Switch port problems 2960

Areyouserious
Level 1

Hi all.

Had some very strange issues this evening.

I have a 2960 Switch that only seems to like certain devices being plugged into it.

For example, I tried plugging two different laptops into a few different ports, namely port 4, 5, 6, but no link is established. Link reports that ports are down via console SSH. Both laptops report that the Ethernet is unplugged.

Yet.....if I plug a Cisco phone into these ports, or a WAP, or trunk link, the ports work fine.

One of the laptops was working fine this afternoon, then all of a sudden the switch appeared to reject it, as well as the second laptop that we used to test/troubleshoot it.

Thanks

service password-encryption
!
hostname XXXXXXXXXX
!
boot-start-marker
boot-end-marker
!
!
username XXXXXXX privilege 15 secret 5 XXXXXXXXX
no aaa new-model
system mtu routing 1500
vtp mode off
!
!
ip domain-name XXXXXX
!
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 7
!
vlan internal allocation policy ascending
!
vlan 2-3,5-8
!
!
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 2
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface FastEthernet0/2
 switchport access vlan 6
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface FastEthernet0/3
 switchport access vlan 3
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface FastEthernet0/4
 switchport access vlan 6
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface FastEthernet0/5
 switchport access vlan 6
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface FastEthernet0/6
 switchport access vlan 6
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface FastEthernet0/7
 switchport access vlan 7
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface FastEthernet0/8
 switchport access vlan 8
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface GigabitEthernet0/1
 switchport mode trunk
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface Vlan1
 ip address 10.1.1.78 255.255.255.0
 no ip route-cache
!
interface Vlan7
 no ip address
!
ip default-gateway 10.1.1.5
no ip http server
no ip http secure-server
no cdp run
!
vstack
!
line con 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
!
end


Reza Sharifi
Hall of Fame

Hi,

Can you hard set the speed and duplex for the ports that are not functioning correctly and test again?

HTH

Hello,

also, try and remove:

spanning-tree bpduguard enable
spanning-tree guard root

from the ports, and check if that makes a difference.

Hi,

This problem resolved itself when I arrived at this site to fix the problem.

I'm rather confident it's being hacked.

We have had quite a lot of people playing games on our system, possibly some kid down the road with a long range WiFi antenna.

Another problem is they keep hacking a security CCTV system attached to this switch on vlan 3.

I've tried adding so many security ACLs on the 2811 router connected to it to make sure that the only IP that can remotely access the cameras is from our main site over our site to site vpn. Somehow they keep gaining access to it.

Hello

Try reapplying vlan 6 even when ports 4/5/6 are already assigned to it.
What is the reason spanning-tree is disabled for vlan 7?

Suggest:

conf t
spanning-tree vlan 7
!
vlan 6
 exit
!
interface GigabitEthernet0/1
 no spanning-tree bpduguard enable
 no spanning-tree guard root
!
interface Vlan1
 ip route-cache
!
no interface Vlan7
! only if you're not using this feature:
no vstack

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
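
An added example, not part of any post in this thread: a small Python audit that parses a running-config like the one posted at the top and lists the settings questioned in the replies (spanning tree disabled on a VLAN, BPDU guard and root guard on the trunk uplink, `vstack`, i.e. Smart Install, left enabled). It goes one step beyond the replies by also listing vty ranges that lack `transport input ssh`. The sample config is a constructed excerpt of the posted one, and the names `sections` and `audit` are hypothetical.

```python
import re

# Constructed excerpt of the posted running-config (sub-commands unindented, as in the post).
SAMPLE = """\
no spanning-tree vlan 7
!
interface FastEthernet0/4
spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
switchport mode trunk
spanning-tree bpduguard enable
spanning-tree guard root
!
vstack
!
line vty 0 4
transport input ssh
line vty 5 15
login
"""

def sections(config):
    """Map each 'interface'/'line' header to its sub-commands; globals go under ''."""
    out, cur = {"": []}, ""
    for line in (l.strip() for l in config.splitlines()):
        if line in ("", "!", "end"):
            cur = ""  # a bang ends the current block
        elif re.match(r"(interface|line) ", line):
            cur = line
            out[cur] = []
        else:
            out[cur].append(line)
    return out

def audit(config):
    """Return (scope, finding) pairs for the settings questioned in the thread."""
    found = []
    for scope, cmds in sections(config).items():
        if scope == "":
            found += [("global", c) for c in cmds
                      if c == "vstack" or re.match(r"no spanning-tree vlan \S", c)]
        elif scope.startswith("interface") and "switchport mode trunk" in cmds:
            found += [(scope, c) for c in cmds
                      if c in ("spanning-tree bpduguard enable", "spanning-tree guard root")]
        elif scope.startswith("line vty") and "transport input ssh" not in cmds:
            found.append((scope, "no 'transport input ssh'"))
    return found
```

Calling `audit()` on the text of a saved `show running-config` returns the same kind of list; access ports such as FastEthernet0/4 are not reported, since BPDU guard on an edge port is the intended use.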

Hi Paul,

VLAN7 is assigned to a port that heads to a WAP.

This is the only switch being used as router on a stick, GIG0/1 goes to the router as the trunk link.

I'm confident now that our switch is being hacked. Possibly backwards through our WAP.

This is the version running

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 04-Oct-16 03:37 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Switch1 uptime is 6 hours, 46 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-advipservicesk9-mz.151-4.M12a.bin"
Last reload type: Normal Reload

I had a look on the Cisco firmware downloads and apparently from what I can tell, this is the latest firmware version.

Despite multiple security and CVE releases stating that new versions had been released late this year.

Stojmenovic
Cisco Employee

Could you please share the output of the command show port-security for the interface that you tried to connect your laptop to?

Not sure how to do it for a specific port.....

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192