Cisco and HP have also different STP path-costs -.-

Our next problem was, that two connected Cisco Switches auto-negotiat their interconnects as trunk-ports (VLAN 2-4094 tagged). In case that we migrate to our new 5700 HPE comware switch, we needed also to configure each uplink port like this:

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk

we consistent configured this stp configuration on the cisco switches:

spanning-tree mode rapid-pvst
spanning-tree extend system-id

keeping in mind, that we need the same path-cost at Cisco and HP switches, this was our final HP configuration (this switch was also the root-bridge):

stp vlan 1-4094 priority 0
stp mode pvst
stp pathcost-standard dot1d-1998
stp global enable

So “dot1d-1998” brings the path-cost-calculation to the Cisco level :) I hope that I can help some people. Didn’t find any direct solution to my problem online about this.

The post Spanning-Tree between HP Comware and Cisco appeared first on Network Guy.

“Cisco is warning of a new critical zero-day IOS / IOS XE vulnerability that affects more than 300 of its switch models. The company identified this highest level of vulnerability in its product while analyzing “Vault 7” — a roughly 8,761 documents and files leaked by Wikileaks last week, claiming to detail hacking tools and tactics of the Central Intelligence Agency (CIA).”

More here: http://thehackernews.com/2017/03/cisco-network-switch-exploit.html

The post Cisco Telnet hack available :) appeared first on Network Guy.

012844: Aug 22 09:51:45: CDP-EV: Unrecognized type (22) seen in TLV
012845: Aug 22 09:51:45: CDP-EV: Number of addresses <0> in Address Tlv is NOT > 0
012846: Aug 22 09:51:45: CDP-EV: Number of addresses <0> in Mgmt Address Tlv is NOT > 0
012847: Aug 22 09:51:52: CDP-EV: Unrecognized type (22) seen in TLV
012848: Aug 22 09:51:52: CDP-EV: Invalid protocol type (0)
012849: Aug 22 09:51:53: CDP-EV: Unrecognized type (22) seen in TLV
012850: Aug 22 09:51:53: CDP-EV: Invalid protocol type (0)
012851: Aug 22 09:52:49: CDP-EV: Unrecognized type (19) seen in TLV
012852: Aug 22 09:52:49: CDP-EV: Unrecognized type (22) seen in TLV
012853: Aug 22 09:52:49: CDP-EV: Invalid protocol type (0)
012854: Aug 22 09:52:49: %ILPOWER-5-ILPOWER_POWER_DENY: Interface Fa0/11: inline power denied

Normally, the APs are taking 15 or 15.4 watt power but the 2700er series needs at least 16.8 watt to run at “PoE/Full Power”. So it asks via CDP to get more. The old switch (or maybe the old firmware) doesn’t understand the new AP CDP, so the switch denys inline power as a precaution. Deactivating CDP on this specific port also solves the problem, but the AP is running in “PoE/Medium Power” (which is not good; Cyclic Shift Diversity (CSD) disabled, 2 of 4 transmitters disabled, data rates MCS  8-15 disabled), no spatial stream possible, etc.; see here and here).

Maybe a firmware update could solve the problem, we couldn’t test this by now. The customer will use newer switches at the new aimed location.

The post Cisco switch “inline power denied” appeared first on Network Guy.

with Cisco StackWise you can bound several standalone-switches to one core-switch (the backbone will be connected together with Stacking-Cables (0,5, 1 or 3 meters):

You can connect two devices with only one StackWise-Cable but for full bandwith and redundant connection, you need to connect the devices to a ring topology:

Before connecting two devices together, make sure that both devices have the same IOS software installed. The configuration of the StackWise Cluster is done automatically by connecting the stack cable. One switch will be the master within the cluster. The election is done as follow at connect or boot:

1. Specified by user
2. Switch with the highest IOS feature-set (Advanced Enterprise wins against Advanced IP Services)
3. Uptime (longest running Switch wins)
4. MAC Address (Switch with the lowest mac addresses will become master)

I recommend to configure the priority value of each switch so the configuration and the physical structure (top-down, A, B, C, etc.) keeps straight and didn’t confuse the administrator or someone who needs to troubleshoot the infrastructure OR you have differnet switch-models within one cluster. In our example Switch A is running for an hour and we connect another device (same device-model, same IOS software) to the main switch with a stacking cable. The second device “Switch B” will be select as Slave, because we didn’t configure anything and “Switch A” has a longer uptime. You will see that other interfaces are coming up and you can view all devices with this:

CoreSwitch# show switch
                                               Current
Switch#  Role      Mac Address     Priority     State
--------------------------------------------------------
 1       Master    0016.4748.ff12     5         Ready
 2       Slave     0016.9d59.db00     1         Ready

The stack member number is the same as can be seen in the interfaces:

interface GigabitEthernet1/0/1 = 1st Port of  Switch with ID #1
interface GigabitEthernet2/0/1 = 1st Port of Switch with ID #2

You can define the priority of each switch. The higher the priority, the lower the switch stack-member-number. For example, we have three switches named 1,2 and 3 from top to down, 1 is connected with 2, 2 is connected with 3 and 3 is connected with 1 to connect a ring topology. We will configure the priority value with this commands:

switch 1 priority 15
switch 2 priority 14
switch 3 priority 13

in this case switch 2 will keep his stack-member-number 2, regardless at which time the device is rebooting or powered on. This is important because the configuration is shared on all switches within the StackWise Cluster and we don’t want to have similar port configurations on switch-members where the specific devices aren’t connected. Let us see this example:

As you can see we are using two StackWise switches with the same model. The upper switch has ethernet ports defined from 1/0/1 to 1/0/24. The bottom switch has the ports 2/0/1 to 2/0/24. So the stack number defines the first backbone-number in the gigabitEthernet port name. When you didn’t configure the priorit values, the master election will always select the switch with the longest uptime as the master. Let us consider, that the first switch is a master and the second one (top-down) is the slave, if both switches are powered down and you first start the bottom one and after seconds the top one: The bottom switch will become the master node (port-configuration 1/../..) and the top one will be elected to a slave node with ID #2 (port-configuration 2/../..). When both switches are configured as a mirror, you will have no problem, but if the ports are configured different, you will get problems.

You can also stack different models together or can pre-configure a cluster configuration by just adding this line to your configuration:

switch 2 provision ws-c3750x-12s

In this case, the IOS knows that there will be another switch clustered together and the C3750X-12S has twelve ports, so you can see that another twelve ports are coming up to be configured. At the moment you connect a fresh 3750-X-12S Catalyst switch, the device will add himself to the Stack, reboots and the pre-configured ports can be used directly.

To view and verify you stack-healthness you can use this command:

CoreSwitch# show platform stack-manager all

I hope I could explain as much as you need :) feel free to add comments and help me to complete this guide and explainations. I will add a new post for switch virtualization built with HP A5500 switches soon.

The post StackWise configuration with Cisco Catalyst 3750-X Series appeared first on Network Guy.

• Blocking – A port that would cause a switching loop if it were active. No user data is sent or received over a blocking port, but it may go into forwarding mode if the other links in use fail and the spanning tree algorithm determines the port may transition to the forwarding state. BPDU data is still received in blocking state. Prevents the use of looped paths.
• Listening – The switch processes BPDUs and awaits possible new information that would cause it to return to the blocking state. It does not populate the MAC address table and it does not forward frames.
• Learning – While the port does not yet forward frames it does learn source addresses from frames received and adds them to the filtering database (switching database). It populates the MAC Address table, but does not forward frames.
• Forwarding – A port receiving and sending data, normal operation. STP still monitors incoming BPDUs that would indicate it should return to the blocking state to prevent a loop.

So when the desktop pc is starting, the port is coming up and is listening to BPDU packets and learning source addresses from received frames (in STP this longs to 45 seconds). You can see this also that the port LED is shining in an orange color. If the port will be switched to forwarding state (green LED) packets are forwarded (for example broadcast packet for receiving an IP address from a DHCP server). This procedure cost some seconds and the desktop PCs are mostly faster than this, so the client isn’t getting an IP address and can’t boot from a PXE server.

You can solve this problem by activate PortFast globally or on specific ports (which I prefer):

MySwitch(config)# interface range GigabitEthernet1/0/1 -20
MySwitch(config-if-range)# spanning-tree portfast

You will get a warning like this:

%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc… to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast will be configured in 20 interfaces due to the range command
but will only have effect when the interfaces are in a non-trunking mode.

With this action you disable STP on this ports, so you will be able to setup loops in your network which is not a good idea. You can prevent this by configuring the command “spanning-tree bpduguard enable” so the port is also listening for BDPU packets from other STP-switches to prevent loops. If the interface is receiving BDPU packets you will have no loop because the interface state is changing to “err-disable” with warning “%SPANTREE-2-BLOCK_BPDUGUARD”. You can disconnect this port from the other switch and can bring him back to life with “shutdown” and “no shutdown” the specific interface. After activating PortFast on the client ports of my customer, the clients are getting IP addresses fine and can boot via PXE.

To globally activate PortFast on all access mode ports with BPDU guard enable you can configure this:

MySwitch(config)# spanning-tree portfast bpduguard

The post Spanning Tree Protocol and PXE Boot appeared first on Network Guy.