Cisco CE500 Switch and SPAN Port Monitoring

Similar Messages

• SPAN Port Monitoring Setup

  We have three Cicso Catalyst 3750 switches that are stacked.  The primary switch has a VLAN ( # 99 ) setup on it. The VLAN has our incoming internet connection. The LAN ports from the two redundant firewalls are routed back to the primary switch ( non VLAN ). The WAN ports on the firewalls are connected to the VLAN. There are three unused ports ( 46, 47 & 48 ) available on the VLAN. There are also a couple of available ports ( 36 & 38 ) on the primary switch that are not in the VLAN.
  We want to connect a hardware device to one of the ports on the switch that monitors network traffic. Need to connect two ports on the hardware device. One for LAN/WAN traffic, and one for the SPAN port.
  Question:
  Which port would you setup as the LAN port ? 
  Which port would you setup as the SPAN port ?
  What commands would we run to set this up ?
  Thanks

  I would suggest moving this post here: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
  3750 isn't considered a small business switch.

• Cisco 3850 Switch and Windows 7 IP Conflicts

  Team,
  Last evening (Christmas eve) we setup a pair of Cisco 3850 with IP Base version 3.3.35SE (recommended) and 3.7.0E (very latest).
  We got these to replace a very old switch that had died. Attached to this network are windows 7 PC's with all the standard patches, service packs, etc.
  with standard port configs - no PC would work - and in fact on each screen we got the windows 7 IP Conflict pop up box.
  This seemed very odd to us, as we know these IP's are all static (no dhcp on this segment at all)
  we went with a very vanilla config on each port
  interface g1/0/1
  switchport host
  that is it - nothing special at all.
  well, after hours of research we found the 3850 has a problem where its "ip device tracking" (even though disabled, by way of NOT being enabled on any interface) will effect the windows 7 PC's ip address in use detection port start up phase!
  This is a very big problem. I am frankly SHOCKED Cisco would release a major switch that is going to not work when connected to the average network with windows 7 PC's.
  we tried 3+ hours of prescribed work-arounds found when researching this issue -
  ip device tracking probe delay 10 (global config)
  ip device tracking max 0 (disabed, on interface)
  finally,
  nmsp attach suppress (interface, however this appears to be a default command in all IOS-XE versions we tried, as the command did NOT show in the show run) . this effected many different nic card vendors (laptops, desktops) and nic card drivers levels from old to very recent.
  Finally,
  we compared a 3850 in another location to this one - and we never got HIT by this problem before because that 3850 only as TRUNK ports and no windows 7 hosts directly attached.
  Doing more research, I found out this also can effect vmware guests running windows SERVER.
  this is now a huge issue as we have a scheduled deployment of 3850's throughout our network which is going to be put on hold.
  the work-around I came up with which is not great is -
  Make ALL the "access" ports connected to PC TRUNK ports and leave the NATIVE vlan (untagged) as the vlan you want the PC's to be in
  interface g1/0/1
  switchport mode trunk
  switchport trunk native vlan 1
  this is NOT an acceptable workaround as this presents security issues even with
  switchport trunk allowed vlan 1, etc. as the only allowed vlan.
  Note: this issue manifested itself and windows 7 PC's were UNABLE to use the network. if you do "ipconfig /all | more" you would see
  192.168.0.140(duplicate) and the interface would actually use 169.254.0.239(duplicate) so the duplicate message appeared twice in the output.
  1) With and without an SVI interface on each 3850 for the vlan where the windows 7 machines had a duplicate
  2) when we had an SVI and the command ip device tracking probe use-svi (or whatever the hidden command is I forget now, but it took it)
  3) when we had aaa new-model configured - and not configured - thinking this was some artifact of having aaa turn on something like 802.1x port state
  4) when could confirm NO DHCP SNOOPING
  5) when we DID not use static IP's - and had the switch assign DHCP addresses - the Windows 7 PC's STILL had duplicates and didnt work for their "Just leased" ip's.
  6) when we could confirm ios-xe ip device tracking = disabled with show ip device tracking status, etc.
  This is a major problem for this 3850 and unless we get a definitive answer on why this is happening and how we can rectify we are going to have to return our 3850's and get HP Procurve's something I would rather avoid doing. There is NO REASON I can imagine other than older switches who's ports default to ROUTED ports (i.e.. no ip switchport) where a switch should not at least function as a bare switch with essentially a default configuration out of the box.
  Any ideas? I'm working well now with the ports ALL in trunking mode with vlan 1 native, but this is not a scalable workaround we can live with as we have security risks of a port not blocking certain vlans from going out ports to pc's, etc. that attackers could send tags on at that point, etc.
  thanks,
  Joe Brunner
  #19366

  thanks for replying - i'm not onsite (its a standalone network) - but here is what it is -
  Answers in line -
  This all stems from a switch replacement correct?
  yes a 10 year old Allied Telesyn switch was replaced that had no config - like a hub, just used for connectivity.
  Are these 3850's in a stack?
  >yes, tested all aspects of the stack many times.
  Does it have a managment ip address -If so, is it using the old switch ip address
  >old switch had no ip - i made a "management interface" on vlan 1 - BUT no ip on the built-in management interface on the switch.
  What are they connecting to? (a router/L3 switch/anohter switch- cisco-HP etc..)
  >various other devices - only 1 link back to a single 3750x stack. that switch is "hardened" so to speak to reveal or propagate very little by design.
  How are they connected( L3 interface/L2 trunk/access port)
  >all ports are left in trunk mode with vlan 1 as the active and untagged port. this was the workaround done to ever get the switch going. in "out of the box" or default mode as we initially wanted (no config) links to windows 7 PC's didnt work. links to linux or other devices non-windows did work!
  Are thse switches performing inter-vlan routing or just acting as host switches?
  >dumb flat network, no routing.
  Is ip routing enabled?
  >not unless enabled on 3850 by default. I didnt type "ip routing"
  Do you have multiple vlans in your network and if so ar ethe being propergated to these new switches?
  Your 7 pcs = are they just client pcs not servers?
  client PC's - no servers OS per say.
  can you confirm something like ICS isnt enabled (Internet connection sharing)  on any of them?
  >yes not enabled.
  Are the just using one NIC each?
  > one machine is dual homed - but we know where its "second nic" goes - to another cisco network which is NOT connected back to this one. we traced all our ports a few times thinking even perhaps some small hub was "reflecting" traffic back to us - like a blackbox. Strangest thing -
  default config out of the box - with ALL ports SHUTDOWN EXCEPT the single windows 7 facing port - the windows 7 machine STILL registered an IP CONFLICT when connected to the 3850 - even when it had NO SVI's!!! (i know mind numbing). if you disconnected the pc and connected it to an old cisco switch - it worked fine!!! wow.
  sh switch
  2 identical 3850's in working stack. power and network stacked. both at same version, etc - upgraded each time with "software install file flash:<long ios name>.bin
  tested all power and general 3850 stacking. saw no issues.
  sh int trunk
  >all ports are now trunks (hence the workaround used to get it up).
  has 20 trunks to PC's and some single connected switches (far away on fiber) - all allow only vlan 1 - no other vlans were created - very very simple network. vlan 1 is native
  sh vlan brief
  >just vlan 1 - no vlans created, checked this many times - had vlan 100 at one point - made sure it was gone over a period of hours.
  sh vtp status
  not setup - left complete default; no vtp domain set - connected to all switches in transparent model if a switch connection exists.
  sh cdp neighbours
  cant post (for god and country LOL) but there is one link back to our "core" so to speak - that switch is hardened not to allow any settings to slip over to new switches so hence no vtp, cdp is one to help troubleshooting.
  sh ip route
  just the L and C routes for the vlan 1 ip address 192.168.17.1/24
  no static routes
  no vlan interfaces other than int vlan 1
  no ip address on g0/0/0 -> the default 3850 management interface hard assigned to the 3850 VRF you cant remove.
  int g0/0/0
  ip vrf forwarding Switch_Mgmt
  i can get over there if you think of anything else key to show the group.
  thanks,
  Joe

• Cisco SG500 switch and 5 gbit links without stacking

  Does the sfp ports link up to 5 gigabit when you don't use the stacking function?

  Good question.  I can tell you that yesterday I was adding a switch to an existing stack via fiber and on the master switch I accidentally plugged into slot 3 or 4.  On the new switch I did the same and connected to port 3 or 4 and noticed that it came up as a trunk link and did not join the stack.  In my case I wanted it to join the stack and discovered that 1G Fiber stack is only supported in slots 1 and 2.  I have not idea if the trunk was 5G, but I think not because my fiber would only be 1G.  I think the 5G link uses copper SFP, no?

• Cisco ASA 5510 and Spiceworks port forward

  So you want to set up a static NAT from 207.123.123.123:9876 to 192.168.0.11:9876. (I assume you're keeping the same port on the public interface.)
  Here's a link to a how-to for setting it up. (I'm headed out the door for the weekend. Sorry!) Hope this helps.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/na..
  Skip down to the section "Configuring Static NAT or Static NAT-with-Port-Translation"

  I know this topic has been beaten to death, but I'm rather green with firewalls and would like some guidance with why my config is not working. I'm using ASDM 6.4.
  My public address is 207.123.123.123 (simplified for this example)
  My Spiceworks server is 192.168.0.11 (SpiceServer)
  My SpiceServer SSL port for SW is 9876
  I've created a NAT for SpiceServer to Any Outside connection. I've created an access rule for Outside where Any is destined for SpiceServer and I created a Service Group for TCP-UDP for Port 9876.
  Where am I going wrong (besides everywhere)??
  This topic first appeared in the Spiceworks Community

• Connecting Router between Switch and Ethernet Port

  I uploaded both of the router configurations I used on the 1750 router and I unable to get pass E1/0 which should put me on my companies Lan. Thanks

  Well I guess the best way to explain what I trying to accomplish it create my own LAN off my companies LAN
  Wall Jax-------------1751 E 1/0-----------1751 FA 0/0-------------2950 Switch
  Nat the 1751 Router with FA 0/0 with this interface address 192.168.3.1 /24
  And E 1/0 with a static address of 192.168.2.253 or preferable use the
  "ip address dhcp” Command.

• Converting Eth port to FC port in a cisco 6001 switch

  Hi,
  Back to forum after a long time. I have one issue to discuss regarding cisco 6001 switch. We purchased a new 6001 switch. Want to convert some of the Ethernet ports out of total 48 to FC to join the switch into a existing fabric.
  cisco Nexus 6001 Chassis ("Norcal 64 Supervisor")  - This is what H/W version look like from show version command.
  In the past, we have quite a few Cisco 5548UP switch and the way convert the Ethernet port into FC port is, by going to correct slot/module and then
  (config)# slot 1
  (config-slot)# port 41-48 type fc
  Then "reload" willl complete the conversion. But in the new 6001 switch, it throws the following error when above command is typed. We have full license for the switch including  FC_FEATURES_PKG
  "ERROR: Module type doesn't support this CLI"
  We are running firmware : 6.0(2)N2(2)
  Any help in this regard will be helpful.
  Thanks.

  I have this exact same error;
   show ver
  Cisco Nexus Operating System (NX-OS) Software
  TAC support: http://www.cisco.com/tac
  Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
  Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained herein are owned by
  other third parties and are used and distributed under license.
  Some parts of this software are covered under the GNU Public
  License. A copy of the license is available at
  http://www.gnu.org/licenses/gpl.html.
  Software
    BIOS:      version 1.5.0
    loader:    version N/A
    kickstart: version 7.0(5)N1(1)
    system:    version 7.0(5)N1(1)
    Power Sequencer Firmware:
               Module 1: version v4.0
               Module 2: version v4.0
    Fabric Power Sequencer Firmware: Module 1: version v4.0
    Microcontroller Firmware:        version v1.2.0.5
    QSFP Microcontroller Firmware:
               Module 2: v1.3.0.0
    SFP Microcontroller Firmware:
               Module 1: v1.1.0.0
    BIOS compile time:       12/29/2012
    kickstart image file is: bootflash:///n6000-uk9-kickstart.7.0.5.N1.1.bin
    kickstart compile time:  10/29/2014 22:00:00 [10/30/2014 11:46:56]
    system image file is:    bootflash:///n6000-uk9.7.0.5.N1.1.bin
    system compile time:     10/29/2014 22:00:00 [10/30/2014 11:47:58]
  Hardware
    cisco Nexus 6001 Chassis ("Nexus 64 Supervisor")
    Intel(R) Xeon(R) CPU  @ 2.00 with 8238120 kB of memory.
    Processor Board ID FOC181506P3
    Device name: xxxxxxxxxxxxxx
    bootflash:    7823360 kB
  Kernel uptime is 3 day(s), 17 hour(s), 25 minute(s), 49 second(s)
  Last reset at 642096 usecs after  Fri Feb 27 15:24:40 2015
    Reason: Disruptive upgrade
    System version: 6.0(2)N2(3)
    Service:
  plugin
    Core Plugin, Ethernet Plugin, Fc Plugin
  xxxxxx# conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  xxxxxx(config)# slot 1
  xxxxxx# port 47-48 type fc
  ERROR: Module type doesn't support this CLI

• AAA and Cisco MDS switches.........

  have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time , if I create a user with "network-admin" role locally, that works but not the default admin user.
  Could anyone help me in this regard.

  local. Below is the script I used to configure TACACS (Cisco ACS 4.0) on Cisco MDS switches.
  config t
  # Enable TACACS+
  tacacs+ enable
  tacacs-server host nnn.nnn.nnn.nnn key 0 xxxxxx
  tacacs-server host mmm.mmm.mmm.mmm key 0 xxxxx
  # Specify TACACS+ Server groups
  aaa group server tacacs+ tacgrp
  server nnn.nnn.nnn.nnn
  server mmm.mmm.mmm.mmm
  aaa authentication login default group tacgrp
  aaa authentication login console local
  # Enable TACACS+ Accounting
  aaa accounting default group tacgrp local
  end
  copy running-config startup-config
  Thanks
  MOhan

• CS11800 - Can I have a SPAN port for my IDS box?

  I have a network design that calls for a few CS11800s and it's smaller brother. The security team has asked if this content switch has a SPAN port that is availble so we can hang our IDS box off.
  Thanks
  B

  I am not extremely familiar with the CS11xxx series and its configuration options, but I can tell you that from experience with Cisco Catalyst switches and non-Cisco IDS devices a SPAN port is not always the best solution. In some instances I have had to disable packet learning in the SPAN session, and in other cases I have had to forego using SPAN at all and settled for an uplink to a hub that connected the IDS device and my router(s). This is especially true if the IDS device needs to be a member of the same VLAN as the traffic it is monitoring in order to send RST packets back onto the segment.
  I have researched this issue on my own and even opened TAC cases for a solution, but have received solutions ranging from "There's no reason this shouldn't work" to "You can not set up a SPAN session for IDS purposes." My recommendation would be (even though it does decrease performance a bit) to implement the hub solution, regardless of the CS11800 capabilities. This will prove to remove any potential X factors in the SPAN functionality and make your life a lot easier.
  Just my 2 cents. :)

• Nexus 9k span port

  Can someone provide instructions of how to configure a span port/monitor session on a 9k?

  Hi Joris,
  SPAN source functionality on satellite ports and host interface port channels is not supported when the FEX is connected to F2 Series modules. Beginning with Cisco NX-OS Release 6.2(2), FEX ports are supported as an egress SPAN source on F2e Series modules.
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/system_management/configuration/guide/sm_14span.html#wp1239670
  Nexus7k# show module
  Mod  Ports  Module-Type                         Model              Status
  1    0      Supervisor module                 N7K-SUP2           active *
  3    48     1/10 Gbps Ethernet Module           N7K-F248XP-25      ok
  Mod  Sw              Hw
  1    6.x(x)          1.0
  3    6.x(x)          1.1
  Mod  MAC-Address(es)                         Serial-Num
  1    84-xx-xxx to 84-xx-xxxx  JAxxxxxxxx
  3    00-xxx to 00-xxxxx JAxxxxxxx
  Mod  Online Diag Status
  1    Pass
  3    Pass
  * this terminal session
  Regards
  Jens

• Passive network tap or span port on all trafic

  i want to insert a tap/span between the uverse in my house and the wall jack so i can push all traffic to security onion. the wall jack is RJ-11 and the pinout doe snot allow for a passive network jack. i bought a smart switch and spanned the ports and that didnot work either. 1. is there a way to designate one port on my i3812V residential device as a span and span all other ports to it? 2. what is the pinout needed for me to build a passive tap to sniff traffic? 3. has this been done before, and if so, am i missing something obvious?

  Garland,
  SPAN session are only available on the Switches. If you setup an SPAN session on the port where the ASA is connected you should be able to see all the traffic that is leaving/getting to that switchport; so it doesn't matter if the ASA drops the packet; if the switch was able to send it you will see it.
  There is also the capture feature on the ASA; you can capture the traffic that gets to the interface of the ASA you are troubleshooting.
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
  HTH
  Luis Silva
  "If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
  http://www.cisco.com/web/partners/tools/pdihd.html

• Remote Command Tool for Cisco Routers/Switches

  Is anyone aware of any tools or scripts out there which allow preconfigured commands to be remotely run again Cisco Router/Switches and display the output result?
  I'm looking for a tool which I can give our Service Desk personnel that will allow them to select from a list of commands enter a target IP Address of a router/switch and then the tool will display the vlan table or the running config of a particular switch-port so they can see if its configured on the correct data vlan or its missing its voice vlan etc.
  For example a Service Desk Operator needs to check what vlan a switch-port is on. So they open the tool, enter the switches IP address and the port number and select an option like "display a switch-ports vlan" and the tool will login into the switch in the background run a show command on the switch and then output the result.
  Thanks.

  Check out rConfig. You will be able to run multiple instances of it i.e. one instance for your standard configuration backups and another for more specific configuration downloads info like show vlan bri commands etc for service desk staff to view.
  You could also use the IOS menu function and create menus or role based access on each of your devices for your users.
  Regards
  Stephen
  ==========================
  http://www.rConfig.com 
  A free, open source network device configuration management tool, customizable to your needs!
  - Always vote on an answer if you found it helpful

• Cisco 4506 switch in Err-disable mode

      I have a Cisco 4506 switch and its 10 gig interface is in error disable mode.I tried Shut and no shut the port couple of times but it transits from up to down number of times and then to error-disable. Did anyone else encountered this issue before. kindly advise the solution for the same. thanks         

  Hi Shariq,
  Can you post the output of the show interface status err-disable ? That output contains the reason for putting your port into err-disabled state.
  Best regards,
  Peter

• LACP between optical port and RJ45 port ?

  Dear all:
  I got one problem about lacp.This is the case:
  Our core switch is cisco 4506e switch, and recently we got one huawei s5700-28C-EI which uplink to our cisco 4506. We want to enable lacp between them. But there is one problem, my s5700 and 4506e all just leave one 10GE port. I know they cannot support lacp between 10GE and 1GE now. So  I want to enable lacp between 1GE optical port and 1GE RJ45 port.  May I ?

  Etherchannel does not care about the media in use as long as the speeds/duplex etc. are the same so you should be able to mix copper and fibre into the same etherchannel.
  Jon

• Unable to Remove Metal Casing for Cisco 1924 Switch

  Hi Guys,
  I just bought a Cisco 1924 switch and would like to check out its insides but I can't seem to work out how to remove the metal cover.
  I have removed all the visable screws and have also checked out the Cisco Support site and Internet but considering that the 1924 switch is an end of line product, I'm finding it extremely to find any support resources for the 1924 switch.
  I don't really want to force it open as I don't want to crack or snap anything.
  Thanks all
  two5om

  Hi,
  Here you are the Catalyst 1900 Series Installation and Configuration Guide, but unfortunately it doesn't contain how to remove the metal cover, please try to softly remove it, try to move it to the back before lifting it:
  http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/catalyst1900_2820/version9.00.00/icgf/19icinst.html
  HTH,
  Mohammed Mahmoud.