2950 or 2960

Hi everybody
what is differences between 2950 and 2960 ?
is 2960 layer 3 or no?
and what about voice feature diffrences between 2950 and 2960 ?
should i use 2960 at access layer ?
what is better to use at access layer ?
note that i have collapsed core and i used 3750 at distribute layer.
Thanks.

Hi
Cisco 2960 is very similar to 2950 offering advanced quality of service (QoS), Security features with few notable differences like Performance,maximum MTU size,no of acl entries,qos policies...
would suggst to check these data sheets to know more about the same.
as per the recommendattions its best to be placed in the network edge .
http://cisco.com/en/US/products/ps6406/products_data_sheet0900aecd80322c0c.html
http://cisco.com/en/US/products/hw/switches/ps628/products_data_sheet09186a00801cfb64.html
regds

Similar Messages

2950 or 2060 bandwidth limiting egress and ingress per port

I am providing an MTU bandwidth and needing a switch that I can set bandwidth limits for each customer. Each customer will have their own port on the switch. Will the Enhanced image 2950 or 2960 limit on egress as well?

Neither switch supports egress policers. Ingress policers can be configured on the 2960 & the 2950 as long as you have the EI-capable hardware. This is the same for the newer switches - 2960, 2970, 3560 & 3750. The 3550 does allowed egress policers but this is EOS now I think?
HTH
Andy

Diff. between 2950T-24/2960-24TT/CE500-24TT

Hi,
referred the cisco site for the difference between 2950/2960 & 500, but what makes the major difference between these, based on that i thought i will suggest the manangement, because i am planning to move from 2950 to 2960 or 500., thanks in advance

The specs from post above are incorrect. They should've been:
2950T-24
8.8 Gbps / 6.6 Mpps
2960-24TT
16 Gbps / 6.5 Mpps
Also, 2950 has max 16 / 8 DRAM / Flash, while 2960 has 64 / 32.
So to answer OP's question, one big difference I see between 2950 and 2960 is the hardware archetecture.
2960s are faster and more efficient. The 48-port model is not as deep as that of 2950.
Unless you're not familiar w/ Cisco and/or CLI, I'd go w/ 2960 & 2950 instead of 500. They're for the less experienced or less demanding clients.

LMS config deployement with new device

Hello,
I have recovered some configuration files from my 2950 switches with the Configuration Archive Tool in LMS.
Now, I'd like to replace my old 2950s by 2960 switches, which have the same number of ports.
Will there be any issue if I copy the exact same config from 2950 to 2960 ? Will some features not work or is everything interoperable ?
Here's an extract of the config :
Global
version 12.1
no service pad
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
hostname sw48
logging buffered 20000 debugging
enable secret 5 ********
enable password ********
clock timezone UTC 1
clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00
ntp clock-period 17179870
ntp server 192.168.32.17
ntp server 192.168.32.18
IP
IP Global
ip subnet-zero
ip default-gateway 172.25.1.1
ip http server
Spanning Tree
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
Interface
Interface FastEthernet0/1
interface FastEthernet0/1
switchport trunk allowed vlan 1,17,1001-1005
switchport mode trunk
switchport voice vlan 17
spanning-tree portfast
Interface Vlan1
interface Vlan1
no ip address
no ip route-cache
shutdown
Interface Vlan25
interface Vlan25
ip address 172.25.11.48 255.255.0.0
no ip route-cache
SNMP
snmp-server community ******** RO
snmp-server community ******** RW
Line
Line con 0
line con 0
Line vty 0 4
line vty 0 4
password ********
login
Line vty 5 15
line vty 5 15
password ********
login
Thank you for your further help !

The 2960 is just an upgrade of the 2950 switch much like the 2960S is an upgrade of the 2960 so there should be no major problems unless there are some weird commands on the interfaces themselves. Nothing shown above looks like it wouldn't work to me.
You may want to go through the config a little, having enable secret and enable password is worthless, only keep enable secret, it is more secure. service password-encryption and some ACL's on SNMP might also be worth considering, depends how security concencious you are. Also the new enable secret command on IOS 15.1+ I think uses encryption type 4 to encrypt the password, again more secure but up to you. I'm guessing this is more about will it work rather than pointing out best practices that are fairly well documented by many others.
If you do come across a line of unsupported config the 2960 should give a warning or error anyway, things don't go boom and blow blue smoke, most of the time anyway.

Channel-group command

Could someone point me to a link about information about this command besides its options and such. If you dont know of a link but know the command, some of the questions I'm having include:
(1) what are the benefits of this command and why would you use this configuration?
(2) What platforms will this work for?
(3) If using between two switches and lets say you have four fiber links between the two, can you put three of the links into a channel-group and leave the other link out of the channel-group?
(4) Do the interfaces in the channel-group have to be in the same slot (same switching module) to be in a channel-group?
(5) Again, if you have two switches connected by four fiber links and you put each side of interfaces in a channel-group, do both sides have to be the same channel-group number?
(6) Neglecting that it is a hardware or line problem, what might be the reason for some of the interfaces in a channel-group to come up while others dont assuming that all the interfaces are configured exactly the same?

(1) what are the benefits of this command and why would you use this configuration?
>> channel-group x mode is an interface configuration to group identical interfaces in a combined logical interface, think of it as small pipes being combined to create a bigger pipe so that you can have more flows.
(2) What platforms will this work for?
>> channel-group is specific to catalyst running IOS like 2950, 2955, 2960, 2970, 3550, 3560, 3750, cat4000 with sup II+ or above, cat6000 with sups running Native IOS. For catalyst running it will be "port channel" command.
(3) If using between two switches and lets say you have four fiber links between the two, can you put three of the links into a channel-group and leave the other link out of the channel-group?
>> yes, by virtue of channel it will have a lower cost than the single interface therefore STP will block the single interface because it has a higher path cost to the root (STP can be discuss in a separate discussion).
(4) Do the interfaces in the channel-group have to be in the same slot (same switching module) to be in a channel-group?
>> No it does not have to be but they have to be identical. You cannot channel two ports where one is 100 MB and the other is a gig port.
(5) Again, if you have two switches connected by four fiber links and you put each side of interfaces in a channel-group, do both sides have to be the same channel-group number?
>> NO, channel group have local significance. If on switch A port 1 and 2 are in channel-group 1 and port 1 and 2 are connecting to port 3 and 4 of switch B. In switch B port 3 and 4 can be in channel-group 2 or 3 or 1 if you want to keep them the same for administrative sanity.
(6) Neglecting that it is a hardware or line problem, what might be the reason for some of the interfaces in a channel-group to come up while others dont assuming that all the interfaces are configured exactly the same?
>> cabling not right, interfaces in the same channel group are not alike, problem with the other end, or bug but this seldom is the case.
Please rate helpful posts.

How to redirect domain controller address to another one without changing IP Helper

Hi All
Basically we have been told that our domain controller's address is going to change, we have many switches 200+ that have the current address as the IP Helper address. The topology is basically a core 6509 that goes out to approx 45 distribution switches 3560s that then have multiple access switches hanging off 3560s, 2950s and 2960s. There are also many workstations that have the domain controllers IP statically assigned.
My question is is there a way that this server can be decomisioned and replaced with a new one with a different IP without having to change all of the devices IP Helper address static DNS etc. but to just redirect requests for that address to another at a higher level? Like say the core receives requests for the old IP and redirects requests to the new address? We have tried suggesting they keep the same IP for the new server but it's not going to happen.
thanks

You can use NAT to do that. Be careful though because that is really a band-aid and not a resolution to the problem.
http://www.cisco.com/en/US/tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html

Help to connect 2 switches together

Hi
I need your help to can i make 2 switches 2950 and 2960 connecting it together through trunk port,so in my question is what the command that should be on the trunk port???
I wrote the below command but it's not acceptable:
Switch(condig-if)#switchport trunk encapsolation isl

abakrbshat wrote:Hi,thanks for your responseI did that right now but still the pc unable on the ping to other pc in other switch
Do the interfaces on the switches come up when connected? What do you get when you input "show interface X/Y" on each switch?
Are the source and destination PC in the same VLAN (1 by default, something else if it's been changed), and have IP addresses in the same subnet?
And, lastly - are they Windows boxes? If so, do you have the firewall turned OFF? Recent Windows boxes seem to block PING by default unless you tell them otherwise.

Adding SG300 to exisiting network

I am not an expert in the network field.
About a year ago, I upgraded old network equipment with Cisco 2950 and 2960's to get some consistency in house.
We are about to switch over to a VOIP system, and we decided to replace all switches with Cisco Small Business SG300 POE to make like simpler, and hopefully faster.
Problem is, we give it an IP address, rename the switch and have updated to the newest firmware. We plug it in, and in seconds, it shuts down my network.
When I look at the log, we get a native VLAN mismatch, then Loopback error.
Obviously I need some more basic configuration. I assumed I would just be able to plug these in and swap similar to the way I upgraded my 2960's.
Any help would be appreciated.

Hi,
SG300 series switches have all the default settings to simplify voice and data network implementation but...
if you are adding to Cisco enterprise network there are several things which needs to be consider:
1. PVST is not supported ad only common STP is MSTP
2. VTP is not supported so all the trunks needs to be configured one by one manually
3. when setting up access port for desktop+phone on SG300 port needs to be in trunk mode and data vlan set as native and auto-voice vlan enabled
If you still have some problem we would really need to look at your topology and devices interaction in details and I would recommend you to open ticket with Cisco Small Business Support team:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
Regards,
Aleksandra

ACL on switch ports

Hi
I have 2 switches available to use, a 2960 or 2950. Ideally I wish to use the 2950 if possible.
What I want to achive is for a few ports to be limted to Internet only traffic, and dns lookups from a selected internal dns server. So when a machine is plugged into one of these ports the user cannot see any of the internal network.
The setup of the site I need this for prevents me from using multiple vlans as everyone must be on the same /27 subnet.
Can this be done on a 2950 or 2960?

You can use the 2950 but there are quite a few limitations in terms of how many entries you can have in the acl. However your acl could be very simple eg.
assuming your subnet was 192.168.5.0 255.255.255.224
access-list 101 permit udp host host eq 53
access-list 101 deny ip host 192.168.5.0 0.0.0.31
access-list 101 permit ip host any
then you apply it to the physical port -
int fa0/1
ip access-group 101 in
you should refer to this document for full details including all the restrictions/limitations -
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swacl.html#wp1082773
Jon

Wifi User Authentication.

Dear Team,
We have cisco switch 2950 and 2960 in two office buildings. all the user in two buildings are using wifi. but now we want one level of authentication to user. means when a new user is created before using internet it must ask for username and password.
we have radiuse server (SBR) , juniper 8208 as core switch, connected to cisco switch 2950 and 2960, and normal wifi AP's,
How can i configure the cisco swiych so wifi request go to radius server for authentication.?

You can configure 802.1X authentication for this. Below is the link for the same.
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/sw8021x.html

Hands-on practice...

Hi there! I hope someone can help me with the following question:
Unfortunately, I don't have access to real routers or switches. However, I have the Boson CCNA Simulator software v.6. I know they're in the process of upgrading the software so that it's compatible with the new CCNA exam, however, I just wondered whether the simulator software I have is adequate for the exam. Specifically, I'm worried about the types and models of routers and switches that my simulator does not support ie Switch 2960. Is there much of a difference between the 1900, 2950 and 2960 series of switches? If there is much of a difference, can you please direct me to a lab where I can access through the internet.
Many thanks.

Well, I would say that at CCNA level there is not too much difference between 2560 and 2960. However, the 1900 is a completely different animal altogether.
Kevin Dorrell
Luxembourg

Cisco Architectures for 2950/2960 Switches and 2800 Routers

Hello,
I have a question regarding the architectures of these three series, i.e. the type of switch fabric they use and the general architecture (first, second, or third generation regarding the sharing of the bus, memory and the type of switch fabric). We have so far learned these three generation and our assumption is that the only generation being produced now is the third (crossbar) generation, but so far we have to information to back up this claim. We are doing a study on buffer sizing in edge routers/switches so knowing the exact architecture of each model is our priority.
Thank you for reading and thanks in advance for the answers.

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Exact details on Cisco switch and/or router architecture can be hard to come by, as much of the information, Cisco appears to consider proprietary.
Most switches have some kind of cross bar architecture. Overall bandwidth tends to be higher in later variants (to support higher port densities and/or higher bandwidth ports). Later switch architectures are less likely to block at ports. However, there are often other architecture changes which may improve or worsen performance. For example, 2960 tends to have more fabric bandwidth than the 2950, but the 2960 has different port buffer management (I believe) from the 2950, often resulting in more port drops with bursty traffic.
True routers, like the 2800 series, I believe use a PCI bus, with additional bandwidth restrictions to the modules. They will well support the WAN bandwidths they are recommended for, but they do not well support LAN port bandwidths. Again, specific architecture details can be hard to come by.

Cisco Catalyst 2950/2960/3750 Multicast Traffic Preference

Hello all,
we, as a student company act as an ISP for university dormitories. We would like to (if it's possible) deploy QoS to prefer multicast traffic over all other types of traffic.
Devices used in network:
Acces layer: Cisco Catalyst 2950, 12.1(22)EA14
Dristribution layer: Cisco Catalyst 2960G, 12.2(58)SE1
Core layer: Cisco Catalyst 3750G, 12.2(52)SE
Do you see any possibility to solve this with these devices? We have almost no experience with QoS, therefore any help would be greatly appreciated.
Thanks in advance.

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Hmm, I think it should be doable although the 2950s, if non-E variants, are especially weak in QoS features. I.e. those might create some issues.
With the 2960G and 3750G, you often will create problems when you enable QoS because QoS, by default, allocates its buffers resources for 4 egress queues per port rather than using all for 1 egress queue per port. However, this can be countered by QoS parameter tuning, but that takes some QoS expertize to match to your traffic and your overall QoS policy.

Configuring wired 802.1x with Cisco 2950 and NPS 2012 problem

Hi,
I am trying to setup wired authentication on my corporate network. For testing purposes, I have setup a Cisco 2950 switch for RADIUS authentication.
On the first day of the test, access messages were appearing on the event log of the 2012 Server and we were trying to address the issues with EAP and policy.(Network Policy and Access services)
Then, suddenly no events are written to the event log for the wired authentication. Accounting data is written to the log file at c:\windows\system32\logfiles, but nothing happens on the event log as if the NPS is not answering. We are using the same server for wireless 802.1x and all is working fine.
Checking the wired autoconfig log on the client, Restart Reason : Onex Auth Timeout appears.
Logging seems to be configured properly, there are no entries in event log. Below is the debug information from the 2950 switch;
KAT2-BATISW1#
00:18:28: dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet
0/17
00:18:28: dot1x-registry:dot1x_port_linkcomingup invoked on interface FastEthern
et0/17
00:18:28: dot1x-ev:dot1x_port_enable: set dot1x ask handler on interface FastEth
ernet0/17
00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
17 (admin=Both, current oper=Both)
00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
Both
00:18:28: dot1x_auth Fa0/17: initial state auth_initialize has enter
00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_initialize_enter called
00:18:28: dot1x-ev:auth_initialize_enter:0000.0000.0000: Current ID=0
00:18:28: dot1x_auth Fa0/17: during state auth_initialize, got event 0(cfg_a
uto)
00:18:28: @@@ dot1x_auth Fa0/17: auth_initialize -> auth_disconnected
00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_disconnected_enter_action called
00:18:28: dot1x-sm:
dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZE
D
00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
17 (admin=Both, current oper=Both)
00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
Both
00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
hernet0/17
00:18:28: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUT
HORIZED
00:18:28: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to send po
rt to unauthorized on vlan 0
00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
00:18:28: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0 on F
astEthernet0/17
00:18:28: dot1x-ev: GuestVlan configured=0
00:18:28: dot1x-ev:supplicant 0000.0000.0000 is default
00:18:28: dot1x-ev:supplicant 0000.0000.0000 is last
00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
00:18:28: dot1x-ev:0000.0000.0000 is now unauthorized on port FastEthernet0/17
00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
hernet0/17
00:18:28: dot1x-ev:Enter function dot1x_aaa_acct_end
00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
00:18:28: dot1x_auth Fa0/17: idle during state auth_disconnected
00:18:28: @@@ dot1x_auth Fa0/17: auth_disconnected -> auth_connecting
00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_connecting_enter called
00:18:28: dot1x_bend Fa0/17: initial state dot1x_bend_initialize has enter
00:18:28: dot1x-sm:Dot1x Initialize State Entered
00:18:28: dot1x_bend Fa0/17: initial state dot1x_bend_initialize has idle
00:18:28: dot1x_bend Fa0/17: during state dot1x_bend_initialize, got event 1
6383(idle)
00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
00:18:28: dot1x-sm:Dot1x Idle State Entered
00:18:28: dot1x-ev:Created port supplicant block 0000.0000.0000 expected_id=0 cu
rrent_id=0
00:18:28: dot1x-ev:dot1x_init_sb_oper_info:Default port supplicant at memloc 80D
71C74
00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
FastEthernet0/17
00:18:28: dot1x-ev:
dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current ID=1
00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
00:18:28: dot1x-packet:Tx EAP-Failure, id 0, ver 1, len 4 (Fa0/17)
00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
FastEthernet0/17
00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
000.0000.0000
00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
00:18:28: dot1x-packet:Tx EAP-Request(Id), id 1, ver 1, len 5 (Fa0/17)
00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
00:18:28: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
00:18:28: dot1x-packet:Rx EAP-Response(Id), id 1, ver 1, len 21 (Fa0/17)
00:18:28: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
00:18:28: dot1x-ev:Couldn't find a supplicant block for mac 0024.1d10.d7c5
00:18:28: dot1x-ev:Couldn't find a supplicant block for mac 0024.1d10.d7c5
00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
00:18:28: dot1x_auth Fa0/17: initial state auth_initialize has enter
00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_initialize_enter called
00:18:28: dot1x-ev:auth_initialize_enter:0024.1d10.d7c5: Current ID=0
00:18:28: dot1x_auth Fa0/17: during state auth_initialize, got event 0(cfg_a
uto)
00:18:28: @@@ dot1x_auth Fa0/17: auth_initialize -> auth_disconnected
00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_disconnected_enter_action called
00:18:28: dot1x-sm:
dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZE
D
00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
17 (admin=Both, current oper=Both)
00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
Both
00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
hernet0/17
00:18:28: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUT
HORIZED
00:18:28: dot1x-ev:dot1x_update_port_status: using mac 0024.1d10.d7c5 to send po
rt to unauthorized on vlan 0
00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:28: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0 on F
astEthernet0/17
00:18:28: dot1x-ev: GuestVlan configured=0
00:18:28: dot1x-ev:supplicant 0024.1d10.d7c5 is last
00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:28: dot1x-ev:0024.1d10.d7c5 is now unauthorized on port FastEthernet0/17
00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
hernet0/17
00:18:28: dot1x-ev:Enter function dot1x_aaa_acct_end
00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:28: dot1x_auth Fa0/17: idle during state auth_disconnected
00:18:28: @@@ dot1x_auth Fa0/17: auth_disconnected -> auth_connecting
00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
00:18:28: dot1x_bend Fa0/17: initial state dot1x_bend_initialize has enter
00:18:28: dot1x-sm:Dot1x Initialize State Entered
00:18:28: dot1x_bend Fa0/17: initial state dot1x_bend_initialize has idle
00:18:28: dot1x_bend Fa0/17: during state dot1x_bend_initialize, got event 1
6383(idle)
00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
00:18:28: dot1x-sm:Dot1x Idle State Entered
00:18:28: dot1x-ev:Created port supplicant block 0024.1d10.d7c5 expected_id=1 cu
rrent_id=1
00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
FastEthernet0/17
00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
FastEthernet0/17
00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
024.1d10.d7c5
00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
00:18:28: dot1x-packet:Tx EAP-Request(Id), id 0, ver 1, len 5 (Fa0/17)
00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
00:18:28: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
00:18:28: dot1x-packet:Rx EAP-Response(Id), id 0, ver 1, len 21 (Fa0/17)
00:18:28: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:28: dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
pId)
00:18:28: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
00:18:28: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
alled
00:18:28: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
00:18:28: dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
start)
00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
00:18:28: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
D353C, swidb=807D4898 on intf=Fa0/17
00:18:28: dot1x-ev:Managed Timer in sub-block attached as leaf to master
00:18:28: dot1x-sm:Started the ServerTimeout Timer
00:18:28: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and leng
th = 21
00:18:28: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967283
00:18:28: dot1x-ev:Couldn't Find a process thats already handling the request fo
r this id 0
00:18:28: dot1x-ev:Inserted AAA request for interface FastEthernet0/17, MAC 0024
.1d10.d7c5, VLAN 0 on pending request queue
00:18:28: dot1x-ev:Found a free slot at slot 0
00:18:28: dot1x-ev:Found a free slot at slot 0
00:18:28: dot1x-ev:Processing AAA request for interface FastEthernet0/17, MAC 00
24.1d10.d7c5, VLAN 0 from pending request queue
00:18:28: dot1x-ev:Request id = -13 and length = 21
00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:28: dot1x-ev:The Interface on which we got this AAA Request is FastEtherne
t0/17
00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:28: dot1x-ev:Username is DUZEY\SAYTAMANER
00:18:28: dot1x-ev:MAC Address is 0024.1d10.d7c5
00:18:28: dot1x-ev:RemAddr is 00-24-1D-10-D7-C5/00-0F-24-E9-72-D1
00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:30: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
00:18:46: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
00:18:46: dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/17)
00:18:46: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:46: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
00:18:46: dot1x_auth Fa0/17: during state auth_authenticating, got event 4(e
apStart)
00:18:46: @@@ dot1x_auth Fa0/17: auth_authenticating -> auth_aborting
00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_aborting_enter called
00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_aborting_action cal
led
00:18:46: dot1x-ev:Received DOT1X_MSG_AUTH_ABORT: setting msg_id = 0
00:18:46: dot1x_bend Fa0/17: during state dot1x_bend_response, got event 5(i
nitialize)
00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_response -> dot1x_bend_initialize
00:18:46: dot1x-sm:Dot1x Initialize State Entered
00:18:46: dot1x_bend Fa0/17: idle during state dot1x_bend_initialize
00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
00:18:46: dot1x-sm:Dot1x Idle State Entered
00:18:46: dot1x_auth Fa0/17: during state auth_aborting, got event 16(noauth
Abort_noeapLogoff)
00:18:46: @@@ dot1x_auth Fa0/17: auth_aborting -> auth_connecting
00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
00:18:46: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
024.1d10.d7c5
00:18:46: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
00:18:46: dot1x-packet:Tx EAP-Request(Id), id 1, ver 1, len 5 (Fa0/17)
00:18:46: dot1x-registry:registry:dot1x_ether_macaddr called
00:18:46: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
00:18:46: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
00:18:46: dot1x-packet:Rx EAP-Response(Id), id 1, ver 1, len 21 (Fa0/17)
00:18:46: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:46: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
00:18:46: dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
pId)
00:18:46: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
00:18:46: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
alled
00:18:46: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
00:18:46: dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
start)
00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
00:18:46: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
D353C, swidb=807D4898 on intf=Fa0/17
00:18:46: dot1x-ev:Managed Timer in sub-block attached as leaf to master
00:18:46: dot1x-sm:Started the ServerTimeout Timer
00:18:46: dot1x-ev:Going to Send Request to AAA Client on RP for id = 1 and leng
th = 21
00:18:46: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967284
00:18:46: dot1x-ev:Found a process thats already handling therequest for this id
1
00:18:48: dot1x-err:Dot1x Authentication failed (AAA_AUTHEN_STATUS_ERROR)
00:18:48: dot1x-ev:Received VLAN is No Vlan
00:18:48: dot1x-ev:Enqueued the response to BackEnd
00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:48: dot1x-ev:Enter function dot1x_aaa_acct_end
00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:18:48: dot1x-ev:Received QUEUE EVENT in response to AAA Request
00:18:58: dot1x-sm:Fa0/17:0000.0000.0000:dot1x_process_txWhen_expire called
00:18:58: dot1x_auth Fa0/17: during state auth_connecting, got event 19(txWh
en_expire)
00:18:58: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_connecting
00:18:58: dot1x-sm:Fa0/17:0000.0000.0000:auth_connecting_connecting_action calle
d
00:18:58: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for def
ault supplicant
00:19:07: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
00:19:07: dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/17)
00:19:07: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:19:07: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
00:19:07: dot1x_auth Fa0/17: during state auth_authenticating, got event 4(e
apStart)
00:19:07: @@@ dot1x_auth Fa0/17: auth_authenticating -> auth_aborting
00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_aborting_enter called
00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_aborting_action cal
led
00:19:07: dot1x-ev:Received DOT1X_MSG_AUTH_ABORT: setting msg_id = 0
00:19:07: dot1x_bend Fa0/17: during state dot1x_bend_response, got event 5(i
nitialize)
00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_response -> dot1x_bend_initialize
00:19:07: dot1x-sm:Dot1x Initialize State Entered
00:19:07: dot1x_bend Fa0/17: idle during state dot1x_bend_initialize
00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
00:19:07: dot1x-sm:Dot1x Idle State Entered
00:19:07: dot1x_auth Fa0/17: during state auth_aborting, got event 16(noauth
Abort_noeapLogoff)
00:19:07: @@@ dot1x_auth Fa0/17: auth_aborting -> auth_connecting
00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
00:19:07: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
024.1d10.d7c5
00:19:07: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
00:19:07: dot1x-packet:Tx EAP-Request(Id), id 2, ver 1, len 5 (Fa0/17)
00:19:07: dot1x-registry:registry:dot1x_ether_macaddr called
00:19:07: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
00:19:07: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
00:19:07: dot1x-packet:Rx EAP-Response(Id), id 2, ver 1, len 21 (Fa0/17)
00:19:07: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:19:07: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
00:19:07: dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
pId)
00:19:07: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
00:19:07: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
alled
00:19:07: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
00:19:07: dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
start)
00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
00:19:07: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
D353C, swidb=807D4898 on intf=Fa0/17
00:19:07: dot1x-ev:Managed Timer in sub-block attached as leaf to master
00:19:07: dot1x-sm:Started the ServerTimeout Timer
00:19:07: dot1x-ev:Going to Send Request to AAA Client on RP for id = 2 and leng
th = 21
00:19:07: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967285
00:19:07: dot1x-ev:Couldn't Find a process thats already handling the request fo
r this id 2
00:19:07: dot1x-ev:Inserted AAA request for interface FastEthernet0/17, MAC 0024
.1d10.d7c5, VLAN 0 on pending request queue
00:19:07: dot1x-ev:Found a free slot at slot 0
00:19:07: dot1x-ev:Found a free slot at slot 0
00:19:07: dot1x-ev:Processing AAA request for interface FastEthernet0/17, MAC 00
24.1d10.d7c5, VLAN 0 from pending request queue
00:19:07: dot1x-ev:Request id = -11 and length = 21
00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:19:07: dot1x-ev:The Interface on which we got this AAA Request is FastEtherne
t0/17
00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:19:07: dot1x-ev:Username is DUZEY\SAYTAMANER
00:19:07: dot1x-ev:MAC Address is 0024.1d10.d7c5
00:19:07: dot1x-ev:RemAddr is 00-24-1D-10-D7-C5/00-0F-24-E9-72-D1
00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
00:19:19: dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet
0/17
00:19:19: dot1x-ev:supp_info=80D7E584 txWhen_timer=80D7E5D4 quietWhile_timer=80D
7E594reAuthWhen_timer=80D7E5B4 awhile_timer=80D7E5F4
00:19:19: dot1x-ev:destroy supplicant block for 0024.1d10.d7c5
00:19:19: dot1x-ev:supp_info=80D71C74 txWhen_timer=80D71CC4 quietWhile_timer=80D
71C84reAuthWhen_timer=80D71CA4 awhile_timer=80D71CE4
00:19:19: dot1x-ev:destroy supplicant block for 0000.0000.0000
00:19:19: dot1x-ev:Enter function dot1x_aaa_acct_end
00:19:19: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
00:19:19: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
00:19:19: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
hernet0/17
00:19:19: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
This is driving me crazy, working on it for a whole week and no results..
Thank you..

Hi again,
I have put the config on 2960. Now as soon as the authentication starts, this is the message on debug;
dot1x authentication unable to start - authenticator not enabled..
Any ideas?
regards,
onur

Packet drops on 2960 with port-security enabled

Hello,
We are using the following port-security configuration on user access ports on Cisco 2960 switches, in order to protect the infrastructure to prevent MAC flooding attacks:
switchport port-security maximum 10 switchport port-security switchport port-security aging time 1 switchport port-security violation restrict switchport port-security aging type inactivity
There is a problem with the more "quiet" hosts, especially in technology - every time the MAC address ages out, the first packets (an ARP request usually) sent by the host is dropped by the switch. There is no violation logged, the switch should be OK to forward the packets but doesn't:
Port Security : EnabledPort Status : Secure-upViolation Mode : RestrictAging Time : 1 minsAging Type : InactivitySecureStatic Address Aging : DisabledMaximum MAC Addresses : 10Total MAC Addresses : 0Configured MAC Addresses : 0Sticky MAC Addresses : 0Last Source Address:Vlan : 0011.aabb.ccdd:11Security Violation Count : 0
When port-security is turned off, all packets are forwarded without trouble. This is happening on both WS-C2960-24TT-L and WS-C2960-8TC-L, with IOS 12.2(35)SE1 and 12.2(50)SE5, respectively. I didn't check other models yet.
I have found similar reports and bugs for the 2950 and 3750:
https://supportforums.cisco.com/thread/163910
https://supportforums.cisco.com/message/89560
https://tools.cisco.com/bugsearch/bug/CSCeg63177
https://tools.cisco.com/bugsearch/bug/CSCec21652
Is there anything we can do to fix this?
Is there an access switch that would not suffer from this problem? (Like 2960-S maybe?)
Thank you.

Hi Alioune,
This is expected behaviour on the Nexus 1000v Ethernet interfaces when the uplinks are configured with MAC pinning.
When using MAC pinning there's no special configuration of the ports on the upstream physical switches and so any broadcast packets are sent by the upstream switches on all uplinks towards the Nexus 1000v switch.
On each VEM of the Nexus there's one uplink interface that is chosen as the Designated Receiver for broadcast traffic, and the function of the DR is to forward received broadcast traffic to VMs within the VLAN. The broadcast traffic received on any other uplinks of the VEM i.e., those that are not the acting as DR, drop the received broadcast traffic on ingress to the VEM.
The drops you're seeing on the uplink interfaces are almost certainly the broadcast traffic being received on one or more non DR uplinks.
Regards

2950 or 2960

Similar Messages

Maybe you are looking for