Daniele Galtelli

Cisco 3650 changing switches, printers are sometimes unreachable

Good morning, I ask for help.
I changed all the switches from 3750 to 3650. After the change I noticed that printers are randomly no longer reachable. I thought it was a problem related to ARP, so I extended the time. This morning, however, the problem came back. On the switch interface I can see it: the MAC address on the dedicated VLAN is there,
the show interface shows me line protocol up/up, but I can't ping it.
Mark Malone
VIP Mentor

So the MAC is there at the layer 2 port where the printer is, yes? Is the ARP complete at the layer 3 switch for that MAC address?

Is everything else on the same switch OK? The printers have the correct subnet mask and gateway set, yes?

If you put a laptop on a printer port as a test, does it work OK?

Did you try a static ARP-to-MAC entry so it can't time out, in case it's a dynamic issue?

We only changed the switches at access level, so the 2 cores (6509) remained the same as before.

In the 2 cores the ARP for that MAC address is there.

I also noticed that even some PCs had a similar problem.
That is, during common usage, the yellow triangle appeared on the network connection, preventing me from browsing, pinging the default gateway, etc., etc.
The only way to get it started was to unplug the network cable.

What firmware is the switch running on?

Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc1).



@Daniele Galtelli wrote:

we only changed the switches at access level,

Do all your access ports have STP portfast enabled?



All access ports have STP portfast and bpduguard enabled, while trunk ports use spanning-tree link type point-to-point.

My printer port configurations are as follows:

switchport access vlan 168
switchport mode access
switchport voice vlan 192
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable

To add to Paul's comment, check STP is not spinning out at layer 2 just in case; this command should show it. If timers are resetting, L2 issues could cause intermittent responses from devices at the access layer if constantly converging. Sounds as if MAC/ARP is all in place, so something else is causing it.

show spanning-tree detail | inc ieee|occurr|from|is exec

Is this happening on all 3650s that went in?

VLAN0168 is executing the ieee compatible Spanning Tree protocol
Number of topology changes 14 last change occurred 2w4d ago
from GigabitEthernet2/1/2

It also happens on the other switches and in a completely random way.

I also tried to set the speed and mode of the duplex, but I didn't get any benefit.

I also attach the port's show interface

GigabitEthernet1/0/19 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is d4e8.8021.c813 (bia d4e8.8021.c813)
Description: "PC e SoftPhone"
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is on, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 58000 bits/sec, 53 packets/sec
165505 packets input, 21076953 bytes, 0 no buffer
Received 20646 broadcasts (431 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 431 multicast, 0 pause input
0 input packets with dribble condition detected
46236676 packets output, 6722600183 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out



I noticed you have port security applied. Are you getting any port security violations?
Have you tried increasing the aging timeout value?


I'll make this attempt, but it's the exact same value in my old switches.

Should I still have logs if a violation happens? I don't have any logs of this kind

OK, so STP is ruled out if the last change was 2 weeks ago. You could also check a port for PS issues: show port-security interface x/x. You should see the violation count increment.

Giallo_5#show port-security interface gi1/0/19
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 8425.1932.8c9f:168
Security Violation Count : 0

Not PS either then. Are there any logs from when this is happening?
How many switches are affected, and do they all have the same image?
If multiple switches are affected here, all running the same IOS and with no clear fix, I would upgrade one to see if it stabilizes.

Also make sure you check the spanning tree and logs on the layer 3 switch too, as if that's having issues the access switches trying to talk to it will as well, but they may not show any symptoms.

I don't see any matching bugs in your release notes for that version, but that doesn't mean it's not a software issue either.
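
Added example, not part of any post in this thread: a Python sketch that runs the two checks used above (age of the last STP topology change, and the port-security violation count) over saved CLI output, so they can be repeated across every 3650 that was swapped in. The sample text is copied from the outputs posted in the thread; the function names, the one-hour window, and the `hh:mm:ss` age format for recent changes are assumptions.

```python
import re

# Sample output copied from the posts in this thread (one VLAN, one port).
STP_SAMPLE = """\
VLAN0168 is executing the ieee compatible Spanning Tree protocol
Number of topology changes 14 last change occurred 2w4d ago
from GigabitEthernet2/1/2
"""
PORTSEC_SAMPLE = """\
Port Security : Enabled
Port Status : Secure-up
Maximum MAC Addresses : 3
Total MAC Addresses : 1
Last Source Address:Vlan : 8425.1932.8c9f:168
Security Violation Count : 0
"""

UNITS = {"y": 31536000, "w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def age_seconds(age):
    """Convert ages such as '2w4d', '1d02h' or (assumed) '00:12:34' to seconds."""
    if ":" in age:
        h, m, s = (int(x) for x in age.split(":"))
        return h * 3600 + m * 60 + s
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([ywdhms])", age))

def stp_changes(text):
    """Return [(vlan, change_count, age_seconds, source_port)], one per VLAN."""
    pat = re.compile(r"(VLAN\d+) is executing.*?topology changes (\d+) last change "
                     r"occurred (\S+) ago\s+from (\S+)", re.S)
    return [(v, int(n), age_seconds(a), p) for v, n, a, p in pat.findall(text)]

def unstable_vlans(text, window=3600):
    """VLANs with at least one topology change newer than `window` seconds."""
    return [v for v, n, age, _ in stp_changes(text) if n > 0 and age < window]

def portsec_findings(text):
    """Flag recorded violations and a full secure-MAC table on one port."""
    kv = {k.strip(): v.strip() for k, v in
          (line.rsplit(" : ", 1) for line in text.splitlines() if " : " in line)}
    out = []
    if int(kv["Security Violation Count"]) > 0:
        out.append("violations recorded")
    if int(kv["Total MAC Addresses"]) >= int(kv["Maximum MAC Addresses"]):
        out.append("secure MAC table full")
    return out

if __name__ == "__main__":
    print(stp_changes(STP_SAMPLE), unstable_vlans(STP_SAMPLE))
    print(portsec_findings(PORTSEC_SAMPLE))
```

On the thread's own output both checks come back clean, which matches the conclusion reached in the replies that neither STP nor port security explains the drops.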