Catalyst 3560 causing switches to freeze?

- J
- justin_ltg
  
  Contact options for registered users
posted
17 years ago

Mon, May 8, 2006 8:21 PM

I have a new 3560, and when I uplink a different switch to either port

48 , the Catalyst starts complaining about:

A security violation has occured. Then it gives the MAC of the offending switch, and states that BDPU has passed and the port is being shut down.

No response from the other switch. the switch stops passing traffice, PC's hooked to that switch lose there DHCP address and cannot renew.

The management IP of this switch is a free IP/Mask with in our network, so I am confused.

I have tried this with 3com switches and Dell switches.

Any idea why I can't pass traffic between the switches?

- M
- Merv
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Mon, May 8, 2006 8:39 PM

Post the complete switch config

- J
- justin_ltg
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Tue, May 9, 2006 12:53 PM

here it is pretty basic

rfg3560#sh run inactivity Building configuration... macro

Current configuration : 16070 bytes spanning-tre !p version 12.2 no service pad-tree bpduguar service timestamps debug uptime ! interface FastEthern service timestamps log uptime switchport mode access no service password-encryptionport-security ! hostname rfg3560 port-security a !n enable secret 5 $1$QL32$YrGAfHdOYW1iXRjC217ka0 switchport port-security violation restrict ! no aaa new-model ip subnet-zeroort port-secur !y !g !g !y no file verify auto spanning-tree mode pvs switchport mode a switchport port-security switchport port-secur switchport port-security aging time 2t port-security aging time 2

switchport port-security violation restrict-security violation restrict switchport port-security aging type inactivitycurity aging type inactivity macro description cisco-desktopro description cisco-desktop spanning-tree portfast spanning-tree por spanning-tree bpduguard enableanning-tree bpduguard enable ! interface FastEthernet0/2! interface FastEthernet switchport mode access switchport mode a switchport port-security switchport port-secur switchport mode access switchport port-security switchport port-security aging time 2 switchport port-security violation restrict switchport port-security aging type inactivity macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable

interface FastEthernet0/3 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/4 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/5 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/6 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/7 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/8 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/9 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/10 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/11 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/12 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/13 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/14 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/15 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/16 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/17 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/18 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/19 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/20 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/21 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/22 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/23 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/24 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/25 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/26 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/27 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/28 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/29 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/30 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/31 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/32 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/33 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/34 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/35 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/36 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/37 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/38 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/39 switchport mode access switchport port-security switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ spanning-tree portfast spanning-tree bpduguard enable @@@@@@@@@@@@@ !@ interface FastEthernet0/40@@@@@@@@@@@@@@@@@@@@@@@@@@ switchport mode access switchport port-security @@@@@@ switchport port-security aging time

2@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ switchport port-security violation restrict

@@@@@@@@@@@ switchport port-security aging type inactivity@@@@@@@@@@@@@@@@@@@@@

macro description cisco-desktop @@@@@@@@@@ spanning-tree portfast@@@@@@@@@@@@@@@@@@@@@@@ spanning-tree bpduguard enable ! interface FastEthernet0/41 @@@@@@@@@@@@@@@ switchport mode access@@@@@@@@@@@@@@@@@@@@@@@ switchport port-security switchport port-security aging time 2

!@ interface FastEthernet0/42@@@@@@@@@@@@@@ switchport mode access switchport port-security@@@@@@@@@@@@@@@@@@@@@@@@@ switchport port-security aging time 2@@@@@@@@@@@@

switchport port-security violation restrict @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ switchport port-security aging type inactivity

macro description cisco-desktop@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ spanning-tree portfast@@@@@@@@@@@@@@@@@@@@@@@ spanning-tree bpduguard enable ! interface FastEthernet0/43 switchport port-security aging time 2 @@@@@@@@@@@@@ switchport port-security violation restrict@@@@@@@@@@@@@@@@@@@@@@

switchport port-security aging type inactivity @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ macro description cisco-desktop@@@@@@@@@@@ spanning-tree portfast spanning-tree bpduguard enablec3560-ipbase-mz.122-25.SEB2/c35 !- interface FastEthernet0/44uncompr switchport mode access switchport port-securitynstalled, entry point: 0x switchport port-security aging time 2 executing...

switchport port-security violation restrict

Use, duplication, switchport port-security aging type inactivity

subject macro description cisco-desktopsu switchport port-security aging time 2 Software clause switchport port-security violation restrict

cisco switchport port-security aging type inactivity 170 West Tasman Drive macro description cisco-desktope, California 95134-1706 spanning-tree portfast

Cisco IOS spanning-tree bpduguard enable-IPBASE-M), Version 12.2(25)SEB ! interface FastEthernet0/46 switchport mode access SE SOFTWARE (f switchport port-securityight (c) 1986-2005 by Cis switchport port-security aging time 2 Compiled Tue 0 switchport port-security violation restrict

switchport port-security aging type inactivityn complete....done Initializing flashfs. macro description cisco-desktop

POST: spanning-tree portfast: Begin spanning-tree bpduguard enableIC register Tests : End, Status !a interface FastEthernet0/48 switchport trunk encapsulation dot1q

switchport mode ! interface GigabitEthernet0/1 CPU MIC PortASIC interface switchport mode accessatus Passed switchport port-security switchport port-security aging time 2s : Begin

switchport port-security violation restricts : End, Status Passed

switchport port-security aging type inactivityower Controller Tests : Begin macro description cisco-desktopnline Power Controller Tests : E spanning-tree portfast spanning-tree bpduguard enable: PortASIC CAM Subsystem Tests !B interface GigabitEthernet0/2 POST: Port switchport mode access : End, Status Passed switchport port-security switchport port-security aging time 2: Begin

spanning-tree portfast spanning-tree bpduguard enable es of memor ! interface GigabitEthernet0/3ID CAT0925N2HU switchport mode accessset from power-on switchport port-securityal Ethernet interface switchport port-security aging time 2t interfaces

switchport port-security violation restrict The password-recovery mechani switchport port-security aging type inactivity

512K bytes of flash-simulated non-vo macro description cisco-desktop spanning-tree portfast Base ethernet MAC A spanning-tree bpduguard enable ! interface GigabitEthernet0/4 assembly numbe switchport port-security aging type inactivity

Motherboard macro description cisco-desktop ! interface Vlan1 ip address 10.0.0.24 255.255.255.0 ! ip default-gateway 10.0.0.1 ip classless ip http server ! ! control-plane ! ! line con 0 line vty 0 4 password Wolv3rin3 login line vty 5 15 password Wolv3rin3 login ! ! end

- J
- justin_ltg
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Tue, May 9, 2006 1:11 PM

okay. this is weird. I threw up a psuedo lab. 1 El cheapo netgear 5 port switch. I plugged my PC into that. Then Plugged an open port into Port 17 of the 3560. Assigned my PC an IP address, and no problems. Connectivity all day.

So I went back to what I was trying to do. Basically I have a 16 port

3com switch in my office, ran back to (2) Catalyst 2950

I plugged the 3Com into port 24 on the 3560 and this is what happens:

rfg3560#

00:22:04: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, cause d by MAC address 020d.56fe.149e on port FastEthernet0/24. 00:22:05: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/24 wi th BPDU Guard enabled. Disabling port. 00:22:05: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state

- M
- Merv
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Tue, May 9, 2006 1:13 PM

When the Cisco switch receives a BPDU from the other switch it disables the port since the BPDU guard feature is enabled.

So any switch port to which you are going to connect another switch must have BPDU guard feature removed first. And it would be a good idea to remove portfast from the same port.

- J
- justin_ltg
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Tue, May 9, 2006 1:44 PM

It says that its disabled globally

rfg3560#show spanning-tree summary totals Switch is in pvst mode Root bridge for: VLAN0001 Extended system ID is enabled Portfast Default is disabled PortFast BPDU Guard Default is disabled Portfast BPDU Filter Default is disabled Loopguard Default is disabled EtherChannel misconfig guard is enabled UplinkFast is disabled BackboneFast is disabled Configured Pathcost method used is short

Name Blocking Listening Learning Forwarding STP Active

---------------------- -------- --------- -------- ----------

----------

1 vlan 0 0 0 1 1 rfg3560#

- M
- Merv
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Tue, May 9, 2006 2:06 PM

You can enable the BPDU guard feature globally or on an interface-by-interface basis.

You have it disabled globally but looks like it is enabled on most interfaces

- J
- justin_ltg
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Tue, May 9, 2006 3:03 PM

Thank you. I was not aware that the global config was independent of the per port config.