Saturday, March 31, 2018

Cisco 3650/3850 3.6.7 exposes stupid mistake

S***post about something that happened at work. I sometimes dump frustrating or stupid things that happened on here so I can remember why I hate my career field.

Every network admin knows not to put access ports in the native VLAN, since it opens up the threat vector for double-tagged frames. IOS XE will not stop you from doing it, however, and I have a neat trick to figure out whether you have any such misconfigurations in your network: upgrade to 3.6.7e.
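Added example, not from this post: a small Python check that flags the misconfiguration described above by reading a running-config and listing access ports whose VLAN is the native VLAN of some trunk (IOS defaults of VLAN 1 on both sides are taken into account). The configuration it parses is constructed for the example, not from any real switch.

```python
# Added example (not from the post): audit an IOS/IOS XE running-config for access
# ports whose VLAN is some trunk's native VLAN. SAMPLE_CONFIG is constructed.
from collections import defaultdict

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk native vlan 99
 switchport mode trunk
!
interface GigabitEthernet1/0/11
 switchport mode access
!
interface GigabitEthernet1/0/12
 switchport access vlan 99
 switchport mode access
!
"""

def parse_ports(config):
    """Map interface -> {mode, access, native}; IOS defaults (VLAN 1) when absent."""
    ports, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            cur = ports[words[1]] = {"mode": None, "access": 1, "native": 1}
        elif cur is None:
            continue
        elif words[:2] == ["switchport", "mode"]:
            cur["mode"] = words[2]
        elif words[:3] == ["switchport", "access", "vlan"]:
            cur["access"] = int(words[3])
        elif words[:4] == ["switchport", "trunk", "native", "vlan"]:
            cur["native"] = int(words[4])
    return ports

def find_access_in_native(config):
    """Return [(access_port, vlan, [trunks whose native VLAN is vlan])]."""
    ports = parse_ports(config)
    native_trunks = defaultdict(list)
    for name, p in ports.items():
        if p["mode"] == "trunk":
            native_trunks[p["native"]].append(name)
    return [(n, p["access"], native_trunks[p["access"]])
            for n, p in sorted(ports.items())
            if p["mode"] == "access" and p["access"] in native_trunks]
```

Feed it the output of `show running-config` and every finding is a port to move out of the trunk's native VLAN (or a trunk whose native VLAN should become an unused one).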

How it came to me: I have a switch configured this way* that I have just now upgraded to IOS XE 3.6.7e to get around one of the numerous bugs in 3.6.2ae. Users on the access ports are not passing traffic. GD. IP device tracking, the DHCP server itself, and the ARP cache all confirm nobody is getting an IP. Netflow or interface statistics would have shown it more easily during a busy time of day. I don't remember if the SVI for the mgmt IP was in the native VLAN or not, but I could SSH in. Easy fix: 3.6.6e does not exhibit this behavior. 3.6.8e is out now, but I haven't tested it for this.

*I help manage a ~5000 switch/router wide network so please allow me to put the blame squarely on "whatever idiot" configured it this way.
