Cisco Security :: To Put A Switch 3750 In Place Of 2811 Router
Dec 29, 2011
I have an ASA 5510 that I want to connect to 2 ISPs (one of my private networks uses ISP1, and all others ISP2). Since the 5510 does not accept PBR (policy-based routing), I saw that you could put a router, like a Cisco 2811, in front of the ISP. My questions are: can I put a 3750 switch in place of the 2811 router? I have VPN connections on ISP1; is this architecture compatible?
View 2 Replies
Feb 16, 2013
I'm currently trying to set up a VPN to an Amazon instance but running into a few problems. My current setup is Optimum Lightpath into a Windows 2003 server running ISA 2004, out to a switch handling several servers and laptops/desktops. To set up a VPN connection we purchased a Cisco 1941 IAS but are having a problem running this through the ISA firewall. I am giving it a static address and porting it to an external address through ISA <opening UDP and the IPsec 50 and 5000> but nothing. Unable to get this to work, I decided to just put a switch before the firewall, plugging the Optimum router into the switch and then plugging the VPN router and the ISA server into the switch so the IAS doesn't have to run through the firewall <if I lost you, tell me>.
View 7 Replies
Apr 20, 2011
How to place security + a password on a folder that is shared on a local area network? I don't want other users to access the contents of the folder, since we are all on the same local network.
View 4 Replies
May 27, 2010
I have a 3750 switch stack running version 12.2(53)SE2 IPBASEK9-M. I have dot1x configured on the switch and have a Windows 7 PC connected with 802.1x configured on the interface. I see the EAPoL start message from the PC, but I don't see any RADIUS packets from the switch to the RADIUS server. I have a simple dot1x config just to try to get it working prior to adding additional features such as guest-vlan...
Config and debug file attached.
I don't know if the ip dhcp snooping and arp inspection configuration is causing an issue with this or not. I see the EAPoL packet received on the switch as seen in the debug attachment, but I still never see the RADIUS packet. I did set both to trust on the interface but still the same outcome. I can't disable it since it is a production switch with a test interface.
View 5 Replies
Mar 29, 2011
How do you configure port-security on a 2811 router? If not, is there a way to configure some type of security on each port?
View 3 Replies
Jun 1, 2012
I am trying to configure router on a stick with 2811 and 3750, but I just cannot get it to work - vlans are not getting propagated from 3750 to 2811: 3750:
Code...
View 1 Replies
Feb 14, 2011
I'm trying to set up QoS between a 2811 router and a 3750g switch. I'm currently using the 3750 as the router for one side, having the interface connecting to the router as a routed interface.
I have this config on the router side:
class-map match-any IPTel-Traffic-CL
match ip dscp ef
match ip precedence 5
[Code]......
View 5 Replies
Jul 9, 2012
I'm seeing very strange behaviour: my 2811 router is sitting behind a 3650 switch, and when the link between the switch and router is a trunk, the router starts rebooting itself. To test, I changed to access mode; then I can see the IP address of the router in cdp neig de, otherwise I don't see the IP address of the router.
View 3 Replies
Jul 23, 2012
We have a Cisco 2960 switch which is connected to a Cisco 2811 router. Flapping issue between these two devices?
I have taken the following actions, but with no result. I have changed cables. I have set speed to 100 and duplex to full on both interfaces, but although the interfaces are showing up/up I am still not getting connectivity. I have also set the same to auto on both sides, still with no result. What configuration should I set to resolve this issue?
View 10 Replies
Feb 26, 2012
what's the meaning of the output:
Interface Speed Local pair Pair length        Remote pair Pair status
--------- ----- ---------- ------------------ ----------- --------------------
Gi0/40    100M  Pair A     2 +/- 4 meters     Pair A      Normal
                Pair B     2 +/- 4 meters     Pair B      Normal
                Pair C     2 +/- 4 meters     Pair C      Short
                Pair D     2 +/- 4 meters     Pair D      Short
From the command
test cable-diagnostics tdr int gi 0/40
Is it normal? If not, then is the problem on the cable or on one of the interfaces? The interface is connected between a FastEthernet on a 2811 router and a 3560-48 switch. The cable is a straight-through Cat 5e cable. (I have changed several cables with the same result.)
View 4 Replies
Sep 25, 2012
We have a site, and on that site we have a server which has been down for the last two days. However, we are not using any tools to manage these devices. We are not able to find where this server is located and which switch it is connected to.
I want to know: the timer for MAC addresses is 5 minutes and the ARP timeout is 4 hours; is there any way to find out the MAC address of the server? I feel like this can be done with CEF. Is it true or not? I am not sure. I am running 3750 stacks and 2811 routers. The 3750 stacks are working as layer 3 devices. They are also running the pretty new IOS 12.2(53)SE.
According to my understanding, nowadays CEF entries do not expire if we are not using them. They remain in cache as we are running destination-based CEF.
View 4 Replies
Mar 7, 2011
I'm trying to setup a SSL VPN on a 2811. I believe I have the SSL VPN portion understood, but I can't tell because I keep getting stuck on the Certificate Server, ca trustpoint and identity trustpoint configuration.
guide that walks you through the CA cert, Cert Server, ca trustpoint and identity trustpoint to IOS SSL VPN?
View 6 Replies
May 26, 2012
I have a 2811 ISR configured to provide the following services to my network:
- Internet access to LAN users
- Cisco Call Manager Express
- Site-to-site VPN to 3rd party networks
- VPN server to provide VPN access to remote users
- Security Zone configurations
- Static NAT configurations
Now I recently just got the ASA5510 device and I am not sure how to go about the setup: whether to put the ASA in between the internet and the ISR (Internet - ASA - ISR - LAN), or put the ISR in between the internet and the ASA (Internet - ISR - ASA - LAN)? While I know I can move most of the config onto the ASA, I know that the CME cannot be moved, hence I would like to do the setup such that users on the network still have access to CME.
View 3 Replies
Jan 3, 2012
I have Network Magic Essentials and use a Linksys WRT54GS router. I just received a Cisco Linksys 2500 and assumed that it would be a breeze to set up in place of the WRT54, so that I could gain faster internet and improved range. After about six hours of frustration trying to set it up, I am pulling my hair out! I live in a remote area near a lake, and our only option here is a Wi-Fi signal beamed to our homes via an antenna, coax cable to a "radio" (Alvarion BreezeAccess). This has always worked very well with the WRT54, but with the Cisco 2500, I can get on my local network just fine, but I cannot get connected to the internet. I can disconnect the 2500, and reconnect the WRT54, and get right back on the internet.
View 1 Replies
Jan 13, 2013
I've created a scenario using a Cisco 3750 as core switch and 6 other switches, model 2900, at the access level. My problem is this: the router is not a Cisco router, and this router is not able to do NAT on more than one subnet. On the core switch I've created 4 VLANs and I must give internet access to 3 of them: 192.168.0.0/24 (vlan1), 172.16.0.0/24 (vlan2), 172.17.0.0/24 (vlan3). I've connected the switch to the router via gigabit ethernet 0/1 and I've assigned to this interface IP address 192.168.10.2; the router IP address is 192.168.10.1, the switch ip default-gateway is the router IP address 192.168.10.1, and the ip default route is 0.0.0.0 0.0.0.0 192.168.10.1. I've enabled the ip routing feature and I've set the no switchport feature on interface gigabit ethernet 0/1. From the core switch I can ping the router IP address, but I can't do it from all the other users, and the users are not able to have internet access.
Below the switch configuration (only necessary strings)
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
[code].....
View 6 Replies
Nov 2, 2011
I have an issue connecting a trunk between a Cisco switch and an Extreme switch. I have many VLANs that I want to cross via a link between a Cisco 3750 switch and an Extreme Alpine 3800 switch.
View 12 Replies
Nov 18, 2012
I have two 3750-X configured to be a stack and I am planning to re-rack these somewhere else. What I would like to know is what are the effects of having the master switch itself lose power? Does it immediately just make the member take over master (there should be no election since there are only 2 switches??) and there would be no loss of connectivity?
View 1 Replies
Jan 22, 2013
Today, I received the Dell Inspiron 660s I ordered and I had a question about the network port on the computer. Is the network port the place for connecting a router and then the router connects to a modem, or is there another connection I should make?
View 1 Replies
Mar 13, 2007
I use a BEFVP41 VPN router. I have changed several settings. How can I back up these settings and store them in a safe place?
View 3 Replies
Jan 25, 2013
I have a year-old E1200 router. I just updated the firmware today, made adjustments to the MTU range to suit cable service and selected a different channel (9) as the neighbors were mostly on channels 2 and 6. My question is really in regard to the speed results of the router. In the immediate room where the router is located I am getting 17.6 Mbs download speed / 3.53 upload speeds, but if I move to my living room - less than 20 feet away and a few walls - the upload speed drops sharply to 3.21 Mbs download / 3.21 Mbs upload. I have read that router placement can be key. My router is sitting on the desktop. If I elevate the router, will it improve performance 20 feet away, or should I invest in an upgraded router like an E3200 or look into a plug-in type repeater?
View 2 Replies
Apr 3, 2013
1. How can I manage those devices, the switch and the router? What is the BEST SOLUTION to manage these devices?
2. I want to monitor the traffic in this environment; how can I do it? How can I monitor the traffic from Customer A, Customer B, and my own LAN traffic, in terms of bandwidth that has passed through my devices? Is it possible to monitor on MY LAN, or do I have to monitor from the EXTERNAL switch?
3. How can I limit the bandwidth? I was trying to configure it using access list, with policy-map, etc....and limit this on each interface. [code]
The interface does not support the specified policy configuration and/or parameter values. Assigning a policy map to the output side of an interface not supported. With a little reading, I could see that the SWITCH 3750 doesn't support these configs. My INTERNET LINK is 30 Mbps; the ports on the switch (WS-C3750X-48P-L) are Gigabit Ethernet. How can I limit the bandwidth here? For example, how can I limit an interface to 3Mbps? I was thinking about this:
- Limit the interface to 10Mbps: speed 10
- and limit the interface with 30% of this speed: srr-queue bandwidth limit 30
Does this work for both UPLOAD and DOWNLOAD? When the packets pass that 3Mbps limitation, will they be dropped?
View 28 Replies
Jun 28, 2012
I have a problem: I would like to do MACSEC between two Cisco Catalyst 3560-X switches, but I know that for this operation I needed ACS server 5.1. Is it possible to encrypt the dataflow without an ACS server, and if you have the configuration
View 7 Replies
Mar 10, 2011
I have a 2811 router with a 9 port switch module and a four port ISDN module. The ISDN module is our connection to the outside world. FE 0/0 and FE 0/1 are connected to separate networks and both route out the ISDN connections. We are getting a new satcom system that consists of a modem, antenna control unit (ACU), and an antenna. The ACU and the modem communicate across Ethernet and are generally hooked to a switch. Any computer hooked to the switch can simply use the modem IP as its gateway and be surfing the Internet without much hassle (just need the correct DNS addresses). I'd like the networks behind FE 0/0 and FE 0/1 to be able to route out the satellite modem for their Internet connection -- when the satellite is available. Is it possible to put two switch ports in a VLAN (one for the modem and one for the ACU), give the VLAN an IP in the same subnet as the modem and ACU, and then tell the router to route traffic out the modem IP address?
View 4 Replies
Dec 27, 2012
We have our WAN set up as explained in the attachment herewith. As of now, we have IP 1 configured as the HSRP IP at the LAN switch end at Site A and Site B. As per the HSRP priority, Site A's WAN router will preempt to be the Active WAN router. 1*1Gig link at both DCs connects to the respective WAN router.
But with this setup, we experience a WAN outage whenever there is a link disconnect at Site A - as HSRP fails over from Active to Standby (Site B) and again when the link at Site gets restored. To avoid this:
Is it possible to have HSRP configured over a port channel at Site A and B (or at least at Site A)? In that case, will there be a need for the ISP to change their configuration, other than to configure a port channel? The ISP has a Cisco 7000 series router which connects to the 3750 stack at the DC LAN.
View 2 Replies
Aug 22, 2011
I have a Cisco 2811 router with the C288nm-advsecuruityk9-mz.151-4-4.M.bin IOS version. The router has two LAN interfaces, FE 0/0 and FE 0/1. The router also has two ADSL interfaces, ATM0.0.0 and ATM 0.0.1; both are connected to the internet. I need the following configuration. The interface FE 0/0 is directly connected to Switch A. The interface FE 0/1 is directly connected to a Cisco Access Point. The Access Point and the switch are not connected to each other. The subnets of Switch A and the AP are different (Switch A 192.168.180.0/24 and AP 192.168.181.0/24). The devices on Switch A have dynamic IP addresses; the router must have a DHCP pool to assign these IPs. The devices on the AP have dynamic IP addresses; the router must have a DHCP pool to assign these IPs. I created two DHCP pools in the router, one for the subnet 192.168.180.0 and the other for 192.168.181.0, but the devices on FE 0/0 are assigned IPs from 192.168.180.0 or 192.168.181.0, not only from 192.168.180.0.
View 5 Replies
Jun 6, 2012
I'm trying to see if I can use both ethernet ports on a 2811 to run HSRP for non-stacked dual switch failover. Then link the NM-32A ports to L0, so the remote access server trying to use them can use the L0 IP and fail over much faster (its programming is limited). This is on IOS 12.4(25)f, though we are moving to 15 soon.
View 2 Replies
Feb 29, 2012
I have a 1941 that I am going to deploy with a HWIC-D-9ESW switch module (I only need 3 switch ports but need the PoE). I am going to hang a 1262 autonomous AP off one of the ports but I need to configure MAC address port-security so that only that AP can pass traffic. I know the switch modules are 'almost' exactly like a switch for commands but I can't seem to enable or configure any port-security settings. Is port-security not available on the switch modules?
View 3 Replies
Apr 14, 2012
I currently have a Cisco 2621 powering a network at our co-location facility... It's a simple setup and is working well. The colo provides a redundant HSRP uplink, so I have their two uplinks going into a Dell switch. From that Dell switch I have an uplink into FastEthernet0/0 on the 2621, configured with my routing network, and then FastEthernet0/1 gets an address from my block of routable IPs. FastEthernet0/1 then plugs into another Dell switch where I have all my servers connected. The servers get public routable IP addresses and use the address on FastEthernet0/1 as their default gateway.
It's time to upgrade off the 2621, so I acquired a Cisco 2811 which has two FE interfaces, as well as a modular HWIC-4ESW switch. My question is, can I get rid of the Dell Switch A in the setup above and just use the internal switch on the 2811 to accomplish the same thing? And if I did this, would my two uplinks from the colo plug into ports 1 and 2 of that HWIC, and then port 3 would physically connect into FE 0/0? Or can I logically do that via configuration in the Cisco? I'm not sure how all this works and haven't received the new router yet, so I thought I'd get a head start and reach out to the experts.
My second question is unrelated, but each port on the HWIC switch cannot be configured as a network interface right? I'm pretty sure they can't as they aren't considered network interfaces but just thought I'd ask.
View 11 Replies
May 12, 2013
I have a laptop with a single physical NIC, on which I have used the advanced management tools to create two virtual NICs (say vlan 10 and vlan 20), and both are on the same subnet (say 192.168.4.x). One NIC is for normal TCP/IP traffic and one is for broadcast/multicast traffic (I have some custom software that requires this to be the case and works fine on older laptops with a built-in physical NIC and a PCMCIA XIRCOM NIC). The dual NIC laptop communicates with a dual NIC server via a Cisco 2811 router (which has a 16 port switch module at the back) and has vlans set up so.
What I want is for the single NIC laptop (with two virtual NICs) to be able to also communicate with the server. Basically, one NIC is for normal traffic and one is for multicast/broadcast traffic. All three machines need to be able to talk to each other using the NIC for normal traffic and both laptops must be able to receive broadcasts from the server. What is the best way to configure the router to handle the trunking/tagging? Most configuration documentation I read has two complete subnets for the two virtual NICs. Note that all three machines use static IPs and are part of a workgroup so no DNS and domain servers etc.
View 9 Replies
May 22, 2012
I was wondering if there is a workaround to have a MAC access-list bound to a port security violation action. Our need is the following: we have a range of 10 MAC addresses that can use any port on the 3750; we only want to allow those ones, yet we also need to take action if a denied MAC appears on any port of the switch. The only workaround I found is to basically go into a port-range mode and list all the allowed MAC addresses under all the ports of the switch. I would also add to that a port violation action. I did not test it but it should work. The problem is, it would be a huge config. I did read that we can create a MAC access list and then bind that MAC list to physical ports, which will actually simplify our solution, yet I did not find a way to bind the MAC list with a port violation action.
View 1 Replies
Mar 2, 2011
I have a network of 3750's configured for DAI with DHCP Snooping implemented and working with Windows XP for around a year. Now we've changed a couple of machines to Windows 7. I have a floor with around 200 workstations on XP and about 4 on Seven. Two of these WIN7 machines are triggering the err-disable for ARP inspection (configured by default to block interfaces sending over 15 ARP pps). I noticed that when I go to Windows -> Network and I do a refresh, sometimes (most of the time after boot up or idle time) it will trigger the massive ARP response on the network. I noticed that all hosts on the network updated their ARP entry for that computer (Win7) at the same time, for some reason I don't know. The Windows 7 machine tries to reply to over fifty ARP requests for its IP, which caused the port to be put in err-disable. There were no applications running on the Windows 7 computer at the time of the tests, only Wireshark and its default services. This computer has configured: DHCP with WINS. It's on a Windows domain and has NetBIOS over TCP.
View 1 Replies
Sep 2, 2012
Is it possible to use the Port Security mechanism between two switch (3750 or 3560) ports while a trunk has been configured? If it's not possible, is there any other way to ensure that no other switch can be connected other than the one switch which has been configured/placed by a network engineer?
View 4 Replies
May 24, 2011
I'm currently investigating an issue for one of our customers where one of their 3750 Core Switch Stacks crashes / becomes unresponsive during a NESSUS scan.
They've disabled DoS testing and have ensured that safe scanning is enabled. For the test they are port scanning all of their VLANs (around 600 internal addresses).
The network consists of 2x 3750 Switch Stacks connected via fiber, edge switches connect into these cores. Both cores are running HSRP, for VLAN gateway redundancy.
Issue Being faced is as follows:
During the scan, Core 1 becomes unreachable from Core 2. We can telnet to Core 2 and administer as necessary. However we cannot telnet to Core1, a console connection also fails - the switch stack is unresponsive, but does respond to pings.
On Core 2 I've performed a show proc cpu sorted and can see the IP Input process is running at around 60% and the CPU is highly utilised.
Once Core 1 becomes unreachable the network gradually grinds to a halt, almost mimicking some sort of broadcast storm or Spanning Tree loop.
Interestingly Core 1 HSRP is still active, so the hello packets are still being sent.
The only resolution to the issue is to perform a hard reset of the Core to restore service.
Logs from Core 1 show the CPU becomes fully utilised. There is also an error logged indicating:
%FIB-2-FIBDOWN: CEF has been disabled due to a low memory condition. It can be re-enabled by configuring "ip cef [distributed]"
Both cores are running IOS 12.2.(52) SE IPBASE. I've attempted to reproduce the issue in the office here and although a NESSUS scan does increase switch CPU utilisation I couldn't reproduce the failure scenario.
What may be causing the 1st core to become unresponsive? I've found some articles with regard to a 6500 switch rebooting during a NESSUS scan, and also some HP switches exhibiting similar behaviour but nothing that matches the exact scenario I'm investigating.
View 4 Replies