Cisco Switching/Routing :: 2955 - Can't Use Interface Range To Restrict By Mac Address
May 20, 2012
I need to only allow 5 Mac Addresses on a range of ports on a 2955 switch. If I do the following it only changes the first port in the range:
interface range fastEthernet 0/5 - 10
no spanning-tree portfast
switchport port-security
switchport port-security maximum 5
switchport port-security violation restrict
switchport port-security mac-address 00:1D:24:25:F7:AA
[Code].....
Feb 2, 2013
I was wondering how to tighten the security of my email delivery to a range of IP addresses (I know how on my old firewall, but the Cisco is quite a bit different). Right now anyone sending email to a particular IP address on my firewall can do so. I want to restrict that to two IP address ranges it will accept delivery from. I'm thinking I need two network objects for the two ranges, then add them to a network object group. Configuring the ACL for delivery using that group, if I'm correct about that?
May 3, 2011
I have an XSR-1805 (Version 7.5.0.0) Enterasys router here. Got the SNMP server to work successfully. The thing is that I couldn't make the router restrict the range of addresses allowed to use a community. Only 10.1.0.13 is allowed to use SNMP in this case.
Apr 29, 2012
We have a 3560 switch configured with EIGRP with DHCP. We have a user that we cannot ping, however the interface shows up/up and there are no errors on the interface. The IP address is 10.2.0.199; however, we have DHCP configured to exclude the range from DHCP:
ip dhcp excluded-address 10.22.0.1 10.22.0.200
How can this workstation get a DHCP address if we have that IP range excluded from the DHCP pool?
The user is off a different switch that is an uplink to this distribution switch. Traceroute shows that the problem is with the distribution switch.
Apr 5, 2012
I've been telnetting onto a 2955 and then upgraded the IOS and enabled SSH version 2 and then issued a "write". When I came back, the exec-timeout had been issued and I was logged out of the router, and now it is asking for a username and password and not just a password like it did before enabling SSH. I haven't yet put a username and password on, just the telnet. What would the username be if I haven't set one?
May 2, 2012
I'm on a Cisco 2955 switch and need to get ssh working which I have done on another 2955 (but don't have near me), what am I doing wrong?
2955-02-PJ-CamdT.LU#sh run
Building configuration...
Current configuration : 4061 bytes
!
version 12.1
no service pad
service timestamps debug datetime msec [code]....
Apr 15, 2012
I'm trying to allow 2 users to access a 2955 switch.
-admin privilege 15
-eousers privilege 2
When they both log in they just get to the user exec mode, how can I get them to go to their respective modes? [code]
Apr 3, 2012
I'm about to configure RADIUS on a 2960 and 2955 switch, as I have been testing this on a 1841 router, and to my dismay I can't see the options to configure RADIUS. Do these L2 switches not support RADIUS?
edit - apologies, I forgot the "aaa new-model", all OK now
Although when I added:
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646 key 123456789
radius-server host 10.1.1.2 auth-port 1645 acct-port 1646 key 123456789
radius-server vsa send accounting
radius-server vsa send authentication
I got this:
Warning: This CLI will be deprecated soon. Please move to radius server <name> CLI.
And what would the above look like if I configured it that way?
Jan 21, 2013
I have installed a Cisco 2955 switch which already has the x.x.x.x EA12 IOS, and I copied x.x.x.x.EA13 into flash: with the intention of having EA13 enabled as the IOS. I set the global config for boot system with 'boot system (no flash)x.x.EA13;x.x.EA12' but had no luck, and it was still showing EA12 in 'sh ver'. I then deleted the EA12 IOS and set 'boot system flash:x.x.EA13'. I also verified the EA13 IOS with 'verify flash:IOS Filename'; it verified the IOS.
But when I reloaded my switch, I was unable to log in and it's at the 'switch:' prompt (ROMmon mode, I believe). I then tried flash_init, load_helper, dir flash: (showing me EA13 there) and finally boot flash:IOS Image file, but no good news here... Output like this:
Error loading "flash:IOS Image File EA13"
Interrupt within 5 seconds to abort boot process.
Error loading "flash:c2950-i6q4l2-mz.121-12c.EA1.bin"
Interrupt within 5 seconds to abort boot process.
My guess is that the IOS is corrupted (but it's not showing me Error loading Image blabla...). I'm trying with EA14 of 4MB and I have 3 MB free, and decided to remove EA13 first and then try to upload EA14 through XModem.
Is there any useful way you can recommend for deleting EA13 and upgrading to EA14? Also an option to set the boot image while having two IOS images at the same time for permanent use.
Apr 27, 2012
I can't seem to send config changes to our syslog server on a 2950, I'm fine with 2960's and 3750's. The Cisco 2955 is using the latest IOS c2955-i6k2l2q4-mz.121-22.EA14.bin.
Here is what I have added:
logging buffered 64000 debugging
logging console informational
logging monitor informational
[Code].....
The only syslog message I get is "Configured from console by username on vty0 (10.1.1.35)"
Feb 6, 2012
I have come across the Catalyst Switch 2955, and it has two relay connectors, one Major (MAJ) and one Minor (MIN), as in the picture below. There is a command line to trigger these two relay connectors. The command below sets the relay connector to minor for monitoring the power supply:
alarm facility power-supply relay minor
1. My question is: when there is a power-supply fault, the Minor relay connector (right picture) will be short-circuited, right?
2. If we connect the two ports (ports 4 & 5 in the left picture) with a normal cable to drive an alarm bell (in a short-circuited or closed-loop situation), do we need an external power supply for the alarm bell? Or will there be power supplied from the Catalyst 2955 to the alarm bell as well?
Oct 25, 2011
I am having an issue with this device after setting the ip address and rebooting. I have tried renaming the config.text file without success. I have also tried the steps mentioned here: [URL]
Nov 3, 2012
I have found that the Catalyst 2955 series switches do not use an external MODE button for getting a switch into the switch: prompt, but they use a break sequence like routers do to get into Rommon state URL
So I was wondering if there is a similar mechanism that applies to other kinds of Catalyst switches, like 2960, 3560 or 3750.
Feb 5, 2012
One of my clients is using a Cisco Catalyst 2955 industrial switch. I am doing the configuration for them and have come across one setting, the FCS Error Hysteresis Threshold. I know FCS is Frame Check Sequence.
What I do not understand is the meaning of the Hysteresis setting as a percentage, and what purpose it serves. For example, the default is 10 percent. If I set the value lower, to 5%, what is the impact of that? Is this more stringent than the default of 10% or less stringent than the default of 10%?
Apr 19, 2012
I have a Cisco 878 router and I can't assign an IP address to its Fast Ethernet interface. When I assign an IP address it gives me this message: "you can not assign ip address to layer 2 interface".
But I cannot understand why it gives me this alert when I am using a layer 3 device.
Aug 29, 2012
I have a Cisco 2811 with fa 0/0 as my bearer, and a switch module for internal clients.
I have an issue with my fa 0/0 flapping, and I want to move that IP configuration to fa 0/1. As this is a branch office, I am reliant on the bearer port to give me comms, so changing the IP addresses is difficult.
Has anyone tried this with a TCL script?
Apr 23, 2012
I always thought that "sh mac address table dynamic interface xx/xx/xx" was a subset of "sh mac address table". 6590, Version 12.2(33)SXI. I have two MAC addresses on downstream switches that will only show up when using
sh mac address-table dynamic interface Te4/10
* 903 0050.77a9.6e3c dynamic Yes 0 Te4/10
* 903 0050.77a9.5766 dynamic Yes 0 Te4/10
when using "old faithful"
sh mac address-table | inc 6e3c
*nothing*
or
sh mac address-table dynamic | inc 6e3c
*nothing*
Nothing shows up? This VLAN has no layer three interfaces.
Aug 16, 2012
Having 2 routers with 2 subinterfaces configured with HSRP. The server sending the data has the default route gw xxx.xxx.xx.252, the HSRP address. But one of the routers, R2 with IP xxxx.xxxx.xxxx.251, got a HW problem, so we shut it down. The problem is that the traffic didn't go there correctly when using the HSRP address; some packages went there but not all of them, and there were no blocks in the logs. But then we changed the server to point directly to the working router R1 xxxx.xxxx.253 and everything started working fine again. The logs I got in the router were max tcp half-open connections.
I am wondering if something is wrong in the configuration below and why the traffic didn't get there correctly when using the HSRP address. It's working fine when using the R1 IP address. The devices are 2 Cisco 2620 routers.
R!1
interface FastEthernet0/0.192
description Prod_Inside
encapsulation dot1Q 192
ip address xxx.xxx.xxx.253 255.255.255.192
ip access-group Inside_Outside in
ip verify unicast reverse-path
no ip redirects
[code]...
Nov 1, 2011
I've set up my 3560 to do routing. Now, I'm looking for a way to apply acl restrictions to the vlan interface ip address itself.
Jul 15, 2012
I have just updated a VLAN interface on my router. I have two 6500s with GLBP configured. The particular interface had a primary and secondary IP address. I shut down the interface on one router and deleted the secondary address, then assigned the original secondary address to be the only address associated with the interface and enabled the interface, and it came right back up... all looks good. I proceeded to do the same thing to the other router and once again all looked good. Now I am able to ping the devices in the subnet from the router, but am unable to ping them from anywhere else. [code]
Apr 17, 2012
I have voice bandwidth on a Cisco Router 7200 and Catalyst 3750. Now I want to sell some BW (15MB) to a client. How do I do that? We have Ethernet connectivity with my client. How do I restrict the client to 15MB? Will I have to form a VLAN or just limit the port bandwidth, and which is the better way?
Jun 4, 2012
We have a network of 30 VLANs and currently all the VLANs have access to everything. We are using a Cisco 6509 switch for Layer 3 routing. I would like to prevent some VLANs from accessing the server VLANs. How can I restrict access to the server VLANs? Do I need to implement access-lists on the 6500 switch, or do I need to create VLANs on the firewall so that all traffic is filtered?
Jun 10, 2012
At a small boarding school we have the students living in several small houses, each equipped with an AP. Each AP serves 4 VLANs. I want to restrict the switch for these APs in a way that keeps the students from removing the AP and connecting their own equipment. I tried using the secure port feature on the SG300, but that had the result of allowing the AP but denying all the users connected to the AP. The switch is a SG300-28P placed in L3 mode.
Feb 7, 2012
I'm facing an issue with VACL. I have a LAN network with 10.40.X.X/16. In this network I have a Production VLAN 10 with 10.40.10.X/24, and I have created a VLAN 103 for Guest users as 10.40.103.X/24.
My goal is to restrict VLAN 103 from reaching or accessing VLAN 10, or better, to restrict Guest user access to the production VLAN. So I tried this script with the VACL method, but it doesn't work.
Extended IP access list Restriction-Guest
10 permit ip 10.40.103.0 0.0.0.255 any
vlan access-map Guest 10
 action drop
 match ip address Restriction-Guest
vlan filter Guest vlan-list 10
After that I am still able to ping or access VLAN 10 from VLAN 103.
Jan 30, 2013
I have a Cisco 887M router which I wish to restrict the devices allowed to be connected/allocated an IP address to two, and *only* two.
I can't, for the life of me, find out how to allow these two devices to connect to ANY port - I can configure a MAC restriction on a single port, but I don't know how to make it so that I can allow JUST these two devices to connect to any port in the 4 port switch/VLAN (VLAN 1 is used because the mongrel who set this up was lazy). I know the MAC addresses I want to allow.
How can I do this? I *can* restrict any given port to the two MAC addresses - but if I try to add the MAC addresses to another port, they get removed from the initial one. I need to be able to have them connect to ANY port and work, but allow NOTHING else to work.
For those wondering, this is to counter a user who is utilising company resources for purposes not approved - and costing us quite a bit of money in the process.
Apr 13, 2011
ISP assigned us the following:
xxx.yyy.zzz.32/30 as the outside interface network. This means .33 is the next hop, gateway, or default route. This means .34 is the outside interface on the ASA.
xxx.yyy.zzz.64/26 as the ip address pool. This means xxx.yyy.zzz.65 to xxx.yyy.zzz.127 is the address pool.
xxx.yyy.zzz is identical in all cases. Addresses .35 through .63 are owned by other parties and are not usable to us. The 33-34 setup works using static routing - IPSEC VPN is setup and functioning properly using these addresses.
[ie. Route outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.33]
After NAT and ACL entries are created to provide an alternate external IP address on the outside interface [ie. static (inside,outside) [external ip] [name] netmask 255.255.255.255 and access-list [name2] extended permit tcp any host [alternate outside ip] eq https], attempting to browse to an internally hosted website from an external IP address results in the following messages in the ASDM log.
6 Apr 14 2011 17:58:51 110003 [redacted external IP Address] 37763 [Internal Website Name] 80 Routing failed to locate next hop for TCP from Outside:[redacted external IP Address]/37763 to Inside:[Internal Website Name]/80
How do I setup routing for this non contiguous address range?
Feb 20, 2012
We have a network of 30 VLANs and currently all the VLANs have access to everything. We are using a Cisco 6509 switch for Layer 3 routing. I would like to prevent some VLANs from accessing the server VLANs. How can I restrict access to the server VLANs? Do I need to implement access-lists on the 6500 switch, or do I need to create VLANs on the firewall so that all traffic is filtered?
Oct 12, 2011
We will be opening a shop with a number of computers available to the public connected to the Web via one ISP with fixed IP using a RV220W router.
We wish to restrict web access to our company's web site only, say 'OurCompany.com'; how can we code this in the router?
Dec 12, 2012
I bought a sf300 48 and made 4 vlans.
How can I restrict the MAC addresses of the devices that can connect to each VLAN? I just want to allow the MACs for a VLAN; I don't need to join the PC to a VLAN.
May 1, 2012
I have a Cisco ASA 5505 and I have my internal and external interfaces configured, but I currently cannot ping from the inside to an IP address on the outside. I had this set up and working, and I have another set of equipment that I am replacing that is working with my service provider, so I know it is a configuration issue. When I ping 4.2.2.2, for example, I get:
Destination host unreachable
Do I need to add a static route from my inside interface to my outside interfaces?
: Saved
:
ASA Version 8.2(5)
!
hostname pxasa
[Code].....
Jan 21, 2013
I have a Cisco 881 router in my office and I would like to do port forwarding for port 5060, and 10000 - 20000, to my PABX (192.168.1.61). After I did some research on the internet, I understand that we need to NAT using the following command to do port forwarding for port 5060:
ip nat inside source static udp 192.168.1.61 5060 XXX.XXX.XXX.XXX(WAN IP) 5060 extendable
However, now I'm facing an issue performing port forwarding for a huge range of ports like 10000 to 20000.
Oct 23, 2011
I have a 1941 router that needs to be set up with the range of WAN IP addresses. ip nat inside outside doesn't allow me to use it. How can I configure the router to ensure that from outside I'm able to access the firewall (129.2.1.2)?
Apr 3, 2012
I have a Cisco 881 router in my office and I would like to do port forwarding for port 5060, and 10000 - 20000, to my PABX (192.168.1.61). After I did some research on the internet, I understand that we need to NAT using the following command to do port forwarding for port 5060:
ip nat inside source static udp 192.168.1.61 5060 XXX.XXX.XXX.XXX(WAN IP) 5060 extendable
However, now I'm facing an issue performing port forwarding for a huge range of ports like 10000 to 20000. It is impossible to ask me to add them one by one?