Cisco Switching/Routing :: 3650 PBR Is Not Working
Mar 14, 2013
I have created a PBR in a 3650 switch to route traffic from a specific IP address to a specific next hop or IP address (Router).
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
SW1 uptime is 6 weeks, 2 days, 16 minutes
System returned to ROM by power-on
[Code]....
Mar 11, 2012
We have a 3750 and a 3560 defined as layer 2 switches. One gig port on each switch is trunked to layer 3 switches, which contain all the VLAN definitions etc. The other gig ports on the 3650 and 3750 switches are trunked together to provide an alternative path in the event of a failure.
We have added a new device to the 3750 and given it VLAN 9, and the VLAN has been added to the allowable VLANs on both trunk ports between the layer 3 and layer 2 devices, i.e.:
switchport trunk allowed vlan 9,10,20,30,40,50,60,90,200,202,206,211,212,700
From either the 3750 or the 3560 we can ping any device on any VLAN on any switch in this group with the exception of VLAN 9. We can however ping the IP address of VLAN 9 on the layer 3 switches.
Sep 16, 2012
I have a small network using a 24 port 3750 switch. I need to add five computers in another room and only have one Cat 6 cable running there and no room left on the 3750. I got a 3650 to put in the new room with the new computers. The problem is, whenever I plug the new switch into the 3750, it shuts down the port and gives me an err-disable. I can do a shut/no shut and re-enable the port. I searched the web and read about trunking and clusters. I'm not sure which, if either, is appropriate. I see various documentation that shows you can put one switch behind the other. But nothing tells me the configuration which will allow it.
Aug 3, 2011
Configuring a network with Rapid Spanning Tree Protocol. There's a combination of Cisco 3650s, 2950 and 2960 switches. It is a flat Layer 2 network with a single VLAN. CLI configuration?
Nov 22, 2011
Does 3650-X IP Base support Static Load Balancing or should I upgrade to ip service SW?
Dec 22, 2012
I have set up a scenario for a small business and have some questions about how to manage the access between the VLANs. Is there a better / another way to do it? See the attached picture for the topology / info.
My question is:
My switches are set up with x number of VLANs and a routed port (no switch port) to the ASA for internet connectivity. What is the best (or only??) way to manage the access between the VLANs? Is it ACLs on the switch?
And by "managing access" I mean VLAN 50 (public WiFi) only has access to the internet, only management servers have access to the management VLAN, the client VLAN only has RDP access to the server VLAN and so on. Is there any way to do this in the ASA (or by adding another (gigabit) router to the topology), or is the only way to have lots of ACLs on the switch itself? I have thought about "router on a stick", but then I imagine there will be a bottleneck between the switch and the ASA?
(Equipment is 2 x 3650G, ASA5505, AP1252 - see attached file).
May 18, 2013
I have a question about the speed negotiation process between interfaces. I have a 3650X switch and a 2960S-48port. All ports on both are GigabitEthernet, however the link between them is only 100Mb/s, full duplex. When I try to set the speed to 1000 Mb/s manually on the interface, the interface never comes up. Its status is down/down. I must set it back to speed auto. I ran show interface Gigabit0/24 on the 3650-X switch and found that there are many output drops (over 600000). I cleared the counters, then after two days the output drops were over 70000. This link is a trunk link between the two switches; all ports of the access switch are Gigabit and connect to PCs. At first, I thought the 3650X was throttled somewhere in the output direction of the trunk link. But there is another trunk link (Gi0/23) to another 2960S-48port and there are no output drops on this interface. This Gi0/23 speed is 1000 Mb/s (auto speed, auto duplex).
Can anything external impact the speed negotiation process between 2 interfaces? And may the output drops be caused by the abnormal speed between two Gigabit interfaces?
May 22, 2013
|_voip PBX___|-----|__3650___|------fiber-------------|__3650_____|------|_voipphone__|
I have a case where the voipphone is registered on the voippbx but people on both ends can't hear each other. No ACL on either 3650, no firewalls between them, distance is about 2 miles. I tried to telnet x.x.x.x 1720 or 1719 or 1721 (h323 ports) to the opposite switch - connection refused. How can I test if ports are open on the 3650? Is it correct if I create an allowing ACL and apply it on both 3650s, on the first switch on the interface connected to the voippbx "IN", and on the second switch on the interface connected to the voipphone "IN"?
Sep 16, 2010
I configured multidomain on a Cisco 3650 port (12.2(53)SE1), and connected a 7941 Phone and laptop behind it. The phone gets successfully authenticated but the PC does not get fully connected. The PC adapter's icon shows an "authentication error" message. The same PC, connected to another port (same commands except "authentication host-mode multi-domain") works perfectly, including the new VLAN and ACL assigned from ACS.
This is the configuration on the switch port where the PC chained to the phone fails:
interface FastEthernet0/6
switchport access vlan 701
switchport mode access
switchport voice vlan 123
authentication event fail action next-method
authentication event server dead action authorize vlan 704
authentication event no-response action authorize vlan 701
authentication host-mode multi-domain
authentication open
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
This is the configuration on the switch port where the PC without a phone works OK (exactly the same config, except for multidomain):
interface FastEthernet0/7
switchport access vlan 701
switchport mode access
switchport voice vlan 123
authentication event fail action next-method
authentication event server dead action authorize vlan 704
authentication event no-response action authorize vlan 701
authentication open
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
When the PC fails to get connected, I see the following messages on the switch:
Sep 17 18:36:18: %DOT1X-5-SUCCESS: Authentication successful for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-7-RESULT: Authentication
[Code].....
Sep 20, 2012
I have a question regarding fabric storage and the Cisco Catalyst 3650 switch. My plan is to connect an ESXi server to a Nexus switch and then to a SAN storage. I want to add a new switch to have a redundant link between the ESXi server and the storage. Can I use a Cisco Catalyst 3650 with a fiber connection to connect the ESXi server's HBA card to the 3650 switch and the SAN storage to the 3650 switch?
Apr 9, 2006
How does the 3550 with enhanced image compare to the 3650 with enhanced image in terms of routing functionality?
May 21, 2013
I have a Cisco SG 300-20 as the core switch, layer 3. It is 192.168.4.6 on VLAN1 and 192.168.5.1 for VLAN2 (VOIP). All the ports are set in trunk mode. DHCP relay is setup on this switch.
The phones connected into a layer 2, Catalyst 2960-S switch. All ports are set in trunk mode. Default gateway on it is set to 192.168.5.1.
DHCP for both VLANs is provided by a Windows Server 2008 R2 server (the relay IP 192.168.4.15).
There is also an ASA 5510 in the mix which is 192.168.4.1. It has a route added to it for the 192.168.5.0 network to go to the SG 300 (192.168.5.1).
Just the two switches can ping each other on the 192.168.5.x network when I "add vlan 2" to the trunk port that is connected between the SG 300 and the 2960. The phones don't get DHCP on the 2960 switch. And I cannot ping 192.168.5.x from the ASA or anything else on the 192.168.4.x network.
After a bit of reading on intra-vlan routing for the SG 300 switch, I am thinking the SG 300 has to be the "center" of things so I need to make it 192.168.4.1 to be the gateway for both VLANs and change the ASA to 192.168.4.2 for VLAN1, etc. And I really can't do asymmetric routing with this switch.
Nov 23, 2011
I am using a cisco 3750 in my network as a gateway, and above it I use a squid machine for caching my internet. My network is like this:
Basically I have two VLANs on my network, which are VLAN10 and VLAN100. VLAN10 is the corporate network of my office. VLAN100 is the management VLAN which I use for the switches. I keep the squid as well as the client in VLAN10.
squid (192.168.1.50)---->cisco 3750(192.168.1.123)---->Distribution Switch(cisco 2960)---->client PC (192.168.1.5)
I have done NATing on squid and the internet is working pretty fine when I use the squid as the client gateway, but when I use the Cisco 3750 as my gateway, after adding route maps for forwarding the internet traffic coming to the Cisco 3750 to squid, it disconnects me from the internet and I cannot even reach the switches from the corporate network. These are the only lines I used for the routing:
!
route-map proxy-redirect permit 10
match ip address 110
[Code]......
Apr 15, 2012
We are about to move our IT rack to a data centre and will be adding a new Layer 3 (Catalyst 3560) switch beyond our ASA 5510 which will be providing our existing WAN plus another SVI which will be carrying our HSRP range.
I have never configured a switch to use two SVI's before and can't seem to find the relevant docs online.
Jan 3, 2012
My network is like this:
Cisco 3750 (Core Switch)-----> Cisco 2960 (Distribution Switch)-----> Client (PC, Laps, Printers…etc)
Basically I have 3 VLAN’s. Office VLAN (for cooperative usage) which is VLAN 999 which has a defined IP address of 192.168.1.123 and Guest VLAN (for the guests who visits our hotel, most of it are wifi AP’s) VLAN 20 which has an IP address of 10.172.4.1. All these SVI are defined on the core switch.
Is there any way I can introduce a new VLAN, let's say VLAN 40, and use PBR to route the packets going to VLAN 40 in the IP range 192.168.1.x to VLAN 999 and 10.172.4.1 to VLAN 20? I have tried this already and it is not working. Here are the configurations I have used.
Access-list 110 permit ip 10.172.4.0 0.0.0.255 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
route-map INT_RVLAN permit 10
match ip address 120 110
set ip next-hop 192.168.1.123 10.172.4.1
interface VLAN 40
ip policy route-map INT_RVLAN
Where have I gone wrong?
Jul 9, 2012
Seeing very strange behaviour my 2811 Router is sitting behind 3650 switch, when the link between switch and router is trunk the router start rebooting itself, to test i changed to access mode then I can see ip address of router on cdp neig de or else not seeing ip address of router.
Feb 28, 2012
I am doing 802.1X for a user on Cisco 3650 and wanted the Radius Server to return an attribute to set the Duplex setting of the port. with the correct Radius Return Attribute.
May 2, 2012
I want to police the traffic coming from host 10.0.0.10 that is connected to another switch via a port-channel interface. The port-channel has interfaces G2/0/49 and G2/0/50. I have applied the config below to SVI 112 but this is not working, as the host is still able to go beyond the policed rate. Also, in the "sh policy-map interface vlan 112" command everything is showing 0 (zero).
class-map match-all CM_FTP_PORT_49
match input-interface GigabitEthernet2/0/49
class-map match-all CM_FTP_PORT_50
[Code]......
Mar 10, 2013
We bought a 3560 PoE switch to replace tons of PoE-injectors but when connecting the devices our logs were flooded with
Mar 11 15:09:20.725: %ILPOWER-7-DETECT: Interface Fa0/7: Power Device detected: IEEE PD
Mar 11 15:09:20.725: %ILPOWER-5-INVALID_IEEE_CLASS: Interface Fa0/7: has detected invalid IEEE class: 7 device. Power denied
Mar 11 15:09:20.968: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to down
Mar 11 15:09:20.985: %ILPOWER-7-DETECT: Interface Fa0/7: Power Device detected: IEEE PD
Mar 11 15:09:20.985: %ILPOWER-5-INVALID_IEEE_CLASS: Interface Fa0/7: has detected invalid IEEE class: 7 device. Power denied
While the message seems quite clear, I'm wondering if there's any workaround for the problem?
Jul 16, 2012
We are setup like a hotel style workers camp. We have wings full of rooms and residents with 3750 stacks in them. Those switches connect back to our core 6500's. The network is mostly all Layer 3, interfaces are routed with IPs.
When it was built before my time they included an ACL for each wing so that residents couldn't access internal devices (IE SSH to 6500) but I've come to notice it's not working.
I see hits on the ACL for accepts but nothing is hitting the deny rule at the top. Here is the configuration below:
mls qos aggregate-policer INTERNET1 24000000 80000 80000 conform-action transmit exceed-action drop
mls qos aggregate-policer INTERNET2 24000000 80000 80000 conform-action transmit exceed-action drop
mls qos aggregate-policer INTERNET 24000000 80000 80000 conform-action transmit exceed-action drop
[Code] ....
Jun 7, 2013
My network card does not work. I am sending you the output.
Jun 4, 2012
I have a 2960 switch and I have made an SSH connection. But the problem is that whenever I try to open it with my Tera Term or PuTTY it asks for a username and after that a password but does take the password. It shows a password error. What should be the problem?
Commands that i entered to make SSH
config# username admin password pankaj
config# ip domain-name home.local
config# crypto key generate rsa
config# 1024
config# ip ssh version 2
May 1, 2013
I have a 3945 router with two interfaces connected to my firewall, one to the management interface and another to my dmz. I'm running eigrp between all my network devices. The problem I'm running into is when I try to ssh to the management interface of the 3945 the traffic hits the firewall, then goes right to the management interface as it should, but the return traffic is trying to use the dmz interface since that is how the router knows to get back to my computer's network. I created 2 route-maps to try and address this issue. [code] I've applied the MANAGE_IN route-map to all interfaces that might have inbound traffic destined for the management network and applied the MANAGE_OUT route-map to the management interface. The MANAGE_IN policy appears to be functioning correctly, the MANAGE_OUT doesn't appear to be functioning correctly. When I look at traffic from my host going to the management interface I see it still trying to return through the dmz interface.
Oct 8, 2012
I have a 3750G switch (WS-C3750G-24TS-S) running software version (c3750-ipservicesk9-mz.122-55.SE6.bin) and am using PBR with IP SLA. When I apply it on an interface, it says not supported....
route-map TO-CAS-E0 permit 10
match ip address 125
set ip next-hop verify-availability 10.116.199.200 10 track 100 (if i change this command to set ip next-hop 10.116.199.200, it works)
!
WAN-L3-3750SW01(config-route-map)#interface GigabitEthernet1/0/11
[code].....
Jul 22, 2012
6509 - Not working
1 6 Firewall Module
2 8 Intrusion Detection System
3 1 Application Control Engine Module
[Code].....
The Policy applied to the interface is just completely ignoring the configuration.
I am sure it is related to the 6500 architecture in some way. Same config is fine on the switch with the higher version on the sup card.
Apr 28, 2013
I'm using a 3640 router running the c3640-js-mz.124-25d.bin IOS. I'm using the NM-1A-OC3SML= (ATM OC3, long reach single mode) interface card. Now my PC is connected to a Fast Ethernet interface of the router. I need to know the ATM configuration on this Cisco 3640 router in order to get the ATM over Ethernet traffic working. As of now I've configured it as below but it's not working, it seems.
interface ATM2/0
bandwidth 120000
ip address 10.2.2.1 255.255.255.0
no atm ilmi-keepalive
pvc 0/36
protocol ip 10.2.2.10 broadcast
cbr 70000
encapsulation aal5mux ip
let me know the correct encapsulation type for the connectivity.
Feb 12, 2012
I have a Cisco 1941 router configured using Cisco Configuration Professional... SSH management works from the LAN IP 10.0.1.254 and 10.0.2.254 Also, SSH management works from the LAN using the external domain name which resolves to the public IP address.
The problem I have is if I try SSH from the internet to the public IP.. nothing happens.
cisco1941#show config
Using 18498 out of 262136 bytes
!
! Last configuration change at 13:57:49 PCTime Tue Feb 14 2012 by admin
[Code].....
Feb 28, 2012
I have three Cisco SG300-28 switches. I set up a test lab environment with a core (server) switch in Layer 3 mode and the rest are (clients) in Layer 2 mode. As I understand, these switches don't support VTP, only GVRP. And GVRP works the same as VTP. Whenever you create VLANs on the core or main switch, other switches will learn from the core switch and no VLAN creation for the client switches will be made. (Hope I got it right. I guess GVRP is more complicated than VTP). I want to use GVRP to create VLANs on the main switch so that I won't be doing it all over on the other switches. The following is my (so far) configuration through CLI only. I haven't used the web GUI. My SW version is 1.1.2.0.
1. I already enabled the GVRP globally.
2. I configured GE 12 & GE 24 as TRUNK ports for the core switch that connects both switches, I also configured GE 12 ports for both the client switches. All other ports are in ACCESS mode. (I am connected to GE 2 port)
3. I enabled GVRP on the TRUNK ports only for all switches.
4. I allowed all vlans on the TRUNK ports. (#switchport trunk allowed vlan add all)
5. All TRUNK ports registration mode is NORMAL and dynamic vlan creation is enabled on all trunk and access ports.
6. I created 3 VLANs without configuring its IP Addresses:
-vlan 2 = MGT
-vlan 3 = IT
-vlan 4 = MKTG
I don't know if I missed something on the configuration or the connection.
1. Is it necessary to enable all switches to layer 3 mode? Or depends on the network setup? Does this affect the GVRP?
2. Does switching ports to TRUNK mode means they are already 802.1q ports by default? Because I can't configure TRUNK ports to 802.1q (#switchport encapsulation dot1q) config like other switches. [code]
Jan 5, 2013
I'm experiencing strange issue with my WS-C3750X-48T-S.
Model number: WS-C3750X-48T-S
System image file is "flash:/c3750e-universalk9-mz.122-55.SE3/c3750e-universalk9-mz.122-55.SE3.bin"
This switch is situated on a remote site and on the 6th of January it was rebooted.
I still do not know the cause, but it might be a power outage or something. We are still checking. After the reboot I've noticed that one port on this Cisco switch is in 'notconnect' state, while I'm pretty sure it should be 'connected'.
I've tried to shut down the port administratively and do the 'no shutdown' but this port remained in 'disable' state.
#sh run interface Gi1/0/5
Building configuration...
!
interface GigabitEthernet1/0/5
[Code].....
Nov 29, 2012
SSH has been enabled on our one and only 4507 switch for several months and working fine. A few weeks ago the switch had to be reloaded and when it was back online I couldn't SSH to it. When I connected via the console and typed "show ip ssh" it came back saying I needed to generate the keys. Did that and it started working again. The same switch had to be turned off and on the other day due to a power down in the server room and when it came back the same thing happened again!!
The version of IOS is: cat4000-i5k91s-mz.122.20.EW
Mar 3, 2013
My Cisco 871w still stops working once a week. Today I found it frozen, after the weekend, and I have executed a few commands from HyperTerminal. The commands were given by Cisco colleagues in a previous post:
show log
show ip int brief
show interfaces counters errors
show interface FastEthernet1
show interface FastEthernet1 stat
show interface FastEthernet1 summary
show interface FastEthernet1 switching
Mar 27, 2013
I have applied the script below and I can see the script successfully executed, but I can't see the file which should be stored on the flash. Below is the script:
event snmp oid 1.3.6.1.4.1.9.2.1.56 get-type next entry-op ge entry-val 60 exit-time 10 poll-interval 1
action 1.1 syslog msg "CPU Utilization is high"
action 1.2 cli command "en"
action 1.3 cli command "show proc cpu sorted | append flash:abc.txt"
action 1.4 cli command "show proc cpu history | append flash:cpu2info.txt"
action 1.5 cli command "show ip inter bri | append flash:cpu3info.txt"
action 1.5 syslog msg "cpu commands verification"
When I do show flash I can't see the files in the flash.