Cisco Switching/Routing :: 3750G ACLs Not Working
Sep 17, 2012
I am trying to create an ACL that walls off a VLAN and only allows it to the internet. This is on a 3750G; currently the 3750G I am attempting this on is in a stack. I have another 3750G that is a standalone.
The first way I attempted this was to create two access-lists:
access-list 101 permit tcp 10.249.1.0 0.0.0.255 any eq 80
access-list 102 permit tcp any 10.249.1.0 0.0.0.255 established
Let's call the 10.249.1.0 VLAN 2. I applied this to the VLAN2 interface, 101 out, 102 in. It didn't work. If I place a deny statement with nothing else, that works.
The second attempt was this:
access-list 101 deny ip 10.249.1.0 0.0.0.255 any
access-list 101 permit ip any any
I applied this to a VLAN I wanted to block VLAN2's traffic from reaching, let's call that one VLAN 3.
This lets all traffic from any VLAN through (including the one I'm trying to block). If I remove the "permit ip any any", then all VLANs are denied, which I understand is correct due to the implied deny all. What I don't understand is why it isn't applying the ACL to the specific VLAN.
Oct 8, 2012
I have a 3750G switch (WS-C3750G-24TS-S) running software version c3750-ipservicesk9-mz.122-55.SE6.bin and using PBR with IP SLA. While I am applying it on an interface, it says not supported....
route-map TO-CAS-E0 permit 10
match ip address 125
set ip next-hop verify-availability 10.116.199.200 10 track 100 (if i change this command to set ip next-hop 10.116.199.200, it works)
!
WAN-L3-3750SW01(config-route-map)#interface GigabitEthernet1/0/11
[code].....
Jan 15, 2012
Has anyone come across "show ver" memory details on a 3750G-48PS as below? One of our Catalyst 3750G switches running software 12.2(44)SE2 shows unexpected DRAM as below:
cisco WS-C3750G-48PS (PowerPC405) processor (revision F0) with 0K/12280K bytes of memory.
This would equate to around 11MB of memory, which does not seem right... Is it a known IOS bug?
Mar 12, 2013
Quick question here. Using 3750E series switches with multiple VLANS configured. These switches serve as our 'core'. I have SVIs configured for the different VLANs and add inbound ACLs in each of the SVIs to control traffic between VLANS. This switch also terminates a P2P Ethernet link which connects to our Colo facility. The port used for this is configured as an L3 port. I noticed today that I was able to send traffic across this L3 link that I thought should have been blocked by an ACL I had in place but it wasn't. So the traffic flowed from a port in say VLAN 20 across this L3 link (assigned with an IP address). Would this traffic flow not cause traffic to be checked against an ACL applied in the inbound direction on the SVI of VLAN 20 (int vlan 20)? Traffic does get checked when routing between SVIs. Why would it not get checked when routing between SVI and L3 interface?
Apr 16, 2013
We are configuring ACLs for a DHCP pool on a Sw3750:
ip access-list extended Test
permit ip any 192.168.1.0 0.0.0.31
permit ip any host 172.16.1.1
And, here is dhcp pool:
ip dhcp excluded 192.168.1.1 192.168.1.3
ip dhcp pool Name
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
But when a PC tries to obtain an IP automatically, it doesn't work.
Feb 5, 2013
Does anyone know when object-group ACLs will be supported in Cat4500 IOS-XE? It doesn't seem to be supported now.
Feb 3, 2013
We are migrating from Catalyst 6509 IOS platforms to Nexus 7009. There are the normal differences in commands, which is well documented. We do have some quite large files containing ACLs, varying from tens of lines to several thousands of lines. Our normal upload would be done using TFTP and then issuing the command 'conf net' on the 6509. This is no longer the way to do this on NX-OS. I've tried "copy ftp: running-config", which works fine for small files, but for big ones it takes a long time; in some cases I've seen it take 20-30 minutes. The initial TFTP upload to the 7009 seems OK, but the copy into the running-config is the bit that takes time, and initially I thought I'd killed the 7009!! It did finally come back to the prompt. Are the 7009s simply not designed for large ACLs? I did try the configure session (Session Manager) but I couldn't see a way of uploading a file. I tried creating a new session and then exiting it, copying in a file of the same format and then committing it, but it didn't seem to acknowledge the file (checksum?).
Nov 4, 2011
How should I configure the NX7000 to log ACL hits to a remote syslog server?
Jan 26, 2013
I have a 2960 SI LAN Lite switch that I am configuring for admin and guest access. I have wireless APs plugged into trunked ports 2 and 3. I am using two VLANs (in addition to the native VLAN): VLAN 5 for admin and VLAN 10 for guest access. I have an ACL configured on the router preventing guest users from accessing the admin network. I want to prevent those on the guest network from seeing other hosts in the VLAN; however, the LAN Lite software does not support port ACLs. Is there any way to accomplish this with this switch?
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
[Code]...
Mar 21, 2012
I have two Distribution switches of Cisco 3750G. Each Distribution has two 3750G switches stacked. I also have one Cisco 3750V2 access switch connected to both Distributions. When I am checking for redundancy, I can only get the redundancy test to pass for one link, not at all for the other. If I have a link up with Distribution 1 only then it's fine, but disappointment with the Distribution 2 link. I can see that the switch priorities of Dist 2 are not correct, i.e. the Master's priority is 10 and the Member's is 15.
My question is whether, due to misconfigured priorities on the Distribution 2 stack switches, I am failing redundancy if ONLY Dist 2 is up and Dist 1 is down.
Mar 4, 2012
I've one Cisco 3750G-12S with IP routing enabled; the switch is on IP Services firmware, with PBR support. Currently my default static route 0.0.0.0 0.0.0.0 10.1.18.71 points to my Firewall A; currently all of the VLANs will be routed to 10.1.18.71.
I've created a new VLAN 2 for my 10.1.2.0/24 network with the VLAN interface 2 IP address 10.1.2.10; my intention is to route 10.1.2.0/24 traffic to my 10.1.2.1 by creating an access list and route-map.
I've configured my test PC with a static IP and my gateway pointing to 10.1.2.10 (VLAN 2 gateway); I'm not able to route to 10.1.2.1.
Nov 8, 2012
I have a couple of 3750G-24T-E switches running IOS 12.2. I would like to upgrade to IOS 15.x. Is this possible? Where do I find some information on the required licenses and costs? I must admit that the Cisco search function did come up with a few pages, but I was not able to extract the required information. I have not used the new software activation features yet.
Jun 7, 2012
I've got a requirement to do inter-VRF routing (need MP-BGP) using a private AS number on a stack of 7 x 3750Gs; my question ultimately is the performance overhead of doing such a change.
The stack will have no more than 300-400 routes even with the duplicates invoked from doing VRF leaking, so I can't see much of an issue myself; we already have 2 VRFs and OSPF running in each VRF, just don't have MP-BGP to do the VRF leaking.
Ultimately there will be about 4-5 VRFs (I know there's a software limit of 26 VRFs on a 3750G).
Oct 2, 2012
I am trying to stack the following:
3750G 12S - 12.2.53(SE2 IP Services) Running EIGRP & OSPF
with
3x 3750X 48P-S - 12.2.53(SE2 IP Base License)
Doing some research, IP Base does EIGRP on the 3750X; does it do OSPF?
If not, will I have to get a licence for the 3750X?
Jan 2, 2013
I have one switch, a 3750G12S. I joined the company new, and I found that they want to replace it with Alcatel stack switches. I didn't configure this Cisco switch before. How do I configure it? I have 4 other new Cisco switches in the topology, which is not created yet. The 4 switches are all 2960s.
Nov 20, 2012
I have 2 3750s; one is a 3750E, the other one is a G... Since they are 2 different versions, do I need the correct IOS for each? For example, for my 3750E switch I would have
IP BASE
c3750e-ipbasek9-mz.122-53.SE2.bin
and for my 3750G switch should I use
IP BASE
c3750-ipbasek9-mz.122-53.SE2.bin
Which would be 2 separate images.
May 26, 2011
I have a 3750G and bought a new 3750X. Is it possible to stack these two together?
Nov 18, 2008
I have a 3750g on which I am trying to configure the ip policy route-map command on each of the vlan interfaces. However after entering the command it does not appear. I'm not sure what to do at this point. I have changed the SDM template to routing and I am running the IPServices image.
Jan 23, 2013
I have just received a new Cisco 3750G Switch from my parent company. When attempting to install the switch, I discovered that it will not boot to CLI, only to the bootloader. After using the command boot, the switch attempts to boot the most current IOS version, but fails, stating "error loading XXXXXXXXXX.bin".
Obviously, I just need to get a functional version of the IOS onto the switch to boot, but the problem is exactly how can I do that? All (or most) the commands with which I am familiar are unavailable in the bootloader, so all methods known to me fail. Is there a simple way (maybe using the copy command?) to put the .tar or .bin file onto the flash?
Jun 2, 2013
I have a 3750G that used to be the Stack Master of a stack comprised of 2 identical switches. Since then, we have removed the stack from production, and I factory defaulted the stack MEMBER and that went fine. I just held the "Mode" button on the front until the lights all lit up and then issued the reload command, and the switch came back with no configuration OTHER than the VLAN database. I issued the "del vlan.dat" command to no avail. I just manually removed all the VLANs.
The stack MASTER, on the other hand, will NOT go back to factory defaults, and will also NOT erase the VLAN database. Everything I try will NOT work. I've tried the following:
1) Hold mode button & issue a reload after the lights start flashing
2) issue "Write Erase" then issue "reload"
3) issue "Write Erase", then issue "Write", then issue "reload"
4) issue "erase start" then issue "reload" (just in case the "write erase" command is being deprecated or something weird)
5) issue "erase start" then issue "copy run start" then issue "reload"
Is there a special way to reset a StackMaster back to factory defaults?
Apr 22, 2013
I have one 3750X with C3KX-NM-10GT, and I need to interconnect it using StackWise to a 3750G-24TS. The 3750X needs IOS 15.0(1) to use C3KX-NM-10GT, and the latest IOS for the 3750G-24TS is 12.2.55. How can I interconnect them using different IOS versions?
Jan 29, 2013
I have a 3750G switch that can't detect another switch or be detected through its stack ports. I tried the recommended test: looping a cable between the ports and rebooting. I get the following message as the switch boots: SM: Detected stack cables at PORT1 PORT2. However, if I connect another switch, it won't detect it and can't form a stack.
Feb 20, 2012
I'm trying to upgrade the IOS version on a 3750G stack (2 switches), but the image on the switch is too old. The stack is running IOS c3750-i9-mz.121-19.EA1d.bin, and when I tried to upgrade to a newer version, I tried to go to IOS version c3750-advipservicesk9-mz.122-35.SE5.bin since I need to enable SSH on the switch, but the switch did not reload.
Here's a print screen of the switch version:
Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.1(19)EA1d, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 05-Apr-04 22:40 by antonino
Image text-base: 0x00003000, data-base: 0x007CBC3C
[code]...
What IOS version can I upgrade to that is not already deferred?
Jun 17, 2012
I have one 3750G stack with 4 switches, and this stack is presenting the following log message:
%PLATFORM_UCAST-4-PREFIX: One or more, more specific prefixes could not be programmed into TCAM and are being covered by a less specific prefix, and the packets may be software forwarded.
In this stack we are using layer 3 with OSPF routing, and the current sdm prefer is the default:
switch-01-3750#sh sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
[code]...
Feb 7, 2011
I have two 3750G switches that are in a stack, and I am seeing these errors in the log:
002258: Feb 4 17:06:06.355 UTC: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 1279: pm_vlan_get_vlan_data) (CBAC01-3750-2)
-Traceback= 190F078 19729A0 1972A64 1963764 110BC24 195F2F8 110BB9C 196D2C8 195ECD4 110BC24 19658B0 110BB9C 196D1D8 194C2B8 195D24C 110BC24 (CBAC01-3750-2)
002259: Feb 4 17:06:06.355 UTC: %BIT-4-OUTOFRANGE: bit 4096 is not in the expected range of 0 to 4095 (CBAC01-3750-2)
-Traceback= 10273BC 1027478 1972B50 1963764 110BC24 195F2F8 110BB9C 196D2C8 195ECD4 110BC24 19658B0 110BB9C 196D1D8 194C2B8 195D24C 110BC24 (CBAC01-3750-2)
002260: Feb 4 17:06:06.355 UTC: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlan > 0 && vlan < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 773: pm_vlan_set_portlist) (CBAC01-3750-2)
[code]....
Jul 17, 2012
Has anyone tried to form a stack with mixed 3750-X and 3750G? Are there any prerequisites in hardware and software?
Nov 19, 2012
I am currently having performance issues running a 3 x stack of 3750G (different models) as a core for a network of roughly 12 x distribution switches. [code] As above, I have a 12-port fibre switch and 2 x 3750G-48 port switches. [code] I tried to change the SDM to route but hit another issue where the 3750G-48 does not support SDM route, so I had to revert back to desktop VLAN. Could the SDM template be the reason for slow performance? If so, which SDM template should I use, as this is the core L3 switch?
Feb 27, 2013
I currently have a stack of 3750G switches with a cross-stack EtherChannel connected to a 3750E stack in the distribution layer. The 3750G stack is running 15.0-2SE IP Base. I began noticing the MAC flap issue when I was re-enabling dot1x on the switchports. At first I thought dot1x may have contributed to this, so I removed it from the stack temporarily. I am still seeing MAC flap logs, usually when a machine reboots or re-connects back to the network. These are all wired desktops. I started looking at the EtherChannel configuration, which is using LACP. The 3750E stack looks fine with all ports in mode active. On the problematic 3750G stack I noticed 3 of the ports in the EtherChannel set to mode active and 1 port set to mode passive. The port shows as bundled, but I can't imagine this is OK. The only other difference on this one port is there are no mls qos commands like on the other 3 interfaces in the port channel. I mainly need to know what the MAC flapping is about, whether it is a bug or related to the current EtherChannel configuration.
Jun 12, 2012
I have a 48-port 3750G switch (model # WS-C3750G-48TS-S). How do I determine which ports are grouped per ASIC on the 3750G switch? For example, is the grouping that ports 1-8 are serviced by ASIC 1, ports 9-16 are serviced by ASIC 2, ports 17-24 are serviced by ASIC 3, etc.? If it exists, what is the IOS command to show the mapping of ports to ASICs?
Feb 6, 2012
I'm troubleshooting interface drops. However, the output of the following show commands doesn't match the number of drops. Based on the output, can you find out what is causing the drops? G1/0/28 is the uplink. Is it just that the port got overrun by the traffic?
#show int g1/0/28
GigabitEthernet1/0/28 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0019.5667.191c (bia 0019.5667.191c)
[Code].....
Apr 8, 2013
I'm due to replace a stack of 2 x 3750 switches very soon with 2 x 3750Gs. These 2 current switches are the VTP server for a small domain. I have put the config on the new switches, and I made it a server and used the same VTP domain and password etc. and got the VLAN info ported over. Now I did this a while back and noticed the switches are in transparent mode with a revision number of 0. I need to set this back to server and swap the switches out, but the revision will be lower than the client switches (around rev 200). What do I need to do?
Feb 20, 2013
We have 3 VLANs in our Cisco 3750G switch: VLAN 1 10.1.0.0/24 for the domain network, VLAN 2 10.2.0.0/24 for students and VLAN 3 10.3.0.0/24 for public. We have one printer 10.3.0.206 in VLAN 3 and want to allow the student server 10.2.0.253 in VLAN 2 to access the printer. How can we configure the access-list? Here is the current configuration:
ip access-list extended publicaccess
permit icmp any any
permit ip any host 10.2.0.253
permit tcp any any established log
deny ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
deny ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
Mar 7, 2013
I am having an issue bypassing a 3750G series switch. How can I bypass the old configuration in the switch? I have tried CTRL+BREAK at startup but it won't work.