Cisco Switching/Routing :: 5548 Add Access List To Both Switches Not In Config Sync Mode

Mar 21, 2012

I have two 5548's in sync mode: I have an existing ACL and I want to add a new line to it, but after I do and try to commit it states the verify failed. [code]

I have to add access list to both switches not in config sync mode.

View 1 Replies



Cisco Switching/Routing :: Sup720 / Command To Force Config-sync If Running In Mode Other Than SSO

Aug 9, 2012

I am looking to replace the active supervisor (S720-10G) on our 6509E running in SSO mode. The new module already has the same IOS version as the standby supervisor. Once I have swapped the module how do I know that the config has sync'd correctly other than checking the logs? Is it a case of looking at the "Redundancy Mode (Operational)" state and ensuring it says SSO? Also, is there a command that will force a config-sync if it is running in a mode other than SSO?

View 1 Replies View Related

Cisco Switching/Routing :: 5548 - Get Switch Profile Re-sync Without Recreating It?

Feb 13, 2011

Two 5548 switches running switch profile and it got out of sync (probably because one of the switches lost power before it had a chance to save its configuration). Once the switch profile is out of sync, you can't make any change to the switch profile any more; verification will fail. Is there any good way to get the switch profile re-sync without recreating it?

View 2 Replies View Related

Cisco Switching/Routing :: 3560 - No Access List On Switches And No Firewall Between Sites

Jul 15, 2012

I have 3 3560 switches which are configured with trunks between them. They run vlan 10, 11 & 12. I have a 'core' switch (switch 1) of these 3 to which an MPLS router is connected on vlan 12. I in addition have another switch hanging off the 'core' switch via a routed link (switch 4). I have EIGRP configured as a stub and as such the IP address on the routed link at the core switch end is of a /24 from vlan 1 on the other switch. This makes the route directly connected and therefore distributed via EIGRP stubs. Switch 1 is then exchanging routes with the MPLS router (via EIGRP).
 
The problem I have is that from any sub net on any switch (switch 1, 2 or 3) I can ping 192.168.13.1 (switch 4). When I try and ping switch 4 from over the MPLS I am unable to. If I trace to the switch I see it reaches the outside of the MPLS router, but is then unresponsive. The same applies if I try to ping switch 1 on 192.168.13.2. Any of the other IP addresses of switch 1 respond.
 
The MPLS network is a managed solution to which I have no access. I'm told that the MPLS provider is able to ping switch 1 & switch 4 on the 192.168.13.x addresses from a remote router (192.168.32.2). I have tried from a switch on the same L2 sub net (192.168.32.1) and I don't get a response.
 
From switch 4 I am able to ping the switch on one of its interfaces (192.168.19.1), but not the interface I mentioned above, 192.168.32.1. There are no access lists in place on the switches and no firewalls between the sites.

View 22 Replies View Related

Cisco Switching/Routing :: 5548 - Possible To Have More Than Two 5500 Switches Peered In VPC

May 7, 2013

We have successfully peered two 5548UP switches together and separately we have successfully peered two 5596UP switches together. Works great and is our standard going forward for data center switching. I've been casting about Google and Cisco looking for an answer to this question:
 
Is it possible to have more than two 5500 class Nexus switches participate in a peered vPC configuration? For instance, can I connect a single FEX to four 5500 class switches in a vPC configuration? The question is more academic than actionable. Even if the answer is yes we probably wouldn't be in a position to implement something like this for a while.

View 3 Replies View Related

Cisco Switching/Routing :: Connecting 5548 Pair To 2 6509 Core Switches / No Vss

Jun 8, 2012

Connecting a 5548 pair to our core 6509s. Just want to be sure we don't introduce any issues into the network. The 6509's are connected and perform all the routing. Essentially, we're moving away from a 3750 stack in the data center and the 5548s are the replacement. We'd want to limit the vlans to the specific server network vlans. Our current setup is a port channel between the 3750 and each of the 2 6509s for redundancy. I'd like to use the same functionality when we connect the 5548's but I'm looking for what the config should look like to ensure no spanning tree loops are introduced and that it is configured optimally.

View 1 Replies View Related

Cisco Infrastructure :: Nexus 5548 Will Not Sync With NTP

May 1, 2011

I know that with the Nexus switches that we must use the management port and the management vrf for services such as NTP, SNMP etc. I have this configured on my 5548 and it still will not sync with NTP. [code]

View 5 Replies View Related

Cisco Switching/Routing :: 5548 Prevent VLAN From Internet Access

May 9, 2012

At the core of my network I have two Nexus 5548's with the routing/L3 daughter installed. They have a default route that points to my ASA 5520 for Internet access. I have configured a VLAN that I do not want to have access to the Internet. What is the best way of preventing this access?  ACL on the Nexus or Firewall rules on the ASA?

View 1 Replies View Related

Cisco Switching/Routing :: Nexus 7k Switches Config Backup

Apr 9, 2013

I have a small doubt with Nexus 7k, 5K, 2k & 1K. We want to backup the running config to my desktop through tftp. When I tried to backup from Nexus switches showing like below Nexus 7K. [code]

It's showing two choices which one I have to follow "copy running-config startup-config" or "copy running-config startup-config Vdc-all". [code]

It's showing two choices which one I have to follow "copy running-config startup-config" or "copy running-config startup-config fabric"
 
It's showing three choices which one I have to follow "copy running-config startup-config" or "copy running-config startup-config fabric" or "copy running-config startup-config vdc-all". [code]

View 11 Replies View Related

Cisco Switching/Routing :: 4506 - Both Switches Booted / Ignored Start-up Config

Nov 30, 2011

I have two 4506 switches in my organization. Recently the office was relocated and when both the switches were booted they ignored the startup config. The config-reg was set to 0x2101. No boot system command was configured. So I changed the config-reg of SW1 to 0x2102 and gave boot system command as stated below. When reloaded the switch booted to ROMMON and I had to manually boot the IOS. I want them to boot normally with IOS. Config of SW2 is not changed since relocation. I am specifying both configs for your consideration. [code]

View 12 Replies View Related

Cisco Switching/Routing :: Config Erasing Automatically On C500 And 2960 Switches?

Feb 8, 2012

I have a scenario where 15 c500 switches and 5 2960 8 port switch connected to 4507R core switch. There are 10 dhcp pools created on the 4507.
 
Eg:   ip dhcp pool XXXX
        network xxxx.xxxxxxx
        default-router x.x.x.x
 
Now the default router is directed to vlans created on the switch, i.e. vlan 101, 102, 103 and so on. Now the remaining switches connected are configured to be in the same vlan. So the systems connected to the edge switches will get the DHCP IP automatically. Now my problem is after some time (maybe 2 or 3 hrs) all the edge switches are losing configuration automatically even though they are not restarted, even after saving the config on to nvram; every time I connect the console and check, all the saved config is lost?

View 1 Replies View Related

Cisco Switching/Routing :: ASA 5505 Upload Config File Into Start-up Config

Apr 17, 2012

If I connected the laptop to a brand new out of the box ASA 5505 through console cable and I have a config file on this laptop from another ASA 5505, is there any way I can upload that config file into the startup-config of this new ASA 5505 through console cable, without using TFTP or FTP?

View 5 Replies View Related

Cisco Switching/Routing :: 3560 - Access List On InterVLan Routing

Dec 11, 2012

I implemented an access list on a Cisco 3560 switch but it never works. I want to block access from Network B to Network A and allow from A to B.
Network A. 10.0.12.0/24
Network B 10.0.24.0/24
 
The configuration is
interface Vlan1
description Data VLAN

[Code].....

View 14 Replies View Related

Cisco Switching/Routing :: 1941 Don't Have Access To Config At Moment

Oct 28, 2012

I don't have access to my config at the moment and I haven't had a chance to get to the console of this router as of yet. A little background info: This is a Cisco 1941 router in which I have multiple NAT inside interfaces for internal VLANs. Before my current problem I was using one NAT outside interface for Internet access with another NAT outside connecting to our corporate network that was in a shutdown state. The router is performing router on a stick and had layer 3 subinterfaces for each VLAN. I have ACLs filtering on each subinterface allowing only the traffic I need through. I also currently only have one static NAT port for an FTP server. The time finally came when I had to connect our corporate network to this router via an access port on a 2950 which trunks to the router. The problem comes when I send any traffic to the subinterfaces on the corporate network which is the second NAT outside interface on the router. The main point for this connection is to do a static NAT from this interface to a web server on another VLAN. Any traffic to this interface including just pinging from the outside causes connection to the router to fail for about 3-4 min. Like I said I haven't had the chance to get to the console yet so I can't tell everything that happens. Nothing shows up in the logs after I can get connection back and the router didn't reboot as a "show version" says the router has been up for a long time. The CPU is also usually very low as not that much traffic flows through this router at a time. I built a very similar network in packet tracer and it works just fine.

View 1 Replies View Related

Cisco Switching/Routing :: 4500 And Mac Access List

Apr 11, 2011

I'm looking to implement a vlan filter to keep unnecessary stuff off my access-layer. Things like IPv6, IPX etc. I really only want IPv4, ARP and 802.1q on these 4500s. I know on 3750, 3560s etc, when I create the mac access-list, I can do it by ethertype, but on the 4500, I don't have that option.
 
4th_floor(config)#mac access-list extended Drop-traffic
 
4th_floor(config-ext-macl)#permit any any ?
  protocol-family  An Ethernet protocol family
  <cr>
 
4th_floor(config-ext-macl)#permit any any protocol-family ?
  appletalk
  arp-non-ipv4
  decnet
[Code]....

View 1 Replies View Related

Cisco Switching/Routing :: 1800 ISR Without Access List?

Apr 19, 2012

I have an 1800 ISR that is running with port forwarding only. It is running a series of ip nat inside source static address port address port commands. It does not have an access list bound to the outside interface. This is working fine, but I am wondering if this is a security concern?

View 1 Replies View Related

Cisco Switching/Routing :: 192.168.10.10 / VLAN Access List Not Working?

Sep 5, 2012

Extended IP access list VLAN20
    10 permit tcp any any established
    11 permit icmp any any
    20 permit tcp any 192.168.20.0 0.0.0.255 eq 80
    30 permit tcp any 192.168.20.0 0.0.0.255 eq 443
    40 deny ip any any log

[code].....
 
Above is the network diagram and access list for VLAN 20 and VLAN 30, applied on incoming direction of each vlan. But still able to access other port which is not on access list; tried changing the direction with no luck. Inter vlan routing is enabled on CoreSwitch; default router is 192.168.10.10

View 5 Replies View Related

Cisco Switching/Routing :: 3750 How To Write Access List

Jan 15, 2012

I have one Cisco 3750, which I am using as a core switch where I have 6 more access switches connected directly, and we are using VLANs in our network with the IP range of 172.16.0.0. Now we had a new Internet connection which is dedicated to the Exchange Server only. So we have two Internet connections: one for Internet access for all users and another one for only the Exchange Server. The Internet connection for the users is terminated at a Cisco 1700 Series Router and the Internet for the Exchange Server is terminated at a Cisco ASA Firewall. Now the problem is how can I write an access list which says that all packets from the Exchange server should be routed to the ASA Firewall, and all other packets should route to the Cisco Router. The IP address of the Exchange server is 172.16.2.1, 172.16.2.2.

View 13 Replies View Related

Cisco Switching/Routing :: 4506 - Interface Access-list

Nov 14, 2011

I have one computer connected to the 4506 that management does not want this PC to have access to anything on our network except our DHCP server and the one printer that resides on our network.  I created an extended access list as follows.  Our network is the 10.10.x.x and the external addresses the PC needs to access is 11.1.x.x.  Once this PC is rebooted, it is unable to access DHCP to get the needed IP address it bounces back to a 169.x.x.x address and stops working.
 
Extended IP access list 2000
permit tcp host 10.10.200.242 host 11.1.200.1                           (gateway)
permit tcp host 10.10.200.242 host 11.1.2.151 eq smtp              (access from the pc to external server for smtp)
permit tcp host 10.10.200.242 host 11.1.2.149 eq 5721              (access from the pc to external server for remote access)
[ code]...
 
Then I applied the access-group 2000  on the interface the PC is connected to. What am I missing for DHCP to work and for this PC to always get the ip address that is reserved?

View 3 Replies View Related

Cisco Switching/Routing :: Not Able To Assign Access List To CMP Interface Of Nexus 7K

Feb 6, 2013

I am trying to harden my Nexus box and I am not able to ACL assignment command. Following are the commands I am trying to add.

interface cmp-mgmt module 5
Ip access-group NETWORK_MANAGEMENT_ACCESS in

View 1 Replies View Related

Cisco Switching/Routing :: 239 Multiple Static RPs And Access-list Behavior

Aug 14, 2012

If I configure multiple static RPs and one of the ACLs denies a source, will it move on to the next entry that covers it in another ACL? [code] i.e. 1.1.1.1 will be used as the RP for 224 to 238 and 2.2.2.2 will be used as the RP for 239. Will that work correctly, i.e. if a source is trying to register with the router and it's for the group 239.1.1.1, will it be denied against the first RP and then permitted against the second RP?

View 2 Replies View Related

Cisco Switching/Routing :: 3550 / Access List - Block One Ip Or Port

Jan 9, 2012

I have a layer 3 switch, 3550. I have several vlans on there just for playing around with. One of the vlans has a Vonage Linksys box attached to it with a UK number attached. From time to time telemarketers call at 03:00 in the morning; this, as I'm sure you can imagine, is not much fun. The Linksys box gets 192.168.3.3 as its IP. The switch is connected to a non-Cisco router at 192.168.0.1
 
interface FastEthernet0/24
no switchport
ip address 192.168.0.2 255.255.255.0
 
I was thinking a time based access list would work best. I have tried several variations but the phone still rings. I have tried access-list 1 deny host 192.168.3.3 permit ..... and more extensive lists but the phone still rings. I have not applied the time-range yet, so that's not the problem. I have applied the list to the vlan interface and to fa0/24 but it's not working.

View 3 Replies View Related

Cisco Switching/Routing :: Vlan Access List In 3750x Switch

Feb 6, 2013

I have an L3 switch, Cisco 3750x, with different VLANs. Some users are in Vlan 102 (10.10.2.0) and some users are in Vlan1 (10.10.1.0). Now I want to restrict the Vlan102 users to access Vlan1. I am pasting my configuration below; how to create an access list.
 
interface Vlan1
ip address 10.10.1.36 255.255.255.0
ip helper-address 10.10.1.36

[Code].....

View 2 Replies View Related

Cisco Switching/Routing :: 2960 - Mac Access-list Time Based

Dec 11, 2011

I need to enable/disable a mac access-list on a 2960 scheduled by time. The switch has lanbasek9-mz.122-44.SE6. As the mac access-list can not support time ranges, I tried EEM but seems like it is not supported in this device.

View 1 Replies View Related

Cisco Switching/Routing :: 4948 - Configuration Of Access List For VLAN 2

May 19, 2013

In my core switch, there are 2 VLANs (VLAN 1 & VLAN 2). My switch is a Cisco 4948, so by default IP routing is enabled in it. All my servers (DHCP, HTTP, HTTPS) are in VLAN 1 & internet is also in VLAN 1.

My requirement is that VLAN 1 users should not communicate with VLAN 2 and vice versa. But the VLAN 2 users need access to all servers and internet, which are in VLAN 1. How to configure the access-list? I have tried on Packet Tracer, which I have attached.
 
Note: VLAN 2 users should get the IP from the DHCP server which is in VLAN 1.

View 4 Replies View Related

Cisco Switching/Routing :: 4503 -MAC Access-list Extended To Only Allow Gateway Traffic

Nov 7, 2011

We have a gateway on a 4503, say on port 2/1, and we only want the other devices that are plugged into the 4503 to be able to talk to the gateway and that's it. The other devices are Motorola TUT DSL devices and they plug into the 4503 directly.
 
Normally "switchport protected" would make this very easy to keep stuff on one port from talking to other ports but with 4500's you are not able to do that command.  So we implemented a MAC Access-List Extended ACL.  Here is what we did
 
mac access-list extended BLAH
permit #host 0000.XXXX.YYYY any
interface range fa 2/5 - 20
mac access-group BLAH out 
 
The MAC address 0000.XXXX.YYYY is the MAC address of the gateway that is plugged into Fa2/1 and the DSL TUT devices are plugged into ports Fa2/5-20.  We would think that this config would only allow devices on the TUT DSL to talk only to the Gateway but we don't really think this is happening.  The TUT devices are learning about MAC addresses that are on other TUT devices. 

View 1 Replies View Related

Cisco Switching/Routing :: N7K Hardware Access-list Resource Pooling Command Not Working

Nov 23, 2011

Not sure why the N7K M1 card doesn't take this command. It works on other N7K at different site. [code]

View 1 Replies View Related

Cisco Switching/Routing :: 1841 Need To Block MAC Address / Applied Command Access-list

Sep 4, 2012

I am using a Cisco 1841 LAN router. I need to block a MAC address. I have applied the command access-list 1102 deny 0000.0000.0000.0000 mac address..... but it does not work.

View 24 Replies View Related

Cisco Switching/Routing :: 3750x / Stackpower Switches Show In Standalone Mode?

May 29, 2013

I have a stack of 8 3750x switches connected via Stackwise.  In addition, I have these switches configured as two Powerstacks. When I look at the Powerstacks, they are showing as being in power-sharing mode.  When I look at the individual switches, they show as standalone.   Right now, I have 1 switch in each powerstack that has two power supplies, and then the other three have a single power supply. Below is the output for "Show stack-power detail" as well as the Powerstack configurations.
 
Power Stack           Stack   Stack    Total   Rsvd    Alloc   Unused  Num  Num
Name                  Mode    Topolgy  Pwr(W)  Pwr(W)  Pwr(W)  Pwr(W)  SW   PS
--------------------  ------  -------  ------  ------  ------  ------  ---  ---
Powerstack_1          SP-PS   Ring     2145    45      570     1530    3    3
Powerstack_2          SP-PS   Ring     2860    60      760     2040    4    4
Powerstack_1-1        SP-PS   Stndaln  1430    520     190     720     1    2

Power stack name: Powerstack_1
    Stack mode: Power sharing
    Stack topology: Ring
    Switch 4:
        Power budget: 700
        Power allocated: 190
        Low port priority value: 20
        High port

[code].....

View 1 Replies View Related

Cisco Switching/Routing :: Single Mode Fiber Support For WS-3750 Switches?

Mar 5, 2012

I'm looking for switches that support single mode fiber connections and would like to know if "WS-C3750-FS-S Catalyst 3750 24 100BaseFX + 2 SFP" and "WS-C3750G-12S-S Catalyst 3750 12 SFP" can serve the purpose?

View 6 Replies View Related

Cisco Switching/Routing :: Linked Cat3550 And ME3600 Switches Via Trunk Mode

Mar 27, 2013

I am faced with a strange behavior of ME3600. For testing purposes I linked Cat3550 and ME3600 switches via trunk mode. All interfaces are in Up state. But I couldn't ping SVI200 of the Cat switch from ME3600 and vice versa. [code]
 
This scheme works perfectly with other L3 switches. For example Catalyst 3750. I know that ME doesn't support VTP, DTP and so on. Also, I've tried latest software.

View 0 Replies View Related

Cisco Switching/Routing :: 3750 - Two Switches Connected With Single Mode Cable

Jun 4, 2012

I am troubleshooting a fiber connectivity issue. Now I have two switches, one is a 3750, and another is a small biz 300 series switch. Both switches have a single mode SMF GBIC. Now I have the two switches face to face and connected with a single mode cable. Do you think I would get a link light on? Both ports are no shutdown.

View 3 Replies View Related

Cisco Switching/Routing :: 3560 - 802.1x Multi-auth Mode And Downstream Switches

Feb 20, 2013

I need to support a bunch of security cameras mounted on poles in our parking lot and an IP intercom system mounted on some gates. Because of environmental factors the switches at the poles need to be hardened and the spec from the vendor installing the gear is for GarretCom Industrial unmanaged switches which would make sense.
 
However when Information Security got wind of this scheme they (probably correctly) are requiring me to secure the ports that these unmanaged switches connect to. I have 2 choices: port security w/ MAC filtering or 802.1x. Because all the devices at the poles and gates support 802.1x and because I may need to go out there to troubleshoot stuff (and will invariably forget to add the MAC of whatever device I am using) I would prefer 802.1X multi-auth mode.
 
Problem:
When I ran a quick test on a test 3560 running some 15.0.1 code I could get a laptop to connect via 802.1x EAP-TLS successfully if it was directly connected but when I connected the same laptop via a dumb Netgear switch I confiscated from a luser  it would not connect. The 3560 error said that the laptop never responded.
 
Question:
Before I spend a whole lot of time on this, is this something that should work? I don't see any practical use for the feature if it won't however the documentation I am using specifically mentions downstream hubs but I am not sure if they mean real hubs (which I don't think are even made anymore) or if they mean unmanaged switches.
 
I plan to try a couple of different unmanaged switches tomorrow and dig a little but I would like to know if I am wasting my time on something that will never work or if there is a little gotcha somewhere.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved