Cisco Switching/Routing :: 2960 SI Lan Lite ACLs - Configuring For Admin And Guest Access
Jan 26, 2013
I have a 2960 SI LAN Lite switch that I am configuring for admin and guest access. I have wireless APs plugged into trunked ports 2 and 3. I am using two VLANs (in addition to the native VLAN): VLAN 5 for admin and VLAN 10 for guest access. I have an ACL configured on the router preventing guest users from accessing the admin network. I want to prevent those on the guest network from seeing other hosts in the VLAN; however, the LAN Lite software does not support port ACLs. Is there any way to accomplish this with this switch?
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
[Code]...
Jun 6, 2013
We have inserted a Cisco 2960-S switch into a network with VTP, not knowing that it had IOS LAN Lite installed. Now I have discovered that it can handle up to 64 VLANs. There are currently 62 VLANs configured in the network: what happens when we exceed the maximum number (64) of VLANs for that switch?
Feb 6, 2012
We ordered 4x Cisco 2960 switches with LAN Lite software by mistake. Can we upgrade them to LAN Base? When I change the boot image I get: Error: hardware not supported by firmware.
Feb 10, 2013
I need to buy a cheap Cisco switch with a DHCP server. Can you confirm that the 2960-24-S, 2960-24TC-S and 2960-48TC-S can be a DHCP server?
Jun 20, 2012
I have some 2960 switches with LAN Lite IOS in my infrastructure, and I am trying to configure them to support "trust device cisco-phone" and "switchport priority extend cos 0" on ports with Cisco phones. But the LAN Lite image does not support "mls qos trust device cisco-phone". Can I use any workaround to trust the CoS of a Cisco phone and to remark PC traffic with CoS 0?
Mar 28, 2012
1) For 3650X I found some contradiction in the Q&A about feature set LAN Base vs IP Base:
LAN Base: Can I do static IP routing?
LAN Base: SVI => is this for inter-VLAN routing?
2) For 2960, there are 2 flavors (LAN Lite and LAN Base). Q: Can I do static routing on one of these flavors?
Nov 9, 2012
Unable to access switch from outside the local network. Can get to all routers and PCs.
Feb 21, 2013
I have IP phones connected to a 2960. I want to segregate traffic coming from the IP phones, which has a CoS value of 5, and want to allocate a bandwidth of 200 Mbps for that traffic.
Can anyone share a sample QoS configuration for achieving this on the 2960?
May 9, 2012
I have two SSIDs on an Autonomous Access Point, that goes to a 2960 switch, that connects to a L3 3560. I have a vlan for admin/private internal access that uses the native vlan (1) and guest vlan (50). I have configured both and I am trying to get both to go out the same Internet connection.
I cannot get the guest access to access the Internet. It looks like my computer will go, but it just comes up saying no Internet access. All interfaces are trunking this VLAN properly. I can communicate from the laptop to the 3560 but I just can't get to the Internet.
Apr 2, 2012
How do I tell if my cisco 2960 has the Lan Base or Lan Lite image?
Feb 13, 2013
I'm screwing around with HSRP running between two L3 interfaces of routers. I placed an inbound and outbound ACL on the same interface on both of these routers specifying to "permit ip any host 224.0.0.2" Why am I only seeing counters ticking for the inbound ACL of both of these routers? Is it an order of operations thing?
Mar 28, 2012
upgrade IOS in cisco 4948 switch, I do not have admin right and network access
Apr 3, 2012
I have 2 APs, Cisco Aironet 1040, and a 2504 WLC. Is it possible to configure guest access (Guest SSID/VLAN and Corporative SSID/VLAN) without a dedicated guest WLC in the DMZ?
Dec 27, 2011
In my lab setup I configured a Cisco 3560 switch.
I configured VLAN 20 and VLAN 30.
VLAN 20 interface IP: 192.168.20.1/24
VLAN 30 interface IP: 192.168.30.1/24
Inter-VLAN communication is happening fine.
For testing purposes I configured extended ACLs. Here is my requirement: I want to stop communication from VLAN 30 to VLAN 20 but not vice versa.
Here I configured it like this:
access-list 111 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 111 permit ip any any
I applied the ACL on the VLAN 30 interface in the 'in' direction.
ip access-group 111 in
In this scenario, communication is stopping in both directions. If I ping from one of the IPs in VLAN 20 to one of the IPs in VLAN 30, I was getting Request timed out. And if I ping from one of the IPs in VLAN 20 to the VLAN 30 interface IP, I was able to ping.
From VLAN 30 to VLAN 20, I was getting destination host unreachable from the VLAN 30 IP (that's fine, as it's my requirement). So a solution is needed to communicate from VLAN 20 to VLAN 30.
Jul 1, 2012
Thinking of getting one of those 8-port 2960 for a CCNP study. Is the difference between the C2960-8TC-S and the C2960-8TC-L models in Hardware, or in IOS? or both? And if it's in IOS, is the S upgradable to L?
Sep 25, 2011
I want to restrict outgoing traffic. Currently the default any, any IP allows all traffic from the inside to the outside.
So I created some rules to only allow HTTP and HTTPS. First I configured a rule to allow all DNS (TCP 53) traffic out. Then I added rules to allow HTTP (TCP 80) and secure HTTP (TCP 443) out.
When I apply them and try to surf out to the internet from a box on the inside network, I cannot. Removing the rules returns the default any, any IP and traffic flows.
Packet tracer shows that the traffic should flow. And I have had minor traffic flowing, but slow.
How do I only allow web surfing from the inside to the outside using the ASDM (5.1) to configure? I realize this is probably a very simple thing, but I only configure the ASA about once every year!
Jan 17, 2013
My management has tasked me to give them a high level overview of the different switching we can choose for our new building.
This is what I know so far: 4 closets, each closet has 450 ports, and one MDF room that will contain one UCS chassis and a Nimble iSCSI SAN.
I am working on the spreadsheet and it looks like this (Not totally filled):
Model | 2960s | 3560x | 3750x | 4506 | 4510
Approx cost (Each, 48PORT, POE+, 10G uplink, Dual PS, IP BASE) | 6K | 7K | 8K | 45K | 75K
Max Capacity | 192 | 432 | 432 | 192 | 384
Backplane speed | 20 | 64 | 64 | 520 | 520
Pro: Least Expensive; Stackable to 9; Stackable to 9
Pro: Dual PS; Dual PS; Dual PS; Dual PS; Dual PS
Pro: Layer 3 opt; Layer 3 opt; Dual Sups; Dual Sups
Con: Expensive; Expensive
Con: No Dual PS
Con: Layer 2 Only; Cannot stack more than 4
For the MDF I would like to use 2 Nexus 5548s with FEXs, and the layer 3 daughter board. For the IDFs I was thinking of two 4010s.
Mar 12, 2013
Quick question here. Using 3750E series switches with multiple VLANS configured. These switches serve as our 'core'. I have SVIs configured for the different VLANs and add inbound ACLs in each of the SVIs to control traffic between VLANS. This switch also terminates a P2P Ethernet link which connects to our Colo facility. The port used for this is configured as an L3 port. I noticed today that I was able to send traffic across this L3 link that I thought should have been blocked by an ACL I had in place but it wasn't. So the traffic flowed from a port in say VLAN 20 across this L3 link (assigned with an IP address). Would this traffic flow not cause traffic to be checked against an ACL applied in the inbound direction on the SVI of VLAN 20 (int vlan 20)? Traffic does get checked when routing between SVIs. Why would it not get checked when routing between SVI and L3 interface?
Jan 4, 2012
We are trying to set up a new configuration with 2960S as access switches and a 4507 as a core switch. I want to protect the management IP VLAN of the switch using VRF on the 4507, so we:
SHUT VLAN 1 on every switch (2960 + 4507)
CREATE A NEW VLAN 289 (management VLAN) -> IP network: 10.32.126.192/26
L3 VLAN on every switch
VLAN 289 in the VRF XXX on the 4507
create trunk between the switch and the 4507:
switch mode trunk allowed vlan 200-230
sw trunk native vlan 289
So with this configuration, VLAN 289 is UP/DOWN on the 2960 and UP/UP on the 4507. I can access the 4507 using the IP in VLAN 289, but I cannot access the 2960 behind the 4507. CDP connectivity is ok?
Jul 18, 2012
A quick one because I'm scratching my head trying to figure out the difference between the 2960 LAN Base and LAN Lite IOS installs. I want to put a 2960 into a site which has a layer 2 link on dark fiber taking it elsewhere. This part I'm not concerned about - the WS-C2960--24TC will do what I need without issue - but I don't know if I can get away with LAN Lite, or if I need LAN Base.
I basically need VLANs with associated SVIs, and a routed link on the uplink port (I don't care if it's a switch port with an associated SVI or a no switchport and IP address), but it's got to be able to run OSPF. Can I do this with LAN Base on this series switch? Or do I need to go for a higher series (3560?). I *could* get away with static routes, but my boss is walking death on them unless I can 100% prove they're necessary, so I'd rather not fight that fight!
May 17, 2012
I have a problem configuring my Cisco 887VAW internet access point. I want to be able to manage it through the SSH console with the service-module wlan-ap0 session mode. I also want to access it through HTTP, but that is not working either. I'll show you my config.
This is my config:
Current configuration : 3281 bytes
!
! Last configuration change at 21:43:11 UTC Fri May 18 2012 by jon
! NVRAM config last updated at 21:46:05 UTC Fri May 18 2012 by jon
! NVRAM config last updated at 21:46:05 UTC Fri May 18 2012 by jon
version 15.1
[code]....
Apr 4, 2013
Do I need to run any special license (like IP SERVICES) on the Cisco Catalyst 4900M in order to run VRF lite?
Sep 17, 2012
I am trying to create an ACL that walls off a VLAN and only allows it to the internet. This is on a 3750G, currently the 3750G I am attempting this on is in a stack. I have another 3750G that is a standalone.
The first way I attempted this was to create two access-lists:
access-list 101 permit tcp 10.249.1.0 0.0.0.255 any eq 80
access-list 102 permit tcp any 10.249.1.0 0.0.0.255 established
Let's call the 10.249.1.0 VLAN 2. I applied this to the VLAN2 interface, 101 out, 102 in. It didn't work. If I place a deny statement with nothing else, that works.
The second attempt was this:
access-list 101 deny ip 10.249.1.0 0.0.0.255 any
access-list 101 permit ip any any
I applied this to a VLAN I wanted to block VLAN2's traffic from reaching, let's call that one VLAN 3.
This lets all traffic from any VLAN (including the one I'm trying to block). If I remove the "permit ip any any", then all VLANs are denied. Which I understand is correct due to the implied deny all. What I don't understand is why it isn't applying the ACL to the specific VLAN.
Apr 16, 2013
We are configuring ACLs for a dhcp pool on Sw3750
ip access-list extended Test
permit ip any 192.168.1.0 0.0.0.31
permit ip any host 172.16.1.1
And, here is dhcp pool:
ip dhcp excluded 192.168.1.1 192.168.1.3
ip dhcp pool Name
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
But when a PC tries to obtain an IP automatically, it doesn't work.
Feb 6, 2012
I have a 2960-S running the latest software for testing on my bench:
[code]
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 24 WS-C2960-24-S 15.0(1)SE2 C2960-LANLITEK9-M
[/code]
I have set up VLAN 2 on 192.168.2.0/24 with the switch as the DHCP server. The switch is connected to an RV082 router which is at 192.168.1.65/27. Once I figure out what I'm doing I'll eventually shift that to 192.168.1.0/24 or something similar. So I have my switch acting as the DHCP server for VLAN 2 but I can't figure out how to get it to access the internet.
I found this example to set up the DHCP server:
[code]
###################################
this works to get vlan 2 to serve ips
conf t
[Code].....
The RV082 doesn't support trunks AFAIK and I'm pretty much a newb at this stuff. TIA. I guess I should get a real router and I most likely will, but I'd like to get this working if possible before taking the next plunge.
May 15, 2013
setting up VRF-lite on redundant 6509-E chassis to account for chassis failure? Let's say I have 2x 6509-Es configured with HSRP for 2 vlans, ServerA and ServerB. So
6509-A#
!
interface Vlan10
description ServerA VLAN
ip address 10.10.10.2 255.255.255.0
ip flow ingress
standby 1 ip 10.10.10.1
standby 1 priority 105
[code].....
I now need to create an environment where the Server VLANs can be provided for two customers and they need to be wholly separate. On 6509-A, I make VRF CustomerA and VRF CustomerB and I assign Vlan10 to VRF CustomerA and Vlan20 to CustomerB. Do I create the SAME VRFs on 6509-B with the same logic?
Feb 5, 2013
Does anyone know when object-group ACLs will be supported in Cat4500 IOS-XE? They don't seem to be supported now.
Dec 27, 2012
I have a 2960 switch and I can't access it using my console cable. I can access other switches in my network (3560 & 2960) but I can't access only this switch. Maybe the console port in the switch is damaged? Or is it a bug? The switch is otherwise working normally.
Dec 11, 2011
I need to enable/disable a mac access-list on a 2960 scheduled by time. The switch has lanbasek9-mz.122-44.SE6. As the mac access-list can not support time ranges, I tried EEM but seems like it is not supported in this device.
Aug 22, 2012
What is the difference between sdm prefer access & sdm prefer default & sdm prefer lanbase-routing? When do we use these options?
Jul 7, 2012
Which Catalyst models support vPC with Nexus? I knew Cat6K and 3750. Does any other model support vPC? Can I configure vPC between a 2960 and an N7K?
Feb 3, 2013
We are migrating from Catalyst 6509 IOS platforms to Nexus 7009. There are the normal differences in commands, which are well documented. We do have some quite large files containing ACLs varying from 10's of lines to several 1000's of lines. Our normal upload would be done using tftp and then issuing the command 'conf net' on the 6509. This is no longer the way to do this on NX-OS. I've tried copy ftp: running-config, which works fine for small files, but for big ones it takes a long time; in some cases I've seen it take 20-30 minutes. The initial tftp upload to the 7009 seems OK but the copy into the running-config is the bit that takes time, and initially I thought I'd killed the 7009!! It did finally come back to the prompt. Are the 7009s simply not designed for large ACLs? I did try the configure session (Session Manager) but I couldn't see a way of uploading a file. I tried creating a new session and then exiting it, copying in a file of the same format and then committing it, but it didn't seem to acknowledge the file (checksum?).
Nov 4, 2011
How should I configure the NX7000 to log ACL hits on a remote syslog server?