
Cisco Switch access port receiving Unknown protocol drops and it is Increasing for every 10 seconds

dakshinaeswar1
Level 1

Hi All, we have a set of PLC/SCADA devices that are connected to the Cisco switch. All those ports are configured with the same VLAN, as it has to be. We can ping the switch from a layer 3 perspective, but all these end devices are not able to communicate among themselves. When checking the switch access port details I noticed "unknown protocol drops" are increasing every 10 seconds approximately. I reckon this could be the issue here. Has anyone faced a similar kind of issue, and what methods have been taken to fix it?

 

Below is the output of one of the interfaces, where it shows a constant increase in unknown protocol drops:

GigabitEthernet1/0/16 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 7c21.0ea0.ad90 (bia 7c21.0ea0.ad90)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is on, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:01, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:23:34
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
5 minute input rate 34000 bits/sec, 20 packets/sec
5 minute output rate 148000 bits/sec, 124 packets/sec
24892 packets input, 5083284 bytes, 0 no buffer
Received 3773 broadcasts (3725 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 3725 multicast, 0 pause input
0 input packets with dribble condition detected
177738 packets output, 26083788 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
1178 unknown protocol drops     //Look here//
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

------------------------------------------------------

Next output taken for the same port after 5 seconds approximately:

GigabitEthernet1/0/16 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 7c21.0ea0.ad90 (bia 7c21.0ea0.ad90)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is on, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:01, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:24:51
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
5 minute input rate 34000 bits/sec, 20 packets/sec
5 minute output rate 149000 bits/sec, 124 packets/sec
26286 packets input, 5368447 bytes, 0 no buffer
Received 3981 broadcasts (3931 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 3931 multicast, 0 pause input
0 input packets with dribble condition detected
187731 packets output, 27548620 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
1242 unknown protocol drops   //Look here//
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

 

Checked the port status and all the ports show up and running fine, but noticed this is weird.
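The two snapshots above can be compared mechanically to get the actual drop rate on the port. This is an added example, not part of the original post; the function names are illustrative, and it assumes the "Last clearing" timer is printed in hh:mm:ss form.

```python
import re

# Lines trimmed from the two "show interface" snapshots in the post above.
SNAP_A = """\
Last clearing of "show interface" counters 00:23:34
24892 packets input, 5083284 bytes, 0 no buffer
Received 3773 broadcasts (3725 multicasts)
1178 unknown protocol drops
"""
SNAP_B = """\
Last clearing of "show interface" counters 00:24:51
26286 packets input, 5368447 bytes, 0 no buffer
Received 3981 broadcasts (3931 multicasts)
1242 unknown protocol drops
"""
PATTERNS = {
    "packets_in": r"(\d+) packets input",
    "multicasts": r"\((\d+) multicasts\)",
    "unknown_drops": r"(\d+) unknown protocol drops",
}

def parse_snapshot(text):
    """Return the counters plus seconds elapsed since they were cleared."""
    m = re.search(r"counters (\d+):(\d+):(\d+)", text)
    if not m:  # assumption: hh:mm:ss only; "never" or "1w2d" are rejected
        raise ValueError("no hh:mm:ss 'Last clearing' timestamp found")
    h, mnt, s = map(int, m.groups())
    out = {"since_clear_s": h * 3600 + mnt * 60 + s}
    for name, pat in PATTERNS.items():
        hit = re.search(pat, text)
        if not hit:
            raise ValueError(f"counter missing: {name}")
        out[name] = int(hit.group(1))
    return out

def drop_report(before, after):
    """Counter deltas and drop rate between two snapshots of one port."""
    a, b = parse_snapshot(before), parse_snapshot(after)
    elapsed = b["since_clear_s"] - a["since_clear_s"]
    # A smaller value in the later snapshot means the counters were cleared
    # in between, so a delta would be meaningless.
    if elapsed <= 0 or any(b[k] < a[k] for k in PATTERNS):
        raise ValueError("counters cleared or snapshots out of order")
    d = {k: b[k] - a[k] for k in PATTERNS}
    drops, pkts = d["unknown_drops"], d["packets_in"]
    return {"elapsed_s": elapsed, **d,
            "seconds_per_drop": round(elapsed / drops, 2) if drops else None,
            "drop_share_of_input": round(drops / pkts, 4) if pkts else None}
```

Calling `drop_report(SNAP_A, SNAP_B)` returns the elapsed time between the snapshots, the per-counter deltas, and the drop rate relative to input packets.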

12 Replies

Hello

disable cisco DTP

trunk port  = switchport nonnegotiate

access port - switchport mode access


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

The port is an access port. So I don't think we have to apply no negotiate.
Any thoughts?

Hello 

I usually apply it anyway.

Are they actually in an administrative mode of access?

sh interface xx switchport

 

Also, are these ports running any link aggregation such as LACP or PAgP?

 



Kind Regards
Paul

Hi, I ensured the port is access and switchport mode access is applied. 

Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 610 (610-Aircast-PLC)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Vepa Enabled: false
Appliance trust: none

 

Still no luck. I think, as one of the members in this post mentioned, the Profinet protocol is not supported on the Catalyst switch.

 

Regards

Eashwar

Hello,

 

I am not really sure what protocol these SCADA devices use, but I think only the Cisco Industrial (IE) switches and (IR) routers support SCADA connectivity.

We are using model "C9200-48P". Version is 16.12.1 CAT9K_LITE_IOSXE. The end devices' communication protocol should be Profinet (Profinet over Ethernet). Any idea, if we need to allow this type of protocol in the Cisco switch, what needs to be done?

 

Regards

Eashwar

Hello,

 

I don't think the non-IE switches support Profinet. The link below describes how to enable it on an IE switch, I don't think there is an equivalent on your Catalyst...

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie2000/software/release/15_0_2_ea/configuration/guide/scg-ie2000/swprofinet.html#71392

Hi,

I did see the same post. But I am really not sure how I can enable it for the Catalyst switch.

Regards

Eashwar

Hello,

 

As said before, I don't think that command is available at all on 'standard' Catalyst switches... only on IE switches.

Hello,

 

Did you actually try and configure the ports as trunks?

 

interface GigabitEthernet1/0/16

switchport mode trunk

 

?

Hi, yes, tried that. Still no luck.

Hi @dakshinaeswar1, did you ever figure out the solution? We have the same devices and are facing the same issue. My understanding is that IE can interact with Profinet and participate, which isn't available in non-IE switches, but regular 9300s should be able to just pass that traffic along, no?
