Cisco LAN :: 6509-e Switch And IDF Closets Have 3750 - Creating Isolated VLan
May 6, 2012
My core switch is a 6509-e and my IDF closets have 3750's.I have a couple of vlans currently setup, that can communicate with each other.VTP is setup Client/Server where as my core is Server, all IDF's are Client.
What i'm trying to do is create an isolated VLAN. I want to setup a DHCP scope and use helper address. When i plug in a client to that VLAN, i want it to get an IP, but not have any other network access.
Is this possible to do without switching to Transparent mode? If not - what reprocussions will i see by switching to transparent mode?
I have two networks at two sites with a dot1q trunk between the two L3 switches at both sites (no routers involved)
SITE A - Cisco 3750 L3 - VLAN ID 50 10.10.50.0/24
SITE B - Cisco 3750 L3 - VLAN ID 50 10.20.50.0/24
I would like to extend the SITE A VLAN to SITE B so that I can move hosts from SITE A to SITE B without needing to change their IP address but the vlan ID is already in use. Obviously the easy solution is to change the VLAN ID for one or other of the sites but both sites contain hosts that run 24/7. Is there a way to join two VLANs with different IDs together.So for example I create a new VLAN 60 at SITE B and associate it with VLAN 50 at SITE A.
I have an ASA that houses 11 VLANs, and I am trying to add a 12th.One of the VLANs is for PCs that have internet only access.The new VLAN will be similar, but for multifunction printers only.VLAN 99 is for internet only and works fine, I can ping the gateway of 10.99.3.33 from any PC in that VLAN.I am creating VLAN 98, modeling it after VLAN 99, and I cannot get a PC in the vlan to ping the gateway of10.98.3.17.Both switch and ASA show the new VLAN 98 as UP, switchport is UP/UP.I have deleted and recreated VLAN 98 a few times, but I cannot get a PC VLAN 98 connectivity.Once it is working on the core switch, I will add it to the trunk to the IDS switches. VTP is not in use, everything is manual. [code]
I'm not sure if I'm missing something basic here however i though that I'd ask the question. I recieved a request from a client who is trying to seperate traffic out of a IBM P780 - one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO server/clients (Test) is tagged with vlan y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
The infrastructure is the host device is trunked via LACP etherchannel to Nexus 2148TP(5010) which than connects to the distribution layer being a Catalyst 6504 VSS. I have tried many things today, however I feel that the correct solution to get this working is to use an Isolated trunk (as the host device does not have private vlan functionality) even though there is no requirement for hosts to be segregated. I have configured:
1. Private vlan mapping on the SVI; 2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148) 3. All Vlans are trunked between switches 4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
I haven't had any luck. What I am seeing is as soon as I configure the Primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause to most of the issues I am having. Has any one else experienced this behaviour. Also, I haven't had a lot of experience with Private Vlans so I might be missing some fundamentals with this configuration.
I need to create a DMZ Vlan. Core switch is a 6509. FW is an ASA5520. Need to create a VLAN for DMZ purposes for outside facing servers. NAT is used on ASA.
i'm already has one internet connection is connecting directly to the Core Switch 6509,Vlan 500 (1921.168.1.0) and the Switch is route any internet request with default route:
SW6509-conf)# ip route 0.0.0.0 0.0.0.0 10.170.10.10 10.170.10.10 is --> Next hop for the DSL router internal IP, and it's working fine.
The Problem: We have a new internet connection with new Vlan 600 (172.16.1.0) another ISP/ with another DSL router, so i need your kindly support and suggest how to connect both of them to exit from the Core Switch 6509. is it ok if i make another default route to the Next hop to the new DSL router as:
SW6509-conf)# ip route 0.0.0.0 0.0.0.0 10.80.10.10 10.80.10.10 is --> Next hop for the new DSL router internal IP.
is there any way like default route , route-map or any other features to :
route Vlan 500 (192.168.1.0) to exit from DSL 1 --> 10.170.10.10 route Vlan 600 (172.16.1.0) to exit from DSL 2 --> 10.80.10.10
I am planning to upgrade the current core switch(3750) to 6509 series switch. Since we have a production network running we have to plan for an online core switch upgrade.
I am getting very slow window file transfer speed (4 Mbps per second) between two connecting servers in Cisco 6509 switch. I have connect the two laptops in 6509 switch in same module using the same vlan and try to copy the files from one laptop to another and vice versa and got the same speed on 4 to 5 Mbps per second. Switch utilization is not more than 10% and both the laptops are connected in 1 Gbps full duplex.
I have checked by removing the gateway in both laptop but the output is same.
I have a Cisco 6509 with IOS "s222-ipservicesk9_wan-mz.122-18.SXF16.bin"I need to enable dot1x on user's ports on the switch. each user is connected to the switch through the IP phone.
I just found out that I can not enabled dot1x on trunk port. I have tried to use "switchport voice vlan " but I got:
I have set up an ACL on my 3750 switch to deny icmp from PC A on our inside network to PC B on a different VLAN on our inside network using the following ACLs:
These ACLs belong to an access-list that also limits ip traffic to a few specific machines.When I try pinging from PC A I receive a reply message back from PC B. Shouldn't this configuration block any ICMP from PC A to PC B and from PC B to PC A? I would have expected the first ACL statement to block any packets associated with ICMP and when that didn't work I tried the second configuration.
I'm having some trouble getting my head round the following but I think it's routing related?
I have a Cisco 3750 switch with the following configured:
interface Vlan1 ip address 192.168.0.223 255.255.254.0 no ip route-cache
[Code].....
The 3750 is connected to a firewall which handles the routing. From the 3750 I can only ping remote networks from the vlan1 interface not from vlan6,8 or 10 i.e ping 10.34.37.101 (remote network) source 192.168.0.223 (vlan1) works but ping 10.34.37.101 source 10.74.10.1 (vlan10) does not? I can ping 10.34.37.101 from computers on the various vlans but not from the 3750 it self.
I looked at setting a default gateway for the various vlan interfaces
I would like to push route for admin services (Vlan20) to bypass the firewall via an other connection (CSI to CSE). So my first choice was to create a route-map in (CSI) but I don't know how to do it. On my Firewall ASA, I don't have any Context License, that is why I would like to do it like this.
I have included some part of my initial configuration CSI and CSE and diagram.
CSI configuration (Switch L3 3750) { interface GigabitEthernet1/0/1 description To ASA no switchport [Code]....
I have a 2911 router connected to a 3750 switch. I have configured vlan interfaces on the 2911 router:I am using the vlan 89 (89.2) as the management ip address for me to remotely get to the switch. Is this a proper configuration or could this cause issues in the future.
This is regarding VLAN creation on C3750E switch.I want to create new Vlan 94 on this switch and also I want to allowed same interfaces like Vlan 95 & Vlan 96. [code]
we are using 3750 and 2950 switches both of them do not support vlan up to 4000 .we need vlan about 3000 .Whic cisco series switch do support vlan up to 4000.
2950 S-SW1.3(config-vlan)#exi
Proposed configuration has too many VLANs for this platform. Reduce the number of VLANs proposed.
S-SW1.3(config)#end 3750 SW1(config-vlan)#exi
proposed configuration exceeds the limit of 1005 VLANs that can be supported on this platform. Reduce the number of VLANs proposed to be within this limit.
to create intra-chassis redundancy i addedd the following command also there.
firewall module 3 vlan-group 1
after adding that, my firewalls worked fine but there was a issue with site loading. People from outside were able to access inside but from inside, we were not able to go outside.
do we need to clear arp from both FWSM's ? is there any other precautionary step, which we need to follow while working on it.
We have 6509 VSS with FWSM Module and we have created two context on it, one is INTERNALL CONTEXT othe is EXTERNALL Context? We have spanned various VLANS in switches and FWSM context level. All VLAN Gateways are configured in context level.
Activity description : We had planned migration of these devices into a new Datacenter, it was a planned activity. During migration of devices from one Dc to a new DC we broke the VSS and kept the primary running and removed the secondary switch and migrated this secondary to new DC and powered this device ON in the new DC and checked all the config was very much fine but this device was OFF network as secondary was brought to new DC just to limit the downtime during the primary switch movement.
During the activity ( Primary switch movement )We powered off the Primary switch and mean time before shifting into new Data center We had brought up secondary switch which was already existing in the DC was put live in the network and it was working fine without any issues.
Later we had moved Primary into new data center and tried to put into VSS with the secondary , during this period the secondary device into went into RECOVERY MODE and primary device was not responding and devices went off network and immediatly we removed the VSL link and brought up primary into production network without secondary online in the network ( Without VSS just stand alone switch ) network started working, but bringing up the primary we found that some of the VLANS in the FWSM was deleted and some VLAN had misconfiguration ( example : say original VLAN ip 10.200.112.1 has become 10.300.13.1 ) also some of the access list as well as SVI was deleted making configuration mismatch.
Wanted to know while syncronization b/n primary and secondary switch in VSS if we pull out VSL link would create this type of issues.
New to Cisco devices and have had an ASR dropped in my lap.Running ASR1000-RP2 with System image file: asr1000rp2-advipservicesk9.03.03.00.S.151-2.S.bin Show Vlans returns: No Virtual LANs configured Router(config)#interface vlan?
<1-4095> Vlan interface number
But when I try an assign a Vlan number I get % Unrecognized command, or % Incomplete command
we have two Catalyst Express 500 switches and a ESW 520 just purchased. the VLAN on the other two is 2. how do I change the Default to be 2 instead of 100 in the ESW Switch.
I have been looking into this for a while and I can't seem to figure out why my 2nd vlan is not able to connect properly to the net.
My switch has 12 ports where my devices connects directly, they are all on Vlan 1 and they all work perfectly. on Port 12 I have a dlink router that is connected to a cable modem. the dlink router has an Ip address of 192.168.0.20
I created a second vlan (vlan2) and enabled dhcp relay on it. then I assigned port 9 on the switch to (vlan2)my laptop which is connected to port 9 seems to get an ip address fine and able to ping only some devices on my network (vlan1) and is not able to go out to the internet. I think it has to do with the routes. [code]
I'm creating 3 vlans, one private ip addresses and the two for two blocks of public ips. After creating them devices on the same network are able to talk to each other on the private IP but not on the public ips.
I just procured Cisco 3560V2- 48PS-S i would like to know how to set it up from scratch:
1. configuring passwords: enable and privilege 2. Creat Vlan , such that systems connected to the Vlan can connect to internet. 3. enable routing protocols 4. How do i use the switch as a default gateway for the systems on the vlan 5. how do i make sure the desktops connected to the switch are browsing the internet.
I have a problem to create a VLAN with a Cisco 2801.,I need to have base ports FastEthernet 0 / 0 and FastEthernet 0 / 1, in the same VLAN. Basically I'm trying to switch access redundacion, now I have redundant switches in which I have the servers, but if one of these switches fails, and,coincidentally is where I have connected the router, the server runs out of internet connection.,I idea is to connect the FastEthernet 0 / 0 to a switch, and FastEthernet 0 / 1, to the other switch,but I managed to have these two ports in the same vlan, in order to have a unique IP for both FastEthernet ports,As I can do this?. do is a lot of documents using the switchport command, but this command is not available in my router, I tried different IOS, and nothing.,currently I have the following IOS: c2801-adventerprisek9-mz.124-24.T6.bin
We have the next Settings in our SW. We crate an ACL and aplied to a SVI for Incomming Traffic, I understand that is not necesasry to allow the returning traffic in ACL, but we can't access to rdp for example when we add the ACL, if we remove it, the acces is ok, buet when we add again the access is deny, even we have a log entry, and the ACL i just for Incomming traffic. There is no another ACL.
We have observed WS-C4507R-E got rebooted while creating the L3 VLAN ( while No shut).Is there any known bug for below IOS ?cat4500-entservicesk9-mz.122-40.SG.bin,
I have Linksys SPS224Trying to create VLAN through SNMP. Issueing the string to create VLAN ID=100 with name "VLAN100"
snmpset -c private -v2c 10.254.2.144 .1.3.6.1.2.1.17.7.1.4.3.1.1.100 s VLAN100 .1.3.6.1.2.1.17.7.1.4.3.1.5.100 i 4 It reports Error in packet. Reason: (genError) A general failure occured Failed object: iso.3.6.1.2.1.17.7.1.4.3.1.1.100
In same time changing the name of existing vlan snmpset -c private -v2c 10.254.2.144 .1.3.6.1.2.1.17.7.1.4.3.1.1.23 s VLAN23 and even deleting the existing vlan snmpset -c private -v2c 10.254.2.144 .1.3.6.1.2.1.17.7.1.4.3.1.1.510 i 6 are successful.
I was given a task of creating a vlan and isolating one pc to access an internal website (192.168.90.15) on a specific port (port 8080)The pc is connected in the following manner:
PC--> HP Switch --> Cisco Small Business SG200 switch --> 3550 Catalyst 1, 3550 Catalyst 2 and 3550 Catalyst 3.
I have created a vlan 110 on the Main 3550 Catalyst switch and successfully added the pc to that vlan.However, that PC must be able to access the internet and an internal website on port 8080.I have placed an access-list on the main 3550 catalyst switch which is connected to our router as below:
Client ip address: 192.168.100.2 VLAN 110: 192.168.100.3
access-list 110 permit tcp host 192.168.100.2 host 192.168.90.15 eq 8080access-list 110 permit icmp host 192.168.100.2 anyaccess-list 110 deny ip 192.168.100.0 0.0.0.255 ? I was unable to access the webserver even after many attempts.
I am trying to upgrade the switches in one of the buildings to Gigabit HP ProCurve switches. Currently, this building has 3 wiring closets, and each closet has 2 Intel Standalone 460 switches (24 ports). We use them as simple Layer 2 Switches. Nothing fancy.We recently bought 3 48 port HP Procurve Gigabit switches.I was planning on going in and swapping the 2 Intel Switches out with the HP Procurve Switches. The first closet went fine, and we had immediate connectivity (servers, Internet, etc.). However, when I went to the second closet I found that I could not connectivity back to the first closet.I then noticed the patch cable going from Closet A to Closet B is terminated with a female connection on both end. And then a patch cable is connected from the end, to the switch at both sites. I have never seen this before. And I hope I am making sense. Why would this method work with the old Intel switches (that are close to 10 years old) and not with the HP?
We have a low bandwith (15-20 Mbit/s) to the ASA from our Client vlan. If i connect the Client to the same vlan as the ASA is, the bandwith (90 Mbit/s) is good.
And we have following error message in the log from the switch:
%PLATFORM_UCAST-4-PREFIX:
One or more specific prefixes could not be programmed into TCAM and are being covered by a less specific prefix, and the packets may be software forwarded I first get the idea that the switch is overloaded with router traffic. Thats why i assuming i have to check the sdm templates, but i'm not sure if this resolves the issue.
I have a live 28port Catalyst 2960S switch. By live I mean that there is an essential piece of equipment plugged into this switch that can suffer little to no downtime. Over the course of time the number of devices patched into this location has increased to exceed the 24 ports available and we have had to resort to adding unmanaged switches to fill the need. We have acquired an additional 2960 & stacking modules that I would like to stack together, keeping the existing switch as the master. It is my understanding that the stacking modules are hot-swappable and that this member switch can be added without bringing the master switch down, thus creating zero down time for the financial server that is connected.
The steps I believe that need to be followed are as such: write mem to existing switch and backup to our TFTP serverinstall the stack module in the existing (while powered up) and new (while powered down)place the 2 redundant FlexStack link cables on both switchesthen simply power the member switch on After boot the member switch will get it's OS and configuration from the master and I can begin moving CAT5 cables from the unmanaged switches to the stack.
I have been working with ASA 5510,20,40,80 but not with 5505 this vlan and its interfaces are quite confusing.Just want to know how it works and its connectivity to Cisco Switch.Do i have to put the interface of the switch in the same vlan as i am creating the interface vlan in firewall ?Now the switch port connecting to this Eth1 interface should also be in the same vlan ? i.e vlan3 ?? or it will be in trunk ? The default configuration shows the eth0 with no access vlan and interface eth1 with access vlan 2... does it mean the eth0 is in vlan1 ? (Nativ Vlan ) ???
