Cisco Switching/Routing :: WS-C3560G-24PS Configuring Ip Dhcp Snooping Database With Scp
Feb 10, 2011
Just spoke to the TAC and didn't get the information needed. When configuring ip dhcp snooping database I am adding this to my configuration: ip dhcp snooping database scp://dhcpsec@192.168.1.50/home/dhcpsec/switch1.dhcp.database.txt. I assumed that to do this I would either specify the password on the command line, similar to the way it's done when using ftp/http, or that I would need to create a public/private key. I have enabled scp and can manually copy a file from the switch to the linux server. So I believe I have all the aaa commands correct. Cisco WS-C3560G-24PS System image file is "flash:/c3560-ipservicesk9-mz.122-55.SE.bin".
Jun 5, 2013
I received a question from a future customer about this feature, whether it's supported on "WS-C2960S-24PS-L": configuring 2 DHCP servers on this switch (1 DHCP for voice VLAN, and 1 for data VLAN). I did some searching, but I didn't find the answer. I have to advise the customer before ordering the switch.
Apr 23, 2012
I have a WS-C3560G-24PS serving as a distribution switch with six (6) WS-C2950T-24 connected to it. In looking at the utilization on the interconnect links, no one is running close to a gig speed and this includes the link between this switch and the core. The CPU load (6%) and memory utilization (30%) on the switch do not seem bad, so what else does one watch to see if it needs an upgrade?
We are starting to have discussions about any needed upgrades on the network. I have an occasional user that complains about low performance, but looking through the network I can find nothing glaring on a consistent basis that says an upgrade is warranted. I am however looking at things such as the above. Utilization on links, CPU, memory, etc.
Jan 14, 2013
I've been experimenting with the 'vlan dot1q tag native' command on a switch and it seems as though tagging the native vlan breaks vty access to my access point. With the 'vlan dot1q tag native' command applied, I lose management connectivity to the AP; with 'no vlan dot1q tag native' applied, connectivity is restored. Why is this? Is it safe to say that one can access the AP via vty lines using ONLY untagged packets?
SWITCH
Model: WS-C3560G-24PS
Code: c3560-advipservicesk9-mz.122-46.SE
--Abbreviated CONF
vlan dot1q tag native
[code]....
Apr 29, 2011
An attacker has configured his PC with a static IP address, but there is no such entry configured statically in the switch, nor in the DHCP snooping database. Now when he wants to generate traffic, will the switch block him, because there is no entry for his PC in the switch database?
Jun 14, 2011
I am not on site and I have not seen a WS-C3750V2-24PS-S. Customer has a stack of 6 x WS-C3750V2-24PS-S and one unit has failed. We do not have a WS-C3750V2-24PS-S spare. Can we replace it with a standard WS-C3750-24PS-S (not V2) switch and have it be part of the stack?
1. Are there any traps or gotchas?
2. What about IOS versions - aren't they different for V2 switches?
3. Are the stack ports and stack cables the same for both WS-C3750V2-24PS-S and WS-C3750-24PS-S?
4. What is the main reason for bringing out the V2 switches? What extra features do they have?
Jun 5, 2012
Is it possible to have WS3750G-24PS in one stack with WS-C2960S-24PS? I want to add two new WS-C2960S-24PS to a stack with one WS3750G 24PS.
Sep 27, 2012
I have a problem at a place where 5 ME3400 switches are connected in a straight line. I can't do much about the topology of that place, but the problem is they are all DHCP Snooping, but unicast replies from the DHCP server further up the hierarchy get eaten by the first switch! I can't really see why it not only inspects it and whines about it not being for itself - it then drops the message.
What have we done wrong (apart from the actual layout of that place, which I can't really change)?
Sep 28 13:49:29: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/1)
Sep 28 13:49:29: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Gi0/1, MAC da: 7444.012d.debd, MAC sa: 0013.1a4a.65c7, IP da: XX.YY.186.7, IP sa: XX.YY.186.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: XX.YY.186.7, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7444.012d.debd
Sep 28 13:49:29: DHCP_SNOOPING: binary dump of option 82, length: 20 data:
[Code] ......
It really should just send it on, as with any unicast not on the switch itself - it should go out Gi0/2 really. Why isn't it?
[core] -- [sw1] -- [sw2] -- [sw3] -- [sw4] -- [sw5]
All the trunks are trusted, DAI is on (I've tried shutting it off, as well), port-security is used but it's actually not dying on the switch having the client computer, but the first one in the chain with dhcp snooping.
Mar 2, 2013
I have a problem with high CPU load by DHCP Snooping process on Catalyst 6506 (WS-SUP720-3B, soft: s72033-ipservices_wan-mz.122-18.SXF11.bin). I have it enabled on 15 VLANS, in which there are subscriber devices residing, and sending DHCP requests through Cisco to DHCP server (Cisco acts as DHCP relay, and it's collecting the snooping database, I also use DAI).
Snooping database contains 6962 bindings now.
CPU load goes high only sometimes, and I don't have a clue, why it's going so high. It can load as high as 45-47% of CPU, like this:
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
116 81471244 322596368 252 42.95% 43.48% 36.06% 0 DHCP Snooping
When the load is high, the command show ip dhcp snooping statistics shows that the overall quantity of Packets Processed by DHCP Snooping is increasing rapidly. In normal situations, it's like 10-20 packets per second, but when the load is high, it's 1000-10000 pps.
But when I look at SPAN from my subscriber's VLANS, I don't really see any flood of DHCP requests, or something like that - everything looks as usual. Maybe, some of subscriber's devices are sending incorrect DHCP requests, that are causing packets to loop inside RP, or something like that? How can I detect that thing?
Also I thought that if I enable the ip dhcp snooping trust mode on all of the Catalyst interfaces, the DHCP snooping will not process the subscribers' DHCP packets, and I can, by exclusion of interfaces from one to one, detect from which interface the problem is originating. But this seems to be incorrect: I turned the ip dhcp snooping trust on all interfaces, and I still get spikes of CPU load by the DHCP snooping process. Why is it still examining packets, even on trusted interfaces, is it ok?
And one more question - if I disable the ip dhcp snooping globally, will it clear all my existing bindings in snooping database?
Oct 12, 2011
I have attempted to implement DHCP snooping and have been having some strange issues. I have 5 3560s that I use for my edge and when I attempt to implement on all five, the VLAN that houses my voice data appears to no longer be able to receive DHCP lease renewals, so after the 24 expiration all of my phones lose their configs. Once I roll back the changes the voice VLAN comes back. The other VLANs seem to function correctly as they are able to renew their DHCP addresses.
The 3560s tie into each other using GIG Ports 1 & 2 and the top and bottom switches tie into our core switch, a 4507. The config that I use is below, fairly simple and straightforward.
4 of the 5 switches feed our general office vlans for voice and data however the 5th switch is there for expansion and not in use. As such I have left the config changes in place on it and have tied myself and a colleague into it and have been operating fine for over a week now. So the config that I use seems sound in theory and should work on the other 4 switches with no issue.
Apr 9, 2012
I am working in an environment that is classed as a collapsed Layer 3 environment. We have a core 6500 with routed links to 3560s, which are access switches.
We have layer 3 VLANs on the access switches, one for data, one for voice. On the layer 3 VLANs we have ip helper addresses that are used for DHCP. The DHCP servers are located on the 6500.
I recently had an incident where someone plugged a netgear router into a desk point because they thought they could use it for a switch. This router then started to dish out IP addresses to people in the morning for those who came in and docked their laptops. 99% of people weren't affected because they have desktop PCs and their leases hadn't expired.
Now we have bpduguard, bpdufilter to prevent people from plugging in switches that send out BPDUs. However this doesn't prevent the above scenario where someone plugs in a router or a 'dumb' switch that doesn't send BPDUs. Because of the above scenario I started looking at DHCP Snooping, but I am unsure on a couple of things.
With the topology of our network I understand that I don't need to configure IP DHCP Snooping Trust on the L3 uplinks to our core switch. From what I understand I just need to enable IP DHCP Snooping globally and then on the VLANs on the access switch (because of the L3 topology, VLANs are local to the access switches). Only if I had L2 uplinks to the core would I need to configure IP DHCP Snooping Trust on the trunk links.
Jan 18, 2013
I am trying to understand the basics of DHCP snooping. I have just a 3560 switch and a laptop (to get a DHCP address) and my DSL router, which has a DHCP server running. On the switch I have enabled "IP DHCP Snooping" and "IP DHCP Snooping VLAN 1", plugged the laptop and DSL router in, and the laptop gets an IP address, should it?
I thought all ports were untrusted by default so the DHCP server should be blocked at offering IP addresses? If I wanted the DHCP server to be allowed to offer IP's I thought I should need to trust the port.
Apr 17, 2012
I have a new catalyst 2960, and I want to enable DHCP SNOOPING, but it doesn't work: the server is still offering IP addresses and it's not connected to a trusted port. The schema is very simple: 1 switch catalyst 2960 PST-S, 1 DHCP server and 1 PC client. The PC and the server are in VLAN 10, DHCP SNOOPING is enabled on all ports and no port is trusted, but the client gets an IP address after retyping ipconfig /release and ipconfig /renew in the DOS command line. The configuration and the version of the switch are in the file attached. I tested the same configuration on a catalyst C3560-24PS and DHCP SNOOPING works normally; I tested on another catalyst 2960-PST-S, but the same problem: DHCP SNOOPING without effect. The commands typed are:
-ip dhcp snooping
-ip dhcp snooping vlan 10
Nov 24, 2011
I have a problem with enabling DHCP snooping on a 4500 (cat4500e-lanbasek9-mz.122-54.SG.bin). The topology is as below: DHCP snooping is enabled only on CORE (with the interface trusted to the DHCP server). The problem is that I put these 2 commands
ip dhcp snooping
ip dhcp snooping vlan 1
but it is not enabled on any vlan
SW-CORE#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
[Code]...
On B1 if I turn it on there is a "1" in the section "DHCP snooping is configured on following VLANs:" but on core no. As you can see I did put the trusted on the interface in the direction to the dhcp. First I thought it can be a problem with option 82, I've read a lot about the issues with that, but the problem would be explicable if the client did receive IP address, but it does.
Nov 14, 2012
I am trying to find a command for dhcp snooping rate-limiting on a CatOS. The PFC card is PFC. PFC3B is said to support that command. But there seems to be no such command.
-6k> (enable) sh ver
WS-C6509-E Software, Version NmpSW: 8.4(5)
Copyright (c) 1995-2005 by Cisco Systems
NMP S/W compiled on Aug 3 2005, 13:26:46
[Code] ......
Up time is 1183 days, 1 hour, 41 minutes
Jan 9, 2013
I recently installed DHCP snooping on a 3750v2 switch (Version 12.2(55)SE4) and configured the uplink (Po2) as a trusted port. The problem is that clients cannot receive an IP address. When I disable DHCP snooping it is working properly. DHCP snooping is configured correctly but I don't have an idea how to resolve it. [code] I tested the solution on the same kind of hardware switch and firmware and it worked out fine. What is causing the clients not to receive an IP address from the DHCP server?
Feb 14, 2012
Does the Cisco 2600 series switch support 802.1x and DHCP snooping?
Oct 8, 2012
I have a strange problem in my campus network. I'm trying to run port security on my access switches, which are 3550s with IOS c3550-ipservicesk9-mz.122-52.SE. When I run port security with the sticky option, even if I put 1000 MAC addresses for just learning on the port, when I issue the switchport port-security command every PC connected to that port loses its connection with the network UNTIL I enable DHCP snooping!!! All my clients are getting their IP address from the DHCP server, but the strange thing is: how on earth do I have to enable DHCP snooping for port security to work properly? Also, when I check the configuration under the interface when DHCP snooping is not yet enabled, the switch doesn't add any MAC address under the interface, so no one can work until I enable snooping, and then the switch adds MAC addresses under the interface configuration. Is this a bug in this version of IOS? [code]
Sep 24, 2012
We have an infrastructure where the Access is based on Cat3750G Stacks connected to both Cores using L3 connections. On the Access Switches the following features are implemented: DHCP Snooping, IP Source Guard and Dynamic ARP Inspection, and all has been working fine for years... The DHCP Servers are on a dedicated stack which acts as an SFarm.
On the Access Switches the port configuration is the following: the Uplink Ports to both of the Cores are configured in TRUST for DHCP Snooping and ARP Inspection; the Access Ports, where the end-devices are connected, are UNTRUST for DHCP and ARP Inspection with IP Source Guard active. Right now I have to add a new L2 switch on one of the Access Ports and I'm wondering if this is possible, since I have to keep all the security features active on the Stack Access Ports and I also have to implement DHCP Snooping on the new L2 switch to avoid rogue DHCP Servers...
I suppose that the uplink to the L2 switch on the Stack Access Switch should be left as if it is connected to an end device... but the uplink port on the L2 switch should be set up as TRUST... isn't it? Keeping in mind that I want to implement DHCP Snooping also on this L2 switch to avoid Rogue DHCP Servers impacting the end-devices connected to this L2 switch... is this scenario possible??? Or can't I do that and should I leave DHCP Snooping only on the Access Stack?
May 7, 2013
I have a problem with DHCP. I have two 2960 connected with a port channel on ports 47 and 48 as trunk with native vlan 10. I only have this one vlan. In port 1 of sw 1, I have a C800 as DHCP server.
I have an autonomous AP with a single ssid on vlan 10. When I connect the AP to sw1, I receive dhcp with no problems. When I connect the AP to sw 2, I’m not getting an IP by DHCP. I have DHCP snooping working on vlan 10 on both devices.
The ports where I connect the AP are access ports on vlan 10 configured as trusted. The trunk ports are also configured as trusted. The port 1 of sw 1 that goes to the C800 is also configured as trusted.
figure out why I’m not getting an IP by DHCP when I connect the AP to the SW 2. The only thing I notice is that when I connect the AP to sw 2, I get on SW 1 the message of packet drop by option 82, but even after configuring ip dhcp snooping information option allow-untrusted on both switches, the problem persists.
Sep 14, 2010
I've configured ip dhcp snooping on several VLANs I want to monitor and the binding table doesn't seem to be building. Feature DHCP is on, global ip dhcp snooping is enabled, VLAN snooping is enabled on the VLANs I want to monitor and my trusted interfaces are also configured. Alas, no binding entries in the table! 7K is running 4.2(6).
Sep 3, 2012
We have a DHCP SERVER implemented in a cisco router 2610. This router is connected to a switch cisco 2960 configured as DHCP SNOOPING. At the switch the following log message appears: [code] The ip address 10.100.200.1 belongs to the DHCP SERVER configured at router cisco 2610. What to do so these log messages do not appear any more? Do I need to do some configuration changes at some switch or router?
Sep 25, 2012
I need to apply DHCP snooping on 4500 series switches working as L2 in my Network. We have an external DHCP Server in another location connected with a 6500 series switch.
Running EIGRP Configured Voice & Data Vlan both
DHCP Server -------- 6509 switch<----------------------------------->6509 Switch -------- 4500 switch ----------------------------------------------------------Ip Phones.
(ving Redundant) (ving Redundant)
I need to know whether the configuration which I mentioned in the scenario is enough to apply DHCP snooping in my network.
Feb 12, 2013
I am configuring DHCP pool for voice vlan on cisco 2921 router.
Here is the setup.
2921 router -> 3750 -> 2960 PoE -> 7942 IP Phone
Router Config
ip dhcp excluded-address 10.146.54.1 10.146.89.50
!
ip dhcp pool VoiceVlan
 network 10.146.54.0 255.255.255.0
 subnet prefix-length 24
 dns-server 10.144.68.32 10.144.68.33
 option 150 ip 10.146.68.36
 default-router 10.146.54.1
 netbios-name-server 10.144.68.32 10.144.68.33
 netbios-node-type h-node
[code]....
Nov 6, 2011
I have a WS-C3750-24PS, version 12.2(55)SE4. I am configuring PBB VPLS. My PE/P routers are Alcatel 7710/7750.
My topology is like this:
CE1<-------> Provider_switch(3750)<-------> PE1 < ----IP/MPLS----> PE2<-------> Provider_switch(3750)<----------->CE2
16 11 11
[Code].....
Jan 21, 2013
I have three new 2960 switches as listed in the title. I configured them as follows:
192.168.1.215 host: whse-c
192.168.1.216 host: whse-b
192.168.1.217 host: whse-a
Switches B and C flow into A before continuing on into the server room switch (distance issues). All three switches are configured for ports 21-24 at 1000 and set as cisco switches. All other ports are undefined as they have a myriad of desktops, printers and non cisco access points flowing into them. Side question - should I configure them as access points where applicable even if they are non cisco? I am replacing three netgear switches that currently are in place and have no known issues other than they are old and the fans may fail soon. Hooked up .217. Was able to get to it from the network. Hooked up 215 and then 216. All of a sudden I lost the ability to tap into the switches, any of them. (I think I had done 215 at that point too, before adding 216.) I found out later it took the network to its knees as internet was lost, and the MPLS stopped functioning.
I undid the changes and put the netgears back in service and all was right with the world again. At first I thought it was a bad host name as I had used whse-a on switch C in error. I changed that after this issue. Later that day I put 215 in place. Checked it from the network and could get to it just fine. Then I put 216 in service. I lost connection to 215. I could no longer get to the internet from my pc and the MPLS went down again. This time I just unhooked 216. 215 is still in place and working on the network at the moment and not causing issues. (BTW these switches are not even in my path from my pc to the internet, just on the same network.) Tomorrow I am going to try 217 again while 215 is still on the network and see if there are any issues adding that switch. If I can do so, and there are no problems, is this an indication of a faulty switch? What further testing can I do, have I missed something in setup? If this brings the network down again, why can't I add two of these switches to each other/on the same network path (B and C were not even connected to each other yesterday evening when it went down again)?
Mar 7, 2012
This switch randomly reboots throughout the day. I checked the stacks info and reported it was using crashinfo_12 (report below). I have access to the switch throughout the day if more config info needs to exported.
Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(50)SE1, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
[Code].....
Mar 11, 2013
3560 is running c3560-advipservicesk9-mz.122-40.SE. The SFP (GLC-TX) has been tested in another 3560 and is recognized. Both the gi0/1 and gi 0/2 ports show the type as unknown.
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        notconnect   1            auto   auto unknown
Gi0/2                        notconnect   1            auto   auto unknown
Nov 23, 2011
I need to prepare a Bill of Material for WS-C3560G-48PS-S switch.
Should we go for CAB-AC-JPN - AC power cord for Japan OR CAB-AC-ACE - AC power cord for Europe?
Nov 2, 2011
I recently removed a catalyst 2950 switch, code version: c2950-i6q4l2-mz.121-13.EA1. I had an ASA 5505 connected as a switchport access to the 2950 on port 44. We will call the VLAN that the ASA sits on: VLAN 404. The 2950 had a trunk to our catalyst 6509 distribution switch carrying that VLAN 404. We also have another VLAN for computers that sits on: VLAN 129; this is a standard DHCP vlan and it accounted for the rest of the switchports. The 2950 also has this trunked to our 6509 distribution switch.
Everything was working fine with that setup. After replacing the 2950 with a 3560 we started running into problems. The 3560 was configured the same exact way as the 2950. What was happening is that computers that sat on VLAN 129 started experiencing packet loss and were unable to work. It's as though the ASA was taking over the switch.
Is there a protocol that is enabled by default on the 3560 that would do this?
Mar 4, 2012
I am having an issue with VoiP phones giving me an insufficient bandwidth message. I have three remote locations connected to our main building using 2 Mb point to point ethernet solutions through TWC. Each remote location has a Cisco WS-C3560-24PS running IOS C3560-IPBASE-M, version 12.2(25) and has the cable modems plugged into port 1 on them. The remote buildings are labeled 192.168.101.xxx, 192.168.102.xxx, and 192.168.103.xxx. There are 14-16 VoiP phones in each remote building. The main building is in the subnet of 192.168.100.xxx. I have the 3560s connecting to a single port on a 2801 in the main building, all using the subnet of 192.168.253.xxx. The phone server sits in our network at 192.168.100.203. I have created the ACLs, class maps, and policy maps on all of the equipment.
For the remote buildings I have the following:
ACL
===========
Extended IP access list VOIP
permit tcp any host 192.168.100.203 dscp ef
permit tcp any host 192.168.100.203 eq 5566
[Code]....
I have put a hub in to capture traffic via Wireshark to see if DSCP flags are being appropriately marked and I do see that all VoiP packets are getting marked as EF. However, I have been receiving phone calls from people in the remote buildings stating that their phones will cut out, flash Insufficient Bandwidth on the LCD displays and then the call will cut back in. I am wondering if the 2801 is not applying QoS with the rate-limits in mind since it is set to 100 Mb, or is it an issue with trying to take 3 remote locations and bring them down into 1 port on the 2801?
May 1, 2012
How to reset the password on WS-C3560G-24TS?
Dec 10, 2011
I'm having trouble stacking a new WS-C3750X-24P with existing switches WS-C3750G-24PS. I can see the license is on the new WS-C3750X-24P:
switch#sho lic
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
[code].....
I could put on the c3750e-ipbasek9-mz.122-55.SE1 image, but I may need to get the license sorted still, but not sure if that will work or how to add it if I got one.....