Cisco Switching/Routing :: 6500s / VLANs - Where To Put Promiscuous Port
Apr 25, 2013
We have a typicaly environment, access, distribution, core, all switches are 6500s.I have a lab environment where machines should not talk to each other, so I think private vlans would be good for this. The problem is that the access connects to the distribution with a 802.1q trunk, while the distribution connects to the core with an 802.1q trunk. See the attached image for reference.
In this case, I would configure the primary vlan (888) on the two access switches, as well as the isolated (886) and the community (887), and set the associations.
vlan 886
name Isolated_PVLAN
private-vlan isloated
vlan 887
name Community_PVLAN
private-vlan community
vlan 888
private-vlan primary
private-vlan association 886,887
exit
My question is where to I put the promiscuous port? Is it on the uplink between the access and distribution? And If I configure it as I have below, what about the other VLANs that are needed at the access switch? Do they still pass through the trunk as normal, even with the private-vlan configuration? Or would every other VLAN need to be configured as a secondary private-vlan on the promiscuous port?
I have 2 Vlans with seperate networks and want to create a route between one server in vlan 465 to another server in vlan 436 via port 80.Vlan 465 has a ASA 5505 inside that IP address 89.254.12.35 will be initiating the connection to address 10.200.1.213.
-Vlan 465: server address 10.200.1.213 -Vlan 436: server address 89.254.12.35
However for extended security I would like to restrict the firewall opening to an IP to IP opening.
I have came across this topic, and I am wondering if this images can be uploaded to any 2900 series switches or not, and if this will work as access port for more than vlans. URL...
I'm trying to setup a port on a catalyst 3750 so it will pass traffic for 2 vlans. It connects to a (watchguard) firewall which I've configured with a primary IP (for vlan 27) and a secondary IP (for vlan 29).
However I can't seem to find the correct commands to enter on the cisco switch port (I've tried a variety).
FYI the current configuration is... interface FastEthernet1/0/38 description ## Connection to WG vlan27 and vlan 29 ## switchport trunk encapsulation dot1q
I got a Cisco 2800 router and am planning to use FastEthernet 0/1 to trunk in 802.11Q VLAN's to cater for some of our radio links. speed and operation of the sub-interface that will be created. Or explain it here. We got a radio link that we want to trunk into this Cisco 2800 and it is suppose to be connecting at 100Mbps but currently operating at around 80Mbps. Reports shows that the max in and out traffic for this link this year till today is 25Mbps. Will it not fail teh CPU etc ?
I would like to configure a 3750 switch port to be able to use two vlans. I know you can do this with a voice and data vlan, but what about two data vlans ? Say I have two devices, one on a 10 subnet and the other on a 172 subnet, but i only have one wall jack for both devices to plug into. So I use a mini switch to connect both devices and connect the switch to the wall jack; and of course this all leads back to one switch port. When I go to enter the switchport access vlan 172 cmd, how would I also make it so the device on the 10 subnet could route out ?
I am a bit confused by the output of 'show run' and 'show run switch-profile' that pertains to a port-channel interface configured in a switch-profile. My main gaol is to find out how can I add/remove the allowed vlans the port-channel (configured as trunk) carries. The setup is like this. I have 2 N5k in vPC domain and Etherner1/11 on both switches is configured as trunk vPC that connects to a core switch. When I issue ‘show run’ for the port-channel and physical interface I get the following output. [code] From above it seems the switch-profile configuration is missing the 'switchport trunk allowed vlan' in the port-channel interface. If want I to remove vlan 30 from the allowed vlan, should I go under the switch-profile mode and remove vlan 30 from the allowed list even though the switch-profile configuration seems to be missing this.
I'm running a couple of nexus 7000 to aggregate a building full of 3750Xs.In the past few weeks I have noticed that the vlans I added to the port-profile never got propagated.So I looked at port-profile sync information and here is what comes up: [code] Why the commands are getting cached?
How to configure traffic flow between computers inside VLANs and a routed port? Here is the setup details:
1. Switch 3750-X 2. VLAN 100 - ( SVI IP address 192.168.100.1 /24) 3. VLAN 200 - ( SVI IP address 192.168.200.1 /24) 4. routed port gi1/0/48 (IP address 192.168.150.1 /24). Note: this port is directly connected to a firewall ASA 5520 port IP 192.168.150.100 /24
Ip routing is enabled on the switch and inter vlan traffic is flowing ok. I can ping the routed port gi1/0/48 from any computer connected in the VLAN 100 or 200. For example computer with IP 192.168.100.25 can ping the routed port 192.168.150.1. Switch can ping firewall port 192.168.150.100 and the 'sh ip route' command shows the network 192.168.150.0 /24 as directly connected network.
any computer in the two VLANs CANNOT ping firewall ASA port 192.168.150.100 Is it because inter VLAN routing does not work with a routed port on L3 switch? I looked up fallback bridging, but it is meant for non IP traffic.The goal is I am trying to set the ASA port as an internet gateway for VLANs.
I am trying to finish a project and i now have a very un-natural networking question, but i figure that this is the correct place to ask it.
Tools: Routing Device = Router. Test App = Creates and Sends Packets through my machine's NIC via NDIS Driver. WAN = Internet. VPN = Connected over WAN.
I am trying to route/forward/nat promiscuous packets "TO" the Internet to finish my project. The packets are not addressed to my routing device, but it must take them and forward them on to a VPN connected over the WAN. The packets are actually created by my NDIS test app. This means that the packets will be generated on my local LAN, but will not contain the MAC or IP of the routing device. So they will only enter my routing device while it is running in a promiscuous mode.. how would you try to route promiscuous packets out to the internet?
upgrading our small office network. We currently have about 75 employees with probably 125 devices on the network. I'd like to create about 10 vlans for the different departments and then configure intervlan routing as needed. Currently we have all unmanaged switches and it's just a huge broadcast storm on the network. We are upgrading our Cisco 800 router to an ASA5505 sec. Plus license. I need some recommendations on switches. Of course, this needs to be done as cheap as possible.... Is there a way to use the ASA to configure all the vlans and intervlan routing and access lists and use a cheaper switch to provide the access layer to hosts?
I have the following config using a Cisco 1921. I am trying to get devices on the the native VLAN to get internet access via the gateway x.x.x.73.Any thing being routed from the other Vlans 15/20/30 can get access, but nothing from an internal IP address. Is there something I am missing.
The Xs replace the same 3 octets for each interface.I am trying to route from VLANs 15/20/30 to see VLAN 5. I have tried a few things, in terms of adding extra ip routes, but can't get anything to work. Each of those Vlans have another router on the other side of them, which I have also tried adding ip routes too, but nothing. One of the routers (Vlan15 is a Draytek 2830). [code]
I have purchased these two switches from ebay as a test lab, I plan to connect them up via a gigastack modulecable and enable ip routing on the c3550 and vlans to talk to each other.
I'm very much a procurve person and really need to get into the cisco switching.I will want to trunklacp between the switches - whats the process is setting that up on cisco switches?
I have a 3560E with 2 vlans that I want to route between. one device with 2 vlans and route between.Interfaces are configured as such:
int g0/11 switchport mode access switchport access vlan 10 int g0/12 switchport mode access switchport access vlan 11
[code]...
Laptops on each port with 10.10.10.2 and 10.10.11.2 configured on them. I can ping from 10.10.10.2 to 10.10.11.1, but not to 10.10.11.2.What do I have to configure to be able to get the 2 laptops to talk to each other?
I am setting up a vm environment for a customer in my lab off site. I have two stacked 3750-x switches, a san, and threes UCS c220 M3S servers for hosts. I am trying to separate the lan traffic, san iscsi traffic, and san management traffic using vlans. The problem is i'm unable to communicate cross vlan with my current config, which I have attached to this post. The only noteworthy things in my conifg is that the ip route 0.0.0.0 0.0.0.0 192.168.83.6 is referring to a switch stack they have on site, that I will connect this stack to using the first two trunk ports on each switch, that I do not have here in the lab. I don't want to cause any confusion in why I have things set a certain way.
The situation include 2 cisco routers an 2 switch 3550
so we have Router A in Vlan x access ----->Sw1----Trunk----Sw2<------Vlan y Access Router B I 've to enable rip1 on guys A and B ONLY !!! Avoiding any kind of tunnel I though it was all around fallBAck bridging ... but after days of tries ...
I have tried to test copy tftp: numerous time with no success. I believe the reason it is failing is my laptop to Ethernet port is in vlan 62 and the tftp process operates in a different IP space.I am using gig 7/1 and configuring my laptop nic for x.x.x.254 mask 255.255.255.0. I can ping from laptop to gateway) and I can ping from the switch to my laptop using ping vrf production x.x.x.254. Can you tell me what vlan I need to set my laptop connection in or if there is something else I need to change to make tftp work on vlan62?Does TFTP only work in vlan1 or can it be changed?
I recently set up a Cisco 881 to cover a small business network. The router is currently set up and working as expected. We recently decided to move to VoIP phones and here is where I'm running into some issues.
First an overview: We run a network with a cable internet WAN connection, this connection is DHCP, however we have a static IP through our ISP. We also have a block of 30 additional IP addresses for one to one mapping as we need them. The new VoIP system is being run over T1 lines throughout the township (we are a municipal organization) and the VoIP system is being run to about 5 buildings in the township.
This brings me to the topic of VLANs. As the phone engineer explained it to me, there is a network set up over the T1 that allows the VoIP equipment to talk to one another and operates all of the VoIP phones on one network. The equipment that is being installed at our building connects to the network over the T1 and "talks" to the other equipment on the network. The engineer wants to create a VLAN and run it on ports fa1 and fa2, with the fa2 port being connected to the actual "MPLS" (their term) that connects to the T1 and into the cloud, and the fa1 port connected to the internal phone switch.
TLDR; The problem is this: When we attempt to set up the VLAN on ports fa1 and fa2, we have no connectivity with the other units in the external VoIP cloud. Pinging while directly connected to the "MPLS" yields successful pings, while pinging from the router with the "MPLS" connected to fa2 yields failures. I'm going to post the running config below, I feel like what we're doing should be working. I asked around about subinterfacing, but others seemed to think this was not necessary.
ROUTER CONFIG Building configuration...
Current configuration : 4909 bytes ! ! No configuration change since last restart version 15.1
I am working on getting my CCNP. The first exam I plan to take is the switching test BCMSN 642-812. Using the 4th Edition Self-Study Guide from Froom, Subraniaman, and Frahim.In Ch-4 it talks about End-to-End VLANs and Local VLANs. I read that section 4 or 5 times and still did not understand the difference between them two.I know one spans across the entire network and the other is local. What do they exactly mean by that?
I have the need to filter multicast between vlans as described below. PIM Sparse-Mode is being utilized for this multicast network and changing any Vlan to PIM Dense mode is not an option.
- Vlan 217 and Vlan 4 should not be communicating on mcast with any other vlan, including eachother (each vlan isolated).
-Vlan 64 and Vlan 80 are able to communicate witch each other on mcast but not with any other vlans (isolated vlan group).
-All other vlans can communicate mcast freely.
What I've created thus far is below. It does not appear to be the most elegant solution and would be difficult for the administrators to adjust as new requirements come along. Yes, I will be adding the appropriate link-local multicast addresses so as to not break routing and other dependent technologies.
ip access-list ext ANY_CONN permit ip any any ip access-list ext MCAST_INTRA_217 permit ip 224.0.0.0 15.255.255.255 133.106.197.32 255.255.224.0 permit ip 133.106.197.32 255.255.224.0 224.0.0.0 15.255.255.255 ip access-list ext MCAST_ISOLATE
We have the need to create a large number of VLANs on one of our networks. We're talking about 60! These will all terminate on a pair of 6509-E switches (building core). We use MSTP as a standard on our network so I'm going to stick with that so that we can dramatically reduce the number of STP instances needed. However, regarding the SVIs (default gateways) is there any reason why creating 60 of these guys would be considerd a big no-no? Or would you expect the 6509s to deal with them like a boss?
I have 10 2950 switches on my network that support only 64 vlans on each one. I actualy have requrement to cleate around 100 vlans acros them, can I switch off vtp and create required vlans manualy? I will have more or less following set up:
I'm unable to pass the required vlans networks to my firewall I have different vlans configured for each floor of the building, All these floors have Nortel switches which are connected to the core switch through fiber link.
I have a Cisco 4507R-E core switch. Config for the core switch below: what else has to be done in order to pass the vlans to my firewalls.
Is this supported on a 3750X ?? A router has two VRFs and its lan interface is a trunk with 2 VLAN IDs, let say VLAN 10 and VLAN 20. The ip address subnet of these two vlans is the same (therefore , they are in different VRFs)
fa0/1 VLAN 10 = 10.15.4.9 (VRF A) VLAN 20 = 10.15.4.10 (VRF B)
This router is connected on a 3750X switch. There is a firewall connected to this switch also, which is default gateway for several VLANs including VLAN 10 (10.15.4.1)
The goal is that VRF B ip can talk to 10.15.4.1 and VRF A can talk to 10.15.4.1 but VRF B can't talk to VRF A (10.15.4.9 <-> 10.15.4.10)
I have a stacked Cisco Catalyst 3750 configuration that currently has one V LAN configured. VLAN 192 - 10.192.0.0/16
The Catalyst has an ip on this range of 10.192.0.1. I would like to configured a few more V LAN's to be able to run some more network ranges through this device. Would it be a case of just adding the V LAN's to the master and then configuring an IP for each V LAN within the inter-v lan routing section? Some V LAN's will require access to each other but not all.
3945 is running c3900e-universalk9-mz.SPA.151-4.M2 3560e is running c3560e-universalk9-mz.150-1.SE
I've got brand new 3945's with onboard 16-port 3560e switches. On the first power up I see that there are several new vlans added that appear to be default vlans..
vlan 2 name fst2 vlan 3 name fst3 vlan 4 name fst4 vlan 5 name fst5 vlan 6 name fst6 vlan 20 name VLAN0020 vlan 21 name VLAN0021 vlan 22 name VLAN0022 vlan 23 name VLAN0023 vlan 99 name VLAN0099
I deleted the vlan.dat and reloaded the switch but these vlans come back. What these vlans are intended for and is there a better way to get rid of them? What does "fst" stand for?
Switch: SG500 VLANS: 1 (default) xxx.xxx.0.0/24 network, 150 (device management vlan) xxx.xxx.150.0/24 network I am plugged into port 1. This is a trunk port with VLANs assigned as follows: VLAN 1 (Default) - UntaggedVLAN 150 (dev mgmt) - Tagged Device is plugged into port 2. This is an access port with the following VLAN assigned: VLAN 150 - Untagged Why is it I cannot communicate with the device on port 2?
Recently purchased 5 SGE2010P 48-port switches to replace older L2 switches. I have 4 switches in single stack and one as a standalone. Both the stack and standalone will connect to at least 1 Dell 2724 switch. Both the stack and the standalone Cisco are in Layer 3 mode.
I have created several VLans on the Cisco switches, and am trying to assign an IP address to the VLan, but cannot seem to figure out the web gui. Each time I try to use Systems > System Management > IP Addressing > IP Interface, then click Add, it simply changes the existing IP of the management interface. So, I'm not sure how to go about assigning an IP Address to an Vlan.
