ARP Inspection on SF-300-24 switch?

I'm having an issue where two PCs are responding to ARP requests "Who is 192.168.0.1". 
The real 192.168.0.1 is on port 1 of the switch, and has a MAC address of 00:24:a5:c7:e0:a8.   I can't seem to setup ARP Inspection properly as the rogue device continues to respond.   Can somebody provide the proper steps?  I've enabled DHCP Snooping, enabled ARP Inspection, enabled IP source guard, added FE1 as a trusted interface and all others untrusted, yet this continues to be an issue.  Not sure what I'm doing wrong and can't find any documentation on the web to help out.  I know where the offending piece of hardware is, unfortunately due to its location I can't fix it for several weeks so just looking to bandaid this for the time being.
Thanks for any help!
Ryan

Thanks for your reply.  No, it does not seem to be working as intended.  Please see my screen attachments. 
I am still getting multiple responses to "WHO HAS 192.168.0.1" from the clients.   Should just be from the trusted host on port 1.
Any other hints are appreciated. Thank you!

Similar Messages

  • ARP inspection Logs

    Hi,
    I have configured ARP inspection along with DHCP snooping.
    All the computers are getting the IPs properly and building the snooping database. but once I disable and enable the network adapter, it starts discovering for IP address, in that process ARP inspection shows log in the switch says invalid ARP (Req) on the port with MAC address of the system and Microsoft Automatic IP even after IP address and the port number entry in the snooping database .
    My cisco Model is 3560 and IOS ver is 15.0 (2) SE6
    Any suggestions what is the issue.
    Regards,
    Azeem

    Hi Bekzod,
    have you disabled insertion of option-82
    if not then type in your switch this command:-
    no ip dhcp snooping information option
    Can you post your configuration you have done for DHCP snooping.

  • How config dynamic arp inspection for 300 or 500 series ?

    Hi Cisco Expert ,
    How config dynamic arp inspection for 300 or 500 series ? Do you have clearly document for this solution ? Could you please to share ?
    i find in admin guide it's no simple to do
    Thank you for kindly support.

    Hi Siriphan, using the command line is the easiest way to deal with this.
    You need to understand the difference between trusted  and untrusted interfaces. The untrusted interfaces are the ports that  will be inspected and if not specified within the arp entry list then  will get dropped.
    Any port you do not want arp inspection to be a part of, you need to trust that port.
    Below is how to make a port trusted.
    configure terminal
    interface fe1
    ip arp inspection trust
    Once you establish the trusted ports, you can build your arp list.
    configure terminal
    ip ap inspection list create ARP_INSPECTION  (the word after the create can be anything you want)
    ip 192.168.100.3 mac-address 64:31:50:1c:50:a1
    This  is the example of adding 1 entry to your arp list. You can add128 of  these entries. These IP/mac binds are the devices that are "safe" from  being dropped.
    Lastly, you need to enable the arp  inspection globally. You DO NOT want to toggle the arp inspection  without establishing your interfaces or bind list. If you do not  establish your trust interfaces and list first, you will lock down any  connection through the switch and essentially brick it.
    To toggle the global arp inspection
    configure terminal
    ip arp inspection
    Once you're done, save your running config to the start up config.
    -Tom
    Please mark answered for helpful posts

  • Dynamic ARP Inspections on Wifi Routers?

    Is Dynamic ARP inspection possible to be done on wifi routers? I'm asking because I can't find any model with that feature. I would especially be interested in some cheaper models for home or small business use (maybe Linksys).

    You could be better served posting this on the SOHO forum. Speaking to enterprise gear like the cisco WLC yes.
    DAI for Wireless Access
    The WLC protects against MIM attacks by performing a similar function as DAI on the WLC itself. DAI should not be enabled on the access switch for those VLANs connecting directly to the WLCs because the WLC uses GARP to support Layer 3 client roaming.
    It is possible to enable DAI for each VLAN configured on a trunk between a FlexConnect and access point. Therefore, DAI is useful in wireless deployments where multiple SSIDs/VLANs exist on an FlexConnect. However, in an FlexConnect WLC deployment, there are two topologies that impact the effectiveness of the DAI feature. Both topologies assume that the attacker is associated to a FlexConnect WLC and is Layer 2-adjacent to the targets:
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch4_Secu.html#pgfId-1019449

  • Help understanding DHCP Snooping and Dynamic ARP Inspection

    Please help me to understand DHCP Snooping and Dynamic ARP Inspection.

    HI Ezra,
    In simple words:
    DHCP Snooping is a feature which is available on switches. This feature is used to prevent rogue dhcp server attacks.
    In the diagram, a valid dhcp server is connected to the network. The computers are suppose to receive dynamic ip addresses from the valid server. An attacker implants a rogue dhcp server on the network as shown in the diagram. The following steps are followed for a client to receive an ip address from a dhcp server.
    When a client (computer) is connected to the switch and is configured to receive a dynamic ip address from a dhcp server, the dhcp service on the client, sends out a DHCP Discover packet, searching for servers on the network. This packet is broadcast in nature. DHCP servers on the network, would respond to the DHCP Discover packet sent from the client. In the example, both the DHCP servers would respond to the DHCP discover packet. The client would process the first packet it receives. If the response send by the rogue dhcp server reaches the client first, then the computer would have an ip address provided by the rogue dhcp server.
    To prevent this, dhcp snooping is configured on the port on which the valid dhcp server is connected to. After the configuration is performed, no other ports on the switch would be able to respond to DHCP Discover packets from the clients. So even through the attacker has set up a rogue dhcp server, the port on the switch to which the attacker has connected would not be allowed to respond to DHCP discover packets. Thus dhcp snooping thwarts the attempt from the attacker in setting up a rogue dhcp server.
    DAI:
    Please read the expalined version from here: http://ciscocertstudyblog.blogspot.de/2010/06/ciscoblogpics.html
    More about DHCP snooping and DAI: Please read this attached document with some detailed explanation.
    Hope it helps.
    Regards
    Please use rating system and mark athe question answered it may help others.

  • Why all packets dropped with %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs error msg for arp inspected vlans for DMZ and Backup

    Hi,
    We have got cisco 3759 switch where the followign line was configrued only
    ip arp inspection vlan 6,100
    And on those vlans no arp inspection trust was configrued. DMZ and backup servers were connected on that switch. Switch got restarted wihtin 5 minutes for the power outage and when the swithc came online it was denying all the packets coming through the vlan 100 adn 6 althought it was allowing packets before the power outage.
    It took me 30 minutes to find out that arp inspection was enables which might cause the issue, but I am still unsue why it would block all packets for vlan 100 & 6.After taking out the command ' ip arp inspection vlan 6,100' all started working fine.
    What is the reason the switch had this issue? Is there any resolution for this? thanks
    FYI: The error messages-
    0:48:32: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.182/14:48:32 AEST Sun Feb 28 1993])
    00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/3, vlan 6.([000c.2915.1abe/220.233.31.184/0000.0000.0000/220.233.31.177/14:48:32 AEST Sun Feb 28 1993])
    00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.178/14:48:33 AEST Sun Feb 28 1993])
    00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.184/14:48:33 AEST Sun Feb 28 1993])
    Regards,
    Arman

    Code version:
    System image file is "flash:c3750-ipservicesk9-mz.122-50.SE3/c3750-ipservicesk9-mz.122-50.SE3.bin"
    I don’t have any etherchannel running from the switch. It is connected to vmware machines which are on DMZ.
    rgds,
    arman

  • Sg200-50 support dhcp snooping and dynamic arp inspection?

    do the sg200-50 switches support:
    dhcp snooping
    dynamic arp inspection
    ?? thanks

    HI d.pennington,
    SG200 is L2 switch only.  so this mean switch not support dhcp snooping.  Switch support IGMP snooping, Switch support dynamic arp table.  You can management switch with web page GUI only (CLI) not supported.
    Thanks,
    Moh

  • Arp inspection limit

    Can anyone help explain to me the way that arp inspection packet per second limiting works when enabling burst. For example, if my config is "ip arp inspection limit rate 25 burst 3", does the switch check every three seconds to see if arp packets were beyond the threshold every second of that interval? Is it simply checking every three seconds to see if the total arp packets are above 75 for the entire interval? Is it checking every three seconds or every second for the prior three second interval?
    I am having a consistent issue with multiple devices in one building violating our arp packet per second limit.  Is anyone else using a burst interval, and have you come across any client hardware that consistently violates the pps limit? What is your pps limit?

    Initially we used the default settings, ie 15 pps, but since the migration of the park in Win7 we had problems (probably Windows network discovery):
    % SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 855 milliseconds on Fa0/1.
    So we set the threshold at 64 pps with a burst of three seconds (ip arp inspection limit rate 64 burst interval 3)
    Recently I had a user who exceeded the threshold:
    % SW_DAI-4-PACKET_BURST_RATE_EXCEEDED: 279 packets received in 3 seconds on Fa0/35.
    The message in the logs, suggests that if the threshold is exceeded per second, you can expect to see the value of 3 seconds. The threshold would be your value multiplied by the duration of the burst threshold (ie 64x3 = 192?). I'm not sure.

  • %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/40

    Hi All,
    I am getting below error in the Switch, Please help how to troubleshoot and stop.
    Mar 11 09:46:07.492 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/37, putting Gi2/0/37 in err-disable state (C29NEWM434-03-2)
    Mar 11 09:49:07.516 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/37 (C29NEWM434-03-2)
    Mar 11 10:02:55.308 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/37, putting Gi2/0/37 in err-disable state (C29NEWM434-03-2)
    Mar 11 10:05:55.325 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/37 (C29NEWM434-03-2)
    Mar 11 10:11:39.306 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/37, putting Gi2/0/37 in err-disable state (C29NEWM434-03-2)
    Mar 11 10:14:39.323 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/37 (C29NEWM434-03-2)
    Mar 11 10:50:13.152 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/37, putting Gi2/0/37 in err-disable state (C29NEWM434-03-2)
    Mar 11 10:53:13.162 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/37 (C29NEWM434-03-2)
    Mar 11 14:53:30.262 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/40, putting Gi2/0/40 in err-disable state (C29NEWM434-03-2)
    Mar 11 14:56:30.279 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/40 (C29NEWM434-03-2)
    Mar 11 15:33:03.207 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/40, putting Gi2/0/40 in err-disable state (C29NEWM434-03-2)
    Mar 11 15:36:03.227 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/40 (C29NEWM434-03-2)
    Mar 11 15:46:03.250 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/40, putting Gi2/0/40 in err-disable state (C29NEWM434-03-2)
    Mar 11 15:49:03.268 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/40 (C29NEWM434-03-2)
    Mar 11 15:53:23.050 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/40, putting Gi2/0/40 in err-disable state (C29NEWM434-03-2)
    Mar 11 15:56:23.064 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/40 (C29NEWM434-03-2)
    Mar 11 17:09:43.703 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/40, putting Gi2/0/40 in err-disable state (C29NEWM434-03-2)
    Mar 12 09:53:20.747 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/40, putting Gi2/0/40 in err-disable state (C29NEWM434-03-2)
    Thanks in advance,
    Nagasheshu.

    sh errdisable recovery
    ErrDisable Reason            Timer Status
    arp-inspection               Enabled
    bpduguard                    Enabled
    channel-misconfig (STP)      Disabled
    dhcp-rate-limit              Disabled
    dtp-flap                     Disabled
    gbic-invalid                 Disabled
    inline-power                 Disabled
    link-flap                    Enabled
    mac-limit                    Disabled
    loopback                     Disabled
    pagp-flap                    Disabled
    port-mode-failure            Disabled
    pppoe-ia-rate-limit          Disabled
    psecure-violation            Disabled
    security-violation           Disabled
    sfp-config-mismatch          Disabled
    small-frame                  Disabled
    storm-control                Disabled
    udld                         Disabled
    vmps                         Disabled
    psp                          Disabled
    Timer interval: 180 seconds
    Interfaces that will be enabled at the next timeout:
    sh ip arp inspection int output
     Gi2/0/37         Untrusted               15                 1
     Interface        Trust State     Rate (pps)    Burst Interval
     Gi2/0/38         Untrusted               15                 1
     Gi2/0/39         Untrusted               15                 1
     Gi2/0/40         Untrusted               15                 1
     Gi2/0/41         Untrusted               15                 1
     Gi2/0/42         Untrusted               15                 1
     Gi2/0/43         Untrusted               15                 1
     Gi2/0/44         Untrusted               15                 1
     Gi2/0/45         Untrusted               15                 1
     Gi2/0/46         Untrusted               15                 1
     Gi2/0/47         Untrusted               15                 1
     Gi2/0/48         Trusted               None               N/A
     Gi2/0/49         Untrusted               15                 1
    sh cdp  neighbors Gig 2/0/40 det
    Device ID: SEP0004f2440d98
    Entry address(es):
      IP address: 10.210.86.86
    Platform: Polycom SoundPoint IP 450,  Capabilities: Host Phone
    Interface: GigabitEthernet2/0/40,  Port ID (outgoing port): Port 1
    Holdtime : 120 sec
    Version :
    Updater: 5.0.2, App: 4.0.2
    advertisement version: 2
    Duplex: full
    Power drawn: 5.400 Watts
    Power Available TLV:
        Power request id: 0, Power management id: 0, Power available: 0, Power management level: 0
    Management address(es):
    29NEWM434-03#sh run | i arp inspe
    ip arp inspection vlan 11-13,21-23
    Please see the output and config. Please advise.
    Thanks!!

  • Jumbo frame caveat on 3750 - dynamic arp inspection

    i want to enable jumbo frame on a stacked 3750 running 12.2.25(SEB2).
    any caveats - the only caveat i found is dynamic arp inspection.

    Hello,
    There is no know problem with Jumbo/Giant frame support on 3750 platform other than the bug you reported.
    I have verified that Jumbo/Giant frame support works on 12.2(25)SED in stack configuration.
    Facts
    - The 12.2(25)SEB2 release has been deferred. Cisco advises you to upgrade to to (at least) 12.2(25)SEB3.
    http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/printdefer.pl?platform=CAT3750&majorRel=12.2&release=12.2.25-SEB2&data_from=&file=12.2.25-SEB2.CAT3750.c.html
    - Jumbo/Giant frame support
    http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml#3750
    HTH

  • ESW 520 ARP Inspection Problem

    Hello,
    I have observed strange behavior on ESW 520 switches, with ARP Inspection operation.  ARP inspection is configured with static ip to mac bindings, and it work.Problem is with logs, switch generates tons of ARP inspection logs, during network normal operation, but network endpoints are working well. These logs are same witch are generated during ARP poisoning in network. This operation was observed in older and new firmware.
    Here is sample log:
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:5a:85:2e SRC IP
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.16
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:19:85:26 SRC IP
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.15
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.16
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:12:85:2e SRC IP
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:11:85:26 SRC I
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.1
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e8 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:14:85:0c SRC IP
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.14
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e3 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:3f SRC IP
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.12
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e8 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:51:85:0c SRC IP
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.14
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
    from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:57:85:26 SRC IP
    0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.15
    It seems switch dont like ARP request which are going to local network addresses., but in that vlan all host can communicate which each other.
    Do you have any idea what can be the problem ?

    Hi ngtransge,
    I will first come to say I do not know the answer. But, I will suspect the log entries are indicating a MAC address that arrived on the interface that did not recognize the IP or MAC address. If the MAC or IP is not found in the inspection list, it would revert to the DHCP snooping table if that is enabled.
    I would suspect these entries are coming from an untrusted interface then goes through validation.
    Can you show the trusted interfaces and the MAC bindings?
    Are the MAC addresses on the log entry meaningful to you in any way?
    Are those MAC addresses supposed to be going to a particular destination? Or conversely, are the MAC addresses supposed to be seen on an untrusted interface?
    -Tom

  • ARP Inspection issue

    3 switches in the same broadcast domain (transparent mode), approx 200 vlans. Trunk links between switches allow all vlans 1-4096
    I setup arp inspection for 1 particular vlan to troubleshoot an arp server issue, possibly an unintentionally arp MITM. Setup as follows:
    ip arp inspection vlan 100
    arp access-list DAI
    permit ip any mac any
    ip arp inspection filter DAI vlan 100
    ip arp inspection vlan 100 logging acl-match matchlog
    Once enabled some of the servers in each switch on vlan100 went into error disable mode and the Port channel between switches went into error disabled status, once I removed "no ip inspection vlan 100" and shut/no shut on the Port channel the Port channel came back up and I had to wade through and shut/no shut on all the error disabled server ports everything was back to normal.
    Am I right saying the problem was caused by not setting the Port Channels between switches to "arp inspection trust" and should I just leave all the server ports to untrusted (default). i.e for all inter switch links
    conf t
    int Po200
    ip arp inspection trust
    end
    then leave everything else is? Would this make the problem go away. I can't try now as Production kit, don't really have an ideal UAT lab as such yet.

    Hello stephendrkw,
    I believe you are right about the port channel causing the outage.
    Typically all host ports would be configured as untrusted and all switchports connected to other switches would be trusted.  Configuring a port as untrusted when it should be trusted, can cause an  outage. 
    If you suspect a MITM attack, you can go to a pc that you think may be sending the ip traffic to the wrong mac and at the command prompt, type "arp -a 192.168.1.1" and verify it has the correct mac address mapped to the ip address.  If it has the wrong mac, you can login to the switch then "show mac address-table address xxxx.xxxx.xxxx to locate the source of the MITM attack.
    On the switch side, you can type "show arp | i 192.168.1.1" and "show arp | i "mac address" to verify what mac is binded to the ip address. 
    Hope this helps....

  • Do sg200-50 support dhcp snooping or dynamic arp inspection (DAI) ?

    do the sg200-50 switches support:
    dhcp snooping
    dynamic arp inspection
    ?? thanks

    HI d.pennington,
    SG200 is L2 switch only.  so this mean switch not support dhcp snooping.  Switch support IGMP snooping, Switch support dynamic arp table.  You can management switch with web page GUI only (CLI) not supported.
    Thanks,
    Moh

  • SG-300 28P switches problem with VLAN Data and Voice, working all the time as Voice VLAN

    Hi Everyone,
    Thank you very much for your help in advance. I’m pulling my hair to fix the problem.
    I  just got the new SG-300 28P switches. My Bios ordered for me. I did not  know how it runs until now... not an IOS based. I really do not know  how to configure it.
    I have 2 VLAN are Data and Voice.
    -          Data VLAN ID is 2 IP 192.168.2.X/255.255.255.0
    -          Voice VLAN ID is 200 IP 192.168.22.X/255.255.255.0
    -          I created two vlans, in switch, Data and Voice.
    -          On the port number 28, it is trunk by default, so I add Data vlan ID 2 tagged.
    -          On the port number 26, it is trunk by default, so I add Voice vlan ID 200 tagged.
    -          On the port number 27, I add Data vlan ID 2 tagged for Data vlan out.
    -          Port settings No.1
    I set it up as Trunk with Data vlan 2 untagged, and  200  Tagged (voice vlan). I plugged in a phone with a pc attached. But the  PC will get to the vlan 200 to get the DHCP address, but no from vlan 2.  The Phone works with correct vlan ip.
    -          Port settings No.2
    Trunk with vlan 1UP, 2T, and 200T. The phone is even worse. Would never pick up any IP from DHCP.
    -          Port settings No.3
    Access  with 200U...of course the phone will work... and the PC could not get  to its own vlan. Instead, the PC got an ip from the voice vlan. Not from  VLAN 2.
    I have Linksys phone I’m not sure if this help.
    For more information I setup in switch,
                - enable voice vlan
    - set the port on auto voice vlan
    - enable LLDP-MED globally
    - create a network policy to assign VLAN 200
    - assign this network policy to the port the phone is connected to.
    I  hope this information help to help me to setup Data and Voice vlans, to  plug the phone to work with vlan Voice 200 (IP rang 192.168.22.X), from  phone to Pc and pc work as Data vlan 2 (IP rang 192.168.2.X).

    I just got done setting up voice VLANs on an SF 300-24P and verified working.  This was working with Cisco 7900 series phones connected to a Cisco UC setup.
    Here's my sample config.
    Note that I edited this by hand before posting, so doing a flat out tftp restore probably won't work.  However, this should give you a clue.  Also, don't take this as 100% accurate or correct.  I've only been working with these things for about a week, though I've worked with the older Linksys SRW switches for a couple of years.  I'm a CCNP/CCDP.
    VLAN 199 is my management VLAN and is the native VLAN on 802.1q trunks.
    VLAN 149 is the data/computer VLAN here.
    VLAN 111 is the voice/phone VLAN here.
    VLAN 107 does nothing.
    interface range ethernet e(1-24)
    port storm-control broadcast enable
    exit
    interface ethernet e1
    port storm-control include-multicast
    exit
    interface ethernet e2
    port storm-control include-multicast
    exit
    interface ethernet e3
    port storm-control include-multicast
    exit
    interface ethernet e4
    port storm-control include-multicast
    exit
    interface ethernet e5
    port storm-control include-multicast
    exit
    interface ethernet e6
    port storm-control include-multicast
    exit
    interface ethernet e7
    port storm-control include-multicast
    exit
    interface ethernet e8
    port storm-control include-multicast
    exit
    interface ethernet e9
    port storm-control include-multicast
    exit
    interface ethernet e10
    port storm-control include-multicast
    exit
    interface ethernet e11
    port storm-control include-multicast
    exit
    interface ethernet e12
    port storm-control include-multicast
    exit
    interface ethernet e13
    port storm-control include-multicast
    exit
    interface ethernet e14
    port storm-control include-multicast
    exit
    interface ethernet e15
    port storm-control include-multicast
    exit
    interface ethernet e16
    port storm-control include-multicast
    exit
    interface ethernet e17
    port storm-control include-multicast
    exit
    interface ethernet e18
    port storm-control include-multicast
    exit
    interface ethernet e19
    port storm-control include-multicast
    exit
    interface ethernet e20
    port storm-control include-multicast
    exit
    interface ethernet e21
    port storm-control include-multicast
    exit
    interface ethernet e22
    port storm-control include-multicast
    exit
    interface ethernet e23
    port storm-control include-multicast
    exit
    interface ethernet e24
    port storm-control include-multicast
    exit
    interface range ethernet g(1-4)
    description "Uplink trunk"
    exit
    interface range ethernet g(1-4)
    switchport default-vlan tagged
    exit
    interface range ethernet e(21-24)
    switchport mode access
    exit
    vlan database
    vlan 107,111,149,199
    exit
    interface range ethernet g(1-4)
    switchport trunk allowed vlan add 107
    exit
    interface range ethernet e(21-24)
    switchport access vlan 111
    exit
    interface range ethernet g(1-4)
    switchport trunk allowed vlan add 111
    exit
    interface range ethernet e(1-20)
    switchport trunk native vlan 149
    exit
    interface range ethernet g(1-4)
    switchport trunk allowed vlan add 149
    exit
    interface range ethernet g(1-4)
    switchport trunk native vlan 199
    exit
    voice vlan aging-timeout 5
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    voice vlan oui-table add 108ccf MyCiscoIPPhones1
    voice vlan oui-table add 40f4ec MyCiscoIPPhones2
    voice vlan oui-table add 8cb64f MyCiscoIPPhones3
    voice vlan id 111
    voice vlan cos 6 remark
    interface ethernet e1
    voice vlan enable
    exit
    interface ethernet e1
    voice vlan cos mode all
    exit
    interface ethernet e2
    voice vlan enable
    exit
    interface ethernet e2
    voice vlan cos mode all
    exit
    interface ethernet e3
    voice vlan enable
    exit
    interface ethernet e3
    voice vlan cos mode all
    exit
    interface ethernet e4
    voice vlan enable
    exit
    interface ethernet e4
    voice vlan cos mode all
    exit
    interface ethernet e5
    voice vlan enable
    exit
    interface ethernet e5
    voice vlan cos mode all
    exit
    interface ethernet e6
    voice vlan enable
    exit
    interface ethernet e6
    voice vlan cos mode all
    exit
    interface ethernet e7
    voice vlan enable
    exit
    interface ethernet e7
    voice vlan cos mode all
    exit
    interface ethernet e8
    voice vlan enable
    exit
    interface ethernet e8
    voice vlan cos mode all
    exit
    interface ethernet e9
    voice vlan enable
    exit
    interface ethernet e9
    voice vlan cos mode all
    exit
    interface ethernet e10
    voice vlan enable
    exit
    interface ethernet e10
    voice vlan cos mode all
    exit
    interface ethernet e11
    voice vlan enable
    exit
    interface ethernet e11
    voice vlan cos mode all
    exit
    interface ethernet e12
    voice vlan enable
    exit
    interface ethernet e12
    voice vlan cos mode all
    exit
    interface ethernet e13
    voice vlan enable
    exit
    interface ethernet e13
    voice vlan cos mode all
    exit
    interface ethernet e14
    voice vlan enable
    exit
    interface ethernet e14
    voice vlan cos mode all
    exit
    interface ethernet e15
    voice vlan enable
    exit
    interface ethernet e15
    voice vlan cos mode all
    exit
    interface ethernet e16
    voice vlan enable
    exit
    interface ethernet e16
    voice vlan cos mode all
    exit
    interface ethernet e17
    voice vlan enable
    exit
    interface ethernet e17
    voice vlan cos mode all
    exit
    interface ethernet e18
    voice vlan enable
    exit
    interface ethernet e18
    voice vlan cos mode all
    exit
    interface ethernet e19
    voice vlan enable
    exit
    interface ethernet e19
    voice vlan cos mode all
    exit
    interface ethernet e20
    voice vlan enable
    exit
    interface ethernet e20
    voice vlan cos mode all
    exit
    interface ethernet e1
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e2
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e3
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e4
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e5
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e6
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e7
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e8
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e9
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e10
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e11
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e12
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e13
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e14
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e15
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e16
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e17
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e18
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e19
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e20
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e21
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e22
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e23
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e24
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g1
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g2
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g3
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g4
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e1
    lldp med notifications topology-change enable
    exit
    interface ethernet e2
    lldp med notifications topology-change enable
    exit
    interface ethernet e3
    lldp med notifications topology-change enable
    exit
    interface ethernet e4
    lldp med notifications topology-change enable
    exit
    interface ethernet e5
    lldp med notifications topology-change enable
    exit
    interface ethernet e6
    lldp med notifications topology-change enable
    exit
    interface ethernet e7
    lldp med notifications topology-change enable
    exit
    interface ethernet e8
    lldp med notifications topology-change enable
    exit
    interface ethernet e9
    lldp med notifications topology-change enable
    exit
    interface ethernet e10
    lldp med notifications topology-change enable
    exit
    interface ethernet e11
    lldp med notifications topology-change enable
    exit
    interface ethernet e12
    lldp med notifications topology-change enable
    exit
    interface ethernet e13
    lldp med notifications topology-change enable
    exit
    interface ethernet e14
    lldp med notifications topology-change enable
    exit
    interface ethernet e15
    lldp med notifications topology-change enable
    exit
    interface ethernet e16
    lldp med notifications topology-change enable
    exit
    interface ethernet e17
    lldp med notifications topology-change enable
    exit
    interface ethernet e18
    lldp med notifications topology-change enable
    exit
    interface ethernet e19
    lldp med notifications topology-change enable
    exit
    interface ethernet e20
    lldp med notifications topology-change enable
    exit
    interface ethernet e21
    lldp med notifications topology-change enable
    exit
    interface ethernet e22
    lldp med notifications topology-change enable
    exit
    interface ethernet e1
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e2
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e3
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e4
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e5
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e6
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e7
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e8
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e9
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e10
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e11
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e12
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e13
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e14
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e15
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e16
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e17
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e18
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e19
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e20
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e21
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e22
    lldp med enable network-policy poe-pse
    exit
    lldp med network-policy 1 voice vlan 111 vlan-type tagged
    interface range ethernet e(1-22)
    lldp med network-policy add 1
    exit
    interface vlan 199
    ip address 199.16.30.77 255.255.255.0
    exit
    ip default-gateway 199.16.30.3
    interface vlan 1
    no ip address dhcp
    exit
    no bonjour enable
    bonjour service enable csco-sb
    bonjour service enable http  
    bonjour service enable https 
    bonjour service enable ssh   
    bonjour service enable telnet
    hostname psw1
    line console
    exec-timeout 30
    exit
    line ssh
    exec-timeout 30
    exit
    line telnet
    exec-timeout 30
    exit
    management access-list Management1
    permit ip-source 10.22.5.5 mask 255.255.255.0
    exit
    logging 199.16.31.33 severity debugging description mysysloghost
    aaa authentication enable Console local
    aaa authentication enable SSH tacacs local
    aaa authentication enable Telnet local
    ip http authentication tacacs local
    ip https authentication tacacs local
    aaa authentication login Console local
    aaa authentication login SSH tacacs local
    aaa authentication login Telnet local
    line telnet
    login authentication Telnet
    enable authentication Telnet
    password admin
    exit
    line ssh
    login authentication SSH
    enable authentication SSH
    password admin
    exit
    line console
    login authentication Console
    enable authentication Console
    password admin
    exit
    username admin password admin level 15
    power inline usage-threshold 90
    power inline traps enable
    ip ssh server
    snmp-server location in-the-closet
    snmp-server contact [email protected]
    ip http exec-timeout 30
    ip https server
    ip https exec-timeout 30
    tacacs-server host 1.2.3.4 key spaceballz  timeout 3  priority 10
    clock timezone -7
    clock source sntp
    sntp unicast client enable
    sntp unicast client poll
    sntp server 199.16.30.1
    sntp server 199.16.30.2
    ip domain-name mydomain.com
    ip name-server  199.16.5.12 199.16.5.13
    ip telnet server

  • Arp inspection not working on ASA

    Folks,
    I configured a transparent firewall on ASA. I have arp inspection enabled, with dynamic mac learning and dynamic arp. I am able to ping through the transparent firewall using 2 routers with the same mac-address. The firewall shows me that it is learning both the mac-addresses and also forwarding packets, can someone help me understand why this is happening?

    For some reason it will not take the shun command...I've tried every combanation I could think of but it will always fail.. I'm guessing there is a bug or that its just not allowed in transparent mode.. 
    You have to use the vlan before the number or it says invalid host.. when I do specify the vlan 2 it take it and then comes back with "Invalid vlan (2) shun failed

Maybe you are looking for

  • RFC Lookup Error --- error executing simple look up

    Hi all, Below is the error when displaying the queue of the UDF. RuntimeException in Message-Mapping transformation: Exception:[java.lang.RuntimeException: Error during MEI RFC Lookup] in class com.sap.xi.tf._MM_COND_A03_TO_MT_PRICELIST_ method callR

  • My ipod says it's synced with another computer and will erase my ipod, i dont want my ipod to be erased

    My hard drive went out and had to be replaced. I coundnt back-up anything before it happened becuase i was having so many issues with my computer. So  i plugged my ipod into my computer and Itunes tells me- the ipod "my ipods name"  is synced with an

  • Personal Webpage doesn't work

    I just got through with a 3+ hour fight to install PHP on my MBP (Tiger 10.4.9). Now that everything's all up and running (allegedly... PHP eventually installed properly, and I restarted Personal Web Sharing a few times, as well as my computer), noth

  • Access file type changing

    iPlanet-Web-Proxy-Server/3.6-SP6/2004.243.0654 SP6 Obj.conf Init section: Init fn="flex-init" access="/web/soft/3.6proxy/proxy-ntsmtcmlon01-acl-xrp1/logs/access" format.access="%Ses->c lient.ip% - %Req->vars.pauth-user% [%SYSDATE%] \"%Req->reqpb.prox

  • PPI Limitation in photoshop CS5???

    Hi, I am working with very high resolution images (21,739 pixels per cm).  Not a typo! The images are of zebra finch brain sections that were scanned using an Olympus Nanozoomer (microscope) with a 20X object. The scanning resolution was a cool 0.46u