We have the next Settings in our SW. We crate an ACL and aplied to a SVI for Incomming Traffic, I understand that is not necesasry to allow the returning traffic in ACL, but we can't access to rdp for example when we add the ACL, if we remove it, the acces is ok, buet when we add again the access is deny, even we have a log entry, and the ACL i just for Incomming traffic. There is no another ACL.
I have set up an ACL on my 3750 switch to deny icmp from PC A on our inside network to PC B on a different VLAN on our inside network using the following ACLs:
These ACLs belong to an access-list that also limits ip traffic to a few specific machines.When I try pinging from PC A I receive a reply message back from PC B. Shouldn't this configuration block any ICMP from PC A to PC B and from PC B to PC A? I would have expected the first ACL statement to block any packets associated with ICMP and when that didn't work I tried the second configuration.
We have a data center with servers set up for different projects, some servers from partner companies and several small LANs. The traffic between all those needs to be controlled and firewalled. The servers and LANs are divided into different subnets and VLANs. Physically, their traffic is aggregated on a couple of 4506 and then sent to a FreeBSD server, where the logical gateways are set up and traffic is filtered between them.The BSD server is dying and having it there is incorrect in the first place, so we are planning to replace it with two ASA (5520) in failover.The question that arises is how to correctly implement firewalling between VLANs. Originally we thought to set up the firewalls in transparent mode and logically terminate VLANs on a stack of 3750 switches behind them, but would that filter the traffic between the VLANs? Then we thought to perhaps terminate the VLANs on the ASAs, use routing mode, and do filtering there, as well. Or should we implement multiple contexts? We have about 20 VLANs and all of them differ in rules of what should go there. None of this can be concidered an "inside" - trusted - zone, nor "outside". Internet and external links are connected and filtered in a different place.
Unable to limit traffic on catalyst 3750 gigabit ports it has fiber modules,
I want to limit traffic 2mb per port
I have tried srr-queue and policier but it is not working and there is no ratelimit command under any interface, Applying policy to output is not supported of the interface
policy-map rate-limit class class-default police 2000000 8000 exceed-action drop int gi1/0/3 service-policy input rate-limit
I have catalyst 3750 I want to controle traffics on every port I have tried Frame-Relay Traffice shaping and Quality of service but there is no support for these commands in the switch.do we have any way to limit traffic on every port in catalyst 3750 and 2960 switches ?
is there a cisco command to check the list of incoming vlans on a catalyst 4640 or at least that will give you the same output?we're having an issue with an ethernet circuit, links are up but ping won't go through(no ACLs) and I want to see if the vlan tag from the the other side(side B) is properly reaching side A.
I would like to block incoming traffic from a specific ip on a specific port
This is what I have
source: interface: wan ip address range: 5.xxx.xxx.226 - second one is empty (valid ip instead of x's) protocol: tcp
dest: interface: lan ip address range: both fields empty port range: 139 - empty field
ON and DENY box is ticked name field has some text in it
I click save and get this pop-up: Incorrect source ip address. Invalid format of the start IP address. Current Firmware Version : 2.11 The ip is obviously valid, what should I do?
I was reading the documentation of the Catalyst 4500-X for creating VSS and MEC (multichassis etherchannel).In the VSS specific part, it's written"Cisco Release IOS XE 3.4.0SG does not support Layer 3 MEC".
Can I still use VlanX interfaces ad route through them?In my setup I only have IP addresses assigned to vlanX interfaces (with some VRF-lite magic)[code] Does that sentence only mean that I can't have IP assigned directly to the MEC?
I'm new to ASA's and PIX units. I've setup a few VPN's now but know next to nothing about logging on these units. I read the config guide for the PIX, but cannot figure out how to get a log of incoming SMTP traffic going on the console.Do I need to use a SYSLOG server? I can probably set one up on my laptop.
I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. What I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network. [code]
I was configure 3 interface on ASA1st - managemetn (only for management)2nd - gig0/0 is connected to internet with real IP3rd - gig0/1 is connected to local networkI was configure routed NAT to internet.But I have problem with restriction incomming traffic to inside interface (ifname is inside)but I can connect to ip address of inside interface from other ip. It is wrong and i can't understand where is my mistake.
I have a licensing server. Other computers need to turn on a program, they send a message to the licensing server, and it responds that they have permission to run.Until today the licensing server was plugged into its own ethernet wall socket and configured with a static IP address. Today I put a router into that wall socket and now the server's plugged into the router.The router (WRT-54G) was set to the static IP - and now the internet on its network works. I set all ports to be forwarded to the server's internal IP address - and now my programs can detect and ping it. But now the server won't send back permissions to use licensed software, or even reply with a list of the software which it can license.
We have a switch gc2960. It has ports configured on vlan 27 and vlan 29.It is connected to switch ch3550. It has presence of vlan 27 vlan 29 and also vlan 18 and several other vlans.Our internet firewall is connected to ch3550. It is a fortinet product, so this is not indicated on the diagram.
When the two switches were connected on vlan 29 access ports, pc's on vlan 29 on gc2960 worked as expected. vlan 27 clients of course did not work.When we switched the connecting ports to trunk ports, some weird stuff happened. Clients on gc2960 on vlan 29 could ping and resolve dns, but not browse the intenet. The same was true for clients on gc2960 vlan 27. We verified that packets from the web were coming in through the firewall. What we were thinking, is that they somehow were not being tagged to vlan 29 even though we were trunking.
When we set native vlan 29 on the trunk, then clients on gc2960 vlan 29 operated as expected. However, clients on gc2960 vlan 27 are still having this problem, we can ping and resolve dns but not browse.Consider the other switch ch2960-jstreet which has presence of vlan 18 and vlan 27. It is also connected on trunk to ch3550. We are not using native vlan on this trunk, and traffic works as expected.Is the lack of presence of vlan 18 a factor as to why gc2960 is not receiving the tagged packets correctly? Should the interface vlan18 on gc2960 have an ip address on the vlan 18 network?
We have Cisco ASA 5505, 90.x.y.2/29 IP is assigned to outside interface. We have one internal HTTP server so that I use static (inside,outside) tcp interface [URL] to forward all incoming HTTP traffic to internal HTTP server 1. Now we need to add new physical HTTP server 2 so that I would like to forward
HTTP traffic to e.g. 90.x.y.3/29 to 172.16.0.11.
How can I do that? See scenario image (scenario.png) if needed.
I need to block incoming traffic with Dlink DIR 600. I know how to create the rule source (WAN) to destination (LAN) to deny all protocols. But what IP will I put in WAN? IP address of my Internet? Or how can I enter the ALL IP range in source...format for the IP (it's not 0.0.0.0).
I want to do this because in the DIR log section I'm being PING Flooded. I already un-check "Enable WAN Ping Response" but still receiving the message.
Since the power failure two days ago, my -ASA stops forwarding traffic to internal servers, for no apparent reason. Packet trace shows all OK, packet capture buffer stays empty when I try to http into the mail server. The only way to get it working is to change the Outside Ip to the one used for mail, then to change it back. It will work OK for a few hours, then stop, with nothing obvious in the logs.
We have a Cisco ASA 5520 and im looking for a way to monitor largest outgoing and incoming traffic per ip in real time so to know which of my internal computers are using the most of our Internet Line. Is there a way to this through ADSM ? We use version 6.3.
My core switch is a 6509-e and my IDF closets have 3750's.I have a couple of vlans currently setup, that can communicate with each other.VTP is setup Client/Server where as my core is Server, all IDF's are Client.
What i'm trying to do is create an isolated VLAN. I want to setup a DHCP scope and use helper address. When i plug in a client to that VLAN, i want it to get an IP, but not have any other network access.
Is this possible to do without switching to Transparent mode? If not - what reprocussions will i see by switching to transparent mode?
The manual states how to create an inbound traffic policy but if you follow the directions there is no place to select inbound traffic.From the manual: To Create an Inbound Traffic Policy1. Enter a Policy Name in the field provided. SelectInbound Traffic as the Policy Type.2. Enter the IP Address from which you want to block.Select the Protocol: TCP, UDP, or Both. Enter the portnumber or select Any. Enter the IP Address to whichyou want to block.3. Select Deny or Allow as appropriate.4. By selecting the appropriate setting next to Days andTime, choose when the Inbound Traffic will be filtered.5. Lastly, click the Save Settings button to activate thepolicy.When finished making your changes on this tab, click theSave Settings button to save these changes, or click theCancel Changes button to undo your changes.I want to filter out a range of ip addresses from trying to connect to my network.
I am trying to come up with the best way to traffic shape traffic with 3750 Me switches. the traffic will be coming from a 6504 Sup-7203b downstream and going out the wan. Core---L3---->6504--intvlan80--trunkport to--->3750Me---g/1/1/1-trunkport to---MetroE network--->int f0/0.80--branch router. The idea is to use the 3750 to traffic shape the traffic going towards the wan/branch to 500 to match the contracted rate and then to use qos on shaped rate. I tried to apply it to g1/1/1 using port based policies but it did not shape the traffic. I changed everything to IP interfaces and it worked. I need to break up the metroe into different vlans so I can bring branch offices in on different vlans.c
i have few catalyst switches (2960, 3750) and i can't upload to them any files by tftp from my laptop, but i can download from them, and this bug don't appears on two routers.I was change tftp server, type of connection (wifi, cable), turn off firewall on win7, but no dice.
I have a Catalyst 4006 with Supervisor II engine. I have 48 port 10/100/1000 blades installed in it for connection to my servers. I am having a lot of problems with performance when connecting servers that are using 100 MB NICs. The speed of the connection is really bad. I have attempted setting the ports and NICs to 100MB Full duplex instead of auto-detect, but still get the same results.
I also have a 10/100 quad-port card installed in a NetApp filer. All four ports are trunked together and connect to 4 ports in the Catalyst. The ports in the Catalyst are trunked using the Port Channel feature of the CatOS. When I look at the port statistics on 3 of the 4 ports from the quad-card, there are a ton of runts and errors (both transmit and receive). The 4th port is fine, no errors.
I need to configure on a cisco catalyst 6509 two VACL. On cisco 6509 there are already two SPAN ports configured, there are problems configuring other two VACL?
These VACLs send traffic to a Traffic Analyzer (SIEM), there are particular configurations to facilitate the operation?
IGMP Snooping configuration for Multicasting on Cisco Catalyst 3020
Our switch model is "Cisco Catalyst Blade Switch 3020 for HP" We are building HA (High Availability) Databases infrastructure. Currently, there are two nodes(hosts- servers) and two above switch for HA.
Oracle said we need to turn off the IGMP Snooping in order to use the multicasting for their interconnect communication. So my question is:
Q1> Is there any way to use Multicasting without turning off IGMP Snooping on Switch side?
Q2> If 'yes', how can we configure the switch for Multicasting ?
Oracle uses 230.0.1.0 & 224.0.0.251 IPs with 42000 range port for Multicasting communication.
I have several 2960s and 3750s and two 6506 (ws-cac-3000w) recently move to new location The power outlet is the same ,but Volt is different current 2960/3750 use this(one phase 3 wire) 220v and new location change to (from 3 phase 4 wire -> one phase 220v)6506 current using(one phase 3 wire) and will be change to (from 3 phase 4 wire -> one phase 220v)
I had search doc about power supply /cable , only show support single phase 220 v ,but not description vlot between each wire !!Does new location power outlet suit for 2960/3750s power and 6500 ws-cac-3000w ?!? Do I need chane power outlet back to current using?
