Cisco Switching/Routing :: 3750 - Restrict VLan 103 With VACL Method
Feb 7, 2012
I´m facing to one issue with VACL. i have a network lan with 10.40.X.X/16 . in this network i have a Production v LAN 10 with 10.40.10.X/24 and i have created one vlan103 for Guest´ user as 10.40.103.X/24
My goals is to restrict the v LAN 103 to reach or access the v LAN 10, better to restrict Guest user access to the production v LAN. So i try to put this script with VACL method, but does n´t work.
Extended IP access list Restriction-Guest
10 permit ip 10.40.103.0 0.0.0.255 any
vlan access-map Guest 10
action drop match ip address Restriction-Guest
vlan filter Guest vlan-list 10
After that i still able to ping or access to the v LAN 10 form v LAN 103.
View 4 Replies
ADVERTISEMENT
Feb 20, 2012
i have a catalyst 3750, in this switch i have 3 vlan, i need to secure trafic between vlans but im confused ,should i use ACL or VACL to secure ?which is the best ?if i use ACL to secure and limit ports between vlan, which is the best practice to apply the acl ( on th inside or outside of interface)
View 2 Replies
View Related
Dec 8, 2011
I have used stack wise 3750 for a long time. Now,I have a new stack of 3750. Both of them are trunking together. If I have a VACL running in the old stack, do I need also implement in the new one.
View 1 Replies
View Related
Jan 9, 2012
Any method of forcing a non connected switch port LED to blink for a certain number of times regardless if there is anything connected.The purpose of this is we have remote 3750 switch stacks and quite often have to tell non technical staff to patch to a certain port. It would be much easier if we could say "Connect it to the empty port which just started blinking orange" as the port numbers are difficult for them to see in these locations.A similar feature is available in the ethtool package for linux which makes it really easy for identifying ports on servers. It would be great if a similar feature is available on Cisco switches.
View 2 Replies
View Related
Jan 10, 2013
I have two networks at two sites with a dot1q trunk between the two L3 switches at both sites (no routers involved)
SITE A - Cisco 3750 L3 - VLAN ID 50
10.10.50.0/24
SITE B - Cisco 3750 L3 - VLAN ID 50
10.20.50.0/24
I would like to extend the SITE A VLAN to SITE B so that I can move hosts from SITE A to SITE B without needing to change their IP address but the vlan ID is already in use. Obviously the easy solution is to change the VLAN ID for one or other of the sites but both sites contain hosts that run 24/7. Is there a way to join two VLANs with different IDs together.So for example I create a new VLAN 60 at SITE B and associate it with VLAN 50 at SITE A.
View 4 Replies
View Related
Nov 20, 2012
We have a low bandwith (15-20 Mbit/s) to the ASA from our Client vlan. If i connect the Client to the same vlan as the ASA is, the bandwith (90 Mbit/s) is good.
Here are the Layer 3 Design:
Client -> vlan 2 - Switch - vlan 7 -> vlan 1 - ASA 5505 -> ISP
The Layer 2 Design:
Client -> Gig2/0/13 - Switch - Gig4/0/43 -> Eth0/1 ASA5505 -> ISP
IP Address:
Client: 172.16.2.10Vlan2: 172.16.2.1Vlan7: 172.16.7.1ASA: 172.16.7.2
I assuming the switch has a problem with routing ?It is a stacked Switch with following members:
switch 1 provision ws-c3750g-12sswitch 2 provision ws-c3750g-24tsswitch 3 provision ws-c3750g-24tsswitch 4 provision ws-c3750x-48
And we have following error message in the log from the switch:
%PLATFORM_UCAST-4-PREFIX:
One or more specific prefixes could not be programmed into TCAM and are being covered by a less specific prefix, and the packets may be software forwarded I first get the idea that the switch is overloaded with router traffic. Thats why i assuming i have to check the sdm templates, but i'm not sure if this resolves the issue.
Here are the relevant config:
ASA Interface on the Switch:
interface GigabitEthernet4/0/43description ASA-inside LANswitchport access vlan 7switchport mode accessspanning-tree portfast
Client Interface on the Switch:
interface GigabitEthernet3/0/1switchport access vlan 2switchport mode accessswitchport port-securityswitchport port-security aging time 2switchport port-security violation restrictswitchport port-security aging type inactivitymacro description cisco-desktopspanning-tree portfastspanning-tree bpduguard enable
[code]...
View 2 Replies
View Related
Apr 2, 2013
I have switch Cisco 3560 and I would like to filter multicast traffic. Short explanation. This are multicast addresses from provider on VLAN 888 :
I expect that streams from acl Streamfrom888 will be dropped and the rest of streams will be forwarded. Unfortunately traffic from all streams passs through.how to configure VACL or where in my configuration is mistake?
View 5 Replies
View Related
Mar 4, 2013
We have a Nexus 7018 with NX OS 5.2(1), and we were trying to understand somehow the steps to do a VACL, we know that in IOS it would be:
interface GigabitEthernet9/33
description Puerto. Captura
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 19,20
[Code]...
View 2 Replies
View Related
Aug 1, 2012
Is there a way to configure a VACL capture on 3560-x, we need more than 2 SPAN sessions. Feature navigator indicates that this feature is supported but it seems like it's not implemented in the IOS yet.
View 1 Replies
View Related
Oct 24, 2012
I have a network with a Catalyst 3750 as the main switch and then some Catalyst 2960 switches that are plugged in to that. I have a server running windows server 2008 with a couple of virtual machines running in Hyper-V. I created 4 VLANS listed below and gave the 3750 the following IP Address.I would like the 3750 to only be configurable from VLAN 40 but currently every VLAN can connect to it, I noticed in the standard web page settings there was a setting for "Management VLAN" but it was set to 1 and would not let me change it, I kinda assumed that was for the management port in the back.-Now the tricky part, I was trying to set up routing between the VLANs and so far I have only been able to get a sort of "all or nothing" routing to work. I can turn IP routing on and add two or more VLANs to the routing and it works fine. But what I was hoping to do is create a couple of "junction vlans" that would only route to one or two other vlans. For instance, I wanted to create a VLAN 100 that routed to VLAN 20 and 30 but nothing else. I also want to route VLAN 1 just to VLAN 30, and so on. I am able to do each one of the cases but only one, it seems like the switch only supports one "routing table" am I missing something or is this just a limitation of the switch?
View 2 Replies
View Related
Oct 28, 2012
I have a network with several catalyst 2960 switches and one catalyst 3750. I have created two VLAN and set up the proper routing and everything is working fine there. I have a client/server application that used multicast in the initial start up for the client to determine available servers, the issue is one of my clients is on a different VLAN then the server. I am able to route the multicast using MVR as long as both the server and the client are plugged into the 3750 by creating a static route, making the server a source port and the client a receive port. Unfortunately I need the client and the server plugged in to different 2960s. My question is how do I establish multicast routing between the two and perferably do it dynamically (always route multicast traffic from one VLAN to another).
View 2 Replies
View Related
Dec 17, 2011
I have been looking into this for a while and I can't seem to figure out why my 2nd vlan is not able to connect properly to the net.
My switch has 12 ports where my devices connects directly, they are all on Vlan 1 and they all work perfectly. on Port 12 I have a dlink router that is connected to a cable modem. the dlink router has an Ip address of 192.168.0.20
I created a second vlan (vlan2) and enabled dhcp relay on it. then I assigned port 9 on the switch to (vlan2)my laptop which is connected to port 9 seems to get an ip address fine and able to ping only some devices on my network (vlan1) and is not able to go out to the internet. I think it has to do with the routes. [code]
View 4 Replies
View Related
Mar 24, 2013
In 3750 switch,I have configured intervlan routing.I have three vlans Vlan 10,vlan 20,Vlan 30 and I have assigned IP address for that Vlan.In vlan 10,I have connected one systen gigabitethernet 0/1 interface.From my system I am able to ping vlan 10 ip address but I can't able to ping other vlan ip address (vlan 20,vlan 30).Is it possible to up the protocol for all that time.
View 2 Replies
View Related
Jan 1, 2012
I have a Cisco 3750 with private VLANS configured.. VLAN 2 is the "primary", VLAN 3 is "isolated" and VLAN 4 is "community". This is all working correctly, however I now have the need to another VLAN called "production". I need the production VLAN to be able to reach all the private VLAN hosts (community and Isolated), and vice versa
View 2 Replies
View Related
Dec 8, 2011
I have a quick query which i need ratified before proceeding. I have the following scenario -
Two Cisco 3750v2 switches with stackwiseISP allocated block of /26 (64 addresses)8 customers each with a VLAN and SVIInternet facing VLAN and SVIDefault route to ISP router Lets say the ISP has given me the network range 10.10.10.0/26 (we'll assume this is routable on the internet for the purposes of this example) and a default gateway to the internet of 10.10.10.1 within this range. I have configured a public facing VLAN as follows -
VLAN 300
name PUBLIC
int VLAN 300
IP Address 10.10.10.2 255.255.255.252
I have then created a default route as follows -
ip route 0.0.0.0 0.0.0.0 10.10.10.1
With this configured, the switch can successfully route upstream to the internet with no problems. I have then moved onto the customers and depending on what service they have purchased, I have subnetted the 10.10.10.0/26 range into smaller subnets. See as follows -
Customer A - 10.10.10.4/30
Gateway IP - 10.10.10.5
Useable IPs - 10.10.10.6
Customer B - 10.10.10.8/29
Gateway IP - 10.10.10.9
Useable IPs - 10.10.10.10 - 10.10.10.14
This continues for each customer depending on how many IP's the have purchased. I have then assigned these IP ranges to a customer VLAN and SVI as follows -
Customer A
VLAN 10
name CUST-A-VLAN
int VLAN 10
ip address 10.10.10.5 255.255.255.252
[code].....
It is then up to the customer as to what equipment they use and how they NAT or firewall their internal networks.
View 5 Replies
View Related
Nov 15, 2011
Does one can use a Vacl to monitor network traffic on a nexus 3064 much like you can on the 6500s? If so, any performance tradeoffs or caveats to be aware of ?
View 2 Replies
View Related
Oct 10, 2012
Have a quick question regarding inter-vlan routing on a 3750. Overview of network is ISP --> ASA --> 3750 (acting as my core and default gw). I have 5 vlan interfaces on my 3750, all w/ 192.192.x.x subnets, a 6th w/ 192.168.100.x, and a 7th w/ 192.168.200.x. I have enabled "ip routing" on the switch and can successfully ping from subnet A to subnet B as long as both devices are using the correct DG for their vlan, which is the switch. I have a few ports that are trunked as well that go to ESX hosts which break out the vlans according to the subnet the vm should be attached to. The ASA is set to nat internal traffic for all the vlans.
Now my question: short of applying an ACL to each vlan interface to block traffic from other 192.192.x.x subnets is there a better way to accomplish this? I want my 192.168.10.x subnet to be able to reach all the subnets, but don't want 192.192.10.x to be able to talk to 192.192.20.x for example. I was thinking to create an acl like this:
access-list 120 permit ip 192.192.10.0 0.0.0.255 access-list 120 deny ip 192.192.0.0 0.0.255.255 192.192.10.0 0.0.0.255access-list 120 permit ip any 192.168.100.0 0.0.0.255 192.192.10.0 0.0.0.255
and then applying this to the interface for the appropriate vlan.
View 4 Replies
View Related
Jan 18, 2012
I have one VLAN on a 3750 where I do not see any MAC addresses even though it is in use. This is an unrouted VLAN between a WLC on a port- channel /LAG and an access port to an ASA for guest traffic. When I do a show MAC add I get nothing for VLAN 60 (guest DMZ) but all other VLANs seem to be OK. Spanning tree is not showing TC counters incrementing either.
I also was told when put a port on this VLAN the laptop did not get a DHCP address form the ASA, but the wireless guest clients are working fine. I can see the DHCP leases and ARP entries in the ASA and the ASA ARP in the WLC so some traffic is passing fine. I'm not onsite right now so troubleshooting is all remote which limits some options.
View 4 Replies
View Related
Jul 1, 2012
I have setup both Vlans on 3com and cisco. but it seems they cant talk to each other.ive setup both on trunking mode?
View 6 Replies
View Related
Feb 29, 2012
I have a 3750 switch which has the command 'spanning-tree vlan **'. I am struggling to remove this command, as this particular VLAN is one I want to distribute across our network.I have so far, set the switch to VTP Transparent mode and removed the VLAN from the database, this removes the command. If I then put the switch back to VTP client mode (or manually add the VLAN, while in in VTP transparent mode) then the command comes back. Submitting the command 'spanning-tree vlan **' command has no affect.
View 1 Replies
View Related
Nov 8, 2012
I have 3 VLANs here that need to be on the same network segment. They are going to be used by our Wi-Fi network (with Aironet APs), bound to 3 different SSIDs (as Aironet APs doesnt allow multiple SSID per VLAN), each one with a different authentication method and server.Is there a way to bridge those VLANs together with a Catalyst 3750 switch? I tryed configuring an IP address on one of the VLAN interfaces, then configuring a bridge with the vlan-bridge protocol (Catalyst 3750 doesnt have the "ieee" bridge protocol type) and put all 3 VLAN interfaces on the same bridge-group, but it didnt work (even with "bridge x route ip").I also tryed configuring IRB bridging, with the 3 VLAN interfaces on the same bridge-group and an IP address on the BVI interface (the way I used to do with old 2600 routers). Same result.(actually, I didint test to see if the interfaces are actually being "bridged", but I see neither of them can reach the router)
View 1 Replies
View Related
Apr 24, 2011
One of my VLANS on my 3750 gives a status of act/lshut. I've tried no shut commands on the interface to no avail. From my reading it seems like this means the VLAN is active but shut down locally.
View 8 Replies
View Related
Dec 12, 2012
Cannot set route map on interface vlan. which in non default vrf on Cisco 3750.IOS c3750-ipservicesk9-mz.122-55.SE.bin sdm prefer route in enable ip vrf users rd 200:0 route-target export 200:0 route-target import 200:0 interface Vlan201 description Users 1 ip vrf forwarding users ip address 10.31.76.1 255.255.252.0 ip helper-address 10.31.4.57 route-map fromuser permit 10 match ip address fromuser set ip next-hop 10.31.128.155 When I enter "ip policy route-map fromuser" to interface Vlan 201 I heve the message:
% Remove VRF configuration from interface Vlan201 first
View 5 Replies
View Related
Apr 14, 2013
I have installed a Catalyst 2960-S and a 3750-X-12S and I am trying to setup a VLAN 51 for some VoIP phones. I have added the VLAN as an interface on both switches, but the 3750 is not showing VLAN 51 as active when i do a show vlan. Also, it omitts showing Gi1/0/1 & Gi1/0/3 which are uplinks to 2960-S switches plugged in and working on VLAN1.
Catalyst3750SFP#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/4, Gi1/0/5
[Code].....
View 2 Replies
View Related
Jun 25, 2012
I have 3750 series with GIBICs ports I want to create 10 vlans with its sub-net and enable all vlans to access internet.
View 4 Replies
View Related
Feb 16, 2013
I config vlans 21-23 on 3750 A and B switches.I config B switch to be Root Bridge for all vlansspanning-tree vlan 1,21-23, priority 4096 sh span tree on B switch 3750B# sh spanning-tree.
View 18 Replies
View Related
Mar 24, 2012
I have a network with the following structure
internet ---- cisco2911 ----cisco3750 --- internal lan
I have two email servers on different vlan
192.168.0.1 ----- 1.1.1.2 (public ip)
10.1.1.65 ---- 1.1.1.3 (public ip)
Before these servers were directly connected to the internet with two nics (Nightmare, I know). The Public IP on internet facing NIC and private ip on LAN facing nic. I'm in the process of changing this.I'm able to access internet from my vlans and also able to send emails but cannot receive emails on these servers.
My router congif is as follows:
Building configuration...
Current configuration : 6234 bytes
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
[code]....
View 1 Replies
View Related
Nov 8, 2011
Currently we have a 6513 core (running IOS and doing limited routing) with VLAN Trunking to about a dozen 3560 edge switches, with various VLANs going to each of the edge switches. All works well. We are downsizing and replacing the 6513 core with a 3750G stack. We have the stack up and running in the lab, and want to slowly (as we move floors) migrate all of the edge switching to the 3750 stack.
The plan is to connect the 3750 stack to the 6513, then slowly migrate the edge switches to the stack (from the 6513). I would like to put in place 4 x 1GB trunk links between the 6513 and the 3750 stack before I start moving edge switches to ensure adequate bandwidth. Once all of the edge switches are on the new 3750 stack, I will start to decommission the 6513.
What is the best way to configure the links between the cores (old 6513 and new 3750 stack)? I can easily get the edge switches configured to the 3750, but am worried about the core links. I really want to avoid having to perform an all-at-once cutover of the cores. Another question is when do I try and migrate the VTP server role from the 6513 to the 3750 stack? I could simply make everything transparent, and ditch server-based VTP, as we rarely change or creat VLANs.
View 3 Replies
View Related
May 27, 2013
I'm having some trouble getting my head round the following but I think it's routing related?
I have a Cisco 3750 switch with the following configured:
interface Vlan1
ip address 192.168.0.223 255.255.254.0
no ip route-cache
[Code].....
The 3750 is connected to a firewall which handles the routing. From the 3750 I can only ping remote networks from the vlan1 interface not from vlan6,8 or 10 i.e ping 10.34.37.101 (remote network) source 192.168.0.223 (vlan1) works but ping 10.34.37.101 source 10.74.10.1 (vlan10) does not? I can ping 10.34.37.101 from computers on the various vlans but not from the 3750 it self.
I looked at setting a default gateway for the various vlan interfaces
View 3 Replies
View Related
Dec 20, 2012
My architecture is the same as show on the link with some difference.I use the router 1841 for inetrnet connexion instead of 7200VXR, this router 1841 is connected on the catalyst 3750 port G1/0/1.I use catalyst 2960 instead of catalyst 2950 or 2948.I use ASA 5510 for conexion on remote branche(I have 5 remote site), This ASA is connected on the catalyst 3750 port G1/0/37
Result of the test:
-I can ping devices in the same Vlans
-I can ping devices in different VLANs
-I can ping all device from the catalyst 3750
I cannot ping the router 1841 or ASA 5510 from the any devices (computer)The gateway of each computer is the correpondant VLAN IP address configured on the catalyst 3750.Why I cannot ping the router 1841 or ASA 5510 from the any devices (computer)
View 19 Replies
View Related
Sep 15, 2012
I recently upgraded my network to have two 3750x core, one interface on the Cisco is connecting to a Net gear switch via a fiber converter. I am keep getting the vlan flapping error message in my log as below.
003396: Sep 17 01:46:16.328: %SW_MATM-4-MACFLAP_NOTIF: Host 5c0e.8ba7.0a5c in vlan 2 is flapping between port Gi2/0/15 and port Gi2/0/13
003397: Sep 17 01:46:19.843: %SW_MATM-4-MACFLAP_NOTIF: Host 5c0e.8ba7.0a5c in vlan 2 is flapping between port Gi2/0/15 and port Gi2/0/13
003400: Sep 17 01:49:58.769: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/17, changed state to down
[Code] .....
After my research i think this is a looping issue but I'm unsure how to address it.
View 2 Replies
View Related
Jan 3, 2012
I would like to apply a policy-based route on one of our L3 switches (Cisco 3750) to change the next-hop of a couple of servers only. The VLAN where those servers reside got WCCP enabled on it. When I want to apply the route-policy to that VLAN interface it doesn't let me. When I try to apply the same policy to a VLAN interface without WCCP it does work. Is there any Cisco IOS limitations that would prevent me from doing that?
Configuration:
route policy config:
access-list 70 permit ip host x.x.x.x (server IP)
route-map PBR1 permit 10
[Code].....
View 1 Replies
View Related
Feb 7, 2013
Currently have two routers inside our network.
One is the default GW 10.1.1.13
One is Jump Router for ATT 10.1.1.12
Both connected to HP Procurve L2 switch
The ATT Router is 10.1.1.2Want to replace GW and Jump with one 3750 L3 switch.icomplish this with only one port g0/1 connected to HP Procurve?Can I make the switchport 10.1.1.13 and then create a ip vlan999 10.1.1.12?route all to 10.1.1.2Or do I just connect two ports, and hardcode them with an ip?
View 1 Replies
View Related
