Cisco 2960C management connectivity issues

J_Rega
Level 1

I have a network made up of Cisco 9300, 2960G/C/X/XR and a 3560CX. None of the switches are more than 7 hops away from each other and I can generally ping or SSH into any of the switches without a problem. I have been having issues lately with connecting to the 2960Cs (both are on the same VLAN as the computer I am accessing them on, 1 is one hop from the switch I am connected to and the other is 5). In order to connect, I have to SSH into the switch directly attached to the 2960C I want to connect to, ping it from there, and then I can access it from my computer.

I assume I am having a spanning-tree issue and that the mac entries are being flushed and are causing these issues but I do not know how to figure it out. I am running rapid PVST on all switches and each of the trunk ports is configured as follows:

switchport trunk allowed vlan 5,10-20

switchport trunk native vlan 5

switchport mode trunk

switchport nonegotiate

ip arp inspection trust

Any insight would be greatly appreciated!

6 Replies

Reza Sharifi
Hall of Fame

Do you have redundant uplinks on these switches? STP usually blocks secondary connections/uplinks to the same device to prevent loops on the network. Also, do you have the root bridge configured correctly? It may be helpful if you can provide a diagram.

Also, the trunk port config you posted looks correct. Have you tried removing the below command from the trunk ports and test connectivity?

ip arp inspection trust

HTH

Reza,

We do have redundant uplinks on some of the switches. I have checked for inconsistent ports and so far have found none. I need to do some research to see if I have the root bridge configured correctly as I have not modified the configs to change any root bridge settings.

I have removed ip arp inspection trust before and the problem remained.

Rough diagram attached.

Hi,

Thanks for providing the diagram. The only place I see 2 links (potential for loop) between any 2 switches is the connectivity from the 9300 to 2960G. All the other switches are singly connected and you should not see any loop. Is STP blocking one of the links between the 9300 and the 2960G? Also, how many VLANs do you have in this network and what device does the routing between them?

HTH

STP is blocking one of the loops. I have removed the redundant link in the past to see if that was causing the issue but the problem remained.

We have a total of 20 VLANs and use intervlan routing which is performed by the 9300.

Do the switches with this issue have only one IP address configured for management only? Can you post "sh run" from one of them?

HTH

Sorry it took so long to respond; here is an edited sh run (I have been setting "switchport block unicast" on the trunk ports as well, but currently have it removed):

version 15.2
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service unsupported-transceiver
no service dhcp
!
hostname 2960C-8TC-L
!
boot-start-marker
boot-end-marker
!
!
logging userinfo
logging buffered 40960 informational
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
!
username XXXXXXXXX privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXX
aaa new-model
!
!
aaa authentication login default local
!
aaa common-criteria policy PASSWORDS
 min-length 1
 max-length 127
 numeric-count 1
 upper-case 1
 lower-case 1
 special-case 1
 char-changes 1
!
aaa session-id common
system mtu routing 1500
no ip source-route
!
ip dhcp snooping vlan 10-20
ip dhcp snooping
no ip domain-lookup
ip domain-name XXXXXXXXXXXXXXX
login block-for 1800 attempts 3 within 120
login on-failure log
login on-success log
vtp mode off
!
authentication mac-move permit
!
crypto pki trustpoint 1
 XXXXXXXXXXXXXXX
!
crypto pki certificate chain 1
 certificate XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  	quit
 certificate ca XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  	quit
archive
 log config
  logging enable
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast edge default
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 61440
no errdisable detect cause gbic-invalid
!
vlan internal allocation policy ascending
!
vlan 5
 name Trunk
!
vlan 10
 name Unused
!
vlan 11
 name XXXXXXXXXXXXXXX
!
vlan 12
 name XXXXXXXXXXXXXXX
!
vlan 13
 name XXXXXXXXXXXXXXX
!
vlan 14
 name XXXXXXXXXXXXXXX
!
vlan 15
 name XXXXXXXXXXXXXXX
!
vlan 16
 name XXXXXXXXXXXXXXX
!
vlan 17
 name XXXXXXXXXXXXXXX
!
vlan 18
 name XXXXXXXXXXXXXXX
!
vlan 19
 name XXXXXXXXXXXXXXX
!
vlan 20
 name Management
!
interface Loopback1
 no ip address
 no ip route-cache
 downshift disable
!
interface FastEthernet0/1
 description Trunk To 2960G
 switchport trunk allowed vlan 5,11-20
 switchport trunk native vlan 5
 switchport mode trunk
 switchport nonegotiate
 ip arp inspection trust
!
interface FastEthernet0/2
 description XXXXXXXXXXXXXXX
 switchport access vlan 12
 switchport mode access
 switchport block unicast
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky XXXXXXXXXXXXXXX
 switchport port-security
 ip device tracking maximum 1
 no cdp enable
 storm-control broadcast level bps 30m
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip verify source tracking port-security
!
interface FastEthernet0/3
 description XXXXXXXXXXXXXXX
 switchport access vlan 14
 switchport mode access
 switchport block unicast
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 ip device tracking maximum 5
 no cdp enable
 storm-control broadcast level bps 30m
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip verify source tracking port-security
!
interface FastEthernet0/4
 description XXXXXXXXXXXXXXX
 switchport access vlan 11
 switchport mode access
 switchport block unicast
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky XXXXXXXXXXXXXXX
 switchport port-security
 ip device tracking maximum 1
 no cdp enable
 storm-control broadcast level bps 30m
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip verify source tracking port-security
!
interface FastEthernet0/5
 description XXXXXXXXXXXXXXX
 switchport access vlan 14
 switchport mode access
 switchport block unicast
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky XXXXXXXXXXXXXXX
 switchport port-security
 ip device tracking maximum 1
 no cdp enable
 storm-control broadcast level bps 30m
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip verify source tracking port-security
!
interface FastEthernet0/6
 description XXXXXXXXXXXXXXX
 switchport access vlan 11
 switchport mode access
 switchport block unicast
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky XXXXXXXXXXXXXXX
 switchport port-security
 ip device tracking maximum 1
 no cdp enable
 storm-control broadcast level bps 30m
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip verify source tracking port-security
!
interface FastEthernet0/7
 description XXXXXXXXXXXXXXX
 switchport access vlan 11
 switchport mode access
 switchport block unicast
 switchport port-security mac-address sticky
 switchport port-security
 ip device tracking maximum 1
 no cdp enable
 storm-control broadcast level bps 30m
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip verify source tracking port-security
!
interface FastEthernet0/8
 description XXXXXXXXXXXXXXX
 switchport access vlan 11
 switchport mode access
 switchport block unicast
 switchport port-security mac-address sticky
 switchport port-security
 ip device tracking maximum 1
 no cdp enable
 storm-control broadcast level bps 30m
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip verify source tracking port-security
!
interface GigabitEthernet0/1
 description Unused
 switchport access vlan 10
 switchport mode access
 switchport block unicast
 switchport port-security mac-address sticky
 switchport port-security
 ip device tracking maximum 1
 shutdown
 no cdp enable
 storm-control broadcast level bps 30m
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip verify source tracking port-security
!
interface GigabitEthernet0/2
 description Unused
 switchport access vlan 10
 switchport mode access
 switchport block unicast
 switchport port-security mac-address sticky
 switchport port-security
 ip device tracking maximum 1
 shutdown
 no cdp enable
 storm-control broadcast level bps 30m
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip verify source tracking port-security
!
interface Vlan1
 description DEFAULT
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 shutdown
!
interface Vlan5
 description Trunk VLAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
interface Vlan10
 description UNUSED
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 shutdown
!
interface Vlan11
 description XXXXXXXXXXXXXXX
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
interface Vlan12
 description XXXXXXXXXXXXXXX
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
interface Vlan13
 description XXXXXXXXXXXXXXX
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
interface Vlan14
 description XXXXXXXXXXXXXXX
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
interface Vlan20
 description Management VLAN
 ip address X.X.0.101 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
ip default-gateway X.X.1.254
!
no ip ftp passive
ip ftp source-interface Loopback1
ip tcp synwait-time 10
no ip http server
ip http banner
ip http secure-server
ip http secure-ciphersuite aes-256-cbc-sha ecdhe-rsa-aes-256-cbc-sha
ip http tls-version TLSv1.2
ip http secure-trustpoint 1
ip http max-connections 15
ip http timeout-policy idle 1200 life 3000 requests 86400
ip ssh maxstartups 2
ip ssh time-out 60
ip ssh rsa keypair-name XXXXXXXXXXXXXXX
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
!
access-list 22 permit X.X.0.0 0.0.254.255
access-list 22 deny   any log
access-list 23 permit X.X.12.254
access-list 23 deny   any log
access-list 24 deny   any log
!
banner motd 
This is a banner.
!
line con 0
 exec-timeout 10 0
line vty 0 4
 access-class 22 in
 exec-timeout 10 0
 logging synchronous
 transport input ssh
line vty 5 15
 access-class 22 in
 exec-timeout 10 0
 logging synchronous
 transport input ssh
!
ntp authentication-key 1 md5 XXXXXXXXXXXXXXX
ntp trusted-key 1
ntp access-group peer 23
ntp access-group serve-only 24
ntp access-group query-only 24
ntp server X.X.12.254 key 1
end
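An added example, not code from the thread or from Cisco: a small Python audit that parses a running-config in the form quoted above and flags trunk settings that silently drop traffic, namely `switchport block unicast` on a trunk, `ip arp inspection trust` while DAI is not enabled on any VLAN, and a trunk that carries DHCP-snooped VLANs without `ip dhcp snooping trust`. The sample config is constructed, and the finding names and the `allowed vlan` list form it understands (plain `5,11-20`, no `add`/`except`) are assumptions.

```python
import re

# Constructed sample in the style of the running-config quoted above (not the poster's
# own config); the trunk here also carries "switchport block unicast".
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10-20
interface FastEthernet0/1
 switchport trunk allowed vlan 5,11-20
 switchport mode trunk
 switchport block unicast
 ip arp inspection trust
!
interface FastEthernet0/2
 switchport access vlan 12
 switchport mode access
 switchport block unicast
!
"""

def expand_vlans(spec):  # "5,11-20" -> {5, 11, 12, ..., 20}
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):  # {"FastEthernet0/1": ["switchport ...", ...], ...}
    return {m.group(1): [l.strip() for l in m.group(2).splitlines()]
            for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)}

def audit(config):  # (interface, finding) pairs for trunk settings that silently drop traffic
    findings = []
    m = re.search(r"^ip dhcp snooping vlan (\S+)", config, re.M)
    snooped = expand_vlans(m.group(1)) if m else set()
    dai_on = re.search(r"^ip arp inspection vlan ", config, re.M) is not None
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" not in cmds:
            continue  # unicast blocking and port hardening are normal on access ports
        allowed = [c.split()[-1] for c in cmds if c.startswith("switchport trunk allowed vlan ")]
        carried = expand_vlans(allowed[0] if allowed else "1-4094")
        # Blocking unknown unicast on a trunk drops frames to any host whose MAC entry
        # has aged out or been flushed after an STP topology change.
        if "switchport block unicast" in cmds:
            findings.append((name, "block-unicast-on-trunk"))
        if "ip arp inspection trust" in cmds and not dai_on:  # trust is inert without DAI
            findings.append((name, "dai-trust-but-dai-not-enabled"))
        # DHCP snooping drops server replies (OFFER/ACK) that arrive on an untrusted port.
        if carried & snooped and "ip dhcp snooping trust" not in cmds:
            findings.append((name, "snooped-vlans-on-untrusted-trunk"))
    return findings
```

Feed `audit()` the output of `show running-config` saved to a file; each finding names the trunk and the setting to review.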