11 replies to this topic

[slugman]

Hello,

I have 2 x cisco 3750G in a stacking configuration,

I have practically no config on this stack only:

#vlan 2
#interface range gig 1/0/1 - 36 > switchport access vlan 2

i keep getting the errors:

6d21h: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEt hernet2/0/1 (1), with Switch GigabitEthernet1/0/1 (2).
4d23h: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEt hernet2/0/1 (1), with Switch GigabitEthernet1/0/1 (2). (Switch-2)


Any one help ?

Sluggerzz...

[Infiltrator]

Don't know if you read this thread or not, but worth a read.

http://cciepursuit.w...s-of-the-trunk/

[janjensen]

Got it solved?

[Infiltrator]

Got it solved?

What was the problem?

[stealthkit]

Well without seeing the entire config I can't be sure but I think it your problem lies with how you have wired/configured it.... Make sure and configure the stack before configuring the switchports. This is good practice and I outlined the steps below. My diag of you error message is stated below as well.

6d21h: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet2/0/1 (1), with Switch GigabitEthernet1/0/1 (2).
4d23h: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet2/0/1 (1), with Switch GigabitEthernet1/0/1 (2). (Switch-2)

On the back of the 3750 switches there are stacking ports and should have some cables that came with them. That is where you should be stacking the switch. So either you have the switch stacked with the right stacking cables and have switchport 1/0/1 and 2/0/1 plugged into each other or you did not use the stacking cables and are trying to stack the switches together using 1/0/1 and 2/0/1. If you did use the stacking cables then you need to unplug g 1/0/1 - g 2/0/1 between the switches and just use the stacking built into the switch. The stack as I hope you know is seen a 1 logical switch. So the ethernet connection would cause a spanning-tree loop / broadcast storm if spanning-tree is not configured correctly. I hope this makes sense. In short...

The error is because on switch 1 you have either not configured anything and the switch is defaulting to its native vlan 1. Also the other possibly is the command "switchport trunk native vlan 1" was issued on switch 1 instead of "switchport access vlan 2". Also, I have no idea why those switches are connected via ethernet g 1/0/1 and 2/0/1 if the switches are stacked. If this is how you were trying to stack them STOP and rip that off and look for the stacking cables that came with the switches. Not trying to talk down on you, so sorry if I come off a little harsh. Then again this is just a guess but I feel that this above is most likely the issue. If you have questions let me know.

First make sure you set the switch numbers in the stack


#show switch
#switch 2 renumber 1

The "switch 2 renumber 1" part is optional if it is not already the way you need it in the rack. Next set the priority of the switches in the stack, so the same router will boot as the master during the stackmaster election.

#switch 1 priority 15
#switch 2 priority 14
#wr
#reload

This will get the switches in the stack configured correctly (Well at lease the stack part of the config) If you have a question please let me know. Good Luck

-Stealthkit

Edited by stealthkit, 30 November 2012 - 10:23 AM.

[Random_N00b]

We've had this issue with a Layer 3 switch and a misconfigured ASA that wasn't translating the dot1q tags right. From my experience, this issue comes up when you plug a cable that's connected to a trunk port on one end into a user port on the other. Those are what I've experienced. Then again, in our network we have stackable switches (Catalyst 3750/3750G), but we do not use the stacking function of them, so I cannot speak on that aspect.

[The Sorrow]

OP should post the configs for both switches (exempting the password information of course)

[Random_N00b]

OP should post the configs for both switches (exempting the password information of course)

 

First off, OP shouldn't have to block out the password information.  Username, maybe, password, no.  The passwords are encrypted in the config by:

 

switch(config)#service password-encryption

 

in older IOS versions.  I know the newest version of IOS for 3750 (all versions that I'm aware of in the catalyst series of switches) supports a new command which encrypts the password and is integrated into the user command.  It is:

 

switch(config)#username <user> privilege <1-15> secret <password>

If you were to use the username of bob, and wanted him to be fully enabled upon login, and have the password of password123, it would look like:

switch(config)#username bob privilege 15 secret password123

 

A "show run" command would show the line as:

username bob privilege 15 secret @ts24%s0asr42siowd42$  or some other hash

 

However, still probably not a bad idea to block that line out.  I am aware of some tools (Solar Winds Engineer Toolset) that come with Cisco password decryptors, but I have never seen it actually work.

[hexophrenic]

The tool in solarwinds is for older hashing cisco provided (10 years ago?).  It worked well against those.

[Random_N00b]

The tool in solarwinds is for older hashing cisco provided (10 years ago?).  It worked well against those.

 

Did not know that.  I mean, I was sure that it worked at one point, but for the time that I've been in the industry (about 4 years) I've never seen that tool work.  Maybe on the default IOS's, but I've never tried it.  Also, if you're to the point where you're trying to decrypt the hash, you can probably just do a password recovery.  Probably be easier. 

[stealthkit]

The tool in solarwinds is for older hashing cisco provided (10 years ago?).  It worked well against those.

 

Watch out for Cain and Able, as its main purpose is to crack hash keys. I have never tried cracking any hashes with it, I only used the ARP poisoning portion of the software.

[Random_N00b]

Watch out for Cain and Able, as its main purpose is to crack hash keys. I have never tried cracking any hashes with it, I only used the ARP poisoning portion of the software.

 

For the purposes of security testing, and I really do mean that, I think I'll throw one of my password hashes into Cain and Able.  The only problem is, I've never worked much with it, and never got it working.  However, this isn't an issue for this forum.  Actually, I think it's on Hiren's...