Cisco Switching/Routing :: 2960 SI Lan Lite ACLs - Configuring For Admin And Guest Access
Jan 26, 2013
I have a 2960 SI LAN Lite switch that I am configuring for admin and guest access. I have wireless APs plugged into trunked ports 2 and 3. I am using two VLANs (in addition to the native VLAN): VLAN 5 for admin and VLAN 10 for guest access. I have an ACL configured on the router preventing guest users from accessing the admin network. I want to prevent those on the guest network from seeing other hosts in the VLAN; however, the LAN Lite software does not support port ACLs. Is there any way to accomplish this with this switch?
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
[Code]...
We have inserted a Cisco 2960-S switch into a network with VTP, not knowing that it had IOS LAN Lite installed. Now I discovered that it can handle up to 64 VLANs. In the network there are currently 62 VLANs configured: what happens when we exceed the max number (64) of VLANs for that switch?
We ordered 4x Cisco 2960 switches with LAN Lite software by mistake. Can we upgrade them to LAN Base? When I change the boot image I get Error: hardware not supported by firmware.
I have some 2960 switches with the LAN Lite IOS in my infrastructure, and I am trying to configure them to support "trust device cisco-phone" and "switchport priority extend cos 0" on ports with Cisco phones. But the LAN Lite image does not support "mls qos trust device cisco-phone". Can I use any workaround to trust the CoS of the Cisco phone and to re-mark PC traffic with CoS 0?
I have IP phones connected to a 2960. I want to segregate traffic coming from the IP phones, which has a CoS value of 5, and want to allocate a bandwidth of 200 MBPS for that traffic.
Can anyone share a sample QoS configuration for achieving this on the 2960?
I have two SSIDs on an Autonomous Access Point, that goes to a 2960 switch, that connects to a L3 3560. I have a vlan for admin/private internal access that uses the native vlan (1) and guest vlan (50). I have configured both and I am trying to get both to go out the same Internet connection.
I cannot get the guest access to reach the Internet. It looks like my computer will go, but it just comes up saying no Internet access. All interfaces are trunking this VLAN properly. I can communicate from the laptop to the 3560 but I just can't get to the Internet.
I'm screwing around with HSRP running between two L3 interfaces of routers. I placed an inbound and outbound ACL on the same interface on both of these routers specifying to "permit ip any host 224.0.0.2" Why am I only seeing counters ticking for the inbound ACL of both of these routers? Is it an order of operations thing?
I have 2 APs (Cisco Aironet 1040) and a 2504 WLC. Is it possible to configure guest access (Guest SSID/VLAN and Corporative SSID/VLAN) without a dedicated guest WLC in the DMZ?
I configured VLAN 20 and VLAN 30. VLAN 20 interface IP: 192.168.20.1/24. VLAN 30 interface IP: 192.168.30.1/24. Inter-VLAN communication is working fine.
For testing purposes I configured extended ACLs. Here is my requirement: I want to stop communication from VLAN 30 to VLAN 20 but not vice versa.
Here I configured it like this:
access-list 111 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 111 permit ip any any
Applied ACL in VLAN 30 interface 'in' direction:
ip access-group 111 in
In this scenario, communication is stopping in both directions. If I ping from one of the IPs in VLAN 20 to one of the IPs in VLAN 30, I was getting Requested time out. And if I ping from one of the IPs in VLAN 20 to the VLAN 30 interface IP, I was able to ping.
From VLAN 30 to VLAN 20, I was getting destination host unreachable from the VLAN 30 IP (that's fine, as it's my requirement). So a solution is needed to communicate from VLAN 20 to VLAN 30.
Thinking of getting one of those 8-port 2960 for a CCNP study. Is the difference between the C2960-8TC-S and the C2960-8TC-L models in Hardware, or in IOS? or both? And if it's in IOS, is the S upgradable to L?
I want to restrict outgoing traffic. Currently the default any, any IP rule allows all traffic from the inside to the outside.
So I created some rules to only allow HTTP and HTTPS. First I configured a rule to allow all DNS (TCP 53) traffic out. Then I added rules to allow HTTP (TCP 80) and secure HTTP (TCP 443) out.
When I apply and try to surf out to the internet from a box on the inside network I cannot. Remove the rules which returns the default any, any IP and traffic flows.
Packet tracer shows that the traffic should flow. And I have had minor traffic flowing but slow.
How do I only allow web surfing from the inside to the outside using ASDM (5.1) to configure it? I realize this is probably a very simple thing, but I only configure the ASA about once every year!
My management has tasked me to give them a high level overview of the different switching we can choose for our new building.
This is what I know so far. 4 closets, each closet has 450 ports. One MDF room that will contain one UCS chassis and a Nimble iSCSI SAN.
I am working on the spreadsheet and it looks like this (Not totally filled):
Columns: 2960s | 3560x | 3750x | 4506 | 4510
Approx cost (Each, 48PORT, POE+, 10G uplink, Dual PS, IP BASE): 6K | 7K | 8K | 45K | 75K
Max Capacity: 192 | 432 | 432 | 192 | 384
Backplane speed: 20 | 64 | 64 | 520 | 520
Pro: Least Expensive, Stackable to 9, Stackable to 9
Pro: Dual PS | Dual PS | Dual PS | Dual PS | Dual PS
Pro: Layer 3 opt, Layer 3 opt, Dual Sups, Dual Sups
Con: Expensive, Expensive
Con: No Dual PS
Con: Layer 2 Only, Cannot stack more than 4
For the MDF I would like to use 2 Nexus 5548's with FEX's, and the layer 3 daughter board. For the IDF's I was thinking of two 4010's.
Quick question here. Using 3750E series switches with multiple VLANS configured. These switches serve as our 'core'. I have SVIs configured for the different VLANs and add inbound ACLs in each of the SVIs to control traffic between VLANS. This switch also terminates a P2P Ethernet link which connects to our Colo facility. The port used for this is configured as an L3 port. I noticed today that I was able to send traffic across this L3 link that I thought should have been blocked by an ACL I had in place but it wasn't. So the traffic flowed from a port in say VLAN 20 across this L3 link (assigned with an IP address). Would this traffic flow not cause traffic to be checked against an ACL applied in the inbound direction on the SVI of VLAN 20 (int vlan 20)? Traffic does get checked when routing between SVIs. Why would it not get checked when routing between SVI and L3 interface?
We are trying to set up a new configuration with 2960S switches as access switches and a 4507 as the core switch. I want to protect the management IP VLAN of the switches using a VRF on the 4507, so we:
SHUT VLAN 1 on every switch (2960 + 4507)
CREATE A NEW VLAN 289 (management vlan) -> IP network : 10.32.126.192/26
L3 VLAN on every switch
VLAN 289 in the VRF XXX on the 4507
create trunk between the switch and the 4507 : switch mode trunk allowed vlan 200-230 sw trunk native vlan 289
So with this configuration, VLAN 289 is UP/DOWN on the 2960 and UP/UP on the 4507. I can access the 4507 using the IP in VLAN 289, but I cannot access the 2960 behind the 4507. CDP connectivity is ok?
A quick one because I'm scratching my head trying to figure out the difference between the 2960 LAN Base and LAN Lite IOS installs. I want to put a 2960 into a site which has a layer 2 link on dark fiber taking it elsewhere. This part I'm not concerned about - the WS-C2960--24TC will do what I need without issue - but I don't know if I can get away with LAN Lite, or if I need LAN Base.
I basically need VLANs with associated SVIs, and a routed link on the uplink port (I don't care if it's a switchport with an associated SVI or a no switchport and IP address), but it's got to be able to run OSPF. Can I do this with LAN Base on this series of switch? Or do I need to go for a higher series (3560?). I *could* get away with static routes, but my boss is walking death on them unless I can 100% prove they're necessary, so I'd rather not fight that fight!
I have a problem configuring my Cisco 887VAW Internet access point. I want to be able to manage it through the SSH console with the service-module wlan-ap0 session mode. I also want to access it through HTTP, but that's not working either. Let me show you my config.
This is my config :
Current configuration : 3281 bytes
!
! Last configuration change at 21:43:11 UTC Fri May 18 2012 by jon
! NVRAM config last updated at 21:46:05 UTC Fri May 18 2012 by jon
! NVRAM config last updated at 21:46:05 UTC Fri May 18 2012 by jon
version 15.1
I am trying to create an ACL that walls off a VLAN and only allows it to the internet. This is on a 3750G, currently the 3750G I am attempting this on is in a stack. I have another 3750G that is a standalone.
The first way I attempted this was to create two access-lists:
access-list 101 permit tcp 10.249.1.0 0.0.0.255 any eq 80
access-list 102 permit tcp any 10.249.1.0 0.0.0.255 established
Let's call the 10.249.1.0 VLAN 2. I applied this to the VLAN2 interface, 101 out, 102 in. It didn't work. If I place a deny statement with nothing else, that works.
The second attempt was this:
access-list 101 deny ip 10.249.1.0 0.0.0.255 any
access-list 101 permit ip any any
I applied this to a VLAN I wanted to block VLAN2's traffic from reaching, let's call that one VLAN 3.
This lets all traffic from any VLAN (including the one I'm trying to block). If I remove the "permit ip any any", then all VLANs are denied. Which I understand is correct due to the implied deny all. What I don't understand is why it isn't applying the ACL to the specific VLAN.
I have a 2960-S running the latest software for testing on my bench:
[code]
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 24    WS-C2960-24-S      15.0(1)SE2            C2960-LANLITEK9-M
[/code]
I have set up VLAN 2 on 192.168.2.0/24 with the switch as the DHCP server. The switch is connected to an RV082 router which is at 192.168.1.65/27. Once I figure out what I'm doing I'll eventually shift that to 192.168.1.0/24 or something similar. So I have my switch acting as the DHCP server for VLAN 2 but I can't figure out how to get it to access the Internet.
I found this example to set up the DHCP server: [code] ################################### this works to get vlan 2 to serve ips conf t
[Code].....
The RV082 doesn't support trunks AFAIK and I'm pretty much a newb at this stuff. TIA. I guess I should get a real router and I most likely will, but I'd like to get this working if possible before taking the next plunge.
setting up VRF-lite on redundant 6509-E chassis to account for chassis failure? Let's say I have 2x 6509-Es configured with HSRP for 2 vlans, ServerA and ServerB. So
6509-A#
!
interface Vlan10
 description ServerA VLAN
 ip address 10.10.10.2 255.255.255.0
 ip flow ingress
 standby 1 ip 10.10.10.1
 standby 1 priority 105
[code].....
I now need to create an environment where the Server VLANs can be provided for two customers and they need to be wholly separate. On 6509-A, I make VRF CustomerA and VRF CustomerB and I assign Vlan10 to VRF CustomerA and Vlan20 to CustomerB. Do I create the SAME VRFs on 6509-B with the same logic?
I have a 2960 switch and I can't access it using my console cable. I can access other switches in my network (3560 & 2960), but I can't access only this switch. Maybe the console port in the switch is damaged? Or is it a bug? The switch itself is working normally, though.
I need to enable/disable a mac access-list on a 2960 scheduled by time. The switch has lanbasek9-mz.122-44.SE6. As the mac access-list can not support time ranges, I tried EEM but seems like it is not supported in this device.
We are migrating from Catalyst 6509 IOS platforms to Nexus 7009. There are the normal differences in commands, which are well documented. We do have some quite large files containing ACLs varying from 10's of lines to several 1000's of lines. Our normal upload would be done using tftp and then issuing the command 'conf net' on the 6509. This is no longer the way to do this on NX-OS. I've tried copy ftp: running-config, which works fine for small files, but for big ones it takes a long time; in some cases I've seen it take 20-30 minutes. The initial tftp upload to the 7009 seems OK, but the copy into the running-config is the bit that takes time, and initially I thought I'd killed the 7009!! It did finally come back to the prompt. Are the 7009's simply not designed for large ACLs? I did try the configure session (Session Manager) but I couldn't see a way of uploading a file. I tried creating a new session and then exiting it, copying in a file of the same format and then committing it, but it didn't seem to acknowledge the file (checksum?).