Why is 2960 switch blocking one pc?

I have port security configured on the switch with no STICKY mode. Many computers can connect on that switch and DHCP works well, but a particular win8 laptop gets blocked immediately when I connect to that 2960. I have a second 2960 and the same pc can connect with DHCP no problem.
Jason

Yes, I have the same Port Security setting across the entire switch except the router on a stick line. I have each port with max 5 Mac addresses except cascade line to switch 2.

Similar Messages

  • HT1349 Why doesn't iPhone have a call blocker, I am getting tired of paying for phone scam calls, why doesn't someone make one.  When my contract is up I am going back to the Droid.

    Why doesn't iPhone have a call blocker, I am getting tired of paying for phone scam calls, why doesn't someone make one.  When my contract is up I am going back to the Droid.

    dshargrove wrote:
    Why doesn't iPhone have a call blocker, I am getting tired of paying for phone scam calls, why doesn't someone make one.  When my contract is up I am going back to the Droid.
    For one thing, true call blocking (ie. where the call NEVER actually connects through to your number) can only be done by the service provider at their switches.
    The best a device can do is allow the call to connect, and then use the caller ID information to compare that to a list of allowed and a list of disallowed caller IDs.  That is a feature known as blacklisting, but it is not the same as actually blocking a call completely.
    So as suggested, contact your carrier and ask what they can do for you.

  • Why do I never get an answer to any questions asked on this forum for years now? Why does Firefox Feedback not work? Why does Firefox Suggestion system not work? Why have I switched to Google Chrome (I can answer that last one).

    I keep asking questions about problems and see them posted in the "support" forum and usually with a note about how many other users have this problem. There are never any answers or replies even though some of the number for others with the problem are huge.
    As I say, I have only one answer to many questions, my last one, which is why have I switched to Google Chrome. I know the answer to that one.

    I so agree with what you say and am in exactly the same position - very sad. Was strong supporter of FF but will have to move elsewhere for my browser after many years with FF

  • Aironet 1142 as supplicant to 2960 switch (NEAT/CISP/MAB)

    Hello!
    First, my configuration, (then the problem down below):
    I have an Aironet 1142 with multiple SSIDs [mapped to VLANs] connected to Gi1/0/2 on a 2960 switch in a user-accessible area.  This switch is uplinked to another 2960 switch in a wiring closet, and the Microsoft NPS server is connected to the wiring closet 2960.
    Aironet -- 2960 [user area] --- 2960 [closet] -- NPS RADIUS
    I have the user-area 2960 configured as an authenticator switch for dot1x, and port Gi1/0/2 is authenticating the Aironet via MAB to RADIUS.  RADIUS is sending VSA device-traffic-class=switch to the 2960.  The closet-2960 has no special 802.1x configuration, nor is it an authenticator switch; it just has a manually-configured trunk port to the user-area 2960 [for now; I'm trying to take this one step at a time!].
    The user-area 2960 correctly converts port Gi1/0/1 to a trunk port when the Aironet is authenticated [via MAB].  The Aironet boots up, the port is opened, I can ping the Aironet on the native VLAN, and all is well [so it seems].  The Aironet's dot11Radio is configured for two SSIDs and mapped to VLANs, which are being spanned via STP thru the user-area 2960 and the closet-2960.  STP is correct and verified on all switches.
    I have DHCP snooping configured on the user-area 2960 but only for VLAN 1 [but NOT the wireless user VLANs], the trunk port to the closet 2960 is a trusted port.  Hosts on the wired ports on the user-area 2960 are able to get DHCP IPs.  On the Aironet, "show dot11 associations" shows hosts on the SSIDs are getting DHCP addresses.  Again, I am *NOT* running dhcp snooping on wireless SSID VLANs [I read elsewhere that can cause problems as users roam between Aironets].
    I do have CISP configured on the user-area 2960.  I do not have CISP configured on the closet-2960 [best I can tell, that's not required at this stage, but I could be wrong].
    Despite the alleged documentation, I could not get the Aironet to use a dot1x credentials profile to authenticate to NPS/RADIUS as an 802.1x supplicant, which is why I resorted to MAB for this exercise.  The Aironet simply would not run dot1x [best I could tell].  The documentation and configuration didn't seem complex, so I was quite confused.
    I have upgraded the Aironet to the latest 12.4(25d)JA2 software, and the 2960 is at 12.2(55)SE7 [I saw 12.2(58) has some issues, but I'm willing to be persuaded otherwise, based on sound advice].
    Ok, now the problem:  
    Users on the guest wireless SSID (Vlan 20) say they cannot connect.  Yep, classic.  VLAN 20 is trunked and spanned to all the sufficient places.  The Aironet shows users in the associations list for that SSID with IP addresses from the DHCP server!  DHCP snooping is not configured on that VLAN. 
    I read another support forum post saying CISP and MAB could cause problems with "disappearing" ARP entries.  I appear to have that problem.  However, the user on the Staff wireless (VLAN 10) has full access.  Am I running into a problem with "multi-host" authentication config?  Via tcpdump on my firewall, I see nothing but broadcast and multicast traffic coming from a host on VLAN 20.  What puzzles me is how I do see *SOME* traffic from a VLAN 20 host on this SSID, but no unicast traffic! Argh!
    Since you're going to ask, here is my port config for this AP on the 2960 authenticator switch in the user-area, and the AAA config pieces:
    #sh run br | in ip dhcp          
    ip dhcp snooping vlan 1
    no ip dhcp snooping information option
    ip dhcp snooping database flash:dhcp_snoop.txt
    ip dhcp snooping
    #sh ip dhcp snoop
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    1
    DHCP snooping is operational on following VLANs:
    1
    DHCP snooping is configured on the following L3 Interfaces:
    Insertion of option 82 is disabled
       circuit-id default format: vlan-mod-port
       remote-id: ccd5.3947.7980 (MAC)
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled
    Verification of giaddr field is enabled
    DHCP snooping trust/rate is configured on the following Interfaces:
    Interface                  Trusted    Allow option    Rate limit (pps)
    GigabitEthernet1/0/46      no         no              15       
      Custom circuit-ids:
    GigabitEthernet1/0/48      yes        yes             unlimited
      Custom circuit-ids:
    GigabitEthernet1/0/52      yes        yes             unlimited
      Custom circuit-ids:
    #sh run br | incl aaa auth
    aaa authentication login default local group rad_eap
    aaa authentication dot1x default group radius
    aaa authorization console
    aaa authorization exec default local group rad_eap
    aaa authorization network default group rad_eap local
    #sh run int gi1/0/2
    interface GigabitEthernet1/0/2
    description Wireless Access Points
    switchport mode trunk
    switchport nonegotiate
    srr-queue bandwidth share 1 30 35 5
    srr-queue bandwidth limit 50
    priority-queue out
    authentication host-mode multi-host
    authentication order mab dot1x
    authentication port-control auto
    authentication violation restrict
    mab
    mls qos trust cos
    macro description CISCO_WIRELESS_AP_EVENT
    auto qos trust
    spanning-tree portfast
    #sh int gi1/0/2 sw
    Name: Gi1/0/2
    Switchport: Enabled
    Administrative Mode: trunk
    Operational Mode: trunk
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: dot1q
    Negotiation of Trunking: Off
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk associations: none
    Administrative private-vlan trunk mappings: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none
    #sh auth sess int gi1/0/2
                Interface:  GigabitEthernet1/0/2
              MAC Address:  acf2.c5f2.8e27
               IP Address:  10.100.32.42
                User-Name:  acf2c5f28e27
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A64200B00000CDA41AFBEDF
          Acct Session ID:  0x00000D00
                   Handle:  0xDE000CDA
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    #sh mab int gi1/0/2
    MAB details for GigabitEthernet1/0/2
    Mac-Auth-Bypass           = Enabled
    #sh int trunk
    Port        Mode             Encapsulation  Status        Native vlan
    Gi1/0/1     on               802.1q         trunking      1
    Gi1/0/2     on               802.1q         trunking      1
    Gi1/0/48    on               802.1q         trunking      1
    Gi1/0/52    on               802.1q         trunking      1
    Port        Vlans allowed on trunk
    Gi1/0/1     1-4094
    Gi1/0/2     1-4094
    Gi1/0/48    1-2,10,20
    Gi1/0/52    1-2,10,20
    Port        Vlans allowed and active in management domain
    Gi1/0/1     1-2,10,20
    Gi1/0/2     1-2,10,20
    Gi1/0/48    1-2,10,20
    Gi1/0/52    1-2,10,20
    Port        Vlans in spanning tree forwarding state and not pruned
    Gi1/0/1     1-2,10,20
    Gi1/0/2     1-2,10,20
    Gi1/0/48    2
    Gi1/0/52    1-2,10,20
    Ok, what am I missing??

    The problem lies in the wired Ethernet port on the Aironet.  I did not submit that configuration because I thought it was simple and unrelated.  Here is what I had:
    interface GigabitEthernet0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    The correct configuration should have been:
    interface GigabitEthernet0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    The line "no bridge-group 20 unicast-flooding" should not be applied to the wired port.  That's stupid.   With that erroneous command, the wired port will forward only broadcast and multicast traffic!  Unicast traffic will be dropped.  Oops.
    However, I do not understand why applying this to the radio interfaces has no effect there.  I have yet to find any conclusive detailed answers, either.  Regardless, my original problem is fixed.
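A config check for the misconfiguration the poster identified above, as an added example that is not part of the original thread: it scans an AP configuration for `no bridge-group N unicast-flooding` on wired Ethernet subinterfaces and leaves radio interfaces alone. The function names, the wired-prefix list and the Dot11Radio sample block are assumptions made for this example; the two GigabitEthernet0.20 blocks are copied from the post.

```python
import re

# Interface name prefixes treated as the AP's wired side (assumption).
WIRED_PREFIXES = ("GigabitEthernet", "FastEthernet")


def parse_interfaces(config_text):
    """Split IOS-style config text into {interface_name: [commands]}.

    Indentation is not relied on, because pasted configs (like the one in
    the post) are often flattened. A block ends at the next "interface"
    line or at a "!" separator.
    """
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
            continue
        if not line:
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return blocks


def find_wired_unicast_flooding_disabled(config_text):
    """Return one finding per wired interface that disables unicast flooding."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        if not name.startswith(WIRED_PREFIXES):
            continue  # radio and other interfaces are out of scope here
        vlan = None
        for cmd in cmds:
            m = re.match(r"encapsulation dot1q (\d+)", cmd, re.IGNORECASE)
            if m:
                vlan = int(m.group(1))
        for cmd in cmds:
            m = re.match(r"no bridge-group (\d+) unicast-flooding$", cmd)
            if m:
                findings.append({
                    "interface": name,
                    "vlan": vlan,
                    "bridge_group": int(m.group(1)),
                    "line": cmd,
                })
    return findings


# "Before" config, copied from the post.
BEFORE = """\
interface GigabitEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
"""

# "After" config, copied from the post.
AFTER = """\
interface GigabitEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
"""

# Constructed radio subinterface (not from the post) to show scoping.
RADIO = """\
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
no bridge-group 20 unicast-flooding
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("radio", RADIO)):
        print(label, find_wired_unicast_flooding_disabled(cfg))
```
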

  • Etherchannel between 2960 switches

    Hello All,
    I configured etherchannel between two 2960 switches.
    Both the switches have SVI with subnet 192.168.2.3 and 192.168.2.4
    I have another vlan3 on one of the switch.
    So when I created an etherchannel between two Gig ports and allowed both the VLANs, it gave me an error message:
    Nov  3 12:41:07.332 KSA: %EC-5-CANNOT_BUNDLE2: Gi1/0/19 is not compatible with Gi1/0/20 and will be suspended (vlan mask is different)
    Nov  3 12:41:07.339 KSA: %EC-5-CANNOT_BUNDLE2: Gi1/0/19 is not compatible with Po1 and will be suspended (vlan mask is different)
    Nov  3 12:41:07.339 KSA: %EC-5-CANNOT_BUNDLE2: Gi1/0/19 is not compatible with Po1 and will be suspended (vlan mask is different)
    Nov  3 12:41:07.339 KSA: %EC-5-CANNOT_BUNDLE2: Gi1/0/20 is not compatible with Po1 and will be suspended (vlan m
    May I know why....
    Thanks

    Hello Mudasir
    This will be a problem of allowed VLAN mismatch. All the interfaces that are going to be added to the etherchannel must have the same allowed VLANs on both sides.
    You can check for the allowed vlan on all the interfaces as well as on Port-channel.
    You can see the below forum having the same problem:
    https://supportforums.cisco.com/discussion/9757346/etherchannel-prob
    Regards,
    Mukesh Kumar
    Network Engineer
    Spooster IT Services

  • Connecting 2 3750 Switches in Stack with 2 2960 switches in full Mesh

    Hi Friends,
               I have attached a picture which shows the DC design of one of our customers. As the network engineer I have designed this, so I am responsible for implementing it. I now request you all to kindly guide me on what technical problems I will have to face in achieving this and how I can overcome them. Please be detailed. Waiting for your response.
    Regards
    Amit Kulshrestha

    I have attached a modified diagram, please suggest.
    The major issue I see is that you have not mentioned whether the 2960's are stacked? For the design to work, they need to be stacked because you cannot create port-channels between them and the Core switches unless the 2960's are stacked.
    ==> You are right, surely the 2960 switches need to be in stack form.
    Personally I would look at more powerful switches than the 2960's, something along the lines of the 3750x range or probably now the 3850's.
    ==> This is a constraint of the customer, not our responsibility.
    The second issue I see is that your servers are connected to the WAN switches. Is there a reason for this? Usually they would be connected to the core switches.
    ==> For this, can 1 separate 2960 series switch be used?
    The final point is that you only have single connections from each of your WAN connections which begs the question as to the purpose of having two WAN switches?
    ==> The customer has a 1900 series router, with only two ports: one used for WAN and the other used for LAN.
    The objective of having two switches is to provide redundancy/resiliency. If you have only one connection from each WAN then why do you need two switches as there is no redundancy?
    ==> The customer has agreed to a manual change at the time of failure.

  • CER 7.1 vs 2960S switch

    I have CER ver 7.1.1.10000-5 with the latest patches. I installed this one most recently to support the 2960S switch (ciscocm.cer7_1_1_CSCtj28150.cop.sgn).
    My 2960S switch is running IOS version 12.2(53r)SE. This switch is stacked with two member switches.
    Why is it that my CER console is only showing ports 2/0/1 - 48? I don't see any ports on the first switch.
    Thanks,
    Patrick

    There still should be a management interface on the second switch with SNMP.  Is SNMP configured on the second switch?

  • Can you stack 2960 Switch?

    My question is can I stack two or more 2960 switches, master/slave design and be able to manage them both using the CMS technology or not. I don't quite understand the SFP, Small Form-Factor Pluggable, and the 2960 uplink ports. It appears as though one uplink will be in standby mode, therefore both ports can't be active at the same time. If that is the case it looks as though you can't stack because of only one uplink port being active.

    Hi Washro,
    You cannot stack 2960 switch like you can do 3750 switches but you can still achieve clustering on this switch.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12240se/scg/swclus.htm
    Also both uplink ports can be active at a time if they get connected to some other switches but if 2 get uplink to same switch then STP will block one port.
    HTH
    Ankur
    *Pls rate all helpful posts

  • Why do i get blocked plug in

    Why do I get a blocked plug-in message and how do I fix this?  All videos are black.

    If you can't install or update Flash, follow these instructions.
    If you have installed the latest version of Flash, please take each of the following steps that you haven't already tried. After each step, relaunch Safari and test.
    For a "blocked plug-in" error, see Step 4.
    For a "missing plug-in" error, start with Step 8.
    Back up all data before making any changes.
    Step 1
    You might have to log out or restart the computer before a Flash update takes effect.
    Step 2
    From the Safari menu bar, select
              Safari ▹ Preferences... ▹ Privacy ▹ Remove All Website Data...
    and confirm. Close the window. Then select
               ▹ System Preferences… ▹ Flash Player ▹ Advanced ▹ Delete All...
    In the sheet that opens, check the box marked
              Delete All Site Data and Settings
    then click Delete Data. Close the preference pane.
    Step 3
    If you're only having trouble with YouTube videos, log in to YouTube and load this page. You may see a link with the text "Leave the HTML5 Trial." If so, click that link.
    Step 4
    a. If you get a warning of a "blocked" or "outdated" plug-in, then select the Security tab in the Safari preferences window. In the list of plugins on the left, there should be one—and only one—entry for "Adobe Flash Player," showing the same version number that you installed. Select that entry. On the right there will be a list of websites for which you have specifically allowed Flash, if any. It's normal for the list to be empty. Below that is a menu labeled
              When visiting other websites
    From that menu, select either Allow or Ask.
    b. If you still get the alerts, then go back to the Flash Player preference pane and select the Advanced tab. Click Check Now. Quit and relaunch the browser.
    c. If the alerts still persist, triple-click anywhere in the line below on this page to select it:
    /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources
    Right-click or control-click the highlighted text and select
              Services ▹ Open
    from the contextual menu.* A folder should open. Inside it, there should be a file named "XProtect.meta.plist". If that file is missing and you know why it's missing, restore it from a backup or copy it from another Mac running the same version of OS X. Otherwise, reinstall OS X.
    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
              Go ▹ Go to Folder...
    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
    Step 5
    In the Safari preferences window, select the Advanced tab and uncheck the box marked
              Stop plug-ins to save power
    Step 6
    Open this folder as in Step 4:
    /Library/Internet Plug-Ins
    Delete the following item, or anything with a similar name, if present:
              Flash Player (failing).plugin
    You may be prompted for your login password.
    Step 7
    Re-download and reinstall Flash. Download it from the domain "get.adobe.com". Don't click a link from any other website, including this one, because you can't trust links. They may be an attempt to trick you into installing malware masquerading as Flash. Type the address into the browser window. Never download a Flash update from anywhere else.
    Step 8
    If you get a "missing plug-in" error, select
              Safari ▹ Preferences... ▹ Security
    from the Safari menu bar and check the box marked 
              Allow (or Enable) plug-ins
    Then click the button marked
              Manage Website Settings...
    if present and make sure that the website is not blocked for Flash.
    Step 9
    Select
              Safari ▹ Preferences... ▹ Extensions
    from the Safari menu bar. If any extensions are installed, disable them.

  • Why should I switch from Final Cut X?

    Who am I:
    Hobbyist who has been playing with this stuff since the '80s
    Had Premiere and After Effects in the late '90s/early '00s before switching to a Mac
    Make no money from my work. It is mostly home videos or fun stuff for laughs at the office
    I have CC for photography, switched before Apple killed Aperture. For $10/month it is not bad for Lightroom's power, and Photoshop is overkill for me, though I like the power
    I have had Final Cut for years, and love the CHEAP price of Final Cut Pro X
    Use Motion a fair amount, though no expert
    Now to switch up from the Photo package of CC to one with Premiere and After Effects is 3x the cost, or $240 MORE a year. FCPX is $50, plus Motion $50, add Compressor and you still have a 6-month payoff (and I already own them).
    I agree with many reviews that FCPX is like iMovie pro, but Why would I switch to Premiere Pro?

    kcossabo wrote:
    Why would I switch to Premiere Pro?
    Because:
    Transparency.  Adobe tells you what it can and can't do with various pieces of hardware (think: GPUs) on your machine.  In fact, they list it exactly.  Apple just says stuff like, "Oh, it'll be faster with your GPUs.  Trust us."  They never specifically enumerate the advantages GPU acceleration can provide.
    Traditional NLE Format,  FCPX's interface isn't exactly what you'd call traditional as it pertains to an NLE.  Maybe you can dig it, maybe you can't.  Pr's is traditional and if you've used any other NLE, you can easily figure it out.
    Superb Integration.  Adobe's cross-application integration is ridiculously simple and easy to use.  Want to edit a sound track from Pr in Audition?  Back-click on the track and tell Pr that; Audition gets launched and the track is loaded.  Need some help from AE?  No problem, you can easily move tracks back and forth between AE and Pr.  Apple's apps aren't integrated really, at all.  It's sad, too.
    Better Native Editing Support.  If Adobe says that Pr can edit something natively, it can.  Without transcoding, without copying, without re-wrapping, without anything.  FCPX, on the other hand, attempts to do the same thing.  Some formats (think: AVCHD) that exist in parts will be wrapped into a single MOV container before you can edit them.  This can take a while if the segments are 4GB in size...
    I'm sure there are a few more reasons I can think of.  FCPX isn't a bad NLE per se.  I just happen to like the way Pr (and the other Adobe apps) does things.

  • Trouble uplinking to 2960 switch

    Hello,
    Just installed a new 2960 switch.
    Everything is working except that I am no longer able to uplink a small unmanaged Linksys switch that is left over from the previous configuration.
    I am using x-over cable and have tried adjusting switchport modes.
    If I use a straight through cable, The link goes up and down constantly. If I use a x-over cable, the link stays up but no communications.
    What am I doing wrong?
    -Brian
    www.jaydien.com

    Brian,
    I would guess that the problem you're having is a line speed negotiation problem. Without the specific model numbers of the equipment and the ports being used on the equipment for the uplink, it is just a guess.
    All Linksys switches auto cross over. While this function can be disabled (on most models), it should not be an issue.
    You may be plugging your Linksys into the 10/100/1000 of the 2960 which may be confusing the Linksys terribly if it is only 10/100. Try one of the 10/100 ports on your 2960 or statically set the line speeds on one or both devices, where available.
    Get those model and port numbers and we will look deeper.
    Thanks,
    Chris

  • 2960 switch SNMP packet errors vs Device Manager Errors

    So we use the 2960 switches and monitor the in and out packet errors with SNMP. The numbers are not the same in the device manager as the numbers we get from SNMP. Does anyone know a reason why this would be?

    SSL3.0 is disabled in A5(3.1b) and A5(3.2) A5(3.1b) was released in late November 2014 and A5(3.2) was released in April 2015
    https://software.cisco.com/download/release.html?mdfid=281222179&flowid=151&softwareid=282775307&release=A5(3.1b)&relind=AVAILABLE&rellifecycle=&reltype=latest

  • Why does my Mac block certain websites?

    My Mac blocks Yahoo and Facebook most of the time.  I was told that this is not my router or modem and is a security issue.  Why does it only block specific sites?  I can't seem to find anything in my security settings.

    You're connected on a private and particularly an access-controlled and restricted network, and the administrators of that network have decided that connected users shall not expend available resources and bandwidth with access to various web sites and/or web services. 
    If the network administrators have established the blocks correctly, you'll need to use fairly advanced techniques to bypass the blocks, and attempts to bypass these blocks — whether the bypasses are successful or not — may well be considered grounds for network disconnection and/or disciplinary action by the organization.
    It's common to log these sorts of failures and attempts to bypass, and — given they have control of the switching gear — it can be feasible to uniquely identify the client computer that's making these requests.  If not the specific identity of the client computer system or the credentials used, then the location of the client computer that's attempting the connections.
    Check with your network administrators, and with the site's policies and procedures.

  • How to configure a cisco 2960 switch to support two routers(data and voice), please give me any suggestions

    Hi, I need to configure a 2960 switch at a client site. They already have routers installed on site: one is for data traffic, the other is for voice. I have created two VLANs on the switch for data and voice. Now I can't work out what the default gateway on the switch should be.
    Please give me any suggestions.

    Hi Leo,
                Many thanks for your reply.
             But there are two uplinks going from Gi 0/1 and Gi 0/2. I have configured the switch as below:
    interface GigabitEthernet0/1
    description UPLINK TO Data router
    switchport access vlan 100
     switchport mode access
    interface GigabitEthernet0/2
    description UPLINK TO voice router
    switchport access vlan 100
     switchport mode access
    interface Vlan1
     no ip address
     no ip route-cache
     shutdown
    interface Vlan60
     ip address 192.168.1.253 255.255.255.0
     ip helper address 192.168.1.1
     no ip route-cache
    interface Vlan100
     ip address 172.16.1.253 255.255.255.0
     ip helper address 172.16.1.1
     no ip route-cache
     I have used an IP helper address, but I am getting some connection issues on PCs and IP phones. Please advise: can I manage it with two uplinks with different IP addresses?
    Thanks in advance.

  • How to switch from  one Data base to another data base

    Hi,
    How do I switch from one database to another database if the first database server is in a restoring, blocking, or network-disconnected state?
    Please help out for the same.
    Regards,
    Anilkumar

    Sounds like a problem for forums/support from the DB provider, as this problem is normally solved through some form of HA provided by the DB (or some cluster software, but still not Java) with, normally, a shared (virtual) IP address.
