Cisco Switching/Routing :: 3750 How To Write Access List
Jan 15, 2012
i have one Cisco 3750, am using it as Core Switch where i have 6 more access switches are connected deirectly, and we are using VLANs in our network with the IP reange of 172.16.0.0 , now we had a new Internet connection which is dedicated to Exchange Server only.So we have TWO internet connection One for internet access to all users and another one for only Exchange Server.internet connection for the users is termiated at a Cisco 1700 Series Router and Internet for Exchage Server is terminated at a Cisco ASA Firewall.Now the problem is how can i write an access list, which says that all packets from Exchange server should be routed to ASA Firewall , and all other packets shoulde route to Cisco Router.IP address os Exchange server is 172.16.2.1, 172.16.2.2.
I'm creating an access-list that will contain all networks and host that will be redistribute into EIGRP.Till now, this access-list contains 72 entries but this number can increase anytime.
I'm using a 3750-x layer 3 switch, and I'm wondering how big this access-list can be, regarding CPU and memory utilization and performance.
I implemented access list on cisco 3560 switch but it never works. I want to block access from network B to Network A and allow from Ato B Network A. 10.0.12.0/24 Network B 10.0.24.0/24
The configuration is interface Vlan1 description Data VLAN
I'm looking to implement a vlan filter to keep unnecessary stuff off my access-layer. Things like IPv6, IPX etc. I really only want IPv4, ARP and 802.1q on these 4500s. I know on 3750, 3560s etc, when I create the mac access-list, I can do it by ethertype, but on the 4500, I dont have that option.
I have an 1800 isr that is running with port forwarding only. It is running a series of ip nat inside source static address port address port commands. It does not have an access list bound to the outside interface. This is working fine, but i am wondering if this is a security concern?
Extended IP access list VLAN20 10 permit tcp any any established 11 permit icmp any any 20 permit tcp any 192.168.20.0 0.0.0.255 eq 80 30 permit tcp any 192.168.20.0 0.0.0.255 eq 443 40 deny ip any any log
[code].....
Above is the network diagram and access list for VLAN 20 and VLAN 30, applied on incoming direction of each valn.But still able to access other port which is not on access list, tried changing the direction with no luck.Inter vlan routing is enabled on CoreSwitch default router is 192.168.10.10
I have one computer connected to the 4506 that management does not want this PC to have access to anything on our network except our DHCP server and the one printer that resides on our network. I created an extended access list as follows. Our network is the 10.10.x.x and the external addresses the PC needs to access is 11.1.x.x. Once this PC is rebooted, it is unable to access DHCP to get the needed IP address it bounces back to a 169.x.x.x address and stops working.
Extended IP access list 2000 permit tcp host 10.10.200.242 host 11.1.200.1 (gateway) permit tcp host 10.10.200.242 host 11.1.2.151 eq smtp (access from the pc to external server for smtp) permit tcp host 10.10.200.242 host 11.1.2.149 eq 5721 (access from the pc to external server for remote access) [ code]...
Then I applied the access-group 2000 on the interface the PC is connected to. What am I missing for DHCP to work and for this PC to always get the ip address that is reserved?
I configure multiple static RPs and one of the ACLs denies a source will it move on to the next entry that covers it in another acl? [code] i.e. 1.1.1.1 will be used as the RP for 224 to 238 and 2.2.2.2 will be used as the RP for 239.Will that work correctly, i.e. if a source is trying to register with the router and its for the group 239.1.1.1, will it be denied against the first RP and then permitted against the second RP?
I have a layer 3 switch, 3550.I have several vlans on there just for playing around with. One of the vlans, has a vonage linksys box attached to it with a UK number attached. From time to time telemarketers call at 03:00 in the morning, this as I'm sure you can imagine is not much fun. The linksys box gets 192.168.3.3 as it's ip.The switch is connected to a non cisco router at 192.168.0.1
interface FastEthernet0/24 no switchport ip address 192.168.0.2 255.255.255.0
I was thinking a time based access list would work best I have tried several variations but the phone still rings. I have tried access-list 1 deny host 192.168.3.3 permit ..... and more extensive lists but the phone still rings. I have not applied the time-range yet, so that's not the problem.I have applied the list to the vlan interface and to fa0/24 but it's not working.
I have a LIII Switch Cisco 3750x ,with diffrent Vlans , Some users are in Vlan 102 (10.10.2.0) and Some Users are in Vlan1 (10.10.1.0) , now i want to restrict the Vlan102 users to access Vlan1 , i am pasting my configuration below , how to create a access list .
interface Vlan1 ip address 10.10.1.36 255.255.255.0 ip helper-address 10.10.1.36
I need to enable/disable a mac access-list on a 2960 scheduled by time. The switch has lanbasek9-mz.122-44.SE6. As the mac access-list can not support time ranges, I tried EEM but seems like it is not supported in this device.
In my core Switch,there are 2 v LAN(V LAN 1 & V LAN 2)my switch is Cisco 4948,so be default ip routing is enable in it. My all servers (DHCP,HTTP,HTTPS) are in v LAN 1 & internet is also in v LAN 1.
My requirement is that v LAN 1 user should not communicate with the v LAN 2 and vice versa. But the v LAN 2 users need an access of all servers and internet which is in v LAN 1. How to configure the access-list. I have try on Packet tracer which i have attached.
note:v LAN 2 user should get the IP from dhcp server which is in vlan1.
We have a gateway on a 4503, say on port 2/1, and we only want the other devices that are plugged into the 4503 to be able to talk to the gateway and thats it. The other devices are Motorola TUT DSL devices and they plug into the 4503 directly.
Normally "switchport protected" would make this very easy to keep stuff on one port from talking to other ports but with 4500's you are not able to do that command. So we implemented a MAC Access-List Extended ACL. Here is what we did
mac access-list extended BLAH permit #host 0000.XXXX.YYYY any interface range fa 2/5 - 20 mac access-group BLAH out
The MAC address 0000.XXXX.YYYY is the MAC address of the gateway that is plugged into Fa2/1 and the DSL TUT devices are plugged into ports Fa2/5-20. We would think that this config would only allow devices on the TUT DSL to talk only to the Gateway but we don't really think this is happening. The TUT devices are learning about MAC addresses that are on other TUT devices.
I have 3 3560 switches which are configured with trunks between them. They run vlan 10, 11 & 12. I have a 'core' switch (switch 1) of these 3 to which an MPLS router is connected on vlan12. I in addition have another switch hanging off the 'core' switch via a routed link (switch 4). I have EIGRP configured as a stub and as such the IP address on the routed link at the core switch end is of a /24 from v lan 1 on the other switch. This makes the route directly connected and therefore distributed via EIGRP stubs. Switch 1 is then exchanging routes with the MPLS router (via EIGRP).
The problem I have is that from any sub net on any switch (switch 1, 2 or 3) I can ping 192.168.13.1 (switch 4). When I try and ping switch 4 from over the MPLS I am unable to. If I trace to the switch I see it reaches the outside of the MPLS router, but is then unresponsive. The same applies if I try to ping switch 1 on 192.168.13.2. Any of the other IP addresses of switch 1 respond.
The MPLS network is a managed solution to which I have no access. I'm told that the MPLS provider is able to ping switch 1 & switch 4 on the 192.168.13.x addresses from a remote router (192.168.32.2). I have tried from a switch on the same L2 sub net (192.168.32.1) and I don't get a response.
From switch 4 I am able to ping the switch on 1 of it's interfaces (192.168.19.1), but not the interface I mentioned above 192.168.32.1. There are no access lists in place on the switches and no firewalls between the sites.
I have two 5548's in sync mode: I have an existing ACL and I want to add a new line to it, but after I do and try to commit it states the verify failed. [code]
I have to add access list to both switches not in config sync mode.
I am using cisco 1841 LAN router, I need to block MAC address i have applied the command access-list 1102 deny 0000.0000.0000.0000 mac address..... but it does not work.
I'm getting this error message on syslog server (Kiwi syslog)access-list logging rate-limited or missed XXXX packets i did the following commands but still I'm getting the error :logging buffered 16386 debugginglogging rate-limit all 5000no logging consoleno logging monitorip access-list logging interval 30000ip access-list log-update threshold 30000 i don't want to report to the console or monitor i want to report direct to syslog server, because I'm monitoring all the traffic (permit ip any any log) !
After I added the 3rd 3750E to my stack on Sunday I can no longer save my configs with 'copy run start' or 'write mem':
#copy running-config startup-config Destination filename [startup-config]? Building configuration... nv_done: unable to open "flash:/config.text.new" nv_done: unable to open "flash:/private-config.text.new" nv_done: unable to open "flash:/multiple-fs.new"[OK]
I have a stack of 3750x switches running 15.0 (2) SE2 IOS. When I reload the switch stack, I am seeing the following message in the logs: IPv6 user port trust TCAM write failed.
I am trying to write an extended ACL for the voice vlan.My scenario is the following:I have two PBXs with two Catalyst 4505 L3 switches.The C4505 are connected trough a trunk link.I have a VTP domain configured.
Voice VLANs are Vlan 100 and Vlan 101 with networks 10.2.0.0/16 and 10.4.0.0/16 Voip telephones are communicating between them self and everything is working fine.I want to secure both voice VLANs with an ACL to allow only couple of IPs to administer the phones.The PCs are connected trough a integrated switch via VOIP telephone.Here is the sample configuration of the dhcp pool for the PC VLAN:
ip dhcp pool PCs network 10.1.0.0 255.255.0.0 default-router 10.1.1.1 dns-server 10.10.10.1 option 43 hex 010a.5369.656d.656e.7300.0000.0204.0000.0064.0000.0000.00ff
I had to implement the 43 hex option because the PCs did not get the ip from the DHCP because of the vendor specific information.The thing that worries me is will the DHCP forward the ACKs for the PCs if I implement this test ACL:
ip access-list extended VLAN100 permit ip 10.2.0.0 0.0.255.255 10.4.0.0 0.0.255.255 permit ip 10.4.0.0 0.0.255.255 10.2.0.0 0.0.255.255 permit ip 192.168.2.0 0.0.0.255 10.2.0.0 0.0.255.255 permit ip 192.168.2.0 0.0.0.255 10.4.0.0 0.0.255.255 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps (this I am not sure do I need) permit udp host 255.255.255.255 eq bootps host 0.0.0.0 eq bootpc (also this) deny ip any any
I only want to allow the network 192.168.2.0/24 and maybe some other hosts to access the web based http gui to adiminister the IP phones.All PCs are connected trough the VOIP terminals. I do not want to deny the traffic to PCs.
I am trying to configerate static switchports on our nexus 5548 (nx-os 5.1(3)N1(1)) over snmp.The support-list url... states that the CISCO- VLAN- MEMBERSHIP- MIB is supported.I can read the information, but if i try to set vmVlan or vmVlanType i get the message: "SET failed. ("ip-address"). Information: Not Writable."I can use set_request in general (e.g. CISCO-CONFIG-COPY-MIB). how to set the vlan and vlan-type over snmp?
I am facing issue with http login after IOS upgrade on 3750 switches. I upgrade IOS from c3750-ipbase-mz.122-35.SE5.bin to c3750-ipbase-mz.122-53.SE2. bin Any other command I have to run.
We have a Cisco 3750 stack connecting to the MPLS router, able to ping 8.8.8.8 - [URL], the internal users on their own Vlan can ping the default gateway the 3750 switch but no further, trace route from the PC/Servers stops at the 3750 stack.We have the switch configured to ip route 0.0.0.0 0.0.0.0 to the public interface in the MPLS router, from the switch I'm able to ping the internet.
Today when we run one applcation to access a target server with IP address 10.2.2.13, the application cannot run through and appearing error message related networking.The target server has two network ports whereby another one with IP 10.2.2.14 is running OK with the same application. All these two connections are connected to the same Cisco switch 3750, after the switch then go to Cisco ASA firewall which has no access control rule for this 10.2.2.13 and its subnet, and then the firewall connect directly to the application server.We can ping, remote desktop access and telent port for the application to the target server by using 10.2.2.13.We swapped the cable connection of the ports from one another and try the application again, the IP with 10.2.2.13 is still fail and IP with 10.2.2.14 is OK.We then change the IP from 10.2.2.13 to 10.2.2.12 or 10.2.2.155, all are OK. We changed back to 10.2.2.13, it is failed again.The switch is in running real time production and so we cannot power cycle or reload the switch.
I need to confirm internet access from remote network through MPLS cloud to another site. Let me explain. We have a MPLS network with Wind stream as listed in the visio drawing; site 1 has internet access through the Time-Warner cloud for all users. Site2 has internet access through the Wind stream MPLS router. Site three has no internet access, and only has LAN access layer2 through Windstream routers to Site1 for networks 192.168.0.0/24, 10.1.1.x/24. My question is can we give everyone at Site 3 internet access through the MPLS network down into Site 1 using the Time-Warner ISP cloud.
I placed routes on the Site 3 3750 stack IP route 192.168.50.x 255.255.255.0 to the interface of the MPLS router at site3, then at site 1 we have IP route 192.168.50.x 255.255.255.0 to the MPLS interface, and able to ping all anything on the 192.168.50.0 network. I added the IP route 0.0.0.0 0.0.0.0 192.168.50.x the MPLS router interface, we do not have internet access at Site 3 using Site 1 network.
I confirmed at Site 1 from the Cisco 3750 switch we can ping 4.2.2.2 = Google. How to confirm this will work and what’s required to complete this connection to give everyone at site 3 internet access through Site 1 Time-Warner.
I've got a bunch of 3750-X switches all running IP Base and acting as a routed access layer. They run OSPF in a totally stubby area with the distribution layer (Nexus 7K) as the ABR. We also have a physically separate management network into which the fa0 management interface of the 3750-X is connected. The management network itself runs OSPF and has multiple subnets and external access.
On the 3750-X, I'd ideally like to be able to run some sort of separate OSPF process for the management network or at the very least have a static default route for management traffic pointing out the fa0 interface, but clearly not have it interfere with the main default route for data traffic coming from the N7K ABR. Normally I'd just create a management VRF, sling the fa0 interface into it and run a separate OSPF process in that VRF. The problem is you can't create VRFs in IP Base! Surely there must be a way to do this? Cisco don't really expect customers to upgrade to IP Services just to have a working OOB Management network, do they?!
My colleague and I have been having a discussion about using rapid spanning tree in the access layer. Most of our infrastructure has been migrated to a routed access layer with 3750s.
The idea was brought up to configure the switches with rapid PVST. On the surface, it seems like a better idea, faster convergence, in the event that spanning tree ends up being used for some reason. My colleague prefers sticking with standard PVST. His argument is that, in the event of a layer 2 loop, some consumer-level switches filter out BPDUs and if the control plane is overwhelmed, the shorter timers of rapid PVST just puts that much more of a burden on the CPU trying to regain control, whereas with standard PVST it will have around 20 seconds before it starts to engage. (It may still be overwhelmed, but the longer timer delays the additional burden.) He says he's seen this problem with rapid PVST and that his opinion is backed up by our Cisco rep. (I haven't spoken to him yet.)
In our model, it should be very rare -- pretty much never -- that we would layer 2 span another switch off of our access stack.
One suggestion I saw is to use BPDU Guard, which is a good suggestion as well.
But we have had experiences with overloading the control plane on a 3750. I believe that concern is valid. If the CPU can't service spanning tree. But I'm interested in hearing about other experiences people have had in terms of rapid spanning tree in the access layer, end users plugging in unauthorized devices and creating loops, and the effects when using rapid spanning tree vs standard spanning tree.
I configure 3750 stack switch as core and 2960 stack switches as access layer switches.I connected my laptop to one of my core stack in VLAN 10 and I am pinging to one of my server in VLAN 1. What will be the minimum latency at the time of inter VALN routing
