Cisco Switching/Routing :: 5548 Prevent VLAN From Internet Access

May 9, 2012

At the core of my network I have two Nexus 5548's with the routing/L3 daughter installed. They have a default route that points to my ASA 5520 for Internet access. I have configured a VLAN that I do not want to have access to the Internet. What is the best way of preventing this access?  ACL on the Nexus or Firewall rules on the ASA?

View 1 Replies



Cisco Switching/Routing :: SG 300-28 How To Prevent Inter VLAN Routing

Mar 18, 2013

I have a SG 300-28 switch with the latest firmware installed running in Layer 3 mode.
 
I configured this router with 4 VLANs where VLAN 1 is connected to the network router. All VLANs can all communicate with one another. How do I go about configuring VLANs so that they can only communicate with the router and the internet and not each other?

View 1 Replies View Related

Cisco Switching/Routing :: C2960S / Prevent Traffic Per Port Or Inside VLan

Nov 27, 2012

I want to know what is the best way to block traffic inside the same VLAN. This VLAN is a user VLAN, which means that I am talking about the access layer. I wanted to use private VLANs, but the C2960S doesn't support this feature. Is there any other way to prevent any-to-any traffic in the user VLAN? This VLAN only has to speak at Layer 3.

View 2 Replies View Related

Cisco Switching/Routing :: 2232 / 5548 Configuring With VLAN

May 15, 2013

I have a 2232 dual homed to 2 5548's via a port-channel/ vpc. I have one 5548A and configure the port for the 2232 with a vlan, plug into that port and it doesn't come up (inactive). I go to 5548b (Primary) and configure the port and it comes up.

View 3 Replies View Related

Cisco Switching/Routing :: 5548 Unable To Communicate With TSM Server That Is On Same VLAN

Apr 6, 2012

I have a Nexus 5548 installed (layer 2 device only) with several 10G ports supporting IBM P770 systems and a TSM (Tivoli Storage Manager) system on a single VLAN. All of the Nexus 5548 ports are configured for jumbo frames. I was asked to install a new server on the same VLAN as the others but as a 1G port without jumbo frames to allow communications with the TSM server. I'm assuming that the 1G port for this new server without jumbo frames configured on the Nexus 5548 will not be unable to communicate with the TSM server that is on the same VLAN with its Nexus 5548 10G port configured using jumbo frames.

View 5 Replies View Related

Cisco Switching/Routing :: Configuring Nexus 5548 Pair For VLAN?

Mar 18, 2012

I currently have two Nexus 5548UP switches in my environment running the latest code (n5000-uk9.5.1.3.N1.1a.bin).  Both of these switches are connected via a VPC Peer Link (two ports on each switch in an Ether Channel) and a VPC-Keep Alive Link (a dedicated port).  Hosts connect to each switch via a VPC for both IPV4 and FCOE.
  
As of right now, everything works.  I currently have a stack of two 3750 switches that each Nexus is connected to.  This stack is doing all the Intra-VLAN Layer 3 Routing for the Nexus Switches.  However, I plan to get rid of the 3750s, and move the Layer 3 Routing to the Nexus 5548's, so the backplane is 10 Gig instead of 1 Gig.  I have the Layer 3 Daughter Card installed in both switches, as well as the LAN_BASE license.
  
So, at the moment, I am trying to find the best way to accomplish Layer 3 Routing on these two switches. Since the Nexus switches are not stacked, and the FCOE portion of HA is taken care of by the Multipathing agent on each host, I believe I am just concerned with providing Intra-VLAN routing in an HA build where if one switch goes down, VLANs still route through the other switch.

Again, since the Nexus switches are not stacked, I am guessing the best way to handle this is with HSRP, but my experience with that has always been with routers that have a switch in the middle.  Can I make HSRP work without having a switch between the Nexus switches?  Can I track the VPC peer link, or how do I do it?  I guess I am looking for a sample config.
 
Let's pretend I had two VLANs:
 
VLAN 20: 
10.20.20.254 - GW and 10.20.20.0/24 
VLAN 40 
10.40.40.254 - GW and 10.40.40.0/24
  
And I wanted the Nexus switches to route these VLANs regardless of which switch was up / down.

View 3 Replies View Related

Cisco Switching/Routing :: Nexus 5548 Snmp-write Of Vlan Doesn't Work

Feb 22, 2012

I am trying to configure static switchports on our Nexus 5548 (nx-os 5.1(3)N1(1)) over SNMP. The support-list url... states that the CISCO-VLAN-MEMBERSHIP-MIB is supported. I can read the information, but if I try to set vmVlan or vmVlanType I get the message: "SET failed. ("ip-address"). Information: Not Writable." I can use set_request in general (e.g. CISCO-CONFIG-COPY-MIB). How to set the vlan and vlan-type over SNMP?

View 3 Replies View Related

Cisco Switching/Routing :: 5548 Add Access List To Both Switches Not In Config Sync Mode

Mar 21, 2012

I have two 5548's in sync mode: I have an existing ACL and I want to add a new line to it, but after I do and try to commit it states the verify failed. [code]

I have to add access list to both switches not in config sync mode.

View 1 Replies View Related

Cisco Switching/Routing :: 1841 Vlan 5 Cannot Access Internet

Oct 31, 2012

I have an 1841 router with 2 interfaces. I do routing between VLANs by subinterface on the router and a trunk on the switch, but VLAN 5 cannot access the internet.

View 3 Replies View Related

Cisco Switching/Routing :: SG-300 Vlan Unable To Access Internet

Apr 1, 2013

I am using a Cisco SG-300 28 port switch in layer 3 mode as my default gateway for all my devices. I have two vlans on the switch, vlan 1 and vlan 4. Both are pulling valid IP addresses in their scope from the DHCP server, and both have valid DNS settings. I set a static route to the Internet on the switch to our firewall (192.168.5.254). All devices connected to vlan 1 are able to access the Internet, however all devices connected to vlan 4 cannot get past the switch. A tracert from one of these devices shows it hits the switch as the gateway, but gets no further. [code]

View 4 Replies View Related

Cisco Switching/Routing :: 2960 No Internet Access From VLAN

Feb 6, 2012

I have a 2960-S running the latest software for testing on my bench:

[code]
Switch Ports Model              SW Version            SW Image                
------ ----- -----              ----------            ----------              
*    1 24    WS-C2960-24-S      15.0(1)SE2            C2960-LANLITEK9-M  
[/code]

I have set up VLAN 2 on 192.168.2.0/24 with the switch as the DHCP server.  The switch is connected to an RV082 router which is at 192.168.1.65/27.  Once I figure out what I'm doing I'll eventually shift that to 192.168.1.0/24 or something similar.  So I have my switch acting as the DHCP server for VLAN 2 but I can't figure out how to get it to access the internet.
 
I found this example to set up the DHCP server:
[code]
###################################
this works to get vlan 2 to serve ips
conf t

[Code].....
 
The RV082 doesn't support trunks AFAIK and I'm pretty much a newb at this stuff.  TIA.  I guess I should get a real router and I most likely will but I'd like to get this working if possible before taking the next plunge.

View 7 Replies View Related

Cisco :: Prevent VLAN Change On Port?

Apr 26, 2012

I often have to change switch ports to different VLANs. Regardless of whether I find the ports myself or if someone tells me what the ports are, I'll always perform additional verification steps to make sure that the port I'm changing doesn't connect to a switch, a router, a server, or something else that's equally important. But mistakes happen, and I have accidentally changed the wrong port to a different VLAN, thereby disconnecting the end node.

Is there a way to configure a port so that it will not allow you to change its VLAN (or make any configuration changes to it)? I'm imagining a command that when applied to a port would not allow you to make config changes to the port until you remove that command from that port, at which point you'll be able to change its VLAN, shut it, etc. If there isn't such capability, what strategy do you use to minimize the possibility of accidentally changing trunks, routed ports, or important access ports to different VLANs (other than labeling and verifying)?

View 1 Replies View Related

Cisco Switching/Routing :: 2960 Way To Prevent Network From MACflap

Feb 1, 2013

I just need to know: is there any way to protect the network from MAC flaps? The best way would be for the switch to disable the interface where the MAC flap was detected. I need to set this security feature on 2960s.

View 7 Replies View Related

Cisco Switching/Routing :: Prevent 224 Multicast From Hitting Switchports?

Apr 15, 2012

We have a couple of switches with a L3 Vlan 238 interface which runs PIM SM and OSPF, and HSRP. We have connected to this same segment telemetry processors which have raw socket interfaces configured, which means they pick up all IP packets which hit the interface and forward them along. So we don't want the processor to receive any of the 224.x.x.x switch housekeeping traffic. Is there any way to prevent that?

View 1 Replies View Related

TP-Link ADSL2+ Wireless :: TD-W8968 / Firewall Rules To Prevent Internet Access / Hacks

Mar 23, 2013

Region : Others
Model : TD-W8968
Hardware Version : V1
Firmware Version : 0.6.0 1.1 v0005.0 Build 120926 Rel.27100n
ISP : Telkom

I haven't played with network and firewall configs for a number of years now, but I want to configure my new TD-W8968 to block all unsolicited internet traffic/hacks.

View 1 Replies View Related

Cisco Switching/Routing :: 4500 How To Prevent Users With Static IP To Connect Network

May 14, 2012

Is it possible to prevent users with static IPs from connecting to the network? We use Cisco 4500 series switches as access and distribution switches. Are there any features on the switches that fit my request?

View 3 Replies View Related

Cisco Switching/Routing :: Nexus 5548 ARP Request

Feb 7, 2012

I have a Nexus 5548UP, version 5.0(3)N2(2b), with a flat configured network. The customer has put several IP subnets on one VLAN. In one subnet is a Siemens SPS which connects to a server. This SPS is not reachable since I send a ping from the N5k, then everything works fine. Sniffing that port, no ARP requests from the N5k are captured. That happens with every device (Siemens SPS) in the network. All other clients and servers are working fine and there are no problems.

View 1 Replies View Related

Cisco Switching/Routing :: How To Get DCNM To Discover 5548

Feb 21, 2012

I am trying to get our DCNM to discover the 5548. When I put in my credentials for that appliance, I get this error: Failed Device x.x.x.x OS Version 5.1(3)N1(1) is not supported. The DCNM version we have is 5.2(1)S74.

View 1 Replies View Related

Cisco Switching/Routing :: Nexus 5548 Restart Itself?

May 10, 2013

I have a Nexus 5548 that recently restarted itself for no reason. I ran the command:
 
[code]
sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 469203 usecs after Sat May 11 14:02:07 2013
    Reason: Reset triggered due to HA policy of Reset
    Service: eth_port_sec hap reset
    Version: 5.1(3)N1(1a)

sh processes log details

Start type: SRV_OPTION_RESTART_STATELESS (23)
Death reason: SYSMGR_DEATH_REASON_FAILURE_SIGNAL (2)
Last heartbeat 6.09 secs ago
RLIMIT_AS: 189894144
System image name: n5000-uk9.5.1.3.N1.1a.bin
[/code]
 
I've been searching in Google/Cisco about the eth_port_sec hap reset and cannot find any reason, just something about the same error but in different technology:
 
[URL]
 
CSCub36000 #SNMP polling on eth_port_security objects no longer causes an eth_port_sec hap reset. I just want to be sure it is the same reason... Or do you know something that can cause it on a Nexus Switch?

View 4 Replies View Related

Cisco Switching/Routing :: Nexus 5548 L3 Licensing

Jul 29, 2012

We have just purchased and installed the L3 daughter card for our 5548UPs and have also installed the L3 Enterprise Services pkg. The problem is, I cannot enable the EIGRP feature even though we have the Ent Svc lic. After doing a little more research, I see that the Lan Base lic is required to enable the L3 card and many of the L3 features (the card is currently in an "offline" state).
 
From what I have read on this board, the Lan Base lic is a free license that should be included with the L3 daughter card -- however, Cisco licensing will not issue me that license without a sales order (even though a Nexus engineer said it was included, the licensing group will not issue with an official sales order). Well, our vendor ordered the card and the Ent Svcs lic but for some reason we were never sent a PAK for the LAN Base lic.

View 1 Replies View Related

Cisco Switching/Routing :: 3560 What Protocol Should Configure To Prevent In Case One Core Fails

Feb 14, 2013

We have one core switch and we are planning to add a 6509. Both are non-VSS. All the access switches are Catalyst 3560 series.
 
We plan to have all 3560s have a link to each of the cores. Without VSS, it is not possible to etherchannel to both core switches, correct? What protocol should I configure to prevent in case one core fails? HSRP, VRRP, GLBP?
 
Do I need to run spanning tree protocol? If so, which one? What is the best way to connect from each Catalyst 3560 for load balancing and redundancy? One to each core?

View 4 Replies View Related

Cisco Switching/Routing :: Distribution Using Nexus 5548/96 With L3 Features?

Feb 12, 2012

using the 55xx as a L3 Distribution switch or even as a Core. By enabling the L3 features, does it allow you to enable L3 SVIs for VLAN interfaces, or are there interfaces on the daughter card that are used for routing instead?

View 5 Replies View Related

Cisco Switching/Routing :: Unable To Create L3 SVI On Nexus 5548

Jun 11, 2012

The Nexus 5548 is running 5.1.3.N2.1a and has the L3 daughter card (N55-D160L3). I have the EIGRP feature enabled. By the way, when doing a 'sh feature' four EIGRP features show up like this: [code] To create the L3 SVI, I go into config mode and attempt to type 'interface vlan 10', but this doesn't work. These are the only options under the keyword 'interface':
 
- ethernet
- loopback
- mgmt
- port-channel
 
I must be missing something simple but can't seem to see what that is.  What do I need to do in order to create an L3 SVI on this 5548?

View 1 Replies View Related

Cisco Switching/Routing :: Configuring Management Of SVI / Nexus 5548?

Aug 15, 2012

I want to configure management for some Nexus 5548's. I wanted to manage the switches via an SVI. I have read the following document which gives details about the Management SVI but doesn't answer all questions. [URL] I am not running any layer 3 functionality on the switch, no layer 3 license (which it mentions in the above link). Will I still be able to create a management SVI? I know I will need to enable the feature 'interface-vlan' to set up a Management SVI; does that require a license?

View 6 Replies View Related

Cisco Switching/Routing :: Encounter FTP Error On Nexus 5548

Sep 4, 2012

I encountered a problem while trying to copy a file from the Nexus 5548 to my ftp server (proteus - 192.168.12.220 - the Nexus switch is able to resolve the name proteus correctly to 192.168.12.220). See below the working and not working scenarios. I have searched through the Cisco Bug Database but was unable to find any related bug associated with this problem. This Nexus is running the following NX-OS version.
 
n5000-uk9-kickstart.5.1.3.N1.1a.bin
n5000-uk9.5.1.3.N1.1a.bin  
Working (without specifying the username and full path)

[Code].....

View 1 Replies View Related

Cisco Switching/Routing :: Nexus 5548 And 6509 VPC Connectivity?

Nov 12, 2012

We have two 5548 switches connected to a pair of 6509 running in VSS mode. I am trying to understand the benefit of having bridge assurance on the uplink ports.
 
If we have the command spanning-tree port type network enabled we cannot do a non-disruptive upgrade. If there is bridge assurance on the uplink it warns you of this. Yet if I do not run bridge assurance on the uplinks I can do an upgrade without any disruption.
 
Why in god would I enable bridge assurance on this VPC link if I cannot do a non-disruptive upgrade?

View 3 Replies View Related

Cisco Switching/Routing :: Nexus 5548 - Can't Utilize ISSU

Jan 21, 2013

I need to upgrade the code on our two Nexus 5548's in order to facilitate the installation of a few FEX's, but due to the fact that seemingly all of my port-channels are in the STP DESG forwarding state, an ISSU upgrade is not possible. Everything connected directly to our 5548's are utilizing VPC's, including an HP Blade chassis, and several Netapp devices. If I follow the normal upgrade route, should I experience an outage, or should the secondary switch just continue passing traffic?

View 1 Replies View Related

Cisco Switching/Routing :: Setup SNMPv3 On Nexus 5548?

Sep 18, 2012

I'm trying to set up SNMPv3 on a Nexus 5548. We are using SNMPv3 on 3750's without any issue, but are having issues getting it set up on the Nexus. I have been using the following link for the setup, following it line by line. [URL] The part that I'm having issues with is when I try to enforce SNMP message encryption on a per-user basis. When I issue snmp-server user (username) enforcePriv, I get warning: unable to update CLI users database. reason: role does not exist grounp not found.

View 1 Replies View Related

Cisco Switching/Routing :: 5548 Nexus Snmp Community

Nov 20, 2011

I am using cisco Nexus5548 and trying to enter a snmp community, but it doesn't accept it. I enter a community name that is less than 32 characters, with symbols, numbers and letters.

View 2 Replies View Related

Cisco Switching/Routing :: Nexus 5548 Fex Offline When Pre-Provisioning

May 9, 2013

I am setting up a new environment with 2 5548's and some 2248TP-1GE FEXes and I'm running into an issue. I have the peer link and peer-keepalive link that appear to be good. When I configure the FEX and vPC for the FEX manually on each switch without pre-provisioning the slot, the FEX comes online and everything appears to be good. I can see all the interfaces when doing a sh int br and the sh fex detail shows all good. When I do the exact same thing but pre-provision the slot, the FEX stays in an offline state. I've tried disabling the port(s) connected to the FEX while configuring everything and then enabling them, but same thing. [code]

View 5 Replies View Related

Cisco Switching/Routing :: Nexus 5548 - Private VLANs On FEX

Aug 13, 2012

Regarding PVLANs and the Nexus, my understanding is that we cannot configure Private VLANs on a FEX trunk port with an NX-OS release older than 5.1(3)N2(1) for the Nexus 5548... Is there any known workaround for this limitation (apart from performing a SW upgrade)?

View 2 Replies View Related

Cisco Switching/Routing :: How To Configure Nexus 5548 TACACS+

Dec 12, 2011

I am working for an Air Force client and am adding a handful of 5548s into their network.  My question is how Tacacs+ is configured.  My hands are tied in regards to testing in an operational environment so I want to ensure the configs are correct prior to deployment/maintenance window and avoid any remote issues.
 
I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.

My basic NX-OS configs are as follows:

- feature tacacs+
- tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server directed-request
 
When I try to set the following command string, aaa authentication login default group tacacs+ local, NX-OS asks me to input a "server group name".  There are no server groups configured.  Do I need them? Can I get by without configuring a group name because the client probably will not.

The Cisco IOS devices are configured with normal aaa authentication/authorization parameters. Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?

View 3 Replies View Related

Cisco Switching/Routing :: SFP-GE-T Module Support On Nexus 5548?

Jan 7, 2013

I am trying to install an SFP-GE-T module on a Nexus 5548UP Switch, but it is giving the 'SFP validation Failed' error. The details of the switch are given below.

Model : N5K-C5548UP-FA

The interface is configured with speed 1000 before inserting the module; still we are getting the same error. PFA logs for more details. We have 8 Nos of SFP-GE-T modules, all are giving the same error. We tried to insert the module on the onboard ports as well as the expansion module.

The same module is working fine on a Cisco 3750X-24T-L Switch. As per the Hardware installation guide, the SFP-GE-T transceiver is supported on the N5K platform. Please extend your support in configuring the SFP-GE-T module on the N5K platform. We tried with an SFP-GE-S module on the same switch, and the same is found working fine.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved