Cisco Switching/Routing :: 2600 - Accessing Servers / Ports From One VLAN To Another
Jan 24, 2013
I’m working with a managed switch that has three V LANs setup on it. Recently the domain changed and the wireless V LAN can no longer access the internal website. I found access rules, in the switch that allowed the wireless V LAN to use the DNS server on the private/staff V LAN. Their DHCP scope is on the switch and DNS is set there. The Website is also on the V LAN with the DNS server. This configuration totally cuts out external DNS usage. It stopped working though. It is as if when things switched on the Domain the wireless users were denied DNS requests. The switch was not touched at that time. I’m looking at it though and it seems that I may have conflicting rules.
The version is 12.2. I believe its a Catalyst 2600~
DHCP scopes: ip dhcp pool INSIDE network 192.168.1.0 255.255.255.0 default-router 192.168.1.1 dns-server 192.168.1.6 192.168.1.4 domain-name saline.lib.mi.us
ip dhcp pool WIRELESS
network 172.16.0.0 255.255.255.0 default-router 172.16.0.1 dns-server 192.168.1.6 192.168.1.4
Here is the V LAN Setup:
Interface Vlan1
ip address 192.168.1.1 255.255.255.0
[code]...
Here are two access lists that should be allowing the traffic from 172.16.0.0 into the list IPs/Ports. These do no work.
During my testing I removed the Deny rule and everything worked. deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
However, the “ permit ip any any “ rule, makes all the port rules pointless because when this rule is in place solo, I can ping and access everything on the 192.168.1.0 network. Is there a way to deny everything, except what I permit? Because when I remove the ip any any, then they cant even get out. Perhaps there a better way to say, the wireless users can get out but only get into the sub net over specific ports? I have a feeling it may have not be thought out entirely when initially created. However, the big mystery is that it worked before secondary domain controller failed.
My network generally runs older routers (2600 series) with 16 port switch modules (NM-ESW-16). This has always worked great since I can configure the router and the switch ports on the fly, making changes to either as necessary. Well I am upgrading to 2811 routers, and we wanted to get gigabit ethernet ports on our switch modules. I think I made an error when I purchased a few of these switch modules: NME-16ES-1G.
The first problem, is that the switch ports don't even show up on the router config, I have to establish a session into the switch, (And I can't seem to get back to the router unless I manually switch off power and restart). I don't like this type of switch module, it's like I'm running a completely separate device, and while having a layer 3 switch is cool, It doesn't let me setup routing protocols so I don't like doing it this way. I want to go back to using a switch module that simply adds a ton of ports to my router like the NM-ESW-16. (Note: The NM-ESW-16 does actually work in the 2811 and would be perfect if it were Gigabit speed.)
The seconds problem is that the NME-16ES-1G isn't actually a Gigabit switch. It has a single gigabit port, but the 16 ports are all Fastethernet, and not gigabitethernet. So ideally, I am looking for a switch module that I can fully configure from the router interface that has 16 gigabitethernet ports, and works with a 2811. IE I want to do this. [code]
I have a LAN with 6 vlans and a 2821 router. By default, intervlan routing is enabled for all vlans, however, I want specific vlans to be denied access to others, though all should still be able to use the Internet being served from GE/0.
Before these servers were directly connected to the internet with two nics (Nightmare, I know). The Public IP on internet facing NIC and private ip on LAN facing nic. I'm in the process of changing this.I'm able to access internet from my vlans and also able to send emails but cannot receive emails on these servers.
My router congif is as follows:
Building configuration... Current configuration : 6234 bytes ! version 15.1 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone
New to Cisco and want to know if I can segment a port. I have two v lans. I have one internet connection at the opposite end of the building. Can the port the internet is connected to serve both V lans?
I have two questions for a Cisco 2960 (WS-C2960-24TC-L)
1. I am working to setup a few Cisco 2960 switches for HP iLO access to our servers. We are going to segregate the iLO network (VLAN 40) from the data network (VLAN 10) by using a different VLAN. All of the HP servers will be configured with static addresses. My question is, how do I set all the ports to VLAN 40 so that untagged devices will automatically go onto VLAN 40? I don't want to have to configure the VLAN on each iLO port on the server. I tried to set the port to: "switchport trunk native vlan 40", but that didn't work.
2. Also, how do you access the web GUI for these switches? I get a login box, but putting in the enable password doesn't work. I have the following commands in the config: [code]
Is it possible to assign 2 ports to a vlan on this switch and have the 2 machines connected to those ports be able to see each other without having to go off of the switch? If so, how would it need to be setup on the switch?
At present we are having a 4900 series switch where we are running one monitor session.Additionaly we are in need of capturing VLAN traffic and set the destination to 2 * GE ports , both are in the same switch.Due to the limitation of two monitor sessions per switch , we thought of putting the destination ports as port channel but it looks like it is not supported.
I have a Cisco 6509 with IOS "s222-ipservicesk9_wan-mz.122-18.SXF16.bin"I need to enable dot1x on user's ports on the switch. each user is connected to the switch through the IP phone.
I just found out that I can not enabled dot1x on trunk port. I have tried to use "switchport voice vlan " but I got:
I have a Cisco ASA 5505 with the base License. I want to split my network and add a new Internet Access, the first network in Orange works fine. My question is how can i access the file server from the second network (192.168.X.0 /24) ? The 3 switches are Cisco SF300-24P.
I have some problem in my small network.I have 2 SF-300 48 port switches and connected to 847 router for intervlan routing. I configure 7 vlan in SW1 and uplink to SW2 with trunkport.
The problem is that if i used default gateway for users ip address of interface (vlan interface) is ok. I bring two adsl modem and connected to vlan1 and vlan2 for internet access. When i connected this two modem vlan 1 and vlan 2 are not going to access other vlan 3,4,5,6,7 and wise versa.
vlan1 users getting default gateway from adsl modem ip, how i can permit this two vlan should to access other vlan 3,4,5,6,7 and 3,4,5,6,7 should access to internet also.
Was just wondering if we can segregate users using subnets and not vlans in cisco switches? We have few groups we want to segregate onto different subnets, but don't want to use Vlans. Apparently I have been told that vlans do way too much packet processing and slows the network.
we are working on a school network. Want to segregate staff/students/admin.Further segregate students by year levels. This means if we were to use vlans we would have around 15 vlans. will it slow the network? (thats what I have been told and i dont agree to it). How to implement this topology without vlans and by just using subnets.PS: we use Juniper EX4200 (layer3), Juniper EX2200 x15,H3C 3100 x16 and cisco 2600 x1 switches on campus.
- I have an older router 2600 running 12.1(4) IOS. - There are a few clients connected to it via the frame relay connection. - There is an IP that clients access 192.168.1.10 for example - We need to do a NAT for this IP for one specific client only like "ip nat inside source static 192.168.1.10 1.1.1.1" - However if I do that, that will effect other clients too - On the interface for this client I'll be using "ip nat outside" - Is there a way to accomplish this without effecting other customers?
I've been working with these two Cisco devices in my home off and on for several months now but I just can't take it anymore, I'm about to throw them away and go back to Linksys router.
I have a Cisco 2600 Router with only one Ethernet card in it so I have to trunk from my 3550 Switch to that device. I'd like to have my ISP and all users plug into switch and all trunk back to the router's sub interfaces. Currently, I have started over...again, and am unable to simply get the router and switch to ping each other if I put sub-interfaces on the router. See my configs:
2600 ROUTER: Router#sho run Building configuration... Current configuration : 555 bytes [code]......
3550 SWITCH: Switch#sho run Building configuration... Current configuration : 2302 bytes ! version 12.2 [code]..........
Port F0/24 is in VLAN 1, as are all ports but Port F0/1 which is my desktop PC. I mocked it up in Packet Tracer and it works just fine. This is just a simple setup and I'm making sure I can ping between switch and router before I move to each next step.
I am trying to configure SDM 2.5 on a cisco 2600.I have access via telnet to the router and was able to change the enable password - which i think is level 15 (right?) and setup (and bring up) the ip on the ethernet interface. I can ping - and get response from - the router Trying to install SDM on the router i need to provide the default username i tried both admin/administrator but SDM can't communicate with the router?
Got a problem accessing our webservers on the inside interface from other clients on the inside interface on our ASA 5505.As in, they type in url... in their browser, and it wont work.
However, if we use a PC on another outside network, it works just fine! [code]
We have recently leased an internet connection in our office which comes from the service provider as radio link and BW is 2M. I have clients more than 60 that will share the connection and access internet. I have configured a Cisco 2600 router as below:
Building configuration... Current configuration : 988 bytes ! version 12.2 no service single-slot-reload-enable no service timestamps debug uptime no service timestamps log uptime
[code].....
So far I have read regard NAT it degrades performance as it need to translate every data packet comes from the source and goes to internet. So a question comes in my mind is there any other way how I can share this connection among users with private ip address? Or NAT is the only method to share internet connection among users with private ip addresses?
I am connecting a 2600 router to an ISP. Interface 0/0 is connected to the ISP using DHCP. Interface 0/1 is connected to the inside providing DHCP services to the inside. At least it should only be providing DHCP services to the inside. I also have a public static IP that is NAT to a private static IP. Everything is working except the computer on the static IP. From the router I am able to ping inside and out from each interface. I am able to ping both interfaces of the router from the computer on the static IP but I cannot ping outside the router. If I do a debug all I see a reject for the gateway of the static IP but it has “mobile IP” in the text string. Not sure what mobile IP is relating to. Networks are as follows:
0/0 DHCP 10.X.X.X 0/1 192x.x.x Static 75.X.X.X no ip dhcp use vrf connected ip dhcp excluded-address 192.X.X.1 ip dhcp excluded-address 192.X.X.2 ip dhcp pool CLIENT
I have a 2600 Router series and I cannot remember the Password. I have tried following web pages that state to use control Break on the boot up but its not working.can reset that pw and write erase my configuration file?Here is my boot up. I have tried hitting control break at the very beginning over and over and then again when at the cold boot it has not worked....
System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)Copyright (c) 2002 by cisco Systems, Inc.C2600 platform with 131072 Kbytes of main memory program load complete, entry point: 0x80008000, size: 0x1c9468cSelf decompressing the image : ######################################################################################################################################################################################################################################################################################################################################################################################################################################################################## [OK] Smart Init is enabledsmart init is sizing iomem ID MEMORY_REQ TYPE00036A 0X000B3B80 C2610XM Single Fast Ethernet 0X00098670
I have a cable modem with my 2600 Router and i have a little speed problem when I'm going out to the web via my F0/0.. according to regular speed test sites my speed is around 20mbps but when i hook up to my modem directly i get a solid 40mbps.. now I've changed my Cat 6 cable from my modem to my router and this are my settings in the router.
[Code] ...........
I see some drops and lost carriers but not sure what those might mean?
I'm trying to configure a disco router 2600, my internet connection is via a cable modem. I get a dynamic IP from the cable modem but when I ping to any external IP I have errors.Copy show config and show interface f0/1
GUEST#show config Using 1103 out of 29688 bytes ! version 12.2 service timestamps debug uptime service timestamps log uptime no service password-encryption [ code]...
I have a Cisco 2600. I would like to know how to redirect traffic going to a certain IP address three hops away to an IP address on a locally connected segment.
Ex. Packet leaves a device with source IP of 10.10.10.10 and destination of 20.20,20.20 When the packet hits the router (10.10.10.1) I want the router to redirect the destination of 20.20.20.20 to 30.30.30.30 (locally connected segment).
The router has two physical interfaces.I am thinking along the lines of creating a VLAN with an ip of 30.30.30.1 and then doing a NAT translation from 20.20.20.20 to 30.30.30.30.
Got an ASA5525-X with 8.6 release. We have an inside interface (10.11.1.0/24) and a DMZ interface (10.254.1.0/24). On that DMZ interface theres an SMTP server; by using the Public server feature in ASDM we created a rule so we have mapped the 10.254.1.29 internal ip to an external ip 217.x.x.x Everything is fine; working ok, but for several reasons we need to access the public ip 217.x.x.x from an inside ip (10.11.1.10). I tried to do it by creating an exemption for the dynamic nat; if i don't do that i have a 'deny ip spoof from...' message rolling on my syslogs.Seems to do the trick.....but only for pings! i ping the public ip from the inside ip, and got the reply from the internal ip on the DMZ. But if i want to telnet port 25 from inside to public; its not working.
I just moved from a Linksys wired router to the Cisco EA2700 wired/wireless router.I have three web servers on my network that serve up content via standard web URLs. For example, pretend www.domain.com pointed to the WAN side of my EA2700. Port forwarding routes port 80 traffic to the server, located on an internal, private IP (ie, 192.168.1.21).All works well when accessing these servers from outside my network (I checked this via my mobile broadband connection). But when I'm on a workstation internal to the same network as the servers, I cannot connect to the servers via the web URL. Of course, I can hit them via the IP or an internal-only DNS network entry. For example, when on 192.168.1.55 on a desktop machine, and I type the URL in the form www.domain.com, it just hangs and times out. I was able to do this on the old Linky router. Traffic should go stop at the router and be re-routed back internally to the port-forwarded server - but it does not.
I have to route properly via the web URL and not the internal DNS name or IP addy, as I am running virtual web servers on IIS on one of the servers.Is there a setting I failed to set on the EA2700?
We have Cisco IP phones behind a 2600 series router:Most of the time when the PBX receives a packet from the phone, the source IP of the packet is set to the public IP of the router (1.2.3.4) as expected. However, once in a while, we get packets (at the PBX) with the source IP set to the private IP of the phone (10.0.0.12).The router is configured by our provider, and they can't give us any explanation for this behaviour. Is it safe to assume that PAT is not configured properly at the router?
So I have a 2600 that I have configured three sub interfaces on. FA0.0.1 is set for DHCP and supports VLAN 1. FA 0/0.2 for Voice, FA 0/0.3 for Data. I have this router interface plugged into FA 0/24 on my 3550 and the 3550 is configured as a dot1Q trunk (I have attached configs for RTR and SW).I have most ports configured as access VLAN 1 which is where i have my ISP connection plugged FA0/1 on the 3550. When I connect the service provider link FA0/0.1 never picks up an address. If I take my internal DHCP server and connect it to FA0/1 of the 3550 it snags an address almost immediately.In my mind this validates that my config is fine. I also took the same cable from the service provider cable modem and connected it to my laptop and the laptop is pulling DHCP.
I have been saving money to build my ccna voice lab. Recently I bought 2600 and 1700 series routers.One of the 2600 router needed a password recovery so after a refreshing nap i got to work.
During the password recovery procedure, I mistyped confreg 0x1242; by the time I realized my mistake, my computer screen was full of "C" characters Now the whole story is i can not console into it.
Edit:After some research, I found If I use the baud rate 1200 in hyperterminal.i will be able to console into it.When I did that, I noticed that Rommon kept incrementing as:
How to configure my serial modules on my 2600 and 3640? Each router has the WIC-2T with two cables connecting them. I tried to ping one router from the other, but no luck. Serial IP address I just made up, this is my home lab, so if I messed those up some how,
Here is the running config for each rotuer:
2610: Current configuration : 1071 bytes ! version 12.3 [Code]...
I recently lost my configuration when attempting to reset the password for our Cisco 3560g switch, the switch connects to a Cisco 4506 switch via fiber back to our main office.
I have the switch temporarily routing all traffic to our 4506 by using the default route of 0.0.0.0 0.0.0.0 10.10.10.254 but the same switch is connected to a cisco 2600 router that is on a 10.10.20.0 network and the 3560g is on a 10.0.0.0 network.
Host computers sit on the 10.0.0.0 network, but they need to go to the 10.10.10.0 network for internet, domain, etc the same computers need to go to the 10.10.10.20 for remote connections and other services.
The address of the 3560g is: 10.0.0.254 The address of the 2600 is 10.10.20.2
When the default route is set to 0.0.0.0 0.0.0.0 10.10.10.254 (4560 switch) domain browsing works perfectly When the default route is set to 0.0.0.0 0.0.0.0 10.10.20.2 (3560G) switch I can ping any ip address in that range and the address on the other interface ip adresses on the 2600 (eg. 10.10.30.1 / eth2, 10.10.40.1/ eth3 etc.)
I have tried to weight the routes after adding them both to the configuration, but that doesn't seem to work at all.
The switch connects back to the office via vlan1 (10.10.10.253) The 2600 is connected to port 1, which belongs to Vlan2 (10.10.20.1) And client computers sit on ports 2-12 belonging to Vlan10 (10.0.0.240)
So in a nut shell, how would I go about setting it up so the machines on 10.0.0.0 can connect to 10.10.20.0 and 10.10.10.0 and vice versa at the same time? Everything was working fine until I rebooted the switch (3560g), which makes me think the person that configured this before me didn't save the running config to the start up config.
