Cisco Switching/Routing :: 5520 Configure Traffic Flow Between Computers Inside VLANs And Routed Port
Jul 7, 2012
How to configure traffic flow between computers inside VLANs and a routed port? Here is the setup details:
1. Switch 3750-X
2. VLAN 100 - ( SVI IP address 192.168.100.1 /24)
3. VLAN 200 - ( SVI IP address 192.168.200.1 /24)
4. routed port gi1/0/48 (IP address 192.168.150.1 /24). Note: this port is directly connected to a firewall ASA 5520 port IP 192.168.150.100 /24
Ip routing is enabled on the switch and inter vlan traffic is flowing ok. I can ping the routed port gi1/0/48 from any computer connected in the VLAN 100 or 200. For example computer with IP 192.168.100.25 can ping the routed port 192.168.150.1. Switch can ping firewall port 192.168.150.100 and the 'sh ip route' command shows the network 192.168.150.0 /24 as directly connected network.
any computer in the two VLANs CANNOT ping firewall ASA port 192.168.150.100 Is it because inter VLAN routing does not work with a routed port on L3 switch? I looked up fallback bridging, but it is meant for non IP traffic.The goal is I am trying to set the ASA port as an internet gateway for VLANs.
View 4 Replies
ADVERTISEMENT
Apr 26, 2013
I want to know if is it possible to configure QoS on a 4500 Sup7 on a Layer 3 routed port like the following example (Similar to CBWFQ on IOS Router)?
View 3 Replies
View Related
Nov 27, 2012
I want to know what is the best way to black traffic inside the same VLAN, this VLAN is a user VLAN, it means that I am talking about access layer.I wanted to use private vlan, but C2960S doesn't support this feature. Any other way to prevent any to any traffic in the user vlan, this vlan only have to speak at the Layer 3.
View 2 Replies
View Related
Feb 9, 2012
We have 20+ VLANs on our main network, we have an offsite connected by metro GIG fiber ethernet. Right now, we have a layer 2 connection to there with the core at the main site as the gateway. We have had problems occationaly with the metro ethernet's spanning tree which then we would see our own network and cause an outage, not only for the offsite, but since the VLAN would see itself (not on our equipment but the metro ethernet carrier's) it would effect the main network as well.
What I was going to do to resolve this was change the connection to a routed network, however I need to still send some VLANs over the routed network (there are some applications that require to be on the same subnet as the server). Is there a way to Map the Vlan 10, and 11 at the main site to a vlan 10, and 11 at the remote site using a routed network? I noticed there is something about bridging, would I bridge the VLAN accross the routed MAN connection? Then would I bridge back the other way as well?
Main site has a 6506E
and offsite has a 3750E
View 3 Replies
View Related
Nov 21, 2011
I'm receiving multicast traffic (400Mbps) on port 9/38 and sending it out on port gi9/48. I'm trying to achieve that traffic will stay within the card without using the switchfabric,
View 2 Replies
View Related
Nov 28, 2012
I want to see net flow data.I have configured this command on the c6500.but I can to see data only below...How can I configration ip cache flow on the C6500? what is the problem?
int gi4/31
ip add x.x.x.x
ip route-cache flow
c6500# show ip cache flow
Displaying software-switched flow entries on the MSFC in Module 5:
[code].....
View 1 Replies
View Related
Nov 27, 2011
We have a pair of 6509 working in a VSS configuration (IOS 12.2(33)SX5). The 6509s connect to a pair of ASAs (7.2 code) running in an Active/Standby setup. These ASAs in turn connect to routers going to remote sites. I have configured Netflow on the following VLANS,
VLAN 10 - Servers Vlan
VLAN 9 - Transit/ASA VLAN (connects ASAs to 6509s). All traffic originating from any VLAN on the 6509 crosses this VLAN in order to reach remote sites and vice versa
I configured the netflow source VLAN 11 although I am not collecing any netflow from it.Although I have been getting lots of Netflow info, I noticed that netflow for traffic originating from any user VLAN on the 6509s going to any remote site via TRANSIT/ASA VLAN(9) does not get reported, I even tested with 4 GB traffic but no result. Only reverse traffic (i.e. from remote site to user VLAN) is reported as it traverses the Transit VLAN (9).
I read somewhere that egress netflow is not supported in 6500, but isnt traffic originating from a user vlan to a remote site via the transit VLAN (9) considered ingress with respect to the transit VLAN (9)? I would like to know whether bidirectional Netflow is supported on 6500 VLANS. I have mimimum control on routers beyond the ASAs, and since these ASAs run 7.2 code netflow is not supported, and Monitoring this Transit Vlan gives me extremely useful info.
I do get netflow biderectional traffic from the Server Vlan 10, but I think it is correlated by the netflow collector from vlans 9 and 10. [code]
View 9 Replies
View Related
Feb 21, 2012
On a router I can use IP Accounting or Netflow to see what kind of traffic is moving over an interface. Are there any tools on a 3750 switch with a routed interface which would tell you who is hogging the bandwidth on that interface?
View 2 Replies
View Related
Feb 16, 2012
I am looking for the way to define an idle timeout for specific flows on an ASA5580 by using Cisco security manager. For ex I needed to define a specific idle timeout for connections beetween specific devices (Devices in vlan1, Device2 in vlan2).To test it I did following changes by CLI and it works fine. access-list L1 extended permit ip <@IP1> <mask1> host <@IP2> class-map CM1 match access-list L1 policy-map PM1 class CM1 set connection timeout idle 02:00:00
I try do do the same configuration with CSM in order to be able to manage each changes only by using CSM.So I defined Access control list, Traffic flow and then I define timeout in CSM --> PIX/ASA/FWSM Platform --> Service Policy Rules --> IPS, QoS and Connections Rules -> connections settings -> Traffic flow idle time-out. The problem is that each time I deploy the configuration with CSM I loose the timeout config line which is the most important for my application..
View 2 Replies
View Related
Feb 13, 2013
I have some questions about how to configure my Cisco 1941 with a routed subnet from my ISP to forward them to 1 or more servers in my LAN.1 Routed subnet /29 from my ISP (over a fiber connection).In my LAN I have (at the moment) 3 servers, and about 15 clients.I would like to use the first ip address from the routed subnet for internet traffic from all the clients in the LAN.I would like to use the second ip address from the routed subnet for server1 so that server1 accept some allowed connections and that server1 connects to the internet with the second ip address from the routed subnet
I would like to use the thirth ip address from the routed subnet for server2 so that server2 accept some allowed connections and that server2 connects to the internet with the thirth ip address from the routed subnet.I would like to use the fourth ip address from the routed subnet for server3 so that server3 accept some allowed connections and that server3 connects to the internet with the fourth ip address from the routed subnet.[code]
View 13 Replies
View Related
Apr 18, 2012
I have a collapsed core design with routed ports between all components. Access layer switches, data center switches, core/aggregation. All routed (no spanning-tree at all).Now...I have to add an IBM BladeCenter with a BNT layer 3 switch to my topology. However, those nasties don't seem to support routed ports.How can I have a routed port on my cisco switch and a standard access port on the BNT and still establish an adjacency with an SVI? I am running OSPF, but I am labbing this in my home lab with 2 x 3550s and EIGRP.
On SW2:
*Mar 1 00:57:00.711: EIGRP: Received HELLO on Vlan100 nbr 10.1.1.1
*Mar 1 00:57:00.711: AS 999, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
*Mar 1 00:57:02.303: EIGRP: Sending UPDATE on Vlan100 nbr 10.1.1.1, retry 9, RTO 5000 tid 0
*Mar 1 00:57:02.303: AS 999, Flags 0x1, Seq 17/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
[code].....
View 10 Replies
View Related
Mar 14, 2012
We are looking for a solution that to use Sub-interface on a routed port on 6509, instead of using a SVI on it.Are there any different when using Sub-interface?
View 3 Replies
View Related
Apr 12, 2013
Actually i have 7600 router and all trafic passes through Gi0/1(Routed port) interface to 6500 series switch. I need to create a vlan on this router eg. vlan 10 Any how it is possible assign a vlan to routed port and traffic of wan interfaces and the vlan traffic passed together.
View 2 Replies
View Related
May 25, 2013
I have made a routed port on 3560G Switch and defined a pool 172.28.4.62 255.255.255.192 and connected to E1 converter RAD (4E1 to 4 FE) the E1 media is through Microwave on the other end same E1 converter is connected through layer 2 switch and defined a pool as of routed port configured in 3560G switch.
The port is generating lot of giants and after a while it also distrubs other routes ( Port1 to Port 16), configured with Vlan11 and port 22 as routed port.I have checked the routed port through wireshark the maximum frame size is 1514 and configured the MTU to 1514, giants are not showing any more but after 10 to 12 hours switch gets hang. Either to shut the port or to reload the switch to get switch and other layer routes to be normal.
I have checked speed and duplex settings same as E1 converter. Full duplex. 100 Speed. Why switch is not behaving normal. If I shutdown the routed port it is normal.
1. interface GigabitEthernet0/22
no switchport
ip address 172.28.4.62 255.255.255.192
flowcontrol receive on
end
[code]....
View 5 Replies
View Related
Nov 15, 2012
What should the duplex mode to be set on a routed port gi0/21 that are running HSRP ? I try setting the gi0/21 to full, but it caused the port to be down. The only way for the port to be up is setting it to half duplex.
Cisco 3750 Switch
==============
interface GigabitEthernet0/21
no switchport
ip address 10.200.104.34 255.255.255.248
[Code].....
View 2 Replies
View Related
Mar 2, 2011
I am setting up a pair of 5520 in A/S mode but the traffic from inside to outside seems blocked somehow.
asa01# sh run : Saved
ASA Version 8.3(1)
host name asa01
enable password LFJ8dTG1HExu/pWQ encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
[code]......
Base on the above configuration, I still cannot ping or HTTP.
View 10 Replies
View Related
Nov 7, 2012
I have an ASA 5510, with Ethernet0 connected to Internet via a T1 line, Ethernet1 connected to LAN1, and Ethernet2 connected to LAN2. LAN1 & LAN2 are independant, but share the Internet connection, via the T1 line. On LAN2, I have another router that connects to the Internet, via a Comcast line. I wish to route some of the traffic on LAN2 (10.38.77.0) to the other Router, on LAN2 (10.38.77.12) (connected to the Comcast line). I have entered the following lines:
route inside2 10.11.0.0 255.255.0.0 10.38.77.12 1
route inside2 10.252.0.0 255.255.0.0 10.38.77.12 1
route inside2 172.22.6.0 255.255.255.0 10.38.77.12 1
I can trace the routes from the ASA 5510 (1st hop is to 10.38.77.12), but not from anything else on LAN2.
View 7 Replies
View Related
Jun 11, 2012
We have an ASA 5520 and it's inside interface is currently plugged into a fast ethernet port on a 3750. I have just bought a 1gig SFP module and have copied the fast ethernet port config to the gigabit port, but the port seems to be flapping
The port conf gi is this:
interface GigabitEthernet1/0/4
description Link to Inside ASA
switchport access vlan 2
switchport trunk encapsulation dot1q
View 1 Replies
View Related
Nov 27, 2011
I am trying to make a basic config on my 5520. The first goal is to make trafic from inside to outside.The internet address is 64.28.29.200 and the default internet gw is 64.28.20.193What am I missing since I can not get trafic from inside to the internet? [code]
View 10 Replies
View Related
Apr 29, 2012
I have a Cisco 3560X 48 port Ip base switch with v lan configured and ip routing. Ports 1 and 2 are in ether channel and routed ports to ASA and have their own network of 192.168.22.49/30. The ASA is configured with the same config for ports 1 and 2. The channel group ip address on the 3560X is 192.168.22.49/30 while the other end of the up link is the ASA and its configured with .50/30.
I have 6 v lans plus the one native v lan. They are all configured with ip addresses. Each V lan should be able to talk to one another other than DMZ v lan which is trunk and routed directly in the ASA. On the switch I can ping the IP address on the ASAs up link .50/30 but I cannot ping the ASA from any host on any of the V lans. My switch config file is posted below. The ASA seems to be able to ping any host in the VL ANS due to static routes that are in place. Why I'm not able to communicate to other v lans or even ping the ASA?
Config for 3560X
L3Switch#sh run
Building configuration...
Current configuration : 8056 bytes
! Last configuration change at 00:45:43 UTC Mon Mar 8 1993
version 15.0
no service pad
[code]....
View 2 Replies
View Related
Apr 6, 2011
I have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network? I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world. I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.
View 2 Replies
View Related
Apr 9, 2013
I have a ASA 5585 and a Nexus 5596, and i need a sugestion to configure this cenário:
My users in the Vlan 10 need access on the network in the Vlan 20, but this traffic must be filtered for firewall. In the firewall a received a trunk port for Nexus 5596, and i created subinterfaces to receive the Vlans for this trunk.
The gateway for my users is the address for the ASA subinterfaces.
What i do to filter the traffic between the Vlans?
View 3 Replies
View Related
Sep 20, 2012
I need to configure my ASA 5520 version 7.3 firewall to translate our SMTP server residing in local LAN to use different IP address from the outside interface which is used by all other computers to access Internet.
Under NAT section, i have NATted this internal SMTP server with different IP address(eg x.x.x.1) and also translated the remaining IP addresses in the LAN to the outside interface(eg x.x.x.2)
my problem is, Whenever i check the header for message coming from the smtp server it shows that, the SMTP server is also translated by using the same outside interface public ip address(i.e x.x.x.2) which is used by other client machine to access internet instead of the x.x.x.1.
how i can get my SMTP server to use separate IP and avoid to be blacklisted by some domain.
View 3 Replies
View Related
Mar 21, 2012
I am desperate to make some kind of translation which convert an outside IP Address of our web server to its inside ip address so that requests can be routed internally to the server.
This is what we have: A wireless network with an SSID to serve visitors. We also have an in-house web server which can be accessed internally and externally. We have a ASA 5520 that protects the internal network, including the Web server, and also routes all traffic from the all visitors connected to the public SSID to the outside. The DHCP server for the wireless network for visitors is configured to give the 8.8.8.8 as dns server. The problem with that is that the www.ourwebserver.com is resolved by Google's dns server to the public IP Address of our web server! The traffic then is sent to the outside interface of the ASA 5520. The visitor who wants to access our web server cannot connect!
How can I configure the ASA to route that traffic to our web server with the public ip address to the inside ip address of the web server?
View 2 Replies
View Related
Jan 23, 2012
Currently, we have a Cisco router (28xx), ASA 5520, and a core switch 4500. We have different vlans. We also have Auto QoS running for our Cisco IP Phones.My manager just asked me to see if I can either reserve some certain bandwidth for one vlan, or give that vlan higher priority on internet traffic than the others.
1.) Anyway we can reserve some more bandwidth for one vlan than other vlans?
2.) If #1 cannot be done, how can we provide higher priority on the internet traffic to one vlan than the others?
3.) Is #1 or #2 the same config? If not, which one would be easier (without changing our current QoS settings)?
4.) If 1 or 2 can be done, which device I should config the settings on?
5.) This question may be duplicate, but do we need to reset our current QoS to achieve the goal?
View 6 Replies
View Related
Jul 4, 2012
upgrading our small office network. We currently have about 75 employees with probably 125 devices on the network. I'd like to create about 10 vlans for the different departments and then configure intervlan routing as needed. Currently we have all unmanaged switches and it's just a huge broadcast storm on the network. We are upgrading our Cisco 800 router to an ASA5505 sec. Plus license. I need some recommendations on switches. Of course, this needs to be done as cheap as possible.... Is there a way to use the ASA to configure all the vlans and intervlan routing and access lists and use a cheaper switch to provide the access layer to hosts?
View 4 Replies
View Related
May 30, 2012
I have a device which will be sending voice and data packets and is able to mark the packets with DSCP values. Voice, 18 and Data 42.If this was a straight through network, I'd be clear on how to handle this, but.....I will be putting this traffic into a VLAN to isolate it from some other traffic on the network. What is the best way to prioritize this traffic inside the VLAN? Will the Cisco switch look at and respect the DSCP values inside the VLAN and prioritize accordingly inside the VLAN? Or, do I need to do some sort of DSCP to 802.1p mapping? Another option I would be fine with would be mapping the DSCP values for voice and data to two different VLANs and then giving the voice VLAN priority over the data VLAN .... I'm using 3750E switches.
View 7 Replies
View Related
Nov 24, 2012
We already have a subnet defined to inside interface and is in produciton. the default gateway is this interface ip. In that setup now I have to add one more subnet and as the first subnet is been defined in ASA indside interface, I have to assign secondary Ip to the inside interface so that new subnet users can easily reach here and go outside.
View 1 Replies
View Related
Sep 21, 2011
make a couple of SF300 switches to work properly with a C2960S-48TS-L that acts as core switch/basic router. I can't seem to figure out how to assign VLANs correctly in trunk and access mode on the SF300. The 2960S are a no brainer with IOS commands but the webgui in the SF300 is a pain.
I've configured the 2960S with 3 VLANs and I would like to have the SF300 switches connect to the C2960S-48TS-L through VLAN trunk and then configure the ports on the SF300 switches to belong to the assigned VLANs of my choosing. I would also like to have all the SF300 switches management interface in VLAN 50.
I've partially described the enviroment below.
VLANs
Data VLAN 10: 192.168.10.0
Management VLAN 50: 10.20.30.0
Voice VLAN 100: 10.10.10.0
[Code].....
View 5 Replies
View Related
Aug 3, 2012
I have a Cisco C3560CG which is running C3560c405ex-UNIVERSALK9-M), Version 12.2(55)EX2.The switch has vlan 1 and vlan 50 configured, vlan 50 should have access to a limited number of host in vlan 1.The following acl has been applied on the inbound to vlan 50:
10 permit tcp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq 137 138 139 445
20 permit udp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq netbios-ns netbios-dgm netbios-ss 445
25 permit icmp 10.16.30.0 0.0.0.255 host 192.168.1.243
26 permit ip 10.16.30.0 0.0.0.255 host 10.16.30.254
30 permit ip 10.16.30.0 0.0.0.255 host 192.168.15.254
[code]....
I sure the above would work, but for some reason some of the packet counter are not incrementing but the traffic is being blocked. But I would like to see the counter increment.Also I have that I may beed to use VACL wouls this be the case?
View 26 Replies
View Related
Oct 3, 2012
I have an ASA 5520 Cisco Adaptive Security Appliance Software Version 8.4(2)8 Device Manager Version 6.4(5)206. I am trying to add a nat for outside x.x.x.77 port going inside x.x.x.22 port 80 . the wan interface is .74 with subnet of 255.255.255.248 the rule will add but traffic wont pass in.
View 14 Replies
View Related
Mar 5, 2013
I have problem with IPV6 connectivity, i have two Cisco 3550 switch and they are connected over a trunk link. The ios is c3550- ipservicesk9-mz. 122- 44.SE6 , I have configured vlans on both switches and i numbered one vlan to vlan 91 ,they can ping each other when i configure ipv4 on both vlans so trunk link is functional, but when i m using IPV6 they can't ping each other!! they can only ping their own ip address not each other. [code]
View 11 Replies
View Related
Oct 16, 2011
I have a asa 5520 with an outside and backup interface. I am trying to configure two static nat statements from the inside to the outside and backup interface. Here is what I have configured so far.
object network obj-10.1.1.254
host 10.1.1.254
object network obj-10.1.1.254
nat (inside,outside) static 172.25.10.3
I want to also use nat (inside,backup) static 172.25.10.3
View 3 Replies
View Related
