Cisco Switching/Routing :: 3560 - No Access List On Switches And No Firewall Between Sites
Jul 15, 2012
I have 3 3560 switches which are configured with trunks between them. They run vlan 10, 11 & 12. I have a 'core' switch (switch 1) of these 3 to which an MPLS router is connected on vlan12. I in addition have another switch hanging off the 'core' switch via a routed link (switch 4). I have EIGRP configured as a stub and as such the IP address on the routed link at the core switch end is of a /24 from v lan 1 on the other switch. This makes the route directly connected and therefore distributed via EIGRP stubs. Switch 1 is then exchanging routes with the MPLS router (via EIGRP).
The problem I have is that from any sub net on any switch (switch 1, 2 or 3) I can ping 192.168.13.1 (switch 4). When I try and ping switch 4 from over the MPLS I am unable to. If I trace to the switch I see it reaches the outside of the MPLS router, but is then unresponsive. The same applies if I try to ping switch 1 on 192.168.13.2. Any of the other IP addresses of switch 1 respond.
The MPLS network is a managed solution to which I have no access. I'm told that the MPLS provider is able to ping switch 1 & switch 4 on the 192.168.13.x addresses from a remote router (192.168.32.2). I have tried from a switch on the same L2 sub net (192.168.32.1) and I don't get a response.
From switch 4 I am able to ping the switch on 1 of it's interfaces (192.168.19.1), but not the interface I mentioned above 192.168.32.1. There are no access lists in place on the switches and no firewalls between the sites.
We are having two sites seperated by half a mile and we are using dedicated 100 Meg link at the moment for intranet traffic, and now we got new 1 gig link and I am working to set it up, Service Provider came on site installed two circuits on both sites and fiber connectivity is tested succesfully betweeen sites, now I need to connect the circuits to our network and make the 1 gig link active to make traffic flow between sites and as well bring 100 meg as standby.
So to brief the issue:
Connectivity at the moment SiteA: Switch1(3560)------100Meg--------.SiteB: Switch 2(3560)
I Want to configure SiteA: Switch 3(4507)------1gig (Active)--------.SiteB: Switch 4(3560) SiteA: Switch1(3560)------100Meg(Standby)--------.SiteB: Switch 2(3560)
simple as connecting a fiber or ethernet link from external circuit on both sites to respective switches on their interfaces and configuring hsrp to enable redundancy. A
MY ISP installed one router in my lab.for internet connectivity they mail me steps :connect your Laptop directly to gi0/3 port to check internet connectivity with public ip 1.1.1.x and Gateway 18.104.22.168 with subnet mask 255.255.255.240 after connection I surprised because I am able to access only google sites like gmail,google search etc. but I am able to ping/traceroute all sites.from browser I am able to access only google sites only.In Router no firewall no such access list.
Is it possible to have ether-channel across 2 switches? As an example, having a server with 2 ports connect, 1 port to Switch-A and the other to Switch-B and then use those two links on the sepatate switches but to the same server to form an Etherchannel.
Was building a small network in Cisco Packet Tracer and ran in to an issue. I have 4 routers running OSPF, and off one of the routers I have 5 3560 Multilayer switches. The router that the switches hang off of, I have a sub-interface with dot1q encapsulation, set for vlan 10 and an IP Address. 10.14.16.1/24. The switches have interface vlan 10 configures, and have IPs in the same subnet. From that router, I can ping/telnet to all the switches without issue. My problem arises when I try and reach those switches from any other router. OSPF is set to redistribute static and connected subnets.The routing table is populated correctly on all the routers. When I ping and trace the packet, it looks like it makes it all the way to the respective switch, but the packet never makes it back. I've played with the default route on the switches to no avail. Am I trying to implement this incorrectly, or am I just missing something?
whether VSS technology support on 3560 switches.I'm planning to intergrate new Cisco 2x6509 with VSS and all the access swtiches 3560's uplink to core 6509..if not support, what will be the solution or any bug fixing or new IOS releasing
In cisco documentation for the 3560 it is mentioned that blocking appletalk will not work .It shows up in command line but it is not working due to hardware limitation.Is there any other way to block appletalk on 3560 swiitches.
I'm looking to implement a vlan filter to keep unnecessary stuff off my access-layer. Things like IPv6, IPX etc. I really only want IPv4, ARP and 802.1q on these 4500s. I know on 3750, 3560s etc, when I create the mac access-list, I can do it by ethertype, but on the 4500, I dont have that option.
I have an 1800 isr that is running with port forwarding only. It is running a series of ip nat inside source static address port address port commands. It does not have an access list bound to the outside interface. This is working fine, but i am wondering if this is a security concern?
OSPF normally only comes with IPservices image and not IP Base image. The 3560-C series data sheet says that it only suport IP Base image, yet it mentions that support for OSPF in included. Are there any restictions in the OSPF support?.
I have a 5K with 5 downstream 3560's. I now have a new 5k that I would like to add to the existing 5K as a HA peer. What is the best way to accomplish this with the least amount of downtime for the downstream switches.On the 3560's, i plan setting up port-channels once HA is setup on the 5k's.
We have 7 3560's in 7 different locations connected to our providor for wan access. Our provider has given us a copper cable at each point and we have connected it directly to our 3560 switch at each location. Each port is configured the same way at each location. Each switch is running eigrp.All of the switch ports on each switch are configured as a trunk and vlan 299 had the ip address for the eigrp connection: [code] This setup is working as each switch see's all of the other switches as an eigrp neighbor. We have also made sure that the switch at our head office has spanning tree priority for vlan 299.
So the problem is, if there is a change in the topology at one of the locations it usually causes one or more of the other connections to go down for some reason. We just cannot pinpoint what is causing this change. There are no log's or anything other than an eigrp hold time expired message.?
We have a couple of Cisco switches and connected a (Windows 7) laptop to one of them and it gets its IP address from a DHCP server.I can now ping the IP from all of the switches, no problem, also not when I log on to the core switch in the same VLAN as both notebooks. But from my (Windows 7) laptop, which is in the same VLAN as the target laptop, I cannot ping it.
I checked, default gateway is good on both sides, as are DNS servers.
I have a Cisco 3560 connected via fiber to a Nortel 1612G. The connection is up/up, the V LAN's on the switch work as needed, but I can not ping the switch from the Nortel, and as a result I can not remote into the Cisco for management. I see in the configuration for the trunk that it is configured for a native v LAN, but I don't see it defined which v LAN's are allowed, could this be the issue? I will provide some of the config information for the Cisco side, I understand the issue may be on the Nortel end but if the Cisco part looks OK?
Port config for the trunk:
interface GigabitEthernet0/49 description port_6_1612G switch port trunk encapsulation dot1q switch port trunk native v LAN 120 switch port mode trunk
We have two Cisco switches with one 3560 and one 3750 we have created a new Vlan 4 with IP 10.1.3.x 255.255.255.0 - no shut then assigne to gi 2/0/46 on the 3560 Vlan 4 ip address 10.1.3.x 255.255.255.0 no shut then assign to FA0/45. All interfaces are up up along with the Vlan up up, we can ping the local IP address bu not able to pint the other switch.
Extended IP access list VLAN20 10 permit tcp any any established 11 permit icmp any any 20 permit tcp any 192.168.20.0 0.0.0.255 eq 80 30 permit tcp any 192.168.20.0 0.0.0.255 eq 443 40 deny ip any any log
Above is the network diagram and access list for VLAN 20 and VLAN 30, applied on incoming direction of each valn.But still able to access other port which is not on access list, tried changing the direction with no luck.Inter vlan routing is enabled on CoreSwitch default router is 192.168.10.10
i have one Cisco 3750, am using it as Core Switch where i have 6 more access switches are connected deirectly, and we are using VLANs in our network with the IP reange of 172.16.0.0 , now we had a new Internet connection which is dedicated to Exchange Server only.So we have TWO internet connection One for internet access to all users and another one for only Exchange Server.internet connection for the users is termiated at a Cisco 1700 Series Router and Internet for Exchage Server is terminated at a Cisco ASA Firewall.Now the problem is how can i write an access list, which says that all packets from Exchange server should be routed to ASA Firewall , and all other packets shoulde route to Cisco Router.IP address os Exchange server is 172.16.2.1, 172.16.2.2.
I have one computer connected to the 4506 that management does not want this PC to have access to anything on our network except our DHCP server and the one printer that resides on our network. I created an extended access list as follows. Our network is the 10.10.x.x and the external addresses the PC needs to access is 11.1.x.x. Once this PC is rebooted, it is unable to access DHCP to get the needed IP address it bounces back to a 169.x.x.x address and stops working.
Extended IP access list 2000 permit tcp host 10.10.200.242 host 22.214.171.124 (gateway) permit tcp host 10.10.200.242 host 126.96.36.199 eq smtp (access from the pc to external server for smtp) permit tcp host 10.10.200.242 host 188.8.131.52 eq 5721 (access from the pc to external server for remote access) [ code]...
Then I applied the access-group 2000 on the interface the PC is connected to. What am I missing for DHCP to work and for this PC to always get the ip address that is reserved?
We are in the process of rolling out iPads to our offices. As part of this implementation, we need to print from the iPads to our network printers. Our network printers are mostly HP and Xerox and do not have native Apple AirPrint capabilities. As such, we have been using the FingerPrint software to share out the network printers as Apple AirPrint printers. We have a mixture of switches at our offices. Most offices utilize a 3550 PoE switch. In these offices the AirPrint traffic is being transferred successfully and everything works great. In the offices which are using 3560 PoE switches, the traffic is never seen at the iPads. We are using EnGenius EAP300 access points connected into the Cisco switches to provide wireless access to the iPads. Both 3550 and 3560 switches are running iOS 12.2(25). What might be stopping/blocking the AirPrint traffic on the 3560 switches?
I have a couple of 3560 switches running c3560-advipservicesk9-mz.122-44 and they are randomly experiencing the following:
- The switch locks up with no preceding error message in the log (I am forwarding syslog to Splunk).
- Upon reboot, the switch goes through the normal startup sequence with no error messages, then for some reason reloads the flash and starts all over again. (refer to doc)
This could happen after days or weeks. Sometimes they will go through two of these reloads on boot and be fine for awhile, and other times they will be stuck in the loop infinitely. I am using this same image with all of our 3560s, but am only having this issue with two of them.
I have 3560's in my current environment, operating in the core/distro/access layers. The switches are in a star configuration, performs only layer 2 switching, and utilizes copper (no plans on moving to fiber).
With a fairly limited budget, I've been contemplating on upgrading the central node to a stacked 3750X to eliminate that single point of failure, and trunk the rest of the 3560's to the stacked switch. I wanted to be sure that the 3750X switches will be right for my environment (90-100 hosts), and if what I explained above is a good solution.
I'm also looking like to upgrade 6-7 of my servers (and SAN) with 10GB network cards. Do the ports on the 3750X have port densities capable of 10GB? If not, what switches provide that capability?
I need to support a bunch of security cameras mounted on poles in our parking lot and an IP intercom system mounted on some gates. Because of environmental factors the switches at the poles need to be hardened and the spec from the vendor installing the gear is for GarretCom Industrial unmanaged switches which would make sense.
However when Information Security got wind of this scheme they (probably correctly) are requiring me to secure the ports that these unmanaged switches connect to. I have 2 choices: port security w/ MAC filtering or 802.1x. Because all the devices at the poles and gates support 802.1x and because I may need to go out there to troubleshoot stuff (and will invariably forget to add the MAC of whatever device I am using) I would prefer 802.1X multi-auth mode.
Problem: When I ran a quick test on a test 3560 running some 15.0.1 code I could get a laptop to connect via 802.1x EAP-TLS successfully if it was directly connected but when I connected the same laptop via a dumb Netgear switch I confiscated from a luser it would not connect. The 3560 error said that the laptop never responded.
Question: Before I spend a whole lot of time on this, is this something that should work? I don't see any practical use for the feature if it won't however the documentation I am using specifically mentions downstream hubs but I am not sure if they mean real hubs (which I don't think are even made anymore) or if they mean unmanaged switches.
I plan to try a couple of different unmanaged switches tomorrow and digg a little but I would like to know if I am wasting my time on something that will never work or if there is a little gotcha somewhere.
I configure multiple static RPs and one of the ACLs denies a source will it move on to the next entry that covers it in another acl? [code] i.e. 184.108.40.206 will be used as the RP for 224 to 238 and 220.127.116.11 will be used as the RP for 239.Will that work correctly, i.e. if a source is trying to register with the router and its for the group 18.104.22.168, will it be denied against the first RP and then permitted against the second RP?
I have a layer 3 switch, 3550.I have several vlans on there just for playing around with. One of the vlans, has a vonage linksys box attached to it with a UK number attached. From time to time telemarketers call at 03:00 in the morning, this as I'm sure you can imagine is not much fun. The linksys box gets 192.168.3.3 as it's ip.The switch is connected to a non cisco router at 192.168.0.1
interface FastEthernet0/24 no switchport ip address 192.168.0.2 255.255.255.0
I was thinking a time based access list would work best I have tried several variations but the phone still rings. I have tried access-list 1 deny host 192.168.3.3 permit ..... and more extensive lists but the phone still rings. I have not applied the time-range yet, so that's not the problem.I have applied the list to the vlan interface and to fa0/24 but it's not working.
I have a LIII Switch Cisco 3750x ,with diffrent Vlans , Some users are in Vlan 102 (10.10.2.0) and Some Users are in Vlan1 (10.10.1.0) , now i want to restrict the Vlan102 users to access Vlan1 , i am pasting my configuration below , how to create a access list .
interface Vlan1 ip address 10.10.1.36 255.255.255.0 ip helper-address 10.10.1.36