Cisco Switching/Routing :: 2960s / Marking The Traffic Between Two Hosts (Data Replication)
Feb 6, 2013
in switch 2960s ( c2960s-universalk9-mz.122-55.SE5 ) , i want to marking the traffic between two hosts (Data replication), i choose to use " mac access-list" to classify my trafic before apply the policy marking . but did'nt work . c
! my mac ACL
mac access-list extended test
permit host 000a.1a41.aa52 host 000a.1a41.1bc2
!
class-map match-all test
match access-group name test
How can I collect the data about the traffic on my Cisco 2960S? Have I use only the snmp? Any workaround for simulate a netflow? The IOS c2960s-universalk9-mz.150-1.SE2.bin.
i did on cisco 2960S switch at user ingress interface. but the marking is not showing in show policy-map interface gig 1/0/10 interface and ACL is not showing any match.
I also had a config reference from 2960S cisco guide.
access-list 103 permit tcp any any eq 80 access-list 104 permit tcp any any eq 23 access-list 105 permit icmp host 172.24.68.4 any
Multicast is not working between our two datacenter, we have catalyst 2960S (two stacked) as the internal lan switch, and catalyst 3560E as the external switch, same configuration for both datacenters.The two sites are connected using metro, the external switch (3560) is doing qinq and encapsulate the data from the internal switch with the metro vlan (611).
IGMP snooping is disabled for all switches, although we prefer to enable it for the internal switches.For each datacenter there is a different firewall which also act as the router, we are using fortigate as the firewall.Following is the important configuration section:
Port 43 in the internal switch is connected to the external switch (both sites):
I have two switches (2960S's) both with IP Phones on VLAN100..We need to monitor voice traffic via a monitor port on SW1 of all VLAN100 traffic on both switches.The following is what we have configured, but we cannot see VLAN100 traffic on SW1
According to Cisco doco you cannot have a SPAN and RSPAN on the same session, however since these are two sessions on SW1, I would have thought it to be OK.
I have 2 Exchange 2010 servers and when I enable the DAG and start replication I see both servers NIC cards reach 100% utilization periodically. I normally don't see this on any of my servers but I figure what the heck it'll be really fast in completion. However, when it peaks at 99-100% for short bursts I see packet loss from other systems on the network.
A minute or two into it I start getting alerts of packet drops on the switch these are connected to (catalyst 2960S). It's not across the board but it's enough to wreak other havoc with processes running. I'm curious as to whether this is the 2 servers having a problem or is this switch not up to it?
I believe the last snapshot I took showed most of the active ports on the switch having a 40-50% transmit status when those 2 servers peaked, which didn't make any sense to me. Is there something on the switch triggering other ports to lose packets or is it broadcasting something it shouldn't?
In more detail:-I'm seeing immediate/more packet loss on the network from the 8 or so APC PDU's that are connected to the same switch at 100/half or 100/full (haven't looked into why that is yet some are coming up at half.
-Couple of sql servers were failing over because they could not reach network resources, timeouts exceeding a few seconds. Really just bizarre for just replication files.
Lastly - any way to throttle the throughput on the Exchange replication via powershell or anything?
but on interface gi 1/0/1 i want to have data from vlan 10 tagged as VLAN 20. At this time i have solved this issue very primitively
I have set up gi 1/0/2 as int mode acces, acces vlan 20 and i have connected gi 1/0/2 with gi 1/0/3 with eth cable. int gi 1/0/3 is switchpor mode acces, switchport acces vlan 10
I am trying to connect a Control network that can not have access to the Internet, or any other network for that matter, to my Admin network so that I can retrieve trend data about the plant that goes into a database. Right now the process is print information, hand jam into excel spreadsheet, print again, and hand jam into another excel spreadsheet on the other network. Reports are printed automatically once a day, but would like a simplified way of getting data from one network to the other without having to re-enter data several times. Current policies stipulate no USB drives connected to Control systems. Even if we could loosen that, personnel needed to transfer data is not available and going to each individual machine would take more time than current system.Now that background is laid, I have two 2911 ISR routers with EIGRP configured, each with a 4 port EHWIC card. The 3 L3 ports on the router are setup as follows: interface G0/1 to the internet, interface G0/2 to a wireless back haul, and interface G0/0 for IT network. I then have 3 VLANs setup on the EHWICs for our Admin network. We will move the IT network to a VLAN on the remaining EHWIC port and connect the two 2911's through the G0/0 interface. I am going to have one computer on my Administration network dedicated to receiving the information and have a program that will take that data and import it to a database. I need to allow only that computer to receive traffic from the Control network and I need no traffic to flow back into the Control network. In other words I will transmit data from the control network to the admin computer using one protocol (TFTP more than likely) and block any other traffic coming out of and going into the Control network.
I am looking for any assistance with an issue I am having. Within my network, I have two Net App enclaves that replicate with each other. These hang off of separate switches, one at our primary site and one off of our secondary site, just a few miles away. I can replicate from the primary site to the secondary site at 8GB per minute. From the secondary site back to the primary site, however, the replication passes at about 17MB per minute.
The configuration is exactly the same on both ends. The primary Net App enclave hangs off of a 6513 switch and the secondary Net App enclave hangs off of a Nexus5000. Trace routes and pings all show correct paths and connectivity. I have troubleshoot this for a few days and I have been unable to figure out what is causing the replication issues. The fact that this is bi-directional traffic and I am having problems one way is really throwing me off. There are no ACLs or firewalls present between the two switches.
I have a Cisco 3725 router with IOS version "Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(12)". And this router is serving as a CE route for our MPLS connection to the service Provider. We do also have multiple VRFs ( around 10) and the WAN interface is DS3. So we created point-to-point subinterfaces and we put them in different vrfs. We have now transitioned to a new ISP and the ISP requested us to mark all of our outgoing traffics with DSCP AF31. So I have created the following policy-map
policy-map TRAFFIC-OUT-WAN-AF31 class TRAFFIC-OUT-WAN set ip dscp af31 class-map match-any TRAFFIC-OUT-WAN match any
Now we do have multiple GRE tunnel interfaces sourced from one of the WAN subinterface ( which is a member of VRF A). So the moment I applied the the policy-map on this WAN sub-interface (using the syntax "service-policy out TRAFFIC-OUT-WAN-AF31"), most of the GRE tunnels went down. And there is eBGP running on top of these GRE tunnels.
I want to mark traffic on Cisco 3020 switch entering to interface gigabitEthernet 0/1 ingress direction with DSCP values. interface gigabitEthernet 0/1 is in access mode and in vlan 10.
I have a pair of Nexus 7K's running 5.1(3). I have a handful of edge devices that I need to mark ingress traffic, and need to mark both DSCP and CoS. Right now, I have a working config that marks DSCP appropriately.While that works dor DSCP, the MQC will not allow me to mark both DSCP and COS in the same class, and unlike IOS, it appears that Nexus does not have a default DSCP-to-COS mapping. My understanding is this can be solved using table maps, but I don't see how that can solve my problem in this specific scenario (it appears I can do marking or table-map mutation, but not both?). How I can accomplish both?
We have a NETAPP nas box having two interfaces connecting to two fex's on 5ks. The 5ks are inturn connected to nexus 7k boxes. We have a 100mbps man link (LAN Extension). The netapp's two nics are grouped together to form a teaming type of environment. SNAPMirror replication is very poor at the rate 10mbps though the WAN speed is 100mbps and also the wan link is utilized only about 60mbps. What could be the problem. We tried removing storm unicast control 10 but with no effect.
We have recently started as Internet service provider in an open metropolitan.
We use a Cisco 3560G Layer 3 switch, where we have all our vlan where we have konfiguerat ex. Switch (config) # interface vlan 150, an interface for each VLAN capabilities such as int vlan 1 - 10/10 int vlan 2 to 30/10, int vlan 3 100/10 and so on. Our int vlan is configured as follows:
dhcp relay information trusted ip address <x.x.x.x> <x.x.x.x> ip helper-address <x.x.x.x> Ports (ex. int Gigabit Ethernet 0/1) are configured as follows: description Uplink switchport access vlan x
[Code].....
Now the problem; we have a customer in ex. vlan 3 who needs to access a server provided by another customer in the same vlan (vlan 3), and access to each other in the same vlan is not possible. You can access the server from any other vlan, but when it comes to access to another host in the same vlan, you will not reach it.
We suspect that the energy company has configured with pvlan isolated. If we use the command ip local-proxy-arp on each vlan, it works to reach each other, but it seems that our 3560 becomes overloaded when ip local-proxy-arp is enabled and it streaming and use IP telephony it doesn't work. The response time at ping is longer and the loss of packets increase with ip local-proxy-arp enabled. The other operators in the metropolitan also uses Cisco 3560G so the hardware should be sufficient.
We have also tried to add no split-horizon, but it made no difference. How do we get around this without negative consequences? Probably need something that makes you allow to send out the same interface that it came from, because it works as long as you are in another vlan.
I've set up a simple lab network of two cisco routers 2611XM and to each router I've attached a computer (host). I have set up a dhcp ip addresses for each host. I've set up a correct routing as well on each router. There are 3 networks: 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 The first network between the first host and first router, second is between two routers and third is between the second router and second host. If I use first host (192.168.1.20) I can ping to any ip address (192.168.1.1 (router 1), 192.168.2.1 (router 1), 192.168.2.2 (router 2), 192.168.3.1 (router 2)) except the second host ip address which is 192.168.3.20. When I sit on the second host (192.168.3.20) i can ping to 192.168.1.1 (router 1), 192.168.2.1 (router 1), 192.168.2.2 (router 2), 192.168.3.1 (router 2) but i can't ping to the first host which is 192.168.1.20. I've even tried with attaching a switch to a router and assign it an ip address of 192.168.1.3 and the ping was echoing to it.
Currently have a setup where we have multiple SVI interfaces in a VRF on a Catalyst 6500 Switch. All these SVI belong to the same VRF. In order to achieve connectivity for hosts within the VRF to access hosts outside the VRF (Hosts reachabe via the Global Routing Table (GRT)) I am thinking I need to configure 2 things
1. Creating a summary route for all the subnets within the VRF in the Global Routing table. <Config on 6K in Global Routing Table> Note: 10.10.10.10 is the ip address of loopback 10 and this loopback 10 is in VRF Red ip route 172.16.0.0 255.255.0.0 loopback10 10.10.10.10
2. Create a couple static routes within the VRF for networks that reside in the Global Routing table but which are not local to this 6K. <Config on 6K within the VRF Routing Table>
Note: 1.1.1.1 is the ip address of loopback 1 and this loopback 1 is in the GRT or not assigned to a VRF ip route vrf Red 172.32.32.0 255.255.255.0 loopback1 1.1.1.1 global ip route vrf Red 172.32.40.0 255.255.255.0 loopback1 1.1.1.1 global ip route vrf Red 172.32.50.0 255.255.255.0 loopback1 1.1.1.1 global
I have read through some posts and it seems to indicate that I cannot point to a loopback interface as it is not a point to point interface. How this solution can be achieved. The reason I was pointing to a loopback was so that I am not tied to a particular physical interface and for the summary route that was created in step 1 really not sure what L3 interface I could point to since I have multiple SVI's that are in the same VRF. Would I also need to create that same summary within the VRF. I don't intend to since I am assuming that once within the VRF the more specific connected interfaces would take affect and forward respectively.
In addition to the above I also need determining the forwarding behavior when there is a ip helper address configured under the SVI's which are in a VRF but the ip address for that helper is not part of the VRF. I would think if a static route is configured under the VRF for that helper address network pointing it to the Global Routing table it should work. The config for that would be
ip route vrf RED 172.32.52.5 255.255.255.255 loopback1 1.1.1.1 global
I have recently split the voice vlan (10) from the data network (1), and am wondering why my catalysts and router do not require an interface Vlan10 statement. In the past I used OpenBSD boxes to do the routing, and I first needed to configure vlan 10 on the interface before I could get inter-vlan communication to work. With these Cisco devices it works, and I am wondering if it is because of VTP, for the fact that the ports maybe just pass all traffic, or is there some other explanation? Below is the setup, and firmware is up-to-date on all of the devices.
When I plug a phone into the POE SGE, the phone turns on, obtains an address on the proper subnet, and conversations are clear (whereas without the ip nat inside on the new subnet the calls had a lot of static). Possibly the reason that it works is because the phones properly create the tcp/ip packet, and it hops over the trunks and creates the states so that traffic routes back properly. I will install wireshark to see exactly what is going on, but is there a simple explanation that I am overlooking?
I have, what I believe to be, a simple issue - I must be missing something. Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209). There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off. The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue. Basically, the VPN is up and running but PC 10.51.253.210 cannot get out
I have C2960S-48FPS-L and C2960S-24TS-S both of them are using C2960S-UNVERSALK9-M image with version 15.0(2)SE on both I run "mls qos"
and on 48FPS-L I run "mls qos map cos-dscp..."on 24TS-S I cannot run it. there is no such command. there is just "mls qos rewrite..." and "mls qos srr-queue..." variants.
I thought that one image give the same set of commands...?
I'm working on setting up a template configuration for the Cisco ASA 5505 device that we'll use to configure more routers for various client needs. One of the requirements requested of me is the following: Internal hosts assigned a DHCP address are blocked from the internet Internal hosts with a static IP are permitted access to internet All internal hosts can communicate regardless of state
Now, I'm fairly new to this and I'm certain my terminology isn't correct so googling the problem has been fruitless. I have followed basic configuration guides and have configured the device to hand out DHCP addresses to hosts plugged in ports 1-7. If I'm plugged in and specify my address manually in the OS I am blocked from any access so I can only assume there is an access policy or some rule preventing me from authenticating against the router despite having set up VLAN1 to be the entire class C subnet. What sort of steps would I need to do to configure this? New access lists. For the record, the dhcp addresses are in the range of 10.100.31.64-10.100.31.95. VPN users are assigned an address from 10.100.31.220-10.100.31.240 and there seems to be no issues with that configuraiton. I don't wish to constrain what addresses a user can use should they specify a static IP (10.100.31.5 should be just as valid as 10.100.31.100).
I've a big problem with a loss of packets ICMP sent by different hosts in differents VLAN. Here my architecture:
Core Switch : 2 Switch's C6509 (Version 15.0 (1) SY1)- Mode VSS - One lien VSL , the other link is defective.Access Switch: C3750 , Connected to Core Switch through 2 fibre optique wires.Topology: redundant ring
When I send consecutive ping message I found always a missing of packets . Furthermore When I insert the "show ip traffic" command., the parameter "bad hop count" increase after a loss of packets. I've 2 hosts connected in my network and they send packets with TTL =127.
In the Core Switch I haven't configured the MEC because it gave me troubles with the packets multicast.
while i am configuring a port on switch .The switch reloads.After reload the show version says,System returned to ROM by bus error at PC 0x458F6C, address 0x0,show version from the effected switch is,Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1).
I am currently having an issue with connecting a Catalyst 2960-S switch to a Small Business SG300 switch. When I connect them they are unable to form a link. When I do a show spanning-tree it says the mst link is in dispute.
I read some papers about QoS. The thing is that I have to implement 30 switches with QoS to connect to a lot of Cisco IP phones. The switches are Cisco 2960S with code image "C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE3". Should I use autoQoS feature or manually configure them?. How should I treat uplinks between access switchs and core/distribution? I have a lot of doubts regarding queueing, because all the info I had read its for another model/image.
I'm looking at the WS-C2960S-48TD-L and have a question about the uplink ports. Is it possible to mix 10G on one uplink and 1G on the other? The datasheet says 2x10G SFP+, 2x1G SFP so I am thinking mixing is not possible.
just got new hardware and decided to try the newer USB port for IOS upgrades. I could not get the switch to recognize my 2gig flash drive. Do I need a proprietary stick or special format?
I also noticed when I removed it the switches crash dump and rebooted?
I am just setting up a simple scenario with a 1841. Server @ 172.31.1.1 cannot ping 172.31.0.254 or 172.31.0.105. It can ping 172.31.1.250. The router can, on the other hand, ping devices on both networks. This is just for testing routing theory so I don't know why hosts on either side of the network cannot ping each other.
I am only using the FastEthernet interfaces on Router 1841.
When using dynamic configuration tools, if I choose 2960 (not 2960s), I have the option to choose RPS2300 as redundant power, but when I choose 2960s, I cannot choose RPS2300. However, in a document describe both 2960 and 2960s, it said that RPS2300 can be used. Does RPS2300 support 2960S?
Recently I'm working with my client to setup their network and he want me to limit user access internet bandwidth to 2 Mbps and the topology show below.Users ---> Switch ---> NAT Router ---> (int gi1/0/24 - qos apply) Edge Switch ---> INTERNET ROUTER (12Mbps) --->> INTERNET,This is my configuration, but it doesn't work, the end user still able to get more than 2Mbps internet speed.Access-list 100 permit ip any any dscp default,class-map match-all QoS_Floor_Limit, match access-group 100.
I would like to enable port security to hardcode the MAC address on the ethernet switch. There are 5 ethernet ports in the same ethernet switch to be assigned for one person (one note book), e.g. port 5, 6, 15, 16 and 23. The model of ethernet switch is cisco 2960S and one MAC address is configured on 2960S.
1. Does 2960S support this requirement to allow input the same MAC address to 5 different port?
2. If yes, can ethernet switch "smart" enough to forward the packages to "active" ethernet port which is connected to notebook and the rest of four ports are inactive.
3. if no, any solution or any work around to achieve this requirement
