Cisco Switching/Routing :: SG500 - Roaming WiFi Machines In Conjunction With IP Source Guard?
Sep 29, 2012
I've just set up DHCP Snooping and IP Source Guard on our SG500 series switches. It seems to work quite well, except when a wireless host roams from one AP to another (on a different switch port), all traffic from that host gets blocked.
I can understand why this is occuring, but I don't know what I can do to work around this problem.had success with roaming WiFi machines in conjunction with IP Source Guard?
View 6 Replies
ADVERTISEMENT
May 22, 2013
We have an environment where users create a lot of bridge loops. We have tried to send E-mails about it and educate the users but it is almost a lost cause at this point. The loops are created when users don’t pay attention and they plug a patch cable coming off of an access port up to ANOTHER access port by mistake.
All of our access ports are from 3750 stacked switches. The way we tried to deal with this in the beginning was with BPDUGuard and ERRDiable (BPDUGuard) auto recovery. We turned BPDUGuard on globally and left BPDUGuard auto recovery at the default value (I believe it was 30 seconds). so a loop would be detected and after 30 seconds, the switch would try to enable the port and if the loop still existed, close the port for 30 more seconds. Then we started having problems with printers getting "fried". Their NICs would die out and the control board would need to be replaced. After a lot of troubleshooting and testing, it was determined that allowing the ports to come out of ERRDisabled state would flood the network and the packets would generate in the millions per second range and fry the NIC of these printer.
The fix for this and saving the printers was terrible. We removed ERRDisable auto recovery and just let the ports that are looped stay in an ERRRDisabled state. We wait for the user to figure out the loop and try to use the port and then put in a work order. Then we physically visit the site and verify the port was shut (ERRDisabled) from a loop and we bounce the port (shut/no shut) and everything is resolved. I did lab tests with a switch looped and a printer on the switch and watched it fry. We have had no printers fry after we removed the auto recovery protocol at every location. Only the locations where loops existed and auto recovery protocol running were printers going bad. What I found during my lab tests was that each time the port was auto-recovered (yes, for that millisecond while it checks if a loop still exists), more packets were re-generated and eventually enough was re-broadcastthat printers would go down. We never had a problem with computer NICs. I guess the cheaper printer NICs couldn’t handle the broadcast storms created by this. I tried playing with the auto recovery timers and even the highest setting would eventually re-create these storms.
So my question is what best practices are others using? Should we get rid of BPDUGuard and just try to let spanning-tree handle these bridge loops? Is there something else I can try? I’m not CCNA by any means, just trying to do what I can in my environment. Manually visiting sites when loops occur is becoming more and more my job, though and I have plenty of other things to be doing.
View 9 Replies
View Related
Mar 24, 2013
I have a strange issue where spanning-tree is blocking vlans through a mesh network.Here is my set up.
2-Cisco 3560's that have two trunk ports set with do1q and a native vlan of 2. I'm allowing a client vlan (2) and a voice vlan (103) to come over the trunk. They have a native vlan of 2 so the mesh APs can get an address through DHCP. Spanning-tree loop guard is also enabled.
When connected to the mesh network, the voice vlan is being blocked by spanning-tree. I get the following erros:
000129: *Feb 28 19:24:58.289 EST: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/1 on VLAN0103.000130: *Feb 28 19:24:58.448 EST: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/1 on VLAN0103.
Eventually the loop is cleared and the port is set back to a forwarding state from a blocking state. I don't want to disabled spanning-tree loopguard since I don't want to create a loop. The mesh network is supposed to act as a P2P connection between two switches. As a test I disconnected the APs from their trunk ports. I then used a cross over cable to connect the switches and no spanning tree loops occured. The mesh doesn't have STP enabled on it and should just be acting as an over-the-air connection from one switch to another.
View 1 Replies
View Related
Jan 12, 2012
I have 2 3550 12G switches that I use as core fiber switches. Switch 1 is the primary for 1/2 the V LANs and Switch 2 is the primary for the others using MST with 2 instances (I am not including the default 0 instance). I am using HSRP to provide redundancy. So far so good.
Recently a tenant in my building would like to use their own switch for data but still needs access to a V LAN on mine for voice. Again not a problem as I can configure a trunk port and give them what they need. My concern is that if they try to configure STP on their switch can they take down mine. Are there some preventions that I can put into place, such as root guard, that work with MST? What happens if they too set up MST can they kill mine?
Switch 1 is the root for 1/2 the v lans and Switch 2 is the backup root. The scenario is flipped for the other 1/2.
View 3 Replies
View Related
Dec 15, 2012
in my LAN the all access layer switchs/stacks are connected directly to core backbone switch (cisco 6509) via sfp fiber-optic, i want to protect my spanning tree setup with the "root guard" command.
1. where would i set this ? on uplink ports on access layer switches ? or on core backbone ports to which the access layer swithes connect to?.
2. can this be set on active (production) ports without downtime?
View 5 Replies
View Related
May 9, 2012
Switch: SG500 VLANS: 1 (default) xxx.xxx.0.0/24 network, 150 (device management vlan) xxx.xxx.150.0/24 network I am plugged into port 1. This is a trunk port with VLANs assigned as follows: VLAN 1 (Default) - UntaggedVLAN 150 (dev mgmt) - Tagged Device is plugged into port 2. This is an access port with the following VLAN assigned: VLAN 150 - Untagged Why is it I cannot communicate with the device on port 2?
View 1 Replies
View Related
May 20, 2013
PCs --> SG500(4 vlans) --> rv042 --> Internet..vlan 1 is able to reach the internet..vlan 2-4 cannot reach the internet, but can reach vlan 1.
View 2 Replies
View Related
Jun 12, 2012
We have to connect two 3750G switches to some HP machines. Those machines have several network interfaces, which are going to be configured in several bondings. The load balancing mode they want to configure is mode 6, alb. We have investigated and it is: [code] Receive load balancing is achieved through ARP negotiation.We would like to know if it is supported to be connected to a 3750G an if an special configuration is needed.
View 1 Replies
View Related
Jun 20, 2012
I have and 880 W router. The LAN members can get out t o the internet. Now I want to configure NAT such that outside computers can access a couple of the machines using Remote Desktop (RDP). I am using Configuration Professional.
When I configure inside to outside, the remote computers can't connect to the target machines.When I configure outside to inside, the target machines acn't get to the internet.
When I try to use the advanced NAT definition wizard, I can't complete the task because the only inside pool (?) or LAN (?) is "designated" and not available to select. I can't free it up without deleting the one working NAT entry which is the one that enables all computers to reach the internet.
View 1 Replies
View Related
Dec 2, 2012
I want to know if there is way to tag traffic with DCSP tags without having to do all the other requirments of QOS setup. All i want to do is just tag traffic at different DCSP values via source and destination IPs. We do not have a need to be priortizing traffic on out internal switches. We just want to tag the traffic so our MPLS provider can distinguish the different types of traffic.
Our environments is primarily 3750s in all offices.
View 6 Replies
View Related
Mar 27, 2012
We have Cisco IP phones behind a 2600 series router:Most of the time when the PBX receives a packet from the phone, the source IP of the packet is set to the public IP of the router (1.2.3.4) as expected. However, once in a while, we get packets (at the PBX) with the source IP set to the private IP of the phone (10.0.0.12).The router is configured by our provider, and they can't give us any explanation for this behaviour. Is it safe to assume that PAT is not configured properly at the router?
View 2 Replies
View Related
Feb 23, 2012
We have 2 switches split across 2 datacentres connected via an interconnect. Over the past couple of days the interconnect provider's Cisco kit has shut down our port (err-disabled) due to a broadcast storm. They had the level set at 1 which I thought was a bit low. They say they tried to set to 2, then 5 but still kept tripping the storm-control feature so they set at 10. They say they've always had it set at 1% (on a 100Mb switch) and so we must be generating more broadcast traffic.
I'm trying to identify where the broadcast traffic is coming from. On our Cisco 3750 I've clear interface counters and when I do a sh run | i broadcasts there are a few ports which have what seems like a high broadcast count. The one port that is especially high and the only one tripping the storm-control feature (I've enabled on all our ports to try to identify where the traffic is coming from) is the port connected to the 100Mb interconnect. I've mirrored that port to another port and connected a server with wireshark so I can capture all the traffic across that port.
What I'm struggling to find is the source of the broadcast traffic.I have a few questions are these broadcasts layer 3 or layer 2 broadcasts. Also in the output below when it says broadcasts received is this inbound to the port i.e. from the connected device or is this a total of inbound and outbound broadcasts.
When I use wireshark and filter the capture on broadcasts (ff:ff:ff:ff:ff:ff) I see only 200-300 compared to the thousands the switch is reporting.If I filter on the broadcast IP address I also don't see the numbers corresponding to what I see in the show interface output.
GigabitEthernet1/0/1 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0014.a93f.7401 (bia 0014.a93f.7401)
Description: Interconnect
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 4/255, rxload 44/255
Encapsulation ARPA, loopback not set
[code].....
also I'm currently doing : monitor session 1 source int g1/0/1 both, and also tried just rx incase I just need to be looking at receive traffic but still nothing is standing out.
View 10 Replies
View Related
Apr 29, 2012
I am using Nokia Siemens router. Recently there is an hack on the network. So I changed the security by enabling WPA2-PSK and AES and mac filter enabled. After that two of my roommate machines are not getting connected to WiFi. Even I cant see ssid being detected in thier machines.
how to connect to the machines. I have tried by removing security also but those two machines cant even detect the network being broadcasted by us. But it is detecting other networks(neighbors wifi).
View 1 Replies
View Related
Apr 29, 2012
I am using Nokia Siemens router. Recently there is an hack on the network. So I changed the security by enabling WPA2-PSK and AES and mac filter enabled. After that two of my roommate machines are not getting connected to WiFi. Even I cant see ssid being detected in thier machines. how to connect to the machines. I have tried by removing security also but those two machines cant even detect the network being broadcasted by us. But it is detecting other networks(neighbors wifi).
View 1 Replies
View Related
May 1, 2012
how to create WiFi network with uninteruptable roaming between Access Points while clients are moving.What hardware is the best here? Are there any manuals about that?
View 2 Replies
View Related
Mar 2, 2012
How can I allow AND prevent connection to wireless networks based on their BSSID(MAC Address), when their SSID(default/custom name) is the same and changing SSID is absolutely NOT an option? Physicaly moving closer to the Preferred Network Wireless Access Point is also absolutely NOT an option. i.e.
Allow connect/reconnect to:
SSID - Linksys
BSSID - AA-AA-AA-AA-AA-AA
and
Prevent connection to:
SSID - Linksys
[code]....
View 1 Replies
View Related
Dec 7, 2011
I am facing switch reboot issue when power of switch restore from RPS to AC.
View 1 Replies
View Related
Sep 3, 2012
Most of the 4500 Switches in our network are giving the similar error for so many ports
%C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 1 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on p t Gi2/6 in vlan 100
Its impossible to do a wireshark packet tracing for all the ports.
View 2 Replies
View Related
Feb 14, 2012
Issue I am having with a Cisco 4507? Below is the error i am receiving.
Feb 14 10:06:09 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 508 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112
Feb 14 18:44:06 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 119 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112
Feb 15 00:51:06 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 366 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112
[Code]...
View 9 Replies
View Related
Nov 11, 2012
is it possible, to use a Catalyst Switch (in my case a 3560E) as a source for a console session to another Catalyst? In principle to use it as a console terminal server.
View 1 Replies
View Related
Oct 31, 2012
i have a stack of 3750x, with minimal configuration. there are two vlans, and two vlan interfaces with IP addresses. when i ping out from this switch to another host, it picks vlan1's ip address as the source automatically. i tested this by doing two pings with extended options using each vlan's interface as the source, and got different results. how the switch decided to use the first vlan's ip address as a source.
View 11 Replies
View Related
Feb 27, 2013
There is a unicast flood on 3750 killing slow modem links. How to determine source MAC address of flooder? Is there a rate limit feature for it?
I know how to block it completely on port-level, but it breaks normal network operation. (when port goes down for some reason, it's learned MACs got flushed and since other hosts know MACs, they keep flooding untill their arp caches expire).
View 11 Replies
View Related
Apr 29, 2012
I am using Nokia Siemens router. Recently there is an hack on the network. So I changed the security by enabling WPA2-PSK and AES and mac filter enabled. After that two of my roommate machines are not getting connected to WiFi. Even I cant see ssid being detected in thier machines. How to connect to the machines. I have tried by removing security also but those two machines cant even detect the network being broadcasted by us. But it is detecting other networks (neighbors wifi).
View 1 Replies
View Related
May 20, 2013
I have cisco 2651. It contains two FastEthernet interfaces: Fa0/0, Fa0/1.Fa0/1 has an ip address. Fa0/0 hasn't an ip address.I need to create monitor session from source Fa0/1 to destination Fa0/0. Then i want to connect my notebook to Fa0/0 to analyze some traffic from port Fa0/1
View 2 Replies
View Related
Nov 5, 2012
i would like to monitor traffic between multiple source ports to multiple destination ports on a nexus 7k. i lknow when you set up monitor session is between source and destination (laptop or traffic analyser) but is there a way i can set up between source and multiple destination ports and capture that traffic ?
View 3 Replies
View Related
Aug 20, 2012
I have configured the ip telnet source-interface Loopback 0 command on a Nexus7010, but when I telnet to another device and do a show users, the ip address is of the closest interface to the device I telnet to, not the ip address of the Loopback. All interfaces are in vrf default. I am running 5.1(6) NXOS.
View 6 Replies
View Related
May 19, 2013
Basically I am trying to use Wireshark to do a packet capture on a Nexus 5010. I want to do a monitor session on on the switch so I can capture from a source port to a destination port on the same switch. I can configure the source port but when I go to configure the destination port I get "ERROR: Eth102/1/4: Configuration not allowed on fex interface". I have tried to reconfigure this port as a switchport but "switchport mode access" command does not take. I don't want to make any changes to any other ports but this one.
View 1 Replies
View Related
Aug 9, 2012
I'm trying to get ERSPAN working with an ERSPAN source on a Nexus 5548 and the ERSPAN destination on a Catalyst 6500.
The configuration on the Nexus is as follows:
[...]
interface loopback0
ip address 192.168.2.133/32
[Code].....
If I do a netdr capture I can see ERSPAN traffic sourced from the Nexus reaching the C6500, but there doesn't appear to be anything sent out the ERSPAN destination inerface (Gi4/6) and there's nothing being received by the probe connected to that interface. I know the traffic seen with netdr is definitely the ERSPAN traffic sourced from the Nexus as I've changed the TTL and DSCP values within the monitor session on the Nexus and can see those changes reflected on the C6500 netdr capture. The attached is a screen grab of the show netdr capture started with debug netdr capture soure-ip-address 192.168.2.133.
When I look at the interface I see it shown as up/down (monitoring), but no output or counters clocking up. If I run a local SPAN session on the C6500 it works fine.
I've tried changing the destination IP address from that assigned to the C6500 Loopback interface to an IP address assigned to a physical interface, but that still doens't work.
The hardware in the C6500 is WS-SUP720-BASE Hw version 3.2 with WS-F6K-PFC3B Hw version 2.4. The IOS version is 12.2(33)SXI6.
View 2 Replies
View Related
Jan 21, 2013
Platform:
cisco6509-E with FWSM
Supervisor Engine 32 PISA 8GE
sup-bootdisk:s32p3-adventerprisek9_wan-mz.122-18.ZY2.bin
command:
(config)#ip nat inside source static tcp 10.10.8.147 14029 interface g7/8 14029
(config)#no ip nat inside source static tcp 10.10.8.147 14029 interface g7/8 14029
#clear ip nat tran *
(config)#ip nat inside source static tcp 10.10.8.147 14029 interface g7/8 14029
%Port 14029 is being used by system
Or %Static entry in use, cannot change
But when I perform "sh ip nat tran" command,There is nothing
View 1 Replies
View Related
Feb 20, 2012
We have 2 6513 switches with SUP720/PFC3A and various POE modules and a 6748-GE-TX facing our servers. Additionally, we have a 4Gbps portchannel trunk interconnecting the switches. We have approximately 300 Nortel IP 1140e phones in use between the two switches.For the purpose of call recording, we've attempted to mirror the voice vlan using various approaches and have been met with limited success. We mirrored the VLAN using tx, rx, and both. When using both we appear to get duplicate packets at the destination interface.We seem to lose packets completely going in one direction or another for a given call. Packets are lost before they get to the destination interface?
View 2 Replies
View Related
Mar 20, 2012
I live in a new apartment building which means a lot of concrete. The internet (fiber) enters the house at the beginning where the modem is hooked up to my Linksys WRT320N. From there two cables run through the house:1 to the home office, where two computers are connected through a switch.1 to the living room, where the Xbox, blue-ray player are connected through a switch.I also have a wifi network running from my WRT320N, but as it is at the beginning of the house, there are some black spots in other parts of the house. I tried to fix this with a Netgear repeater, but that keeps disconnecting.
What I want to do know is place a second linksys device in the living room at the end of the already existing cable that will also broadcast a wifi network, but I want this to be exactly the same Wi-Fi network as I already have. What I want to achieve is that I can walk from one end of the house with my iPad, streaming a video, to the other end of the house and that I always stay connected to the internet and that my tabled just picks up the strongest broadcaster, basically the same as with a mobile phone.
View 1 Replies
View Related
Jan 24, 2012
I am trying to change the security on my router so I can use WPA2 AES security in conjunction with a media device. The router security page only gives me a choice of WPA2 Personal or WPA2 Enterprise (which requires the use of a Radius Server that I don't have).
View 1 Replies
View Related
May 12, 2013
I know very little about switches. This is the first time I've ever touched them. However, I'm the only one in the company who has the slightest knowledge on how to make them work.
4 vlans
vlan 1 - 192.168.32.1 - Existing network with Internet access
vlan 33 - 192.168.33.1
vlan 34 - 192.168.34.1
vlan 35 - 192.168.35.1
From the laptop on vlan 33 I can ping the management interfaces (192.168.x.1) for each of the vlans. However, I cannot ping anything on those networks.
Below is what I have with the config. Right now not much attached to these switches until they are setup.
Code:
config-file-header
poe-switch
[Code].....
View 19 Replies
View Related
