Cisco Switching/Routing :: SG300/500 - Similar Feature To HP Loop Protection?
Apr 17, 2012
Do Cisco Catalyst (IOS) and specially Cisco SG300/500 support a similar feature to HP's Loop Protection or DLINK's Loopback Detection? This is an interesting feature to avoid loops caused by unmanaged switches.
we recently had on our network a simple layer 2 loop problem, with big effects.Here is the situation: we have a C3750 switch, with STP activate on all ports.We don't have total control on this switchs, and for some reasons, it is possible that people connect a 2d switch on it (Cisco or non-Cisco).What happened several times is a classic case: a person interconnect 2 ports of this 2d switch, creating a loop. As the loop is created on the 2d switch only, the 1st switch detect no loop, the the uplink port keeps up.Afer this loop created, a broadcast storm occurs through the link between 1st & 2d switch .. and the storm propgates all over the LAN.I try to find some solutions to avoid that. One thing I would like to do is to find a mecanism on the first switch, which can permit to block the uplink port on the 1st switch if it sees the same MAC address as source in the 2 directions.Note that storm control, even configured to a quite low value (ie: 2Mbps) is not efficient enough to protect equipment (we have had big CPU impact on LAN equipments).
Yesterday I upgraded my SG300-10P to firmware 126.96.36.199. I was curious about the new SYN Protection feature, but it seems to do nothing on my installation.
The switch is running in Layer 2 mode. I have ACLs in place and DoS prevention is not enabled. I also tried clearing ACLs and enabling DoS prevention. As I understood the Admin Guide enabling DoS in the Security Suite Settings is not necessary for using the SYN Protection.
In my firewall I see about 300 pps with SYN flags only arriving. What "they" do is sending me SYN packest to port 80 from forged IPs, so that my system should send SYN-ACKs to the victim system. In this case it is the Arab Bank. They are down at the moment...I think that is called a spoofed SYN flood attack.
So I thougt the SYN Protection feature should exactly solve that problem but it does not and does not show any "Last Attack" entries.
If I put a SYN filter in place it works, even if I put SYN Rate Protection in place. But that is just a dirty workaround. My firewall blocks those SYN packets with a SNORT rule.
after upgrading about 35 Catalyst 2960 and Catalyst 2960S to IOS 15.0(2)SE2, we experience a memory leak on several switches. After some days / weeks the switches are not accessible via Console/Telnet/SSH/Web any more. Only SNMP seems to work properly.Attached users do not experience any decrease in service.
Trying to connect to the console, we get following error message:
"% Low on memory; try again later"
The only (temporary) solution is to reboot the switch. The behavior is similar to Bug CSCts52797.With regards to the Bug notes this bug should only affect Catalyst 2960 with 64MB of RAM and should already be solved with IOS 15.0(2)SE2.
It is understood that sub-50 ms ERPS convergence can be achieved with certain HW/SW combinations.
1) What are the platforms supported (and with what FW/SW) has this been tested ?any results that can be shared?
2) Link failure detection in GigE on Copper is slower compared to GigE over "pure" Fibre; so no sub-50ms would be possible with Copper ring ports.is sub-50ms convergence achievable with "combo SFP ports" ?
I have a network where if an end user attaches an hub to the network, or rather one of those cheap unmanaged 8-port mini-switches and then plugs the two ends of the same cable into two ports of that mini-switch, all the network goes down. Loops are generated and many uplinks are shut down in err-disable state due to the loopback reason.
I know I could discourage the use of those mini-switches using port security. I even have NAC (cisco) deployed on the network, but there are cases where that mini-switches are allowed by the managment.In those cases, is not possible to exactly know wich hosts (mac addresses), and even how many of them will attach the network concurrently.As I know, they could even chain many mini-switch one to another. Of course, when even a single mini-switch is allowed on the network, it raises as a security hole.
Is there a way to allow the use of those devices without the risk of network outages? Some STP protection method? The best would be to have the Cisco access switch to get aware of the loop on its affected switchport (where the mini-switch is attached), immediately shutting down that port (to avoid loops on the network) and maybe sending an SNMP trap or a syslog message.
We are using Cisco Catalyst 2950 and 2960 for our access layer.
I am trying to reproduce a Spanning-Tree loop in my lab that occurred on Ops, and for the life of me I cannot break it. The loop is very simple:
Cisco 2960------------FW that doesn't forward STP traffic-----------Cisco 2960
This created an STP loop. In my lab, I am substituting the FW for another Cisco 2960 with STP disabled and BPDUFilter on ingress/egress ports to stop the switch from sending BPDU's to the downstream switch to keep it in the dark, as the FW did on Ops.
We have a couple of cisco SGE switches connected to a single DELL, between the cisco switches we have a trunk interface. I'm not sure which setting should be configured on the switches to get it working because a loop is occuring.
I have a Catalyst 3560-X PoE that suddenly stopped working. I plugged in via console and below is the output I received. It scrolls constantly and I am unable to enter ROMMON mode or stop it from scrolling. I've read of a possible problem with the IOS version but I'm unable to verify due to not being able to stop the scrolling.
Switch uptime is 4 minutes, 4 seconds cisco WS-C3560X-24P (PowerPC405) processor (revision A0) with 262144K bytes of memory. Processor board ID FDO1522R2AY
We recently wanted to swap our existing WS-SUP720-base with a WS-SUP720-3B in a 6513 chassis.Had the existing configuration config saved in a txt file and replaced the supervisor. Booting went fine and we pasted in the original config. There was one failure message about unnsupported command but didnt take further notice."boot system flash sup-bootflash:" was probaly the line that the 720-3B didnt support.After wr mem and reload it went in continious loop and rebooting due to inncorrect boot device. Had to put back the old supervisor and have now the 720-3B in a 6504 chassis. Tried some commands in rommon, but are not getting any further.
I Like To Intentionally Create A Layer 2 Loop in My LabI have 2960 and 3750 switches and servers with multiple NIC's and also Some PC's and Hubs. Connections and Commands And Features Which Sould Be Disabled or Enabled)
I have a strange issue where spanning-tree is blocking vlans through a mesh network.Here is my set up.
2-Cisco 3560's that have two trunk ports set with do1q and a native vlan of 2. I'm allowing a client vlan (2) and a voice vlan (103) to come over the trunk. They have a native vlan of 2 so the mesh APs can get an address through DHCP. Spanning-tree loop guard is also enabled.
When connected to the mesh network, the voice vlan is being blocked by spanning-tree. I get the following erros:
000129: *Feb 28 19:24:58.289 EST: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/1 on VLAN0103.000130: *Feb 28 19:24:58.448 EST: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/1 on VLAN0103.
Eventually the loop is cleared and the port is set back to a forwarding state from a blocking state. I don't want to disabled spanning-tree loopguard since I don't want to create a loop. The mesh network is supposed to act as a P2P connection between two switches. As a test I disconnected the APs from their trunk ports. I then used a cross over cable to connect the switches and no spanning tree loops occured. The mesh doesn't have STP enabled on it and should just be acting as an over-the-air connection from one switch to another.
I have an Extremely Old switch that I need to connect to my network. Because it is so old I don't want it to become the Root Switch.
what is the command to change the priority. (Honestly I don't remember if it has to be a lower number 1 or a higher number ). Always get that mixed up. I've read about root guard, but I would like to prevent it manually. (It is a small network after all)It is a Cisco 2950.
I am facing an isssues with 7609 for LAN switching , based on LAN (VRRP/HSRP) feature.Actually we are having ES+ cards (on 7609) and we are using multiple groups(say 350 vrrp groups) running on the router . the routers are connected as router 1>>> mux(which is working as switches)>>> router2
my questing are
1. does their will be "multicast packets" (for VRRP/HSRP group) "from backup router to Master router", when in stable state( ie when Master and backup are already chosen) , or the packet from backup to master should be unicast.I know for sure, the packet from master to back is multicast packets denstination to Multicast IP packet and To MAC address.I am not sure but I think from backup to master it should be multicast
2. what is frequency of these packets( from backup to master)
3. As i have multiper group on a single interface ( we are using q-in-q), when the connectivity from router's is broken, then does all the groups will muticast their active roll in the lan sengment "at once" or it will be in a groups say 100 groups at once, and after few ms few 100's and sone ( as is on OSPF or RIP)
we are in between troubleshooting I hope we get the ans( Actul problem we are seeing in the router's that we have 2 ports on active routers and 2 ports on standby router , but we are not seeing muticast on 1 port on standby router where as all other 3 ports are seeing multicast packets) [code]
I have a bunch of 3750x switches that each have a 10 gig routed link back to a central 4507 (loopback = 172.30.255.255).We carved up a /24 (of course, the /24 doesn't really exist except in our address tracking spreadsheet) into a bunch of /30's for routed WAN links and /32's for loopback addresses.We started on the low end for /30 subnets (ie 172.30.255.0/30, 172.30.255.4/30, etc.).We started at the high end for the /32 loopbacks (ie 172.30.255.255/32, 172.30.255.254/32, etc.)
Well, when I try pinging 172.30.255.255 from the access layer 3750x switches, the 3750x seems to be treating it as a broadcast ping where it lists each member that responds instead of the regular !!!!! response (this makes think something is odd with the 3750x). Of course, only one member responds (the core). But even the core seems to respond with the other end of the /30 instead of the actual /32 loopback (which makes me think something is odd in the core). I could have sworn that I've setup similar topologies without problems (ie, using 10.0.0.0/32, 10.255.255.255/32, etc as loopbacks) and as long as the mask is a /32, it should work.Also, I can ping/ssh to that loopback if my laptop is on a directly connected subnet. But I can't do it from any of the 3750x switches (which are also directly connected).I've double checked for overlapping subnets, but nope. I don't see any. Routing looks fine. The actual /32 is being propagated everywhere properly.
I have a 3925 Router with a 48 port switch module (part number SM-D-ES3G-48-P). I have no problem accessing the 3925 Router, but when I go into the 48 port, I get an error that reads
Error Hardware not supported by firmware. Try loading a newer software instead. System Resetting...
I know that the wrong IOS is installed on the switch, but the problem is that this is an endless loop. The switch resets then comes back to the same error. How to get the switch out of this loop so that I can load the correct IOS.
The following error was seen on the switch and the Diagnostic Test Loop back failed following a new WS-6748-SFP module installation.Fabric in slot 5 detected excessive flow-control on channel 3 (Module 4, fabric connection 1)
Tried Hard reset of the module and still the error persist.
I have a couple of 3560 switches running c3560-advipservicesk9-mz.122-44 and they are randomly experiencing the following:
- The switch locks up with no preceding error message in the log (I am forwarding syslog to Splunk).
- Upon reboot, the switch goes through the normal startup sequence with no error messages, then for some reason reloads the flash and starts all over again. (refer to doc)
This could happen after days or weeks. Sometimes they will go through two of these reloads on boot and be fine for awhile, and other times they will be stuck in the loop infinitely. I am using this same image with all of our 3560s, but am only having this issue with two of them.
one of our switches (WS-C2960G-24TC-L). When I try to turn on the lanbase-routing feature using sdm prefer lanbase-routing, it gives me an error (Unknown command). I tried "sdm prefer ?", and lanbase-routing wasn't there (only qos, default and dual IPv4 & IPv6). The switch is running on image C2960-LANBASEK9-M version 12.2(50)SE5.We have another switch (WS-C2960S-24TS-L), running on image C2960S-UNIVERSALK9-M version 12.2(55)SE5, and I can enable lanbase-routing feature. If I upgrade the WS-C2960G-24TC-L to version 12.2(55)SE5, will it be able to do inter-vlan routing? Or is the switch itself totally limited to VLAN configuration only?
i have recently tried to change the catos on a Catalyst 2948G-L3 and since then i have the following message in a loop :I know that the solution would be to download a new valid image from tftp via the rommon prompt but what i dont undertand is why i cant access the rommon prompt. It justs boots with the message above in a loop
We have a Cisco 3750G Core switch which has physical connections, each configured as trunks to two HP Access switches. The client who uses these access switches would like to put a link between the two, but this would create a loop.
Here is my Lab Setup: 2691 is BGP nei to R4 router and they are not directly connected. 2691 and R4 are in same AS 6500. 2691 Config---router ospf 1 network 188.8.131.52 0.0.0.0 area 0 . Its advertising its loop back IP to OSPF domain.
PC---2960---3750(One Routed Port and All Switched Port)------------------------ 3750(One Routed Port and All Switched Port)-----2960------Internet
I have many Vlans on left side of image , Right Side of Image is having internet connection via Modem, and local connectivity between VLAN works fine but Other Vlans Except Vlan1 is able to Access Internet.Note that 3750X did not have NAT Feature ,How should I able to get Internet on Other Vlans (10,20)
I am trying to configure a loop back interface like so: [URL], on the following device:
C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(50)SE, RELEASE SOFTWARE (fc1on port gig0/1 which is using a 1000Base-SX adapter. This is for troubleshooting purposes and it does not appear to be a feasible option. Is there another way to accomplish in the IOS?
I have been looking to find out the list of features that the IP Base IOS has for the 3750X series switch. What would be ideal is a comparable list but essentially I need to know which of the LAN Base/IP Base/IP Services has SSH functionality.
Full feature set for IP Base with the 3750x.I just wanted to verify that I could create a routed port, turn ip routing on, and create static routes as well as a default route. From what I can find, there shouldn't be a problem with this on the IP Base Feature Set, I just wanted to verify. Or any link for the Features of IP Base on the 3750x.