Cisco Switching/Routing :: 4503 Blocking Usage Of Duplicate Default Gateway IP By Rogue Attacker
May 16, 2012
We had a core switch (4503), distribution switches and access in our network and consists of many vlans. Almost all vlans uses DHCP Pools. But for few vlans DHCP is not yet configured. Recently one of the rogue user in vlan 1 gave the corresponding interface vlan ip of core switch (gateway) as his ip and caused a prolonged network outage for the vlan. Any way we are going to seggregate vlan 1 into different vlans, but before that we need a temporary plan to block such kinds of attack.What are the possible ways we can avoid the network outage problem even if a user gave the gateway ip to the machine?
View 3 Replies
ADVERTISEMENT
Nov 7, 2011
We have a gateway on a 4503, say on port 2/1, and we only want the other devices that are plugged into the 4503 to be able to talk to the gateway and thats it. The other devices are Motorola TUT DSL devices and they plug into the 4503 directly.
Normally "switchport protected" would make this very easy to keep stuff on one port from talking to other ports but with 4500's you are not able to do that command. So we implemented a MAC Access-List Extended ACL. Here is what we did
mac access-list extended BLAH
permit #host 0000.XXXX.YYYY any
interface range fa 2/5 - 20
mac access-group BLAH out
The MAC address 0000.XXXX.YYYY is the MAC address of the gateway that is plugged into Fa2/1 and the DSL TUT devices are plugged into ports Fa2/5-20. We would think that this config would only allow devices on the TUT DSL to talk only to the Gateway but we don't really think this is happening. The TUT devices are learning about MAC addresses that are on other TUT devices.
View 1 Replies
View Related
Oct 18, 2012
imagine I want to make VLAN200 workstations communicate like the show in the attachment. What would be the default gateway to be configured in the workstation? If I configure 192.168.1.1 as the default gateway (R1 interface fa0/0) is this right?That could be possible because the switch should be configured with command "ip default-gateway 192.168.1.1"?
View 4 Replies
View Related
Mar 6, 2012
I have two ISPs. Each is on it's own subnet connected to the 6509 MSFC/Switch. FW1 is on 100.1.100.0/30 and FW2 is on 200.1.200.0/30 subnet. My goal is route all traffice going to the Internet from subnet 10.133.3.0/24 to FW1 and all other subnets across the organization to FW2. I am not sure if I need to use ACL / Static route combo, or just a static routes or ACLS?
View 5 Replies
View Related
Feb 25, 2013
We have two catalyst 3560 switches running c3560-ipbasek9-mz.122-58.SE2.bin They are connected using etherchannel using gi 0/21 - 24 interfaces.
on 3560-1 switch, there isn't any ip-default gateway or ip route configured. It only have 1 interface vlan configured.
on 3560-2 switch, there is ip default gateway configured along with 1 interface vlan.
What i dont understand here is that, i can reach out to other subnets from 3560-1 switch in which the routing is not enabled?
View 4 Replies
View Related
May 3, 2012
This would probably sound like a stupid question but it took at least 2 hours of my time so far. I have a 3750 switch where a router and a server is connected. From the switch I can ping the router and server with no issue (directely connected). But from the server I am not able to ping the router. The router and the server are in the same subnet. The router is configured as the default router for the server. I am not able to ping the server from the router either. Here's the output of the ip route from the router. The server IP address is 10.1.200.21 and the router IP address is 10.10.200.1
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C 10.1.30.0/24 is directly connected, FastEthernet0/0.30
C 10.1.20.0/24 is directly connected, FastEthernet0/0.20
[Code].....
View 14 Replies
View Related
Jan 24, 2013
I have a Cisco 2960 ( WS-C2960-8TC-S) running 12.2(46)SE C2960-LANLITEK9-M image.I would like to set an ip route 0.0.0.0 0.0.0.0 87.101.156.97 but the current image does not allow.Will ip default-gateway 87.101.156.97 work or do I need ip routing ?The ISP has provided a /30 address and we are using an additional /29 for our network devices. I dont think this image can be upgraded. I need to forward routes directly out to ISP. [code]
View 5 Replies
View Related
Apr 10, 2013
I have a bit of a mystery on my hands. I had a whole campus of Cisco 3750's cache a new default gateway. Example
Cisco3750#sh ip redirects Default gateway is 10.10.10.1
Host Gateway Last Use Total Uses Interface172.16.0.5 10.10.101.179 0:00 185749 Vlan1172.16.0.76 10.10.101.179 0:01 47254 Vlan1192.168.0.154 10.10.101.179 0:00 183090 Vlan1
My question is what generates a IP Redirect packet or how does the switch know what to change the gateway to? As in my case the changed gateway was a dead IP address. So I am at lose how this happened. I this case the Host IP's are network management servers conducting polling.
View 3 Replies
View Related
Aug 9, 2012
I have a 3500 XL switch with the following default gate IP address that i need to clear from the switch but not quite shore how to remove it.
I've removed the customer original Ip for security reason as this is an open discussion forum and just replaced with 1.1.1.1
switch#show ru
Building configuration...
Current configuration:
!
[Code].....
View 2 Replies
View Related
Oct 15, 2012
I have created two vlans, vlan 1 data and vlan 200 voice. the issue is that when an on one vlan i cannot ping the default gateway of the othe vlan from my PC. An using sge 2010p switches.
below is my configuration
p route 0.0.0.0 0.0.0.0 192.168.0.1
ip dhcp relay address 192.168.0.100
ip dhcp relay enable
ip dhcp information option
interface vlan 1
ip dhcp relay enable(code )
View 3 Replies
View Related
Feb 12, 2012
I'm trying to configure an IPSEC VPN + tunnel for multicast data. When the default gateway is set on the router (1841) it works fine but if I only set a route to the IPSEC peer via our gateway then the tunnel fails to come up. The end point is to a 3rd party. [code]
I found that if I add a static route for the tunnel destination via fa0/0, the public facing interface, the tunnel comes up..ip route 10.23.4.2 255. 255. 255. 255 FastEthernet0/0
and I can then ping the tunnel IP at the far end - 10.23.0.5.Why would that be? Is there a better way to do this without using a default route??
View 4 Replies
View Related
Jul 25, 2012
I have a design hurdle that I cannot seem to cross. I have two sites and I need the same VLAN to span both sites. I have accomplished this using L2TP but my issue is that I can no longer assign a gateway for this VLAN on the router. The 2 routers are 2821's and are connected with a dedicated fiber run.
Ant recommendation for how this could be accomplished? It would be great if I could have the same gateway at both sites by leveraging some sort of bridged interface (BVI so I've heard) but I am at a loss as to where I should start with this. Also, this is not the only VLAN that needs to traverse the link.
View 2 Replies
View Related
Sep 19, 2012
Recently we observed that newly installed WS-C3560CG-8PC access switches are able to communicate without a default route or default gateway.The 3650 switches are used as a layer2 access switch behind a layer3 distribution/core. They have only the management VLAN configured for IP with a single address.
The ARP table looks like there is an implicit proxy-ARP request sent for any IP address.
We definitely have no configuration whatsoever which would explain this.
Is this a new feature? We don't observe that with the older 2960-series...
Here is a brief trace of what's happening (debug arp):
host41#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Sep 20 14:44:06.706: IP ARP: sent req src 10.1.8.41 1833.9dc9.wxyz,
dst 1.1.1.1 0000.0000.0000 Vlan1
Sep 20 14:44:06.711: IP ARP: rcvd rep src 1.1.1.1 2c54.2dd3.wxyz, dst 10.1.8.41 Vlan1..
[code]....
The mac address if of course the mac address of the layer 3 interfaces of the distribution switch, no surprise here (proxy ARP is turned on by default).
Why is the 3560 sending out proxy arp requests without being told to? As far as I understood proxy ARP on Cisco IOS it only means it will reply to a proxy ARP request but will not send out proxy ARP requests by default.
View 3 Replies
View Related
Apr 1, 2013
Using Network Assistant in XP, plugged ethernet cable to first front port and keep getting "Failed to get Default Gateway. Check your security settings to make sure the current Java Virtual Machine is not prevented from running commands.", I have tried reducing secruity to nothing but I still get the same problem.
I also have an official cisco console cable and tried that, but Hyperterminal just does not pick it up when plugged in. I have left the IP dynamic, turned off all netowork adapters apart from ethernet, set the baud rate etc... correctly, still no joy.
View 5 Replies
View Related
Oct 26, 2011
We have a Cisco Catalyst 4506 running: "Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9K91S-M), Version 12.2(25)EWA14, RELEASE SOFTWARE (fc1)" I have configured the default gateway as: ip default-gateway X.Y.116.65, However, when I do, "show ip route", it only shows the 3 connected networks and states "Gateway of last resort is not set". The Command "ip classless" is not set. I read on some blogs that this might explain the issue. However, when I go into config mode (config t), I get the following output.
View 9 Replies
View Related
Apr 11, 2012
I have a 3560G and an ASA FW, for which I am trying to use PBR to append the next hop. The gateway is the switch VLAN address and the amended net hop is the same VLAN interface on the ASA. Trouble is, I can ping the FW from a client, but not the switch. If I remove the route map, I can ping both. Even more strange is this is the case for some VLANs, but not all!
Config:
HOST ON VLAN 96
IP 10.11.120.99
S/M 255.255.255.240
[Code].....
View 2 Replies
View Related
Aug 25, 2012
I had setup a lan infrastructure with 5 3750 stack swithes. In these 3 of them are in one stack which is acting as access switch, 2 of them in another stack which is as core switch where all the SVI is configured. Now, when i tried to ping from our edge pc which is connected in access switch to default gaeway, which is configured in core switch, the ICMP is getting delayed . But when try to ping from the same edge pc to another user PC, it is getting less tahn 1 millisecond icmp replies.
why icmp is delaying to default gateway , but working with another edge to edge pcs without any delays?
View 1 Replies
View Related
May 21, 2012
We have two MPLS circuits managed by two different suppliers, one carries VOICE the other DATAWe are to decommision the VOICE MPLS and have increased the bandwith of the DATA MPLS to carry VoIP traffic too.
At both of our sites A & B ,devices connected to the LAN have a default gateway of the VOICE providers Cisco 2600 router , which then goes into the LAN switching. (see diagram)So what I am trying to achieve is toto simply replace these 2600 routers from the VOICE MPLS provider with our own so we dont have to change the default gateways at both sites.
Testing
Our Cisco 2600 routes are plugged into each LAN switching environment with two subinterfaces configured, one for voip and the other for dataThe problem is from the router and respective subinterfaces we can get to the other sites destination without any issue, but if for example a user is at site A with Ip address 10.16.11.12/16 they cant ping the VOIP subnet at site B 10.3.11.0/24. But If a ping is issue from the Site A test router then the 10.3.11.0/24 subnet is reachable but only on the 10.3.12.0/24 configured subinterface.So i guess what Im saying is 10.16.0.0/16 from the LAN needs to be able to get to 10.3.11.0/24Note at site A 10.16.0.0/16 & 10.3.12.0/24 can communicate no problem and at site B 10.207.0.0/16 & 10.3.11.0/24 can communicate no problem.We are using IP routing, should we be using route-maps?
View 15 Replies
View Related
Mar 5, 2013
We have a 6509 series of core switches and 3750 series of L2 switches, There is no default gateway or any static routes to any IP.VLAN 1 is made admin down and another vlan is used for all communication here in this environment
Attached is configuration for reference But still I am able to take telnet or SSH. I want to know how telnet or SSH or tacacs authentication happens without any static or default route.
View 4 Replies
View Related
Sep 10, 2012
i am facing a problem when the client vlan is commmunicating with the default gateway on the core 3750-x.
ios in 3750-x core is 3750e-universalk9-mz.150-2.SE.bin. But, client to client communication is happening without any dealy and icmp is less than 1 ms always.
When try to ping default gateway of client vlan, it is getting delayed (variable icmp delays). Is this an ios bug?
View 2 Replies
View Related
Aug 14, 2012
4500 switch is connected to 2960 switch.
4500 config
Vlan 10
name Data
It has ip helper configured that points to DHCP.From 4500 switch port - port x connects to 2960 port.Port x is configured as trunk between 4500 and 2960.
2960 config
vlan 10
name data
All user ports are configured under vlan 10 and as access ports.Port x is trunk port connected frpm 2960 to 4500 switch allowing vlan 1 and 10 only.This switch has no default gateway configured.
We connected user PC on 2960 switchports and they were able to get the IP from DHCP server and were able to access the network? My question is how users on 2960 switch are able to access the network without ip default-gateway configured on 2960 switch?
View 6 Replies
View Related
Jan 18, 2012
There is some way to increase the speed of changing the interface state from DOWN to UP when the cable is connected. I need to configure a port of Cisco 4503 in a way that when a cable is connected the port goes immediatly UP.
A solution can be to keep Cisco interface always UP and I remember that with "no keepalive" command to the interface configuration it was possible. But I tried and nothing happens.
View 12 Replies
View Related
Sep 16, 2012
I need to implement over an ethernet link L2 tunnel because I want to isolate another VLANs domain.On the first side I can use the command : sw mo dot1q-tunnel on a new C4503 on the other side I cannot configure the command : sw mo dot1q-tunnel.
the other side is an old C4503 we upgrade the flash with a compact flash to upgrade to a new IOS v15 but the command doesn't exist also.I red the cisco feature navigator feature and I am sure the dot1Q-tunnel is available on my image : cat4500-ipbasek9-mz.150-2.SG.binso I don't know why I can use it.
View 1 Replies
View Related
Mar 4, 2012
i'm performing configuration PBR on catalyst 4503, but it doesn't work. [code]
View 21 Replies
View Related
Feb 9, 2013
We have microsoft servers and other application servers (around 12 in nos) which should have gig connections to the access switch. In turn this access switch will be connected to our distribution switch 4503. Which model of access switch best fits from the below 3 models. It should be cost effective as well.
WS-C2960 S-24PS-L
WS-C2960-24TS-L
WS-C3560G-24TS-S
View 8 Replies
View Related
Feb 23, 2011
I was about to portforward to be able to make an minecraft server. but i can't connect to the default gateway 192.168.1.1 so for the moment i use hamachi but i would wannt to portforward it to make it easier for others to join.
View 3 Replies
View Related
Jan 11, 2012
I am installing a connection between Brocade MLX and Cisco 4503 using SE and SVI's. Below is the config for each. Am I missing anything like MTU Ignore or something along that nature?
*** Cisco 4503 (v15.01) Config ***
VLAN 35
name EOC_Gi1/2
[Code].....
View 3 Replies
View Related
Sep 2, 2012
I am trying to connect a 6509 switch to a 4503-E switch using single mode dark fiber over a distance of less than half a mile. Although a routine task, it does not work..We have a care 6509 switch where we concentrate all of our dark fiber connections for our remote sites. The 6509 switch already has 30 remote sites, most of them with 4503-E switches, connected in this way therefore it is a tested scenario. For the connections we use the GLC-LH-SM SFPs on both switches. Out of these 30 sites we had a similar problem with two of them, which we solved with the use of CWDM SFPs. With the CWDMs the fiber came up right away. However, I cannot keep using this solution because it is way too expensive! I had the losses of the fiber measured end-to-end and they are negligible (>0.5 dB).
In this latest case, like I said, we could not bring the connection up between the core 6509 switch and the 4503-E switch using the GLC-LH-SM SFPs. I then replaced the 4503-E switch with a 3560 and the link came up! Then I tried using a CWDM-SFP in the 4503-E, while keeping the GLC-LH-SM SFP in the 6509 and the link came alive again! Of course we already tried replacing the fiber patch cords with no luck. [code] I find it very weird for the link to work with the 3560 or with a CWDM in the 4503 but NOT with the SFP in the 4503!
View 6 Replies
View Related
Jul 8, 2012
I have a 4503 switch (in L2 mode) running 12.1 hooked into a C2950 running 12.1, using regular 4 pair Cat5e cables to connect between them. The 4503 has Gigabit port 2/1 trunking to the 2950's Fa port 0/13.
When I set the duplex mode to DUPLEX FULL and SPEED to SPEED 100 on both switches (for their trunk ports) the link fails, and my 4503 loses connectivity (since it gets it from the 2950).
Here is my config from the switches (per description):
The 4503:
interface GigabitEthernet2/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,100-140
[Code].....
Note, this is the only mode that works (which seems to work fine, but I get TERRIBLE throughput for anything that goes over the 2950.
View 5 Replies
View Related
Jan 9, 2012
Currently we have cisco 4503 switch in one of our location without redundancy which servers below,
300 user (desktop & ip phones)
5 vlans
15 access switches are connected
one L3 connectivity.
Actually i want to understand is it really necessary to have 4503 or we can go for 4900 series as we are planning to have redundancy in distribution segment.
Which is the best L3 switch in the above scenario and how to measure the overall performance of the current 4503 switch...
View 4 Replies
View Related
May 18, 2013
After deleting configuration with „write erase“ and reloading, our Cisco Catalyst 4503 with version cat4500e-universal.SPA.03.02.00.XO.150-2.XO.bin, and licence ipbase, doesn't recognize any command regarding SSH. We tried configuring SSH key with „crypto key generate“, but that command is not recognized either.
View 1 Replies
View Related
Sep 13, 2011
We have Cisco 4503-E switch and software version is cat4500e-universal.SPA.03.01.01.SG.150-1.xo1.bin. Now i have uploaded cat4500e-universal.SPA.03.02.01.SG.150-2.SG1.bin IOS-XE software in the switch and want to boot the switch from this image.
View 17 Replies
View Related
Nov 30, 2011
I need a 10G support on 4503 chassi with SUP II plus TS.Is any of the 10G line cards i.e. 4712 or 4606 supported on SUP II plus TS on 4503?
View 4 Replies
View Related
