1

I recently upgraded from an old ISA to a Forefront box. I'm now receiving a ton of 0xc0040050 errors. The vast majority are to an internal broadcast address - 100.100.100.255. This is a legacy subnet that runs on VLAN 1. I have three VLANs defined on my Forefront box - 40, 50, 250. These are configured with HP's NCU and function perfectly. It sounds like Forefront sees these packets and throws an error since it is not expecting any direct traffic in that IP range. I need to stop this logging, either by removing VLAN1 from the switchport or at the Forefront side.

The router in question is an aging 2811 running IOS 12.4. Forefront is on SP 1 rollup 3. I'm really hoping that I can somehow remove this VLAN from the switchport – that seems the cleanest solution. I can’t pull it by default and I’m not familiar with a way of overriding that behavior.

interface FastEthernet1/8
 switchport trunk native vlan 250
 switchport trunk allowed vlan 1,2,40,50,250,1002-1005
 switchport mode trunk

When I attempt to remove the VLAN I receive

Command rejected: Bad VLAN allowed list. You have to include all default vlans, e.g. 1-2,1002-1005.

Tim Brigham
  • Re: edit: yeah, some older devices are picky about that. Can you drop that vlan on the remote end of this trunk connection instead? – Shane Madden Sep 22 '11 at 18:41
  • That is exactly what I was hoping to find out - the other end of the cable is connected directly to the Forefront box and I think Windows / Forefront is too stupid to drop the VLAN. Would an upgraded IOS version help? – Tim Brigham Sep 22 '11 at 18:47
  • Unfortunately I think that isn't a problem that will be fixed via upgrade. You might find it easier to just move the other devices that are in VLAN 1 into some other VLAN (assuming you have a small number of switches) – Aaron Sep 22 '11 at 19:01
  • Assuming that I'm not using VLAN 1 in some tagged fashion should it theoretically be possible to create a new VLAN (say #3) and simply change the default VLAN on all the associated ports to use this as the default? From there all I should need to do is set up the old IP on that vlan interface right? – Tim Brigham Sep 22 '11 at 20:08
  • That is correct - there's nothing "magical" about VLANs, and in fact, any port that is in switchport mode access, the hosts that are on that port have no idea what VLAN they're in. – Aaron Oct 03 '11 at 18:22

5 Answers

1
interface f1/8
 switchport trunk allowed vlan remove 1

This will stop the vlan 1 traffic from being sent over the port.

Shane Madden
1
conf t
int f1/8
switchport trunk allowed vlan remove 1

This will remove vlan 1 from being trunked on that port.

Aaron
0

Paper over the problem!

Create a Deny rule that matches the traffic, order it first in the list, and turn off logging for that rule.

(might work :) )

TristanK
  • Unfortunately I already tried that - since it isn't actually a *rule* that is catching this traffic that doesn't work. See http://serverfault.com/questions/308632/forefront-0xc0040017 for details. – Tim Brigham Sep 23 '11 at 14:39
0

In the end we opted to paper over the problem. We started using a syslog-ng filter to drop the messages before they reached our central log server.

Tim Brigham
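An added example of the approach this answer describes, not configuration from the original post: a syslog-ng 3.x filter that drops only the Forefront 0xc0040050 messages aimed at the legacy VLAN 1 broadcast address (100.100.100.255 from the question) and forwards everything else to the central log server. The source and destination names (s_tmg, d_central), the listening port, the central server hostname and the assumption that the error code and destination address appear in the message body are all assumptions; adjust them to match the real log format before deploying.

```conf
# Added example, not the original answer's config. Assumes syslog-ng 3.3+
# (network() driver) and that Forefront forwards its alerts via syslog.

# Where the Forefront box sends its syslog messages (assumed port).
source s_tmg {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# The central log server (assumed hostname).
destination d_central {
    network("logserver.example.internal" port(514) transport("udp"));
};

# Match BOTH the error code and the known broadcast destination, so a real
# 0xc0040050 event involving any other host is still delivered. Dots are
# escaped so they match literally rather than as regex wildcards.
filter f_vlan1_noise {
    match("0xc0040050" value("MESSAGE"))
    and match("100\\.100\\.100\\.255" value("MESSAGE"));
};

# Negate inside the filter definition: everything that is NOT the known
# VLAN 1 broadcast noise passes through.
filter f_keep {
    not filter(f_vlan1_noise);
};

log {
    source(s_tmg);
    filter(f_keep);
    destination(d_central);
};
```

Scoping the drop to the specific broadcast address rather than to the error code alone is the important design choice: a filter on 0xc0040050 by itself would also silence the same error for unexpected sources, which is exactly the kind of event you want to keep. Run `syslog-ng --syntax-only -f <config>` to check the file before reloading.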
-1

You can't remove vlan1 from this switch (see step 3), but you can remove the port from the vlan:

conf t
interface FastEthernet1/8
no switchport access vlan 1

This will remove the trunk port from vlan1.

I prefer to keep traffic off vlan1, because I don't like things I can't completely configure. Try to eliminate the broadcast packets from your network if they are unnecessary.

mbrownnyc