I am trying to use deny mac acl in the 4500 series switch runnning cisco IOS but the command seems to be not working.
Here is the command,
mac access-list extended ABC
deny host 0001.8052.25FF any
int f4/11
mac access-group ABC in
Is there anything I am missing or is it a bug.
I'm looking to implement a vlan filter to keep unnecessary stuff off my access-layer. Things like IPv6, IPX etc. I really only want IPv4, ARP and 802.1q on these 4500s. I know on 3750, 3560s etc, when I create the mac access-list, I can do it by ethertype, but on the 4500, I dont have that option.
4th_floor(config)#mac access-list extended Drop-traffic
4th_floor(config-ext-macl)#permit any any ?
protocol-family An Ethernet protocol family
<cr>
4th_floor(config-ext-macl)#permit any any protocol-family ?
appletalk
arp-non-ipv4
decnet
[Code]....
Extended IP access list VLAN20
10 permit tcp any any established
11 permit icmp any any
20 permit tcp any 192.168.20.0 0.0.0.255 eq 80
30 permit tcp any 192.168.20.0 0.0.0.255 eq 443
40 deny ip any any log
[code].....
Above is the network diagram and access list for VLAN 20 and VLAN 30, applied on incoming direction of each valn.But still able to access other port which is not on access list, tried changing the direction with no luck.Inter vlan routing is enabled on CoreSwitch default router is 192.168.10.10
Not sure why the N7K M1 card doesn't take this command. It works on other N7K at different site. [code]
View 1 Replies View RelatedI have a setup using LogMeIn Hamachi and the network type creates a Windows Bridge. I also use the DHCP Reservations List to assign the same IP to specific devices. Well I have the MAC Address for my NIC in the list which works when I am not using the bridge. When using the bridge, of course the MAC address changes and when I try to add it to the list I get the following message in a popup window. The MAC Address is 02:e0:61:05:45:3e I have tried manually entering it, letting the router enter it from the list of computers and just to rule out something stupid, I have tried changing the letters to upper case and removing the colons.
Another issue I can see when this issue is resolved is that I do not believe it will let me add this reservation since I will be using the same IP used by another reservation. My DGL-4500 allowed this if I had the other reservations using the same IP disabled.Below these comments/rants are some feature requests. I have put them last as some of the requests are explained in the comment/rant section.I have read through this list and I have to say that after I purchased the router, which I ordered on-line, I was dreading it, but I have not had issues. It is possible that I am not using features that cause this issue. I believe the issues occur when using certain configurations with the "Enable Advanced DNS Service" enabled. I am not using this service. Since I knew people were having issue s with it, I wanted to see my results leaving that out. I have had this router running since a week before Christmas and I have many Virtual Server entires, QoS and port forwarding entries, https based remote administration, both 5GHz and 2.4GHz networks enabled supporting a/b/g/n(on both networks) and a guest network enabled on both bands all supporting WPA (TKIP and AES). I have 2 Giga wired connections that are always active, a 100Mb connection that is on an off but used almost daily, 2 Laptops that use the 2.4GHz network daily and one is 802.11g 54Mb and the other is 802.11n 150Mb and they are on at the same time almost daily, a printer that is on and used multiple times a week that uses 802.11g and a game system that uses 802.11a this device is used daily. Most devices are on and used at the same time daily and we have a good deal of regular Internet traffic and moderate other network traffic during these times. At night all computers are backed up over the network and most of the other network devices are off or not during this time. Other than having to reboot my Internet hardware provided by my ISP, I have not had issues. The router has been rebooted for config changes and I usually cycle it when I cycle the Internet hardware. Point is, so far no issues, good performance and it works and I have of course had other devices connected using the guest network and I have been testing features, performance, etc.
What's up with having so much variation in how features work across routers?e.g. My DHCP Reservation issue above. This router does not work with a setup like my DGL-4500.This router allows a preset amount of services like QoS and Virtual Server entries while the DGL-4500 just lets you add entries. Now maybe there is a limit and it just looks like there is no limit. Of course, there is at least a limit that is reached when you have used a certain amount of memory with the configuration.so many routers while leaving gaps and the lack of feature explanation and comparison?I switched to this router because I wanted a dual band setup which my DGL-4500 does not provide. That leads to the issue of the new way D-Link deals with dual-band. When I purchased the router it did not list that you had to choose 2.4GHz or 5GHz or it is not simultaneous dual-band. I was duped because I used to install DWL-7100AP for people that needed better wireless options for home businesses and small businesses and that provides simultaneous dual-band and back then if it was dual-band it was simultaneous. But I am disappointed in some of the features lost like WISH support and a few options here and there which do not seem like they are specific to gaming routers and this router is more on the mid range and low high range end of consumer, prosumer, home business and lower traffic small business routers, so why is it missing these features and why does it have the limitations I listed in the "variation in how features work" section above?
Other examples of lack of feature clarity are with Game Fuel, HD FUEL and Intelligent QoS. Isn't Game Fuel Intelligent QoS of some sort. Now from the example provided in the overview for the DGL-4500, Game Fuel optimizes game performance, but it does not say this is automatic or if it works along with the rules you set in the Game Fuel section which is the same as the QoS Engine section in the DIR-825. The difference is that the DIR-825 has a "Enable QoS Engine" option while the DGL-4500 has an "Enable Game Fuel" option. It seems that Intelligent QoS does what Game Fuel does, but expands that to VOIP, Media Streaming, etc. and it may be more automatic. HD Fuel in the only place I have seen it mentioned seems to refer to the combination of Intelligent QoS and the inclusion of 5GHz wireless support. Of course there is no version and feature documentation and in fact while the overview of the DIR-825 talks about gaming with Intelligent QoS, but if you bring up a comparison of routers, the chart has no in the gaming section for the DIR-825. I can't say I have noticed better or worse gaming performance with the DIR-825 compared with the DGL-4500, but given the shear lack of documentation on how to use Game Fuel and Intelligent QoS properly, who knows if I have this setup correctly. I will say the QoS Engine section in the DIR-825 is easier to use than the Game Fuel section in the DGL-4500.
1) The ability to reduce the brightness of the status lights, set them to solid if enabled with brightness options and to set them to off with an option to have some very faint light to show that the router is on. Of course I should be able to set different options to be applied at specific times.
2) Add the applicable features missing from the DIR-825 that are found in the DGL-4500 and applicable features from other routers. Also, get them all so they work the same on each router and let get the best from them all and make that the standard. e.g. In my DHCP reservation example above don't set the standard to the limitations of the DIR-825, but make the DGL-4500 function set or better function set of all routers combined for each feature the standard with-in router categories. e.g. the DIR-825, DGL-4500 and DIR-855 would be in the high end router category for consumer, prosumer, home business and lower traffic small business routers.
3) For DHCP reservations, you should not be limited to the DHCP IP Address Range.
4) On the log-in screen, get a better captcha and fix the tab order.
5) Add a log-out option in the web interface.
6) Allow for a next hop option in the DCHP server section. It would be cool, if there could be a list of IPs allows one to be enabled at a time.
7) Allow different DHCP server settings for each network. There are 5 on the DIR-825. Wired, 2.4GHz regular, 2.4GHz Guest, 5GHz regular and 5GHz Guest. Would be nice if you could set a couple of VLANs on the Ethernet ports and then have different DHCP setings for each VLAN.
For guest wireless networks, allow rules to be set to allow access to certain services on the network. E.g. I may want to allow printing. So allow a single port or multiple ports with easy settings for consecutive port ranges to be opened to an IP, IP range or all IPs and allow all ports for an IP or range of IPs. Of course, leave the allow full access option.
8a) Allow users to set rule sets that can be enabled/disabled like the full access option.
8b) Allow a control that can be set in the rule sets that controls if the wireless devices can talk to each other and another that controls if they can access devices on the wired network and another that controls if the wireless devices can access the Internet.
8c) Allow rules above to be limited to be applied to specific MAC Addresses.
8d) These options would be good to have for the non-guest wireless networks and wired network as well.
I have an 871 setup at home with a fairly basic configuration (NAT, Firewall, EasyVPN, Wireless). What I've noticed is that for traffic going from the WAN interface (FastEthernet4), it seems to be hitting the ACL in place for NAT. My config: [Code] .......
Where 76.22.98.39 is the dynamic IP address from the cable provider. If the traffic isn't passing through the router, why is it trying to NAT it?
IOS Version is 12.4(6)T9
There is a vlan Finance in my office. The requrement : Vlan Finance is allow to access internet and selected host/network and not allow to access internal network. But from internal network can access to Vlan Finance (Full access). I want to configure using Reflexive ACL, but from Datasheet 4500 doesn't support Reflexive ACL. Intervlan routing is in 4500. Is there any ACL configuration to support my requirement without using Reflexive ACL?
View 1 Replies View RelatedI have a C3825, and have been using standard ACLs and a PBR to route certain HTTP traffic via an alternative default gateway:
route-map RTRMAP-OfficeLAN permit 10
match ip address RTRMAP-OfficeLAN-toADSL
set ip next-hop x.x.x.x
This is working absolutely fine, and as expected, all traffic matching the ACL is being sent to x.x.x.x However, we have recently expanded our network, and I am now receiving various networks via BGP from various sources. All BGP incoming via iBGP is tagged in communities:
Community (expanded) access list 100
permit 37xxx:100
Community (expanded) access list 200
permit 37xxx:200
Community (expanded) access list 300
permit 37xxx:300
[code].....
All communities are also matching prefixes when executing either 'sh ip bgp community 37xxx:100' or 'sh ip bgp community-list 100' What I am trying to achieve, is create an EXCEPTION for the policy route. Traffic matching the community lists, must be forwarded based on the routers routing table, whilst traffic maching the ACL, must be sent via the policy route...
route-map RTRMAP-OfficeLAN permit 5
match community 100 200 300 400 500
!
route-map RTRMAP-OfficeLAN permit 10
match ip address RTRMAP-OfficeLAN-toADSL
set ip next-hop x.x.x.x
My logic dictates to me that the above should work, but looking at the route-map, I get matches on seq 5 and pacets are exiting the route-map as expected (first matched). However no traffic that does NOT match community 100,200,300,400 or 500 and that DOES match the RTRMAP-OfficeLAN-toADSL never matches.
The counters on the route-map for seq 5 is increasing, but no counters are increasing at seq 10.. It's almost as if seq 5 is matching all traffic.
access-list <#> permit/deny <protocol> <sourceAddress> <sourceMask> <destinationAdd> <destinationMask>Say I applied an ACL inbound on Fa0/0, would the source address be the outside the LAN?So if took the same ACL and applied it as outbound, would the source need to be change to an IP inside the LAN?I am a bit confused by the data flow I'm seeing in packet tracer simulation mode to. I set up an ACL for testing purposes "access-list 199 permit ip 193.20.30.0 0.0.0.63 any" set as inbound, the idea being it permits any traffic from the .0 subnet.When I watch the packet in the simulation, it makes it to the destination address then is dropped by the router on it's way back out to the sender.
View 4 Replies View RelatedI am trying to allow telnet to port 551 but i couldn't get it to work.I am using a cisco 1720 router running on IOS 12.2.I am using the below commands to set the access list to allow access to port 551 using remote telnet to the Cisco router.hostname R1!interface ethernet0ip access-group 102 in!access-list 102 permit tcp any any eq 551.After i enter the above command the router will disconnect me and i will not be able to connect to it for awhile. Once the router is up i am still unable to telnet to port 551.
View 14 Replies View RelatedSince a couple of weeks I have a linksys EA6500. When I go to the device list to see which devices are online the device list is not displayig the correct data. I see devices online that are offline and also devices are offline that are at the moment online. When I try to delete a device that is offline in the list I get error 2315. I have that error in the local and cloud interface. The list has a frozen state from a particular moment.
When I reboot the router then all devices in the list have status offline and the device list stays that way. Nothing gets online anymore or will be added. When I reset the router to factory default all keeps working without problems for approximately 24 hours and after that the problem occurs again. The list freezes again and you are not able to delete a device.
I searched the forums but no one has this problem. I only can find a post that describes my problem but for them a reset worked. In my case a factory reset works also but the problem keeps coming back.
after an upgrade of NCS 1.1.1.24 to CPI 1.2 on green field, it was not possible to reuse the GUI. During the upgrade, I''ve shortly seen an oracle DB error, but the upgrade was going through, without problems.At the end, it was not possible to use the GUI, and every trial to start the services was stopped with errors.I've found the following severe Bug ID's in the support forum: Bug CSCuc29378 Prime Infrastructure 1.2 won't start after a db restore/Upgrade from NCS1.1.1.24 Oracle DB bug as well: CSCtw59460.I see only a new installation from scratch (1.2) as solution, but the bug is not resolved in V1.2, as seen in the bug tool.
- As the customer has an v.1.0 license who worked with NCS 1.1.1, do I need an upgrade order to be able to activate an installation from the v 1.2 ova (new PAK)??
- I'm searching for a one year CPI partner license, because I heard about in some Cisco Live sessions, but I did not find a way to acces´s to it.
I have configured a SVI in my 4500 ( Sup 7-E 10GE,,,,,,and,,,,,cat4500e-universalk9.SPA.03.02.00.SG.150-2.SG.bin) switch and it is showing Down Down, because there were no active switch port in the vlan, I added one switch port to this vlan but this port also in the down state, so i added the SWITCH PORT AUTO STATE EXCLUDE command under this port, even after this also the SVI never came up, So i added one systen to the port so both the switch port and the SVI came up...So why SWITCH PORT AUTO STATE EXCLUDE command have no effect in this model of the switch..
View 4 Replies View RelatedI need to apply DHCP snooping on 4500 series switches working as L2 in my Network. We have external DHCL Server in another location connected with 6500 series switch.
Running EIGRP Configured Voice & Data Vlan both
DHCP Server -------- 6509 switch<----------------------------------->6509 Switch -------- 4500 switch ----------------------------------------------------------Ip Phones.
(ving Redundant) (ving Redundant)
I need to know whether the configuration which I mentioned in scenario is enough for apply DHCP snooping in my network.
We just got many 3560x switches for a project. Curiously and in a very rate event (at least for me ) 4 of them died after workijg normally. 3 for some days and the last one for 3 weeks.Power supplies are ok and light up, they work on other switches, fans dont start kn the damagdd switch but work in ither switches.Syslog server doesnt show anything. It just goes puff. They are brand new switches biught one month ago from official channek distributor.
View 2 Replies View RelatedWe have a 6509 running 5.4(2). We have set up a hyperterm session and connect to multiple devices, then we get to the 6509 and it will not work. When we reload the 6509 and we are consoled into it, we get data until it is finished reloading. Then the console connections is no longer there.
View 5 Replies View RelatedWe're using a CSS501 to load balance http requests over three servers running windows server 2003 and IIS 6. On Saturday I attempted to switch over to three new servers running the app on Server 2008 and IIS 7.5, I mirrored the used the existing setup to create the new environment (pwgecashwww01,02,03 Owner ACMENewServers and group NewServer).
View 2 Replies View RelatedSteps to repeat the bug:
1) Physical Reset of SR520-FE to factory defaults
2) Run CCA 3.1(1) and connect to 192.168.75.1 using the default cisco/cisco login
3) Under the Home Menu, click the Device Setup Wizard
4) In Step 1, sellect the SR520 and observe that there is also a photograph of the SR520-FE(W) model displayed as feedback for Step 1
5) Try variations of Steps 2 through 4
Note: Step 4 has a problem because it says to plug the power into the device, but if the power was not already plugged in to begin with, we could not run the Device Setup Wizard in the first place.
6) Step 5 prompts for a user name and password.
BUG: No permutations of the documented default usernames and passwords "cisco" or "admin" work. The result is always the error dialog:Device Connectivity Status - "Failure: Not Connected.""Return to Step 1. Make sure that your PC is not connected to a network and you follow all the instructions."A search of the web indicates others are also had this unresolved issue with previous CCA releases.
WS-C2960G-24TC-L 12.2(25)SEE3 C2960-LANBASE-M
I would like to get the temperature status from this 2960 switch (and several other models. Normally this OID should be:.1.3.6.1.4.1.9.9.13.1.3.1.6 But it does not return anything.
The termperature status can be found from the command line by running:"sh env temp" This reports back ok, so I assume there is a temperate gauge in the switch.
This oid is part of the "CISCO-ENVMON-MIB" mib and accouding to the Cisco MIB selector it is supported on my switch and IOS - 12.2(25).
(Another thing I woudl like to monitor and should be supported is the fan status oid (.1.3.6.1.4.1.9.9.13.1.4.1.3). That doesn't return anything either.
What do I need to do to get the temperature environment status from SNMP query?
We were unable to login to a 3825 with a known good password, so we used Cisco's Password Recovery Procedure for that device. We were successful in resetting the password, and had access to the CLI. However, when we logged out of the router, then attempted to log back in, the 'Invalid Password' prompt again came up.We have to use password recovery each and every time we need to access the CLI. Might this be an NVRAM problem?
Show version for this device is: C3825-advsecurityk9-m 12.4(3a).
Ciscowork 3.2.1 daemon manager is not working after patch installation.
C:Documents and SettingsAdministrator>net start crmdmgtdThe CiscoWorks Daemon Manager service is starting.The CiscoWorks Daemon Manager service could not be started. The service did not report an error. More help is available by typing NET HELPMSG 3534.
Also I checked syslog.log and it is showing below error an 17 14:39:34 127.0.0.1 100: <28> dmgt[1316]: 2507(W):Daemon manager anonymous user has not been set up: 00000569
How to implement mac access-list in 881 and 892 router ? As you now that we can get additional switch-port in the same router but I can't see the function in this router. I guess the switch port must function like the catalyst 2960 switch.
View 3 Replies View RelatedI'm creating an access-list that will contain all networks and host that will be redistribute into EIGRP.Till now, this access-list contains 72 entries but this number can increase anytime.
I'm using a 3750-x layer 3 switch, and I'm wondering how big this access-list can be, regarding CPU and memory utilization and performance.
we installed a cisco router in a school with two vlans (VLAN 1 & VLAN 2) VLAN 1 is for teachers and Admin and VLAN 2 is for students. We want so that VLAN 2 shouldn't be able to access any device in VLAN 1 but VLAN 1 should be able to access all devices in VLAN 1 & 2
VLAN 1 192.168.11.0/24
VLAN 2 192.168.12.0/24
I am using VLAN interfaces. I know we have to use some access lists but if i apply
access-list 100 permit ip 192.168.10.0 0.0.255 any
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
With this access list two subnets can not access each other. How these access list should look likes ?
I was reviewing some old configs at work today and noticed somthing weird in the access-lists. What is this?
View 6 Replies View RelatedCreating an Access Control List
View 2 Replies View Relatedso far i also knew that if u assign an access-list to an interface:
for example:
int vlan1
ip access-group 150 in
and the access-list does not exist in the configuration it will block everything meaning it will be an implicit deny empty access-list but lately i've noticed on new routers that its different,if i assign an acl to an interface where the acl doesnt exist in the configuration it acts as permit all,
this is a project and my configred file:I can't config access list according to the project.
View 19 Replies View RelatedHow to apply access list on Vlans ?
my Scenario is
13 Vlans in cisco 3560 switch (Vlan 10,20,30........ 130)
vlan 10 ---- ip range 192.168.10.0/24 interface vlan 10 ip add : 192.168.10.1
vlan 20 ---- ip range 192.168.20.0/24 interface vlan 20 ip add : 192.168.20.1
here i want to block vlan 10 access to vlan 20 i created extended access list deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
and applied in interface vlan 10 as out now i cant able to access any host in vlan 20 (host 192.168.20.1) but i can able ping vlan 20's gateway 192.168.20.1
I have a question about access-lists on ASA: (5520 running 8.4)Often I want to permit all traffic from networks behind an interface (let's say DMZ in this example) to Internet, but NOT to internal networks. Then I first configure a Deny from DMZ to all internal network and then a Permit to ANY. If I forget the first Deny I will allow all traffic also to my internal networks. Is it possible to configure an access-list that permit all traffic from a network to all networks that are reachable via a given interface? In this example: Permit all traffic from DMZ to all networks that are reachable via the Outside-interface? This should permit traffic to Internet and deny traffic to internal networks in one statement.If I specify the outside-interface as the destination only traffic to the interface itself will be allowed.
View 1 Replies View RelatedI reported a really strange issue on a Cisco Router 3945. Here below info about release software used: [code] Please look at a brief extract of router running configuration file: [code] It’s an easy configuration of Extended ACL and the application on an Ethernet interface. The expected result is:
- The interface works properly (because access list is permitting every kind of data traffic in input)
- Checking “show access-list 180”, the counter of matched packets increments for all the packets that are forwarded inside the fa0/0/1.
But actually the Fastethernet 0/0/1 drops all the packets as if all the packets don’t match with access list (And this behavior is really incredible). The interface couldn't be used anymore because any kind of data traffic is denied.
how to perform port security or mac access-list on LAN ports of router 861 or 881.There are commands access-list 700-799 , but I don't know how to apply that access list on configured vlan or particular port.
View 1 Replies View RelatedI want to block access of some clients from the vlan1 to acces internet blocking their MAC address. How can i do this?
I have tring this way:
access-list 700 deny mac address 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
int fa00
bridge-group 1 {input-address-list 700 output-address-list 700}
but it's not working .