switch doesn't happen. Tried on multiple drops, and there are other devices on those drops.
configure port security Cisco 500 Swich ? There is no CLI mode in this switch?
View 2 Replies View RelatedOne of my engineers issued a command to turn off port security on a number of ports using the range command. The command failed on the first attempt due to a tacacs auth failure which I suspect is due to a low tacacs timeout value. The engineer then reduced the number of ports in the range command and re-issued the config change after which the switch just crashed and rebooted.
The logging buffer on the switch displays the following:
000072: *Mar 1 00:03:00 GMT: %PLATFORM-1-CRASHED: System previously crashed with the following message:
000073: *Mar 1 00:03:00 GMT: %PLATFORM-1-CRASHED: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(50)SE3, RELEASE SOFTWARE (fc1)
000074: *Mar 1 00:03:00 GMT: %PLATFORM-1-CRASHED: Technical Support: [URL]
000075: *Mar 1 00:03:00 GMT: %PLATFORM-1-CRASHED: Copyright (c) 1986-2009 by Cisco Systems, Inc.
000076: *Mar 1 00:03:00 GMT: %PLATFORM-1-CRASHED: Compiled Wed 22-Jul-09 07:03 by prod_rel_team
000077: *Mar 1 00:03:00 GMT: %PLATFORM-1-CRASHED:
[Code]........
I have done some searching and this could be related to bug CSCsq71492. I have tried using the output interpreter but it is still down.
I have several SF300 switches deployed (SF300-08, SF300-24P). They are connected to IP Telephones (NEC) which communicate with the switch for auto voice VLAN on LLDP. The problem I am experiencing is that periodically the IP telephones are rebooted by the telephone vendor and when they do the switch puts that port into "Locked" port security mode and discards all traffic to the port. The IP telephones of course do not work. In other switch models, I have seen the ability to enable / disable port security switch wide or on a port by port basis. This model does not appear to have this feature. How to disable or why the phones would cause the switch ports to "lock"? There is usually one PC attached to each phone.
View 1 Replies View RelatedI have network consists of more then 20 cisco 2950/2960/3700 switches. I have configured port security in my switches. initially when i configured on my switches it worked fine....even for copule of months it worked fine. but suddenly it start creating issues and now i am not able to implement port security on switches. the configuration is same but there is no effect now. Same switches were fine but now even having same configuration it is not working. please see the configuration: [code]
View 5 Replies View RelatedWe have several 3750 stacks across our campus that we are unable to completely clear port security on. We have mac address stick set up on all access ports. When we clear the sticky address on the port, the mac address is removed from the running config like normal, but we keep getting port-security voilations. If port security is taken off the port completely, i.e. no switchport port-security, traffic still doesn't pass the port. Even clear port security across the stack doesn't work. If we try to reload the stack, only the master reboots, and the other switches in the stack lose switch capabilities.
View 1 Replies View RelatedI'm trying to test port-security in my c3550 but when I show port-security int f0/23 shows it only "Disabled" as below:
run
interface FastEthernet0/23switchport access vlan 200switchport mode dynamic desirableswitchport port-security mac-address stickyspanning-tree portfast
I try change the configuration the port in the switch catalyst express 500, i need disable switch port port-security, a try with http://10.1.1.1/exec and save configuration with wr command, if a check the configuration de port is correct but i reboot the switch and check the configuration the port appear the switch port port-security configuration again.
View 3 Replies View RelatedI configured port security on my 2960 switches with the following commands: [code]
The problem is that when I should change someone's PC, first I disable port-secirity, then I clear all the mac addresses learned on the interface, then I plug the new PC and enable port-security. The new PC couldn't connect to the network and it's mac address has not be learned on the interface. Why?Which commands should I use to clear an old mac address and enable port-security with the new mac address.
For many years we've had the following vlan and port security config on our 3560s: [code] This has worked great on 12.2(37)SE1, 12.2(40)SE and 12.2(46)SE. However since 12.2(50)SE, and I've tried all the versions since then, we have a problem with 7900 phones and ATA186s taking upwards of 20 minutes before they can get a valid IP number.The problem on the newer IOSes seems to be related to the inactivity aging.On the older IOS versions the mac address of the voice device appears on the voice vlan straight away.
On the newer IOS versions the mac address of the voice device appears on the DATA vlan and seems to be stuck there until the inactivity aging removes it. It then gets re-learned, sometimes on the voice vlan, and sometimes on the data vlan. If you're unlucky and it gets re-learned on the data vlan you've got to wait until the inactivity time ages the address out again. Repeat until the mac address eventually gets learned on the voice vlan. I don't want to be stuck on 12.2(46)SE forever.
Im trying to follow along documentation i see via train single videos and some online resources. I am trying to enable port security.I have a Catalyst 3546 XL when i type in "rtr1# switchport ?""port-security" is not only of the options to choose from. I have already set this as an access port.
View 4 Replies View RelatedOur customer has a Cisco ME3600X with the IOS me 360x-universalK9-mz.122-52.EY3.They are saying that is not possible to configure the "switchport port-security mac-address sticky" in the interfaces and want to know whether any additional license is needed.As far as I know there isn't any extra license to activate this feature and also I believe the ME3600 switch should have this feature with the universal IOS, isn't that right?
View 1 Replies View RelatedI have connected a 10BaseT device to a CISCO Catalyst 3560xPOE switch with dynamic port security. All seems to work fine when the distance between the two devices is closer then 200ft. When I connect to 10BaseT devices farther out near 300ft the response from the attached device is lost. It works ok on unmanaged switches at the longer distance. Is there a minimum response time from attached devices for dynamic port security to work properly? Is there any other explanation why it would work on cheaper switches, but not on the Port Secured Switch?
View 2 Replies View RelatedI have a 1941 that I am going to deploy with a HWIC-D-9ESW switch module (I only need 3 switch ports but need the PoE). I am going to hang a 1262 autonomous AP off one of the ports but I need to configure MAC address port-security so that only that AP can pass traffic. I know the switch modules are 'almost' exactly like a switch for commands but I can't seem to enable or configure any port-security settings. Is port-security no available on the switch modules?
View 3 Replies View Relatedour C3750 like the one described here [URL]
We have the port on the switch set like this:
switchport port-security maximum 25
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
In case a device connected to the port is inactive for more than 2 minues ( aging time ) the first frame/packet the device generates arrives to the port on the switch, but the switch does not forward it to the appropriate port ( discards it or whatever ).
So far I tested on
1 30 WS-C3750E-24PD 15.0(2)SE2 C3750E-IPBASEK9-M
2 30 WS-C3750E-24PD 15.0(2)SE2 C3750E-IPBASEK9-M
3 52 WS-C3750G-48PS 15.0(2)SE2 C3750-IPBASEK9-M
[Code].....
When we remove port security from the port, it works perfectly fine, as expected.
It seems this is not HW or IOS version related. It seems it is not a stack synchronization issue, it does not matter if a device is connected to the first or other stack member. I tested on C3560 too, here there are no problems, so seems it is 3750 related.
I have worked on cisco switches only..I want to configure nortel5510 have configured vlan.but Switch Ip address is changing when I am giving ip address to port. and i cant see port ip configuration in show runn also i want to configure loopback.I am configuring switch ip address 192.168.123.1/24 but when I give ip address to port 192.168.120.17/29(PORT IN DEFAULT VLAN) switch ip address changes automatically.I have port 1-4 configured in vlan 1 other ports are in L3 vlan.I want see port ip address details Like we see in cisco (SHOW IP INTERFACE BRIEF ) what is command in NORTEL??
View 2 Replies View RelatedHow to configure traffic flow between computers inside VLANs and a routed port? Here is the setup details:
1. Switch 3750-X
2. VLAN 100 - ( SVI IP address 192.168.100.1 /24)
3. VLAN 200 - ( SVI IP address 192.168.200.1 /24)
4. routed port gi1/0/48 (IP address 192.168.150.1 /24). Note: this port is directly connected to a firewall ASA 5520 port IP 192.168.150.100 /24
Ip routing is enabled on the switch and inter vlan traffic is flowing ok. I can ping the routed port gi1/0/48 from any computer connected in the VLAN 100 or 200. For example computer with IP 192.168.100.25 can ping the routed port 192.168.150.1. Switch can ping firewall port 192.168.150.100 and the 'sh ip route' command shows the network 192.168.150.0 /24 as directly connected network.
any computer in the two VLANs CANNOT ping firewall ASA port 192.168.150.100 Is it because inter VLAN routing does not work with a routed port on L3 switch? I looked up fallback bridging, but it is meant for non IP traffic.The goal is I am trying to set the ASA port as an internet gateway for VLANs.
I have 2 3560 switches that are running 12.2(25)SEE2. Port security is enabled on some of the ports. Whenever there is a power failure, when power is restored, 1 port on each switch goes to err-disabled. The mac address that causes this is a valid address for that port. Below is the configuration on one of the ports.
View 1 Replies View RelatedMy group has recently started configuring traps on our switches to alert us of issues as they arise vs. waiting for the Helpdesk to receive user complaints and then responding.We have successfully configured the 2950 and 2960 switches to alert us when a port-security violation happens. However, the 3750 switches refuse to fire the port-security violation traps. The 3750's will fire an errdisable trap when the port goes down though.
Here is one of the port configurations:
interface FastEthernet1/0/45
switchport access vlan 5
switchport mode access
switchport port-security
switchport port-security mac-address sticky
[code].....
And here is the output of the port-security debug:
2522070: Oct 21 16:37:04: %LINK-3-UPDOWN: Interface FastEthernet1/0/45, changed state to down
2522089: Oct 21 16:37:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/45, putting Fa1/0/45 in err-disable state
2522100: Oct 21 16:37:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0012.3f07.95d3 on port FastEthernet1/0/45.
All of the 3750's are running C3750-IPBASEK9-M, Version 12.2(53) SE2. Wireshark also shows the errdisable traps, but no other traps so I've ruled out the traps being missed. All of the switches have been reloaded and power cycled.
I am looking to simply monitor Port-Security , Error-Disable and HSRP. I would like to receive an email when any of these are triggered.
Port Security - Port Is shut down
Err-Disable - Port goes into err-disable state (securedown)
HSRP - When HSRP standyby changes are detected
I need to receive emails with any of the able are triggered. What is the easiest way to do this? I know SNMP is the main option but I have never worked with SNMP and dont understand it too much.
Equipment:
2x Cisco 1921 series routers
3x Cisco 2960 POE switches stacked
On the supervisor card of a cisco 6500 series, according to the following link, [URL] it only has 2 uplink ports on the card. Would I be correct in assuming that I only have those to ports that I can configure IP addresses on?
The cisco that is being devlivere is coming with a 48 port switch and 24 port fibre switch. Could I change any of those ports into a router port and configure IP addresses on those?
The supervisor card is a ws-sup-720-3b the 48 port switch is a ws-x6748-ge-tx the 24 port fibre switch is ws-x6724-sfp
We just installed a hosted VOIP system using Cisco 7900 series IP phones. We are having a strange issue with a few computers where they pull DHCP information from our VOIP provider's DHCP server on the Internet and not our LAN DHCP server.
The switchports areconfigured as: switchport mode access
My rationale behind this is that the phones would use CDP to get their VLAN info from the providers Cisco router and the PCs would just ride on the default VLAN. But this is not the case. Computers randomly keep getting DHCP info from the provider's router. Do I have to use voice vlan x and make the switchports trunks?