Trunk port as a destination for SPAN session

Similar Messages

• Can I 'monitor session' trunk ports to a Cisco IDS?

  I ran across an existing config that has two trunk ports on a 3560 being port monitored to another port which is plugged in to a port on an ids 4515. Will the IDS be able to interpret that trunk traffic? The customer is complaining that they aren't able to see events on a local network (VLAN 1) and this is suppose to be the port they get that traffic from.
  Not sure why they chose to monitor trunk ports and I'm not sure it's even possible. I want to change the monitored port to some other local VLAN port that makes sense.
  Here are the existing lines:
  interface G0/47
  switchport turn encap dot1q
  switchport mode trunk
  interface G0/48
  switchport turn encap dot1q
  switchport mode trunk
  monitor session 2 source interface Gi0/47 - 48
  monitor session 2 destination interface Gi0/20
  ...port 20 goes to the ids.

  There are 3 modes of sensing supported on the sensors: promiscuous, inline interface pair, and inline vlan pair.
  Each mode interacts with vlan headers slightly differently.
  Promiscuous:
  A promiscuous sensor is fully capable of analyzing 802.1q trunk packets. The vlan will also be reported in any alerts generated.
  The trick when monitoring using a trunk is to ensure the span (or vacl capture) configuration is correct on the switch to get the packets you are expecting.
  Many types of switches have special caveats when a trunk is a source or destination port in the span.
  We also even support Vlan Group subinterfaces on the promiscuous interface.
  This allows sets of vlans on the same monitoring port to be monitored by different virtual sensors.
  So you could take vlans 1-10 and monitor with vs0, and then take vlans 11-20 and monitor with vs1, etc....
  However, to use this feature the switch must be very consistent in how packets are sent to the sensor. When monitoring a connection the sensor needs to see both client and server traffic. And when using Vlan Groups the sensor needs to see the client and server traffic ON THE SAME VLAN. It is this on the same vlan requirement that is not always possible with some span configurations when the switch itself is routing between vlans. Most switches are deployed with routing between vlans by the switch, and so in many cases you won't see the client and server traffic on the same vlans. This is very switch code dependant so you would need to do some research on your specific switch.
  Inline Interface Pair:
  With an inline interface you are pairing 2 physical interfaces together. A common deployment is to place the inline interface pair in the middle of an existing 802.1q trunk port. Interface 1 would be plugged into the switch, and interface 2 plugged into the other switch or other type of device (like router or firewall).
  In this setup the sensor is fully capable of monitoring these packets with 802.1q headers.
  However, there is something to keep in mind in these deployments. Often that other device (router, firewall, or switch) will route packets between vlans. So a packet going through the sensor on vlan 10 could be routed right back through the sensor again on vlan 20. Seeing the same packet again can cause TCP tracking confusion on the sensor (especially when the other device is doing small modifications to the packet like sequence number randomization).
  To address these we have 2 features.
  On InLine Interface Pairs we have the same Vlan Group feature as I discussed above in Promiscuous mode. (Do not confuse Vlan Groups with InLine Vlan Pairs discussed later in this response).
  So with Vlan Groups you could separate the vlans across virtual sensors. So if the packet gets routed back into the sensor you could configure it so that packet gets monitored by a separate virtual sensor and it will prevent the sensor confusion with state tracking.
  However, there will still be some situations where the packet may still need to cross the same virtual sensor twice. For this deployment scenario we have a configuration setting where you can tell the sensor to track tcp sessions uniquely per vlan. So long as the return packet is on a different vlan this should prevent the tcp tracking confusion. BUT there is a bug this code right now. It should be fixed in an upcoming service pack. The workaround is to go ahead and create a unique Vlan Group for each vlan (one vlan per group instead of multiple vlans in a group), and assign all of the Vlan Groups to the virtual sensor(s).
  And then you InLine Vlan Pairs:
  With InLine Vlan Pairs the monitoring interface Must be an 802.1q trunk port.
  Instead taking packets in one interface and passing to the next interface, the sensor actually takes packets in on one vlan and then sends it back on the other vlan of the pair on the same interface. It does this by modifying the vlan number in the 802.1q header.

• Enable BPDUGuard on Spanning-tree Portfast Trunk Port: Yes or No?

  Hello to all the Cisco Experts,
  I have been searching around to get a confirmed answer as per my subject, but yet unable to come into any conclusion that could help me.
  This is all started when I configured the switchport configuration for my ESXi Server which is a dot1q trunk port. The reference will be as below URL:
  http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006628
  The configuration of the switchport will be as below:
  interface GigabitEthernet1/0/1
   description ESXi
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 11,15
   switchport mode trunk
   spanning-tree portfast trunk
  end
  The catch is, I had the bpduguard enabled on the global level in my switch = spanning-tree portfast bpduguard default.
  This will enable the bpduguard on the trunk port above due to the switchport is in portfast (the command: spanning-tree portfast trunk).
  Some of the guys in this forum mentioned that it is not recommended to have bpduguard on trunk port and some mentioned it is okay to have this.
  So, what do you all think on this? Any real life experience dealing with this kind of situtation that can be shared to us over here?
  Thank you in advance.

  Hi Leo,
  First of all, I would never, ever, consider any comment of yours as being offensive so don't worry, none taken. :)
  Enabling portfast on a trunk is so "yesterday", in my opinion.  If a trunk port(s) or an etherchannel is configured correctly, there's a significant chance portfast is irrelevant.  The speed to get the ports to go from down to passing traffic is really boils down to one or two seconds.
  Perhaps this is at the core of our different views. To my best knowledge, without the PortFast, a trunk - be it a single port or an EtherChannel - will become forwarding 30 seconds after entering the up/up state, not less. This is valid for STP, RSTP, and MSTP. In addition, if a new VLAN is created or added to the list of enabled VLANs on the trunk, it may take additional 30 seconds for that VLAN to become operational (forwarding) on that trunk. There is nothing besides PortFast and Proposal/Agreement that can cut down this time: the STP must go over the Listening-Learning-Forwarding sequence, and RSTP/MSTP must go through the Discarding-Learning-Forwarding sequence. The "one or two seconds" you have mentioned is perhaps the combined delay incurred by autonegotiation, LACP/PAgP, and DTP, but STP will take its own time and will not be deterred by any of these mechanisms.
  I see no benefit but mischief when you enable BPDU Guard on an inter-switch link.   
  Absolutely agree. That is why it doesn't make any sense to put a BPDU Guard on an inter-switch link, and I have never suggested doing that. The original post, however, deals with enabling PortFast on a trunk link that does not go to another switch but rather connects to an ESXi server on which, obviously, different virtual machines are bridged onto different VLANs.
  So what is the reaction of the port if you do happen to enable portfast and BPDU guard on an inter-switch link?  Wouldn't the two be a "Jekyll & Hyde", wouldn't it?
  It would be just the same as enabling PortFast and BPDU Guard on an access port that happens to be connected to another switch. Upon link-up, the port would become forwarding immediately, and after receiving a BPDU, it would be shot down to err-disabled. The fact the port is an access port or a trunk port makes no difference here. Just as before, I stress that this kind of configuration simply isn't meant to be used on inter-switch links. However, on trunks connected directly to routers, servers, autonomous APs supporting several SSIDs mapped to different VLANs, even to IP phones (remember the mini-trunk config used on old switches on which the switchport voice vlan command only instructed CDP to advertise the voice VLAN but did not cause the port to accept tagged frames in the voice VLAN so it had to be configured as a trunk?) - in all these situations, the PortFast can be beneficial. The BPDU Guard is a natural protective companion to the PortFast - wherever PortFast is eligible to be configured, the BPDU Guard is a natural additional protection to be activated as well.
  But given the complexity of interconnection of different switches to various stuff going around, we're happy with leaving portfast on a trunk port disabled.
  No argument here - but again, this is about trunks between switches on which I would never suggest using the PortFast or the BPDU Guard. The original post is talking about trunks to end hosts (i.e. edge trunk ports if we extend the terminology a little).
  Best regards,
  Peter

• Best practices for configure Rogue Detector AP and trunk port?

  I'm using a 2504 controller.  I dont have WCS.
  My questions are about the best way to configure a Rogue Detector AP.
  In my lab environment I setup the WLC with 2 APs.  One AP was in local mode, and I put the other in Rogue Detector mode.
  The Rogue Detector AP was connected to a trunk port on my switch.  But the AP needed to get its IP address from the DHCP server running on the WLC.  So I set the native vlan of the trunk port to be the vlan on which the WLC management interface resides.  If the trunk port was not configured with a native vlan, the AP couldn't get an address through DHCP, nor could the AP communicate with the WLC.  This makes sense because untagged traffic on the trunk port will be delivered to the native vlan.  So I take it that the AP doesn't know how to tag frames.
  Everything looked like it was working ok.
  So I connected an autonomous AP (to be used as the rogue), and associated a wireless client to it.  Sure enough it showed up on the WLC as a rogue AP, but it didn't say that it was connected on the wire.  From the rogue client I was able to successfully ping the management interface of the WLC.
  But the WLC never actually reported the rogue AP as being connected to the wired network.
  So my questions are:
  1. What is the correct configuration for the trunk port?  Should it not be configured with a native vlan?  If not, then I'm assuming the rogue detector AP will have to have a static IP address defined, and it would have to be told which vlan it's supposed to use to communicate with the WLC.
  2.  Assuming there is a rogue client associated with the rogue AP, how long should it reasonably take before it is determined that the rogue AP is connected to the wired network?  I know this depends on if the rogue client is actually generating traffic, but in my lab environment I had the rogue client pinging the management interface of the WLC and still wasn't being picked up as an on-the-wire rogue.
  Thanks for any input!!

  #what's the autonomous AP's(as Rogue AP) Wired and Wireless MAC address?
  it has to be +1 or -1 difference. If Wired MAC is x.x.x.x.x.05 and the wireless mac should be x.x.x.x.x.04 or 06. It is not going to detect if the difference is more than + 1 or - 1.
  #Does the switch sees the Rogue AP's wired MAC on its MAC table.
  Rogue Detector listens to ARPs to get all the Wired MAC info and forwards to WLC, It compares with Wireless MAC, if there is a +1 or -1 difference then it will be flagged as Rogue on wire. And the client that connected to it is also marked as found on wire.
  Regards to Trunking, Only Native vlan matters per trunk link, just configure the right vlan as native and we're done.
  It is not mandatory to keep the Rogue detector on Management vlan of wlc. It can also be on L3 vlan also as long as it can join the WLC to forward the learnt wired MACs.
  So if we don't have +1, -1 difference on Rogues then you've to use RLDP which will work with your existing setup to find Rogue on wire. there's a performance hit when we use this feature on local mode APs.
  Note: For AP join - AP can't understand Trunk, meaning if AP connected to Trunk it'll only talk to its native vlan irrespective of AP mode, however rogue detector listens to the Trunk port to learn MACs via ARPs from different VLANs and forwards to WLC using native vlan.

• Define Logical Port and Back-End Destinations for ESOA use of this config

  Hi,
     Please let me know what is the use of this config I am not able to get a documentation.
  Define Logical Port and Back-End Destinations for ESOA

  Hi Autobots,
  Even I am looking for the same information. Did u get some headstart into the matter?
  Pl provide me with the inputs too.
  Cheers
  Nikhil

• Trunk Port for 2950 and 2960G

  Hi Guys,
  I have tried connecting 2 switch using a trunk port in able for VLAN to run on 2950 switch, 2950 and 2960G, but the problem is, it keeps going up and down when I check the logs. The client experienced intermittent network connection by this problem. What seems to be the problem here? I already replaced the cables.
  Here is the config:
  They are connected via cross-cable
  2950:
  Int f0/24 --> 100mbps port
  switchport mode trunk
  2960G:
  Int G0/1 --> 1Gbps port
  switchport mode trunk
  *I believe they will auto negotiate their current speed and duplex.
  Thanks in advance.
  Cheers!

  Yes, they have the same settings.
  Here it is:
  int g0/2
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:23, output 00:00:00, output hang never
  Last clearing of "show interface" counters 5d18h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 21000 bits/sec, 21 packets/sec
  5 minute output rate 495000 bits/sec, 180 packets/sec
  5180581 packets input, 1243581478 bytes, 0 no buffer
  Received 62493 broadcasts (0 multicast)
  0 runts, 0 giants, 0 throttles
  2 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 watchdog, 30119 multicast, 0 pause input
  0 input packets with dribble condition detected
  179416978 packets output, 2694243274 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collision, 0 deferred
  0 lost carrier, 0 no carrier, 0 PAUSE output
  0 output buffer failures, 0 output buffers swapped out
  int f0/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 100BaseTX
  input flow-control is unsupported output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 5d18h
  Input queue: 2/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 504000 bits/sec, 180 packets/sec
  5 minute output rate 22000 bits/sec, 22 packets/sec
  179389710 packets input, 2690183405 bytes, 0 no buffer
  Received 26481884 broadcasts (0 multicast)
  0 runts, 0 giants, 0 throttles
  4510 input errors, 3566 CRC, 243 frame, 0 overrun, 0 ignored
  0 watchdog, 17984825 multicast, 0 pause input
  0 input packets with dribble condition detected
  5180070 packets output, 1243477217 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collision, 0 deferred
  0 lost carrier, 0 no carrier, 0 PAUSE output
  0 output buffer failures, 0 output buffers swapped out

• Access to trunk port clarification

  Hello-
  I am looking to clarify a point of confusion for myself regrading connecting an access port to a trunk port. Consider the following switchport config on switch1:
  Switch#1
  interface GigabitEthernet0/5
   switchport
   switchport access vlan 6
  ....and the corresponding config on it's neighbor:
  Switch#2
  Interface GigabitEthernet10/8
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 1,6,100
  My first question is- Is this a valid configuration? Secondly, what would the expected results be? I am curious about what vlans would be allowed to pass through..
  Thanks in advance-
  Brian

  This would work fine but not recommended.
  Also the traffic between the switches would be only Native Vlan and vlan 6 will pass through.
  SW1-----F0/1----------f0/1----SW2
  SW1#sh int trunk 
  Port        Mode         Encapsulation  Status        Native vlan
  Fa0/1       auto         n-802.1q       trunking      1
  Port        Vlans allowed on trunk
  Fa0/1       1-1005
  Port        Vlans allowed and active in management domain
  Fa0/1       1,6
  Port        Vlans in spanning tree forwarding state and not pruned
  Fa0/1       1,6
  SW1#
  SW2
  SW2#sh int trunk 
  Port        Mode         Encapsulation  Status        Native vlan
  Fa0/1       on           802.1q         trunking      1
  Port        Vlans allowed on trunk
  Fa0/1       1,6,100
  Port        Vlans allowed and active in management domain
  Fa0/1       1,6,100
  Port        Vlans in spanning tree forwarding state and not pruned
  Fa0/1       1,6,100
  SW2#
  2) Part of this config is that any vlans which are been configured under the SW1 would be allowed through that access port.
  ex:
  SW1#sh int trunk 
  Port        Mode         Encapsulation  Status        Native vlan
  Fa0/1       auto         n-802.1q       trunking      1
  Port        Vlans allowed on trunk
  Fa0/1       1-1005
  Port        Vlans allowed and active in management domain
  Fa0/1       1,6,10,20,30,40,50,60,70,80,90,100
  Port        Vlans in spanning tree forwarding state and not pruned
  Fa0/1       1,6,10,20,30,40,50,60,70,80,90,100 ...>>>>>>>>>>all vlans are allowed here.
  b)
  Were as on Switch 2 if you create all these vlans and u dont allow that to go through the trunk interface which you have configured those vlans would nt be flowing through.
  eg;
  SW2#sh int tr
  Port        Mode         Encapsulation  Status        Native vlan
  Fa0/1       on           802.1q         trunking      1
  Port        Vlans allowed on trunk
  Fa0/1       1,6,100
  Port        Vlans allowed and active in management domain
  Fa0/1       1,6,100
  Port        Vlans in spanning tree forwarding state and not pruned
  Fa0/1       1,6,100>>>>>>>>>>>>>>>.Only 3 vlans would be flowing through due to explicit defined. but if you defined allowed all then all vlans would be shown here.
  i created all the vlans above on sw2 but you can see only 3 vlans are allowd as you have explicitly defined it.
  Hope this clarifies your query.
  Regards
  Inayath
  *************Plz dont forget to rate posts***********

• Can't create span session with NAM

  Hi,
  I have a 6500 with a module WS-SVC-NAM-2 installed (slot3) and I have recently also installed an IDSM module (slot2).
  I am trying to configure a SPAN session via the web interface of the NAM:
  menu setup-> Data sources-> create
  but on the next screen, I choose SPAN type: switchport,  but doesn't appears the modules installed in 6500 (in menu Switch module) so I can't choose either the source port. Besides doesn't appears the destination ports: DATAPORT1 and DATAPORT2.
  I restarted the module but still not working, may be an incompatibility between NAM and IDSM?
  I also tried setting the CLI, but this configuration doesn't appear in the NAM web interface:
  switch (config) # monitor session 2 source interface both giga1/8/43
  switch (config) # monitor session 2 destination-switch 1 analysis module 3 data-port 1
  any idea?
  thanks.

  Thank you very much! this bug explains the problem I have.
  I will try to do the upgrade of the NAM.
  How can I tell if the NAM is running in the application image or not?
  thanks in advance!

• SPAN session CPU usage

  Hi,
  A while ago we tried doing logging on some ACLs on a 3750X running version 15.02SE. After some time the CPU spiked and caused a memory leak which forced the switch to reboot. I did some reading and found that the CPU usage does spike when logging on ACLs, there are ways to rate limit the logging but that doesn't give full visibility into what is going through the switch.
  I'm guessing the alternative is running a monitoring session.
  My question about the SPAN session is, will it greatly impact the CPU of the switch the same way ACL logging did? And if so, will monitoring 10 Vlans in both directions and sending them to a single destination cause the same type of crash as we experienced with ACL logging?
  If we can do the monitoring sessions, it would be a good workaround seeing as the logging interval will give us limited visibility.
  Cheers,
  Waqas

  Why do you need three different browsers running at the same time? Maybe that's causing a problem or what your are doing with them.
  Suppose you create a new user account and log into that account. Does this problem persist? If not then you have a problem with file corruption in your account. Could be preference files for the browsers, could be caches, could be both.

• TRUNK PORTS (HELP URGENT)

  Dear all
  Last night I configured the trunk ports between all my switches, Its a redundant circuit. I did the last one that plugs back into the core switch and it took all of my building out, I could not get to any other switch, For some reason spanning tree blocked the trunk ports that I set up on the last switch !!!!
  When setting up trunks between switches I presume you have to set 2 trunks per switch ? i.e 1 trunk to previous switch and another to the next switch !!!!
  I have never been so scared !!!!

  here are the configs,
  here is the backbone
  version 12.1
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  service password-encryption
  hostname TK-BACKBONE-3550
  enable secret xxxx
  enable password xxx
  ip subnet-zero
  spanning-tree mode pvst
  spanning-tree extend system-id
  interface GigabitEthernet0/1
  switchport mode dynamic desirable
  interface GigabitEthernet0/2
  switchport mode dynamic desirable
  interface GigabitEthernet0/3
  switchport mode dynamic desirable
  interface GigabitEthernet0/4
  switchport mode dynamic desirable
  interface GigabitEthernet0/5
  switchport mode dynamic desirable
  interface GigabitEthernet0/6
  switchport mode dynamic desirable
  interface GigabitEthernet0/7
  switchport trunk encapsulation dot1q
  switchport mode dynamic desirable
  interface GigabitEthernet0/8
  switchport mode dynamic desirable
  interface GigabitEthernet0/9
  switchport mode dynamic desirable
  interface GigabitEthernet0/10
  switchport mode dynamic desirable
  interface GigabitEthernet0/11
  switchport mode dynamic desirable
  interface GigabitEthernet0/12
  switchport mode dynamic desirable
  interface Vlan1
  ip address 10.1.2.30 255.0.0.0
  interface Vlan200
  no ip address
  ip default-gateway 10.1.1.1
  ip classless
  ip http server
  snmp-server community public RO
  line con 0
  line vty 0 4
  password xxx
  login
  line vty 5 15
  password xxx
  login
  end
  here is the last switch in the circuit
  version 12.1
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname BCR-2950-2
  enable secret xxxx
  enable password xxx
  ip subnet-zero
  no ip finger
  interface FastEthernet0/1
  interface FastEthernet0/2
  interface FastEthernet0/3
  interface FastEthernet0/4
  interface FastEthernet0/5
  interface FastEthernet0/6
  interface FastEthernet0/7
  interface FastEthernet0/8
  interface FastEthernet0/9
  interface FastEthernet0/10
  interface FastEthernet0/11
  interface FastEthernet0/12
  interface FastEthernet0/13
  interface FastEthernet0/14
  interface FastEthernet0/15
  interface FastEthernet0/16
  interface FastEthernet0/17
  interface FastEthernet0/18
  interface FastEthernet0/19
  spanning-tree portfast
  interface FastEthernet0/20
  interface FastEthernet0/21
  interface FastEthernet0/22
  interface FastEthernet0/23
  interface FastEthernet0/24
  interface GigabitEthernet0/1
  interface GigabitEthernet0/2
  interface Vlan1
  ip address 10.1.2.24 255.0.0.0
  no ip route-cache
  ip default-gateway 10.1.1.1
  no ip http server
  snmp-server engineID local xxxx
  snmp-server community private RW
  snmp-server community public RO
  line con 0
  exec-timeout 0 0
  transport input none
  line vty 0 4
  password parker2710
  login
  line vty 5 15
  password parker2710
  login
  end
  hope this helps
  Carl

• Multiple trunk ports on switch

  How many ports on a 2950 can be configured as dot1q trunks? I need to place an intermediary switch in my network to pass trunk data beween 10 other Cisco switches and therefore need to configure 10 ports as trunk ports. Is this possible or would a different switch work better for this purpose?

  Hi Scott,
  There's no limitation on the number of trunk ports you can configure. However, there is a switch-wide limitation of 64 instances of Spanning Tree. In other words, you can only have 64 active VLANs on the switch.
  See:
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swstp.htm#1150172
  HTH,
  Bobby
  *Please rate helpful posts.

• Private VLAN Promiscuous Trunk Port - Switches which support this function

  Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks

  4500x Yes
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
  Nexus 5k Yes
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
  3850s
  They dont support pvs at all yet
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
  Restrictions for VLANs
  The following are restrictions for VLANs:
  The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
  The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
  Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
  Private VLANs are not supported on the switch.
  You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

• Authenticating Trunk Ports - VLAN list

  I have a requirement to authenticate trunk ports to wireless access-points on our Cisco switch, By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using Cisco-av-pair attribute in ACS (cisco-av-pair = deivce-traffic-class=switch)
  My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). ideally we would not want to statically assign the VLAN's on each port as an AP could be on any port and may wish to authenticate other trunk ports using different VLAN's in the future. Below is the configuration used on the ports.
  cisp enable
  interface FastEthernet0/2
   description *** Client Device ***
   switchport access vlan 2
   switchport mode access
   no logging event link-status
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 3
   authentication event server alive action reinitialize
   authentication order mab dot1x webauth
   authentication priority mab dot1x webauth
   authentication port-control auto
   authentication fallback GUEST_FALLBACK
   mab eap
   dot1x pae authenticator
   dot1x timeout tx-period 3
   dot1x timeout supp-timeout 10
   dot1x max-reauth-req 1
   dot1x timeout auth-period 600
   no cdp enable
   spanning-tree portfast
  Any help will be greatly appreciated. 
  Thanks
  John

  Hello
  I would suggest the following:
  >> Arrange for some physical enclosure (locked) or  any other physical security control to ensure authorized access to the device. Any technical work-around or band-aid solution should only be temporary. What is someone just switches of your switches? DOS attack!! This could also be done by mistake, resulting in an unstructred threat.
  >> Enable monitoring for these switches (ICMP,SNMP) so that you are alerted when they are unplugged.
  >> Change the NATIVE VLAN from the default (VLAN 1)
  >> Disable Trunk negotiation (ON mode)
  Regards
  Farrukh

• How to enable remote debugging for a session other than the current one

  Hi all,
  I am trying to figure out how to enable remote debugging for a session other than the one I am currently using.
  More specifically, we have an application that is making database calls to Oracle 11gR2. Something is causing an exception during this invocation. My system is currently not set up to recompile said application, so I can't just add the debug call to the code and recompile. Therefore I would like to be able to log into the database (as sys, if necessary) and invoke dbms_debug_jdwp.connect_tcp on the desired session.
  The docs indicate that I should be able to do so:
  dbms_debug_jdwp.connect_tcp(
  host IN VARCHAR2,
  port IN VARCHAR2,
  session_id IN PLS_INTEGER := NULL,
  session_serial IN PLS_INTEGER := NULL,
  debug_role IN VARCHAR2 := NULL,
  debug_role_pwd IN VARCHAR2 := NULL,
  option_flags IN PLS_INTEGER := 0,
  extensions_cmd_set IN PLS_INTEGER := 128);
  But when I try (even as sys), I get the following:
  exec dbms_debug_jdwp.connect_tcp('1.2.3.4',5678,<session id>,<session serial>);ORA-00022: invalid session ID; access denied
  ORA-06512: at "SYS.DBMS_DEBUG_JDWP", line 68
  ORA-06512: at line 1
  00022. 00000 - "invalid session ID; access denied"
  *Cause:    Either the session specified does not exist or the caller
  does not have the privilege to access it.
  *Action:   Specify a valid session ID that you have privilege to access,
  that is either you own it or you have the CHANGE_USER privilege.
  I've tried granting the 'BECOME USER' privilege for the relevant users, but that didn't help. I read something about having to set some kind of ACL as of 11gR1, but the reference documentation was very confusing.
  Would someone be able to point me in the right direction? Is this even possible, or did I misread the documentation?

  Interesting deduction, that would be very useful indeed. I hate recompiling just to add the debug call, and it can't be done in our production environment. But it seems unlikely to me it would be implemented this way.
  I would cross-post this in the SQL AND PL/SQL forum though, as this is really a database issue, not with the SQL Developer tool. Do add the links to the other posts in each.
  Regards,
  K.

• Can I use straight cable to connect trunk ports between 2 switches?

  Hi,
  Am I able to use straight instead of cross cable to connect trunk ports between 2 switches??
  thanks!

  Hi Devang,
  When a 10/100 Fast Ethernet interface is enabled, one end of the link must perform media dependent interface (MDI) crossover (MDIX), so that the transmitter on one end of the data link is connected to the receiver on the other end of the data link (a crossover cable is typically used).
  The Auto-MDIX feature eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase.
  HTH, if yes please rate the post.
  Ankur