dont seem to be able to get policing working inbound on a port 3750X v 15.0(2)
Config is below:
ip access-list extended SMB
permit tcp host 192.168.1.14 host 172.16.1.30
permit tcp host 192.168.1.14 host 172.16.1.31
[Code]....
I want to configure accesslists on my Catalyst 3750X-switches to protect different VLANs/networks. Any best-practices about inbound versus outbound accesslists? In my head it is more readable and easier to understand the config when accesslists are assigned outbound on the VLAN to protect instead of assigning them inbound on all possible source-VLANs. But of course, from a performance point-of-view it is better to use inbound access-lists to avoid un-necessary routing etc.
View 1 Replies View RelatedI have a non-cisco router with a public WAN address. This is conencted to a 3750 switch internally. The switch is the default gateway for all VLANs, and the gateway router has static routes back to the 3750. The Router provides NAT, no NAT is done on the switch.My requirement is to port forward port 29 000 so that I can access a server on VLAN4 via this port.
So, I have: Router: Port 29000 map to 192.168.4.1 (Switch VLAN4 address)
The question is, how do I route port 29000 from the 3750 to the server on 192.168.4.42 ? what exactly I should add in order to port forward port 29000 incoming form my router, to my server on 192.168.4.42.
is it possible to shutdown a specific port on my 3750x and monitor this port at the same time .for example , im dealing with a mac authenticated network using port security , i want to shut down all the ports that are not used at the moment , however , if some one gets connected to the one of the shutdown ports i want to know the mac address of the user or atleast to know that i have someone who is just plugged in to the one of the shutdowned ports .
View 4 Replies View RelatedI'm intending to purchase a switch for work,and I need to limit the bandwidth of one of the ports to 25 Mbit upload and 25 Mbit download (we have 100/100 Mbit connection and the customer is only paying for 25). I been trying to find information on how this could be "properly" done and what kind of switch I need to buy. As far as I have understood, most L2+ switches support outbound rate limiting, but not inbound, and as I only want the customer to have 25 mbit up and down, I need both.
I been looking at a Cisco Catalyst 3560 switch, and I'm first and foremost wondering if I can limit the inbound AND outbound bandwidth on this switch? Perhaps it can even be done on a simpler, cheaper, switch - as I rather not spend more money then necessary?
Lastly, how to do it, limit the inbound and outbound bandwidth on a single port (perhaps on the above mentioned switch, if possible), to 25 Mbit?
What is the point of it? It is not a remote console. If i reboot the switch i cannot get back to the out of band management port unless the switch is fully running. Is this only for security purposees? so all telnet/ssh is from an Out of band network?
View 15 Replies View RelatedAssume I had Catalyst 3560X/3750X with 24 ports. The partnumber is WS-C3560X-24P-LI would like to how is the numbering defined if the switches have a C3KX-NM-10G installed with 4 SFP-GE-L.
View 1 Replies View RelatedI would like to know if it possible to create a policy map in order to redirect the traffic ( 80 , http, 8080) to a proxy.
My current equipment its a 3750X using a IP Service License ,I was reviewing some options but i want to be sure before implement in production.
I want to limit the bandwidth going to remote site on the switch connecting to our netapp.We have a 4 port channel group setup on our 3750x switch going to our netapp storage. We have a Wan 100mb link to our remote site and we want only 60MBs of that link to be used for Netapp traffic all other local traffic needs to use the full amount of the bandwidth to the netapp.
Is possible to allocate bandwidth in this way and how would I go about this? We dont have access to the routers for the link and they plug directly into a port on our cisco.
We purchased a number of 3750X 48 and 24 port switches for the College Campus. Am finally getting around to getting them inserted on the network. Working with a WS-3750X-48PF-S and a WS-3750X-24P-L. Have them stacked with the 10Gb uplink on the 48 port switch. Have not been having fun.In the boot sequence, the switches recognize they are stacked, but as soon as they finish boot, I get the message on the 48 port switch: “Stack Port 1 Switch 1 has changed to state down.” Then “Stack Port 2 Switch1 has changed to state down.” Am noticing that I have a message preceding that: “Major version mismatch with stack neighbor.”The 48 port is running c3750e-universalk9-mz.150-1.SE3, HBOOT 12.2(53r)SE2.The 24 port is running c3750e-unversalk9-mz.122-55.SE3, HBOOT 12.2(53r)SE2Most of our 3750X and older switches are running 122-55 or 122.58 code. IP base or Universal. There is speculation that the problem is the 24 Port is Lan base, as the part number might indicate. (WS-C3750X-24-P-L.... I think that is the part number) and the 48 is IP base. Both switches are Universal, and my understanding is that they don't care about LAN or IP Base until you enable a function that falls in the IP Base domain. Then I have to call Cisco Licensing.For these switches, LAN Base is fine, based on the boot message, I feel the real problem is 122-55 versus 150-1 in the stack. So.. the question is: Do I downgrade the 48 port to match what we have in our environment, and what is on the 24 port switch. Or... Upgrade the 24 port switch to match the 48 port switch and have an installation that is not consistent with our environment? I do have two more edge closets to install with this purchase of 3750X 48 port switches.
View 2 Replies View RelatedWhat I am attempting to achieve is to aggregate trunk ports out of a VMware server into a single logical connection to give as much bandwidth as possible, the switches are 3750X and are three stacked together with the server connections spread across the stack. What I am not sure about is if two port channel load balance protocols can happy co-exist on the switch, by default the switch is using MAC address load balancing and Vmware wants to use IP Source load balancing. As other trunks and channels exist on the switch I don't want to make a change that will affect the other live connections if changing this is a global setting and not local on the channel.
View 2 Replies View RelatedPossible to configure multichassis port-channel between a VSS and 3750X (Port-channel not in the same switch on the 3750X stack). I got it using LACP but I need Pagp to get VSL redundancy “dual-active detection pagp trust channel-group 1”. I am using the last VSS IOS version 15.0(1)SY. I can’t get the option “switch 1 preempt”, has it changed with other option?
View 2 Replies View RelatedI'm trying to get an IP_ADDR set on the management port in SWITCH: mode but for some reason the port seems disabled. PC shows connection unplugged. MGMT_INIT is not a valid command (not listed under '?' ). Bootloader version is 12.2(53R)SE2 FC1.
View 4 Replies View RelatedI need to tear down an existing port-channel on a 3750X running c3750e-universalk9-mz.150-1.SE3.bin. This port channel is currently down down. It has three ports in it that will be added one each to three existing port-channels, I am assuming as long as the "channel-group" command is exactly the same as it is on the three existing port-channels I should be ok just adding the new port. One point to note is that the three existing port-channels all have three ports so this will be adding the fourth port to each port-channel. I know after reading that it is a best practice for load balancing to use either 2, 4, or 8 ports for a port-channel. Also what is the command to see all ports that are in a port channel?
View 1 Replies View RelatedIs it possible to connect 3750X with C3KX-NM-10G to X2 10G port on sup2t in 6500E switch.There is Cisco OneX Converter Module, but I could not find that it is supported on sup2t.
View 2 Replies View RelatedI have two stacks 3750X on two different sites with two links L_2_L, and I want to configure the port channel to aggregate the two links.
Site A Site B
3750X -A1 --------------------------------------( )--------------------------------------- 3750X -B1
( L-2-L )
3750X -A2 --------------------------------------( )--------------------------------------- 3750X -B2
Below the configuration that I have put the two stacks.
site A
interface Port-channel5
description Etherchannel group entre le stack 3750X-A et Switch Lan_2_Lan
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11,12,999
switchport mode trunk
switchport nonegotiate
speed 100
But the problem is only one link is Bundeled in channel group, see below
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
5 Po5(SU) LACP Gi1/0/15(I) Gi2/0/15(P)
Any way of policing traffic on the Nexus 3k platform? I can't find a reference to say policing/shaping is supported.
View 5 Replies View RelatedI have two servers on one subnet that each need to replicate to a single server on another subnet. They also need to replicate to each other. This replication is unidirectional so I will refer to the 2 server subnet as the source subnet and the single server subnet as the destination subnet. In order to keep this replication running without killing the MPLS links on either end, we are trying to use a policy-map that limits bandwidth from the source subnet.The Problem:We have created a policy that polices traffic during specific times of day and limits the bandwidth as prescribed, however, bandwidth is also being limited between the 2 servers on the source subnet which is not needed or desired.Class 512K set dscp ef police 1024000 bps 1024000 byte conform-action transmit exceed-action dropClass Map match-any 512K (id 4) Match access-group name DAGExtended IP access list DAG 10 permit ip host 10.20.0.3 host 10.20.0.10 time-range DAG-REP (active) (22793 matches) 20 permit ip host 10.20.0.4 host 10.20.0.10 time-range DAG-REP (active) (14156 matches)The service policy is applied on the input side of the 2 interfaces on which our devices are connected.As you can see, the access list identifies the interesting traffic as traffic from two specific hosts to one specific host. The problem we are having is that bandwidth is also being throttled between the two source hosts even though it is not defined to do so.What can I do to limit traffic from the two source devices to the single destination device without limiting bandwidth between the two source devices?
View 1 Replies View RelatedI would like to apply policing on a C3750 interface, for all traffic matching 10.0.0.0 / 8, except for sub net 10.0.0.0 / 24. I plan to apply the following configuration, with an ACL that denies 10.0.0.0 / 24 then accept 10.0.0.0 / 8. I am quite sure of the answer but need a confirmation about the following configuration correct ? (10.0.0.0 / 24 will be not blocked, and no policing will be apply on it?)
ip access-list extended TEST
deny tcp 10.0.0.0 0.0.0.255 any eq 5000
permit tcp any 10.0.0.0 0.255.255.255 any eq 5000
[code]....
I have a customer who requires to identify and police traffic on egress on a 3560 trunk link. I cannot use ingress classifications because we do not know what route the traffic will take yet. The egress interface connects to multipoint wireless equipment with 4 different bandwidth point to point links. So the ingress traffic may be routed via any one of 4 point to point wireless links connected to the single egress interface. Am I correct in assuming we cannot mark on the egress direction then put the traffic in a SRR shaped egress queue based on the marking ? So we would only have the option to egress queue based on markings applied or trusted on the inbound direction ? I had thought of some kind of policy map/aggregate policer configuration based on the exit VLAN but it seems we can only apply this type of config inbound. From reading the 3560 configuration guides it seems the 3560 cannot deploy the kind of requirements this customer needs. Perhaps they should have deployed some kind of Metro switch ?
View 1 Replies View RelatedTrying to control capacity utilization for guest users connecting to a 2960 switch. No problem for IPv4 users, but IPv6 is giving me fits. What I've found out by trial and error so far implies that there is just enough IPv6 smarts in a WS-C2960-24TT-L running c2960-lanbasek9-mz.150-1.SE to make it impossible to control IPv6 traffic. Blocking IPv6 would be sufficient short term, but MAC filtering on type 0x86DD does not appear to work either. Here are the results I've gotten so far:
What "works":
* Protocol ipv6 or an IPv6 ACL in a class map.
* Using a class map referencing ipv6 protocol or an ipv6 ACL in a policy map.
* IPv4 inbound filters and policing.
* Blocking of IPv4 traffic by a MAC ACL blocking type 0x0800 (IPv4) - note that the docs explicitly state that MAC filters do NOT filter IP traffic, except for on this box on this release they do.
What does not work:
* Applying a policy map referencing a class map referencing protocol ipv6 or an IPv6 ACL to an interface. The service policy is accepted by the parser, but is not inserted into the running configuration.
* "class-default" in a policy map only matches IPv4 traffic, not all other traffic.
* Blocking of IPv6 traffic by a MAC ACL blocking type 0X86DD. No problem applying the access-group to the interface, it just doesn't do anything.
I am aware that this box is not supposed to support IPv6 other than for multicast, but as implemented, this is a hole an abuser could drive a MAC truck through.
My questions:
Is this situation unique to this particular 2960 switch or SW release (I also tried 12.2(58)SE2) or does it afflict all 2960's running LANbase?
Assuming the answers to the first two question are negative, what is the minimum requirement to get working IPv6 policing in an edge switch?
I am configuring a 3560 to provide internet access for our customers and I need to make sure they don't use more bandwidth than they have contracted for.I see that the 3560 supports the rate-limit command, but was told that I should use traffic shaping and policing along with access lists to manage the bandwidth.Is there a reason that I should avoid using the rate-limit command - it looks much simpler.
View 10 Replies View Relatedi have a VSS core that has 4 downstream links to 4 stacked switches. I connected each of the 4 links to different switch in the switch stack. I then created a port-channel that combines all the links from each switch. Is there any issues associated with this setup?
View 9 Replies View RelatedI have two Cisco 7606 routers using BGP to connect our customers to the internet. Recently we added a new 1G circuit in addition to an existing 1G circuit and all traffic inbound is now on this new 1G circuit. We would like to shift some of the inbound traffic over to the other 7606. Our Tier provider has the same AS number for both paths. One path goes directly to New York and the other goes to Boston then New York.
View 1 Replies View Related6509 - Not working
1 6 Firewall Module
2 8 Intrusion Detection System
3 1 Application Control Engine Module
[Code].....
The Policy applied to the interface is just completely ignoring the configuration.
I am sure it is related to the 6500 architecture in some way. Same config is fine on the switch with the higher version on the sup card.
ON switch 6500 i have configured an interface vlan x and applied policies on inboud and outbound directions as per below: [code] But the problem i am facing is that the policy outbound works ok , but the policy inbound doesnt work at all. specifically it doesnt match anything. [code]
View 1 Replies View RelatedI have 5x Cisco 2960 and 1x Cisco 2960G. All of them are using IOS Version c2960-lanbasek9-mz.122-55.SE6.bin I'm having poor inbound speed with ALL of the Cisco 2960 (except 2960G) although the outbound speed is normal. The port is 100Mbps Full-Duplex, but the max inbound speed on a single connection is around 35Mbps. With the 2960G, I can get max 1Gbps inbound speed on a single connection.
I checked everything and still not know why the 2960 switches can't get max 100Mbps inbound.
I have a VPN on my ASA 5510 between (A)192.168.255.0/24 and (B)172.20.2.0./24. The purpose of the tunnel is to send kerberos tickets from our domian controller on the A side, across to a server at B, and receive a respose. I want to lock down inbound traffic to the A network, but not sure of best method.
I initially tried using an ACL filtering on ports, but soon realised the incoming traffic uses a wide range of ports so this is not really possible.Seeing as the A side will always be initiating the conversation, I was wondering if I could use the 'established' option on the inbound ACL for the ASA at A side, so that it would block any flows that are not initiated by the A side.
How filter inbound routes in Cisco ASA OSPF? Because Cisco ASA has no "distibute-list" command for OSFP process configuration, I try to use "filter-list" command in area definition. So, I try to use next configuration:
R1 (Cisco 3660):
skip
!
router ospf 1
[Code].....
We are using Cisco 3750 switches in our environment as distribution switches.We currently use to police inbound traffic, but we need to find a solution to limit inbound traffic per IP.Something like this “Inbound traffic for each IP can be maximum 1 Mbps” This can be done having, one ACL and one class-map for each IP, but in my situation is not a practical solution, because we have more than 500 IP’s on that site.
Is any way to accomplish this without writing 500 ACLs and 500 class-map?
My management has tasked me to give them a high level overview of the different switching we can choose for our new building.
This is what I know so far.4 Closets, each closet has 450 ports,One MDF room that is will contain one UCS Chassis and a Nimble iSCSI SAN.
I am working on the spreadsheet and it looks like this (Not totally filled):
2960s3560x3750x45064510Approx cost (Each, 48PORT, POE+, 10G uplink, Dual PS, IP BASE)
6K7K8K45K75KMax Capacity192432432192384Backplane speed206464520520ProLeast ExpensiveStackable to 9Stackable to 9ProDual PSDual PSDual PSDual PSDual PSProLayer 3 opt
Layer 3 optDual SupsDual SupsConExpensiveExpensiveConNo Dual PSConLayer 2 OnlyCannot stack more than 4
For the MDF I would like to use 2 Nexus 5548's with FEX's, and the layer 3 daughter board. For the IDF's I was thinking of two 4010's.
i cant find any difference in these two devices when i am trying to compare throughput.I need upgrade our new POP and there will be around 4900 MAC adresses in VLAN 150 and 130 MAC adresses in vlan 200.Uplink is 1 gig routed internet connection and there is 14 downlinks to separate villages.i found a few differences for eg stack interface on 3750x but i dont need it.
View 2 Replies View RelatedI have a stack of 2 x 3750X switches these are running 12.2(55)SE5. I needed to add some static IP routes and found that the ‘ip routing’ command is not supported. I came across a document that stated “On switches running the LAN base feature, static routing on VLANs is supported only with Cisco IOS Release 12.2(58)SE and later.” So I have upgraded to 12.2(58)SE2, but ‘ip routing’ is still not a valid command.
The release notes state:“On the Cisco Catalyst 3560-X and 3750-X Series, it adds support for 16 static IPv4 routes in the LAN Base image.”
I have read other posts that talk about running the ‘sdm prefer routing’ command which I have done, but I am still unable to add any routes or run the ‘ip routing’ command.
