Cisco Switching/Routing :: 6509 PBR Configured With Missing ACL
Apr 1, 2012
We have a working PBR route map on a 6509 switch and a 3750 switch, each in a different location. On both devices, the route-map is configured to match on one of multiple ACLs, then set the next hop to a directly-connected IP address, like so: [code]
When copying in the ACL contents for "ACL20", they were accidentally copied into the ACL1 list, and ACL20 was never created. Shortly after this was done, the next hop router went unreachable in both locations. Pings failed and the 6509 and 3750 each lost the EIGRP adjacency to the 1.1.1.5 router. After troubleshooting, I removed "match ip address ACL20" and connectivity returned.
My question is: if a PBR route-map tries to match on a non-existent ACL, what happens? Does it mark the next hop unreachable (even though it's directly connected), or does it match ALL traffic and send *everything* there (thus making it appear unreachable, as if a broadcast storm were happening)?
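An added configuration example, not the poster's stripped [code] block: the general shape of a PBR route-map that matches on several named ACLs, with every referenced ACL defined before the route-map names it, and the show commands that expose a reference to an ACL that does not exist. The ACL names and the 1.1.1.5 next hop follow the post; the subnets, the VLAN interface and the route-map name are assumed.

```cisco
! Define every ACL the route-map will reference BEFORE the route-map.
! (Assumed subnets; only the ACL names come from the post.)
ip access-list extended ACL1
 permit ip 10.10.1.0 0.0.0.255 any
ip access-list extended ACL20
 permit ip 10.10.20.0 0.0.0.255 any
!
! Several ACLs on one match line are ORed: a packet permitted by either
! ACL is policy-routed to the directly-connected next hop.
route-map PBR permit 10
 match ip address ACL1 ACL20
 set ip next-hop 1.1.1.5
!
interface Vlan10
 ip policy route-map PBR
!
! Verification after any ACL edit: every name listed under "Match clauses"
! in the first output must also come back from the second. A name the
! route-map uses but "show ip access-lists" does not know is the dangling
! reference.
! show route-map PBR
! show ip access-lists ACL1
! show ip access-lists ACL20
```

The "Policy routing matches" counter that show route-map prints is the quickest signal that far more traffic than intended is being policy-routed after a change; it only counts packets policy-routed in software, so on a 6500 with hardware PBR it can stay low even when the hardware path is sending everything to the next hop.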
In the following scenario, how will the 2950/2960/2960S series behave:
- VTP server/domain configured on a 6509
- An access switch (2960) currently configured in transparent mode with all the VLANs it requires
Will the switch drop any traffic if we change it from transparent to client mode, given that the VTP server has exactly the same VLANs defined as the access switch had when it was in transparent mode?
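An added example, not part of the original post: the checks a practitioner would run on both switches before and after the mode change, and the change itself. The domain name and password are assumed.

```cisco
! On the 2960 (still transparent) AND on the 6509 (server), record and compare:
!   VTP Domain Name, Configuration Revision, Number of existing VLANs
! show vtp status
! show vlan brief
!
! A switch in transparent mode advertises nothing and reports revision 0,
! so it cannot overwrite the server's database when it becomes a client.
! The check matters in the other direction too: a client whose revision is
! HIGHER than the server's replaces the server's VLAN list for the whole
! domain, which is the classic way a VLAN database gets wiped.
!
! Join the domain as a client; domain name and password must match the server.
vtp domain CORP
vtp password s3cret
vtp mode client
!
! Afterwards the client's revision tracks the server's. Compare the VLAN
! list against the one recorded before the change: a VLAN that existed on
! the transparent switch but is absent from the server is removed locally,
! and any access port assigned to it shows up as inactive.
! show vtp status
! show vlan brief
! show interfaces status
```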
I currently have a couple of 6509 chassis (routers/switches) with the following hardware blades:
- 3 x 48-port line cards
- 1 x NAM
- 2 x Sup720
Running 12.2(18)SXF3. I am keeping the four Sup720 modules and have purchased new versions of the other blades, including two new 6509-E chassis. Can I take my standby Sup720 out of the production machine and insert it into the new chassis?
We have a Cat6509 with an FWSM. We pass several VLANs to the FWSM; all L3 is assigned to the FWs. In the Cat6500 log we have received the message %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks when we configure 2 VLANs on a trunk to an ESX server (these 2 VLANs are already assigned to the FWSM). The idea is to share an interface to an ESX server with several VLANs, some of which are also assigned to the FWSM.
I have a few 3560Es running version 12.2(50)SE2. Can these boxes be configured to run VRF? I see a "sho ip vrf" option, but I do not see it available under config t. Do I need to do an IOS upgrade to be able to configure VRF?
We had a power shutdown activity last week, during which one of the core switches was turned off and on. After the core switch was turned on, we found that some of the ACLs that were bound to VLANs were missing. We had issued a write command before this power shutdown activity. We need to find the root cause for this.
I have a 2960S all configured, with VLANs, port configurations and so on. Now I bought another 2960S and two stack modules to create a stack with these 2 switches. Let's call them:
- Switch1 (already configured and in production)
- Switch2 (new switch, not configured)
Can I connect these two switches in a stack without losing the configuration of Switch1 and without turning that switch off? Will users keep their access?
I've created the VLANs in the database, but it tells me that there are no VLANs configured when I issue the command. Both VLAN 110 and 111 show status down/down. Below is my config:
I'm working on my CCNA. I purchased an old router 2610 with two ethernet ports. I configured the IP addresses on the interfaces and added the default gateway. I configured NAT to go out my ATT DSL router to the internet. With the 2610, I'm able to ping the back end or internal DSL router, but I can't ping the front end, external router, or out to any internet site such as google.
I am trying to figure out what is heat dissipation of a C6509-E configured as follows:
- 1 x WS-C6509-E-FAN
- 1 x VS-S720-10G-3C
- 1 x VS-F6K-PFC3C
- 8 x WS-X6748-GE-TX
- 8 x WS-F6700-DFC3C
- 2 x WS-CAC-6000W
I have tried two ways: 1) the power calculator and 2) manual calculation using the C6500 installation guide.
1) The power calculator says 13630 BTU/h.
2) The manual calculation says: [code]
There should also be the two PSUs in the picture, and the new total should be: [code] Well, 62711 BTU/h looks quite a bit too much, and I think that the heat dissipation of the power supply shouldn't be considered in the calculation. Isn't it an item that takes power from the grid and generates heat according to its efficiency, like the other modules?
We are trying to test multicast between VRFs configured on Nexus 7Ks. Two Nexus 7Ks are configured for vPC. The multicast server is in one VRF, whereas the receiver is in another VRF. The two VRFs are connected to each other via a Checkpoint firewall (Active/Active cluster in unicast mode). All routes have been established and connectivity tested between the multicast server and the receiver using ICMP.
Using the Windows mcast.exe tool, a multicast stream is generated from the server (in one VRF), intended to be received by the receiver (in the second VRF). Every time, only one multicast packet is received by the receiver and all the remaining packets are dropped. The server and receiver are virtual machines on the same VMware chassis, which is connected to two Nexus 5Ks (vPC configured).
I have a switch that I have configured for jumbo packets, but they don't seem to be functioning. I have set system mtu jumbo 9000. The hosts are connected via 2x EtherChannel links. The hosts are jumbo frame enabled, and can ping their own local address using jumbo packets with the do-not-fragment flag set on the pings. They cannot, however, ping each other or the switch that way; it always says that the packet requires fragmentation. I know the attached machines (they're all VMs) and virtual switches support jumbos because I can ping within the virtual interfaces of the VMs. It's just traffic that goes over the switch that fragments. The switch is a WS-2960G-48TC. Here are the various outputs, with a section of config at the end.
hrnacancwtdevs3#show system mtu
System MTU size is 1500 bytes
System Jumbo MTU size is 9000 bytes
System Alternate MTU size is 1500 bytes
Routing MTU size is 1500 bytes
This is how my switches are configured, a Cisco 3750 and a Cisco 4506: [code] I can ping the gateway from the 3750; however, I cannot get anything past it, or anything to it.
I have two Cisco 4506's running cat4500-ipbase-mz.122-50.SG3.bin. Periodically, when attaching a new workstation to these switches, the MAC address of the device disappears off the port when the device is connected or the port is configured. The only way to correct the issue is to do a hardware reset on the blade or reboot the switch. After resetting the blade or rebooting the switch, the devices will start showing up on the port and connect. This does not affect devices that are already connected to the switch, just newly added devices.
Both switches are populated with WS-X4148-RJ45, WS-X4148-RJ45V and WS-X4248-RJ45V blades. It doesn't matter which blade the new device is being connected to. I believe that this may be a "Bug" but have been unable to locate one.
I configured port security on my 2960 switches with the following commands: [code]
The problem is that when I have to change someone's PC, I first disable port-security, then clear all the MAC addresses learned on the interface, then plug in the new PC and enable port-security. The new PC cannot connect to the network and its MAC address has not been learned on the interface. Why? Which commands should I use to clear the old MAC address and enable port-security with the new MAC address?
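An added example, not the poster's stripped [code] block: a typical 2960 port-security configuration for an access port, followed by the commands a practitioner uses when the PC behind that port is replaced, and the checks that show whether the port is err-disabled or the new MAC has been learned. Interface numbers and VLAN are assumed.

```cisco
! Port-security on an access port: one MAC address, learned dynamically
! and written into the running-config as a sticky entry.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! Once learned, the old PC's MAC is a static line under the interface:
!   switchport port-security mac-address sticky 0011.2233.4455   (example value)
! Disabling the feature does not remove that line. Clear it explicitly
! before the new PC is connected:
! clear port-security sticky interface GigabitEthernet0/1
! (for non-sticky, dynamically learned entries)
! clear port-security dynamic interface GigabitEthernet0/1
!
! With "violation shutdown" a second MAC puts the port into err-disabled;
! it then needs a shutdown / no shutdown (or errdisable recovery) before
! any new host can come up at all:
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Checks after plugging in the new PC:
! show port-security interface GigabitEthernet0/1
! show port-security address
! show interfaces status err-disabled
! show running-config interface GigabitEthernet0/1
```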
and I see the output "show interface Po4A" up/up on switch-1, and "show interface Po4B" up/up on switch-2
5.- Po4A and Po4B do not appear as configured in the show running-config; they only show up in the outputs.
6.- Po4A and Po4B were not configured on either switch. My question is why Po4A and Po4B appear on switch-1 and switch-2 respectively, and why Po4 appears down/down.
7.- I solved this issue by doing a shutdown and no shutdown on the interfaces on both routers; currently all is OK.
I am currently doing an audit at a customer site, i.e. I am checking whether any IOS upgrades are needed. I have found that a lot of the IOS versions the customer is running are no longer available in the Cisco Software Download area. Taking IOS 12.2(44)SE2 for the 3560 as an example: some earlier and later versions are available as downloads, but this exact version is not. It is also not listed as a deferred version. What exactly is Cisco telling us with this? Are these "missing" versions not supported anymore, i.e. is an upgrade to a supported version advisable?
I have a 867VAE-K9. On feature navigator it is listed as supporting OSPF. However when I go into config mode and type "router ?" BGP is there, but OSPF is not. Also, under my tunnel interfaces there is no support for any OSPF commands such as "ip ospf cost" etc. I'm in the process of raising a TAC. I have tried five or six different versions of IOS code that is available for this device, in each, we never see OSPF listed but sometimes see "router odr" or "router lisp"...
I've got two routers, Cisco 2911's with 15.1(4)M1 on one and 15.0(1)M5 on another.
I'm trying to set up IP SLA for VRRP tracking, but the commands seem gimped. I don't even have an option for ip sla <operation number>. All I've got is ip sla responder/server/key-chain.
I just loaded the web interface IOS on a C3750X. The first thing I noticed was there was basically no web interface. I can look at things, and do default configurations on ports, but it doesn't appear I can configure VLANs or QoS or anything like that.
Am I missing something, or is this just how the web interface functions?
We have a DHCP server implemented on a Cisco 2610 router. This router is connected to a Cisco 2960 switch configured with DHCP snooping. The following log message appears on the switch: [code] The IP address 10.100.200.1 belongs to the DHCP server configured on the Cisco 2610 router. What should I do so that these log messages no longer appear? Do I need to make configuration changes on the switch or the router?
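An added example, not the poster's configuration (the log line itself was stripped from the post): the usual shape of a DHCP snooping configuration on a Catalyst 2960 when the DHCP server sits behind one specific switch port. The VLAN number and interface numbers are assumed; the server address 10.100.200.1 is the one from the post.

```cisco
ip dhcp snooping
ip dhcp snooping vlan 100
!
! The switch inserts DHCP option 82 into relayed requests by default.
! A server or relay that does not expect option 82 can reject or log
! those requests, so turn it off unless a relay downstream needs it.
no ip dhcp snooping information option
!
! The port facing the 2610 (10.100.200.1, the DHCP server) must be trusted:
! OFFER/ACK messages arriving on an untrusted port are dropped and logged.
interface GigabitEthernet0/24
 description uplink to 2610 (DHCP server 10.100.200.1)
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default). Rate-limiting DISCOVERs there
! stops a single host from flooding the server without affecting the uplink.
interface range GigabitEthernet0/1 - 23
 ip dhcp snooping limit rate 15
!
! Checks: trusted ports, per-VLAN state, and the binding table the switch
! builds from the OFFER/ACK exchanges it now lets through.
! show ip dhcp snooping
! show ip dhcp snooping binding
```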
I'm trying to type the command (config)#spanning-tree mode rapid-pvst on my Cisco 2950, but (config)#spanning-tree mode ? only shows me one option: pvst. I've checked the Cisco support page, which suggests my version of IOS should support rapid-pvst.
Switch_1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
I have one VLAN on a 3750 where I do not see any MAC addresses even though it is in use. This is an unrouted VLAN between a WLC on a port-channel/LAG and an access port to an ASA for guest traffic. When I do a show mac add I get nothing for VLAN 60 (guest DMZ), but all other VLANs seem to be OK. Spanning tree is not showing TC counters incrementing either.
I was also told that when a port is put on this VLAN, the laptop did not get a DHCP address from the ASA, but the wireless guest clients are working fine. I can see the DHCP leases and ARP entries in the ASA, and the ASA's ARP entry in the WLC, so some traffic is passing fine. I'm not onsite right now, so troubleshooting is all remote, which limits some options.
I have got an L2 link of 512 kbps from each of two different ISPs. I want to aggregate the bandwidth of these connections so that it feels like a 1 Mbps connection. I am not actually talking about load balancing, but bandwidth/link aggregation. Can we have a failover solution with a different VLAN from each ISP? Can we make the links appear as a single link?
After deleting the configuration with "write erase" and reloading, our Cisco Catalyst 4503 with version cat4500e-universal.SPA.03.02.00.XO.150-2.XO.bin and an ipbase license doesn't recognize any command regarding SSH. We tried configuring an SSH key with "crypto key generate", but that command is not recognized either.
I recently rebuilt the configuration of our Cat6500 multilayer device for use as a user stack. The device is functioning as it should be, but I am unable to set up SSH using the 'crypto key generate rsa' command. The crypto command isn't available at all, which suggests a firmware issue.
I have configured a hostname and ip domain-name, and the image is the only one available.
The show version output is listed below.
show ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICES_WAN-VM), Version 12.2(18)SXF12, RELEASE SOFTWARE (fc2)
Technical Support: [URL]
Copyright (c) 1986-2007