I have several 1852i's with one acting as the controller. Apparently over the weekend they took an update (the login page says copyright 2019 now) and none of them work. They don't broadcast SSID and the user/password to log into Mobility Express no longer works. I can't ssh into them, or at least the credentials don't work there either. I unplug the 'master' and the next AP shows the login screen but with the same issues. Any ideas? They were working last week. (enclosed photo). Thanks for your time
Thanks for the reply. I don't really understand where to add the default route. I looked at my other site that works (I have enclosed the config of the 3650x below with a core 4500 with a similar setup) and I don't see a default route in the config, but yet I can ping from the switch across other VLANs (see pings at bottom). I don't understand what the difference is and why I can ping everywhere there. Is there some kind of difference between a 2960/Nexus 3548 vs 3650/4500 regarding this? I also don't see anything in the 4500 core regarding a default gateway, I just issued the ip routing command. Any more ideas would be greatly appreciated.

*****

Current configuration : 8737 bytes
!
! Last configuration change at 15:30:05 EST Tue Sep 4 2018
! NVRAM config last updated at 15:30:07 EST Tue Sep 4 2018
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SYSTEM1_24
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$Ahvi$TRARKMpF1UL/WPhoqJVaR0
!
no aaa new-model
clock timezone EST -5 0
switch 1 provision ws-c3650-24ps
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-812598115
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-812598115
 revocation-check none
 rsakeypair TP-self-signed-812598115
!
!
crypto pki certificate chain TP-self-signed-812598115
 certificate self-signed 01
  quit
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
!
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/15
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/1/1
 switchport mode trunk
!
interface GigabitEthernet1/1/2
 switchport mode trunk
!
interface GigabitEthernet1/1/3
 switchport mode trunk
!
interface GigabitEthernet1/1/4
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.0.50 255.255.255.0
!
interface Vlan5
 no ip address
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
 permit tcp any any eq 22
 permit tcp any any eq 465
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq 995
 permit tcp any any eq 1914
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq smtp
 permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
 permit udp any any range 16384 32767
 permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
 permit tcp any any range 2300 2400
 permit udp any any range 2300 2400
 permit tcp any any range 6881 6999
 permit tcp any any range 28800 29100
 permit tcp any any eq 1214
 permit udp any any eq 1214
 permit tcp any any eq 3689
 permit udp any any eq 3689
 permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
 permit tcp any any range 2000 2002
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
 permit tcp any any eq 443
 permit tcp any any eq 1521
 permit udp any any eq 1521
 permit tcp any any eq 1526
 permit udp any any eq 1526
 permit tcp any any eq 1575
 permit udp any any eq 1575
 permit tcp any any eq 1630
 permit udp any any eq 1630
 permit tcp any any eq 1527
 permit tcp any any eq 6200
 permit tcp any any eq 3389
 permit tcp any any eq 5985
 permit tcp any any eq 8080
!
!
!
!
!
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap group default-group
end

SYSTEM1_24#ping 192.168.0.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
SYSTEM1_24#ping 192.168.0.84
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.84, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
SYSTEM1_24#ping 220.127.116.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 18.104.22.168, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/200/1000 ms
SYSTEM1_24#

The show ip route from both sites show this:

Working site:

SYSTEM1_24#sh ip route
removed codes.....
Gateway of last resort is not set
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan1
L        192.168.0.50/32 is directly connected, Vlan1

Current Nonworking Site:

CCTV1-SYS1-48#sh ip route
Gateway of last resort is not set
      192.168.6.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.6.0/24 is directly connected, Vlan1
L        192.168.6.1/32 is directly connected, Vlan1
I have an existing installation with 2 VLANs, a core switch, edge switches, and hosts. I have ip routing enabled on the core / edge switches and all hosts can ping each other and the switches as well as switches ping themselves any which way (4500 and 3650's). Works great.

I have tried the same setup / config with a Nexus 3548x (CORE) and 2960x's (EDGE) like the above setup, but it doesn't work right.

I have 2 VLANs on the CORE. IP ROUTING ENABLED
VLAN 1 192.168.6.254/24
VLAN 5 192.168.5.254/24

Each VLAN is configured on the 2960's as well. Switches are trunked to the 3548X.
Each switch has the VLAN #1 IP at 192.168.6.1/24 and the other switch at 192.168.6.2/24. IP ROUTING is ENABLED.

I have one PC at 192.168.6.201/24 GTWY 192.168.6.254 on one of the 2960's. The Gi1/0/1 port is set up for VLAN 1.
I have one PC at 192.168.5.201/24 GTWY 192.168.5.254 on one of the 2960's. The Gi1/0/1 port is set up for VLAN 5.

The computers CAN ping themselves across both VLANs and switches. The computers can ping the gateways of each of the VLANs.

I ping 192.168.6.1 from computer 6.201/24, I get a reply (local switch)
I ping 192.168.6.2 from computer 6.201/24, I get a reply (remote switch)
I ping 192.168.6.254 from computer 6.201/24, I get a reply (core VLAN1)
I ping 192.168.5.254 from computer 6.201/24, I get a reply (core VLAN5)
I ping 192.168.5.201 from computer 6.201/24, I get a reply (remote PC on the other switch)

The other computer at .5.201/24 can ping the other way. However, it can ping the VLAN1 gateway (6.254) but not the switches on the other side of it, 6.1 and 6.2, for some reason.

Also, if I console into the switch this computer is connected to, I CANNOT ping anything on VLAN5, either .5.201 or the .5.254 on the CORE switch, but can ping (VLAN1) stuff .6.201 and .6.1 and 6.2.

If I console to the CORE I can ping everything, every way.

How can the computers ping correctly but not the switches? This is very confusing and makes no sense. Thanks.
I need to block broadcast traffic on a single port on a 3650 switch. I have set up a test bed in house with 2 computers connected to a 3650. One computer is 192.168.0.1 (port gi1/0/1) and the other 192.168.0.2 (gi1/0/2) with a 255.255.252.0 /22 subnet. I know the broadcast address for this subnet is 192.168.3.255 so I wrote a small vb program on the .2 computer to send (flood) a small bogus UDP packet every 2ms to address 192.168.3.255. I can see the UDP flood at the other computer (.1) via wireshark. I WILL NEED unicast packets on the 192.168.0-3 IP addresses to get through though.
I need to block these broadcasts. I tried to use storm control:
storm-control broadcast level 0
on the gi1/0/1 interface but that seems to do nothing. The broadcast packets get through. I tried several variations of the storm-control settings with no luck. When I do a show storm-control it shows the gi1/0/1 interface but always says 0KB when I am purposely flooding it.
I am trying now to do an ACL for the port (gi1/0/1). I can't seem to get the correct ACL to block these broadcasts. I don't know the correct combo to do this for the 192.168.3.255 /22 packets.
deny 255.0.0.0 0.0.255.255
deny 255.0.0.0 0.0.0.255
deny 192.168.3.255 0.0.0.255
and several other guesses...
Apparently I'm not doing this correctly as the broadcast packets still get through. I think I am applying the ACL to the port correctly because I can add a line to stop ICMP to make sure it is actually working on the individual port. I wish I could get storm control to work but I have no clue what is going on there, but an ACL will be just as good. In the real world I will need to do this on several ports. I can't really change anything else.
Thanks for the help.
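As an added example (not part of the original post), the Python sketch below applies IOS wildcard-mask matching to the three attempted entries above and checks them against the flood's source (192.168.0.2) and destination (192.168.3.255). It assumes the entries were standard ACL lines, which compare the source address only; the function names are illustrative.

```python
import ipaddress

# Values taken from the post: the /22 test network, the flooding host and
# the subnet broadcast address it sends to.
NETWORK = ipaddress.ip_network("192.168.0.0/22")
FLOOD_SRC = "192.168.0.2"
FLOOD_DST = str(NETWORK.broadcast_address)

# The three entries the poster tried, as (address, wildcard) pairs.
ATTEMPTED = [
    ("255.0.0.0", "0.0.255.255"),
    ("255.0.0.0", "0.0.0.255"),
    ("192.168.3.255", "0.0.0.255"),
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: 0 bits must match, 1 bits are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def hits(field_value, entries=ATTEMPTED):
    """Which entries match the given packet field (source or destination)."""
    return [wildcard_match(field_value, b, w) for b, w in entries]


def unicast_collateral(base, wildcard):
    """Usable host addresses in the /22 that the entry would also match."""
    return [str(h) for h in NETWORK.hosts()
            if wildcard_match(str(h), base, wildcard)]


if __name__ == "__main__":
    # Assumption: the entries were standard ACL lines, so they are compared
    # with the packet's source address.
    print("match on source     :", hits(FLOOD_SRC))
    # The same entries compared with the destination address instead.
    print("match on destination:", hits(FLOOD_DST))
    # A /24-wide wildcard on the destination also covers unicast hosts.
    print("hosts caught by 192.168.3.255 0.0.0.255:",
          len(unicast_collateral("192.168.3.255", "0.0.0.255")))
    # An exact (0.0.0.0) wildcard covers only the broadcast address.
    print("hosts caught by 192.168.3.255 0.0.0.0:",
          len(unicast_collateral("192.168.3.255", "0.0.0.0")))
```
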
Summary. We have a network with a 4506E and multiple 3650's, all LAYER 2, and about 400 IP cameras in one VLAN. Everything is multicast. 4506e is the IGMP query node. All switches are showing low/nominal use and cameras can be viewed OK at viewing stations. The camera network is 192.167.0/22 with camera IP's across this flat space.
A Cisco network person comes in and says the setup won't work correctly this way. He says the Class C IP address with the subnet is illegal and won't pass multicast traffic correctly, that the switches will pass the incorrect camera (multicast) stream to the viewing stations. He also says you cannot put more than 254 addresses into one VLAN. He says the IP must be a class B address instead of class C.
Is he correct on each statement on the class B, that class C's cannot be used with supernet and multicast? What's the deal with Class B vs Class C supernet for multicast?
Too many devices in a vlan?
I know this is not the optimal setup, but saying the setup just won't work right as above worries me.
Thanks for your time.
I am trying to determine the overall bandwidth going through the switch (or at least add up the line cards). I have seen where the show platform health command gives this but I don't understand the output. Here is a partial output of what I think contains the data:
                              -------------
%CPU Totals                   394.50  44.75

                        Allocation ceiling      Current allocation
                        ------------------      ------------------
                        kbytes    % in use      kbytes    % in use
Chassis 1 Linecard 1    5120.00   10%           522.47    100%
Chassis 1 Linecard 2    5120.00   49%           2519.16   100%
Chassis 1 Linecard 3    5120.00   49%           2519.16   100%
Chassis 1 Linecard 4    5120.00   68%           3519.37   100%
Chassis 1 Linecard 5    5120.00   0%            0.00      0%
Chassis 1 Linecard 6    5120.00   0%            0.00      0%
TSM objects             ------------------      ------------------

A bunch of objects..

                        ------------------      ------------------
TSM totals              904405.91 0%            2730.67   84%
Does this mean the linecards are at max 100%? Under the current allocation the kbytes entry is low so why is it showing 100%, or is this even the correct place to look?
I have (15) WS-C3650-48PD switches daisy-chained together with the SFP ports and fiber. I have added an additional VLAN (#2) to each switch.
24 ports are assigned to vlan 1 with device IP ranges from 192.168.0.x - 192.168.3.x 255.255.252.0
24 ports are assigned to vlan 2 with device IP ranges from 192.167.0.x - 192.167.3.x 255.255.252.0
I have a computer (IP of 192.168.0.1) plugged into SWITCH #1 into one of the VLAN 1 ports.
I need to manage each switch with telnet (I know, not secure). I have created a new IP address on EACH switch for each VLAN 1, so I have used 15 IP addresses just to manage the switches. Is this correct? It works, I can telnet or http to each switch, but I am confused as to where I need this many addresses for all the switches. I have seen documentation that says a VLAN only needs one IP address.
Maybe I am confusing a management VLAN with a VLAN or VLAN interface.
I just need to manage the switches with telnet / http at this point. Is the multiple address for telnet/ or http the way to go, or can I jump through switch 1 to the others somehow without the need for individual addresses on each switch?
Thanks for your time..
I have isolated several by disconnecting the fiber to make them just a standalone switch. They still have a stack packet error rate above 90% under the WEB GUI dashboard on the STACK PACKET ERROR graph shown on the attachment. I am really confused. These are practically new out of the box. I have had no luck finding out what that actually is or what causes it.
Thanks for any help
No stack at all. These are standalone switches in different locations throughout a building connected by a fiber cable. The Gi1/1/1 and Gi1/1/2 ports are daisy chained to other switches. I have not configured any stacking
I have (24) newly purchased standalone 3560G switches linked by a single fiber trunk in a daisy chain. I have done basic config on the GIB ports to make them trunk ports (switchport mode trunk), and switchport mode access on the other ports. I can ping devices from one end to the other. No special routing or vlan routing.
However, when I web into any of these switches I see a STACK PACKET ERROR: 99% (or up to 101%) all the time. Enclosed image...
What does this mean? I haven't really found out anything on google. Are they all bad? or does something need turning off?
I have 3 3750's in a stack config. I can see Gi1/0/1 - Gi3/0/48 in the console and through the web interface. If I do show vlan it shows VLAN1 and shows included ports on all three switches 1/0/1 - 3/0/48. I try to set up a vlan331 on Switch 1 port 17 - Switch 3 port 48:

config t
int vlan331
interface range Gi1/0/17-3/0/48
OR
interface range Gi1/0/17-Gi3/0/48

-- barks at the 3/0/48. It does let me do a test like interface range Gi1/0/17-18. That works. How can I include the other ports on the other two switches which are stacked into this one VLAN331?
Yes, that solved the problem, BUT Cisco threw me a curveball. I flashed the prior version of the IOS 12.xxx.(37) back on two of the switches, and the problem disappeared. I guess the IOS (55) release is buggy, since it showed the same problem on all five switches. I do not want to be forced to enter authentication for the web gui. I will have to reload the prior version of the IOS. I am hoping this problem will be fixed. Thanks, Kyndall