
Operating problems with WS-C2960S-24TS-S

Posted: Mon 16 May 2011 10:08 am
by BertocciL
Good morning to the whole community, forgive the question but I am a newbie with CISCO equipment and I am dealing with some problem that I think may be a configuration issue. I inherited a network infrastructure that has a 2960 connected to a Palo Alto appliance (PA-500). The CISCO is configured, very simply, with 4 VLANs that have no IP assigned; in practice I only need it to separate the traffic of the machines connected to it among the BackEnd, frontEnd and MGMT LANs. The strange thing is that if I try to ping between the machines connected to my device, regardless of the VLAN they are connected to, it works on some ports, for example, while on others it does not. I am posting the configuration of the CISCO 2960 for greater clarity.

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname C2960-S01
!
boot-start-marker
boot-end-marker
!
enable secret 5 .........................................................................
!
!
!
macro global description cisco-global
no aaa new-model
clock timezone UTC 1
clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00
authentication mac-move permit
ip subnet-zero
!
!
udld aggressive

!
!
crypto pki trustpoint TP-self-signed-1292758784
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1292758784
revocation-check none
rsakeypair TP-self-signed-1292758784
!
!
crypto pki certificate chain TP-self-signed-1292758784
certificate self-signed 01 nvram:IOS-Self-Sig#3434.cer
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
no spanning-tree vlan 10,89,172
!
!
!
errdisable recovery cause link-flap
errdisable recovery interval 60
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0
ip address 172.16.30.252 255.255.255.0
!
interface GigabitEthernet0/1
switchport access vlan 172
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
switchport access vlan 89
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
switchport access vlan 172
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
switchport access vlan 89
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
switchport access vlan 172
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/6
switchport access vlan 89
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/7
switchport access vlan 172
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/8
switchport access vlan 89
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/9
switchport access vlan 172
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/10
switchport access vlan 89
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/11
switchport access vlan 172
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/12
switchport access vlan 89
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/13
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/14
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/15
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/16
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/17
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/18
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/19
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/20
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/21
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/22
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/23
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface Vlan1
ip address 192.168.100.252 255.255.255.0
!
interface Vlan192
ip address 192.168.1.253 255.255.255.0
!
ip default-gateway 192.168.1.254
ip http server
ip http secure-server
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end

Can someone kindly help me before I go crazy, thanks.

Re: Operating problems with WS-C2960S-24TS-S

Posted: Wed 18 May 2011 2:51 pm
by Rizio
I would start by removing these lines on the ports you are testing on:

switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable

Then, when the ping fails, look at the state of the switch at the spanning-tree level (in case, for some strange reason, it has put the port in blocked), and also check for any ports in err-disable because of the security (if you have not disabled it).

Rizio
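
An added example, not part of the thread: a small Python audit of a config in the posted format that flags, per access port, the settings the reply above suggests looking at. The sample stanzas are constructed, and the function name and finding texts are this example's own; it relies on the IOS defaults that port-security allows one MAC address per port unless `maximum` is set and that `restrict` drops violating frames without err-disabling the port.

```python
import re

# Constructed sample in the style of the posted config (not the full config).
SAMPLE = """\
no spanning-tree vlan 10,89,172
!
interface GigabitEthernet0/1
 switchport access vlan 172
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet0/14
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet0/25
!
"""

def audit(config):
    """Map each access port to findings for the checks suggested in the reply."""
    stanzas, stp_off, port = {}, set(), None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            port = stanzas.setdefault(line.split()[1], [])
        elif line in ("!", ""):
            port = None
        elif port is not None:
            port.append(line)
        elif line.startswith("no spanning-tree vlan "):
            for part in line.split()[-1].split(","):  # accepts "10,89" and "10-20"
                lo, _, hi = part.partition("-")
                stp_off.update(range(int(lo), int(hi or lo) + 1))
    findings = {}
    for name, lines in stanzas.items():
        if "switchport mode access" not in lines:
            continue  # SVIs, the management port, unconfigured uplinks
        vlans = [int(m.group(1)) for l in lines
                 if (m := re.fullmatch(r"switchport access vlan (\d+)", l))]
        notes = [] if vlans else ["no access vlan: port is in VLAN 1"]
        vlan = vlans[-1] if vlans else 1
        if ({"switchport port-security", "switchport port-security violation restrict"} <= set(lines)
                and not any(l.startswith("switchport port-security maximum") for l in lines)):
            notes.append("port-security restrict, default max 1 MAC")
        if vlan in stp_off:
            notes.append(f"spanning tree disabled for VLAN {vlan}")
        findings[name] = notes
    return findings
```

Calling `audit()` on the text of a saved running-config gives a per-port list to compare against the ports where the ping fails.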

Re: Operating problems with WS-C2960S-24TS-S

Posted: Thu 19 May 2011 10:01 am
by BertocciL
Thanks Rizio, I am away for work but as soon as I am back, at the weekend, I will try to make the suggested changes.

Re: Operating problems with WS-C2960S-24TS-S

Posted: Thu 19 May 2011 10:24 am
by Rizio
BertocciL wrote: Thanks Rizio, I am away for work but as soon as I am back, at the weekend, I will try to make the suggested changes.
Keep in mind that I would only run some tests without those lines, because it is not certain that it is the security settings that are blocking the port.
Let's say that I would start testing from there and then evaluate afterwards, but for now I would remove them only for the tests.

Rizio

Re: Operating problems with WS-C2960S-24TS-S

Posted: Thu 19 May 2011 6:37 pm
by Gianremo.Smisek
Can you post the network topology? As Rizio rightly says, the problem could be STP.

Bye

P.S. I didn't know this, but the 2960s:
Routing: Basic Layer 3 static routing with 16 routes
omg.. are they "moving" routing to the access layer too? :shock:

Re: Operating problems with WS-C2960S-24TS-S

Posted: Fri 20 May 2011 7:49 am
by Rizio
intel wrote: P.S. I didn't know this, but the 2960s:
Routing: Basic Layer 3 static routing with 16 routes
omg.. are they "moving" routing to the access layer too? :shock:
Urgh! This is news to me too; I have many of them scattered around the company and I had never "come across" their routing features (even if static).

All right, thanks for the info because it may be useful for solving some last-minute contingency.

Rizio