Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Security issue or IOS bug - Connecting with manually configured Media Mode

I have an ethernet device that's manually configured in 100Mbps/HalfDuplex with a static IP address, and when I plug it into my Cisco Catalyst 2955 switch I get the following behavior:

1. The green light eventually comes on for the port, signifying that the device is recognized.

2. I can enter the console for the switch and ping my device - no problem.

3. On a PC connected to the switch, I reset the ARP table and attempt to ping the device. My ARP table in the PC is properly updated with the MAC address of the device during the ping, but the ping fails in all attempts.

4. Specific types of packets seem to be able to reach the device (call me crazy if I say all Broadcast packets), but I cannot use FTP, ICMP, or any other "standard" protocols to connect to the device (yes, there's an FTP server on the device).

5. If I force the device to autonegotiate with the Cisco switch, the Cisco switch once again gives me the green light and now I can access the device from the outside.

Is this a security thing enabled in the switch somehow (factory default settings, no MAC addresses are configured for any given port) or is this an IOS bug?

I am currently running IOS version 12.1(22)EA6.



Re: Security issue or IOS bug - Connecting with manually configu

Hello Danny,

The observed behaviour should not be a "security thing", assuming a 2955 with factory default port settings.

1) As your results vary with auto-negotiation on/off you might have a mismatch in settings. Auto-negotiation is known to cause troubles with some ethernet chip sets. The general recommendation would be to set speed and duplex to fixed values on both devices (PC and 2955) or to test a working combination. In your case this would be autonegotiation on the device (What is the outcome of it: 10 or 100 Mbps, half or full duplex?).

2) It could be an IOS bug. But before heading this direction I would check option 1) first.

3) Make sure there is no personal firewall on the destination PC interfereing with your connectivity? It would typically allow f.e. ARP, but then block ICMP requests (maybe except default gateway). This is not really consistent with your observations, but should be checked to simplify trouble shooting.

So please check the port settings in the switch when setting the device to fixed speed/duplex. Also make sure, that the 2955 port is in factory default as starting point for trouble shooting. Then turn on all the features you´d like to activate on the port one by one and check in each state, whether it interferes with your connectivity requirements.

Hope this helps! Please rate all posts.

Regards, Martin


Re: Security issue or IOS bug - Connecting with manually configu

It could be as simple as your cable. Did you make it yourself? Did you follow the EIA/TIA568a or 568b color pin-outs?

If you created the cable such that you have then you'd have what's caled a split pair on pins 3&6 (you'd be using two different colored wires to make a pair - pair 2, pins 3&6)

If that's the case, then you don't have "twisted pair" for that pair, and the crosstalk is increased considerably .... to the point that the cable cannot perform well.

When you force 100 mbps, the communication fails (depending on the bit density of the communication), when you set it to autonegotiate, both devices fall back to 10mbps (but are still probably working at less than optimal performance).

The green led is just a link light, all it does is tell you that there's continuity ... a link light doesn't mean you have a functional connection......just a connection.

Try it with a pre-made / commercial / purchased cable and see if it works. If you want to make your own, then use the following pinout:

(assumes clip down, open end towards you - pin 1 is on the left)

1 - White-orange

2 - Orange

3 - White-green

4 - BLUE

5 - White-blue

6 - Green

7 - White-brown

8 - Brown

Note that the blue pair is "flipped" opposite the order of the other pairs (wh-grn, blue, wht-blu, grn).

Ethernet and Fast Ethernet use pins 1&2 (pair) and 3&6 (pair).

The order I presented is the "EIA/TIA 568b" spec. If you exchange the orange and green pairs, that would be EIA/TIA 568a (grn-wht, grn, wht-orng, BLUE, blue-white, orng, wht-brn, brn).

You can also do a "sh int" and look at the numbers for the port - if you see a lot of collisions, then it's probably a duplex mismatch (one side is full duplex, the other side is half duplex).

Some equipment doesn't auto-negotiate well, sometime it's the only mode (auto-negotiate) that'll work. Some of the older Cisco equipment will always show a duplex-mismatch when "hard set" ... even if the duplex is right .... and won't work (even if the port shows "Up Up").

Look at the "show int" on the switch and "ipconfig /all" on the (Windows-based) PC (or an "ifconfig" on *nix) it'll show you what the port speed and duplex settings are that the ports are using.

If they agree (and it doesn't work) then set both sides to auto. If you set both sides manually and it doesn't work, try another cable.

Good Luck


CreatePlease to create content