Cisco Switching/Routing :: 3750X / Restricting Access To A IP
Jan 12, 2013
This is my scenario. I have my IP as 172.16.1.1 (aaaa.bbbb.cccc.dddd) which has full internet access. Now when i am not available in the office, i noticed some one assigning my IP in to his workstation and gaining full internet access. How do i restrict such things? i.e. even if some one assigning my IP on the network, they shouldnt access LAN or WAN.I tried 'arp 172.16.1.1 aaaa.bbbb.cccc.dddd arpa' configuring on my L3 Cisco 3750X switch assuming i can acheive, but that did not work.
View 8 Replies
ADVERTISEMENT
Jan 17, 2013
My management has tasked me to give them a high level overview of the different switching we can choose for our new building.
This is what I know so far.4 Closets, each closet has 450 ports,One MDF room that is will contain one UCS Chassis and a Nimble iSCSI SAN.
I am working on the spreadsheet and it looks like this (Not totally filled):
2960s3560x3750x45064510Approx cost (Each, 48PORT, POE+, 10G uplink, Dual PS, IP BASE)
6K7K8K45K75KMax Capacity192432432192384Backplane speed206464520520ProLeast ExpensiveStackable to 9Stackable to 9ProDual PSDual PSDual PSDual PSDual PSProLayer 3 opt
Layer 3 optDual SupsDual SupsConExpensiveExpensiveConNo Dual PSConLayer 2 OnlyCannot stack more than 4
For the MDF I would like to use 2 Nexus 5548's with FEX's, and the layer 3 daughter board. For the IDF's I was thinking of two 4010's.
View 12 Replies
View Related
May 29, 2013
I have started to use ip extended access-lists on several 3750X-switches to filter inbound and outbond traffic on the VLANs. But it seems that the use of object-groups is not supported, is this correct? Is it really no way to group different ip-addresses into groups and then use these groups in the access-lists?
I am running sw version 15.0(1)SE2.
View 1 Replies
View Related
Feb 6, 2013
I have a LIII Switch Cisco 3750x ,with diffrent Vlans , Some users are in Vlan 102 (10.10.2.0) and Some Users are in Vlan1 (10.10.1.0) , now i want to restrict the Vlan102 users to access Vlan1 , i am pasting my configuration below , how to create a access list .
interface Vlan1
ip address 10.10.1.36 255.255.255.0
ip helper-address 10.10.1.36
[Code].....
View 2 Replies
View Related
Mar 19, 2013
I have one issue on Vlan in Cisco 3750X switches , I have 2 Offices , I am sitting at corp OFfice and i have one 3750 ( 10.10.1.36)Switch at my location , in my remote office i have one more switch 3750 ( 10.10.33.1) and i am able to access the both vlan IPS with out any issue , now i have some network components in Vlan33 ( 10.10.33.1) at my remote office . i am able to ping 10.10.33.1 IP from my corp office , but i am not able to ping any network devices in 10.10.33.5 example : 10.10.33.5 is my Cyberoam IP at remote location and i am not able to ping , i have taken a trace route and not able to find the issue as i am not much femilar , ping 10.10.33.5 at remote location devicec
I am giving the Configuration for both locaitons below :
10.10.1.36 - Corp Office 3750 Switch:
sh run
L3-#sh running-config
Building configuration...
[Code].....
View 1 Replies
View Related
Mar 18, 2013
I've got a 3750x stack set up as my core switch (only a small-ish environment) - I'm shortly going to be deploying an enterprise wireless network with Corporate and Guest SSID's. I'm going to be putting all traffic from the Guest SSID in VLAN 244, and don't want it to have access to any of the other VLANs (1 (Legacy Eqpt), 4, 8, 12, 16, 20, 24, 28, 32, 248 & 252).
IP ranges for all the main VLANs are:
1: 10.0.0.x/22
4: 10.0.4.x/22
8: 10.0.8.x/22
12: 10.0.12.x/22
16: 10.0.16.x/22 etc etc (you get the pattern)
I'll probably give Guest traffic (VLAN 248) the IP range 192.168.10.x/22 (not because I NEED that many addresses, but it's easier for everyone to remember/understand if I keep the subnet masks the same all round). However I also have a CCTV VLAN (252) which already has the range 192.168.0.x/24, which some people in other VLANs WILL need access to.
So my question is: What is the syntax for the ACL on my 3750x (IP base - 15.0.2) to prevent traffic from VLAN 244 gaining access to any of my other VLANs. I'm making a broad assumption here that a layer 3 switch is perfectly capable of supporting that function? I need ALL the syntax for setting up ACL's - I've never done it before
My gateway device by the way is 10.0.4.1, and I do have inter-VLAN routing set up on the core switch (obviously).
View 3 Replies
View Related
May 9, 2013
I'm looking to restrict Inter-VLAN routing through L3 switch (cisco 6500) and wanted to know best possible way to do it. I used VACL and achieved success to some extent, but my config is making clients take up to 5-6 mins to authenticate IP address from the DNS (bootps).My VACL config was as follows:
Subnet to restrict is 10.100.15.0 (VLAN 15)
STEP 1: Created extended ACL to allow bootpc/bootps through DNS
ip access-list extended EACL_DNS
permit udp any eq bootps any
permit udp any eq bootpc any
STEP 2: Created standard ACLs to allow only relevant subnet, server VLANs & some IPs from other subnets for printers/scanners etc.
ip access-list standard SACL_VLAN_15
permit 10.100.15.0 0.0.0.255 (the subnet I'm restricting)
permit 10.100.50.0 0.0.0.255 (server VLANs)
permit 10.100.25.45 0.0.0.0 (printer in another VLAN which has to have access in VLAN 15)
STEP 3: Created VLAN access list
vlan access-map VACL_15 10
match ip address EACL_DNS
action forward
vlan access-map VACL_15 20
match ip address SACL_15
action forward
STEP 4: Applying VLAN Access list on VLAN 15 vlan filter VACL_15 vlan-list 15 Though the above works, below is noted:
1. I'm still able to PING 10.100.15.2 (the switch virtual interface) from outside the subnet, which I don't intend to do so. Howeve all cients in the subnet have no connectivity from outside the VLAN 15.
2. As mentioned its taking quiet some time to negotiate with the DNS server at system boot time.
View 3 Replies
View Related
Mar 17, 2013
I want to configure accesslists on my Catalyst 3750X-switches to protect different VLANs/networks. Any best-practices about inbound versus outbound accesslists? In my head it is more readable and easier to understand the config when accesslists are assigned outbound on the VLAN to protect instead of assigning them inbound on all possible source-VLANs. But of course, from a performance point-of-view it is better to use inbound access-lists to avoid un-necessary routing etc.
View 1 Replies
View Related
Jan 17, 2012
I have a 2900 router at branch office. This router has a 4 port switch card and two gigabyte ports. The gigabyte port is use for wan connection and the 4 port switch card is use for lan connection. I have two separate networks on my lan side. (network 1 and network 2)
I have assigned port 0,1 of the switch card to vlan1 for network 1 Ports 2,3 of the switch card is assigned vlan 20 for network 2
My problem is I would like to applied a bandwidth restriction for all data coming out from vlan20 capping same to 384 kb.
Note I do not want use QOS because this will only kickin when saturation occurs,
View 8 Replies
View Related
May 14, 2013
We want to permit certain mac addresses on the cat 4506 switch wherein only those mac addresses will get access to network.
Configuration Planned: For testing purpose we have created mac access list on cat 4506 and deny laptop mac address in this access list. The mac access group is applied to the port where the laptop is connected to cat 4506.Even after applying the mac access group on the port, the laptop is able to ping the vlan ip of cat 4506 [code]
laptop with ip address 192.168.10.2/24 connected to port 2/1 is able to ping 192.168.10.1 even after applying the mac access-group
Note-we have tested same configuration on cat 3560 and its working fine. We apply the mac access-group command on interface and clear the arp-cache and we are not able to ping vlan interface ip. The moment we remove the mac access-group,ping starts again.
View 4 Replies
View Related
Dec 4, 2012
I am trying to block access to facebook and twitter on my router, to a certain range of ips, 192.168.1.8 - 254. I have been digging around and trying stuff but all I do seems to restrict everyone access to the internet.
View 5 Replies
View Related
Jan 13, 2011
Not sure If I am asking this correct. I want to install a wireless access point into a switch and out the WAN. Going to PW access into the wireless access point. Can I restrict the user from entering the LAN from wireless access point? Change subnets, what to do? Would not mind resticting speed, etc. I think I can through my switch.
View 19 Replies
View Related
Oct 9, 2012
I have installed a video security system into my home/office and several IP cameras are connected via my wired cat5 network which connects to my router and switcher into a PC with internet access. This will allow me to record any break ins and alert me of this event and view it in real time.I would like to restrict access to these devices for anyone else on the network, with either dedicated access or password protection.
View 1 Replies
View Related
May 28, 2011
got myself the Netgear internal PCI wifi adapter today & it works just fine on my Windows XP SP3 desktop.
The only problem I have is the question of restricting complete internet access to kids @ home. If it was an external USB adapter, I could have just taken it away but the concern is the device being an internal & always available one.
The user configuration on the PC is such that there is 1 main administrator (The actual windows "administrator" account) that no one uses. Apart from that,
- 1 user with admin privileges (me)
- 1 limited account for the kid
- 1 admin privilege account for the kid again (for purposes like installation of games which require an admin account as mandatory)
I would like for the wifi PCI card to work only when I login to my user account. There must be someway by which I could disable the device or make the internet inaccessible in the other accounts,, (but pls bear that 1 of the account that the kid uses also has admin privilege)
I tried disabling the device from control panel but in vain.. (tried something like the sys admins do in corporates ..) disabling the usb ports on the PC's in my office..!
View 4 Replies
View Related
Oct 29, 2012
I have Configured a WLAN with WiSM2 Controller installed on a 6500 series, Aironet 3600series APs and ACS 5.3 for userauthentication. The ACS is connected to Active directory so users are authenticating using the AD (802.1x is used and not a pre-shared key) on SSID A. I have created a separate SSID B for guest users. I have put restrictions on this SSID. Guest users are also created on the same AD where internal users are created. How can I force Guest users to connect to SSID B and not be able to connect to SSID A? Currently they can connect to both.
View 3 Replies
View Related
Nov 6, 2012
I have an ASA firewall and I have never configured an FTP server for a large scale network (well large in my opinion). I want to ensure we have the highest level of security available for the FTP and to limit only the specific users designated by an ACL. Would SFTP be the best available option for security measures? Should I only use Passive FTP and what range of ports above 1023 should I open for only 1 or 2 FTP clients at a time? Also if I use Passive mode do I need to use protocol inspection for FTP?Also, Currently I'm unsure of what files need to be accessed on our network but should the SFTP Server always only be installed within the DMZ?
View 4 Replies
View Related
Apr 19, 2011
I have a Cisco 2901 Terminal server with AAA authentication via ACS server. I create twoaccounts on the acs server, cciesec2011 and vendor. Both accounts can log into the Cisco 2901 Terminal Server without any issues. By the way, I am NOT using AAA authorization on the Cisco Terminal Server. Once cciesec2011 or vendor accounts are authenticated, theseaccounts can access all the async line on the Cisco Terminal Server.
Now I have a new requirements. I would like to allow cciesec2011, once this account is successfully authenticated, this account has access to ALL async line on the Terminal Server. The "vendor" account, I want to restrict this account access only to async line 35 (there are 32 async lines available on the Cisco Terminal Server) and nothing else.
How can I accomplish without using AAA authorization on the Cisco Terminal Server?Is it possible to use "privlege level" to accomplish this? if so, how?
View 5 Replies
View Related
Mar 3, 2011
We have recently ordered a laptop along with a docking station with the intention of connecting it with the desktop PC in the office. We want the documents folders of both computers to be synchronized and to that end we want to share the folders between each computer. However, to do so we will have to connect the laptop to the larger network in our office. Given the sensitive nature of the documents we only want the desktop PC and the laptop to be able to access these files and synchronize them.
Is there anyway in Windows 7 to specify exactly which computers are allowed access to shared folders on a computer? What's the best way to achieve the file synchronization between the two?
View 2 Replies
View Related
Mar 6, 2013
i cant find any difference in these two devices when i am trying to compare throughput.I need upgrade our new POP and there will be around 4900 MAC adresses in VLAN 150 and 130 MAC adresses in vlan 200.Uplink is 1 gig routed internet connection and there is 14 downlinks to separate villages.i found a few differences for eg stack interface on 3750x but i dont need it.
View 2 Replies
View Related
Dec 27, 2012
I have a stack of 2 x 3750X switches these are running 12.2(55)SE5. I needed to add some static IP routes and found that the ‘ip routing’ command is not supported. I came across a document that stated “On switches running the LAN base feature, static routing on VLANs is supported only with Cisco IOS Release 12.2(58)SE and later.” So I have upgraded to 12.2(58)SE2, but ‘ip routing’ is still not a valid command.
The release notes state:“On the Cisco Catalyst 3560-X and 3750-X Series, it adds support for 16 static IPv4 routes in the LAN Base image.”
I have read other posts that talk about running the ‘sdm prefer routing’ command which I have done, but I am still unable to add any routes or run the ‘ip routing’ command.
View 4 Replies
View Related
Dec 9, 2012
I have an 1811 with several subnets connected to it.I recently installed a 3750x plant and want to bring my interior routing back to it.
All the routing is handled by the 1811 via secondary interfaces on vlan1?
I have 192 ports, and subnets show up on almost all of them. None of the ports are assigned to any specific vlans. Most ports have several subnets on them.
What is the best approach to getting the 3750x to handle the routing?
View 18 Replies
View Related
May 22, 2013
my company pay a switch 3750 X. WS-C3750X-24T-E. It uses IP services basically but I failed to configure InterVLAN routing. why interVLAN routing doesn't work on my switch?
View 10 Replies
View Related
Jan 24, 2013
I am setting up a vm environment for a customer in my lab off site. I have two stacked 3750-x switches, a san, and threes UCS c220 M3S servers for hosts. I am trying to separate the lan traffic, san iscsi traffic, and san management traffic using vlans. The problem is i'm unable to communicate cross vlan with my current config, which I have attached to this post. The only noteworthy things in my conifg is that the ip route 0.0.0.0 0.0.0.0 192.168.83.6 is referring to a switch stack they have on site, that I will connect this stack to using the first two trunk ports on each switch, that I do not have here in the lab. I don't want to cause any confusion in why I have things set a certain way.
View 1 Replies
View Related
May 27, 2011
Is there a way to restrict wireless access to my router from wireless pc's in my home. Two grandsons are off from school now, and are playing online games to the wee hours of the morning. Can I do something to have the routher shut off their connection at a certain time? Is that possible. If I have to go back to dd-wrt to do that, fine. I have lynksis wrt54g with their 4.2.1 firmware.
View 5 Replies
View Related
Mar 20, 2011
The following diagram represents my current network.
I would like for the Phone and the Laptop both on wireless to have internet access but not access to the other PCs/shares.
I have access to routing tables in both the cable router 10.0.0.1 and the wireless router
wired : ASUS RX3042H
wireless : Linksys WRT54G (default Firmware)
View 2 Replies
View Related
Mar 28, 2012
Why does my 3750x-12s switch say it's not supported in CNA??? I upgraded to CNA 5.7.1 and still says unsupported. This device is supported or I'm just missing something.I use CNA heavily to manage our MANY vlans.
View 1 Replies
View Related
Mar 4, 2013
I want to confirm this is a licensing issue. On a 3750X with ipbase, I cannot create a vrf. So I would need the universal image, and that is a seperate license, correct?Is there a link that describes the difference bewteen ipbase and univeral images?
View 6 Replies
View Related
May 22, 2013
I have a query regarding attached Network Design
PC---2960---3750(One Routed Port and All Switched Port)------------------------ 3750(One Routed Port and All Switched Port)-----2960------Internet
I have many Vlans on left side of image , Right Side of Image is having internet connection via Modem, and local connectivity between VLAN works fine but Other Vlans Except Vlan1 is able to Access Internet.Note that 3750X did not have NAT Feature ,How should I able to get Internet on Other Vlans (10,20)
View 4 Replies
View Related
Jan 5, 2013
scenario A
A site .
PBX --->
Data ---> other brand router ----> 3750X ---> wan
[Code]....
How to know whether QoS work on the 3750X or not ? Is it correct about the config in scenario A ?
View 2 Replies
View Related
Feb 3, 2013
I have a one question. I am using Cat3750x-48 switch. Suddenly it has occurred following high CPU log message in Cat3750x-48 switch.
%SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization(Total/Intr): 62%/0%, Top 3 processes(Pid/Util): 162/40%, 156/10%, 74/1%
What is meaning of PID 162 ?
View 1 Replies
View Related
Jan 1, 2013
There seems to be a lot of conflicting information on what can and can't stack together in the 3750X range.
I know that LAN Base can only stack with other LAN Base switches.
Can IP Base stack with IP services in 3750X? I have also heard that the 15.x.x IOS restricts mixed feature set stacks?
I know that Cisco recommends that all switches in a stack have the same IOS and feature set but having all IP Services in a stack can get too expensive.
View 6 Replies
View Related
May 7, 2013
I'm trying to review a QoS setup, and I'd like to make sure I fully understand the current setup before I change anything. I'm seeing output drops on two different queue-thresholds, but not sure how packets are making it to one of the queues.
Switch Version
CORE#show ver
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE, RELEASE SOFTWARE (fc1)
System image file is "flash:/c3750e-universalk9-mz.150-2.SE/c3750e-universalk9-mz.150-2.SE.bin"
cisco WS-C3750X-24 (PowerPC405) processor (revision A0) with 262144K bytes of memory.
Switch Ports Model SW Version(code)
I can find queue4-threshold3 in the mappings, but how are packets getting mapped to queue2-threshold1? The priority queue is disabled for this interface, so I'm not sure how this queue is dropping packets, according to the maps nothing is mapped to 02-01.
View 3 Replies
View Related
Mar 21, 2013
I am building a switch stack using 4 48 port 3750X switches that will also have the power stacked. If I install a single 715W power supply in each switch will the stack support 802.3af accross all 48 ports on each switch? My calculations are 48 ports x 15.4W which gives me almost 740W needed which is over hte 715W power supply. I was reading somewhere were it mentioned that in a powerstack additional power can be drawn from the stack. I know this will not work if you are trying to support power on all switches accross all ports but would it if say 2 of the 4 switches are needing to provide PoE accross all 48 ports? If I say we can only use 24 ports per switch for PoE that drops the power need down to 370W which I believe should work. Just trying to get a better understanding of PoE consumption. Would the best solution be to just add a second power supply to each switch?
View 8 Replies
View Related
