Cisco :: 3750 - How To Deny VLan To Access Another One

Dec 5, 2011

We have a 3750 which has a few vlans configured.  One Vlan is for public access wifi and another for our security system (door access, cameras, etc.).  I don't want the public wifi vlan to access the security system vlan.  How can I accomplish this in the 3750?


Cisco Switching/Routing :: PBR With Deny ACL Entry On 3750

Aug 19, 2011

Are packets matching deny ACL entries used by PBR on a 3750 still punted to the CPU? I found this article: URL
 
High CPU Due to Policy Based Routing

Policy Based Routing (PBR) implementation in Cisco Catalyst 3750 switches has some limitations. If these restrictions are not followed, it can cause high CPU utilization. You can enable PBR on a routed port or an SVI. The switch does not support route-map deny statements for PBR. Multicast traffic is not policy-routed. PBR applies only to unicast traffic. Do not match ACLs that permit packets destined for a local address. PBR forwards these packets, which can cause ping or Telnet failure or route protocol flapping.

Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which can cause high CPU utilization.

In order to use PBR, you must first enable the routing template with the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template.
 
I checked the latest config guide, and those same guidelines are still listed. If that limitation is still there, are those packets switched at the process level (ip_input) or the interrupt level?


Cisco :: To Configure Internet Access For Different Vlan In 3750

Oct 18, 2012

How do I configure internet access for different VLANs on a Cisco 3750 switch? The ISP connection connects directly to the 3750, and the 3750 has 18 VLANs.


Cisco Switching :: 3750 - IP / VLAN Planning For Routed Access Design?

Sep 10, 2012

We are currently designing a complete Layer 3 to the edge solution for our customers. The network design is a combination of a collapsed core (Core to access) as well as a three layer model (Core/Distro/Access) for connectivity to the Data Centre, Internet and Wireless Blocks.
 
The core of the network contains two 6509E switches interconnected on a Layer 3 port channel (no VSS). Access layer switches (3750 stacks) connect to the core switches over p2p routed links (collapsed core part of the design). Distribution layer switches provide connectivity to the Data Centre, Internet and Wireless Blocks (three layer model).
 
All IP addressing is being planned for assignment from the private RFC 1918 address block(10.0.0.0/8) for both Infrastructure and Access layer VLANs for users.
 
Clarifications required for the following:

[code]...


Cisco :: 3750 / Autonomous Wireless Access Point / Dot1x And Guest VLAN?

Jul 11, 2012

Hardware: Cisco 3750 switch and Cisco autonomous access point (AIR-AP1142N-E-K9).

Requirement: A single broadcast SSID; use dot1x to assign VLAN 98 to authenticated clients (computer certificate); assign VLAN 3 (guest) if the authentication fails.

I can achieve assigning a guest VLAN on authentication failure when using a wired connection by using the following command on the interface:

authentication event fail action authorize vlan 3

I'm after a way to achieve the above using the wireless access point. The main point is that internal users cannot access VLAN 3, as they have a valid certificate, and that guests do not have to authenticate.


Cisco Switching/Routing :: 3750 - Extending VLAN To Remote Switch That Already Has VLAN ID In Use

Jan 10, 2013

I have two networks at two sites with a dot1q trunk between the two L3 switches at both sites (no routers involved).
 
SITE A - Cisco 3750 L3 - VLAN ID 50
10.10.50.0/24
 
SITE B - Cisco 3750 L3 - VLAN ID 50
10.20.50.0/24
 
I would like to extend the SITE A VLAN to SITE B so that I can move hosts from SITE A to SITE B without needing to change their IP address, but the VLAN ID is already in use. Obviously the easy solution is to change the VLAN ID for one or other of the sites, but both sites contain hosts that run 24/7. Is there a way to join two VLANs with different IDs together? So for example I create a new VLAN 60 at SITE B and associate it with VLAN 50 at SITE A.


Cisco :: Access Deny In L3 Switch?

Jun 8, 2012

I have a Cisco L3 switch configured with different VLANs and a different subnet assigned to each VLAN. If I connect a PC to VLAN 2 I am able to ping hosts in the other VLANs.


Cisco Switching/Routing :: Low Bandwidth On 3750 From Vlan To Vlan?

Nov 20, 2012

We have low bandwidth (15-20 Mbit/s) to the ASA from our client VLAN. If I connect the client to the same VLAN as the ASA is in, the bandwidth (90 Mbit/s) is good.
 
Here is the Layer 3 design:
 
Client     ->     vlan 2 - Switch - vlan 7     ->     vlan 1 - ASA 5505     ->     ISP
 
The Layer 2 Design:
 
Client     ->     Gig2/0/13 - Switch - Gig4/0/43     ->     Eth0/1 ASA5505     ->     ISP
 
IP addresses:
Client: 172.16.2.10
Vlan2: 172.16.2.1
Vlan7: 172.16.7.1
ASA: 172.16.7.2
  
I assume the switch has a problem with routing? It is a stacked switch with the following members:

switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-24ts
switch 3 provision ws-c3750g-24ts
switch 4 provision ws-c3750x-48
 
And we have the following error message in the log from the switch:

%PLATFORM_UCAST-4-PREFIX: One or more specific prefixes could not be programmed into TCAM and are being covered by a less specific prefix, and the packets may be software forwarded

I first got the idea that the switch is overloaded with routed traffic. That's why I assume I have to check the SDM templates, but I'm not sure if this resolves the issue.
 
Here is the relevant config:
 
ASA Interface on the Switch:

interface GigabitEthernet4/0/43
 description ASA-inside LAN
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
 
Client Interface on the Switch:

interface GigabitEthernet3/0/1
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable

[code]...


Cisco Wireless :: 857W - Deny PC Access To Web?

May 28, 2013

I need to develop an ACL that can block a computer on the LAN from accessing the internet from midnight to 7am every day. The router is an 857W, the computer is 192.168.2.33, and the internal gateway is 192.168.2.254 (dialer 1 is 1.2.3.4).

access-list 101 deny tcp host 192.168.2.33 any eq www

What I need to figure out is how to add a time-based ACL for just this computer.


Cisco AAA/Identity/Nac :: ACS 5.1 How To Deny Access To User

Jun 12, 2011

I have ACS 5.1. I have created the Identity Group 'Admin' and added 2 users to it, say User1 and User2. How do I permit only User1 to get authenticated when he logs in to the device? There is an option to select 'UserName' while creating a Service Access Policy, but I have observed that although I have mentioned only User1 in the rule, User2 is also getting permitted.


Cisco WAN :: 2801 Way To Deny Access To A Specify Web Site

Apr 5, 2012

I have a 2801 router. Is there another way to deny access to a specific web site (like youtube, facebook, etc.) without creating ACLs with specified IPs? The router doesn't support URL filtering. I thought of doing something like redirecting traffic to another site: for example, if a client wants to access url.. the browser will open url...


Cisco :: Give Limited Access To A Client Or Deny All?

Jul 5, 2012

Recently a router crashed and some suspicion about the client arose. The point is that now the order is to deny all kinds of router admin access for the client. I was thinking, is this a good idea, or would it be better to give him limited access to the router, to avoid the client trying to access the router at all costs? Something like removing the motivation to crack the router password.


Cisco Switches :: SF-300 Deny Access To From One Port To Other 4 Ports

Jul 20, 2011

I have 5 VLANs. I assigned VLANs to their ports and made them all untagged. I created ACLs and ACE rules for each ACL, and then assigned them to the ports. So what I am trying to do is deny access from one port to the other 4 ports and grant access to any other ports. But it is not working: without the last rule "allow any any" it has no access to any ports, and with the last rule it grants access to every port, even to those I denied. The router is in Layer 3 mode, and all VLANs have their IPs.
 
At some point I was able to make it work properly, but without using any rules: I just tagged my untagged VLANs on those ports which I wanted to get access to. As you can see, I want to allow ports GE1 - GE4 to communicate with ports 1 to 24 but not with each other.


D-Link DIR-655 :: Deny All Access Except Specific IP's To Service

Apr 1, 2013

Is it possible to deny all access except specific IPs to a service on a D-Link DIR-655? Say a web server on port 1234. The allowed IPs are not in a range.


Cisco Wireless :: WLC 4402 - Deny Network Access To Smartphones

Jun 29, 2011

I would like to know if there is some configuration using a WLC 4402 that denies network access to smartphones but not to netbooks and laptops.


Servers :: Deny Access To Server 2008 Allow Internet?

Jan 18, 2011

I set up my law firm network with a Server 2008 database. Now I am renting out one of my offices to a separate lawyer and I want him to be able to use my network to access the internet, but not my Server 2008. Is that possible, or is it already secure given that I haven't installed any of my software on his computer?


How To Protect Shared Folders To Deny Access From Server

Sep 18, 2012

How do I protect shared folders to deny access from the server? I am really in need of software where I can share files on the network but I don't want the system administrator to access those files.


Cisco Routers :: RV-120W / How To Deny User From Access Some Website Through Proxy

Sep 9, 2012

I have blocked some websites in URL Blocking, but users can access the websites which I have blocked through a proxy server. Can I deny users access to proxy servers? There are many proxy servers; I cannot block the proxy servers one by one.


Cisco VPN :: Selected Shell Profile Is Showing Deny Access 5510

May 17, 2012

I have got the below log on the ACS 5.2 when a VPN client user connects to the ASA 5510.
 
Description
Selected Shell Profile is DenyAccess
Resolution Steps
Check whether the Device Administration Authorization Policy rules are correct


Access Control Lists Deny Traffic From Entering Network

Oct 5, 2011

My network topology consists of 3 directly connected routers where the central router contains sensitive data, and I need to block traffic from ENTERING the LAN adjoined to that router. My issue is creating an access list to DENY traffic from entering the network connected to Fa0/1 but ALLOW traffic to exit from that network. I am using one class C network which is subnetted 7 times to provide me with the required LANs.


Cisco Switches :: SG300 - Implement ACL To Permit Or Deny Access Between Vlans And Hosts

Mar 25, 2012

I have an SG300 switch working in layer 3 mode. I configured 3 VLANs on the switch, assigned all ports, gave IP addresses to the VLAN interfaces, etc. Now I want to implement ACLs to permit or deny access between VLANs and hosts. Can I apply an ACL to a whole VLAN (in or out) like on Catalyst models? I mean apply the ACL to the entire VLAN, or is the only way in this model to implement that ACL port by port? Every time I configure a new port to work in a VLAN, do I have to implement the ACL?


Sharing :: Deny Access To Folders On Main Computer Using Admin Accounts

Sep 20, 2012

My home network is all Windows 7 computers (4 total), and all are Ultimate except for my laptop, which is Home Pro. So that's 3 computers with Ultimate and 1 with Home Pro. I have one computer (also Win 7 Ult.) that's my primary computer; the other 2 computers are mostly HTPC computers that I have set up to stream from my main computer. I do know how to set up Homegroups for sharing files, but I could only set it up so that there would be full access to the shares or no access at all. [For simplicity: my primary computer will be PC-1, the 2 HTPCs will be PC-2 and PC-3, and my laptop PC-4.] PC-1 will host all the files I want access to. PC-2 and PC-3 will access my music and videos folders for streaming. PC-4, which is my own personal laptop, will have full access to shared folders that I DO NOT want to be accessible from PC-2 and PC-3. I have tried many and various ways to deny access from PC-2 and PC-3 while PC-4 would be allowed access on my PC-1, but every time it's either all PCs get access or NO access to the shared folders. I also want to keep all my user accounts as admins.


TP-Link Dual-Band Wireless :: WDR4300 - How To Deny Access To Internet For Certain PCs

May 9, 2013

Region : UnitedKingdom
Model : TL-WDR4300
Hardware Version : V1
Firmware Version : 3.13.31 Build 130319 Rel.57876n
ISP : BT Infinity

I have 11 wireless devices connected to the WDR4300. These are PCs, phones, tablets, PS3 etc. All devices have assigned DHCP addresses. I have read lots of FAQs and searched the web, but still cannot figure out a simple way to achieve the following:

I would like some of my devices to have NO access to the Internet from 2200 to 0600.


Cisco VPN :: ASA 5510 Implicit Deny Access Rule Blocking Site-to-Site VPN?

Apr 22, 2012

I've set up a site-to-site VPN on an ASA 5510 using ASDM (as I have many times before) and the tunnel appears to be up, but I am not able to pass traffic. When I run the packet tracer from my inside network to the remote destination network, it shows that it is blocked by the implicit deny ip any any rule on my inside incoming access list.


Cisco WAN :: 3750 - New VLAN 220 Not Working?

Aug 15, 2011

I am creating a new VLAN; what have I missed in the setup / configuration? I have multiple Cisco switches, and the VLAN is configured on a 3750. My attempt was to place the VLAN on one port (as a concept) and work from there, so it is on 2-02 of my main Cisco stack. The new VLAN is 220 - Printer. My present IP scope is 192.168.200.x, which is running out of addresses, so I am trying to add 192.168.220.x on VLAN 220 to relieve some pressure. The most I can do is ping the VLAN IP, 192.168.220.1, and that resolves, but if I attach a networked device with a 192.168.220.x address I cannot get there.

Here is the switch info...
 
version 12.2
parser config cache interface
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption

[code]....


Cisco :: 3750 - How To Make Interface VLan

Mar 19, 2012

I have a Linksys modem which is already working for different VLANs. Then for the lab we took another switch, a 3750, and created different VLANs. The VLANs are working fine, but we need internet for the different VLANs through that Linksys modem. How can we make interface Vlan1?

interface Vlan1
 ip address 10.1.1.10 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.1.1
!
interface Vlan10
 ip address 10.1.2.1 255.255.255.0
 no ip route-cache
!
interface Vlan20
 ip address 10.1.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
ip dhcp pool vlan10
 network 10.1.2.0 255.255.255.0
 default-router 10.1.2.1
 dns-server 10.1.1.1
!
ip dhcp pool vlan20
 network 10.1.3.0 255.255.255.0
 default-router 10.1.3.1
 dns-server 10.1.1.1


Cisco Firewall :: ASA VLan Trunking To 3750?

Oct 24, 2011

I have a rather large network with multiple VLANs and routing. Here's the layout:
 
5540 subinterface = gi0/2.18 = 10.16.18.1/24 TRUNKED to a 2960
2960 has an interface set to VLAN 18 (no IP) goes to a Cisco 4507 with an int. set to VLAN 18 (no IP)
4507 then has a trunk to a Cisco 7206
7206 then trunks to a Cisco 3845
3845 trunks to a 3750 (single)
3750 (single) trunks to a 3750 Stack
3750 Stack has int. set to VLAN 18 that goes to a 3750(lab) w/ int set to VLAN 18 w/ IP 10.16.18.251/24, VLAN502 = 10.202.255.1/30,
VLAN510 = 10.203.255.1/30
3750(lab) then has a trunk that connects to ASA 5510 w/ subinterfaces:  e0/1.18 = 10.16.18.253/24, e0/1.510 = 10.203.255.2/30, e0/1.502 = 10.202.255.2/30
ASA5510 then goes to Internet
 
All trunks are set to allow all VLANs. From the 2960 to the 3750 stack it's obviously all Layer 2 with trunking.
 
Issue: If I sit at the 5540, I can ping 10.16.18.251 and .253 with no problems. I can also ping 10.203.255.1 with no problems. The problem is that I cannot get to the other subinterfaces on the 5510 for VLANs 502 and 510. How do I ensure that my trunk is set up right? I have a route in the 5540 pointing to 10.203 and 10.202 via the 10.16.18.251 address. It seems like a traceroute gets to the 10.16.18.251 address but then it stops. What route should be on the 5510 to make sure traffic gets back? The default route on the 5510 points to the Outside. I think it's something to do with the trunk that I just don't understand yet.

5510:
show int ip bri:
Ethernet0/1.18             10.16.18.253   YES manual up                    up
Ethernet0/1.502            10.202.255.2   YES manual up                    up
Ethernet0/1.510            10.203.255.2   YES manual up                    up

[code]....


Cisco WAN :: Configuring 3750-x Port For Multi Vlan?

May 4, 2012

Scenario: I have a VM server with four virtual servers, all configured in different subnets. What's the best way to configure a 3750-X switch to route traffic from the virtual servers to their VLANs?


Cisco WAN :: 3750 Vlan Creation Error Message

Feb 7, 2011

I have a Cisco switch, model WS-C3750G-12S-D. It is in transparent mode. I am getting the below error message when I try to create a new VLAN.
 
Proposed configuration exceeds the limit of 1005 VLANs that can be supported on this platform. Reduce the number of VLANs proposed to be within this limit.
 
After deleting a few unnecessary VLANs, it allowed me to create it.
 
3750#sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 959
VTP Operating Mode              : Transparent
VTP Domain Name                 : 
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xBC 0xA7 0xEC 0xDE 0x36 0x6C 0x61 0xB4 
Configuration last modified by 97.193.17.172 at 0-0-00 00:00:00
 
I am confused by the terms 'maximum supported VLANs' and 'maximum locally supported VLANs'. If the switch supports VLANs 1-4094, it should also allow me to create them locally. Otherwise, how will they pass through the switch trunks without local creation?


Cisco Firewall :: ASA 5510 And 3750 VLAN Routing?

Dec 14, 2011

I am working on the exact same configuration as noted here [URL], which uses subinterfaces on the ASA. I have two interfaces on my stacked 3750s configured as trunk ports (primary ASA on the primary 3750 stack member, secondary ASA on the secondary 3750 stack member).
 
My question is what the DG should be configured as on the 3750. Can I keep the 3750 in L2, or will I have to enable L3 routing? Should the VLAN interfaces be configured?
 
The port that the ASA is configured with has 3 subinterfaces on VLAN 100, 200, and 300.
  
The subinterfaces are G0/2.100, G0/2.200, and G0/2.300. I am in the middle of converting from 3 separate DMZ switches, each attached to their own port on the ASA, which is their default gateway, to one physical port on the ASA broken into 3 subinterfaces which then connect to the stacked 3750s. The stack will then have the 3 separate DMZs in actual separate VLANs.
 
My goal is to leave the default gateway for each DMZ on the ASA so I don't have to modify other areas of the ASA config.


Cisco Firewall :: 3750 - VLAN 200 Next Hop For Local Networks

Dec 18, 2011

Let's say I have the following topology.
 
DataCenter<---Etherchannel(2)-->BuildingB<---Etherchannel(2)--->BuildingA
 
There are 3 stacks of 3750s at each building. The core switch/router in our network is at location B. The way it was originally set up is that every L3 device has an IP address for each LAN. So let's say we have VLAN 200 with network 192.168.200.0/24. The DataCenter would be assigned 192.168.200.3, Building B would be assigned 192.168.200.1, and Building A would be assigned 192.168.200.2. I'm configuring the DC and BA to be L2 only and Building B to be the only real router in the network besides a few ASAs. When I ran a 'no ip address' on the VLAN interface on Building A, the internet connectivity for 192.168.200.0 died, but local connectivity was fine. After doing some research and troubleshooting, I found out that if I set the next hop on the ASA for the local networks to an IP address on Building B, everything works perfectly.
 
The way the routes on the ASA are set up for local networks is as follows.

All local networks have ip route localnetwork mask x.110.215.17. This address is the IP address of the inside interface on the ASA. Now, when I kill the IP address on the VLAN interface on Building A, internet connectivity goes down while the next hop is still pointed to this address, BUT if I give it a next hop of the VLAN interface IP address on B, everything works fine. Now, I can easily fix this; I was just wondering why this is happening?


Cisco Switching/Routing :: 3750 - Only Allow Specific Traffic To VLAN

Oct 10, 2012

I have a quick question regarding inter-VLAN routing on a 3750. Overview of the network is ISP --> ASA --> 3750 (acting as my core and default GW). I have 5 VLAN interfaces on my 3750, all with 192.192.x.x subnets, a 6th with 192.168.100.x, and a 7th with 192.168.200.x. I have enabled "ip routing" on the switch and can successfully ping from subnet A to subnet B as long as both devices are using the correct DG for their VLAN, which is the switch. I have a few ports that are trunked as well that go to ESX hosts, which break out the VLANs according to the subnet the VM should be attached to. The ASA is set to NAT internal traffic for all the VLANs.
 
Now my question: short of applying an ACL to each VLAN interface to block traffic from the other 192.192.x.x subnets, is there a better way to accomplish this? I want my 192.168.10.x subnet to be able to reach all the subnets, but don't want 192.192.10.x to be able to talk to 192.192.20.x, for example. I was thinking of creating an ACL like this:
 
access-list 120 permit ip 192.192.10.0 0.0.0.255
access-list 120 deny ip 192.192.0.0 0.0.255.255 192.192.10.0 0.0.0.255
access-list 120 permit ip any 192.168.100.0 0.0.0.255 192.192.10.0 0.0.0.255
 
and then applying it to the interface for the appropriate VLAN.


Cisco Switching/Routing :: 3750 MAC Table Missing For One VLAN

Jan 18, 2012

I have one VLAN on a 3750 where I do not see any MAC addresses even though it is in use. This is an unrouted VLAN between a WLC on a port-channel/LAG and an access port to an ASA for guest traffic. When I do a show mac address-table I get nothing for VLAN 60 (guest DMZ), but all other VLANs seem to be OK. Spanning tree is not showing TC counters incrementing either.
 
I was also told that when a port was put on this VLAN, the laptop did not get a DHCP address from the ASA, but the wireless guest clients are working fine. I can see the DHCP leases and ARP entries in the ASA and the ASA ARP entry in the WLC, so some traffic is passing fine. I'm not onsite right now, so troubleshooting is all remote, which limits some options.
