Spanning Tree Review

Why do we need Spanning Tree

  • Good network design provides redundancy in devices and network links.
  • The simplest solution is to add a second link between switches to survive a link failure, or to ensure that every switch connects to at least two other switches in the topology.
  • This causes problems when a switch must forward broadcasts or when unknown unicast flooding occurs.
  • Network broadcasts are forwarded in a continuous loop until the link saturates and the switch is forced to drop packets.
  • The MAC address table also changes ports constantly as the packets loop. The packets keep circulating because there is no time-to-live (TTL) mechanism for Layer 2 forwarding. Switch CPU utilization and memory consumption climb, which can crash the switch.

Common Causes of Layer 2 Loops

  • STP disabled on a switch
  • A misconfigured load balancer that transmits traffic out multiple ports with the same MAC address
  • A misconfigured virtual switch that bridges two physical ports (Virtual switches typically do not participate in STP.)
  • End users using a dumb network switch or hub

How Spanning Tree Works

  • Spanning Tree Protocol (STP) enables switches to become aware of other switches through the advertisement and receipt of bridge protocol data units (BPDUs).
  • STP builds a Layer 2 loop-free topology in an environment by temporarily blocking traffic on redundant ports.
  • STP operates by selecting one switch as the master switch (the root bridge) and running a tree-based algorithm to identify which redundant ports should not forward traffic.

Root bridge: The root bridge is the most important switch in the Layer 2 topology.

Bridge protocol data unit (BPDU): This network packet is used for network switches to identify a hierarchy and notify of changes in the topology.

Two Types of BPDUs:

  • Configuration
  • TCN

Max age: the maximum length of time a bridge port retains its stored BPDU information before discarding it.

  • The default is 20 seconds; it is configured with the command spanning-tree vlan vlan-id max-age maxage. If a switch loses contact with the BPDU's source, it assumes that the BPDU information is still valid for the duration of the Max Age timer.

Hello time: the interval at which a BPDU is advertised out of a port.

  • The default is 2 seconds; it can be configured from 1 to 10 seconds with the command spanning-tree vlan vlan-id hello-time hello-time.

Forward delay: the time a port stays in the listening and learning states.

  • The default is 15 seconds; it can be set from 15 to 30 seconds with the command spanning-tree vlan vlan-id forward-time forward-time.

Election

  • Hello BPDUs are exchanged between all switches at the beginning of the root bridge election process.
  • Each switch initially considers itself the root bridge: it sends its BPDUs with its own bridge ID as the root bridge ID.
  • When a switch receives a BPDU with a lower bridge ID, it "adjusts" its own BPDUs and starts sending them with the received, lower bridge ID; a BPDU carrying a higher bridge ID is simply discarded.
  • That process continues until all switches agree on the root bridge, which is the switch with the lowest bridge ID.
  • If all switches have the same bridge priority, the tiebreaker is the MAC address: the switch with the lowest MAC address becomes the root bridge.
  • The bridge ID is composed of the bridge priority, the System ID Extension (based on the IEEE 802.1t standard) and the MAC address of the switch.

Finding Topology Change Causes

  • Determining why TCNs are occurring involves checking a port to see whether it is connected to a host or to another switch.
  • If it is connected to another switch, connect to that switch and repeat the process of examining the STP details.
  • You might need to examine CDP tables or your network documentation.
  • Execute the show spanning-tree [vlan vlan-id] detail command again on the last switch in the topology to identify the problematic port.

RSTP (802.1W) Port States

  • Discarding: The switch port is enabled, but the port is not forwarding any traffic to ensure that a loop is not created. This state combines the traditional STP states disabled, blocking, and listening.
  • Learning: The switch port modifies the MAC address table with any network traffic it receives. The switch still does not forward any other network traffic besides BPDUs.
  • Forwarding: The switch port forwards all network traffic and updates the MAC address table as expected. This is the final state for a switch port to forward network traffic.

STP Tuning

  • Ideally the root bridge is placed on a core switch, and a secondary root bridge is designated to minimize changes to the overall spanning tree

Root and Secondary Placement

  • spanning-tree vlan vlan-id priority priority: The priority is a value between 0 and 61,440, in increments of 4,096.
  • spanning-tree vlan vlan-id root {primary | secondary} [diameter diameter]: This command executes a script that modifies certain values. The primary keyword sets the priority for the root bridge; the secondary keyword sets it for the backup root.
  • Generally, root switches are placed at Layer 2/Layer 3 boundaries.
  • Minimize the number of hops to the furthest switch in the topology.
  • BEST PRACTICE: set the priority to 0 for the primary root switch and to 4096 for the secondary root switch.
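The election rules above and the primary/secondary priority placement, worked through in code. This is an added example and not code from the original post: it encodes a rapid-PVST bridge ID the way the Election section describes it (priority + System ID Extension in the top 16 bits, MAC address below), elects the root per VLAN by lowest bridge ID, and shows that the page's lab priorities (0 on SW-03, 4096 on SW-04) make SW-03 the root with SW-04 taking over when SW-03 disappears. Switch names, MAC addresses and the helper names are constructed for the example.

```python
# Added example, not from the original post: per-VLAN root bridge election
# using the bridge ID layout the post describes. Priorities must be multiples
# of 4096 (0..61440); the System ID Extension is the VLAN number (802.1t).
import re

PRIORITY_STEP = 4096
PRIORITY_MAX = 61440


def is_valid_priority(priority: int) -> bool:
    """IOS only accepts 0..61440 in steps of 4096 for spanning-tree vlan priority."""
    return 0 <= priority <= PRIORITY_MAX and priority % PRIORITY_STEP == 0


def check_priority(priority: int) -> int:
    if not is_valid_priority(priority):
        raise ValueError(f"priority {priority} must be a multiple of {PRIORITY_STEP} "
                         f"between 0 and {PRIORITY_MAX}")
    return priority


def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted (0011.2233.4455) or colon/dash form; return a 48-bit int."""
    digits = re.sub(r"[.:-]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit bridge ID: (priority + VLAN) in the top 16 bits, MAC in the low 48."""
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan out of range")
    return ((check_priority(priority) + vlan) << 48) | mac_to_int(mac)


def effective_priority(priority: int, vlan: int) -> int:
    """What 'show spanning-tree' prints as the bridge priority: priority + sys-id-ext."""
    return check_priority(priority) + vlan


def elect_root(switches: dict, vlan: int) -> str:
    """switches maps name -> (priority, mac). Lowest bridge ID wins; because the
    MAC occupies the low bits it is automatically the tiebreaker on equal priority."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


# Constructed lab (names from the post's lab, MACs made up): SW-03 is tuned as the
# primary root (priority 0), SW-04 as secondary (4096), the rest stay at 32768.
LAB = {
    "SW-01": (32768, "0000.0c11.0001"),
    "SW-02": (32768, "0000.0c11.0002"),
    "SW-03": (0,     "0000.0c11.0003"),
    "SW-04": (4096,  "0000.0c11.0004"),
}

if __name__ == "__main__":
    for vlan in (1, 10):
        print(f"vlan {vlan}: root is {elect_root(LAB, vlan)}")
    # Secondary root takes over when the primary is gone.
    without_sw03 = {k: v for k, v in LAB.items() if k != "SW-03"}
    print("without SW-03:", elect_root(without_sw03, 10))
    # With every priority left at default, the lowest MAC wins.
    flat = {k: (32768, v[1]) for k, v in LAB.items()}
    print("all default priorities:", elect_root(flat, 10))
```

The last case is the one to watch in a real network: with nobody tuned, the "winner" is whichever switch happens to have the lowest MAC, which is frequently the oldest access switch rather than the core.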

Oh Snap, There’s a Loop!

  • Catalyst switches detect a MAC address flapping between interfaces and report it via syslog.
  • The message lists the MAC address of the host, the VLAN, and the ports between which the MAC address is flapping.
  • These messages should be investigated to ensure that a forwarding loop does not exist.

Root Guard

  • Enabled on a port-by-port basis; it prevents a configured port from becoming a root port.
  • Stops downstream switches from becoming the root bridge; errdisables ports that receive the BPDU.
  • Command spanning-tree guard root. Root guard is placed on designated ports toward other switches that should never become root bridges.

STP Portfast

  • Placed on host ports; suppresses TCNs for those ports.
  • Bypasses the listening and learning states and goes straight to forwarding.
  • Saves time; used on access ports.
  • Beneficial in environments where computers use Dynamic Host Configuration Protocol (DHCP) or Preboot Execution Environment (PXE).
  • Command spanning-tree portfast trunk: used only on a trunk port that faces a single host, for example an ESXi server.
  • Enabled per interface with the command spanning-tree portfast, or globally on all access ports with the command spanning-tree portfast default.

BPDU Guard

  • BPDU guard is a safety mechanism that shuts down portfast ports upon receipt of a BPDU.
  • Ensures that a loop cannot accidentally be created if an unauthorized switch is added to a topology.
  • Enabled globally on all portfast ports with spanning-tree portfast bpduguard default. BPDU guard can be enabled or disabled on a specific interface with the command spanning-tree bpduguard {enable | disable}.
  • BPDU guard is typically configured on all host-facing ports that are enabled with portfast.
  • Use Error Recovery to bring back ports that BPDU guard shut down: errdisable recovery cause bpduguard.
  • The interval at which Error Recovery checks for errdisabled ports is configured with the command errdisable recovery interval time-seconds.
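The MAC-flap messages from the "Oh Snap, There's a Loop!" section and the BPDU guard errdisable/recovery messages from this section are exactly what a detection rule should key on, so here is a small triage script as an added example (not code from the original post). It replays constructed syslog lines in the Cisco message formats SW_MATM-4-MACFLAP_NOTIF, SPANTREE-2-BLOCK_BPDUGUARD, PM-4-ERR_DISABLE and PM-4-ERR_RECOVER, separates a host that keeps flapping between the same two ports (loop signature) from a one-off host move, and works out which ports are still errdisabled after recovery has run. Interface names, MACs, VLANs and timestamps in the sample are made up.

```python
# Added example, not from the original post: triage MAC-flap and BPDU-guard
# syslog messages. SAMPLE_LOG is constructed; the message formats are Cisco's.
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
*Mar 13 19:55:01.123: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56ab.1234 in vlan 10 is flapping between port Gi0/1 and port Gi0/2
*Mar 13 19:55:03.456: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56ab.1234 in vlan 10 is flapping between port Gi0/2 and port Gi0/1
*Mar 13 19:55:05.789: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56ab.1234 in vlan 10 is flapping between port Gi0/1 and port Gi0/2
*Mar 13 19:55:40.000: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56ab.9999 in vlan 20 is flapping between port Gi1/3 and port Gi0/2
*Mar 13 19:56:02.001: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/3 with BPDU Guard enabled. Disabling port.
*Mar 13 19:56:02.005: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/3, putting Gi1/3 in err-disable state
*Mar 13 19:56:32.010: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/3
*Mar 13 19:57:10.000: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/2, putting Gi1/2 in err-disable state
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),")
RECOVER_RE = re.compile(
    r"%PM-4-ERR_RECOVER: Attempting to recover from (?P<cause>\S+) err-disable state on (?P<port>\S+)")


def mac_flaps(log: str) -> dict:
    """{(mac, vlan): Counter of (portA, portB)} so repeated flapping between the
    same two ports stands out from a single host move."""
    flaps = defaultdict(Counter)
    for line in log.splitlines():
        m = FLAP_RE.search(line)
        if m:
            pair = tuple(sorted((m["p1"], m["p2"])))  # direction is irrelevant
            flaps[(m["mac"], int(m["vlan"]))][pair] += 1
    return flaps


def loop_suspects(log: str, threshold: int = 3) -> list:
    """Hosts flapping between the same port pair at least `threshold` times:
    the pattern the post says to investigate for a forwarding loop."""
    out = []
    for (mac, vlan), pairs in mac_flaps(log).items():
        for (p1, p2), n in pairs.items():
            if n >= threshold:
                out.append({"mac": mac, "vlan": vlan, "ports": (p1, p2), "count": n})
    return out


def errdisable_state(log: str) -> dict:
    """Replay errdisable and recovery events in order; ports still down at the
    end map to their cause, ports that errdisable recovery brought back are dropped."""
    down = {}
    for line in log.splitlines():
        m = ERRDISABLE_RE.search(line)
        if m:
            down[m["port"]] = m["cause"]
            continue
        m = RECOVER_RE.search(line)
        if m:
            down.pop(m["port"], None)
    return down


if __name__ == "__main__":
    for s in loop_suspects(SAMPLE_LOG):
        print("loop suspect:", s)
    print("still errdisabled:", errdisable_state(SAMPLE_LOG))
```

Pipe real `show logging` output in place of SAMPLE_LOG to use it as-is; the threshold is the only tunable, and a port that keeps reappearing in errdisable_state after each recovery interval is the port where an unauthorized switch is still plugged in.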

BPDU Filter

  • Blocks BPDUs from being transmitted out of a port.
  • Most network designs do not require BPDU filter; it adds an unnecessary level of complexity and also introduces risk.

UDLD Fiber Trunking

  • Unidirectional Link Detection (UDLD) allows for the bidirectional monitoring of fiber-optic cables.

Lab

SW-01 Configuration

SW-01#sh runn
 Building configuration…
 Current configuration : 3810 bytes
 !
 ! Last configuration change at 19:53:21 UTC Sat Mar 13 2021
 !
 version 15.2
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service compress-config
 !
 hostname SW-01
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 !
 errdisable recovery cause bpduguard
 errdisable recovery interval 30
 !
 spanning-tree mode rapid-pvst
 spanning-tree extend system-id
 !
 vlan internal allocation policy ascending
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/3
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/0
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/1
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/2
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/3
  description ACCESS-WIRED
  switchport access vlan 10
  switchport mode access
  media-type rj45
  negotiation auto
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 !
 !
 !
 !
 control-plane
 !
 line con 0
 line aux 0
 line vty 0 4
 !
 !
 end 

SW-02 Configuration

SW-02#sh runn
 Building configuration…
 Current configuration : 3810 bytes
 !
 ! Last configuration change at 19:53:22 UTC Sat Mar 13 2021
 !
 version 15.2
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service compress-config
 !
 hostname SW-02
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 !
 errdisable recovery cause bpduguard
 errdisable recovery interval 30
 !
 spanning-tree mode rapid-pvst
 spanning-tree extend system-id
 !
 vlan internal allocation policy ascending
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/3
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/0
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/1
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/2
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/3
  description ACCESS-WIRED
  switchport access vlan 10
  switchport mode access
  media-type rj45
  negotiation auto
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 !
 !
 !
 !
 control-plane
!
 line con 0
 line aux 0
 line vty 0 4
 !
 !
 end 
 SW-02#

SW-03 Configuration

SW-03#sh runn
 Building configuration…
 Current configuration : 3443 bytes
 !
 ! Last configuration change at 19:53:38 UTC Sat Mar 13 2021
 !
 version 15.2
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service compress-config
 !
 hostname SW-03
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 !
 !
 spanning-tree mode rapid-pvst
 spanning-tree extend system-id
 spanning-tree vlan 1-4094 priority 0
 !
 vlan internal allocation policy ascending
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
  spanning-tree guard root
 !
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
  spanning-tree guard root
 !
 interface GigabitEthernet0/3
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/0
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/1
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/2
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/3
  media-type rj45
  negotiation auto
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 !
 !
 !
 !
 control-plane
 !
 line con 0
 line aux 0
 line vty 0 4
 !
 !
 end 
 SW-03#

SW-04 Configuration

SW-04#sh runn
 Building configuration…
 Current configuration : 3446 bytes
 !
 ! Last configuration change at 19:53:44 UTC Sat Mar 13 2021
 !
 version 15.2
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service compress-config
 !
 hostname SW-04
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 !
 !
 spanning-tree mode rapid-pvst
 spanning-tree extend system-id
 spanning-tree vlan 1-4094 priority 4096
 !
 vlan internal allocation policy ascending
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
  spanning-tree guard root
 !
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
  spanning-tree guard root
 !
 interface GigabitEthernet0/3
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/0
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/1
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/2
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/3
  media-type rj45
  negotiation auto
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 !
 !
 !
 !
 control-plane
 !
 line con 0
 line aux 0
 line vty 0 4
 !
 !
 end 

VPC Design and Best Practices

What You Say?

In order to understand Virtual Port Channels we must know what a Port-Channel is. A port channel provides a way to aggregate (bond) multiple interfaces together. Traffic is then load balanced across each of the connections.

Port Channel Benefits

  • Redundancy – Should one of the interfaces fail, traffic is sent over the remaining links.
  • Bandwidth – Increase in bandwidth due to bundling multiple interfaces together. Traffic is then load balanced across each of the links within the "bundle".
  • Spanning Tree – Port-Channels are seen as a single switchport by Spanning-Tree protocols.

Though Port-Channels are great, the problem is that all links within the “bundle” must be connected to the same switch.

vPC: Virtual Port Channel

  • vPC (Virtual Port-Channel), also known as multichassis EtherChannel (MEC) is a feature on the Cisco Nexus switches that provides the ability to configure a Port-Channel across multiple switches (i.e. vPC peers).
  • vPC is similar to Virtual Switch System (VSS) on the Catalyst 6500s. However, the key difference between vPC and VSS is that VSS creates a single logical switch. This results in a single control plane for both management and configuration purposes. Whereas with vPC each switch is managed and configured independently.
  • It is important to remember that with vPC both switches are managed independently. This means you will need to create and permit your VLANs on both Nexus switches.

Design Best Practices

  • You should create a separate Layer 2 trunk port-channel between peer switches to transport non-vPC VLAN traffic.
  • Do not use VPC to connect more than two Data Centers. You should use OTV for that.
  • Use multiple line cards for the vPC peer-link. For example, if you choose 6 links for the peer-link, take ports from at least two separate line cards (more is better). If one line card fails, the remaining line cards still carry the peer-link, so the probability of a peer-link-down event is lower.
  • Use a dedicated link for keep-alive. A 1GE port is enough for keep-alive; a port-channel of 2x1G ports is even better. As with the peer-link recommendation, try to take ports from multiple line cards.

Configuration Best Practices

  • Use a dedicated VRF for the keep-alive link, for example OUR-KEEPALIVE-VRF.
  • You must configure the vPC keep-alive link before configuring the peer-link; otherwise the vPC remains down.
  • VLAN Pruning is highly recommended on peer-link. In other words, always configure allowed VLANs list in Peer-link.
  • vPC peer-gateway should be enabled in the vPC domain.
  • vPC ARP Sync should be enabled in the vPC domain.
  • Delay restore should be enabled in the vPC domain, with the timer then set according to the network profile.
  • vPC graceful type-1 check should be enabled in the vPC domain.
  • vPC auto-recovery should be enabled in the vPC domain.
  • Auto-recovery reload-delay should be enabled in the vPC domain.
  • vPC member port configuration must be the same on both vPC peer devices.
  • It is not a must, but it is a good idea to use the same vPC ID as the port-channel ID for ease of configuration, monitoring, and troubleshooting.
  • Active-Active LACP is recommended for member port.
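The configuration checklist above is easy to audit mechanically. The following is an added example (not code from the original post, nor a Cisco tool) that reads an NX-OS style configuration and reports which of the listed vPC domain recommendations are missing: keep-alive in a dedicated VRF, peer-gateway, ARP sync, delay restore, graceful type-1 consistency check, auto-recovery reload-delay, and an explicit allowed-VLAN list on the peer-link. The WEAK and HARDENED configurations are constructed samples; the VRF name, addresses, timers and VLAN list are made up, and the check only covers the settings the list names.

```python
# Added example, not from the original post: lint an NX-OS style config against
# the vPC best-practice checklist. WEAK and HARDENED are constructed samples.
import re

# (finding text, pattern that must match a line inside the 'vpc domain' stanza)
# The keep-alive check deliberately rejects the default and management VRFs,
# since the post asks for a dedicated one.
DOMAIN_CHECKS = [
    ("peer-keepalive in a dedicated VRF",
     re.compile(r"^\s*peer-keepalive .*\bvrf (?!default\b|management\b)\S+")),
    ("peer-gateway",               re.compile(r"^\s*peer-gateway\b")),
    ("ip arp synchronize",         re.compile(r"^\s*ip arp synchronize\b")),
    ("delay restore",              re.compile(r"^\s*delay restore \d+")),
    ("graceful consistency-check", re.compile(r"^\s*graceful consistency-check\b")),
    ("auto-recovery reload-delay", re.compile(r"^\s*auto-recovery reload-delay \d+")),
]


def split_blocks(config: str) -> dict:
    """Group indented lines under their parent stanza ('vpc domain 10',
    'interface port-channel1', ...). Unindented lines become stanza keys."""
    blocks, current = {"": []}, ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = raw.strip()
            blocks.setdefault(current, [])
        else:
            blocks.setdefault(current, []).append(raw)
    return blocks


def lint_vpc(config: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    blocks = split_blocks(config)
    findings = []
    domains = [k for k in blocks if k.startswith("vpc domain ")]
    if not domains:
        return ["no 'vpc domain' stanza found"]
    for dom in domains:
        for name, rx in DOMAIN_CHECKS:
            if not any(rx.search(ln) for ln in blocks[dom]):
                findings.append(f"{dom}: missing {name}")
    # The peer-link port-channel must carry an explicit allowed-VLAN list (pruning).
    for stanza, body in blocks.items():
        if stanza.startswith("interface port-channel") and any(
                re.match(r"^\s*vpc peer-link\b", ln) for ln in body):
            if not any(re.match(r"^\s*switchport trunk allowed vlan \S+", ln) for ln in body):
                findings.append(f"{stanza}: peer-link has no 'switchport trunk allowed vlan' list")
    return findings


WEAK = """\
vpc domain 10
  peer-keepalive destination 192.0.2.2 source 192.0.2.1
  peer-gateway
interface port-channel1
  switchport mode trunk
  vpc peer-link
"""

HARDENED = """\
vrf context OUR-KEEPALIVE-VRF
vpc domain 10
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf OUR-KEEPALIVE-VRF
  peer-gateway
  ip arp synchronize
  delay restore 150
  graceful consistency-check
  auto-recovery reload-delay 240
interface port-channel1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  vpc peer-link
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_vpc(cfg) or ["ok"])
```

Run it over the `show running-config vpc` and peer-link port-channel sections of both peers; because each Nexus is managed independently, a finding on one peer only is itself worth flagging.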

Cisco Catalyst 9200 Switch Stacking

Things to know:

  • A switch stack can have up to eight stacking-capable switches connected through their StackWise ports.
  • Only homogeneous stacking is supported: Catalyst 9200 switches will only allow other 9200s as stack members.
  • Switch members can't have different licenses.

Overview

  • Up to eight stacking-capable switches connected through their StackWise ports.
  • The stack is seen as one device across Layers 2 and 3.
  • The active switch controls the operation and management of the entire stack.
  • The active switch contains the saved and running configuration files for the switch stack. The configuration files include the system-level settings for the switch stack and the interface-level settings for each stack member. Each stack member keeps a current copy of these files for backup purposes.

Mac Address and Bridge ID (Layer 2)

  • Configure MAC persistency so that the stack MAC address never changes to a different MAC address; this avoids LACP and PAgP flaps and inconsistencies.
  • If the active switch changes, the MAC address of the new active switch determines the new bridge ID and router MAC address.
  • If the entire switch stack reloads, the switch stack uses the MAC address of the active switch.

Upgrading Software

  • The auto-upgrade and auto-advise features enable a switch whose software packages are incompatible with the switch stack to be upgraded to a compatible software version so that it can join the switch stack.

Priority

  • The switch with the higher priority becomes the stack master. The priority values can be seen with the show switch command and set with switch number priority value. If switch 1 has priority 15 and switch 2 has priority 10, then switch 1 is elected the master.

Adding a new member

  1. Power off the new switch.
  2. Connect the new switch to the stack using the StackWise cables.
  3. Power on the new switch.

Failure

  • If the stack master is removed or powered off, the standby switch becomes the new active switch. All other stack members remain members and do not reboot.
  • If two devices become stack master, one stack will have members and the other stack master will show as a standalone device. Use the mode button and port LEDs on the device to identify which device is the master and which devices belong to that stack.

Troubleshooting: C9200L-48P-4X Fuji code Locked Up

  • A C9200L had locked up. All switchports were dead (no light) and the fiber modules were lit a solid amber. All ports had hosts on the other end that were still alive and sending electrical signal to their ports. I attempted to power cycle by pulling the power cables and reseating the redundant power supplies. After two attempts the switch was still locked up, with the fans staying on high after POST should have cleared.

Troubleshooting Information

  • Do any lights at all illuminate? I see the switchports don’t, but is any activity seen on the front panel?
    SFP ports stayed solid amber; switchports none lit, no activity when reseating connections
  • Do the PSUs appear to power on?
    Yes both PSUs appear to power on, switch fans kick on during POST and stay on full speed
  • Has the device ever powered on?
    Yes device was pulled from production
  • What version of code was running (if known/applicable)?
    Fuji – 16.9.4

While attempting to swap the 9200L with a loaner switch I ran into the following warning messages. NOTE: The fiber and SFP modules were being reseated into different members of the stack until the RMA could come in.

No Big Deal

  • I had never run into the Duplicate GBIC error before. While attempting to do some research on this I ran into bug reports of this occurring on 3850s.

Solution/Work Around

  • Remove the old switch member
  • no errdisable detect cause gbic-invalid
  • reseat connections
  • admin shut/no shut the module ports.

  • I figured that removing the stack member and reseating the connections would be enough, but for some reason the ports were still errdisabled.
  • I had to shut/no shut the ports twice after reseating each connection. Once I did this, the ports moved out of errdisable.
 SWITCH-NAME(config)#
 *Feb 24 15:00:25.568: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
 SWITCH-NAME(config)#
 *Feb 24 15:00:54.982: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2
 SWITCH-NAME(config)#
 *Feb 24 15:02:52.913: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/3 removed
 SWITCH-NAME(config)#
 *Feb 24 15:04:47.672: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3
 SWITCH-NAME(config)#Warning: [1 51] is dup of [3 50]
 SWITCH-NAME(config)#end
 SWITCH-NAME#sh logg
 Syslog logging: enabled (0 messages dropped, 7 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
 No Active Message Discriminator.
 No Inactive Message Discriminator.
 Console logging: level emergencies, 0 messages logged, xml disabled,
                  filtering disabled
 Monitor logging: level debugging, 173 messages logged, xml disabled,
                  filtering disabled
     Logging to: vty2(7)
 Buffer logging:  level debugging, 46694 messages logged, xml disabled,
                 filtering disabled
 Exception Logging: size (4096 bytes)
 Count and timestamp logging messages: disabled
 File logging: disabled
 Persistent logging: disabled
 No active filter modules.
 Trap logging: level informational, 46254 message lines logged
     Logging Source-Interface:       VRF Name:
 Log Buffer (4096 bytes):
  port Gi1/0/26 and port Gi1/0/25
 *Feb 24 14:25:45.184: %SYS-6-LOGOUT: User pete has exited tty session 2(10.10.16.40)
 *Feb 24 14:46:24.069: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/1/2Warning: [2 50] is dup of [3 52]
 *Feb 24 14:46:24.069: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te2/1/2, putting Te2/1/2 in err-disable state
 *Feb 24 14:46:49.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:46:50.168: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:46:58.360: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
 SWITCH-NAME#ter le 0
 SWITCH-NAME#sh logg
 *Feb 24 14:51:02.833: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
 *Feb 24 14:51:48.227: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
 *Feb 24 14:51:48.227: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/2, putting Te1/1/2 in err-disable state
 *Feb 24 14:52:18.181: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
 *Feb 24 14:52:38.420: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
 *Feb 24 14:53:07.578: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3Warning: [1 51] is dup of [3 50]
 *Feb 24 14:53:07.578: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/3, putting Te1/1/3 in err-disable state
 SWITCH-NAME#conf t
 Enter configuration commands, one per line.  End with CNTL/Z.
 SWITCH-NAME(config)#no errdisable detect cause gbic-invalid
 SWITCH-NAME(config)#exi
 SWITCH-NAME#
 *Feb 24 15:12:05.166: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te2/1/2 removed
 SWITCH-NAME#
 *Feb 24 15:12:32.313: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/1/2
 SWITCH-NAME#Warning: [2 50] is dup of [3 52]
 SWITCH-NAME#sh logg
 *Feb 24 14:46:24.069: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/1/2Warning: [2 50] is dup of [3 52]
 *Feb 24 14:46:24.069: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te2/1/2, putting Te2/1/2 in err-disable state
 *Feb 24 14:46:49.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:46:50.168: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:46:58.360: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
 *Feb 24 14:46:58.360: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/1, putting Te1/1/1 in err-disable state
 *Feb 24 14:47:00.408: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:47:02.420: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:50:28.930: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:50:29.942: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:50:32.982: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:50:35.463: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:50:38.714: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:50:39.922: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/1 removed
 *Feb 24 14:50:40.721: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:50:52.774: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:50:53.788: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:50:56.717: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:50:58.729: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:51:02.833: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
 *Feb 24 14:51:48.227: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
 *Feb 24 14:51:48.227: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/2, putting Te1/1/2 in err-disable state
 *Feb 24 14:52:18.181: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
 *Feb 24 14:52:38.420: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
 *Feb 24 14:53:07.578: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3Warning: [1 51] is dup of [3 50]
 *Feb 24 14:53:07.578: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/3, putting Te1/1/3 in err-disable state
 *Feb 24 14:56:02.489: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: pete] [Source: 192.168.1.5] [localport: 23] at 14:56:02 UTC Wed Feb 24 2021
 *Feb 24 15:00:25.568: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
 *Feb 24 15:00:54.982: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2
 *Feb 24 15:02:52.913: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/3 removed
 *Feb 24 15:04:47.672: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3Warning: [1 51] is dup of [3 50]
 *Feb 24 15:06:07.071: %SYS-5-CONFIG_I: Configured from console by pete on vty0 (192.168.1.5)
 *Feb 24 15:11:22.731: %SYS-5-CONFIG_I: Configured from console by pete on vty0 (192.168.1.5)
 *Feb 24 15:12:05.166: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te2/1/2 removed
 *Feb 24 15:12:32.313: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/1/2Warning: [2 50] is dup of [3 52]
 SWITCH-NAME#
 *Feb 24 15:14:09.249: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
 SWITCH-NAME#
 *Feb 24 15:14:16.391: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2
 SWITCH-NAME#Warning: [1 50] is dup of [3 51]
 SWITCH-NAME#show sw
 SWITCH-NAME#show switch
 Switch/Stack Mac Address : 10b3.d582.9880 - Local Mac Address
 Mac persistency wait time: Indefinite
                                              H/W   Current
 Switch#   Role    Mac Address     Priority Version  State
 1       Standby  4c71.0d81.xxxx     1      V01     Ready
  2       Member   7c21.0e62.xxxx     1      V01     Ready
  3       Member   0000.0000.xxxx     0      V01     Removed
 *4       Active   10b3.d582.xxxx     1      V01     Ready
 SWITCH-NAME#conf t
 Enter configuration commands, one per line.  End with CNTL/Z.
 SWITCH-NAME(config)#no switch 3 provision
 SWITCH-NAME(config)#
 *Feb 24 15:19:14.899: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/1 removed
 SWITCH-NAME(config)#
 *Feb 24 15:19:24.716: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1
 SWITCH-NAME(config)#Warning: [1 49] is dup of [3 49]
 SWITCH-NAME(config)#int ra te 1/1/1 - 2
 SWITCH-NAME(config-if-range)#no shut
 SWITCH-NAME(config-if-range)#do sh logg
 Syslog logging: enabled (0 messages dropped, 7 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
 No Active Message Discriminator.
 No Inactive Message Discriminator.
 Console logging: level emergencies, 0 messages logged, xml disabled,
                  filtering disabled
 Monitor logging: level debugging, 183 messages logged, xml disabled,
                  filtering disabled
     Logging to: vty2(17)
 Buffer logging:  level debugging, 46704 messages logged, xml disabled,
                 filtering disabled
 Exception Logging: size (4096 bytes)
 Count and timestamp logging messages: disabled
 File logging: disabled
 Persistent logging: disabled
 No active filter modules.
 Trap logging: level informational, 46261 message lines logged
     Logging Source-Interface:       VRF Name:
 Log Buffer (4096 bytes):
 PDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:46:50.168: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:46:58.360: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
 *Feb 24 14:46:58.360: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/1, putting Te1/1/1 in err-disable state
 *Feb 24 14:47:00.408: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:47:02.420: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:50:28.930: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:50:29.942: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:50:32.982: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:50:35.463: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:50:38.714: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:50:39.922: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/1 removed
 *Feb 24 14:50:40.721: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:50:52.774: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:50:53.788: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
 *Feb 24 14:50:56.717: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:50:58.729: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to up
 *Feb 24 14:51:02.833: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
 *Feb 24 14:51:48.227: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
 *Feb 24 14:51:48.227: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/2, putting Te1/1/2 in err-disable state
 *Feb 24 14:52:18.181: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
 *Feb 24 14:52:38.420: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
 *Feb 24 14:53:07.578: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3Warning: [1 51] is dup of [3 50]
 *Feb 24 14:53:07.578: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/3, putting Te1/1/3 in err-disable state
 *Feb 24 14:56:02.489: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: pete] [Source: 192.168.1.5] [localport: 23] at 14:56:02 UTC Wed Feb 24 2021
 *Feb 24 15:00:25.568: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
 *Feb 24 15:00:54.982: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2
 *Feb 24 15:02:52.913: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/3 removed
 *Feb 24 15:04:47.672: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3Warning: [1 51] is dup of [3 50]
 *Feb 24 15:06:07.071: %SYS-5-CONFIG_I: Configured from console by pete on vty0 (192.168.1.5)
 *Feb 24 15:11:22.731: %SYS-5-CONFIG_I: Configured from console by pete on vty0 (192.168.1.5)
 *Feb 24 15:12:05.166: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te2/1/2 removed
 *Feb 24 15:12:32.313: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/1/2Warning: [2 50] is dup of [3 52]
 *Feb 24 15:14:09.249: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
 *Feb 24 15:14:16.391: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
 *Feb 24 15:19:14.899: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/1 removed
 *Feb 24 15:19:24.716: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
 SWITCH-NAME(config-if-range)#do sh clock
 *15:33:51.262 UTC Wed Feb 24 2021
 SWITCH-NAME(config-if-range)#shut
 SWITCH-NAME(config-if-range)#no shut
 SWITCH-NAME(config-if-range)#
 *Feb 24 15:34:28.246: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/1, changed state to up
 *Feb 24 15:34:28.259: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/2, changed state to up
 SWITCH-NAME(config-if-range)#
 *Feb 24 15:34:31.578: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1/1, changed state to up
 *Feb 24 15:34:31.757: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1/2, changed state to up
 SWITCH-NAME(config-if-range)#exi
 SWITCH-NAME(config)#int te 2/1/2
 SWITCH-NAME(config-if)#shut
 SWITCH-NAME(config-if)#no shut
 SWITCH-NAME(config-if)#
 *Feb 24 15:34:54.208: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/1/2, changed state to up
 SWITCH-NAME(config-if)#
 *Feb 24 15:34:57.425: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/1/2, changed state to up
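The session above shows the pattern worth recognising in a log review: every SFP insertion on Te1/1/1, Te1/1/2, Te1/1/3 and Te2/1/2 carries a glued-on "is dup of [3 x]" warning, the ports go err-disabled with cause gbic-invalid, `show switch` lists stack member 3 as Removed, and the links only come up after `no switch 3 provision` and a shut/no shut. The script below is an added example (not code from the page or from Cisco) that parses IOS syslog lines into events, lists err-disable causes per interface, and flags duplicate-port warnings that reference a stack member the operator has marked as removed. The sample log is constructed from lines copied out of the session above; the set of removed members is passed in by hand from the `show switch` output.

```python
"""Triage an IOS syslog buffer: err-disabled ports and SFP insertions reported
as duplicates of ports on a stack member that 'show switch' lists as Removed.
Added example; not code from the page or from Cisco."""
import re

# Constructed sample: syslog lines copied from the console session above.
SAMPLE_LOG = """\
*Feb 24 14:46:58.360: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
*Feb 24 14:46:58.360: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/1, putting Te1/1/1 in err-disable state
*Feb 24 14:47:00.408: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:51:48.227: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
*Feb 24 14:51:48.227: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/2, putting Te1/1/2 in err-disable state
*Feb 24 14:53:07.578: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3Warning: [1 51] is dup of [3 50]
*Feb 24 14:53:07.578: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/3, putting Te1/1/3 in err-disable state
*Feb 24 15:00:54.982: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2
*Feb 24 15:12:32.313: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/1/2Warning: [2 50] is dup of [3 52]
"""

# '*Feb 24 14:46:58.360: %PM-4-ERR_DISABLE: text' -> timestamp, facility, severity, mnemonic, message
SYSLOG_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
ERRDISABLE_RE = re.compile(r"(?P<cause>\S+) error detected on (?P<intf>\S+), putting")
# The 'Warning: [sw port] is dup of [sw port]' text is glued straight onto the interface name.
INSERT_RE = re.compile(
    r"interface name (?P<intf>\S+?)"
    r"(?:Warning: \[(?P<sw>\d+) (?P<port>\d+)\] is dup of \[(?P<dup_sw>\d+) (?P<dup_port>\d+)\])?$")


def parse_log(text):
    """Return one dict per syslog line that matches the IOS message format."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sev"] = int(ev["sev"])
            events.append(ev)
    return events


def errdisable_events(events):
    """(interface, cause) for every %PM-4-ERR_DISABLE line."""
    out = []
    for ev in events:
        if ev["mnemonic"] == "ERR_DISABLE":
            m = ERRDISABLE_RE.search(ev["msg"])
            if m:
                out.append((m.group("intf"), m.group("cause")))
    return out


def stale_stack_refs(events, removed_members):
    """(interface, member) for SFP insertions flagged as duplicates of a port on a
    stack member in removed_members; the symptom 'no switch <n> provision' clears."""
    out = []
    for ev in events:
        if ev["mnemonic"] != "MODULE_INSERTED":
            continue
        m = INSERT_RE.search(ev["msg"])
        if m and m.group("dup_sw") and int(m.group("dup_sw")) in removed_members:
            out.append((m.group("intf"), int(m.group("dup_sw"))))
    return out


def triage(text, removed_members):
    events = parse_log(text)
    return {
        "err_disabled": errdisable_events(events),
        "stale_refs": stale_stack_refs(events, removed_members),
        # severity 0-4 (emergency .. warning) is the band worth alerting on
        "high_severity": [(ev["facility"], ev["mnemonic"]) for ev in events if ev["sev"] <= 4],
    }


if __name__ == "__main__":
    # Member 3 is the one 'show switch' reports as Removed in the session above.
    for key, value in triage(SAMPLE_LOG, {3}).items():
        print(key, value)
```

Feeding the real `show logging` buffer into `triage()` with the members that `show switch` reports as Removed gives a quick answer to "are these err-disables a bad optic or a stale stack provision": an optic problem produces ERR_DISABLE lines without a matching stale reference.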
 

Cisco Switch Configuration for ISE

Categories Cisco, ISE, Switch

Switch Configuration

  • Example configuration used
conf t
 aaa new-model
 radius server ISE_RADIUS
 address ipv4 10.0.30.40 auth-port 1645 acct-port 1646
 key Temp1234!@#$
 exit
 aaa group server radius ISE
 server name ISE_RADIUS
 ip radius source-interface vlan 30
 exit
 aaa authentication dot1x default group ISE
 aaa authorization network default group ISE
 aaa authorization exec default group ISE local if-authenticated
 aaa accounting update periodic 3
 aaa accounting dot1x default start-stop group ISE
 aaa server radius dynamic-author
 client 10.0.30.40 server-key Temp1234!@#$
 radius-server attribute 6 on-for-login-auth
 radius-server attribute 8 include-in-access-req
 radius-server attribute 25 access-request include
 end

Explanation

  • Explain commands

ISE Configuration

  • Add the name, description, IP address, Device profile, Model name and Software version.
  • Enable the RADIUS Authentication Settings, enter the shared secret, then click Submit to add the switch.
  • To verify, after you click Submit you should see the device listed under the Network Devices section.

Authorization Profile

Policy Set

Verification

  • On the switch you can issue:
show cdp neighbor
show authentication session
show aaa server
  • On ISE GUI you can review the live session and logs under the RADIUS section in Operations:

Troubleshooting

  • No authentication sessions are showing on the network device.
  • Run an authentication test using the network device and review the logs in ISE.
  • Verify the aaa server configuration
test aaa group radius test-user test-password new-code
  • In ISE GUI:
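What `test aaa group radius ... new-code` exercises is the RADIUS Access-Request/Access-Accept exchange between the switch (the NAS) and ISE, and both the User-Password hiding and the Response Authenticator are MD5 computations keyed with the shared secret from the `radius server` and `dynamic-author` blocks above. That is why a secret mismatch shows up as a reject (ISE unhides a garbage password) or as a response the switch refuses to trust, rather than as a clear error. The following is an added example, not the page's code or anything from Cisco or ISE: it implements both sides of that exchange per RFC 2865 so the three outcomes can be reproduced offline. The NAS address 10.0.30.1, the user database and the Class value are constructed; the shared secret is the sample one from the configuration above.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) from both the NAS
and server side. Added example; not code from the page, Cisco or ISE."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, CLASS = 1, 2, 4, 6, 25
SERVICE_TYPE_LOGIN = 1  # Service-Type value sent by 'radius-server attribute 6 on-for-login-auth'


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret this yields garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, keystream))
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """Type / Length / Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data):
    attrs = {}
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def nas_build_request(username, password, secret, nas_ip, ident):
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = (avp(USER_NAME, username)
             + avp(USER_PASSWORD, hide_password(password, secret, request_auth))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request, secret, user_db):
    """Server side: unhide the password with its own copy of the secret, answer
    Accept (with a constructed Class attribute) or Reject, and sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_avps(request[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if code == ACCESS_REQUEST and user_db.get(attrs.get(USER_NAME)) == password:
        reply_code, reply_attrs = ACCESS_ACCEPT, avp(CLASS, b"CACS:constructed-session-id")
    else:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return packet(reply_code, ident, auth, reply_attrs)


def nas_check_response(request, response, secret):
    """NAS side: reject any reply whose authenticator was not made with our secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return "BAD_IDENTIFIER"
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return "BAD_AUTHENTICATOR"
    return "ACCEPT" if code == ACCESS_ACCEPT else "REJECT"


def run_test_aaa(username, password, nas_secret, server_secret, user_db, nas_ip="10.0.30.1"):
    """Offline equivalent of 'test aaa group radius <user> <password> new-code'."""
    request = nas_build_request(username, password, nas_secret, nas_ip, ident=7)
    response = server_handle(request, server_secret, user_db)
    return nas_check_response(request, response, nas_secret)


if __name__ == "__main__":
    secret, db = b"Temp1234!@#$", {b"test-user": b"test-password"}
    print(run_test_aaa(b"test-user", b"test-password", secret, secret, db))  # ACCEPT
    print(run_test_aaa(b"test-user", b"test-password", secret, b"Other", db))  # BAD_AUTHENTICATOR
```

The third case is the one to keep in mind when the troubleshooting step above returns a failure: the switch's own log will show the server answering, but the answer does not verify, which points at the `key` / `server-key` values rather than at the user's credentials. The MD5-based hiding is also the reason plain RADIUS over UDP belongs on a protected management VLAN (or behind RadSec/TLS) rather than on a path an untrusted host can observe.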

Verify NTP is matching for Logs

  • Verify the NTP server matches on all devices.
    Cisco Switch:

ISE Server:

Setting Up SSH On A Cisco Switch

Categories Cisco

Create a username with proper credentials. Enable SSH on VTY lines 0 – 4. Set up a domain name and generate an RSA crypto key. Then save the configuration.

enable
conf t
username lab pass lab
username lab priv 15

line vty 0 4
login local
transport input all

ip domain-name ge.local
crypto key gene rsa
2048

end
wr

Create an IP address for management if the device does not have a physical management port (the address goes on the VLAN interface, so enter interface configuration mode rather than VLAN database mode):

interface vlan 1
ip add 10.0.10.24 255.255.255.0
no shut
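The procedure above gets SSH working, but a practitioner would tighten a few points before exposing the VTY lines: `transport input all` keeps Telnet (and other transports) enabled alongside SSH, `username ... pass` stores a reversible type-0/7 password rather than a hashed `secret`, nothing pins `ip ssh version 2`, and no `access-class` limits where management sessions may originate. The following audit script is an added example (not the page's commands and not a Cisco tool) that reads a configuration as text and reports exactly those four points. Both sample configurations are constructed: the first mirrors the commands above as a running-config would show them, the second is the hardened variant, with a placeholder in place of a real type-9 hash.

```python
"""Audit a Cisco IOS running-config for remote-management hardening.
Added example; not the page's own commands or a Cisco tool."""
import re

# Constructed sample: the SSH setup above, as a running-config would render it
# ('username lab pass lab' followed by 'username lab priv 15' become one line).
SAMPLE_CONFIG = """\
hostname SWITCH-NAME
username lab privilege 15 password 0 lab
ip domain-name ge.local
interface Vlan1
 ip address 10.0.10.24 255.255.255.0
line vty 0 4
 login local
 transport input all
"""

# Constructed hardened variant; $9$PLACEHOLDER stands in for a real type-9 hash.
HARDENED_CONFIG = """\
hostname SWITCH-NAME
username lab privilege 15 secret 9 $9$PLACEHOLDER
ip domain-name ge.local
ip ssh version 2
ip access-list standard MGMT
 permit 10.0.10.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 login local
 transport input ssh
"""


def blocks(config):
    """Split an IOS config into (top-level command, [indented sub-commands]) pairs."""
    result, parent, children = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
            continue
        if parent is not None:
            result.append((parent, children))
        parent, children = raw.strip(), []
    if parent is not None:
        result.append((parent, children))
    return result


def audit(config):
    """Return (finding_code, detail) pairs; an empty list means nothing to fix."""
    findings = []
    parsed = blocks(config)
    if "ip ssh version 2" not in [p for p, _ in parsed]:
        findings.append(("SSH_VERSION_NOT_PINNED",
                         "add 'ip ssh version 2' so SSHv1 is never negotiated"))
    for parent, children in parsed:
        user = re.match(r"username (\S+) .*\bpassword\b", parent)
        if user:
            findings.append(("PLAINTEXT_USER_PASSWORD",
                             f"user {user.group(1)}: use 'secret' (hashed) instead of 'password' (type 0/7)"))
        if parent.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(("VTY_NOT_SSH_ONLY",
                                 f"{parent}: set 'transport input ssh' (currently {transports or 'platform default'})"))
            if not any(c.startswith("access-class") for c in children):
                findings.append(("NO_VTY_ACCESS_CLASS",
                                 f"{parent}: add 'access-class <ACL> in' to limit management sources"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG) or [("OK", "no findings")]:
        print(f"{code}: {detail}")
```

Run it against the output of `show running-config` saved to a file; the four codes map one-to-one onto the lines to change, and the hardened sample shows the target state.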

Verify the management interface is up:

Verify SSH access from remote device:

SSH to Cisco Switch

Factory Resetting a Cisco Switch

Categories Cisco
[Figure: Cisco 3750 Mode button]

Steps to reset a Cisco Switch (we’re using a Cisco 3750v2 for this example). The 3750v2 is a great labbing switch – I used this model for my CCNP.

It should be noted that a better way to do this is to rename config.text on the flash rather than delete it, so the old configuration can still be recovered. From the mode-button recovery prompt:

  • rename flash:config.text flash:config.old

Scenario: You need access to an IOS device and are locked out. You have physical access to the device and don’t care about the previous config – you need a vanilla config.

On Windows I really like using MobaXterm; this application is packed with a ton of features! Check it out: https://mobaxterm.mobatek.net/download.html

Forgot username and password

  • Power off the device.
  • Hold down the Mode button and plug the power back into the device.
  • Wait 20 seconds and release the Mode button.

[Figure: switch: prompt]

  • Initialize the flash and list the directory contents:
  • flash_init
  • dir flash:

[Figure: flash contents]

Next delete the vlan.dat and config.text:

  • del vlan.dat
  • del config.text

[Figure: deleting vlan.dat and config.text]

Issue the boot command to reboot the device:

  • boot

[Figure: Cisco boot command]

Success – A Vanilla’d Device