Cisco Firewall :: Multicast LAN With ASA 3750 And IP BASE LAN Internal Router

Jun 7, 2011

I have a LAN with multiple VLANs connected through a Catalyst 3750 with the IP Base image. In IP Base the router only supports PIM stub multicast (no PIM multicast routing), but I have an ASA connected to the internal router and to the internet router. The ASA supports PIM multicast routing and can act as PIM RP. With this configuration, is there a way to configure an internal multicast network? That is, a multicast server in one internal VLAN (VLAN 1) and multicast clients in VLAN 2, with both VLANs connected to the C3750 router.

View 3 Replies



Cisco Firewall :: ASA5505 With Base License - Access From Dmz To Internal

Dec 18, 2011

We have a Cisco ASA5505 with a Base license and 3 interfaces configured: Internal 192.168.1.1/24, DMZ 172.16.0.1/24, Outside 20.20.20.20/24. The DMZ is configured to allow traffic to pass to the outside interface only (the Base license allows traffic to only one interface) in order to let clients on this network browse the internet. On the outside interface there's a NAT configuration that lets port 443 be natted to an internal server. Is it possible to let the clients in the DMZ access the internal server on port 443 from the outside interface?

View 3 Replies View Related

Cisco WAN :: Multicast Routing Between Vrf (Cat 3750) - Multicast Vpn Extranet?

Feb 19, 2013

I am trying to pass multicast traffic between two VRFs on the same 3750 switch. I have the IP Services IOS and sdm template routing.

Here is my config:
 
ip routing
!
ip vrf vpn2
rd 1:1
mdt default 232.1.1.1
route-target export 1:1
route-target import 1:1

[code]....
 
Now I'm stuck - I don't know what to do to pass multicast traffic. Do I have any chance to run this config on a 3750 chassis? Perhaps the "Configuring Multicast VPN Extranet Support" document will be useful, but it concerns the Catalyst 6500? [URL]

View 0 Replies View Related

Cisco Switching/Routing :: 3750 LAN To IP Base - Licensing Implications

Oct 29, 2012

I upgraded an image on a 3750 from LAN Base to IP Base and it worked fine. However, I'm just wondering if there are any licensing implications. I did the upgrade a few weeks ago; would the switches still work on a temp license somehow?

View 2 Replies View Related

Cisco Switching/Routing :: 3750 Changing IOS From IP Base To Services

Feb 25, 2012

I have a 3750 switch and need to activate ipservices on it. It needs a license file to switch from ipbase to ipservices. If I install the ipservices image from the Cisco site, do I still need an activation key to use it?

View 7 Replies View Related

Cisco Switching/Routing :: 3750 - LAN Base License Limitations

Mar 3, 2013

I am bringing up a 3750x and a 2911 to replace a 3745 router with a switchport module. I was planning on moving all the VLAN interfaces off the 3745 onto the 3750x and turning up EIGRP. I discovered the 3750 has the LAN Base license, so I can't run EIGRP off of it. My question or worry now is, will the LAN Base license prevent the switch from doing interface VLAN routing between the different VLANs configured on it, or will I have to keep all the VLAN interfaces on the new router and just have a router-on-a-stick setup?

View 4 Replies View Related

Cisco WAN :: Double Multicast On 3750

Jun 23, 2011

Facing a problem of double multicast on one of our Cisco 3750 switches. On checking with a sniffer it was found that, of the double packets, one packet has the source MAC address of the VLAN and the other packet has the source MAC address of the switch base MAC address.

View 3 Replies View Related

Cisco Switching/Routing :: NTP Multicast On 3750?

Dec 10, 2012

I have a subnet with a GPS clock on it that connects into a Cisco 3750. The 3750 has another subnet hanging off of it that connects into a firewall then to a server. I need the server to get time from the GPS clock. Any way to pass the NTP through the 3750? The 3750 has the 3750-IPBase code running on it so the multicast support is limited. I am under regulatory restrictions that only allow traffic to flow from the higher security level (where the time server is) to the lower security level (where the server is). This prevents me from having the server go to the clock for updates.

View 1 Replies View Related

Cisco Switching/Routing :: 3750-X OOB Management With IP Base And Routed Access Layer

Aug 14, 2012

I've got a bunch of 3750-X switches all running IP Base and acting as a routed access layer. They run OSPF in a totally stubby area with the distribution layer (Nexus 7K) as the ABR. We also have a physically separate management network into which the fa0 management interface of the 3750-X is connected. The management network itself runs OSPF and has multiple subnets and external access.
 
On the 3750-X, I'd ideally like to be able to run some sort of separate OSPF process for the management network or at the very least have a static default route for management traffic pointing out the fa0 interface, but clearly not have it interfere with the main default route for data traffic coming from the N7K ABR. Normally I'd just create a management VRF, sling the fa0 interface into it and run a separate OSPF process in that VRF. The problem is you can't create VRFs in IP Base! Surely there must be a way to do this? Cisco don't really expect customers to upgrade to IP Services just to have a working OOB Management network, do they?!

View 4 Replies View Related

Cisco Switching/Routing :: Multicast Setup On WS-3750-X

May 12, 2013

I've been handed a requirement to try and get a multicast server working on my setup. Trouble is, I don't know if I can with the feature set I have on my switches. What is desired is that a multicast server (stand alone, but network connected, obviously) be accessible by everyone on the local network (multiple VLANs, multiple SVIs) in the building.

All users will be connected to the one switch stack, although some will want to be wireless (which is one of the separate VLANs) - I don't care if the wireless requirement goes by the wayside - they can sod off. :-) The main purpose will be multicast, high quality video.
 
I have a single switch stack consisting of two (soon to be 3) WS-C3750X-48P switches running the IP BASE feature set.
 
Question - can I do this on IP BASE, or do I need to upgrade to IP SERVICES?
 
If I can do it on IP BASE, does anyone have any links/pointers to setup this properly? Currently installed IOS is 12.2(58)SE2.

View 3 Replies View Related

Cisco Switching/Routing :: Multicast On LAN Doesn't Work - 3750

Apr 16, 2013

I have PC_A and PC_B connected to the same switch, and they are put in the same VLAN. PC_A is the master (source) and PC_B is the destination (client). IGMP snooping is enabled by default.

Is there any reason why this should fail? There is no RP or any interface with PIM enabled. It's a flat network with a source and client in the same VLAN...
 
IH-3750-LOADTEST-101#show ip igmp snooping vlan 724
Global IGMP Snooping configuration:
-------------------------------------------
IGMP snooping              : Enabled

[Code].....

View 19 Replies View Related

Cisco Wireless :: WLC 2504 / 3750 - Multicast Stub And Apple TV

Dec 17, 2012

We are experiencing some issues with the Apple TV and WLC. We currently have an Apple TV and iPhone on the same subnet connecting via a Lightweight AP (different subnet) which connects to a Cisco 3750 running IP Base. This connects to WAN routers managed by a third party over a WAN and connects to far-end managed routers; these connect to other Cisco 3750s running IP Base and on to a 2504 Wireless LAN Controller. We have used the following document for WLC configuration: [URL]

We turn on Multicast globally, with IGMP snooping enabled, also enable Multicast Multicast under the controller (only option available on 2504) and give the device the multicast address 239.21.1.150. The P2P blocking action is disabled. Going to Monitor Multicast we can see the Report for 224.0.0.251 and MGID. However, the issue is that at the Sender Receiver side the iPhone cannot see the AirPlay on the iPhone that should be seen if the end-to-end stream is working. My focus is now on the Cisco 3750s, although I do not totally understand why the device needs Multicast enabled, as the Multicast Join and Group Traffic is encapsulated in the CAPWAP tunnel, is it not? Anyway, I have enabled the only option "ip multicast routing distributed", and under the VLANs that connect to the WLC and AP the only option available is "ip pim passive"; there is no "ip pim sparse-dense mode".

I am sure the WLC is configured correctly, but I suspect that this will not work due to the IP Base image on the 3750s not being able to run full multicast, or we need to use unicast for this solution, which the 2504 does not support.

View 5 Replies View Related

Cisco Firewall :: ASA5520 - Stub Multicast Router On ASA

May 28, 2008

I'm swapping out a PIX, IOS 6.3, with an ASA 5520 v8. The PIX has the following 2 commands in its config:
 
multicast interface outside
multicast interface inside
 
These commands do not exist on the ASA. I do not wish to enable multicast routing. What commands on the ASA are equivalent to the multicast commands on the PIX?

View 2 Replies View Related

Cisco Switching/Routing :: Configuration Multicast Packet Forwarding On 3750?

Mar 3, 2013

I have one server which runs some application for wireless users. This server forwards multicast packets to wireless users. The server and WLC are physically connected to a Cisco 3750 switch. I want the server to forward the multicast packets to wireless users. The server is in access VLAN 4. The WLC controller has 2 VLANs: 90 and 110, and some wireless users are in VLAN 90 and some in VLAN 110. I enabled IGMP snooping on the wireless controller and enabled the global command below, but it is not working. Which additional configuration do I need on the Cisco switch?
 
Switch(config)# ip igmp snooping

View 16 Replies View Related

Cisco Switching/Routing :: 3750 - Transition From Multicast Dense To Sparse Mode

Jun 19, 2012

A multisite network is currently supporting multicast using PIM dense mode, which is enabled on router/switch LAN and WAN interfaces across all locations. I am about to introduce Nexus switches to the main LAN. How can I make dense and sparse mode coexist to ensure flow of multicast traffic between devices supporting dense and sparse mode? Eventually, I want to transition to the sparse mode; however, it has to be done gradually, even within a single site. The legacy equipment includes Cat 3750 and 4500s.

View 2 Replies View Related

Cisco Switching/Routing :: Feature Set LAN Base / Lite (2960) And LAN / IP Base (3650X)?

Mar 28, 2012

1) For 3650X I found some contradiction in the Q&A about feature set LAN Base vs IP Base:

LAN Base: Can I do static IP routing?
LAN Base: SVI => is this for inter-VLAN routing?

2) For 2960, there are 2 flavors (LAN Lite and LAN Base). Q: Can I do static routing on one of these flavors?

View 2 Replies View Related

Cisco Switching/Routing :: Downgrade 3750X With IP Base To LAN Base For Stacking

May 6, 2012

I have a WS-C3750X-12S-S (IP Services) that I THINK I'd like to downgrade to LAN Base so I can stack it with a WS-C3750X-48T-L that is already LAN Base.

View 4 Replies View Related

Cisco Switching/Routing :: 2960 Switch LAN Base To IP Base

Nov 14, 2011

Can we upgrade a 2960 switch from LAN Base IOS to IP Base?

View 4 Replies View Related

Cisco Firewall :: Zone Base Firewall NAT On 881

Apr 24, 2013

I am trying to understand zone-based firewalls. I attempted to make the IP address 10.2.22.231 available to the outside world using ports 80 and 443 on the external interface (4) public IP address. I can see hits on the access list and NAT entries but it's not getting through.
 
Here is the config.
crypto pki trustpoint TP-self-signed
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
[code].....

View 3 Replies View Related

Cisco Firewall :: 8023 / External Access To Internal Router Via ASA

Dec 31, 2012

I am aware that we can allow external admins to telnet over a custom port to the internal router. I was even allowed to connect to a remote router via the remote firewall. The way I was accessing the router was by telnet to the remote ASA address on port 8023. I am not sure how exactly we can configure this on an ASA.

View 2 Replies View Related

Cisco Switching/Routing :: 3750 Remove Internal Fan To Make Switch More Silent

Jan 21, 2013

Any example, tested on 3750-24/48TS and 3750G-24TS, of removing the fan to make the switch more silent? I'm not interested in replies telling me that it is risky; I'm interested to know how the switch is acting. Has it shut down at overheating? I will use the switches only for my CCIE studies, a couple of hours per day, no heavy load.

I tested with 2950 switches and there were absolutely no problems; the devices were even in production.

View 1 Replies View Related

Cisco Firewall :: 5505 Configure Internal Router And DNS Server - No Internet

Dec 23, 2011

Currently I have an ASA set up as a firewall with 1 outside interface and 2 inside interfaces. Initially, the Guest interface was set up to receive DHCP from the ASA and everything was working. I'm adding a router and a server for the guest interface and what I'm trying to accomplish now is the following: ASA 5505 > Airport Extreme with a public static IP (69.xx.xx.6), handling DHCP and NAT > Mac Server as DNS Server. Right now, when I connect to my Airport Extreme with any computer, I don't have internet. I don't understand what's wrong. My DNS Server has a reserved IP address: 192.168.226.2 and it's pointing to itself and forwarding the ISP DNS servers, the Airport Extreme is handling the DNS Server IP and the ISP DNS Server IP but I can't connect to the internet from the server. [code]

View 31 Replies View Related

Cisco Firewall :: 2821 Internet Edge Router From Internal Network

May 8, 2013

What is the best way to monitor an Internet Edge router from the internal network behind the firewall? We want to pull more information from the edge router, like NetFlow. We can use SNMPv3 and ACLs to keep the router secure.

But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults. I am running an ASA and a 2821.

View 2 Replies View Related

7800N Router Firewall Log Shows Attacks From Unused Internal IPs

Feb 23, 2012

I was just checking my router's firewall log and I noticed a couple of entries which appear somewhat suspicious, amongst all the 'normal' background radiation of (mainly) Russian and Chinese IPs: [code] The source IP for these 'attacks' is/was unused on my internal network.

My router is a Billion BiPAC 7800N running 1.06e firmware. There are a number of devices permanently connected to the internal network and a number which are connected at other times (e.g. desktops, laptops, mobile/cell phones, games consoles). Some are wired, some are wireless. Some have static IPs (none of which are listed in the above 'attacks'), some have dynamic IPs (assigned by DHCP by the router in a range not listed above). The WiFi is secured with a strong key on WPA/WPA2-PSK, AES (no WPS). Web Access Control for the router is disabled. Block WAN PING (and Block WAN (IPv6) PING) are both enabled.

View 2 Replies View Related

Cisco Firewall :: 5510 CSC Base License

Jan 27, 2013

We have purchased an ASA 5510 with CSC module. Unfortunately, the white envelope with the PAK for activating a Base License was lost before we managed to register it.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 With Base License That Uses 3 VLAN

Jul 17, 2012

I am working on an ASA 5505 with Base License that uses 3 VLANs.
 
-My VLAN 1 is for used for my home network.
-VLAN 2 is connected to the public Internet and my IP gets assigned by ISP dynamically.
-VLAN 3 is DMZ where I will have few VM's that would need access to and from the Internet.
 
I am looking to work with following:

1) 172.16.0.2 that sits on DMZ will need to access public Internet over port 80
2) Permit access from the Internet over port 3389 to 172.16.0.2
3) Permit any host on private VLAN (192.168.0.0 network) to access 172.16.0.2 over the port 3389
4) Permit second VM on the DMZ VLAN let say 172.16.0.3 to access public Internet on all ports. Access in to this host is not permitted.
5) For some reason DHCP hosts are NOT getting the DNS (8.8.8.8) entry when an IP gets assigned or renewed. I have the statements below but they are not working.

Also, if ACL rules for VoIP are written correctly. The goal is to permit these ports (SIP related) to access the VoIP router. [code]

View 1 Replies View Related

Cisco Firewall :: Adding A DMZ On ASA 5505 With Base License

Dec 28, 2011

I'm trying to set up a DMZ for a guest wireless off of a 5505. So this device has a Base license. It has VLAN 1 and VLAN 2 for inside and outside. Another VLAN is configured to be a failover for the currently active WAN connection. It is using the "no forward interface" command. Can I add another VLAN as a DMZ if I use the "no forward interface" command? [code]

View 6 Replies View Related

Cisco Firewall :: Configuring ASA 5505 With Base License

May 11, 2011

I have an ASA 5505 with a Base license. I configured NATing and VPN (site to site). All are working fine. My ASA has a Base license so I created 2 VLANs, one inside and one outside. Inside I am using 10.91.40.0/24 series IP addresses. Below are the new requirements that I need to configure:

1. The first 30 IP addresses only need internet directly (Servers and Management).

2. If the remaining IPs want to use the web, then traffic needs to be forwarded to one proxy server (where he gives user authentication).

View 2 Replies View Related

Cisco Firewall :: ASA 5505 - DMZ Configuration With Base License

May 24, 2011

My ASA 5505 Base license allows for three VLANs; the third one can only initiate traffic to one other VLAN (as specified by no forward interface vlan <number> on the third VLAN). This doesn't mean it can't "access" the other VLAN, it just can't initiate traffic to it. A lot of people get that wrong. Let's say you've got three VLANs: one is OUTSIDE, two is DMZ, and three is INSIDE. On the second VLAN would I enter the no forward interface as vlan 3, then set the name via the nameif command and everything will work just fine. The DMZ will not be able to initiate traffic to the INSIDE, but will to the outside, and assuming you have your ACLs and NAT set up properly, it will be able to respond to traffic from the INSIDE.
 
Would that be best practice or would I enter the "no forward" interface as in VLAN 1, thus is being able to respond to traffic from the outside as opposed to the inside.
 
I had a DMZ set up but since there was an intrusion into my network, I am building it again.

View 2 Replies View Related

Cisco Firewall :: Converting To ASA5520 Rules Base

May 17, 2012

I am just about to start on a project where we are moving from old Cyberguard firewalls to ASA 5520 firewalls. Is there any rule base conversion tool that would be able to do a lot of the basic work? And some of the NAT conversions?

View 1 Replies View Related

Cisco :: MP-BGP (and Not BGP) To Exchange Multicast Prefixes Between Multicast Domains?

Apr 18, 2012

Why do we need MP-BGP (and not BGP) to exchange multicast prefixes between multicast domains?

View 2 Replies View Related

Cisco Firewall :: 5505 Which License Needed To Buy For Normal Base

Sep 22, 2012

I have a couple of 5505's with base licenses. One of the two has a limited output when running the sho version command, as it has a restricted license. What license I would need to buy in order to bring it up to "normal" base license ?

View 1 Replies View Related

Cisco Firewall :: How To Block ARES With ASA 5505 Base License

Sep 1, 2011

Well, I tried using the Cisco configuration for ASA 5505 for blocking P2P: url... but this configuration is only useful with programs like Kazaa, so I tried this configuration to block ARES, but the problem is that ARES tries to make downloads from different ports. How do I block ARES if there are several ports?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved