Connectivity Issues

netguyz08
Level 1

Just deployed Thunderbolt in my office network today, and suddenly noticed all of the Logmein icons in the System Trays on the servers and PCs had a yellow exclamation point, meaning there is a network error and they can't connect out.

Connected to a client through Logmein and kept getting kicked out during the session. The session would disconnect and I'd have to reconnect. Unplugged the Thunderbolt device only (still have the ESW 520 8 port and Cisco WAP4410N running) and Logmein is solid again. All of the icons on the computers are back to normal, too.


Just so I don't have to hunt for it, yes I'm lazy, where did you find this setting?  We've had no problems on any of our ESW's and I'm wondering why it was 'on' on your ESW and causing problems but we're not having any.

Never mind, I found it, but the help file states things that don't appear to be the defaults as we've changed none of these settings here.  For example, it states "Max Entries — Specifies the number of MAC addresses that can be learned on the port. The Max Entries field is enabled only if Locked is selected in the Interface Status field. In addition, the Limited Dynamic Lock mode is selected. The possible range is 1-128. The default is 1." but our status says "3" as the Max Entries for ports 1-8, port 9 is set to 1.

It also states at the bottom of the help page "Trap Frequency — Displays the amount of time (in seconds) between traps. The default value is 10 seconds." but in the middle of the page it states "Trap Frequency — Displays the amount of time (in seconds) between traps. The default value is 60 seconds."  60 appears to be correct.

I've also done nothing to enable 802.1x authentication as it's not something we find in small businesses regularly, so given we've changed no defaults, any thoughts on why not all of us are seeing the same problems?

Brian,

On the switch go to Security / Traffic Control / Port Security , under there simply edit the ports and uncheck interface lock. This has completely resolved the issue I was having.

John,

I've added the changes you made to our internal ESW, but I'm still concerned why a small biz switch would ship with this setting enabled if it could potentially cause the major disruptions you're seeing.  Marcus, can you ask the ESW folks for an explanation?  I've never deployed a managed switch that would lock out systems by default so I'm wondering what the thought process here is and as this is our first venture with ESW's I'd like to understand more.  In fact, I've deployed Cisco enterprise switches in the past that didn't do this, though it's been many years so the default config may have changed.

Brian et al,


As I mentioned earlier, the Smartport rules for "AP" should have taken care of this setting. Please refer to the answer from the ESW TME:

This is the age old what should be default or not depending on where they are deployed (making this smarter defaults is a bigger task and also involves security concerns)
 
AP issue (Assume this is the complaint) – the default smartport roles on the switches is Cisco IP Phone + desktop which restricts the # of MACs behind the switch port to 3 for port security reasons (which limits the devices behind the AP to 2). However some partners go and connect the AP to these ports without changing the smartport role to AccessPoint on the ESW – if they change the smartports role to AP, no issues are seen. You could argue, why not change the smart port role to match the device based on CDP on the ESW automatically – however it’s a huge security risk as anyone could plug an AP in and be in the network per se.

Marcos,

I did make changes to the CDP settings as originally since it was playing havoc with my phones. I will make some changes to the system again and try with the CDP enabled.

Below is a snip of the ESW functional spec on the various macros:
 
IP-Phone + Desktop macro – Port Configuration (Default):


• Configure as a Trunk mode Port – so that Voice and data can be sent on different VLANs.
• Enable Port Security and Limit to three MAC Addresses - allows up to 3 MAC addresses (for ip-phone + desktop)
• Config Traffic-Shape on the voice queue (only on GE platforms)
• Set the port description to ‘IP-Phone + Desktop’.
• Set Broadcast Storm Control to 10% of the port’s speed.
• Enable PortFast - Allows for quick link recovery.
• Enable BPDU Guard - Protects the network by disabling ports if an unauthorized, Spanning Tree enabled switch is connected to an edge port.
• Config voice-map policy on the port.

Access Point macro – Port Configuration:


• Configure as a Trunk mode Port – so that Voice and data can be sent on different VLANs.
• Set the port description to ‘Access Point’.
• Set Broadcast Storm Control to 10% of the port’s speed.
• Config general-map policy on the port.
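
The MAC limit in the two macro lists above, modelled as an added example that is not part of the original thread or any Cisco code. It assumes that frames from new MACs are discarded once the table is full and that learned entries do not age out; the MAC addresses are constructed sample values.

```python
from dataclasses import dataclass, field

# Port-security part of the two Smartport roles quoted in the thread.
ROLES = {
    "IP Phone + Desktop": {"port_security": True, "max_entries": 3},
    "Access Point": {"port_security": False, "max_entries": None},
}

@dataclass
class Port:
    role: str
    learned: list = field(default_factory=list)  # MACs admitted, in order
    refused: list = field(default_factory=list)  # MACs the lock turned away

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded."""
        mac = src_mac.lower()
        cfg = ROLES[self.role]
        if mac in self.learned:
            return True
        # Assumption: once the table is full, frames from new MACs are
        # discarded and learned entries do not age out.
        if cfg["port_security"] and len(self.learned) >= cfg["max_entries"]:
            if mac not in self.refused:
                self.refused.append(mac)
            return False
        self.learned.append(mac)
        return True

def replay(role: str, frames: list) -> Port:
    """Feed a sequence of source MACs to a fresh port with the given role."""
    port = Port(role)
    for mac in frames:
        port.receive(mac)
    return port

# Constructed sample: an AP and four wireless clients, all seen on one port.
AP = "00:00:5e:00:53:01"
CLIENTS = [f"00:00:5e:00:53:{n:02x}" for n in (0x11, 0x12, 0x13, 0x14)]
FRAMES = [AP, CLIENTS[0], CLIENTS[1], AP, CLIENTS[2], CLIENTS[0], CLIENTS[3]]

if __name__ == "__main__":
    for role in ROLES:
        p = replay(role, FRAMES)
        print(f"{role}: learned={len(p.learned)} refused={p.refused}")
```

With the default role the AP's own MAC takes one of the three entries, so only two wireless clients get through; with the Access Point role nothing is refused.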

Marcos,

I had a chance to turn CDP back on this afternoon and after turning port security back on I was again locked out after the 3rd MAC address on that port. Interestingly enough, I only see the Linksys phone I have on the network and not the switch if I look under the cdp section of the switch, I have tried rebooting the access point and this did not resolve the issue or allow it to show up in the CDP section on the ESW switch. So my guess is the problem stems from CDP not seeing the access point. Let me know if there is anything else I should try / change.

Hi John,


Port security should be OFF if you are connecting an AP to that port.

Thanks,


Marcos

Ok, sorry I misunderstood your previous post then. I thought you said CDP and the macros should take care of that automatically?

Correct. CDP should be on and if you configure the Smartport role to "AP", port security should be disabled. I tested this and it worked for me.

Marcos,

Can you please explain the steps to "configure" the smartport role to "AP". It was my understanding that this was the part that was handled by the CDP (detecting that an AP was plugged into that port therefore configure the port for these settings)?

Do you have any updates for me, I am still unsure how this is supposed to work correctly out of the box.

Hi John,

Sorry for the delay. Here is the switch admin guide. Check out page 35.

Thanks!

Marcos

Thank you for your assistance in clarifying this.

netguyz08
Level 1

Ok, just powered up the Thunderbolt in my office again, and I decided to try resetting the device from scratch. I noticed afterwards that I ended up with Base Firmware Version 13.11. Definitely updated now from 12.314. And the Current Release field is blank for me. However, I get "Awaiting Database Update" for the Firmware Status field for the TBA.

I noticed some devices on my network are cutting out, and some are continuing to work OK since it has been on for the past 15-20 minutes. I noticed my office in the TBP shows up as "offline" in the Customer List, but opening it and going to Status shows 3 green checks. Nevermind, the Customer List finally updated after going back and forth. :)

I will leave my TBA powered on if the engineers want to tweak any settings to see what is happening.