Cisco Switching/Routing :: 2960 What Can Block ARP
Feb 23, 2012
We recently updated a site2site link to metro ethernet, ISP call it 100mbps LAN Extension, but to me it is just QinQ over fibre connection. Most went well, one thing (annoying to me) is we can not ping our switches on both ends anymore.
We have a 3750 in headend and another 2960 on the other end. I used to be able to ping/telnet to the management IP from one to the other. Now we can not. I think the ISP is applying some configuration on ports of their customer-premises equipments (both are Cisco switches) but agent in ISP told me no. I thought there is some configuration on Cisco switch to block "MAC discovery" but i just can not remmenber what was that and google also failed me this time.
View 3 Replies
ADVERTISEMENT
Apr 16, 2013
Is there a way to block lan to lan traffic (except lan to gateway/gateway to lan traffic of course) on a Cisco 2960?
View 9 Replies
View Related
Feb 7, 2012
I have an existing stack of 4 x 2960-S switches connected by stack cables.I would like to add another 2960-S switch to the stack but am unable to as the 2960-S will only allow 4 x 2960-S switches per stack.how I would add the 5th 2960-S switch to the existing stack of 4 x 2960-S switches.
View 12 Replies
View Related
Feb 11, 2013
I have a 24 port 2960-S that is not communicating with a 2960-LST that it is directly connected to over fiber. The link is up on the LST but will not come up on the -S. What command should I use to bring up this link? I have tried no shut from the (Config-if)# prompt.
View 3 Replies
View Related
Aug 2, 2012
is it possible to block outgonig multicast L2 frames on an Ethernet port in outgoing direction on a 2960 Switch?
I tried the "switchport block multicast" command, but the description of this feature relates to only "unknown" multicast!?
But what means "unknown multicast"? Even if activated, I see a lot of multicast traffic going out that port: IGMP, PIM, SSDP, HSRP, OSPF, .. and also pings and VLC streams to multicastaddresses (ip igmp snooping disabled).
I also tried to map a "mac access-list" to that port, but the "mac access-group" interface command is restricted to only incoming traffic.
Reason: we assume, that there are a couple of specific enddevices, that might react strange to some multicast. Therefor we would like to block outgoing multicast on that specific ports.
I tested it on a 2960 12.2(53)SE2
View 10 Replies
View Related
Aug 22, 2012
I have a Ciso L3 switch with 4 VLANs and all host computer connected to rest of 8 cisco 2960 switch's:
VLAN 1 : 192.168.1.0/24
VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24
VLAN 50: 192.168.30.0/24
There are list of my some Questions about Extended ACL serialwise :
1. For Restrict traffic from VLAN 10 to VLAN 20, I am using only one ACL is : Access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255.\ What will happen in this scenerio if we talk about traffic from VLAN 20 to VLAN 10. Will it communicate or not ???
2. How to Block the traffic from VLAN 10 to VLAN 20 but allow the traffic from VLAN 20 to VLAN 10 ?
View 16 Replies
View Related
Jan 17, 2013
My management has tasked me to give them a high level overview of the different switching we can choose for our new building.
This is what I know so far.4 Closets, each closet has 450 ports,One MDF room that is will contain one UCS Chassis and a Nimble iSCSI SAN.
I am working on the spreadsheet and it looks like this (Not totally filled):
2960s3560x3750x45064510Approx cost (Each, 48PORT, POE+, 10G uplink, Dual PS, IP BASE)
6K7K8K45K75KMax Capacity192432432192384Backplane speed206464520520ProLeast ExpensiveStackable to 9Stackable to 9ProDual PSDual PSDual PSDual PSDual PSProLayer 3 opt
Layer 3 optDual SupsDual SupsConExpensiveExpensiveConNo Dual PSConLayer 2 OnlyCannot stack more than 4
For the MDF I would like to use 2 Nexus 5548's with FEX's, and the layer 3 daughter board. For the IDF's I was thinking of two 4010's.
View 12 Replies
View Related
Nov 21, 2012
I am using a 3750 as a default gateway for multiple Vlans on a few 2960 switches. The trunk lines are configured and working and I have assigned ip addresses to each of the Vlan interfaces on the 3750. My issue is that I can only ping the ip address on the Vlan interface of the 3750 if I have a working computer plugged directly into the Vlan on the 3750. I only have 3 vlans on the 3750 that have hosts directly connected (vlans 2, 10 and 40) the other vlans ( 20 and 70) don't have any clients plugged into them on the 3750 but the hosts reside on 2 different 2960s that connect via trunk ports. How do I keep the vlan interface on the 3750 switch pingable when I don't have hosts directly connected in that vlan on the 3750? (yes, I have enabled ip routing on the 3750)
View 5 Replies
View Related
May 21, 2013
I have a Cisco SG 300-20 as the core switch, layer 3. It is 192.168.4.6 on VLAN1 and 192.168.5.1 for VLAN2 (VOIP). All the ports are set in trunk mode. DHCP relay is setup on this switch.
The phones connected into a layer 2, Catalyst 2960-S switch. All ports are set in trunk mode. Default gateway on it is set to 192.168.5.1.
DHCP for both VLANs is provided by a Windows Server 2008 R2 server (the relay IP 192.168.4.15).
There is also an ASA 5510 in the mix which is 192.168.4.1. It has a route added to it for the 192.168.5.0 network to go to the SG 300 (192.168.5.1).
Just the two switches can ping each other on the 192.168.5.x network when I "add vlan 2" to the trunk port that is connected between the SG 300 and the 2960. The phones don't get DHCP on the 2960 switch. And I cannot ping 192.168.5.x from the ASA or anything else on the 192.168.4.x network.
After a bit of reading on intra-vlan routing for the SG 300 switch, I am thinking the SG 300 has to be the "center" of things so I need to make it 192.168.4.1 to be the gateway for both VLANs and change the ASA to 192.168.4.2 for VLAN1, etc. And I really can't do asymmetric routing with this switch.
View 1 Replies
View Related
Nov 16, 2011
Does the Model "WS-C2960-24PC-L" Supports IP Routing or not?
View 9 Replies
View Related
Jul 14, 2010
Got servers in vlan 10 ip range 10.0.0.0 and servers in vlan 20 ip range 20.0.0.0 at the same layer 3 switch. (c6509 sup720)I would like to block TCP traffic initiated from Vlan 20 to Vlan 10. But the servers in Vlan 10 needs to be able to open an TCP connections to Vlan 20 did test with the ACL thats blocking (ack/established/syn) but unable to get it to work.Or it works both directions or is works non directions.
View 4 Replies
View Related
Jul 22, 2012
I have 4 vlan and all has conectivity/access with all (VLAN10,VLAN20,VLAN30 and VLAN40, I use a 3560 Switch for this propose, I need to modificate one vlan (VLAN40) that has access to the rest of the VLAN's BUT the rest of the VLAN's dont have access to VLAN40. I know that it is a problem of access-list BUT I can't undertand how to obtain the result that I like
View 1 Replies
View Related
Nov 26, 2012
I have a 2800 router and tried so many ways to block the unwanted sites on my office network.Like access list ip based, null0 routing and policy map. Faced issues with below config
1. Creating Access-list. very difficulty to block the sites with https those sites will be opend, and we cant block all the IPs
2. Creating null0 routing. it also a bit deficult the block maximum sites because we can't fiend all IPs for those sites
3. Policy map.. with policy map we can only 1site we can block, but not more than one..
I heard that port based routing or port based access-list are the best ways to stop the websites in my local network..for this one i need to map the site to unsued ports then i need to null rouging or need to create the access-list.
View 3 Replies
View Related
Nov 23, 2012
I have a cisco 2800 router.. (flash:/c2800nm-advsecurityk9-mz.151-4.M4.bin, Version 12.4(13r)T11) configured DHCP, DNS, NATING and Bandwidth restriction...And to stop some social network [URL] i configured ip route 66.220.144.0 255.255.240.0 Null0 (rang of facebook address) But still i am able to open facebook.com in my network...
ADMIN-II_2811#sh run
Building configuration...
Current configuration : 1812 bytes
!
! Last configuration change at 17:26:33 UTC Sat Nov 24 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
[code]....
View 1 Replies
View Related
Sep 9, 2012
In cisco documentation for the 3560 it is mentioned that blocking appletalk will not work .It shows up in command line but it is not working due to hardware limitation.Is there any other way to block appletalk on 3560 swiitches.
View 3 Replies
View Related
May 20, 2013
I have arequirement where in I need to allow only specific vendor made desktops/laptops to be connected to the switch and block the rest. Say I want only the HP made Laptops to be connected on the Network. and block all other vendors. such as dell, ibm etc.
I am having Catalyst 4500 switches in My network. i tried using the mac access list using the permit and deny statement and then mapping the access list to the vlan access map and then filter using the vlan id. But this doesnt work on cat 4500....the same I tested for 2950 switch and it works perfectly. are there any restrictions on 4500 or any extra configuration has to be done.
View 2 Replies
View Related
Jan 14, 2012
I want to understand - if 10G ports of 4948E (4 x 10Gb) they are block or non-blocks? I want to connect this switches with 20 GB (lag) to my BB switches and i need to prepare my infrastructure to 17.5GB troughput of video traffic.
View 9 Replies
View Related
Jan 30, 2012
I wish to block some url that users have access through my LAN .That's i wish to block icmp,access towards such sites, i wish to block icmp because dns will resolve the domain and they can access through ip address.what i have in place is a cisco 2800 series routers,
View 7 Replies
View Related
Dec 26, 2012
I'm having a strange problem where I'm not able to get through a Cisco 2960-S L2 switch when connected through vpn, while LAN-WAN traffic is working fine.The situation on site is the following:When inside the network I'm able to get to the internet without a problem. The problem is within a vpn-session. When this session is succesfully started I can ping and manage the Cisco 2960-S switch, but I can't ping or manage the Dell switch from my laptop. I can however ping the Dell from the Cisco-switch. [code]
View 7 Replies
View Related
May 15, 2012
set up my QoS on two 2960
-------------------- ------- ------- ------------
PBX Asterisk |----|2960-1 |------|2960-2 |-----|Voip client2|
-------------------- ------- ------- ------------
-------------- |
[Code].....
This will be this configuration for all input interface right ? For the Output part I'm lost, what do I have to do ? And for the 2960-2 do I have to put the same configuration ?
View 5 Replies
View Related
Jun 4, 2012
I use Nexus 7010 as our layer 3 router.I have ssh feature turned on so I can manage it from the management interface. I just found out that users can use putty to ssh to the local SVI interface of the NEXUS. Although they still need username and password to login but we dont want them even able to bring up the welcome screen.Example, user's IP is : 172.16.25.100 , they can ssh to 172.16.25.1 which is the NX SVI interface.
View 1 Replies
View Related
Mar 14, 2013
I have an alcatel 6850 switch connected to a 3750. Two connections (cables) are used between the switches. The two connections from the alcatel are in different vlans 10 and 60 , but the cisco ones are in the same vlan ie 1 (I know not best practice but keep with it ). The cisco cables are connected into port 1 and 4. Port 1 is forwarding and 4 is blocking. The 3750 is configured with basic default pvst configuration.The alcatel is the root bridge. As can be realised traffic from alcatel on vlan 10 cannot pass traffic to the 3750, This was established by the spt seeing the same mac from the root bridge therefore blocking port 4.To stop this from blocking in this scenario I was going to use bpdufilter.
View 1 Replies
View Related
Nov 16, 2011
I need to block this mac address in my 3550 switch.i enable port security but this mac address comes and do the violation and port is shut down.
View 3 Replies
View Related
Jan 10, 2012
I have two 3560x Catalyst switches setup between two different locations. They link via a PTP line (Layer 2). I have setup Intervlan routing between the switches and that works fine.Each location has a separate subnet and a Windows DHCP server for each subnet.I want to block any DHCP requests to be sent from hosts on one subnet to the DHCP server on the other side (i.e across the PTP link) What is the best method to do this?
View 5 Replies
View Related
Feb 5, 2013
I am trying to connect a Control network that can not have access to the Internet, or any other network for that matter, to my Admin network so that I can retrieve trend data about the plant that goes into a database. Right now the process is print information, hand jam into excel spreadsheet, print again, and hand jam into another excel spreadsheet on the other network. Reports are printed automatically once a day, but would like a simplified way of getting data from one network to the other without having to re-enter data several times. Current policies stipulate no USB drives connected to Control systems. Even if we could loosen that, personnel needed to transfer data is not available and going to each individual machine would take more time than current system.Now that background is laid, I have two 2911 ISR routers with EIGRP configured, each with a 4 port EHWIC card. The 3 L3 ports on the router are setup as follows: interface G0/1 to the internet, interface G0/2 to a wireless back haul, and interface G0/0 for IT network. I then have 3 VLANs setup on the EHWICs for our Admin network. We will move the IT network to a VLAN on the remaining EHWIC port and connect the two 2911's through the G0/0 interface. I am going to have one computer on my Administration network dedicated to receiving the information and have a program that will take that data and import it to a database. I need to allow only that computer to receive traffic from the Control network and I need no traffic to flow back into the Control network. In other words I will transmit data from the control network to the admin computer using one protocol (TFTP more than likely) and block any other traffic coming out of and going into the Control network.
View 1 Replies
View Related
Jan 9, 2012
I have a layer 3 switch, 3550.I have several vlans on there just for playing around with. One of the vlans, has a vonage linksys box attached to it with a UK number attached. From time to time telemarketers call at 03:00 in the morning, this as I'm sure you can imagine is not much fun. The linksys box gets 192.168.3.3 as it's ip.The switch is connected to a non cisco router at 192.168.0.1
interface FastEthernet0/24
no switchport
ip address 192.168.0.2 255.255.255.0
I was thinking a time based access list would work best I have tried several variations but the phone still rings. I have tried access-list 1 deny host 192.168.3.3 permit ..... and more extensive lists but the phone still rings. I have not applied the time-range yet, so that's not the problem.I have applied the list to the vlan interface and to fa0/24 but it's not working.
View 3 Replies
View Related
Nov 29, 2012
I've configured an ASA 5510 FW with asa901-k8 ios. on it's "inside" port there is 10.90.0.0 network. there is another network (10.190.0.0) in my system that can be reached via another router which has 10.90.0.253 ip address. when a client in the 10.90 network wants to reach the 10.190 network the fw redirects the request to the router (10.90.0.253) because the fw is my gateway. there is no problem so far... but... while i can ping and traceroute a 10.190... user from 10.90... network, i can't use any non-icmp appliactions. for example i can't use rdp programs, http web interfaces of some devices on remote network (10.190.0.0). what can cause that? is there any rule in asa that blocks these protocols?
View 4 Replies
View Related
Jun 5, 2012
some recommendations for product selection and overall infrastructure setup for our datacenter: We have an old, legacy setup, and are looking to replace equipment, improve performance, enhance security, and implement hardware redundancy (if cost effective).
1) We now have (2) IP blocks from our provider, and need to support both (because we have mailers on older IPs with a good reputation rating).
2) We have (2) aged Sonicwalls, one for each IP block, each connects to multiple internal subnets (some internal subnets need connectivity to eachother, some don't).
3) We have (mostly) public facing web servers (Linux/Apache), as well as database servers (with no external access).
Questions-
1) Should we implement a Cisco ASA 5520 w/ or w/o SSM modules for the new IP block (for webservers)?
1a) Should we implement a Cisco ASA 5510 or 5505 for the existing IP block (for mailers)?
1b) Or, can we have multiple public IP blocks connected to a single ASA 5520 (or 2 ASA's w/ failover)?
2) Can we connect both firewalls (5520 and 5510/5505) to a single Catalyst 3550 (or similar) using VLANs, and have 6 - 10 VLANs for webserver subnets, with ACLs controlling which subnets/servers can connect to eachother?
2a) Should we implement a second Catalyst 3550 (or similar) for redundancy (webservers have multiple network cards).
3) From our provider, we only have (1) dmark which both IP blocks connect through. Currently we have a switch connected to the dmark in order to 'splice' the connection, and have both existing firewalls connected. Is there a better approach to this?
4) We would like to implement SSL-VPN, and possibly site to site IPSec VPN, but only if there will not be significant performance degredation.
5) Other thoughts/recommendations for new features, enhanced security, or redundancy?
View 1 Replies
View Related
Mar 23, 2013
I am trying to block all dhcp packets through 2960S lan base IOS. But when i set no trust interface for dhcp snooping, the dhcp packet source port will be err-disabled. Is there any other solution to block any DHCP packet through switch without interface or other service outage?Is possible to block DHCP packet through specific VLAN?
View 6 Replies
View Related
May 22, 2012
I have a LAN with 6 vlans and a 2821 router. By default, intervlan routing is enabled for all vlans, however, I want specific vlans to be denied access to others, though all should still be able to use the Internet being served from GE/0.
View 6 Replies
View Related
Nov 7, 2012
we hava a couple of 2960 switches and we are logging to a syslog server. Ports keep going up and down is it normal severity (error) ?
View 2 Replies
View Related
Apr 20, 2013
I have got two links from the same ISP, primary and secondary and connected to two different switch. The ISP have passed the trunk vlan of 30, 31 and 32 on both of the links. The ISP can't provide stp. I have got another managed 2960 series switch. How can I obtain failover on switch level.
View 2 Replies
View Related
Feb 21, 2013
I have IP phones connected to 2960 i want to segregate traffic traffic comming from IP phones which has a COS value of 5 and want to allocate a band width of 200 MBPS for those traffic .
Can any one share sample QOS configuration for achiving this in 2960 ?
View 2 Replies
View Related
