Cisco Switching/Routing :: 6500 - Route-map Not Used / ACL Not Matching Traffic
Jan 12, 2012
I'm performing tests with following desired scenario: We have several remote offices, connected to our HQ via MPLS. In these remote offices, we have several vlan's. Each vlan has it's own ip-range. The MPLS cloud is routed, so we cannot switch our HQ vlan's to the remote offices. In this case, the client pc is in a guest vlan which allows him internet access. The uplink for this internet access is hosted in our HQ datacenter.
basic scheme:
client pc --> MPLS cloud (managed by ISP) --> 6500 switch LAN --> Checkpoint Firewall --> 6500 switch DMZ --> ASA Firewall
My test scheme:
Client pc is in a subnet A (guest vlan range office).
We receive this traffic on our first LAN 6500.
[Code].....
View 29 Replies
ADVERTISEMENT
Feb 19, 2013
I have an issue with my setup of a 6500 switch (12.2(33)SXI9).We have a 6500 switch with several VRF's. For a certain VRF I would like to redistribute a static route in EIGRP. After doing so I don't see the static route on my eigrp neighbor.
This is a overview of my config. I'm basically redistributing only my static route for this vrf in eigrp.
I found a similar case in which the solution was adding a metric to the static route. (eg. redistribute static route-map static-eigrp-pp metric 10000 100 255 1 1500). But the strange thing is that we don't have this issue on a similar machine (same IOS, same config setup). [code]
View 2 Replies
View Related
Nov 1, 2011
We have a Cisco 3640 router running c3640-is-mz.123-3g.bin Switching ports are devided into several VLans. Each VLan has its own IP subnet. We can't ping IP address X in subnet A from subnet B unless we log into the router and ping it from there first. (and then the IP address will show up in "show ip arp" command. Then we can ping X in subnet A from subnet B, and browse web on device X from subnet B, etc. )
View 6 Replies
View Related
Feb 23, 2013
We have a lot of IPX traffic flowing through a switched network and we are being asked to filter it from a network standpoint. At one point they were using IPX in their network, but no longer need to, so they still have a lot of machines spewing out IPX traffic. We have removed the IPX routing commands from our distribution switches, (Cisco 6500), but after running a short 10 minute Wireshark capture I'm still getting a good bit of IPX traffic from a lot of different devices.
View 2 Replies
View Related
Jun 3, 2013
Actually i have a design from my customer who have ( Cisco core switch 3750 (allports fiber ports) which is connected to L2 switches , these switches carry servers and end users .the only routing protocol on the access switches is static route ,
My question how can i route the traffic from the server to the end user , as the the server is not direct connect to the core switch.
View 6 Replies
View Related
Jan 16, 2012
does 6500 with SUP-720 support nat on multicast traffic?
i know it support Multicast service reflection based on SXI4 which can facilitate me on destination address nat.
but if i need only source nat, does the defualt NAT feature supported on multicast traffic ?
View 1 Replies
View Related
May 15, 2012
I am trying to remove a static route I added: [code]
I was practicing setting up static routing on three routers r2 (2600xm) connected to r1(2600xm) via T1 module cards on the serial ports. connected to r1 is an old 2500 router called PC.
I removed the static routes off r2 and PC but when I get to r2 which I am connecting to via console cable from another 2500 that I use for an access server I get the above error. all the IPs are just generic subnets I created to play around with static routing. I
View 4 Replies
View Related
Jan 31, 2012
On a Catalyst 6500, we configured a SPAN session with VLAN 300 as a source. We configured the session bi-directional ("both" keyword). We connect a sniffer on the SPAN destination port.
Strangely enough, we only see the traffic from the VRF to the firewall, but not the reverse traffic ! What can be the problem ?
View 2 Replies
View Related
Jan 24, 2012
I have catalyst 6500s with two VS-S720-10Gs, one is in Active and one is in Hot state. Both Sup cards have two 10G uplink ports. How does the traffic forwarding works in this case on the uplink ports? Do these uplink ports actively forward traffic or it is only the uplinks ports on Active that forward traffic? I see CDP neighbors on both Active and Hot SUPs uplinks ports - it indicates that packets are flowing on both cards.
I want all uplink ports on both SUPs to actively forward traffic. Does it work? What is the config for this?
View 1 Replies
View Related
Jan 14, 2012
i have a strange issue with an HSRP Setup. I have two (S1+S2) 3560 as Core/Distribution Layer. Inter-vlan routing are enabled on both Switches. S1 and S2 are connected with an ether channel over four fibre ports. S3 -S5 are the (L2) access layer.
Gi0/1 on S1 and S2 are L3 ports, connect to a Linux Firewall.
HSRP is enabled, S1 is the active router and the STP root bridge.
But, my monitoring via cacti show me, that the Gi0/1 on S2 is active, too! But it should not be active? Only if S1 fails, should S2 the active switch.A client from the access ports on S3 - 5 gets traffic from the Internet via Gi0/1 from S2. Gi0/1 on S1 is active too, but will send mostly traffic to the Internet. Why is S2 active and why route it traffic from the Internet to the client?
View 15 Replies
View Related
May 30, 2012
We want to get L2 traffic amount (bit/byte) passing through a cisco switch (6500/3560 ...) for a specific VLAN. it can be via SNMP or CLI ...How can we do that?
note: there is no L3 interface on swtiches.
View 2 Replies
View Related
Mar 22, 2012
I've been looking into IGMP snooping and have read that a L2 switch will forward multicast traffic to all ports connected to an interested receiver AND all mrouter ports. In a L2 'V' topology this results in all multicast traffic routed onto a VLAN being forwarded to the 2nd distribution switch. My question is how should a 6500 Sup720 deal with this unwanted multicast traffic? Both a Local SPAN of the RP and a Netdr capture suggest that this traffic is punted to the RP and ultimately dropped. Is this expected behavior or should the traffic be dropped in H/W?
View 2 Replies
View Related
Sep 18, 2012
My company is composed of three different campuses, all with a similar network topology. We currently are experiencing high bandwidth on our serial interface at one of the campuses in particular. The network is composed of about 20 VLANS routed internally using a Cisco 6509. Traffic to the outside is PAT’d by an ASA 5510 and then forwarded through our edge router interface. Each VLAN is PAT’d to a specific public address.Due to the PAT, how would you recommend determining what specific private addresses are consuming our resources on the serial interface. When I look at our NMS, it reports the public address, but that only narrows it down to a VLAN. For example, all the devices in VLAN 6 are translated to 146.34.118.245, and 146.34.11.245 is a top talker.
View 1 Replies
View Related
Jun 5, 2013
I'm fairly new to Cisco products am in the process of developing my network knowledge on a deeper level. I have a 3825 with a HWIC-4ESW and I'm struggling to fully understand how the two "see" each other. I've setup a V LAN with a layer 3 address on the HWIC and added the switch ports to it. This seemed to allow devices connected to the switch ports to talk to the built-in router ports. I thought this was all making sense until i applied an access-list to the router port. It's a simple ACL i'm just using for testing and the only thing it does is blocks telnet from anywhere. I know the ACL is setup properly because if I connect a device directly to the router port i cannot telnet to the port. However, if i connect a device to one of the switch ports, i am able to telnet to the router port successfully.
It seems that I'm missing something with how traffic flows from the switch port to the router ports and how the two "see" each other.
View 2 Replies
View Related
May 6, 2013
I have a route-map on a 6500 thats is very definitely no longer required. 2 attempts to remove it have been a disaster.
[Code]...
The route-map and access-list ae not being used at all. Anyny tips for how I can get this removed - for info the process is mush easier on 7206 VXRs.
View 7 Replies
View Related
Dec 21, 2011
how can we upgrade 6500 non modular ios to normal 6500 ios?
View 5 Replies
View Related
Feb 16, 2012
I have a new MPLS circuit being stood up for my site; it’s going to replace a site to site VPN connection to our "Headquarters." I want to test this without affecting my production networks. Without getting into alot of details, the admin at the remote site is not very cooperative and basically doesn't want to set this up and I don't have access to his switching/routing. He is prepared to do minimal tasks if necessary. Ultimately, I am looking to test the new Vlan, once successful, route the traffic away from the Site to Site VPN connection to the MPLS circuit. Here is what I plan on doing, I need to determine if it is going to work.
LAN in my office uses EIGRP for routing. MPLS (10.1.1.253) uses OSPF (area 0) and BGP. Currently, traffic destined to headquarters (10.10.1.1/24) uses the default route on a CAT3750 pointing to the firewall (ASA5520) (10.1.1.254).Create new VLAN/DHCP scope to use as a test Vlan to test the new MPLS circuit. 10.1.199.0/24Create static routes on 3750 destined for headquarters for L2L VPN traffic pointing to firewall so traffic to headquarters remains on the L2L connection. ip route 10.10.1.1 255.255.255.0 10.1.1.254 (once I share routes with OSPF, routes to Headquarters will be advertised over the MPLS)Create OSPF instance on the 3750 advertising only the new subnet so that the MPLS network knows to route this traffic over the MPLS for return traffic from headquarters. (this is where it is grey as I don’t know OSPF at all) The switch has a L3 interface which the MPLS router uses as its gateway, so there is direct communication.router-ospf 0 network 10.1.199.0 0.0.0.255 area 0 4. On 3750 create a PBR for the new subnet so that it is routed over the MPLS, (imagine test PC is 10.1.199.100), the remaining production subnets will use the static routes and ignore the OSPF routes because of the shorter administrative distance.Will the PBR route win over the static route for that one subnet? Is that all I need in the OSPF configuration? I see some configs that have neighbor statements with costs, authentication types etc..
View 3 Replies
View Related
Apr 22, 2012
we have applied route-map on vlan interface in the form:
ip access-list extended TEST
permit ip 172.16.1.128 0.0.0.127 172.16.0.0 0.0.255.255
route-map TEST permit 10
match ip address TEST
set ip next-hop 172.16.111.1
interface Vlan11
ip policy route-map TEST
The problem is in the traffic matching by the rule - there is matches not only for 172.16.0.0/16 prefixes but for the whole traffic in that VLAN.
View 1 Replies
View Related
Feb 19, 2012
I am very new to high end Cisco devices.(like 7600/6500 or ASR9K).
Why do we log in on RP. What actions we can perform after logging-on RP (route processor) or Why they are required ? Cant we make those by normal router mode (router#) .
View 2 Replies
View Related
Jun 20, 2011
Since the ACE supports only static routing, when pointing a default route from the ACE what is your preferred method when using multiple 6500s with an ACE in each in a failover scenario to prevent just pointing at one 6500? Static route to an HSRP address? Multiple static routes on the ACE, etc?
View 2 Replies
View Related
Feb 25, 2013
We have two catalyst 3560 switches running c3560-ipbasek9-mz.122-58.SE2.bin They are connected using etherchannel using gi 0/21 - 24 interfaces.
on 3560-1 switch, there isn't any ip-default gateway or ip route configured. It only have 1 interface vlan configured.
on 3560-2 switch, there is ip default gateway configured along with 1 interface vlan.
What i dont understand here is that, i can reach out to other subnets from 3560-1 switch in which the routing is not enabled?
View 4 Replies
View Related
Jan 21, 2012
As per my understanding 6509 all slots are dual channel, so 9 slot * 40 per slot (20 g in and 20 g out) = 360 GB How cisco claim the 720 ?? What about the 6513 chassic switch fabric connection?
View 5 Replies
View Related
Sep 20, 2012
I am seeing a strange situation on my 6500 switch?By having snmp walk on '1.3.6.1.4.1.9.9.109.1.1.1.1.3' (== cpmCPUTotal5sec), I came to know that there are two processor and the cpu util for switching processor is gone to 88 % and some time creeps to 99 %.
snmpwalk -v2c -c "removes" sw6500 '1.3.6.1.4.1.9.9.109.1.1.1.1.3'
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.3.1 = Gauge32: 12 (--- this is for CPU of Router Processor )
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.3.3 = Gauge32: 99 (--- this is for CPU of Switching Processor )
but when I do sh process cpu on the console, all looks normal as it shows cpu utilization of RP. why the value is so high on the switching processor ?
View 1 Replies
View Related
Jan 24, 2013
For intervlan routing, Is 'IP routing' command enabled by default on a 6500 series switches based on the IOS?and on 3750 switches, do we need to enable the "ip routing" command manually for intervlan routing?
View 1 Replies
View Related
May 9, 2013
I'm looking to restrict Inter-VLAN routing through L3 switch (cisco 6500) and wanted to know best possible way to do it. I used VACL and achieved success to some extent, but my config is making clients take up to 5-6 mins to authenticate IP address from the DNS (bootps).My VACL config was as follows:
Subnet to restrict is 10.100.15.0 (VLAN 15)
STEP 1: Created extended ACL to allow bootpc/bootps through DNS
ip access-list extended EACL_DNS
permit udp any eq bootps any
permit udp any eq bootpc any
STEP 2: Created standard ACLs to allow only relevant subnet, server VLANs & some IPs from other subnets for printers/scanners etc.
ip access-list standard SACL_VLAN_15
permit 10.100.15.0 0.0.0.255 (the subnet I'm restricting)
permit 10.100.50.0 0.0.0.255 (server VLANs)
permit 10.100.25.45 0.0.0.0 (printer in another VLAN which has to have access in VLAN 15)
STEP 3: Created VLAN access list
vlan access-map VACL_15 10
match ip address EACL_DNS
action forward
vlan access-map VACL_15 20
match ip address SACL_15
action forward
STEP 4: Applying VLAN Access list on VLAN 15 vlan filter VACL_15 vlan-list 15 Though the above works, below is noted:
1. I'm still able to PING 10.100.15.2 (the switch virtual interface) from outside the subnet, which I don't intend to do so. Howeve all cients in the subnet have no connectivity from outside the VLAN 15.
2. As mentioned its taking quiet some time to negotiate with the DNS server at system boot time.
View 3 Replies
View Related
Jun 2, 2012
I used to "ip routing" command in order to enable inter-vlan routing, for example with 3750 cisco. I have a 6503 cisco with SUP720 MSFC3. I was able to create some vlans but I can not configure inter-vlan routing.
sw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
swsur(config)#ip routing
[Code]....
View 3 Replies
View Related
Oct 30, 2011
For intervlan routing, Is 'IP routing' command enabled by default on a 6500 series switches based on the IOS?hes, do we need to enable the "ip routing" command manually for intervlan routing?
View 2 Replies
View Related
Nov 15, 2012
Configured cisco 881, WAN has static IP address and LAN is nothing fancy. I can ping out to url... or anywhere from the router but cannot from LAN client computers. [code]
View 4 Replies
View Related
Mar 16, 2013
Where is the "ip routing" command in Cisco switch 6500 series?
is the ip routing enable by default accoridng to the: [URL]
View 3 Replies
View Related
Apr 19, 2010
I have a 2821 router with two T1 WICs and have the need to route FTP down one T1 and all other TCP traffic down another T1. All traffic is going to the same remote IP address. The remote sites are in different states, and I assume that the remote subnet is being bridged between the states. It's kind of a weird set up, but it's not my design.
Anyway, can I use a route map to split off FTP traffic to host A and send it down one T1 and have the rest of the IP traffic to host A go down the other T1? I also need to be able to have all traffic use one T1 in case the other T1 goes down.
My first thought was to static all IP down T1-1, then route map FTP traffic down T1-2, then have a floating static for all IP traffic down T1-2 with a higher metric. But something would have to track the T1 interfaces and I'm not sure if route maps or static routes can do that. Any thoughts on this?
View 2 Replies
View Related
Jan 22, 2012
I haven't got time to test different configurations yet. Just want to quickly ask here about the fall-over route-map configuration. I saw lots of example using pip prefix-list to specify the next-hop for tracking. Is that the only way you can do it? Can you just use a standard ACL to specify that host like permit host 10.2.2.2? ip prefix-list will do like ip prefix-list seq 5 permit 10.2.2.2/32. And you apply the prefix-list to route-map then. ACL will work?
View 2 Replies
View Related
Nov 18, 2008
I have a 3750g on which I am trying to configure the ip policy route-map command on each of the vlan interfaces. However after entering the command it does not appear. I'm not sure what to do at this point. I have changed the SDM template to routing and I am running the IPServices image.
View 2 Replies
View Related
Apr 3, 2012
I have a router with two interfaces what i need to filter the HTTP traffic from one interface and the rest of the traffic through the other on my cisco router 2800.
View 3 Replies
View Related
