Cisco Switching/Routing :: 3560 Stop Communication From VLAN 30 To 20

Dec 27, 2011

In my lab setup I configured a Cisco 3560 switch.

-I configured VLAN 20 and VLAN 30.
-VLAN 20 interface IP : 192.168.20.1/24
-VLAN 30 interface IP : 192.168.30.1/24.

Inter-VLAN communication is happening fine. For testing purposes I configured extended ACLs. I want to stop communication from VLAN 30 to VLAN 20 but not vice versa. If I ping from one of the IPs of VLAN 20 to one of the IPs of VLAN 30, I was getting Requested time out. And if I ping from one of the IPs of VLAN 20 to the VLAN 30 interface IP, I was able to ping. From VLAN 30 to VLAN 20, I was getting destination host unreachable from the VLAN 30 IP (it's fine, as it's my requirement). So, a solution is needed to communicate from VLAN 20 to VLAN 30.


Cisco Switching/Routing :: DMZ Communication On ASA5510 To 3560?

May 11, 2012

I've recently segmented my network and part of the process was creating a DMZ VLAN. I'm running ESXi 5 and have created two new VMs to add to this DMZ to begin the process of moving everything public facing to the new VLAN. At this point the new hosts will not communicate with each other, their gateway, and of course not the public internet. To get the first out of the way, they are configured according to VMware's VLAN guide: I have created a new vSwitch port group on the host and assigned them to the VLAN id 11 for the DMZ VLAN, and have the switchport on the switch (3560) set up as trunk in dot1q mode with all VLANs tagged. The management VLAN is also NOT the default VLAN 1, so that is not causing any issues. My other server segment VLAN is working fine on the same ESXi host/s, so this does not seem to be the issue.

On the network side of things I have my ASA connecting to a 3560 with two interfaces, one for "inside", one for "dmz." Is this below correct? I feel like the static route should be route dmz with a gateway to 10.0.1.1..
 
_ASA_
 
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.1.1 255.255.255.0 
route inside 10.0.1.0 255.255.255.0 192.168.201.2 1                          <- (192.168.201.2 is my 3560)

[code]....


Cisco Switching/Routing :: 3560 - InterVLAN Communication Not Using Router

Aug 29, 2012

We are trying to figure out how to configure this properly and so far we are stuck. We have a VMware server with two different vmnics each on a different VLAN. We have each of these vmnics connected into their own switch port on a 3560G along with the appropriate VLAN membership for said ports. We have an additional port on this same switch in trunking mode connected to our firewall to a NIC that has an IP address in the respective VLAN networks. This port is also set for dot1q encapsulation. Each VLAN also has an IP set on the switch that is in the appropriate VLAN. We are having issues in this configuration getting the one VLAN to talk to another.
 
I know if we were in all Cisco mode then we would use ROAS to do this inter-vlan communication. How to make this happen short of changing hardware?


Cisco Switching/Routing :: 3560 - How To Stop Telnet Connections When Using Radius To Authenticate

Dec 18, 2011

I'm using a radius server to authenticate ssh when connecting to my company's switches (a 3560 + several 2960s). 
 
Everywhere I've looked claims that using the line 'transport input ssh' in my switch config should disable telnet access and allow ssh only.  But after changing 'transport input ssh telnet' to 'transport input ssh' I can still connect to all of the switches from telnet.  I can't block telnet with ACLs either because my company uses a telnet based terminal client to do most of their work. 
 
I don't have much experience with radius.  How do I stop telnet connections when using radius to authenticate?


Cisco Switching/Routing :: 3560 Possible To Create Vlan Inside Transport Vlan?

Jan 10, 2012

Between our hosting and a customer we have an extended VLAN, traveling on a fiber, between two Cisco 3560 switches. The thing is that we want to create one or more VLANs inside that extended VLAN, in some way if possible?


Cisco Switching/Routing :: 3560 - Possible To Delete VLAN?

Dec 5, 2011

Is there any way to check if this VLAN is used by some device?

Cisco3560#sh ip int b
Vlan55                unassigned      YES NVRAM  administratively down down

Cisco3560#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
55       Print                        active    Fa0/5, Fa0/6, Fa0/7, Fa0/8


Cisco Switching/Routing :: 3560 - How To Block A Vlan

Jul 22, 2012

I have 4 VLANs and all have connectivity/access with each other (VLAN10, VLAN20, VLAN30 and VLAN40). I use a 3560 switch for this purpose. I need to modify one VLAN (VLAN40) so that it has access to the rest of the VLANs BUT the rest of the VLANs don't have access to VLAN40. I know that it is a problem of access lists BUT I can't understand how to obtain the result that I'd like.


Cisco Switching/Routing :: Getting The Vlan Configuration / 3560?

Sep 15, 2012

I have 2 locations, at a distance of 600 km. These two locations are well connected by Point to Point L2 VLAN with a speed of 2 Mbps and supported by Cisco 3560G switches. Location A has a VLAN to communicate to the other VLAN at Location B. Location B has also got 3 VLANs which are interconnected with Location A. Now the hardware in one of the VLANs in Location B has moved to Location A for obvious reasons.

For further reference I am giving the VLAN IP addresses here....

Location A
VLAN1 for communicating to Location B
IP Range                172.20.44.210
Subnet Mask          255.255.255.0
Default Gateway     172.20.44.210
VLAN2 for the desktops in Location A
IP Range                192.193.194.1-255
Subnet Mask          255.255.255.0
Default Gateway     192.193.194.1

[code]....


Cisco Switching/Routing :: 3560 VLAN Routing Between Switch And Router

May 8, 2012

I have an environment of 3 X 3560G, of which I have the 1st switch-CORE (f0/10) connecting to the VPN router (CE) interface f0/0. The remaining 2 Cisco 3560s (Access) are connected to Gi0/1 and Gi0/2 on the 1st switch-CORE via gi0/1. On all three switches I have created multiple VLANs and assigned ports to these VLANs. The switch-to-switch connection is a trunk allowing all VLANs created on all these 3 switches. Now the issue is how I am going to have all these VLANs routed through a single interface on the router, i.e. f0/0, as all these subnets will be communicating to the remote site over VPN. What should be the default gateway on the 2 Access switches and the CORE switch, and also what static route should be on the router to reach all subnets (VLANs) created on these 3 switches?

I have read about inter-VLAN routing, i.e. creating sub-interfaces on the router, but don't want to proceed with that and am looking for any other way to have my VLANs talk on all three switches and then be accessible to the remote site over VPN?


Cisco Switching/Routing :: 3560 - Unable To Perform VLAN Routing

Apr 28, 2012

We recently purchased a Cisco 3560X Layer 3 switch. We need to perform simple inter-VLAN routing. We have configured VLAN1 (name- server_vlan) and VLAN2 (name- user_vlan). We have also assigned the ports and IP addresses to both the VLANs. After assigning this, if we plug Laptop A into VLAN1 then it doesn't communicate with Laptop B (btw, Laptop A is able to ping the VLAN2 gateway) in VLAN2, but on the other hand Laptop B is able to communicate with Laptop A and ping everything, i.e. the gateway of VLAN1.


Cisco Switching/Routing :: 3560 - Switch With 1 VLAN Configuration?

Mar 18, 2013

I have a 3560 switch with 1 VLAN (VLAN 10) where I need to make ports:

1-10 as isolated (can't contact each other)
11-20 as community (need to contact each other like a normal VLAN)
23 as promiscuous (server that ports 1-20 need to get to)
24 as promiscuous (WAN router where ports 1-20 need to get to and the remote servers).

[Code]...


Cisco Switching/Routing :: 3560 - SW VLAN Reachability ASA 5510

Jan 16, 2013

Topology: 3560 <-access-mode-link-> ASA5510 - Internet. 3560 has 3 VLANs and 3 corresponding SVIs (default-gateways for VLANs). Just configured RAS VPN on ASA5510 and successfully made connection. Now, from RAS VPN (IPSEC) client workstation CLI, can ping all 3560 SVIs, CANNOT PING host devices plugged into switchports.


Cisco Switching/Routing :: 3560 Changing Port From Vlan To Another

Apr 18, 2012

I have a 3560 switch with the following ports config [code] I would like to use these ports on a different VLAN to connect 4 PCs to them. Can I just remove them from the VLAN, remove the trunk switchport and set them up on the VLAN I want them on with no trunking?


Cisco Switching/Routing :: 3560 - Inter-VLAN Filtering

Apr 19, 2012

Probably an easy fix but something's weird in my config. I am setting up a new network, so this is not production, Routed environment, down to the access layer using 3560-x l3 switches.
 
vlan 10: data
vlan 20: wifi
vlan 30: wifi guests
vlan 40: voip
 
My objective is to allow all traffic OUTBOUND to certain subnets (10.10.0.0/24, 10.10.100.0/24, 10.10.110.0/24 10.10.120.0/24) and block any other 10.0.0.0/8 networks. By doing it this way, after blocking all other internal traffic, I allow everything else to ensure internet traffic can go out.

Extended IP access list VLAN10_TRAFFIC_FLOW
    10 permit ip any 10.10.0.0 0.0.0.255
    20 permit ip any 10.10.100.0 0.0.0.255
    30 permit ip any 10.10.110.0 0.0.0.255
    40 permit ip any 10.10.120.0 0.0.0.255
    50 deny ip any 10.0.0.0 0.255.255.255 (5 matches)
    60 deny ip any 172.16.0.0 0.0.255.255
    70 permit ip any any
!
interface Vlan10
 description DATA
 ip address 10.104.10.1 255.255.255.0
 ip access-group VLAN10_TRAFFIC_FLOW out
end

The problem is, from the above info, when I ping 10.10.0.5 from a workstation in VLAN 10, it should match rule 10, but instead it matches rule 50 (as shown by the 5 matches).


Cisco Switching/Routing :: 3560 / 2960 - VLAN Translation

Aug 6, 2012

When did this wonderful feature get introduced? Is it going to be moved down to the 3560s/2960s type switches?


Cisco Switching/Routing :: 3560 - Receive Discard VLan

May 21, 2013

I faced the (receive discard vlan 20 of Cisco switch 3560) on my SolarWinds server.


Cisco Switching/Routing :: 3560 - VLAN 10 On Switch 10.0.20 24 Doesn’t Work

Apr 17, 2012

We have over 30 Cisco 3560 switches and over 10 VLANs on our network. In our example, VLAN 10 on switch IP 10.0.20.150 works fine and VLAN 10 on switch IP 10.0.20.24 doesn’t work. Below is the show vlan output of both switches. url.... I can’t tell what causes the problem and how to fix it. VLAN 10 on Switch 10.0.20 24 doesn’t work. [code]


Cisco Switching/Routing :: Dynamic ARP 3560 Inspection On Single Vlan

Apr 22, 2013

I have enabled IP DHCP snooping on a 24 port 3560 switch (v small office) and let the database fill up, now I have added dynamic ARP inspection on the single VLAN and I am getting these errors.

Apr 23 16:15:34: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 1.([5835.d9b0.b9d1/172.30.5.2/0000.0000.0000/172.30.5.3/16:15:33 BST Tue Apr 23 2013])
Apr 23 16:15:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/8, vlan 1.([0004.f2be.55e4/172.30.5.5/0000.0000.0000/172.30.5.8/16:15:39 BST Tue Apr 23 2013])
Apr 23 16:15:40: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/8, vlan 1.([0004.f2be.55e4/172.30.5.5/0000.0000.0000/172.30.5.8/16:15:40 BST Tue Apr 23 2013])
[Code] .....


Cisco Switching/Routing :: Catalyst 3560 Vlan Trunks Over Etherchannel

Jun 20, 2012

I'm configuring two etherchannel groups (2 ports in each) on a 3560 switch.  I need to trunk multiple vlans over each channel group.
 
I created the vlan trunks and allowed vlans on each physical interface.  I notice that I can also configure the vlan trunks on the port-channel interfaces that were created. Should I configure them under those interfaces, or leave them on the physical interfaces?  Relevant config is below:
 
interface Port-channel1
!
interface Port-channel2

[Code].....


Cisco Switching/Routing :: 3560 - Vlan Trunking Between Switches Not Working

Jun 3, 2012

We have two Cisco switches, one 3560 and one 3750. We have created a new Vlan 4 with IP 10.1.3.x 255.255.255.0 - no shut then assigned to gi 2/0/46 on the 3560 Vlan 4 ip address 10.1.3.x 255.255.255.0 no shut then assigned to FA0/45. All interfaces are up up along with the Vlan up up, we can ping the local IP address but are not able to ping the other switch.


Cisco Switching/Routing :: HP ProCurve 5406 VLAN Trunking To 3560

Jan 12, 2010

I have an HP ProCurve 5406 connected to a Cisco 3560 on a temporary cat5e connection and I have Mitel IP phones needing to go on the Cisco switch. I've configured the HP ProCurve port to TAGGING both VLAN 10 (data) and VLAN 20 (Voice). NO is selected for default VLAN 1. The Cisco is configured on the port with switchport encap dot1q and switchport mode trunk.

I've configured an IP for interface VLAN 10 and I cannot ping it from across the network. The interfaces are up and happy. I have tried changing the VTP status from transparent to server (VTP pruning is off), I've tried setting allowed vlans 10,20. Still not a thing. The worst thing is that I have a working Cisco switch with the HP ProCurve that I checked the config on and it's the same! The only difference is that the media type is SX over SFP in that case.

P.S. Not that I'm at this stage yet, but I initially configured the FastE ports as trunks with native VLANs because I was using non-Cisco phones. On a spare port I configured the voice VLAN 20 and I saw on the Mitel phone that it was looking on vlan20! I didn't expect that, I thought the Voice VLAN ID was carried on CDP enabled devices only.


Cisco :: Inter-VLAN Communication Without Routing?

Feb 25, 2013

Say I have a managed switch that supports VLANs. I have two computers and one server connected to the switch (I'll call them PC-1, PC-2, and SRV-1). Without routing, I want both PC-1 and PC-2 to talk to SRV-1 and vice versa, however I don't want PC-1 or PC-2 to talk to each other. I achieve this by making each port a trunk port. I make PC-1 a member of VLAN 2, PC-2 a member of VLAN 3, and SRV-1 a member of VLAN 4. The port that SRV-1 is on I make a tagged member of PC-1 and PC-2 (VLAN 2 and 3 respectively) and make the ports the PCs are on a member of the SRV-1 VLAN (VLAN 4). Everything tests OK (that is, the clients can't talk to each other, however the clients can individually talk to the server).


Cisco Switching/Routing :: 3560 Port Security And Voice Vlan On Newer IOS

May 20, 2010

For many years we've had the following vlan and port security config on our 3560s: [code] This has worked great on 12.2(37)SE1, 12.2(40)SE and 12.2(46)SE. However since 12.2(50)SE, and I've tried all the versions since then, we have a problem with 7900 phones and ATA186s taking upwards of 20 minutes before they can get a valid IP number. The problem on the newer IOSes seems to be related to the inactivity aging. On the older IOS versions the mac address of the voice device appears on the voice vlan straight away.
 
On the newer IOS versions the mac address of the voice device appears on the DATA vlan and seems to be stuck there until the inactivity aging removes it. It then gets re-learned, sometimes on the voice vlan, and sometimes on the data vlan. If you're unlucky and it gets re-learned on the data vlan you've got to wait until the inactivity time ages the address out again. Repeat until the mac address eventually gets learned on the voice vlan. I don't want to be stuck on 12.2(46)SE forever.


Cisco Switching/Routing :: 3560 / Apply Acl Restrictions To The Vlan Interface Ip Address Itself

Nov 1, 2011

I've set up my 3560 to do routing.  Now, I'm looking for a way to apply acl restrictions to the vlan interface ip address itself. 


Cisco Switching/Routing :: Implement Shaping VLAN Only On Trunk Link Between 6500 / 3560

Jan 2, 2012

I need to implement the shaping VLAN only on the trunk link between the 6500 and 3560. [code]


Cisco Switching/Routing :: 3560 - What Happens When Voice Vlan Command Is Added To Trunk Port

Oct 11, 2010

Any way to test in a lab what would happen if a tech mistakenly added "switchport voice vlan XX" to a trunk port? I am trying to do some RCA on an issue and this has been identified as a possible cause by one of my techs.
 
The config is Switch1------Switch2--------Switch3 Each interswitch connection is configured as a dot1q trunk with all vlans allowed. The link between switch2 and 3 is where switchport voice vlan 10 was added. Switch1 is a 3750 and 2/3 are 3560's.


Cisco Switching/Routing :: 3560 Multiple Vlan Access To Port Connecting Phone System

Oct 25, 2012

I'm new to networking and was looking for some assistance. First off, I'm using Packet Tracer to diagram my scenario as I will be receiving my equipment next week to deploy.
 
Hardware to be used:
 
1. 2 catalyst 3560 switches
2. all connect to a sonic wall router
 
I have two companies that work in the same office space. I need to keep these companies separate on their own VLAN. They will however need to share the phone system. (Packet Tracer file uploaded to give those who have the time a chance to see what I put together.) [code]


Cisco WAN :: 3560 Network Upgrade And Int Vlan Routing

Dec 7, 2011

I want to give a brief overview of the current setup and what I had planned to do in the future. This is also where a few questions come into play. Currently we have 3 10.x.x.x subnets between three buildings with a WAN connection. This connection is invisible to us so it can be seen as just a LAN. The speed is 100mb. We have a 2811 router sitting at each building translating their traffic back to 10.3.1.1. We then have a router in the main building which ships the 10.3.x.x traffic to an ASA and then out the door to an ISP.

My plan was to upgrade this 100mb WAN connection to 10g fiber between our buildings as they are in extremely close range of each other. I would need an equipment upgrade as a 2811 won't support 10g traffic. Rather than replacing 3 routers in each of the buildings it seemed logical that I could get something like a Catalyst 4500 or 6500 and do int vlan routing, making it all one huge campus LAN, creating a VLAN for each building to segment the traffic between them. My understanding was that a cat 3500/4500/6500 did not need a router with sub-interfaces in a one-arm setup to bridge this traffic. This is where the problem comes in. I tested with a cat 3560 and was unable to get the VLANs to route correctly. Do I have to have a router to get int vlan routing to work? If so then I might as well get a router which can handle multiple 10g fiber for the core instead of a cat 4500/6500 since I'd need the router to do the int vlan routing anyway?


Cisco WAN :: VLAN Routing On Layer 3 Catalyst 3560

Jan 15, 2013

My first question is: I have an access layer switch which is a single VLAN and I am trunking that VLAN to a distribution layer switch. I can ping the gateway on the distribution layer switch for THAT VLAN, but cannot ping the gateway address for the second VLAN I have on the distribution layer switch. I know it is simple, but I have forgotten and just need a push.

Also I have a third VLAN set to route traffic not bound for those 2 VLANs out to a router. Is the statement "ip route 0.0.0.0 0.0.0.0 172.16.252.2" good enough, and do I actually need to create a VLAN for that traffic? And if so, is an access switchport the best option?


Cisco 3560 VLANs And Inter-VLAN Routing

Sep 29, 2011

I have no router in place that can do trunking (5505 basic license). I have 2 VLANs: 10 Data, 20 voice. I have given both VLANs IPs, let's say

-VLAN10 192.168.1.1
-VLAN20 192.168.2.1

Enabled IP routing and set the router as the gateway of last resort. Now because the L3 switch is doing the routing I have had to set the default gateway as the VLAN IPs. So PCs on VLAN10 get a gateway of 192.168.1.1 and phones on VLAN20 get a gateway of 192.168.2.1

Any real downside to having the 3560 doing the VLAN routing? Is this the "correct" way to do things in the event I don't have a trunkable router?


Cisco :: Inter VLAN Communication?

Jan 3, 2013

I have a customer who has VLANs and SVIs residing on a core 6509. The 6509 is connected to an ASA 5515, then out to the internet/SP edge device. IP routing is not turned on. There is a static route on the 6509 that routes all IPs to the inside interface of the ASA 5515 that the 6509 core is connected to. There is a set of VLANs that are a part of a 192.168.128.0/19 subnet and all those VLANs can "speak" to each other.


Cisco Firewall :: VLAN Communication On ASA5510?

Aug 10, 2012

I have a working environment but wondering if there is just a better way to accomplish what I am trying to do (without a layer 3 or 4 switch). Basically I have a few sub interfaces on my Cisco ASA5510.
 
Now what I do need is some of the VLANs to communicate with specific devices on the different VLANs. So for example I need computer 1 from VLAN 5 to communicate with 192.168.10.5 from VLAN 10 on ports 80 and 443.
 
What I am currently doing is setting the security level to 100 on each interface (including the DMZ).
 
Here is what I have:
 
interface Ethernet0/1.5
vlan 5
nameif Sub5

[Code].....


Cisco WAN :: Inter Vlan Communication On Nexus 3048

Jan 15, 2013

Recently configured one Nexus 3048 switch. Created two VLANs (Vlan 10 and Vlan 19). Vlan 10 is 10.1.X.X/24 and Vlan 19 is 192.168.X.X/24. Connected two PCs, one in Vl 10 and the second PC in 19. But the two VLANs are not able to communicate. Nexus 3048 does not support VTP mode server, running version 5.0. [code]







