Cisco Switching/Routing :: 3560 - MAC ACL / Address Will Change When Packet Routed
Nov 8, 2012
I have Cisco 3560x layer 3, but there is one problem with MAC ACL. Here is sample scenario:
I have two V LANS 2 & 3. There is one device (D1) on V LAN 2 and three (D2,D3,D4) devices on V LAN 3. D1 can talk only to D2 and D3. D4 can talk only to D2 and D3. D1 and D4 cannot talk at all. I got the IP access list all set, but I was asked to get the MAC ACL on it. The problem is that as soon as packet is routed, its MAC addresses will change, correct? Is there way of preventing device with same IP but different MAC from talking to device it should not to, keeping in mind that the packet will be routed?
i have made a topology in packet tracer related to etherchannel configuration.i am using 2 3560 switches and 1 2950 switch. Now what i want is to bundle up the redundant links between these 3 switches. The links fa0/1-3 between 2950_1 and 3560_1 switches have been bundled up but when i try to bundle the links fa0/4-6 of 3560_1 to fa0/4-6 of 3560_2 it wont work. i am using channel-group 1 mode desirable between the 3560 switches. secondly if i want to assign ip to port channels then it has to be of same subnet between 2 3560 switches right and it must be same between 2950_1 and 3560_1. But these 2 subnets should be different from one another.
I am using Packet Tracer to simulate Cisco networking.As the existing IOS of the 3560 and 2960 switch are in older version which has no new feature in new IOS, how to upgarde the IOS of Cisco switch at Packet Tracer?
Most of the 4500 Switches in our network are giving the similar error for so many ports
%C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 1 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on p t Gi2/6 in vlan 100
Its impossible to do a wireshark packet tracing for all the ports.
Issue I am having with a Cisco 4507? Below is the error i am receiving.
Feb 14 10:06:09 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 508 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112 Feb 14 18:44:06 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 119 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112 Feb 15 00:51:06 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 366 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112
i'm using some catalysts 3560 with 10 VLANs and inter vlan routing. we use a windows deployment services server to install our workstations. the pxe boot works fine. the image is loading, and when the windows 7 PE is booting, the dhcp request failes. when i use a small not manageable switch between the computers and the catalysts, it works fine.all other things work fine.
Problem is that at some C65K I have directly connected Unix servers and the don't show MAC address at port, and same has happened at 3560 switched where I have too Unix based equipments connected. When use show mac-address interface XXXX, nothis appears at port and tested them with other equipments that worked fine.
We have a server connected to a 3560 switch which in turn connects to 6500s. The gateway interface is on the 6500. We will be changing the 6500s so the mac address for the gateway will change, however the IP address will remain the same. As we change out the 6500s the uplink connections to the 3560 will go down. This will flush the old mac address from the 3560.When the 3560 removes a MAC address does it update servers so they have to relearn the correct MAC address?
we have a 3560 switch configured with EIGRP with dhcp. We have a user that we cannot ping, however the interface show up / up and no errors on interface. the ip address is 10.2.0.199 - however we have dhcp configured to exclude the range from dhcp ip dhcp excluded-address 10.22.0.1 10.22.0.200 how can this work station get a dhcp address if we have that ip range excluded from the dhcp pool?
The user is off a different switch that is a uplink to this distribution switch. Traceroutes shows that the problem is with the distribution switch.
I have some Ethernet-connected cameras that all have the same Ethernet MAC address FF:FF:FF:0A:0A:0A. They were originally designed to directly connect to a Windows PC, but they can also connect through a simple unmanaged switch.A Catalyst 3560 switch won't forward packets to or from anything with that MAC address, at least not by default. Is there a way to convince the switch to do so?
It was my hope to replace the dedicated connections we have for these cameras with a separate VLAN for each camera, and switch them through our existing switch network. Given that all of the cameras use the same MAC address, putting them on the same network is out of the question, but different VLANs, where the only two devices on each VLAN were the camera and the PC that uses it, would be fine.
The switches run IOS 12.2(55) SE through SE3. I learned the camera MAC address from the PC's ARP table while the camera software runs; it turns out the cameras don't have a full IP stack either and don't even do ICMP.
I have 2 3560 switches that are running 12.2(25)SEE2. Port security is enabled on some of the ports. Whenever there is a power failure, when power is restored, 1 port on each switch goes to err-disabled. The mac address that causes this is a valid address for that port. Below is the configuration on one of the ports.
1 x 4500 and 1 x 3560?They are gateways of 8 Vlans?They are doing HSRP in each of those Vlans?The 4500 is the Active?There is a DHCP Pool for each of those Vlans on both gateways using "ip dhcp excluded-address" I ensured that the range of provided ips by each DHCP server will not be overlapped Obs.: Reducing the lease time, I ended with the calls bringing related problems.
OK, every thing is blue, every thing is fine.But the network diagram is realy complex(41 switchs, 89 uplinks), and depending of how is the network flow, one or other server answer first or latter.
For many reasons I would like that the secondary DHCP server would answer only if the primary DHCP server goes down.To me, the bigger reason is that DHCP database would be only in one DHCP server.But there is other reasons.
I passed by many frustrated solutions:Try to force a delay on the answer on one of the servers. - Impossible.Try to disable DHCP server, and, using EEM, enable it only if router became active in HSRP. - I couldn't do It.
What I'm thinking now is use the HSRP resource to resolve it.On both routers I would put a "ip helper-address" pointing to an Virtual_HSRP_IP.And depending on which router is the active, him will answer the request.
My first doubt is:Would it work?The second doubt is:Could I use the same Virtual_HSRP_IP that exists on that Vlan(see example 1),or I would need to point it to a Virtual_HSRP_IP in a different Vlan(see example 2)?
Example 1 ----------------------------------- | 4500 | ----------------------------------- interface Vlan1 ip address 10.10.0.2 255.255.0.0 ip helper-address 10.10.0.1 standby 1 ip 10.10.0.1
Quick question here. Using 3750E series switches with multiple VLANS configured. These switches serve as our 'core'. I have SVIs configured for the different VLANs and add inbound ACLs in each of the SVIs to control traffic between VLANS. This switch also terminates a P2P Ethernet link which connects to our Colo facility. The port used for this is configured as an L3 port. I noticed today that I was able to send traffic across this L3 link that I thought should have been blocked by an ACL I had in place but it wasn't. So the traffic flowed from a port in say VLAN 20 across this L3 link (assigned with an IP address). Would this traffic flow not cause traffic to be checked against an ACL applied in the inbound direction on the SVI of VLAN 20 (int vlan 20)? Traffic does get checked when routing between SVIs. Why would it not get checked when routing between SVI and L3 interface?
I have a collapsed core design with routed ports between all components. Access layer switches, data center switches, core/aggregation. All routed (no spanning-tree at all).Now...I have to add an IBM BladeCenter with a BNT layer 3 switch to my topology. However, those nasties don't seem to support routed ports.How can I have a routed port on my cisco switch and a standard access port on the BNT and still establish an adjacency with an SVI? I am running OSPF, but I am labbing this in my home lab with 2 x 3550s and EIGRP.
On SW2: *Mar 1 00:57:00.711: EIGRP: Received HELLO on Vlan100 nbr 10.1.1.1 *Mar 1 00:57:00.711: AS 999, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 *Mar 1 00:57:02.303: EIGRP: Sending UPDATE on Vlan100 nbr 10.1.1.1, retry 9, RTO 5000 tid 0 *Mar 1 00:57:02.303: AS 999, Flags 0x1, Seq 17/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
We are looking for a solution that to use Sub-interface on a routed port on 6509, instead of using a SVI on it.Are there any different when using Sub-interface?
I would like to do the following architecture with the same C3750 : network X,Y,Z connected to 3750 in VRF D the 3750 uses a routed interface on subnet E for the default route in VRF D on this routed interface a BYPASS EQUIPMENT the other BYPASS EQUIPMENT interface is connected also to another routed interface on subnet E "also" this routed interface is in another VRF C with other network A and B.do you know if it will work because of 2 routed interfaces on the same IP subnet or is there a way to do that ? the only goal for me is to catch traffic from network X,Y,Z on SYN and ACK.
I'm trying to configure a SPAN session on a Cisco 3725 router, but it won't let me complete the command. The router has two Fast Ethernet interfaces: 0/0 and 0/1. I'm trying to configure a SPAN session with Fa0/0 as the source interface and Fa0/1 as the destination interface. [code] But when I try to configure the session, it seems like it's giving me the option to configure the SPAN session, but in the end the router won't let me: [code] When I type "?", why would it give me the option of using the Fast Ethernet interface as source port, then when I try to execute the command, it doesn't like it?
Actually i have 7600 router and all trafic passes through Gi0/1(Routed port) interface to 6500 series switch. I need to create a vlan on this router eg. vlan 10 Any how it is possible assign a vlan to routed port and traffic of wan interfaces and the vlan traffic passed together.
I have made a routed port on 3560G Switch and defined a pool 172.28.4.62 255.255.255.192 and connected to E1 converter RAD (4E1 to 4 FE) the E1 media is through Microwave on the other end same E1 converter is connected through layer 2 switch and defined a pool as of routed port configured in 3560G switch.
The port is generating lot of giants and after a while it also distrubs other routes ( Port1 to Port 16), configured with Vlan11 and port 22 as routed port.I have checked the routed port through wireshark the maximum frame size is 1514 and configured the MTU to 1514, giants are not showing any more but after 10 to 12 hours switch gets hang. Either to shut the port or to reload the switch to get switch and other layer routes to be normal.
I have checked speed and duplex settings same as E1 converter. Full duplex. 100 Speed. Why switch is not behaving normal. If I shutdown the routed port it is normal.
1. interface GigabitEthernet0/22 no switchport ip address 172.28.4.62 255.255.255.192 flowcontrol receive on end
I have some questions about how to configure my Cisco 1941 with a routed subnet from my ISP to forward them to 1 or more servers in my LAN.1 Routed subnet /29 from my ISP (over a fiber connection).In my LAN I have (at the moment) 3 servers, and about 15 clients.I would like to use the first ip address from the routed subnet for internet traffic from all the clients in the LAN.I would like to use the second ip address from the routed subnet for server1 so that server1 accept some allowed connections and that server1 connects to the internet with the second ip address from the routed subnet
I would like to use the thirth ip address from the routed subnet for server2 so that server2 accept some allowed connections and that server2 connects to the internet with the thirth ip address from the routed subnet.I would like to use the fourth ip address from the routed subnet for server3 so that server3 accept some allowed connections and that server3 connects to the internet with the fourth ip address from the routed subnet.[code]
I've got a bunch of 3750-X switches all running IP Base and acting as a routed access layer. They run OSPF in a totally stubby area with the distribution layer (Nexus 7K) as the ABR. We also have a physically separate management network into which the fa0 management interface of the 3750-X is connected. The management network itself runs OSPF and has multiple subnets and external access.
On the 3750-X, I'd ideally like to be able to run some sort of separate OSPF process for the management network or at the very least have a static default route for management traffic pointing out the fa0 interface, but clearly not have it interfere with the main default route for data traffic coming from the N7K ABR. Normally I'd just create a management VRF, sling the fa0 interface into it and run a separate OSPF process in that VRF. The problem is you can't create VRFs in IP Base! Surely there must be a way to do this? Cisco don't really expect customers to upgrade to IP Services just to have a working OOB Management network, do they?!
I have a Cisco 2801 with a 4 port Layer2 switch card installed (HWIC-4ESW).
How do I bridge Ethernet0/1 to the 4ESW so if you were to plug a computer into the 4ESW, it would be on the same network as Eth0/1? see my config below:
interface FastEthernet0/1 description Internal Interface ip address 10.1.2.1 255.255.0.0
What should the duplex mode to be set on a routed port gi0/21 that are running HSRP ? I try setting the gi0/21 to full, but it caused the port to be down. The only way for the port to be up is setting it to half duplex.
Cisco 3750 Switch ============== interface GigabitEthernet0/21 no switchport ip address 10.200.104.34 255.255.255.248
We have 20+ VLANs on our main network, we have an offsite connected by metro GIG fiber ethernet. Right now, we have a layer 2 connection to there with the core at the main site as the gateway. We have had problems occationaly with the metro ethernet's spanning tree which then we would see our own network and cause an outage, not only for the offsite, but since the VLAN would see itself (not on our equipment but the metro ethernet carrier's) it would effect the main network as well.
What I was going to do to resolve this was change the connection to a routed network, however I need to still send some VLANs over the routed network (there are some applications that require to be on the same subnet as the server). Is there a way to Map the Vlan 10, and 11 at the main site to a vlan 10, and 11 at the remote site using a routed network? I noticed there is something about bridging, would I bridge the VLAN accross the routed MAN connection? Then would I bridge back the other way as well?
On a router I can use IP Accounting or Netflow to see what kind of traffic is moving over an interface. Are there any tools on a 3750 switch with a routed interface which would tell you who is hogging the bandwidth on that interface?
We have a number of sites which have high-speed L2 links which terminate on our L3 switches at each site. The ports are between the sites are placed in routed mode.
I would like to use Jumbo frame between two of the network which will communicate across sites and 1500 mtu on the rest, is this something which is possible?
From my understanding is the mtu is set on the interface therefore if I set the mtu on the L2 link ports on both sites to 9000 then would this cause a problem for the 1500?
I have been getting notifications of large packet loss and latency for itnernal traffic going to servers. I have a simple setup of nagios who pings servers and will notify me of large packet loss or complete packet loss. I have implemented this L3 switch a few hours ago, I am currently running a constant ping to my servers, but I am not niticing packet loss right now.This packet loss happened 4 time spans within the last hour of many large packet losses to all my servers within all subnets. It is now stopped.
I am not sure why this would be happening, the predessor of the internal router was just a normal linux box with 3 NICs on it. Nothing crazy going on since the business is closed.
