Uplink Catalyst 3560CX 8 port switch to SG300-53 not working

I have a potentially stupid question.

I have only worked with Cisco ASA 5505 appliances and SG/SF 300  series Cisco switches.  Recently I picked up a Catalyst 3560CX 8 TC model switch, and have been having nothing but trouble trying to configure it.

On my bench I was able to assign ports 1-8 a basic 'switch' management IP of  Seemed to work fine.  The PC I plugged into port 1 had no issues pinging it, connecting to it, allowing me to configure it.

I then took the unit onsite and plugged port 1 into a Cisco SG300 series switch.
The port light on the C3560CX went green, switched immediately to amber, and stayed solid amber.  The switch port on the SG300 went dead as though nothing was connected.  I disconnected the cable but the C3560CX still showed a solid amber light for that port.  Just for fun I plugged the cable into port 3.  Exactly the same outcome.

I checked the port on the SG300.  I ensured it was set to Trunk.  I turned off Auto SmartPort for the SG300 interface (GE30).  No change.  
Rebooted C3560CX and waited the 5 minutes for it to come back up - did exactly the same thing = dead amber port.

I disconnected the C3560CX, moved it to a PC, static assigned an IP to the PC, and hooked it up to a switch port.  Now I can ping no problem. I can log into the web console no problem.  Everything seems fine.

Everything is VLAN1 - default.  Ports set to trunk.  

Hook it back up to the network by uplinking to SG300 - dead port.

So I reconfigured the switch port to a routed port and set it to DHCP.  Presumably this means the port will pull an address from the DHCP server on the network.  Except I can't find it.  The port no longer goes amber and dies, it's flashing, but it also seems to have no address that I can find.

I installed Cisco FindIT which using Bonjour does find the 4 SG300 series switches I have on the network, but doesn't find the C3560CX.

I figure since I have googled this to death and cannot find anything that even remotely looks like my issue, I must have done something stupid.  I need to get this router up as it's required for a Fiber connection to a branch office.  That's a whole other headache.  First I need to be able to get this thing to talk to my other switches.

Please advise.

Couple of suggestions.  Although I think both devices support MDI-X, try using a crossover cable.  Also try hard-coding the speed and duplex on both devices.

WiReDWolf (Author) commented:
They do both support MDI-X but I tried a crossover cable anyway - no change.
Setting speed and duplex on both sides to match - no change.

Here's what I'm getting:

On the C3560CX
System Messages - Critical Events
Facility          Severity         Status                                  Description
SPANTREE    2                     BLOCK_PBDUGUARD       Received BPDU on port Gi0/1 with BPDU Guard enabled.  Disabling port.

Disconnecting the cable and shutting down the port and bringing it back up again works, but if still uplinked to the switch it just fails again.

I've been looking at how to shut off the BPDU Guard, but I'm concerned that I really do have a routing loop somewhere and I'll crash the whole network.  I just don't know enough about Cisco products to know where to look next.
As long as there is nothing else but a single SG300 connected to the C3560X, there is no way you can have a loop.

Is the port on the C3560CX actually configured as a trunk port?  I thought that only non-trunking ports would go into error mode if it received a BPDU.

WiReDWolf (Author) commented:
I have 2 distinct networks separated by a SonicWALL router, but each network spans a plant uplinked with fiber.
2 x SG300-52 switches
1 x SG300-24 switch
1 x SG300-28P switch
1 x SF300-24P switch

All ports on all switches are set to Trunk.

I need to add a dedicated fiber connection to a branch office on the other side of the country.  The other end of the fiber is EIGRP on yet another subnet, which is why I needed the Catalyst switch.  The SG's can't do EIGRP.

In the end my SonicWALL will still be the core of the network:

X0 (LAN) (gateway)
X2 (WLAN) (gateway)
X5 (VOICE) (gateway)

I will uplink one LAN SG switch to a routed port on the C3560CX
I will uplink one WLAN SG switch to a routed port on the C3560CX
I will uplink the fiber to the C3560CX with the IP the provider gave me
I don't need to uplink the VOICE network

As a test I bound X4 interface on the SonicWALL to the LAN as well and plugged the C3560CX directly into the SonicWALL.  Instantly the port shut down, same as when directly uplinked to the SG300.  So even indirectly it's picking up something.  Yet I know I don't have any routing loops - my network is fine.

I confirmed that I had set the interfaces on the switch ports on the C3560CX to Trunk (All VLAN's accepted) and I tried both GENERAL and TRUNK on the port on the SG300. In GENERAL mode I disabled INGRESS FILTER.  Made no difference.

Clearly there is something about how these two Cisco products talk to one another that they don't like.  I just can't seem to figure out what it is.

WiReDWolf (Author) commented:
This may be a mistake but I've decided to disable BPDU:

C3560CX(config)#int gigabitethernet0/12
C3560CX(config-if)#spanning-tree bpdufilter disable
C3560CX(config-if)#spanning-tree bpduguard disable

I've applied the same configuration to all ports.

Based on this forum post:


Never configure BPDU Guard on trunk ports because they will disable the ports and no communication will work.

Also Portfast over a trunk can generate problems.

So Portfast and BPDU Guard must be configured on access ports only.

I haven't managed to dig into the SG300 configuration, but I do think BPDU is enabled, and I think that's what's causing the issue.  Proof will be in the pudding tomorrow when I go back onsite and hook the 3560CX up again.

As a test I hooked up the 3560CX at home and directly connected to my SonicWALL router.  It worked exactly as expected, so that confirms that it's something the SG's are broadcasting that's causing the ports on the C3560CX to err.
BPDU guard and filter should be disabled on trunks.  I'm fairly sure the SG300 can have BPDU guard disabled.  Other than reading about them, I don't know anything about SonicWALL firewalls.  However unless you are actually trunking traffic to them, they should not be configured as trunks and BPDU guard should be enabled on them (if they support that) and on the Cisco switch ports that are connected to them.

Just to make sure we are on the same page, when I use the terms below, this is what I mean:

An uplink is a connection between 2 network devices, examples: switch-to-switch, switch-to-router, switch-to-firewall

A trunk is a connection between two devices that support multiple VLAN's.

An uplink is NOT always a trunk and a trunk is not always an uplink.
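
An added example, not part of the thread and not any poster's code: a small audit of a Catalyst running-config that reports trunk ports on which BPDU Guard is effective (the err-disable condition seen in this thread) and access ports left without it. The sample config is constructed, `audit` is a hypothetical name, and only a static `switchport mode trunk` is treated as a trunk.

```python
import re

# Constructed sample config ('!' separator lines omitted); not taken from the thread.
SAMPLE = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree portfast trunk
interface GigabitEthernet0/2
 switchport mode trunk
 spanning-tree bpduguard enable
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree bpduguard disable
interface GigabitEthernet0/5
 switchport mode trunk
"""

def audit(config):
    """Return {interface: finding} for ports whose BPDU Guard state is risky."""
    g_guard = g_pf = False
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip().replace("portfast edge", "portfast")  # newer IOS syntax
        if raw.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"trunk": False, "pf": None, "guard": None})
        elif not raw.startswith(" "):  # a global-level line ends the interface block
            cur = None
            g_guard |= line == "spanning-tree portfast bpduguard default"
            g_pf |= line == "spanning-tree portfast default"
        elif cur is not None:
            cur["trunk"] |= line == "switchport mode trunk"
            if m := re.fullmatch(r"spanning-tree portfast(?: (trunk|disable))?", line):
                cur["pf"] = m.group(1) or "on"
            elif m := re.fullmatch(r"spanning-tree bpduguard (enable|disable)", line):
                cur["guard"] = m.group(1)
    findings = {}
    for name, i in ifaces.items():
        # The global bpduguard default only applies where PortFast is operational.
        pf_up = i["pf"] == "trunk" if i["trunk"] else (i["pf"] in ("on", "trunk") or (i["pf"] is None and g_pf))
        guarded = i["guard"] == "enable" or (i["guard"] is None and g_guard and pf_up)
        if i["trunk"] and guarded:
            findings[name] = "trunk-guarded"      # err-disables on the neighbour's first BPDU
        elif not i["trunk"] and not guarded:
            findings[name] = "access-unguarded"   # a switch plugged in here goes unnoticed
    return findings
```

On the sample, Gi0/1 and Gi0/2 are reported as guarded trunks and Gi0/4 as an unguarded access port; Gi0/3 and Gi0/5 are clean.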


WiReDWolf (Author) commented:
Thanks for the input giltjr!

I am actually not sure why all the ports were set to trunk, but it's consistent across every switch port on every switch.  Other than SonicWALL SonicPoints (which do use VLAN's on sub-interfaces on the SonicWALL) we have never really needed to use VLAN for anything.  The ports could be set to ACCESS or GENERAL or TRUNK - it won't make any difference.

I have needed to ask very few questions on Experts Exchange, but when I do it almost always revolves around these SG300 series switches.  They are like some cheap cousin to the enterprise products, and don't seem to configure or behave the same way.  Finding support has been - excruciating.

I do understand the terms, VLAN, Uplink, Trunk, and I know what they do.  I am less familiar with PortFast, SpanTree, and BPDU protocols, or how they relate to one another.

Anyway, disabling BPDUFilter and BPDUGuard on all the switch ports on the C3560CX did the trick.  I have uplinked the  C3560CX to an SG300-52 without the port dropping, and I can connect and manage it now.

Moving forward I would ultimately like to set this all up properly, using proper VLAN's to segment my networks, and route all my LAN and WLAN traffic through the C3560 instead of through the SonicWALL router.  That will require a lot of planning, and for me a lot of reading, because that's not something I've ever attempted before.  Cisco is well outside of my comfort zone.

I'm not 100% sure, but IIRC the SG200/SG300 family were another vendor's devices that Cisco acquired and then re-branded as "Cisco".  Could have been rebranded Linksys devices from back when Cisco owned them.

You do have to be careful with some terms, like trunking.  In some other manufacturers' devices trunking is the same as Cisco's Etherchannel, combining multiple physical interfaces into a single logical interface for increased bandwidth.

Thanks for the points and good luck with the re-design.  It is a good idea not to have all internal traffic routed through your firewall.