ARP Inspection on SF-300-24 switch?
I'm having an issue where two PCs are responding to ARP requests "Who is 192.168.0.1".
The real 192.168.0.1 is on port 1 of the switch and has a MAC address of 00:24:a5:c7:e0:a8. I can't seem to set up ARP Inspection properly, as the rogue device continues to respond. Can somebody provide the proper steps? I've enabled DHCP Snooping, enabled ARP Inspection, enabled IP Source Guard, added FE1 as a trusted interface and all others as untrusted, yet this continues to be an issue. Not sure what I'm doing wrong, and I can't find any documentation on the web to help out. I know where the offending piece of hardware is; unfortunately, due to its location, I can't fix it for several weeks, so I'm just looking to band-aid this for the time being.
Thanks for any help!
Ryan
Thanks for your reply. No, it does not seem to be working as intended. Please see my screen attachments.
I am still getting multiple responses to "WHO HAS 192.168.0.1" from the clients. Should just be from the trusted host on port 1.
Any other hints are appreciated. Thank you!
Similar Messages
-
Hi,
I have configured ARP inspection along with DHCP snooping.
All the computers are getting their IPs properly and building the snooping database. But once I disable and enable the network adapter, it starts discovering for an IP address, and in that process ARP inspection shows a log on the switch saying invalid ARP (Req) on the port, with the MAC address of the system and a Microsoft Automatic IP, even after the IP address and the port number entry are in the snooping database.
My Cisco model is 3560 and the IOS version is 15.0(2)SE6.
Any suggestions what the issue is?
Regards,
Azeem
Hi Bekzod,
Have you disabled insertion of option 82?
If not, then type this command on your switch:
no ip dhcp snooping information option
Can you post the configuration you have done for DHCP snooping? -
How to configure dynamic ARP inspection for the 300 or 500 series?
Hi Cisco Expert,
How do I configure dynamic ARP inspection for the 300 or 500 series? Do you have a clear document for this solution? Could you please share it?
I find in the admin guide that it's not simple to do.
Thank you for your kind support.
Hi Siriphan, using the command line is the easiest way to deal with this.
You need to understand the difference between trusted and untrusted interfaces. The untrusted interfaces are the ports that will be inspected; if an ARP packet on them is not specified within the ARP entry list, it will get dropped.
Any port you do not want ARP inspection to apply to, you need to trust.
Below is how to make a port trusted.
configure terminal
interface fe1
ip arp inspection trust
Once you establish the trusted ports, you can build your ARP list.
configure terminal
ip arp inspection list create ARP_INSPECTION
ip 192.168.100.3 mac-address 64:31:50:1c:50:a1
(The word after "create" can be any name you want.)
This is an example of adding one entry to your ARP list. You can add 128 of these entries. These IP/MAC bindings are the devices that are "safe" from being dropped.
Lastly, you need to enable ARP inspection globally. You DO NOT want to toggle ARP inspection without establishing your interfaces or bind list first. If you do not establish your trusted interfaces and list first, you will lock down every connection through the switch and essentially brick it.
To toggle the global ARP inspection:
configure terminal
ip arp inspection
Once you're done, save your running config to the start up config.
-Tom
Please mark answered for helpful posts -
Dynamic ARP Inspections on Wifi Routers?
Is Dynamic ARP Inspection possible on wifi routers? I'm asking because I can't find any model with that feature. I would especially be interested in some cheaper models for home or small business use (maybe Linksys).
You could be better served posting this on the SOHO forum. Speaking of enterprise gear like the Cisco WLC, yes.
DAI for Wireless Access
The WLC protects against MIM attacks by performing a similar function as DAI on the WLC itself. DAI should not be enabled on the access switch for those VLANs connecting directly to the WLCs because the WLC uses GARP to support Layer 3 client roaming.
It is possible to enable DAI for each VLAN configured on a trunk between a FlexConnect and access point. Therefore, DAI is useful in wireless deployments where multiple SSIDs/VLANs exist on a FlexConnect. However, in a FlexConnect WLC deployment, there are two topologies that impact the effectiveness of the DAI feature. Both topologies assume that the attacker is associated to a FlexConnect WLC and is Layer 2-adjacent to the targets:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch4_Secu.html#pgfId-1019449 -
Help understanding DHCP Snooping and Dynamic ARP Inspection
Please help me to understand DHCP Snooping and Dynamic ARP Inspection.
Hi Ezra,
In simple words:
DHCP snooping is a feature which is available on switches. This feature is used to prevent rogue DHCP server attacks.
In the diagram, a valid DHCP server is connected to the network. The computers are supposed to receive dynamic IP addresses from the valid server. An attacker implants a rogue DHCP server on the network, as shown in the diagram. The following steps are followed for a client to receive an IP address from a DHCP server.
When a client (computer) is connected to the switch and is configured to receive a dynamic IP address from a DHCP server, the DHCP service on the client sends out a DHCP Discover packet, searching for servers on the network. This packet is broadcast in nature. DHCP servers on the network would respond to the DHCP Discover packet sent from the client. In the example, both DHCP servers would respond to the DHCP Discover packet. The client would process the first packet it receives. If the response sent by the rogue DHCP server reaches the client first, then the computer would have an IP address provided by the rogue DHCP server.
To prevent this, DHCP snooping is configured on the port to which the valid DHCP server is connected. After the configuration is performed, no other ports on the switch would be able to respond to DHCP Discover packets from the clients. So even though the attacker has set up a rogue DHCP server, the port on the switch to which the attacker has connected would not be allowed to respond to DHCP Discover packets. Thus DHCP snooping thwarts the attacker's attempt at setting up a rogue DHCP server.
DAI:
Please read the explained version from here: http://ciscocertstudyblog.blogspot.de/2010/06/ciscoblogpics.html
More about DHCP snooping and DAI: Please read this attached document with some detailed explanation.
Hope it helps.
Regards
Please use the rating system and mark the question answered; it may help others. -
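The two mechanisms discussed above, Tom's trusted-port and static-list procedure for the SF300 and the DHCP snooping behaviour described in this reply, can be modelled together in a few lines. The Python below is an added example written for this page; it is not code from Cisco or from any poster. The port names, MACs and IPs are constructed, except for the 192.168.0.1 / 00:24:a5:c7:e0:a8 pair quoted from the original question, and it assumes the simple validation rule the posts describe: a packet on a trusted port passes, and a packet on an untrusted port passes only if its sender IP/MAC matches a static list entry or a DHCP snooping binding learned from a server reply seen on a trusted port.

```python
"""Added example: a toy model of DHCP snooping plus Dynamic ARP Inspection.
Ports, MACs and IPs are constructed (only 192.168.0.1 / 00:24:a5:c7:e0:a8
comes from the original question); the validation rule is the one the posts
describe, not Cisco's implementation."""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    ingress_port: str
    sender_mac: str
    sender_ip: str
    op: str = "reply"  # "request" or "reply"


@dataclass
class DhcpPacket:
    ingress_port: str
    kind: str  # DISCOVER/REQUEST (client) or OFFER/ACK (server)
    client_mac: str = ""
    assigned_ip: str = ""


@dataclass
class Switch:
    trusted_ports: set = field(default_factory=set)
    static_bindings: dict = field(default_factory=dict)    # the SF300 "ARP inspection list": ip -> mac
    snooping_bindings: dict = field(default_factory=dict)  # learned from DHCP ACKs on trusted ports
    log: list = field(default_factory=list)

    def handle_dhcp(self, pkt: DhcpPacket) -> bool:
        """DHCP snooping: server replies (OFFER/ACK) are only accepted on trusted ports,
        so a rogue server on an access port cannot answer a client's DISCOVER."""
        if pkt.kind in ("OFFER", "ACK") and pkt.ingress_port not in self.trusted_ports:
            self.log.append(f"DHCP {pkt.kind} dropped on untrusted port {pkt.ingress_port}")
            return False
        if pkt.kind == "ACK":
            # a completed lease becomes a binding that DAI can check ARP packets against
            self.snooping_bindings[pkt.assigned_ip] = pkt.client_mac.lower()
        return True

    def handle_arp(self, pkt: ArpPacket) -> bool:
        """DAI: trusted ports are not inspected; on an untrusted port the sender
        IP/MAC pair must match a static list entry or a snooping binding."""
        if pkt.ingress_port in self.trusted_ports:
            return True
        expected = self.static_bindings.get(pkt.sender_ip) or self.snooping_bindings.get(pkt.sender_ip)
        if expected is None or expected.lower() != pkt.sender_mac.lower():
            self.log.append(f"Invalid ARP ({pkt.op}) on {pkt.ingress_port}: "
                            f"{pkt.sender_mac}/{pkt.sender_ip}")
            return False
        return True

    def reload(self) -> None:
        """A reboot empties the learned table; the static list is configuration and survives."""
        self.snooping_bindings.clear()


def scenario_rogue_responder():
    """Original question: two hosts answer 'who has 192.168.0.1'; only fe1 is trusted
    and only the real gateway MAC is in the static list."""
    sw = Switch(trusted_ports={"fe1"}, static_bindings={"192.168.0.1": "00:24:a5:c7:e0:a8"})
    real = ArpPacket("fe1", "00:24:a5:c7:e0:a8", "192.168.0.1")
    rogue = ArpPacket("fe7", "00:1b:21:3c:4d:5e", "192.168.0.1")  # constructed rogue MAC and port
    return sw.handle_arp(real), sw.handle_arp(rogue)


def scenario_dhcp_then_reload():
    """A client learned via snooping passes DAI until the switch reloads and the
    learned binding is gone; a rogue OFFER on an untrusted port is dropped throughout."""
    sw = Switch(trusted_ports={"fe1"})
    offer_ok = sw.handle_dhcp(DhcpPacket("fe5", "OFFER"))  # rogue server on an access port
    sw.handle_dhcp(DhcpPacket("fe1", "ACK", client_mac="00:11:22:33:44:55", assigned_ip="192.168.0.50"))
    client = ArpPacket("fe3", "00:11:22:33:44:55", "192.168.0.50", op="request")
    before = sw.handle_arp(client)
    sw.reload()
    after = sw.handle_arp(client)
    return offer_ok, before, after


if __name__ == "__main__":
    print("rogue responder (real, rogue):", scenario_rogue_responder())
    print("dhcp then reload (rogue offer, before, after):", scenario_dhcp_then_reload())
```

The reload() scenario models the situation Arman describes in a later post on this page: a binding table that was only learned dynamically is empty after a reboot, so on untrusted ports every ARP is denied until the hosts obtain new leases or a static list covers them. That is why Tom insists on building the trusted ports and the list before enabling inspection globally.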
Hi,
We have got a Cisco 3759 switch where only the following line was configured:
ip arp inspection vlan 6,100
And on those VLANs no arp inspection trust was configured. DMZ and backup servers were connected on that switch. The switch got restarted within 5 minutes for the power outage, and when the switch came online it was denying all the packets coming through VLAN 100 and 6, although it was allowing packets before the power outage.
It took me 30 minutes to find out that ARP inspection was enabled, which might cause the issue, but I am still unsure why it would block all packets for VLAN 100 & 6. After taking out the command 'ip arp inspection vlan 6,100' all started working fine.
What is the reason the switch had this issue? Is there any resolution for this? Thanks
FYI: The error messages:
0:48:32: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.182/14:48:32 AEST Sun Feb 28 1993])
00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/3, vlan 6.([000c.2915.1abe/220.233.31.184/0000.0000.0000/220.233.31.177/14:48:32 AEST Sun Feb 28 1993])
00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.178/14:48:33 AEST Sun Feb 28 1993])
00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.184/14:48:33 AEST Sun Feb 28 1993])
Regards,
Arman
Code version:
System image file is "flash:c3750-ipservicesk9-mz.122-50.SE3/c3750-ipservicesk9-mz.122-50.SE3.bin"
I don't have any EtherChannel running from the switch. It is connected to VMware machines which are on the DMZ.
rgds,
arman -
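To triage messages like the ones Arman quoted, it helps to pull the fields out of each %SW_DAI-4-DHCP_SNOOPING_DENY line (count, opcode, port and VLAN, then sender MAC / sender IP / target MAC / target IP / timestamp inside the brackets) and summarise them by port and by sender. The parser below is an added example for this page, not a Cisco tool; the four log lines it runs over are the ones from the post, and the function names are mine. DHCP_SNOOPING_DENY is the reason DAI reports when an ARP packet from an untrusted port matches neither an ARP ACL nor an entry in the DHCP snooping binding table, so the summary tells you which senders have no binding. With only `ip arp inspection vlan 6,100` configured, statically addressed servers on untrusted ports have no binding at all, and a dynamically learned binding table is not retained across a reload unless the DHCP snooping database agent is configured.

```python
"""Added example: parse and summarise %SW_DAI-4-DHCP_SNOOPING_DENY syslog lines.
The sample lines are the four quoted in the post above; the function names are
mine, not a Cisco tool."""
import re
from collections import Counter, defaultdict

DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) on (?P<port>\S+), "
    r"vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/"
    r"(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)"
)

# the four lines quoted in the post
SAMPLE_LOG = """\
0:48:32: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.182/14:48:32 AEST Sun Feb 28 1993])
00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/3, vlan 6.([000c.2915.1abe/220.233.31.184/0000.0000.0000/220.233.31.177/14:48:32 AEST Sun Feb 28 1993])
00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.178/14:48:33 AEST Sun Feb 28 1993])
00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.184/14:48:33 AEST Sun Feb 28 1993])
"""


def cisco_mac_to_colon(mac: str) -> str:
    """'001e.0b5f.3a8c' -> '00:1e:0b:5f:3a:8c' (the form hosts and the SF300 use)."""
    hexdigits = mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_deny_log(text: str) -> list:
    """Return one dict per DHCP_SNOOPING_DENY line; lines of other types are skipped."""
    records = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        rec["vlan"] = int(rec["vlan"])
        rec["smac"] = cisco_mac_to_colon(rec["smac"])
        rec["tmac"] = cisco_mac_to_colon(rec["tmac"])
        records.append(rec)
    return records


def denied_by_port(records) -> dict:
    """Total denied ARPs per (port, vlan): shows which ports carry unbound hosts."""
    totals = Counter()
    for r in records:
        totals[(r["port"], r["vlan"])] += r["count"]
    return dict(totals)


def senders_needing_bindings(records) -> dict:
    """(sender ip, sender mac) -> sorted ports. Each pair needs a DHCP snooping
    binding or a static entry (ARP ACL) before DAI will pass it on an untrusted port."""
    by_sender = defaultdict(set)
    for r in records:
        by_sender[(r["sip"], r["smac"])].add(r["port"])
    return {k: sorted(v) for k, v in by_sender.items()}


if __name__ == "__main__":
    recs = parse_deny_log(SAMPLE_LOG)
    print(denied_by_port(recs))
    print(senders_needing_bindings(recs))
```

Run against the post's four lines, the summary shows two senders, one per port, with no binding at all; that pattern (every host on an untrusted port denied, all target MACs zero because they are requests) is what an empty binding table looks like after a reload, rather than a single misbehaving host.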
Sg200-50 support dhcp snooping and dynamic arp inspection?
do the sg200-50 switches support:
dhcp snooping
dynamic arp inspection
?? Thanks
Hi d.pennington,
The SG200 is an L2 switch only, so this means the switch does not support DHCP snooping. The switch supports IGMP snooping, and the switch supports a dynamic ARP table. You can manage the switch with the web page GUI only; the CLI is not supported.
Thanks,
Moh -
Can anyone help explain to me the way that arp inspection packet per second limiting works when enabling burst. For example, if my config is "ip arp inspection limit rate 25 burst 3", does the switch check every three seconds to see if arp packets were beyond the threshold every second of that interval? Is it simply checking every three seconds to see if the total arp packets are above 75 for the entire interval? Is it checking every three seconds or every second for the prior three second interval?
I am having a consistent issue with multiple devices in one building violating our ARP packet-per-second limit. Is anyone else using a burst interval, and have you come across any client hardware that consistently violates the pps limit? What is your pps limit?
Initially we used the default settings, i.e. 15 pps, but since the migration of the park to Win7 we had problems (probably Windows network discovery):
% SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 855 milliseconds on Fa0/1.
So we set the threshold at 64 pps with a burst of three seconds (ip arp inspection limit rate 64 burst interval 3)
Recently I had a user who exceeded the threshold:
% SW_DAI-4-PACKET_BURST_RATE_EXCEEDED: 279 packets received in 3 seconds on Fa0/35.
The message in the logs, suggests that if the threshold is exceeded per second, you can expect to see the value of 3 seconds. The threshold would be your value multiplied by the duration of the burst threshold (ie 64x3 = 192?). I'm not sure. -
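One way to reason about the question asked here is to simulate the limiter. The Python below is an added example, not Cisco's implementation, and it encodes one specific reading of `ip arp inspection limit rate R burst interval B` as an assumption: the port is in violation when more than R * B packets arrive inside any B-second window, evaluated on every arrival rather than once per interval. The packet timings are constructed to match the two log lines quoted above (16 packets in 855 ms against the 15 pps default, and 279 packets in 3 seconds against 64 pps with a 3-second burst interval).

```python
"""Added example: a sliding-window model of DAI's per-port ARP rate limit.
Assumption (mine, not from the Cisco documentation): with `ip arp inspection
limit rate R burst interval B` the port is in violation when more than R*B
packets arrive within any B-second window. All packet timings are constructed."""
from collections import deque
from typing import Optional


class ArpRateLimiter:
    def __init__(self, rate_pps: int, burst_interval_s: int = 1):
        self.rate = rate_pps
        self.burst = burst_interval_s
        self.limit = rate_pps * burst_interval_s   # packets tolerated per window
        self.window = deque()                       # arrival times inside the current window

    def arrive(self, t: float) -> bool:
        """Record an ARP packet arriving at time t (seconds).
        Returns True if this packet pushes the window over the limit."""
        self.window.append(t)
        while self.window and t - self.window[0] >= self.burst:
            self.window.popleft()                   # forget arrivals older than the window
        return len(self.window) > self.limit


def first_violation(limiter: ArpRateLimiter, arrivals) -> Optional[int]:
    """1-based number of the packet that first trips the limiter, or None."""
    for n, t in enumerate(arrivals, start=1):
        if limiter.arrive(t):
            return n
    return None


def evenly_spaced(count: int, span_s: float):
    """count packets spread evenly over span_s seconds (first at t=0, last at t=span_s)."""
    step = span_s / (count - 1)
    return [i * step for i in range(count)]


def default_limit_case():
    # the post's first log line: 16 packets in 855 ms against the default 15 pps, burst 1
    return first_violation(ArpRateLimiter(15, 1), evenly_spaced(16, 0.855))


def burst_limit_case():
    # the post's second log line: 279 packets in 3 s against rate 64, burst interval 3
    return first_violation(ArpRateLimiter(64, 3), evenly_spaced(279, 3.0))


def steady_under_limit_case():
    # a constructed steady 62.5 pps stream never exceeds 64*3 = 192 in any 3 s window
    return first_violation(ArpRateLimiter(64, 3), [i * 0.016 for i in range(200)])


if __name__ == "__main__":
    print("15 pps / burst 1, 16 pkts in 855 ms -> trips on packet", default_limit_case())
    print("64 pps / burst 3, 279 pkts in 3 s   -> trips on packet", burst_limit_case())
    print("64 pps / burst 3, steady 62.5 pps   -> trips on packet", steady_under_limit_case())
```

Under this reading the second log line (279 packets in 3 seconds) is a violation because 279 > 192, and the limiter trips on the 193rd packet rather than waiting for the end of the interval; a host sending a steady 62 pps never trips it even though it is far above the old 15 pps default. Whether IOS evaluates the window exactly this way is the assumption stated above; what the model does show is that the burst interval only changes how long a spike may last, not the average rate a port is allowed.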
Hi All,
I am getting the below errors on the switch. Please help with how to troubleshoot and stop them.
Mar 11 09:46:07.492 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/37, putting Gi2/0/37 in err-disable state (C29NEWM434-03-2)
Mar 11 09:49:07.516 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/37 (C29NEWM434-03-2)
Mar 11 10:02:55.308 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/37, putting Gi2/0/37 in err-disable state (C29NEWM434-03-2)
Mar 11 10:05:55.325 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/37 (C29NEWM434-03-2)
Mar 11 10:11:39.306 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/37, putting Gi2/0/37 in err-disable state (C29NEWM434-03-2)
Mar 11 10:14:39.323 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/37 (C29NEWM434-03-2)
Mar 11 10:50:13.152 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/37, putting Gi2/0/37 in err-disable state (C29NEWM434-03-2)
Mar 11 10:53:13.162 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/37 (C29NEWM434-03-2)
Mar 11 14:53:30.262 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/40, putting Gi2/0/40 in err-disable state (C29NEWM434-03-2)
Mar 11 14:56:30.279 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/40 (C29NEWM434-03-2)
Mar 11 15:33:03.207 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/40, putting Gi2/0/40 in err-disable state (C29NEWM434-03-2)
Mar 11 15:36:03.227 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/40 (C29NEWM434-03-2)
Mar 11 15:46:03.250 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/40, putting Gi2/0/40 in err-disable state (C29NEWM434-03-2)
Mar 11 15:49:03.268 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/40 (C29NEWM434-03-2)
Mar 11 15:53:23.050 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/40, putting Gi2/0/40 in err-disable state (C29NEWM434-03-2)
Mar 11 15:56:23.064 GMT: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi2/0/40 (C29NEWM434-03-2)
Mar 11 17:09:43.703 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/40, putting Gi2/0/40 in err-disable state (C29NEWM434-03-2)
Mar 12 09:53:20.747 GMT: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/40, putting Gi2/0/40 in err-disable state (C29NEWM434-03-2)
Thanks in advance,
Nagasheshu
sh errdisable recovery
ErrDisable Reason Timer Status
arp-inspection Enabled
bpduguard Enabled
channel-misconfig (STP) Disabled
dhcp-rate-limit Disabled
dtp-flap Disabled
gbic-invalid Disabled
inline-power Disabled
link-flap Enabled
mac-limit Disabled
loopback Disabled
pagp-flap Disabled
port-mode-failure Disabled
pppoe-ia-rate-limit Disabled
psecure-violation Disabled
security-violation Disabled
sfp-config-mismatch Disabled
small-frame Disabled
storm-control Disabled
udld Disabled
vmps Disabled
psp Disabled
Timer interval: 180 seconds
Interfaces that will be enabled at the next timeout:
sh ip arp inspection int output
Interface Trust State Rate (pps) Burst Interval
Gi2/0/37 Untrusted 15 1
Gi2/0/38 Untrusted 15 1
Gi2/0/39 Untrusted 15 1
Gi2/0/40 Untrusted 15 1
Gi2/0/41 Untrusted 15 1
Gi2/0/42 Untrusted 15 1
Gi2/0/43 Untrusted 15 1
Gi2/0/44 Untrusted 15 1
Gi2/0/45 Untrusted 15 1
Gi2/0/46 Untrusted 15 1
Gi2/0/47 Untrusted 15 1
Gi2/0/48 Trusted None N/A
Gi2/0/49 Untrusted 15 1
sh cdp neighbors Gig 2/0/40 det
Device ID: SEP0004f2440d98
Entry address(es):
IP address: 10.210.86.86
Platform: Polycom SoundPoint IP 450, Capabilities: Host Phone
Interface: GigabitEthernet2/0/40, Port ID (outgoing port): Port 1
Holdtime : 120 sec
Version :
Updater: 5.0.2, App: 4.0.2
advertisement version: 2
Duplex: full
Power drawn: 5.400 Watts
Power Available TLV:
Power request id: 0, Power management id: 0, Power available: 0, Power management level: 0
Management address(es):
29NEWM434-03#sh run | i arp inspe
ip arp inspection vlan 11-13,21-23
Please see the output and config. Please advise.
Thanks!! -
Jumbo frame caveat on 3750 - dynamic arp inspection
I want to enable jumbo frames on a stacked 3750 running 12.2.25(SEB2).
Any caveats? The only caveat I found is dynamic ARP inspection.
Hello,
There is no known problem with Jumbo/Giant frame support on the 3750 platform other than the bug you reported.
I have verified that Jumbo/Giant frame support works on 12.2(25)SED in stack configuration.
Facts
- The 12.2(25)SEB2 release has been deferred. Cisco advises you to upgrade to (at least) 12.2(25)SEB3.
http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/printdefer.pl?platform=CAT3750&majorRel=12.2&release=12.2.25-SEB2&data_from=&file=12.2.25-SEB2.CAT3750.c.html
- Jumbo/Giant frame support
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml#3750
HTH -
ESW 520 ARP Inspection Problem
Hello,
I have observed strange behavior on ESW 520 switches with ARP Inspection operation. ARP inspection is configured with static IP-to-MAC bindings, and it works. The problem is with the logs: the switch generates tons of ARP inspection logs during normal network operation, but the network endpoints are working well. These logs are the same as those generated during ARP poisoning in the network. This behavior was observed in older and new firmware.
Here is sample log:
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:5a:85:2e SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.18
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.16
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:19:85:26 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.15
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.16
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:12:85:2e SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.18
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.10
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:11:85:26 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.1
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.10
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e8 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:14:85:0c SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.14
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e3 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:3f SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.12
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e8 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:51:85:0c SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.14
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.10
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:57:85:26 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.15
It seems the switch doesn't like ARP requests which are going to local network addresses, but in that VLAN all hosts can communicate with each other.
Do you have any idea what the problem can be?
Hi ngtransge,
I will first come to say I do not know the answer. But, I will suspect the log entries are indicating a MAC address that arrived on the interface that did not recognize the IP or MAC address. If the MAC or IP is not found in the inspection list, it would revert to the DHCP snooping table if that is enabled.
I would suspect these entries are coming from an untrusted interface then goes through validation.
Can you show the trusted interfaces and the MAC bindings?
Are the MAC addresses on the log entry meaningful to you in any way?
Are those MAC addresses supposed to be going to a particular destination? Or conversely, are the MAC addresses supposed to be seen on an untrusted interface?
-Tom -
3 switches in the same broadcast domain (transparent mode), approx. 200 VLANs. Trunk links between switches allow all VLANs 1-4096.
I set up ARP inspection for one particular VLAN to troubleshoot an ARP server issue, possibly an unintentional ARP MITM. Set up as follows:
ip arp inspection vlan 100
arp access-list DAI
permit ip any mac any
ip arp inspection filter DAI vlan 100
ip arp inspection vlan 100 logging acl-match matchlog
Once enabled, some of the servers on each switch in VLAN 100 went into error-disabled mode and the port channel between switches went into error-disabled status. Once I removed it ("no ip arp inspection vlan 100") and did a shut/no shut on the port channel, the port channel came back up; I then had to wade through and shut/no shut all the error-disabled server ports, and everything was back to normal.
Am I right in saying the problem was caused by not setting the port channels between switches to "arp inspection trust"? And should I just leave all the server ports untrusted (default)? I.e. for all inter-switch links:
conf t
int Po200
ip arp inspection trust
end
then leave everything else as is? Would this make the problem go away? I can't try now as it is production kit, and I don't really have an ideal UAT lab as such yet.
Hello stephendrkw,
I believe you are right about the port channel causing the outage.
Typically all host ports would be configured as untrusted and all switch ports connected to other switches would be trusted. Configuring a port as untrusted when it should be trusted can cause an outage.
If you suspect a MITM attack, you can go to a PC that you think may be sending the IP traffic to the wrong MAC and, at the command prompt, type "arp -a 192.168.1.1" and verify it has the correct MAC address mapped to the IP address. If it has the wrong MAC, you can log in to the switch and then "show mac address-table address xxxx.xxxx.xxxx" to locate the source of the MITM attack.
On the switch side, you can type "show arp | i 192.168.1.1" and "show arp | i "mac address"" to verify what MAC is bound to the IP address.
Hope this helps.... -
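The manual check Tom describes (compare the MAC a host has cached for the gateway against the one you expect, then find the port that MAC lives on) can be scripted. The Python below is an added example, not part of any post: it parses constructed Windows-style `arp -a` output and a constructed list of ARP replies observed on the switch, and flags an IP that is answered by more than one MAC, using the 192.168.0.1 / 00:24:a5:c7:e0:a8 binding from the original question as the known-good entry. The rogue MAC 00:1b:21:3c:4d:5e and the port names are made up.

```python
"""Added example: spot an IP that is answered by more than one MAC (the symptom
in the original question) from (a) a host's `arp -a` cache and (b) ARP replies
observed on the switch. Sample data is constructed; only the 192.168.0.1 /
00:24:a5:c7:e0:a8 binding comes from the question."""
import re
from collections import defaultdict

KNOWN_GOOD = {"192.168.0.1": "00:24:a5:c7:e0:a8"}   # real gateway, from the question

# (ingress port, sender MAC, sender IP) of ARP replies seen on the switch; constructed
OBSERVED_REPLIES = [
    ("fe1", "00:24:a5:c7:e0:a8", "192.168.0.1"),
    ("fe7", "00:1b:21:3c:4d:5e", "192.168.0.1"),    # constructed rogue responder
    ("fe3", "00:50:56:aa:bb:cc", "192.168.0.20"),
]

# Windows-style `arp -a` output from a client whose cache holds the rogue MAC; constructed
SAMPLE_ARP_A = """\
Interface: 192.168.0.55 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-1b-21-3c-4d-5e     dynamic
  192.168.0.20          00-50-56-aa-bb-cc     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

ARP_A_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+\w+", re.M)


def norm_mac(mac: str) -> str:
    """Accept 00-1b-21-3c-4d-5e or 00:1B:21:3C:4D:5E and return lowercase colon form."""
    return mac.replace("-", ":").lower()


def parse_arp_a(text: str) -> dict:
    """{ip: mac} from Windows-style `arp -a` output (one 'ip  mac  type' row per line)."""
    return {ip: norm_mac(mac) for ip, mac in ARP_A_RE.findall(text)}


def poisoned_entries(cache: dict, known_good: dict) -> dict:
    """IPs whose cached MAC differs from the expected one: {ip: (cached, expected)}."""
    return {ip: (cache[ip], norm_mac(good)) for ip, good in known_good.items()
            if ip in cache and cache[ip] != norm_mac(good)}


def conflicting_responders(replies) -> dict:
    """{ip: {mac: [ports]}} for every IP that more than one MAC has answered for."""
    seen = defaultdict(lambda: defaultdict(list))
    for port, mac, ip in replies:
        seen[ip][norm_mac(mac)].append(port)
    return {ip: dict(macs) for ip, macs in seen.items() if len(macs) > 1}


def ports_to_check(replies, known_good) -> dict:
    """Ports where a MAC other than the known-good one claimed a protected IP,
    i.e. where you would go next with `show mac address-table address <mac>`."""
    out = {}
    for port, mac, ip in replies:
        if ip in known_good and norm_mac(mac) != norm_mac(known_good[ip]):
            out[port] = norm_mac(mac)
    return out


if __name__ == "__main__":
    cache = parse_arp_a(SAMPLE_ARP_A)
    print("poisoned host cache entries:", poisoned_entries(cache, KNOWN_GOOD))
    print("IPs with several responders:", conflicting_responders(OBSERVED_REPLIES))
    print("ports to check on the switch:", ports_to_check(OBSERVED_REPLIES, KNOWN_GOOD))
```

The host-side check only tells you that a particular client has been fed the wrong MAC; the switch-side grouping is what turns that into a port, which is the same information a correctly configured inspection list would have used to drop the rogue reply in the first place.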
SG-300 28P switches problem with VLAN Data and Voice, working all the time as Voice VLAN
Hi Everyone,
Thank you very much for your help in advance. I'm pulling my hair out trying to fix this problem.
I just got the new SG-300 28P switches. My boss ordered them for me. I did not know how it runs until now... it is not IOS based. I really do not know how to configure it.
I have 2 VLANs, Data and Voice.
- Data VLAN ID is 2 IP 192.168.2.X/255.255.255.0
- Voice VLAN ID is 200 IP 192.168.22.X/255.255.255.0
- I created two VLANs in the switch, Data and Voice.
- On port number 28, which is trunk by default, I added Data VLAN ID 2 tagged.
- On port number 26, which is trunk by default, I added Voice VLAN ID 200 tagged.
- On port number 27, I added Data VLAN ID 2 tagged for the Data VLAN out.
- Port settings No.1
I set it up as Trunk with Data VLAN 2 untagged and 200 tagged (voice VLAN). I plugged in a phone with a PC attached. But the PC gets into VLAN 200 to get a DHCP address, not VLAN 2. The phone works with the correct VLAN IP.
- Port settings No.2
Trunk with VLAN 1UP, 2T, and 200T. The phone is even worse; it would never pick up any IP from DHCP.
- Port settings No.3
Access with 200U... of course the phone will work... and the PC could not get to its own VLAN. Instead, the PC got an IP from the voice VLAN, not from VLAN 2.
I have a Linksys phone; I'm not sure if this helps.
For more information, I set up in the switch:
- enable voice vlan
- set the port on auto voice vlan
- enable LLDP-MED globally
- create a network policy to assign VLAN 200
- assign this network policy to the port the phone is connected to.
I hope this information helps you to help me set up Data and Voice VLANs, so that the phone works with Voice VLAN 200 (IP range 192.168.22.X), from phone to PC, and the PC works on Data VLAN 2 (IP range 192.168.2.X).
I just got done setting up voice VLANs on an SF 300-24P and verified it working. This was with Cisco 7900 series phones connected to a Cisco UC setup.
Here's my sample config.
Note that I edited this by hand before posting, so doing a flat out tftp restore probably won't work. However, this should give you a clue. Also, don't take this as 100% accurate or correct. I've only been working with these things for about a week, though I've worked with the older Linksys SRW switches for a couple of years. I'm a CCNP/CCDP.
VLAN 199 is my management VLAN and is the native VLAN on 802.1q trunks.
VLAN 149 is the data/computer VLAN here.
VLAN 111 is the voice/phone VLAN here.
VLAN 107 does nothing.
interface range ethernet e(1-24)
port storm-control broadcast enable
port storm-control include-multicast
exit
vlan database
vlan 107,111,149,199
exit
interface range ethernet g(1-4)
description "Uplink trunk"
switchport default-vlan tagged
switchport trunk allowed vlan add 107
switchport trunk allowed vlan add 111
switchport trunk allowed vlan add 149
switchport trunk native vlan 199
exit
interface range ethernet e(21-24)
switchport mode access
switchport access vlan 111
exit
interface range ethernet e(1-20)
switchport trunk native vlan 149
exit
voice vlan aging-timeout 5
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
voice vlan oui-table add 108ccf MyCiscoIPPhones1
voice vlan oui-table add 40f4ec MyCiscoIPPhones2
voice vlan oui-table add 8cb64f MyCiscoIPPhones3
voice vlan id 111
voice vlan cos 6 remark
interface range ethernet e(1-20)
voice vlan enable
voice vlan cos mode all
exit
interface range ethernet e(1-24)
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface range ethernet g(1-4)
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e1
lldp med notifications topology-change enable
exit
interface ethernet e2
lldp med notifications topology-change enable
exit
interface ethernet e3
lldp med notifications topology-change enable
exit
interface ethernet e4
lldp med notifications topology-change enable
exit
interface ethernet e5
lldp med notifications topology-change enable
exit
interface ethernet e6
lldp med notifications topology-change enable
exit
interface ethernet e7
lldp med notifications topology-change enable
exit
interface ethernet e8
lldp med notifications topology-change enable
exit
interface ethernet e9
lldp med notifications topology-change enable
exit
interface ethernet e10
lldp med notifications topology-change enable
exit
interface ethernet e11
lldp med notifications topology-change enable
exit
interface ethernet e12
lldp med notifications topology-change enable
exit
interface ethernet e13
lldp med notifications topology-change enable
exit
interface ethernet e14
lldp med notifications topology-change enable
exit
interface ethernet e15
lldp med notifications topology-change enable
exit
interface ethernet e16
lldp med notifications topology-change enable
exit
interface ethernet e17
lldp med notifications topology-change enable
exit
interface ethernet e18
lldp med notifications topology-change enable
exit
interface ethernet e19
lldp med notifications topology-change enable
exit
interface ethernet e20
lldp med notifications topology-change enable
exit
interface ethernet e21
lldp med notifications topology-change enable
exit
interface ethernet e22
lldp med notifications topology-change enable
exit
interface ethernet e1
lldp med enable network-policy poe-pse
exit
interface ethernet e2
lldp med enable network-policy poe-pse
exit
interface ethernet e3
lldp med enable network-policy poe-pse
exit
interface ethernet e4
lldp med enable network-policy poe-pse
exit
interface ethernet e5
lldp med enable network-policy poe-pse
exit
interface ethernet e6
lldp med enable network-policy poe-pse
exit
interface ethernet e7
lldp med enable network-policy poe-pse
exit
interface ethernet e8
lldp med enable network-policy poe-pse
exit
interface ethernet e9
lldp med enable network-policy poe-pse
exit
interface ethernet e10
lldp med enable network-policy poe-pse
exit
interface ethernet e11
lldp med enable network-policy poe-pse
exit
interface ethernet e12
lldp med enable network-policy poe-pse
exit
interface ethernet e13
lldp med enable network-policy poe-pse
exit
interface ethernet e14
lldp med enable network-policy poe-pse
exit
interface ethernet e15
lldp med enable network-policy poe-pse
exit
interface ethernet e16
lldp med enable network-policy poe-pse
exit
interface ethernet e17
lldp med enable network-policy poe-pse
exit
interface ethernet e18
lldp med enable network-policy poe-pse
exit
interface ethernet e19
lldp med enable network-policy poe-pse
exit
interface ethernet e20
lldp med enable network-policy poe-pse
exit
interface ethernet e21
lldp med enable network-policy poe-pse
exit
interface ethernet e22
lldp med enable network-policy poe-pse
exit
lldp med network-policy 1 voice vlan 111 vlan-type tagged
interface range ethernet e(1-22)
lldp med network-policy add 1
exit
interface vlan 199
ip address 199.16.30.77 255.255.255.0
exit
ip default-gateway 199.16.30.3
interface vlan 1
no ip address dhcp
exit
no bonjour enable
bonjour service enable csco-sb
bonjour service enable http
bonjour service enable https
bonjour service enable ssh
bonjour service enable telnet
hostname psw1
line console
exec-timeout 30
exit
line ssh
exec-timeout 30
exit
line telnet
exec-timeout 30
exit
management access-list Management1
permit ip-source 10.22.5.5 mask 255.255.255.0
exit
logging 199.16.31.33 severity debugging description mysysloghost
aaa authentication enable Console local
aaa authentication enable SSH tacacs local
aaa authentication enable Telnet local
ip http authentication tacacs local
ip https authentication tacacs local
aaa authentication login Console local
aaa authentication login SSH tacacs local
aaa authentication login Telnet local
line telnet
login authentication Telnet
enable authentication Telnet
password admin
exit
line ssh
login authentication SSH
enable authentication SSH
password admin
exit
line console
login authentication Console
enable authentication Console
password admin
exit
username admin password admin level 15
power inline usage-threshold 90
power inline traps enable
ip ssh server
snmp-server location in-the-closet
snmp-server contact [email protected]
ip http exec-timeout 30
ip https server
ip https exec-timeout 30
tacacs-server host 1.2.3.4 key spaceballz timeout 3 priority 10
clock timezone -7
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 199.16.30.1
sntp server 199.16.30.2
ip domain-name mydomain.com
ip name-server 199.16.5.12 199.16.5.13
ip telnet server
-
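The running configuration posted above contains no DHCP snooping or ARP inspection statements at all, which is the usual reason the Sx300 keeps forwarding rogue ARP replies: both features have a global switch and a separate per-VLAN switch, and the ARP-inspection trust state on a port is independent of its DHCP-snooping trust state. The fragment below is an added example, not part of the posted configuration or of any reply in the thread. It assumes the clients are in VLAN 1, that e1 is the uplink towards the real gateway and DHCP server, and that 192.0.2.1 / 00:11:22:33:44:55 are hypothetical placeholders for the gateway's address and MAC; interface names follow the `interface ethernet e1` style of the posted config.

```text
! Added Sx300 CLI example (not from the posted configuration).
! Assumptions: clients in VLAN 1, e1 = uplink to the real gateway and
! DHCP server, 192.0.2.1 / 00:11:22:33:44:55 = placeholder gateway.
configure
! 1. DHCP snooping builds the IP/MAC/VLAN/port binding table that ARP
!    inspection validates against. Global enable alone does nothing;
!    the VLAN has to be listed as well.
ip dhcp snooping
ip dhcp snooping vlan 1
interface ethernet e1
ip dhcp snooping trust
exit
! 2. ARP inspection likewise needs the global AND the per-VLAN enable.
!    With only the global one set, no ARP packet is ever inspected.
ip arp inspection
ip arp inspection vlan 1
! Optional: also check that ARP-header addresses match the Ethernet
! header (source/destination MAC, sane IPs).
ip arp inspection validate
! ARP-inspection trust is separate from DHCP-snooping trust. Trust only
! the port towards the real gateway; client ports stay untrusted
! (the default) so every ARP they send is validated.
interface ethernet e1
ip arp inspection trust
exit
! 3. Hosts with static addresses never appear in the snooping table, so
!    their ARP would be dropped on untrusted ports. Give them a static
!    IP-to-MAC entry and bind the list to the VLAN.
ip arp inspection list create static-hosts
ip 192.0.2.1 00:11:22:33:44:55
exit
ip arp inspection list assign 1 static-hosts
! Throttle drop logging so a chatty rogue cannot flood syslog.
ip arp inspection logging interval 60
end
! Verification:
!   show ip arp inspection                 - global/VLAN state, trusted ports
!   show ip arp inspection list            - static IP/MAC entries
!   show ip dhcp snooping binding          - bindings learned from DHCP
!   show ip arp inspection statistics vlan 1 - forwarded vs. dropped counts
```

With this in place a reply claiming the gateway address from an untrusted port fails the binding check, because neither a DHCP binding nor a static entry pairs that IP with the rogue MAC, and is dropped. The dropped counter in the statistics output is the quickest way to confirm inspection is actually running rather than merely enabled; if it never increments while the rogue keeps answering, the VLAN-level enable or the port trust state is the first thing to re-check.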
Arp inspection not working on ASA
Folks,
I configured a transparent firewall on ASA. I have ARP inspection enabled, with dynamic MAC learning and dynamic ARP. I am able to ping through the transparent firewall using 2 routers with the same MAC address. The firewall shows me that it is learning both the MAC addresses and also forwarding packets. Can someone help me understand why this is happening? For some reason it will not take the shun command... I've tried every combination I could think of but it will always fail. I'm guessing there is a bug or that it's just not allowed in transparent mode.
You have to use the VLAN before the number or it says invalid host. When I do specify vlan 2 it takes it and then comes back with "Invalid vlan (2) shun failed".