I have a network with 3 segments and a 2921 router.v172.16.5.0/24, 172.16.0.0/27 and 172.16.2.0/23 .
I want to block all 135 TCP traffic from/to IP 172.16.5.5 to any host in other segment, but only TCP port 135 and only to the specified IP.
is it possible to shutdown a specific port on my 3750x and monitor this port at the same time .for example , im dealing with a mac authenticated network using port security , i want to shut down all the ports that are not used at the moment , however , if some one gets connected to the one of the shutdown ports i want to know the mac address of the user or atleast to know that i have someone who is just plugged in to the one of the shutdowned ports .
View 4 Replies View RelatedHow can I implement this with Zone-based Firewall on my 1921?
I'm looking for something as simple as the port triggering function on a Linksys or Netgear router.
when plugging a Cisco 7060 to the specific switch port it does not power on. The inline power consumption is abnormally high compared to the other phones that are plugged in, maybe double the amount.
non Poe devices work on the same port.
I used multiple cables and phones.
Ask this question, if someone came across a 6513, one of the RJ45 ports are constantly falling.The question is how to disable logging on a specific portno logging event link-status does not work.
View 1 Replies View RelatedWe are using catalyst 2960S Lan Base IOS on Radio towers. We just bought 50 Accest points, thas are GPS synchronized. Problem is the APs need to be connected on L2-mac betwen each other. But at this time we are using port isolation on each switch (tower) by protected port function to isolate clients from each other.
My question is, is possible to specifi a Mac addresses in specific vlan thats can comunicate betwen protected ports? On tower is one Master unit and others are slave. I thing there is only 1 dirrection comunication - from master to slave.
I am looking to simply monitor Port-Security , Error-Disable and HSRP. I would like to receive an email when any of these are triggered.
Port Security - Port Is shut down
Err-Disable - Port goes into err-disable state (securedown)
HSRP - When HSRP standyby changes are detected
I need to receive emails with any of the able are triggered. What is the easiest way to do this? I know SNMP is the main option but I have never worked with SNMP and dont understand it too much.
Equipment:
2x Cisco 1921 series routers
3x Cisco 2960 POE switches stacked
I am trying to filter ARP answer arriving on a C6500 trunk port, for a specific vlan.Filtering conditions are:
- packet arrive from vlan ID x on the trunk (on only for this vlan ID)
- source MAC address = xx:xx:xx:xx:xx:xx
Thae aim is that the C6500 with never enter into its CAM table this MAC address.I looked at several methos like service policy or vlan filter, but no solution for the moment.
Is it possible to deny all access except specific IP's to a service on a Dlink DIR-655 ?Say a web server on port 1234.The allowed IP's are not in a range.
View 1 Replies View RelatedIs it possible to configure the span(switch port analyzer) port and restrict it to only listen to ingress and egress of TCP/1433 from the source port?
View 2 Replies View RelatedWe want to puchase new Cisco ISR 1921/K9 . i want to know does it support the following sample IP-SLA commands
ip sla 2icmp-echo 172.16.1.2timeout 500frequency 1ip sla schedule 2 life forever start-time now
track 10 rtr 1 reachability
delay down 1 up 1
!
track 20 rtr 2 reachability
delay down 1 up 1
ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 10ip route 0.0.0.0 0.0.0.0 172.16.1.2 track 20
Im asking above question because we will need to enable ip-sla on the mentioned router. as i read on the cisco webside, it says Cisco-ISR-1921/K9-IP Base support only IP-SLA RESPONDER feature nothing else. If Cisco-921/K9 does not support the above commands , should i go for ordering Cisco-1921-SEC/K9 ?
Does PBR with deny ACL entries on a 3750 are still punted to the CPU? I found this article: URL
High CPU Due to Policy Based RoutingPolicy Based Routing (PBR) implementation in Cisco Catalyst 3750 switches has some limitations. If these restrictions are not followed, it can cause high CPU utilization. You can enable PBR on a routed port or an SVI. The switch does not support route-map deny statements for PBR. Multicast traffic is not policy-routed. PBR applies only to unicast traffic. Do not match ACLs that permit packets destined for a local address. PBR forwards these packets, which can cause ping or Telnet failure or route protocol flapping.
Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which can cause high CPU utilization.
In order to use PBR, you must first enable the routing template with the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template
I checked the latest config guide, and those same guidelines are still listed. If that limitation is still there, are those packets switched at the process level (ip_input) or the interrupt level?
I am trying to configure an IPSEC tunnel on a 1921 router. What I hope to accomplish is that using a IP SLA that the IPSEC tunnel will only be brought up IF the normal WAN connection is not responding. My thoughts were to route the traffic that needed to come back to corporate through a loopback interface but I havent found a way to do that.
View 1 Replies View RelatedI use a router RV082 with load balancing. My problem is when I try to access a specific site, I get the error message that my IP address changes and I can not use 2 ip address. I want to specify an ip range to always use the same WAN port.
View 2 Replies View RelatedIs it possible to enable an absolute value rate limit using QOS on a HP ProCurve 5406 switch for a particular IP range on a specific port? Is there a way to configure our HP 5406 with an absolute rate limit on "WAN" port for that server's IP range? I would like to limit it to only being capable of sending 1Mbps worth of traffic over the head end at once.Everything in the documentation points towards priority queues, which as far as I can tell, isn't really what I want.Baring accomplishing this goal using rate limiting is there a better way to prevent our services from accidentally saturating this connection?i thimkong about somthing like that:
class ipv4 rate-limit-port-A1
match ip 10.136.0.0/16 any
exit
policy qos port-a1-ratelimit
class servers-to-be-slowed action rate-limit kbps 1000
exit
interface A1 service-policy port-a1-ratelimit inI'm not sure about this.
force something such as a Telnet client to use a particular outbound port when opening the TCP connection?
View 3 Replies View RelatedI have 5 VLANs, I assign VLANs to its ports and make them all Untagged.I created ACLs and a ACE rules for each ACL, and then assigned to the ports.So what i am trying to do is to deny access to from one port to other 4 ports and granted access to any other ports. But it is not working, without last rule "allow any any" it has no access to any ports, with the last rule it grants access to every port even to those I denied.Router in Layer 3 mode, all VLANs have their IP's.
At some moment I was able to work it properly but without using any rules, I just tagged my untagged VLANs to those ports which I wanna get access to. As you can see I want allow ports GE1 - GE4 communicate with 1 to 24 ports but not to each other.
(Setup routing and iptables for new VPN connection to redirect **only** ports 80 and 443) Only my goal is a bit different. I am running a headless gui-less install of Ubuntu Server 12.04 that is being used for a variety of different purposes... I would like all traffic to travel un-prohibited through my ISP except for my transmission traffic. I have a VPN i subscribe to that allows me access for which I only want to direct a single port's traffic to. I am currently using a modified version of the code from the above link. My current code is below:
#!/bin/sh
sleep 200
DEV1=eth0
[Code].....
I have the following config using a Cisco 1921. I am trying to get devices on the the native VLAN to get internet access via the gateway x.x.x.73.Any thing being routed from the other Vlans 15/20/30 can get access, but nothing from an internal IP address. Is there something I am missing.
The Xs replace the same 3 octets for each interface.I am trying to route from VLANs 15/20/30 to see VLAN 5. I have tried a few things, in terms of adding extra ip routes, but can't get anything to work. Each of those Vlans have another router on the other side of them, which I have also tried adding ip routes too, but nothing. One of the routers (Vlan15 is a Draytek 2830). [code]
I will be installing two Cisco 1921 Routers to connnect a T1 between two offices. We are changing out our current AdTran routers as we would like to bridge three VLAN's across the T1 link. I followed the instructions at (URL) shtml to the best of my ability and my two Gigabit Ethernet ports are tied into a bridged virtual interface (BVI1). I then assigned a IP to BVI1 and another to my Serial0/0/0 then made a route to get to the other side of the T1 and a defualt route out our proxy. What I want to do now is setup QoS to make sure my voice data gets priority.
I setup a QoS ACL called "Voice" with the TCP and UDP source and destination ports that our phone system uses. I then setup a QoS policy on the Serial0/0/0 outgoing interface called "VoiceTraffic" and under the "match" list I match DSCP 46 or my "Voice" access rule. For the action I turned on "Queuing" and set it up for LLQ at 50%. Does this sound about right? Is there anything els eI can setup? I tried ot setup something else on the ethernet side but because they have the BVI I can't. I read some article sin this forum that said I could still apply QoS to the GigabitEthernet ports even if they are in the bridge group but it doens't let me do that.
How do I set a password? new Cisco 2911 router, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4 ?
View 6 Replies View RelatedI am setting up a new 1921 for a public library and I am running into a problem and I bet I am missing something simple. All the internal stuff works and I can ping the outside IP on the 1921 but can't go any further to the internet. The 1921 has the 2 gig ethernet ports, 0/0 is connected to a DSL getting DHCP settings fine from the DSL modem. The other gig ethernet port 0/1 is running the inside network and its function fine, I have a server on it and other clients and they can ping and get dhcp settings etc.I've pasted the config output below and IP addresses of the main actors. [code]
View 1 Replies View RelatedHow I can upgrade the iOS from CISCO 1921 ISR? Without losing my configurations.
View 3 Replies View RelatedI have already ordered a Cisco ISR 1921/K9. but as i read on Cisco website, it is written that Cisco 1921/K9 only support (IP SLA Responder) feature.
I don't know actually what is sla- responder. but our requirement is we will connect that Router 1921/K9 into 2-ISP links and i want to enable IP- SLA probes on that router so that it can track both the routes into those isp links. so my question is does CISCO 1921/K9 have the support for what i need ?How about Cisco 1921-SEC/K9 ?
I need to set up a L2 llink between my LAN and this 1921 router. I though IRB would do it but its not working yet. Here is the topology- I dont want to see another hop on this 1921 rtr so I hope I can just trunk it or something with IRB. Not working.
View 6 Replies View RelatedI have recently configured a cisco 1921 router for internal routing on my network. Here is what i am trying to accomplish:
Main network 10.65.1.0 mask 255.255.255.0- all office devies and computers.
Second network 10.65.2.0 mask 255.255.255.0 - All plant equipment machinery and production lines
i have configure gig 0/0 for my company network and gig 0/1 for my plant network. I can ping the router from both networks but am unable to route traffic betwenn them. what am i missing?
Im having some major issues with my new setup. I have a Cisco Router (1921ISR) that is connected to the internet through a t1. In addition to that is another cable modem. Each of these are connected to my firebox through an external interface.My router is on the 10.1.10.X network. My internal network is 192.168.1.X I have several NAT statements on my router pointing to 10.1.10.X addresses. These addresses are defined on my firebox as seconday external addresses and I am SNAT'ing them to 192.168.1.X addresses on my local LAN.This is mostly working well for everything. However, there is an FTP I am connecting to through the a VPN on the cisco that will not connect. The source is a 192.168.1.X address.
View 1 Replies View RelatedI have an ASA 5510, with Ethernet0 connected to Internet via a T1 line, Ethernet1 connected to LAN1, and Ethernet2 connected to LAN2. LAN1 & LAN2 are independant, but share the Internet connection, via the T1 line. On LAN2, I have another router that connects to the Internet, via a Comcast line. I wish to route some of the traffic on LAN2 (10.38.77.0) to the other Router, on LAN2 (10.38.77.12) (connected to the Comcast line). I have entered the following lines:
route inside2 10.11.0.0 255.255.0.0 10.38.77.12 1
route inside2 10.252.0.0 255.255.0.0 10.38.77.12 1
route inside2 172.22.6.0 255.255.255.0 10.38.77.12 1
I can trace the routes from the ASA 5510 (1st hop is to 10.38.77.12), but not from anything else on LAN2.
I am attempting to filter a specific host(s) from my OSPF routiing table on a ASA 5550 (ABR) using LSA prefix lists. However, when I look at the other routers in that area, I notice that ALL LSA type-3's are being removed (10 hosts are now missing from the routing table). I have verified the filter is working on the ABR, but I can't figure why ALL hosts/routes that were coming into the area are now being filtered instead of the specific one that I want to filter out.
Here is the config on the ABR:
prefix-list pdm_pl_000 seq 10 permit 206.253.180.137/32
!
!
router ospf 1
network 10.0.0.0 255.255.255.0 area 0
network 10.150.10.0 255.255.255.0 area 10
network 10.150.252.0 255.255.255.224 area 10
[code]....
The 206.253.180.137 host is actually coming from Area '3'. Am I doing something that is removing all type-3 LSA's?
We purchased a cisco 1921 router to replace a software firwall not long ago. The router was sold as a firewall with the suggestion that an ASA would be unnecessary.Unfortunately a router does not replace/do the jobs a firewall does, so I looked online and noticed that Cisco do offer firweall security features in one of their IOS.How do I tell if this is implemented on my router?If not, does my IOS support this, or do I need to buy an extension/another version of the IOS?,The version of the IOS I have is: c1900-universalk9-mz.SPA.151-4.M4.bin.
View 3 Replies View RelatedThe Cisco 1921 router has two routed adapters. One is GE0/0 which I am using for my WAN interface. It is working properly. The 2nd interface is GE0/1 which is being used as my internal adapter. It is running NAT. When I attempt to reach the internet it fails while checking the exit interface. Here is the report.
AttributeValueRouter ModelCISCO1921/K9Image Namec1900-universalk9-mz.SPA.151-3.T.binIOS Version15.1(3)THostnameBulldog
Interface Details
AttributeValueInterfaceGigabitEthernet0/1IP address192.168.1.1DescriptionNOC Link Test Activity Summary
[Code].....
I have a brand new 1921 router that I can't login to using cisco/cisco. Is there a new password?
[URL]
I don't have physical access so I can't reboot it until Monday. Just wanted to get it working today.
I am trying to decipher the differences between the two models of the 1921 router. One has an IP Base IOS and the other has a Security IOS. I have an ASA so I don't think I need all the Security IOS bells and whistles on an internal router. Although, does the IP Base IOS allow for trunking and sub interfaces? I definitely need that and on CDW's website it says that the 1921-Sec/K9 w/ Security IOS includes 802.1Q and that spec is not listed on the 1921/K9 IP Base IOS model.
View 3 Replies View Related
