Catalyst 2950 Blocking ports by default?

I see the layout you have, but is something not actually working?
Such as you are not able to access something.

Good day,

Working on an old network that has an old unmanaged 24 port switch. They also have a Catalyst 2950 they were able to get. I reset it, set up passwords, enabled SNMP, and gave it an IP address so I can monitor it.

I want to move things from the unmanaged switch to the new switch. First, I just connected a single cable between the unmanaged switch and the 2950. Then, I moved a PC from the unmanaged switch to the 2950.

After doing so, the computer is still on the network, can see everything, ping everything, etc etc all is good. However, this PC can no longer establish comms on particular ports.

PC is .169, other client is .168.

When connected to the UNMANAGED SWITCH

TCP 192.168.81.169:5413 192.168.81.168:57744 ESTABLISHED
TCP 192.168.81.169:5413 192.168.81.168:57745 ESTABLISHED
TCP 192.168.81.169:5413 192.168.81.168:57746...
This topic first appeared in the Spiceworks Community

Similar Messages

  • Catalyst 2950 Series - Monitoring Port

    Do the catalyst 2950 series have a port that can be used to connect a device that is designed to monitor all traffic on the switch - we are looking to install Webspy to track network & internet usage. The Sentinal product would best be connected to the switch where it can record all traffic - it needs a monitor port or some such equivalent.

    Hi,
    The 2950 does indeed support that - the functionality is called Switch Port Analyzer (SPAN). The following link has details on how to configure it:
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84c5.html
    Hope that helps - pls rate the post if it does.
    Paresh

  • Catalyst 2950 Switch flash_init error

    Hi Everyone,
    I'm new to Cisco products and have a small home lab set up. I have a Catalyst 2950 switch that I would like to restore to factory defaults. Here is the issue I'm having and can't figure out.
    I pull the power, telnet into the console port, hold the mode button and restore power. The boot loader (Version 12.1(11r)) starts and says the usual message that the system was interrupted prior to flash initialization (paraphrasing here).
    I get to the switch: command line, enter flash_init. Flash states it initialized and then all I get is a < with an underscore under it prompt. Anything I try to type comes up as bizarre characters and I can not get back to a switch: prompt unless I reboot the switch manually. Unsure of what to do here.
    Thanks in advance!
    -Matt
    Telnet session:
    C2950 Boot Loader (C2950-HBOOT-M) Version 12.1(11r)EA1, RELEASE SOFTWARE (fc1)
    Compiled Mon 22-Jul-02 18:57 by antonino
    WS-C2950T-24 starting...
    Base ethernet MAC Address: 00:06:52:bb:c9:40
    Xmodem file system is available.
    The system has been interrupted prior to initializing the
    flash filesystem.  The following commands will initialize
    the flash filesystem, and finish loading the operating
    system software:
        flash_init
        load_helper
        boot
    switch: flash_init
    Initializing Flash...
    flashfs[0]: 4 files, 2 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 7741440
    flashfs[0]: Bytes used: 3726848
    flashfs[0]: Bytes available: 4014592
    flashfs[0]: flashfs fsck took 7 seconds.
    ...done initializing flash.
    Boot Sector Filesystem (bs:) installed, fsid: 3
    Parameter Block Filesystem (pb:) installed, fsid: 4
    õíííííí   <---These characters appear no matter what keys I hit.

    Hi mattymattlynch
    Check the workaround on the following documents:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/41845-192.html
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_22_ea11x/configuration/guide/scg/swtrbl.html
    If no luck, the flash might be corrupted and require a replacement.
    Hope this helps
    -Randy-

  • Cisco Catalyst 2950/2960/3750 Multicast Traffic Preference

    Hello all,
    we, as a student company act as an ISP for university dormitories. We would like to (if it's possible) deploy QoS to prefer multicast traffic over all other types of traffic. 
    Devices used in network:
    Access layer: Cisco Catalyst 2950, 12.1(22)EA14
    Distribution layer: Cisco Catalyst 2960G, 12.2(58)SE1
    Core layer: Cisco Catalyst 3750G, 12.2(52)SE
    Do you see any possibility to solve this with these devices? We have almost no experience with QoS, therefore any help would be greatly appreciated. 
    Thanks in advance.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Hmm, I think it should be doable although the 2950s, if non-E variants, are especially weak in QoS features.  I.e. those might create some issues.
    With the 2960G and 3750G, you often will create problems when you enable QoS because QoS, by default, allocates its buffer resources for 4 egress queues per port rather than using all for 1 egress queue per port.  However, this can be countered by QoS parameter tuning, but that takes some QoS expertise to match to your traffic and your overall QoS policy.

  • DHCP on Cisco Catalyst 2950 Switch

    Hello
    I need to configure my cisco catalyst 2950 series switch in order to act as DHCP server for devices connected to its ports.
    Please tell me how to do that.
    Thank you
    Narek

    Please find the sample DHCP configuration for one of the VLANs.
    interface Vlan1
     description Cisco DHCP
     ip address 10.10.2.1 255.255.255.0
    !
    ip dhcp pool cisco
     network 10.10.2.0 255.255.255.0
     default-router 10.10.2.1
     domain-name mydomain.com
     dns-server 10.10.2.10
     netbios-name-server 10.10.2.15
     lease 7
    A 24 hour lease is the default if left out and the netbios-name-server is WINS in the Windows world.
    If you want to use DHCP server for other VLANs as well create similar DHCP pools and assign the DG to the corresponding VLAN interface IP.
    HTH, rate if it does
    Narayan

  • Catalyst 2950 switch

    Hello,
    I am using a catalyst 2950 switch and connecting machines which have the operating system as TRU64 UNIX 5.1B (HP make DS25 servers) and WINDOWS XP Professional. The WINDOWS machines are getting connected on the network ( I am able to PING each other), but the UNIX machines are not getting connected on the network. The port LED on the switch is normal (GREEN). The netstat -r command on the UNIX machine shows default as defgw (/etc/routes) and the IP of defgw is defined in the /etc/hosts file. But there is actually no such gateway.
    Please help me to get the UNIX machines connected on the network.
    Thank You very Much
    Best Regards
    S R Vijayan

    I wonder if the Windows machines are configured to use DHCP? If they are configured for DHCP and there is a DHCP server that is reachable, then it explains why the Windows machines have reachability to each other. If there is not a DHCP server available then the Windows machines are probably taking addresses in 169.254 (which is the default for Windows when it can not acquire from DHCP). This would also explain the ability of Windows machines to communicate with each other. Can the original poster clarify what IP addresses the Windows machines are using?
    Then the question becomes how are the Unix machines configured? Are they supposed to use DHCP? If so, is the DHCP server reachable? If not, how is the interface on the Unix box configured?
    I also think that the suggestion about verifying whether the switch is configured with more than one VLAN is an excellent suggestion.
    HTH
    Rick

  • Blocking Port 192

    The company that processes credit card transactions is insisting we block port 192. How is this done? I have heard similar issues from other companies.

    I see from your other posts that you do have an Airport Extreme base station.
    As I indicated, this is not something I know much about either. I'm not even sure that the AEBS is the problem, though it seems to be according to the post I listed. I guess you could temporarily connect your Mac directly to your broadband modem, to see if the claimed vulnerability is still there.
    Assuming the AEBS is the problem, one thing you could try is to disable outside SNMP access - I found another post suggesting that here: http://forums.macrumors.com/showthread.php?t=602839. I have an older AEBS, which uses Airport Admin Utility for configuration. Its help section includes:
    Protecting your AirPort network from denial-of-service attacks
    Networks managed by Simple Network Management Protocol (SNMP) may be vulnerable to denial-of-service attacks. (SNMP is turned on by default in AirPort Admin Utility.) Similarly, if you allow your base station to be configured remotely over the wide area network (WAN) port, unauthorized users may be able to change network settings.
    To help protect your network and base station:
    Open AirPort Admin Utility, located in Applications/Utilities.
    Select your base station and click Configure. Enter the base station password if necessary.
    Click AirPort, and click Base Station Options. Make sure the Enable SNMP Access and the Enable Remote Configuration checkboxes are not selected.
    If the Enable SNMP Access and Enable Remote Configuration checkboxes are deselected, you must configure the base station using only the local area network (LAN) or the AirPort wireless network.
    The newer Airport Utility may do this differently.
    Hopefully you can also get more help from others who are more knowledgeable about networks. As a last resort you could ask the security company to recommend a wireless router that they know will pass their test.

  • Configuring socket policy for flex apps(with blocked port 843)?

    We have built several flex-based ecommerce apps for a fortune 500 customer of ours, that for various reasons, we need to use sockets to a different domain and requires a socket policy file, but we're having trouble configuring our flex apps for deployment in their environment where they are blocking virtually everything except port 80. The current documentation in regards to socket policy files and crossdomain files in a non-standard configuration not using port 843 is not providing any useful help to us.
    Here is the scenario:
    Flex apps are served from domain www.a.com to users' browsers via http. The apps then make socket connections to domain www.b.com:80 where there are php scripts serving json data to the flex apps via port 80 using http (we use sockets because we need to set and read back http headers). The problem is the flex apps cannot make socket connections to the www.b.com domain without errors like below (unless we set up a socket policy server on port 843 of www.b.com, in which case everything works):
    Warning: Timeout on xmlsocket://www.b.com:80 (at 3 seconds) while waiting for socket policy file.  This should not cause any problems, but see http://www.adobe.com/go/strict_policy_files for an explanation.
    Error: Request for resource at xmlsocket://www.b.com:80 by requestor from http://www.a.com/bin-debug/DownloadManagerFlex.swf is denied due to lack of policy file permissions.
    Error: Request for resource at xmlsocket://www.b.com:80 by requestor from http://www.a.com.us/bin-debug/DownloadManagerFlex.swf is denied due to lack of policy file permissions.
    Since we cannot use port 843 for the socket policy file server, we set up the socket policy server on a different ip in the same domain: spf.b.com:80 (using the sample perl code Adobe provides), and per the docs (cited below), use Security.loadPolicyFile("xmlsocket://spf.b.com:80") before we invoke "socket.connect", to supposedly tell the flash player to check there for the socket policy file. The problem, as you can see from the error log, is that the loadPolicyFile("xmlsocket://spf.b.com:80") is ignored.
    No matter what we do or how we set things up, we cannot get the flash player to recognize the loadPolicyFile(), it always wants to go to the port we're making the socket connection on. It is unclear how to properly configure the flex app, socket policy file and crossdomain file for the above scenario. The docs allude to being able to serve the socket policy file from a different port 80 in the same domain as the socket connection we're trying to make, but we're having no luck with that.
    ->Can anyone shed some light on how to make this work or what are we missing/doing wrong? Also, if we can get this to work, are we stuck with a 3 second delay because this (very large) customer is blocking port 843?
    As an aside, the documentation for all this is a bit scattered, unclear and contradictory:
    One document says (http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_07.html):
    "This warning usually means one of two things: first, that you need to set up a socket policy file server on port 843, which is the first location that Flash Player checks by default; or second, that you need to provide more explicit guidance to Flash Player from ActionScript by calling loadPolicyFile to indicate the location of a socket policy file. When you call loadPolicyFile rather than allowing Flash Player to check locations by default, Flash Player will wait as long as necessary for a response from a socket policy file server, rather than timing out after 3 seconds."
    Another document says (http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html):
    "If an ActionScript Security.loadPolicyFile() command exists within the SWF file, then the Flash Player runtime checks that location. Flash Player checks the destination of the loadPolicyFile() only after it has checked the master policy file on port 843 for permission to acknowledge other policy files. If the developer has not specified a loadPolicyFile() command, then Flash Player checks the destination port of the connection."

    I found the reason why the Flex application was ignoring the socket policy (crossdomain.XML). I have a policy server that listens to port 843 and submits the policy to the Flex client. My policy was getting ignored by the Flex application and I was getting the sandbox security error you were getting. The solution to this problem is to write a null byte right after the policy server sends the policy. I'm using Apache Mina that is written in Java and the null byte is written as follows:
    public void sessionCreated(IoSession session) throws Exception {
        session.write(_policy);   // policy string
        session.write("\u0000");  // null byte that terminates the policy
        // session.close(true);   // No need to close the session because it is closed by the Flex client after it receives the null byte.
    }
    Now my Flex application can read and accept the policy from port 843 and I'm not getting more security violations.
    Thanks for your reply,
    Alberto
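
    The framing described in this answer, shown as an added example in Python rather than the poster's Java/Mina code: the client's request and the server's policy are each terminated by a single null byte. The function names, the 64-byte request limit and the policy contents (restricted to www.a.com and port 80 from the question, not a wildcard) are assumptions made for the illustration.

```python
import socket
import threading

# What the Flash client sends when it asks for a socket policy.
POLICY_REQUEST = b"<policy-file-request/>\x00"

# Constructed policy (assumption): only content served from www.a.com may
# open sockets, and only to port 80. Avoid domain="*" / to-ports="*".
POLICY = (
    '<?xml version="1.0"?>\n'
    "<cross-domain-policy>\n"
    '  <allow-access-from domain="www.a.com" to-ports="80"/>\n'
    "</cross-domain-policy>\n"
)


def frame_policy(policy):
    """Policy bytes followed by the null byte the client waits for."""
    return policy.encode("utf-8") + b"\x00"


def read_request(conn, limit=64):
    """Read until the null terminator, EOF, or `limit` bytes (bounded on purpose)."""
    buf = b""
    while b"\x00" not in buf and len(buf) < limit:
        chunk = conn.recv(limit - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def serve_one(conn):
    """Answer one connection; return True only if a policy was sent."""
    try:
        conn.settimeout(3.0)
        if read_request(conn) != POLICY_REQUEST:
            return False  # anything else gets no policy at all
        conn.sendall(frame_policy(POLICY))
        return True
    except socket.timeout:
        return False
    finally:
        conn.close()


def demo_exchange(request=POLICY_REQUEST):
    """Run both sides over a local socketpair; return what the client receives."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve_one, args=(server,))
    worker.start()
    client.sendall(request)
    client.shutdown(socket.SHUT_WR)  # client is done sending
    received = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        received += chunk
    worker.join()
    client.close()
    return received


if __name__ == "__main__":
    print(demo_exchange())
```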

  • Trunking Catalyst 2950 to Catalyst 3750 problem

    I cannot seem to figure out how to trunk a catalyst 3750 to a Catalyst 2950.
    I've set
    3750(config)#interface fastethernet 1/0/2
    switchport mode trunk
    switchport trunk encapsulation dot1q
    BUT my Catalyst 2950 does not offer the "switchport trunk encapsulation dot1q" command
    My 2950 is running IOS version 12.1(20)EA1a
    is there a work around for this situation. Our network still employs a bunch of these 2950's.

    The Catalyst 2950 series can only do 802.1Q trunking. It's the default, and only, choice. So there's no need to specify it when trunking.
    In fact, since you don't have a choice of which encapsulation to use, there's no need for a "switchport trunk encapsulation" command. Which is why it's missing from the Cat2950 switch IOS.
    This took me by surprise too, when I first transitioned out of the 3500XL series into 2950 and 3550 switches.

  • POST error Catalyst 2950

    I have a Catalyst 2950 series 12-port switch. When the switch is booting I receive the following error: "00:00:13: POST: Packet DA mismatch on port: 9"
    What does this message mean? Can I still use this port?
    Kind regards,

    This is part of the power on self test(POST).
    The switch sets the interface to loopback and sends
    a packet. If anything is wrong or changed with
    the packet then you get an error. In this case
    the DA (destination address) was changed on
    the received packet. I assume since this is a
    switch they are referring to the layer2 address.
    I would think this would indicate a possible hardware
    failure.

  • Web Server Blocks Port 80 - What am I to Do?

    I have a WebSite that will load up locally, but not remotely. I think it's because the web server is blocking port 80. How do I get around this (port forwarding - how do you do it)?

    There are a few ways to do this... This is what I do, personally... This is sketchy, but you can figure it out with some research and lots of googling!
    1. Set the machine that will be the server to use a static internal network address. I use 192.168.2.100. This is the internal, non-routable IP address of the machine on your network. This is not the IP that your modem/router receives from your internet provider.
    2. Open an external port on the router that is not blocked by your ISP. I use port 5100. Then configure the router to listen on external port 5100, and pass all "port 5100" traffic to 192.168.2.100 and port 80. By doing it this way, I avoid having to edit the apache configuration. Apache listens to port 80 by default. Apache does not realize that the traffic originally entered the network on port 5100.
    3. If your external IP address is dynamic, you will want to start googling "dyndns". It is a free service that will let you "register" a domain name. In my case, my router notifies DynDns automatically whenever it gets a new IP from the provider. This way, I don't have to remember my IP address, which changes anyway... I just remember my domain name. I can use any network service, such as SSH, Apache, ftp, etc....
    Good luck!

  • Catalyst 2950 bandwidth limitation

    Hello,
    please, can anyone tell me if it is possible to limit bandwidth on Catalyst 2950 switch on per VLAN basis.
    Thanks in advance.
    Maxime Frolov

    Hello Amit,
    I'll try to clarify my problem. I have a 2950 (Standard Image) with a giga uplink to a 6500. On the 2950 I have a VLAN composed of 4 ports. I'd like to limit the use of the uplink link of this VLAN or at least of one port to 20%. Would it be possible on 2950 SI or will I have to upgrade to EI, which implies hardware changes? Or is it just impossible on 2950 and I'll have to migrate to 3750?
    Regards.
    Maxime Frolov

  • Catalyst 2950 interface problem

    Hi, Sirs.
    My Catalyst 2950-24 (IOS Ver 12.1.22EA7) stops communicating with another switch port of a Catalyst 3512XL-EN after the Catalyst 2950 has been powered on for 1 or 2 days.
    The show interface output shows 2476498 ignored.
    FastEthernet0/1 is up, line protocol is up (connected)
    Hardware is Fast Ethernet, address is 000d.28c0.cf41 (bia 000d.28c0.cf41)
    MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Full-duplex, 100Mb/s, media type is 100BaseTX
    input flow-control is unsupported output flow-control is unsupported
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 3d19h, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 28000 bits/sec, 44 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    10033048 packets input, 806430104 bytes, 2476489 no buffer
    Received 10031591 broadcasts (0 multicast)
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 2476498 ignored
    0 watchdog, 2217265 multicast, 0 pause input
    0 input packets with dribble condition detected
    357799 packets output, 25835259 bytes, 0 underruns
    0 output errors, 0 collisions, 2 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier, 0 PAUSE output
    0 output buffer failures, 0 output buffers swapped out
    What does it mean?

    Hello,
    what other switches do you have in your network ? If you have just the 2950 and the 3500, make sure that the 2950 is the root switch for all your VLANs, by configuring the global command:
    spanning-tree vlan x priority 0
    Also, check the log on the 2950 for the following message:
    SCHAN ERROR INTR: SRC=6 DST=5 OPCODE=20 ERRCODE=5
    If you see those, chances are that you have a faulty unit. Here is the relevant bug info:
    CSCdv83336 Bug Details
    Under certain level of traffic load, the (2950) switch will start logging the following messages on the console:
    SCHAN ERROR INTR: SRC=6 DST=5 OPCODE=20 ERRCODE=5
    and after a few seconds, the switch will stop passing any traffic. In some cases, the switch seemed still forwarding broadcast and multicast traffic, which will cause STP problem if the switch has redundant link and is not supposed to be the root for the VLAN, as both port will go forwarding.
    The same error message has been identified in CSCdu87836.
    An assessment of the impact
    Unit stops passing any traffic.
    WORKAROUND
    Several units were returned by CISCO. The units were re-screened to the latest test program, and failed the SDRAM memory test.
    Customer should RMA unit back to Cisco
    Regards,
    Nethelper

  • Catalyst 2950: SNMP queries

    Hello,
    I want to get the following information from CISCO's Catalyst 2950:
    1. Port's status: Up / Down
    2. What MAC is connected to the port
    3. Number of messages transmitted and received from the port.
    What OID should I use for this purpose ?
    For a reference I want to use ireasoning MIB browser.
    What MIB file should I download from CISCO's FTP site ?
    Thanks,
    Zvika. 

    Up/down : 1.3.6.1.2.1.2.2.1.8 (ifOperStatus)
    MAC addresses : 1.3.6.1.2.1.17.4.3.1.1 (dot1dTpFdbAddress)
    Number of "messages" (I assume you mean packets) : 1.3.6.1.2.1.2.2.1.11 (ifInUcastPkts), 1.3.6.1.2.1.2.2.1.17 (ifOutUcastPkts)
    For these objects you'll want the IF-MIB and the BRIDGE-MIB.
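
    How the objects from this answer combine into a per-port inventory, as an added example that is not part of the original thread. It parses constructed `snmpwalk -On` style text; dot1dTpFdbPort and dot1dBasePortIfIndex are standard BRIDGE-MIB columns the answer does not mention, assumed here to tie each learned MAC to an interface, and the function names are hypothetical.

```python
import re

IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.8"   # ifOperStatus: 1 = up, 2 = down
IF_IN_UCAST = "1.3.6.1.2.1.2.2.1.11"     # ifInUcastPkts
IF_OUT_UCAST = "1.3.6.1.2.1.2.2.1.17"    # ifOutUcastPkts
# Assumption: BRIDGE-MIB columns not named in the thread, used to map MAC -> port.
FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"      # dot1dTpFdbPort, index is the MAC
BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # dot1dBasePortIfIndex
COLUMNS = (IF_OPER_STATUS, IF_IN_UCAST, IF_OUT_UCAST, FDB_PORT, BASE_PORT_IFINDEX)

# Constructed `snmpwalk -On` style output, not captured from a real switch.
SAMPLE_WALK = """\
.1.3.6.1.2.1.2.2.1.8.1 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.8.2 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.8.3 = INTEGER: 2
.1.3.6.1.2.1.2.2.1.11.1 = Counter32: 10033
.1.3.6.1.2.1.2.2.1.11.2 = Counter32: 412
.1.3.6.1.2.1.2.2.1.17.1 = Counter32: 3577
.1.3.6.1.2.1.17.1.4.1.2.1 = INTEGER: 1
.1.3.6.1.2.1.17.1.4.1.2.2 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.86 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.2.0.94.0.83.1 = INTEGER: 2
"""
LINE_RE = re.compile(r"^\.?([0-9.]+) = ([\w-]+): (.*)$")


def as_int(value):
    return int(re.search(r"(\d+)\)?$", value.strip()).group(1))  # 'up(1)' or '1'


def parse_walk(text):
    """Return {column_oid: {index_suffix: raw_value}} for the known columns."""
    columns = {oid: {} for oid in COLUMNS}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, value = m.group(1), m.group(3)
        for col in COLUMNS:
            if oid.startswith(col + "."):
                columns[col][oid[len(col) + 1:]] = value
    return columns


def build_inventory(text):
    """Return {ifIndex: {"up", "in_ucast", "out_ucast", "macs"}}."""
    cols = parse_walk(text)
    ports = {}
    for idx, raw in cols[IF_OPER_STATUS].items():
        ports[int(idx)] = {
            "up": as_int(raw) == 1,
            "in_ucast": as_int(cols[IF_IN_UCAST].get(idx, "0")),
            "out_ucast": as_int(cols[IF_OUT_UCAST].get(idx, "0")),
            "macs": [],
        }
    bridge_to_if = {int(bp): as_int(v) for bp, v in cols[BASE_PORT_IFINDEX].items()}
    for mac_idx, raw in cols[FDB_PORT].items():
        # The table index is the MAC itself, written as six decimal octets.
        mac = ":".join(f"{int(octet):02x}" for octet in mac_idx.split("."))
        ifindex = bridge_to_if.get(as_int(raw))  # bridge port -> ifIndex
        if ifindex in ports:
            ports[ifindex]["macs"].append(mac)
    return ports


def multi_mac_ports(ports, limit=1):
    """ifIndexes that learned more than `limit` MACs (e.g. a downstream switch)."""
    return sorted(i for i, p in ports.items() if len(p["macs"]) > limit)


if __name__ == "__main__":
    print(multi_mac_ports(build_inventory(SAMPLE_WALK)))
```

    Catalyst switches expose the BRIDGE-MIB forwarding table per VLAN (community string indexing), so a walk with the plain community string generally covers VLAN 1 only.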

  • Cannot sync; receiving a message that firewall is blocking port 3689

    I am receiving an error message when I try to sync my Apple TV. The error message says that a firewall is blocking port 3689. I have checked the settings I can find, but have been unable to find the source of the problem. Has anyone had this problem and if so, how did you resolve this?

    Thanks Chenks! At least I know I'm not nuts. I have done exactly what you suggest. iTunes is in the list and I went the extra step and added port 3689. Still no luck. I've checked my McAfee settings and anything else I can find. I am at the point of resetting everything to the defaults to see if I can get around this. This is so odd as the Apple TV has been working beautifully, then, BAM! An error code and I can't sync.
