Yesterday I had an issue where IP source guard with MAC address filtering was applied across a range of switches including 3560Gs and 2960Ss. The majority of switches functioned fine, with the applied changes not affecting users. One issue appeared with a pair of 2960S switches which were running in series (one trunked to the next), where users could not obtain IP addresses from the DHCP server.
A different building with the same switches, the same IOS version and the same configuration was functioning correctly (as well as many others, but on different VLANs).
I then took the steps of restoring the previous working configuration and adding in the new configuration one line at a time. The changes that were being made were the implementation of dynamic ARP inspection, port security and IP source guard.
If the command ip verify source was applied, all was well (I checked this by shutting down ports, clearing the ip snooping binding table, adding the command, then activating the ports again and checking if IPs were obtained).
The command ip verify source port-security was causing issues, which I originally thought could have been caused by an option 82 issue, but it was allowed in the configuration and the DHCP server has had no issues with it in the past.
I then decided to upgrade the IOS version from 15.0(1)SE1 to 15.0(2)SE. This surprisingly fixed the issue and all was well with ip source guard once more.
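The three features named above, layered on one switch with both forms of ip verify source side by side, as an added example that is not the author's configuration. VLAN 10 and the interface numbers are assumptions, and the commands are entered from global configuration mode.

```cisco
! Constructed example: VLAN 10 and the interface numbers are placeholders.
! DHCP snooping builds the binding table that dynamic ARP inspection
! and IP source guard both rely on.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion (on by default). Cisco's configuration guide notes
! that with "ip verify source port-security" the DHCP server must support
! option 82, or the client is not assigned an address.
ip dhcp snooping information option
! Dynamic ARP inspection validates ARP packets against the bindings.
ip arp inspection vlan 10
!
! Uplink towards the DHCP server or the next switch: trusted.
interface GigabitEthernet1/0/49
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User port, variant 1: filter on source IP only.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! User port, variant 2: filter on source IP and source MAC.
! Port security must be enabled on the port for the MAC check.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
end
!
! Checks to run after bouncing a port (privileged EXEC mode):
show ip dhcp snooping binding
show ip verify source interface GigabitEthernet1/0/2
show port-security interface GigabitEthernet1/0/2
show ip arp inspection vlan 10
```

A client that has completed DHCP should appear in the binding table and in the show ip verify source output with its IP (and, for variant 2, its MAC) listed as permitted.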
I came across a problem recently: I needed to configure a Cisco switch and all I had was an Ubuntu machine that had a serial port. Since then I've got a Cisco 2511 with an octal cable, which is very handy when configuring many devices, but that is for another post.
I found a program called 'minicom', which is available, as far as I'm aware, in all the main repositories. This post is a brief explanation of how to find your serial port and set up / use minicom.
1. First of all, let's start with finding the computer's serial ports. Make sure you have your device powered on and connected:
dmesg | grep tty
This shows in my example that the physical serial port is at ttyS0, whereas USB-to-serial converters will show as ttyUSB0.
2. Time to open up minicom. I believe the later versions will allow running as an unprivileged user, but this will mean that you cannot save configurations. Better to run as root if you have the option.
3. Checking the options available is very easy: to put minicom into command mode, press control+a, followed by 'z' to show the options. For example, control+a then x will close minicom.
4. Now it is time to set up minicom. As you can see from the help page, you need to use control+a then o (for options). Scroll down to "Serial port setup" and hit enter.
5. From there it is pretty straightforward to follow the prompts to change to your required settings. Typically Cisco networking equipment uses 9600 Bps/Par/Bits, "8-N-1", Yes to Hardware Control Flow and no to Software Control Flow. Also set your serial device to the one you found in the first step.
6. Now save your configuration for quicker access in the future, personally I save it as "Cisco".
7. Now close minicom: control+a then x will prompt you with the option to close the program, or simply scroll to "Exit".
8. If you saved a configuration within minicom, it can be used to open minicom directly into those settings. For example, "minicom cisco".
9. Everything should be ready for using your serial device.
I've had a little struggle getting a Cisco SG 200-08 trunking with several VLANs to a Cisco 3560G switch.
I'll quickly explain what was throwing me off for speed readers, but I will go in depth later on. On the proper Cisco switch the standard dot1q encapsulation and trunk mode need to be used; this is similar to the SG 200-08, where the default 'trunk' port setting needs to be used. The only changes needed on the smart switch are to create the VLANs beforehand and make them members of the trunk port in "Port VLAN Membership". This gave me strife because I am used to 3560s, where all ports are allowed on a trunk by default, whereas they specifically need to be applied on the smart switch's trunk ports.
How to set up a Cisco SG 200-08 with trunking and a non-default management VLAN:
- First off, I would start by giving the SG 200-08 an access port on a VLAN that has DHCP access so the web interface can be accessed for configuration.
- The device should now be accessible through the DHCP address; find this by looking it up on the server or by doing an nmap scan and looking for Cisco equipment.
- Now create the VLANs you need and name them under the "Create VLAN" tab.
- The created VLAN/s now need to be added to the desired trunk port on the smart switch; this is done through "Port VLAN Membership". Simply select the trunk port, edit the details and select the VLAN that is to be allowed on the trunk, tick Membership and then click the arrow to move it into the selected column.
- The VLANs that are needed on the trunk should now be showing on the Port VLAN Membership page.
- Access ports can now be configured, which is straightforward: change the required ports to access ports and define which VLAN is required, which is done through "Interface Settings". This won't actually work until we configure a trunk port on the other switch.
- Depending on your native VLAN settings, you may have to change the management VLAN setting before changing the port on the other switch to a trunk. Just a reminder: make sure the management VLAN is a member of the trunk port. This can be done through the "IPv4 Interface".
- The smart switch might be unreachable if the management VLAN has been changed, therefore we need to enable a trunk port on the other switch to gain access again.
The switch should now be accessed through the IP entered in the management settings and trunking should be working correctly.
Just a note: A port setting called "General" can be used, which I believe will give you more options for Ingress Filtering and allowing tagging on that port, which would give you more options for VLAN compatible devices.
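The 3560G side of the trunk described above, as an added example that is not the author's configuration. The VLAN IDs and names and the port number are assumptions; the allowed-VLAN line is an addition that limits the trunk to the same VLANs that were made members of the SG 200-08 trunk port.

```cisco
! Constructed example for the 3560G side, entered from global
! configuration mode. VLAN IDs, names and the port are placeholders.
! The VLANs have to exist on this switch as well.
vlan 10
 name USERS
vlan 99
 name MGMT
!
interface GigabitEthernet0/1
 description Trunk to SG 200-08
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! A 3560 trunk carries every VLAN by default. Limit it to the VLANs
 ! added under "Port VLAN Membership" on the smart switch, including
 ! the management VLAN (99 here).
 switchport trunk allowed vlan 10,99
end
!
! Confirm the trunk is up and which VLANs are allowed and active on it.
show interfaces GigabitEthernet0/1 trunk
show vlan brief
```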
Recently I have been setting up a new logging system, but have needed to log to a different port than the usual 514 (UDP).
This is relatively easy depending on the version of IOS running. The following command will allow it:
logging host <IP> transport udp port <port number>
Some versions of IOS will not allow the command:
From my experience, 2960S and 3560E series switches running Universal-based IOS seem to allow the command, but 3560G series switches running an IP Base IOS don't allow it.
I'm assuming the command is only available in certain feature set versions of IOS.