I've set up my 3560 to do routing. Now, I'm looking for a way to apply acl restrictions to the vlan interface ip address itself.
View 1 Repliesconfiguration of NAT on an ASA 5520. On the ASA I have 1 x WAN connection and 1 x Internet Connection as well as the Inside and DMZ. I want to translate traffic from certain subnets on the inside (say 10.1.2.0 255.255.255.0) to an outside address (say 1.2.3.0 255.255.255.0). I'm assuming the ASA using the number after the brackets to distinguish what to translate? So if I had another entry with a '2' after the brackets, any of the '1' entries wouldn't translate to this? I have access-lits inbound on the INSIDE interface, I'm assuming these are applied before any NAT and only items allowed through the access-list are allowed to NAT?
I also have an address I would like to statically NAT with a certain port number, how do I do this? After I've configured this, what are the commands to apply NAT on the interface?
I have a 3560G that I cannot apply a policy route-map to one of the VLAN interfaces. I am running up to date software, c3560-ipservicesk9-mz.150-2.SE2 and it accepts the command, but does not show it in the sh run of the interface. I updated to this code as I had seen previously someone said it needed to be version 15 before you could apply route-maps to VLAN interfaces.
View 4 Replies View RelatedHere is my configuration below , i have upgraded my C-3750 switch IOS from IPbase to IPservices , after upgrading i have tried to apply PBR on my Vlan 4 and failed , when i am tying to apply route-map to Vlan4 the command was taking but i am unable to see the route-map when sh run , i am giving the command as "ip policy route-map TTSL" in my Vlan4 , below is the configuration.
In Vlan2 i have connected one ISP and Vlan4 I have connected one ISP , my local subnets are 192.168.1.x and 192.168.2.x , now i want to route the 192.168.1.x traffic from Vlan2 and 192.168.2.x Traffic from Vlan4 .
sh boot
coreswitch#sh boot
BOOT path-list : flash:c3750-ipservices-mz.122-35.SE5/c3750-ipservices-mz.122-35.SE5.bin
[Code].....
Between our hosting and a customer we have an extended vlan, traveling on a fiber, between two cisco 3560 switches.The thing is, that we want to create one or more vlans inside that extended vlan, in some way if possible?
View 3 Replies View RelatedIs there any way to check if this VLAN is used by somedevice?
Cisco3560#sh ip int b
Vlan55 unassigned YES NVRAM administratively down down
Cisco3560#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
55 Print active Fa0/5, Fa0/6, Fa0/7, Fa0/8
I have 4 vlan and all has conectivity/access with all (VLAN10,VLAN20,VLAN30 and VLAN40, I use a 3560 Switch for this propose, I need to modificate one vlan (VLAN40) that has access to the rest of the VLAN's BUT the rest of the VLAN's dont have access to VLAN40. I know that it is a problem of access-list BUT I can't undertand how to obtain the result that I like
View 1 Replies View RelatedI have 2 locations, at a distance of 600KM.These two locations are well connected by Point to Point L2 VLAN with a speed of 2 MBPS and supported by CISCO 3560G switches.Location A has a VLAN to communicate to the other VLAN at Location B. Location B has also got 3 VLANS which are inter connected with Location A.Now the hardware in one of VLANs in Location B has moved to Location A for obvious reasons.
For further refernce am giving the VLAN IP address here....
Location A
VLAN1 for communicatng to Location B
IP Range 172.20.44.210
Subnet Mask 255.255.255.0
Default Gateway 172.20.44.210
VLAN2 for the desktops in Location A
IP Range 192.193.194.1-255
Subnet Mask 255.255.255.0
Default Gateway 192.193.194.1
[code]....
I have an environment of 3 X 3560G of which I have 1st switch-CORE(f0/10) connecting to the VPN router(CE) interface-f0/0. Remaining 2 Cisco 3560's(Access) are connected to Gi0/1 and Gi0/2 on the 1st switch-CORE via gi0/1 . On all three switches I have created multiple VLANs and assigned ports to these VLAN. The switch to switch connection is trunk allowing all VLANs created on all these 3 switches. Now the issue is how I am going to have all these VLANs routed through single interface on the routeri-e f0/0, as all these subnets will communicating to remote site over VPN. What should be default gateway on the 2 Access switches and the CORE switch, also what static route should be on router to reach all subnets(VLANs) created on these 3 switches.
I have read inter-VLAN routing i-e creating sub interfaces on router but dont want to proceed with that and looking for any other way to have my VLANs talk on all three switches and then are accessible to remote site ove VPN?
We recently purchased Cisco 3560X Layer3 Switch. We need to perform simple Inter VLAN routing. We have configured VLAN1 (name-server_vlan) and VLAN2 (name- user_vlan). We have also assigned the Ports and IP address to both the VLANs. After assiging this if we plug Laptop A into VLAN1 then it doesnt communicates with Laptop B (btw, Laptop A is able to Ping VLAN2 Gateway ) in VLAN2 but on the other hand Laptop B is able to communicate with Laptop A and ping everything i.e. Gateway of VLAN1.
View 17 Replies View RelatedI am using cisco packet tracer to configure the hsrp on 3560 (c3560-advipservicesk9-mz.122-37.SE1.bin) but the standby ip Command is not available on the interface the problem in that IOS or in config
View 1 Replies View RelatedI have a 3560 switch with 1 VLAN (VLAN 10) where I need to make ports:
1-10 as isolated (can't contact each other)
11-20 as community (need to contact each other like a normal VLAN)
23 as promiscuous (server that ports 1-20 need to get to)
24 as promiscuous (WAN router where ports 1-20 need to get to and the remote servers).
[Code]...
Topology: 3560 <-access-mode-link-> ASA5510 - Internet,3560 has 3 VLANs and 3 corresponding SVIs (default-gateways for VLANs),Just configured RAS VPN on ASA5510 and successfully made connection,Now, from RAS VPN (IPSEC) client workstation CLI, can ping all 3560 SVIs,CANNOT PING host devices plugged into switchports.
View 1 Replies View RelatedIn my lab setup i configured Cisco 3560 switch.
-VLAN 20 and VLAN 30 i configured.
-VLAN 20 interface IP : 192.168.20.1/24
-VLAN 30 interface IP : 192.168.30.1/24.
Inter-vlan communication is happening fine. For testing for purpose i configured extended ACLs.i want stop communication from VLAN 30 to VLAN 20 but not vice-versa. If i ping from one of the IP VLAN 20 to one of the ip of VLAN 30, i was gettng Requested time out. And if i ping from one of the IP VLAN 20 to VLAN 30 interface IP, i was able get pinging.From VLAN 30 to VLAN 20, i was getting destination host unreachable from VLAN 30 ip( Its fine as its my requirement)So, solution needed to communicate from VLAN 20 to VLAN 30.
I have a 3560 switch with the following ports config [code] I would like to use theses ports on a different vlan to connect 4 pc's to them. Can I just remove them from the vlan, remove the trunk switchport and set up on the vlan i want them on with no trunking?
View 5 Replies View RelatedProbably an easy fix but something's weird in my config. I am setting up a new network, so this is not production, Routed environment, down to the access layer using 3560-x l3 switches.
vlan 10: data
vlan 20: wifi
vlan 30: wifi guests
vlan 40: voip
My objective is to allow all traffic OUTBOUND to certain subnets (10.10.0.0/24, 10.10.100.0/24, 10.10.110.0/24 10.10.120.0/24) and block any other 10.0.0.0/8 networks. By doing it this way, after blocking all other internal traffic, I allow everything else to ensure internet traffic can go out.
Extended IP access list VLAN10_TRAFFIC_FLOW 10 permit ip any 10.10.0.0 0.0.0.255 20 permit ip any 10.10.100.0 0.0.0.255 30 permit ip any 10.10.110.0 0.0.0.255 40 permit ip any 10.10.120.0 0.0.0.255 50 deny ip any 10.0.0.0 0.255.255.255 (5 matches) 60 deny ip any 172.16.0.0 0.0.255.255 70 permit ip any any!interface Vlan10description DATAip address 10.104.10.1 255.255.255.0ip access-group VLAN10_TRAFFIC_FLOW outendThe problem is, from the above info, when I ping 10.10.0.5 from a workstation in VLAN 10, it should match rule 10, but instead if matches rule 50 (as shown by the 5 matches)
When did this wonderful feature get introduced? Is it going to moved down to the 3560s/2960s type switches?
View 0 Replies View RelatedI faced the ( receive discard vlan 20 of Cisco switch 3560 ) on my Solarwinds Server .
View 1 Replies View RelatedWas building a small network in Cisco Packet Tracer and ran in to an issue. I have 4 routers running OSPF, and off one of the routers I have 5 3560 Multilayer switches. The router that the switches hang off of, I have a sub-interface with dot1q encapsulation, set for vlan 10 and an IP Address. 10.14.16.1/24. The switches have interface vlan 10 configures, and have IPs in the same subnet. From that router, I can ping/telnet to all the switches without issue. My problem arises when I try and reach those switches from any other router. OSPF is set to redistribute static and connected subnets.The routing table is populated correctly on all the routers. When I ping and trace the packet, it looks like it makes it all the way to the respective switch, but the packet never makes it back. I've played with the default route on the switches to no avail. Am I trying to implement this incorrectly, or am I just missing something?
View 4 Replies View RelatedI am trying to configure 802.1x wired on a 3560 switch and don't see the required commands under the interface. I am running c3560-ipbasek9-mz.122-55.SE6.bin. I was thinking it might not be available on the ipbase image, but I do have the commands on a 3750g running the ipbase image, so I'm not sure about that.
View 4 Replies View RelatedWe have over 30 Cisco 3560 switches and over 10 VLANs on our network. In our example, VLAN 10 on switch IP 10.0.20.150 works fine and VLAN 10 on switch IP 10.0.20.24 doesn’t work. The below are both switches show vlan. url....I can’t tell what causes the problem and how to fix it. VLAN 10 on Switch 10.0.20 24 doesn’t work. [code]
View 8 Replies View RelatedI have enabled IP DHCP snooping on a 24 port 3560 switch (v small office) and let the database fill up, now I have added dynamic arp inspection on the single vlan and I amd getting these errors.
Apr 23 16:15:34: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 1.([5835.d9b0.b9d1/172.30.5.2/0000.0000.0000/172.30.5.3/16:15:33 BST Tue Apr 23 2013])
Apr 23 16:15:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/8, vlan 1.([0004.f2be.55e4/172.30.5.5/0000.0000.0000/172.30.5.8/16:15:39 BST Tue Apr 23 2013])
Apr 23 16:15:40: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/8, vlan 1.([0004.f2be.55e4/172.30.5.5/0000.0000.0000/172.30.5.8/16:15:40 BST Tue Apr 23 2013])
[Code] .....
I'm configuring two etherchannel groups (2 ports in each) on a 3560 switch. I need to trunk multiple vlans over each channel group.
I created the vlan trunks and allowed vlans on each physical interface. I notice that I can also configure the vlan trunks on the port-channel interfaces that were created. Should I configure them under those interfaces, or leave them on the physical interfaces? Relevant config is below:
interface Port-channel1
!
interface Port-channel2
[Code].....
We have two Cisco switches with one 3560 and one 3750 we have created a new Vlan 4 with IP 10.1.3.x 255.255.255.0 - no shut then assigne to gi 2/0/46 on the 3560 Vlan 4 ip address 10.1.3.x 255.255.255.0 no shut then assign to FA0/45. All interfaces are up up along with the Vlan up up, we can ping the local IP address bu not able to pint the other switch.
View 2 Replies View RelatedI have a HP Procurve 5406 connected to a Cisco 3560 on a temporary cat5e connection and I have Mitel IP phones needing to go on the Cisco switch.Ive configured the HP Procurve port to TAGGING both VLAN 10 (data) and VLAN 20 (Voice). NO is selected for default VLAN 1.The Cisco is configured on the port with switchport encap dot1q and switchport mode trunk.
Ive configured an IP for interface VLAN 10 and i cannot ping it from across the network. The interfaces are up and happy. I have tried changing the VTP status from transparent to server (VTP pruning is off) ive tried setting allowed vlans 10,20. Still not a think. The worse thing is that i have a working Cisco switch with the HP procurve that i checked the config on and its the same! The only difference is that the media type is SX over SFP in that case.
p.s not that im at this stage yet but i initially configure the FastE ports as trunks with native vlans because i was using non-cisco phones. On a spare port i convigured the voice vlan 20 and i say on the mitel phone that it was looking on vlan20! I didnt expect that, i thought the Voice VLAN ID was carried on CDP enabled devices only.
For many years we've had the following vlan and port security config on our 3560s: [code] This has worked great on 12.2(37)SE1, 12.2(40)SE and 12.2(46)SE. However since 12.2(50)SE, and I've tried all the versions since then, we have a problem with 7900 phones and ATA186s taking upwards of 20 minutes before they can get a valid IP number.The problem on the newer IOSes seems to be related to the inactivity aging.On the older IOS versions the mac address of the voice device appears on the voice vlan straight away.
On the newer IOS versions the mac address of the voice device appears on the DATA vlan and seems to be stuck there until the inactivity aging removes it. It then gets re-learned, sometimes on the voice vlan, and sometimes on the data vlan. If you're unlucky and it gets re-learned on the data vlan you've got to wait until the inactivity time ages the address out again. Repeat until the mac address eventually gets learned on the voice vlan. I don't want to be stuck on 12.2(46)SE forever.
I am setting up a link between buildings that uses wireless links. I'm using Layer 3 routed ports on 2 3560 switches to handle the routing between sites. Normally I would just put these in a /30 and then the switches handle the rest. However, the wireless access points have a web interface for managing them that I want to be able to access, but it's only available on the single NIC that also carries traffic. What would be the best way of making this work? Should I make the link a /29 and give the access points an IP in the same range? If this is the case what do I use for the default gateway for the access points?
I have included a diagram to try to explain the issue clearer. The IP addresses in black are what I would do if this were a standard cable (and indeed this will work, but I wont be able to access the admin interface of the wireless AP) and the red ip addresses are the alternative if I use a /29 (but as I said, I'm not sure what to use for the default gateways).
I need to implement the shaping VLAN only on the trunk link between the 6500 and 3560. [code]
View 8 Replies View RelatedAny way to test in a lab what would happen if a tech mistakingly added "switchport voice vlan XX" to a trunk port? I am try to do some RCA on an issue and this has been identified as a possible cause by one of my techs.
The config is Switch1------Switch2--------Switch3 Each interswitch connection is configured as a dot1q trunk with all vlans allowed. The link between switch2 and 3 is where switchport voice vlan 10 was added. Switch1 is a 3750 and 2/3 are 3560's.
I'm new to networking and was looking for some assistance. First off im using packet tracer to diagram my senario as I will be receiving my equipment next week to deploy.
Hardware to be used:
1. 2 catalyst 3560 switches
2. all connect to a sonic wall router
I have two companies that work in the same office space. I need to keep these companies seperate on their own vlan. They will however need to share the phone system.(Packet tracer file uploaded to give those who have the time to see what I put together.) [code]
i'm using some catalysts 3560 with 10 VLANs and inter vlan routing. we use a windows deployment services server to install our workstations. the pxe boot works fine. the image is loading, and when the windows 7 PE is booting, the dhcp request failes. when i use a small not manageable switch between the computers and the catalysts, it works fine.all other things work fine.
View 9 Replies View RelatedProblem is that at some C65K I have directly connected Unix servers and the don't show MAC address at port, and same has happened at 3560 switched where I have too Unix based equipments connected. When use show mac-address interface XXXX, nothis appears at port and tested them with other equipments that worked fine.
View 2 Replies View RelatedWe have a server connected to a 3560 switch which in turn connects to 6500s. The gateway interface is on the 6500. We will be changing the 6500s so the mac address for the gateway will change, however the IP address will remain the same. As we change out the 6500s the uplink connections to the 3560 will go down. This will flush the old mac address from the 3560.When the 3560 removes a MAC address does it update servers so they have to relearn the correct MAC address?
View 4 Replies View Related