I am using 1841 LAN router. Recently some broadcast is happening in our network when some users are connected. I need to block them automatically by detecting who are they.
I can block them manually but i want router to detect them and block.
Our network feels slow and trying to find the best way to investigate this properly. We have Cisco chassis 4500 with mix of 3560/2950 Edge switches 1GB backbones and WLC/WCS in place. The network is broken into multiple V LANS and IOS on our switches haven't been updated in 3-4 years.
On a wireless laptop (G) with get throughput of 1-2MB/s transfer speed with usually 10 clients per AP and LAN we get anywhere between 7-15 MB/s transfer. Using wire shark on a wireless laptop we see a lot broadcast traffic from other clients and the same for LAN. What is the best way to troubleshoot performance issues on the network and where do I start?
SG-300 52 native VLAN blocking network packets
View 3 Replies View RelatedI am working on wi-fi networks (ISP), So I need to block the peer to peer on my network.My network involves cisco switch 2950/2960, cisco 2800 routers and Access Points, config for peer to peer blocking, for this where I need to config either switches or router.My network basic setup is, The internet will pass from router to switch and then Access Points.
View 1 Replies View RelatedSince a upgrade in IOS XE 3.0.9, our ASR 1002 have a problem with the DHCPDISCOVER.
View 1 Replies View RelatedCan I configure a cisco router 1841 to block specific sites?
View 4 Replies View RelatedI have 2821 router configured with two subinterfaces. This router is connected on cisco 2960 switch. The trunk on 2960 is configured without any prunning of vlans. I noticed that udp broadcast traffic is being forwarded through my router on native vlan 1 (this interaface do not have ip address configured). Below is configuration:
Router:
interface GigabitEthernet0/0
no ip address
duplex auto
[Code]....
I'm working with some 891W's that have the internal 800-series AP. I have this router set up initially using Cisco Config Express, then, using Cisco Config Professional 2.5 I set up the firewall and other featuress that CCE doesn't do. Overall this is a very simple router, meant to be a small business Internet gateway device but is currently in my lab.
The intended WLAN setup is very simple. One SSID, with broadcast enabled, using WPA2-Personal. Auth: open Encryption is both TKIP and AES-CCM.
However no matter what I do I cannot get thhis thing to broadcast . In the past I had sometimes run into issues where if I had more than one AP running independently it would cause a channel conflict and one or both would cancel each other's radio, so I disabled all other AP's in my vicinity.
Also I've had issues in the past where f I enabled both TKIP and AES, sometimes clients can't find the AP as a result. My solution had been to disable one of them leaving just the other - no change here however.
Via the IOS, ssid config shows mbssid guest-mode which I believce is default.
Interestingly, if I do the following:
ap# Config t
ap(config)# dot11 ssid <myssid>
ap(config - ssid)#guest-mode
end
I end up with both "guest-mode" and "mbssid guest-mode" in the sh run for the AP, and voila, my AP broadcasts the SSID. However clients end up joining without any security at all, no prompts for pre-shared key or anything.
I have 30 branch all over the country.There we have Cisco 3825 Series router at HO, and 892/k9m 1841 and 1811 routers in BO.My branches are being connected to HO via dual link which has been linked with two ISPs,both are Layer 2 link provided by the service provider,
-ISP1 subnet: 172.19.0.0/24
-ISP2 subnet: 172.20.0.0/24
usually i have the route pointing to HO ip from each branch routers. [code] Where, there are four branches acting as the gateway for the branch router 172.20.0.13. What cause the problem,and how can I solve this issue permanently?
how to configure the ASA 5500 with "Directed Broadcast" for Wake of lan from other networksegment. we want pass traffic from 192.168.10.0 network to 192.168.100.0 DMZ Network to turn on the server with Wake on Lan.
I read something about "Static NAT" but how do i make this one?
I have a 3945 with a basic DHCP configuration applied to it. This 3945 is connected into one of the access ports of my nexus switch. I'd like to simply have the 3945 hand ip addresses out to other clients connected to the nexus switch. I have zero experience with nexus & haven't been able to turn much up through searching the net.
View 1 Replies View RelatedI recently bought SG-300 28P to create the VLAN. My network hs 3 subnet 192.168.1.0, 192.168.2.0 and 192.168.3.0.My main net work is 192.168.1.0. I want to divide it to VLAN to eliminate the boardcast storm; especially from the domain 192.168.3.0
But I want all the devices from 192.168.1.0 to access other subnet.
We have 2 switches split across 2 datacentres connected via an interconnect. Over the past couple of days the interconnect provider's Cisco kit has shut down our port (err-disabled) due to a broadcast storm. They had the level set at 1 which I thought was a bit low. They say they tried to set to 2, then 5 but still kept tripping the storm-control feature so they set at 10. They say they've always had it set at 1% (on a 100Mb switch) and so we must be generating more broadcast traffic.
I'm trying to identify where the broadcast traffic is coming from. On our Cisco 3750 I've clear interface counters and when I do a sh run | i broadcasts there are a few ports which have what seems like a high broadcast count. The one port that is especially high and the only one tripping the storm-control feature (I've enabled on all our ports to try to identify where the traffic is coming from) is the port connected to the 100Mb interconnect. I've mirrored that port to another port and connected a server with wireshark so I can capture all the traffic across that port.
What I'm struggling to find is the source of the broadcast traffic.I have a few questions are these broadcasts layer 3 or layer 2 broadcasts. Also in the output below when it says broadcasts received is this inbound to the port i.e. from the connected device or is this a total of inbound and outbound broadcasts.
When I use wireshark and filter the capture on broadcasts (ff:ff:ff:ff:ff:ff) I see only 200-300 compared to the thousands the switch is reporting.If I filter on the broadcast IP address I also don't see the numbers corresponding to what I see in the show interface output.
GigabitEthernet1/0/1 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0014.a93f.7401 (bia 0014.a93f.7401)
Description: Interconnect
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 4/255, rxload 44/255
Encapsulation ARPA, loopback not set
[code].....
also I'm currently doing : monitor session 1 source int g1/0/1 both, and also tried just rx incase I just need to be looking at receive traffic but still nothing is standing out.
Is there away to disable the mulicasting of eigrp and hsrp to the end user ports on a 6509?
View 2 Replies View RelatedHow do I limit broadcast/mulitcast traffic on a switchport to e.g. 5000 pps ? I don't want the port to shut down, just block or drop broadcast traffic that exceeds 5000 pps.
View 19 Replies View RelatedI have a bunch of 3750x switches that each have a 10 gig routed link back to a central 4507 (loopback = 172.30.255.255).We carved up a /24 (of course, the /24 doesn't really exist except in our address tracking spreadsheet) into a bunch of /30's for routed WAN links and /32's for loopback addresses.We started on the low end for /30 subnets (ie 172.30.255.0/30, 172.30.255.4/30, etc.).We started at the high end for the /32 loopbacks (ie 172.30.255.255/32, 172.30.255.254/32, etc.)
Well, when I try pinging 172.30.255.255 from the access layer 3750x switches, the 3750x seems to be treating it as a broadcast ping where it lists each member that responds instead of the regular !!!!! response (this makes think something is odd with the 3750x). Of course, only one member responds (the core). But even the core seems to respond with the other end of the /30 instead of the actual /32 loopback (which makes me think something is odd in the core). I could have sworn that I've setup similar topologies without problems (ie, using 10.0.0.0/32, 10.255.255.255/32, etc as loopbacks) and as long as the mask is a /32, it should work.Also, I can ping/ssh to that loopback if my laptop is on a directly connected subnet. But I can't do it from any of the 3750x switches (which are also directly connected).I've double checked for overlapping subnets, but nope. I don't see any. Routing looks fine. The actual /32 is being propagated everywhere properly.
We run a network of several 2960G and 3650G switches in a network with a number of VLANs. One one particular VLAN (let's call it VLAN 10) it appears that non-broadcast traffic (i.e. normal unicast traffic) is being copied to every port in VLAN 10 only on one switch . The traffic is not crossing trunk ports and does not appear on other switches that have ports in VLAN 10. We first spotted this by noticing that a UPS port had an unusual amount of activity on our port througput graphs:
This traffic at 4 am is not expected and this profile is repeated across all ports in VLAN 10 on this switch (a WS-C2960S-48TD-L stack running IOS 15.0(1)SE3)\iffed one port using local SPAN (the UPS port) and discovered that this traffic was not broadcast, which was running at a normal low rate at all times. The traffic appeared to be unicast traffic from other ports of the sort you might see on a hub. It was from various hosts that live on VLAN 10, most (not all) of the conversations had one end station homed on the 'problem' switch. There are about 800 non-broadcast packets per hour and this is a busy VLAN so it does not account for all the traffic on the VLAN.
I have recently configured secondary ip address on LAN Interface of Cisco C6509.. We have some application which needs to use broadcast traffic communication to communicate with client... Broadcast is working within subnet & also working from broadcast server to primary subnet. But not working from secondary subnet.. I have checked broadcast within secondary IP range & it's working fine... Secondary not working broadcast with primary and also with broadcast server... broadcast address is different for these subnet but both should be communicate since configured on same interface... When I went through Cisco website found that command "ip directed broadcast" which will pass broadcast to different subnet... But I'm not sure whether any other impact if I enable that command on particular Ethernet interface...
View 6 Replies View RelatedI have a 1921 K9 with a 4 port 10/100/1000 EHWIC switch.
Interface 0/1 = 192.168.1.0
EHWIC = 192.168.5.0
I have Active Directory setup on the 192.168.1.0 network. When I attempt to join the domain from 192.168.5.0 it joins but I get errors. After some troubleshooting using portqry I have found that the services related to class map DomainTrafficUDP are being reported by portqry as being filtered regardless of policy map settings (currently set to allow).
Building configuration...
Current configuration : 18833 bytes
!
! Last configuration change at 11:20:25 NewYork Thu Apr 19 2012 by dave
! NVRAM config last updated at 13:56:45 NewYork Wed Apr 18 2012 by dave
!
[Code].....
We have a group of computers on their own VLAN. A router allows internet access while keeping them sandboxed. We don't want them accidentally connect to our production network. We blocked their wireless MACs in unauthorized WAPs. I'd like to do the same thing for their ethernet MACs on our switches, (a mixture of 2950,2960 and 2960G currently testing on C2960-LANBASE-M, Version 12.2(25)SEE2). I've been unable to locate the correct method on google, by searching these boards or in the command reference.
What is the best practice for blocking a group of MACs from accessing a particular VLAN on a network consisting of several Layer 2 Switches?
Blocking Ports don´t send BPDUs, but they can receive them from designated ports.Blocking ports, can it hold BPDUs?
I think that Blocking Ports only receive, analyse and then discard the BPDU.But, what happen if the blocking port receive a better o worse BPDU? in this case, must be the bpdu stored?
We've got 5 remote offices with cisco 881 routers, Win Clients behind them and all routers connected via vpn site-to-site to central software router.
Mostly all clients recieve ip addresses from routers in their subnets 192.168.x.024
We have Win DHCP Server in subnet 192.168.181.024
The problem is that some of clients,physically sutuated in 192.168.10.024 subnet, recieve ip addresses from Win DHCP server from 192.168.181.024 subnet.
Here's part of cisco cfg:
interface FastEthernet0
no ip address
!
interface FastEthernet1
[Code].....
I've run into an odd problem - I have connected two 2960s together with copper on FastEthernet interfaces, and STP on the new switch immediately puts that port into blocking mode. I don't understand why this would be, since there is only one connection between the two, in fact, there is only one connection at all on the switch that is blocking.
View 6 Replies View RelatedI inherited a Cisco ASA 5505 and am trying to piggy back the device off of an established Network. Here is the basic layout:
192.168.10.1 (Core Router - Handles DHCP/DNS)
192.168.10.9 (ASA 5505 - Piggy backing off of Network)
192.168.40.x (ASA 5505 - VLAN)
I'm able to get onto the Internet without any problems. Devices from the 192.168.10x Network can not ping the inside VLAN1 (192.168.40.x). However, I would like traffic going from the inside VLAN to the Outside VLAN to be blocked, except for 192.168.10.1 and 192.168.10.9. I've tried using ACL's but end up killing my Internet connection. 192.168.10.1 is the default route and is how I get out to the Internet. Is this possible? Essentially, I'm trying to set up a small Network that guests can connect to. The idea is that they can get to the Internet, but that is it. They can't get to internal resources on the 192.168.10.x Network
Here is the config:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password EeCsulrpu.9LalEE encrypted
[Code].....
I have a strange issue where spanning-tree is blocking vlans through a mesh network.Here is my set up.
2-Cisco 3560's that have two trunk ports set with do1q and a native vlan of 2. I'm allowing a client vlan (2) and a voice vlan (103) to come over the trunk. They have a native vlan of 2 so the mesh APs can get an address through DHCP. Spanning-tree loop guard is also enabled.
When connected to the mesh network, the voice vlan is being blocked by spanning-tree. I get the following erros:
000129: *Feb 28 19:24:58.289 EST: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/1 on VLAN0103.000130: *Feb 28 19:24:58.448 EST: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/1 on VLAN0103.
Eventually the loop is cleared and the port is set back to a forwarding state from a blocking state. I don't want to disabled spanning-tree loopguard since I don't want to create a loop. The mesh network is supposed to act as a P2P connection between two switches. As a test I disconnected the APs from their trunk ports. I then used a cross over cable to connect the switches and no spanning tree loops occured. The mesh doesn't have STP enabled on it and should just be acting as an over-the-air connection from one switch to another.
We have a Cisco 2911 router in our company. I didn't set it up myself nor I was involved. I only started working here recently, bit over 3 months ago. I have been given ongoing task which other IT Technicians been struggling for almost a year with a idea that maybe because I'm fresh person in the company I will find a original idea why could this thing not work.
Our router have a problem with blocking a single IP address, but not completely It's hard to explain but I will try my best. Company is hosting their website externally and accessing the host and FTP on the host on daily bases. It is important for the website to work on the internal network in company. It does work sometimes, but from time-to-time the website showing time-out error 118 on any point before Cisco router using both http and https, have tried putting just the IP address( doesn't matter is it on the general network or last ISA server on DMZ ). I am able to connect to the website using any of proxy gates but not directly to the website. I have also tested the connection past the router and I was able to connect to the website without any problems. I am also able to ping the host's address from the router and internal network.
I have eliminated the possibility of not correctly setup proxy or firewall on the network as problem also occur on the DMZ. I have also checked access-lists on the router and firewall rules for Any possibilities and I can't really see a way why would the router do this.
I have a connection between switches, There are a 3560 (Gi0/37) and a 2960 (Gi0/1), the problem is in the port Gi0/37 of the 3560 switch and this is the log. [code]
I dont understand what is the problem, actually i have added the command power inline never on the port and the problem is solved, but we haven´t changed configuration.
I have a cisco2960 with c2960-lanbasek9-mz.122-50.SE4 imagebase.This switch is connected with 3 unmanaged switches.Though 2960 is managed and only a single vlan is given accessed to connected other unmanaged switches.Problem is this, if at user end, a laptop is connected ( Microsoft Vista OS) and its IPv6 is checked in the LAN properties settings then the laptop's IP address changed from our VLAN to 192.168.100.x series and due to this other connected user's DNS addresses become changed.Hence I want to block this IP or its MAC on Cisco 2960.
View 1 Replies View RelatedI have a stack of Catalyst 3750E switches.
IOS image :c3750e-ipbasek9-mz.122-55.SE3.bin
I have been seeing multiple occurance of the below message in the switch logs.
"Failed to send hrpc non blocking message"
I could not find a relevant reference for this message in the Cisco.com.
We had a core switch (Cisco 4503), distribution switches(Cisco 3750) and access switches in our network and consists of many vlans. Almost all vlans uses DHCP Pools. But for few vlans DHCP is not yet configured due to initial design poblems. Recently one of the rogue user in vlan 1 connected to one of the access switch send rogue arp packets to the network (suspecting arp packet with interface vlan 1 ip of core switch with wrong mac-address (gateway ip of vlan 1)) and resulted in a prolonged network outage for the vlan 1. Any way we are going to seggregate vlan 1 into different vlans, but before that we need a temporary plan to block such kinds of attack like enabling DAI in the switch. I have checked the DAI implemenation feasibility with my knowledge and found that it is not possible to configure to the access switches(Cisco 2960) in which the user directly connected. But found that Distribution switch connected to that particular access switch seems to be able to configure since DAI commands are available to configure in switch.
Is it possible to block ARP packets with the interface vlan 1 IP Address with rogue mac-address by configuring DAI in the above mentioned Distribution switch and the port connected to the mentioned access switch?
I'm just getting started with cisco kit so you will have to bare with me.I have a cisco 1841.i have a very wierd issue of routing...i cannot ping and browse through this.
View 3 Replies View RelatedI have a problem accessing my wireless router through VLAN sub-interface on my Cisco 1841 router. My hardware:
Cisco Catalyst 2960 switch (192.168.100.4 /24)
Cisco Catalyst 3550 switch (192.168.100.6 /24)
Cisco 1841 router (192.168.100.7 /24)
Asus RT N66U wireless router (192.168.100.2 /24)
Here's my network topology:
I have two VLANs - 10 and 20. 2 DHCP pools are configured on 2 1841's interfaces - 192.168.1.0 /25 and 192.168.1.128/26 with default router sitting on 192.168.1.1 and 192.168.1.129 respectively. No issues with obtaining IP address from any of those pools.Laptop connects to L3 3550 switch (switchport access vlan 10), which, in turn, connects to 1841 router through trunk (with VLANs 10 and 20 allowed).3550 is connected to 2960 through trunk with VLANs 10 and 20 allowed.Wireless router is connected to 2960.I can successfully ping my wireless router and outside world from 1841 from fa0/1 interface, but not from fa0/1.10 or fa0/1.20 sub-interfaces - all packets got dropped. My laptop can obtain IP from both pools (depending on port I connect it to), but can't ping my wireless router and anything beyond it.
I attach my configs:Cisco Catalyst 3550:interface FastEthernet0/1 switchport trunk encapsulation dot1q switchport mode trunk switchport port-security mac-address sticky speed 100!interface FastEthernet0/2 switchport trunk encapsulation dot1q switchport mode trunk!interface FastEthernet0/3 switchport access vlan 10 switchport mode access!interface FastEthernet0/4 switchport access vlan 20 switchport mode access!Cisco 1841:
ip dhcp pool Vlan10DHCP network 192.168.1.0 255.255.255.128 default-router 192.168.1.1 dns-server 208.67.220.220 domain-name home.local
!ip dhcp pool Vlan20DHCP network 192.168.1.128 255.255.255.192 default-router 192.168.1.129 dns-server 208.67.220.220 lease 0 12
interface FastEthernet0/1 ip address 192.168.100.7 255.255.255.0 duplex auto speed auto!interface FastEthernet0/1.10 description VLAN10 Sub Interface encapsulation dot1Q 10 ip address 192.168.1.1 255.255.255.128!interface FastEthernet0/1.20 description VLAN20 Sub Interface encapsulation dot1Q 20 ip address 192.168.1.129 255.255.255.192!
Routing table on 1841:
[code]....
Why the below configuration does not work? BGP exchanges routes without a problem all the time the distribute list is removed from the config. When I apply the distribute list it blocks all routes, not just those intended in the prefix list.
[CODE]....