Cisco Switching/Routing :: 6509 Switch To Restrict Access To Sensitive Vlans
Feb 20, 2012
We have a network of 30 VLANs and currently all the VLANs have access to everything. We are using a Cisco 6509 switch for Layer 3 routing. I would like to prevent some VLANs from accessing the server VLANs. How can I restrict access to the server VLANs? Do I need to implement access-lists on the 6500 switch, or do I need to create VLANs on the firewall so that all traffic is filtered?
Jun 4, 2012
We have a network of 30 VLANs and currently all the VLANs have access to everything. We are using a Cisco 6509 switch for Layer 3 routing. I would like to prevent some VLANs from accessing the server VLANs. How can I restrict access to the server VLANs? Do I need to implement access-lists on the 6500 switch, or do I need to create VLANs on the firewall so that all traffic is filtered?
Mar 9, 2010
Is it possible to have multiple dhcp pools for multiple VLANs? The switch is a 6509 and/or 4506 catalyst. I don't want to use server-based products.
Feb 22, 2012
I have a small Cisco switch cluster (seven different 2924 and 3524 Cisco switches) with a 3550 as the cluster control, which does all the inter-VLAN routing. That works fine.
This cluster is in a semi-production PBX interop testing lab. This is a closed network without internet access and not connected to our corporate network. However, now I have to add this capability so some equipment in the lab can get Microsoft updates over the internet.
I've created a port on a 3550 (fa0/19) and connected it to another network that has internet access. It picked up an IP address, and when I'm logged in to the 3550 I can ping hosts on the outside network. However, I can't ping any hosts on that network from any hosts that are connected to my VLANs. I've tried a few different things, but still can't make it work.
Here is a short version of my 3550 configuration:
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
[code]....
May 8, 2012
If I dual connect my access switch to my 6509s running vss, what will happen, will spanning tree still block one of the ports if I don't set up an etherchannel?
Mar 18, 2012
We have the need to create a large number of VLANs on one of our networks. We're talking about 60! These will all terminate on a pair of 6509-E switches (building core). We use MSTP as a standard on our network so I'm going to stick with that so that we can dramatically reduce the number of STP instances needed. However, regarding the SVIs (default gateways), is there any reason why creating 60 of these guys would be considered a big no-no? Or would you expect the 6509s to deal with them like a boss?
Feb 7, 2012
Configuring FWSM in a 6509. When I set "firewall vlan-group 40 40-42,251", it results in: "No more than one svi is allowed. Command rejected.".
I had "firewall multiple-vlan-interfaces" set for a previous use of this module, but took that off with the "no" command. Suspect that is the issue, but do not see how to resolve. Seems similar to bug CSCsr48563, but I am at the fixed code for that bug.
Jun 10, 2012
At a small boarding school we have the students living in several small houses, each equipped with an AP. Each AP serves 4 VLANs. I want to restrict the switch for these APs in a way that keeps the students from removing the AP and connecting their own equipment. I tried using the secure port feature on the SG300, but that had the result of allowing the AP but denying all the users connected to the AP. The switch is a SG300-28P placed in L3 mode.
Nov 2, 2011
3945 is running c3900e-universalk9-mz.SPA.151-4.M2
3560e is running c3560e-universalk9-mz.150-1.SE
I've got brand new 3945s with onboard 16-port 3560e switches. On the first power up I see that there are several new VLANs added that appear to be default VLANs:
vlan 2 name fst2
vlan 3 name fst3
vlan 4 name fst4
vlan 5 name fst5
vlan 6 name fst6
vlan 20 name VLAN0020
vlan 21 name VLAN0021
vlan 22 name VLAN0022
vlan 23 name VLAN0023
vlan 99 name VLAN0099
I deleted the vlan.dat and reloaded the switch but these VLANs come back. What are these VLANs intended for, and is there a better way to get rid of them? What does "fst" stand for?
Oct 14, 2012
I am using a Catalyst 2970 switch for 2 VLANs: corporate data and a separate VLAN for backups. What I want to do is create an LACP EtherChannel to the switch and also trunk these ports so the server is part of both VLANs. Due to the fact that some of these servers are on totally separated networks, they really shouldn't be able to talk to the backup server. Creating the VLAN for backups works to achieve this. I plan to create inbound ACLs on each port to allow only the ports and IPs for the backup network and allow everything we need for corporate data. I read somewhere that you can't have ACLs on an EtherChannel and I just want to get it all straightened out. I notice I can't add an access group to the port-channel itself but I can on the port-channel member ports. Is this all I need to do or does this not work?
Nov 8, 2011
I'm trying to setup a port on a catalyst 3750 so it will pass traffic for 2 vlans. It connects to a (watchguard) firewall which I've configured with a primary IP (for vlan 27) and a secondary IP (for vlan 29).
However I can't seem to find the correct commands to enter on the cisco switch port (I've tried a variety).
FYI the current configuration is...
interface FastEthernet1/0/38
description ## Connection to WG vlan27 and vlan 29 ##
switchport trunk encapsulation dot1q
[Code].....
Jun 13, 2013
I have 6500 with this STP configuration:
spanning-tree mode rapid-pvst
no spanning-tree vlan 1-4094
I need to enable STP on vlan 100 and vlan 103.
When I do "spanning-tree vlan 100,103 root primary" and then "show spanning-tree", I see that STP is not enabled on these VLANs (100,103).
I tried to do "no spanning-tree vlan 1-99,101,102,104-4094" and it does not work.
Is there a way to enable STP on VLANs 100,103 without doing "spanning-tree vlan 1-4094"?
Feb 20, 2013
Is it possible to configure both a Catalyst WS-C2960-24PC-L and a Cisco SG300-28 switch to work together for VLANs for voice and data? If yes, can you give me the resources which I can refer to?
Apr 1, 2013
I am trying to use a Tekradius Windows 2008 server to AAA-authenticate switch admin logins. The RADIUS server and 6509 loop0 are in a management VRF "netman". I can happily ping to and from the server and loopback0 interface without issue. I have also tested the RADIUS server account using RadiusNT on a workstation. I get an accept reply with the following variables:
shell:priv-lvl=15
NAS-Prompt
Here are the relevant parts of my config as far as I can see:
aaa new-model
aaa group server radius SRADIUS
server-private 192.168.1.101 auth-port 1812 acct-port 1813 key cisco
ip vrf forwarding netman
ip radius source-interface Loopback0
!
aaa authentication login default group SRADIUS local
[code]...
Sep 20, 2012
I'm having a strange problem on a 6509 switch. I am trying to use a Tekradius Windows 2008 server to AAA-authenticate switch admin logins. The RADIUS server and 6509 loop0 are in a management VRF "netman". I can happily ping to and from the server and loopback0 interface without issue. I have also tested the RADIUS server account using RadiusNT on a workstation. [code]
Jan 21, 2013
I have a 6509 running CatOS that I had to do some routing changes on this weekend. I guess I forgot to set the default route, so now I can't log in or ping from outside the local subnet, and because of ACL restrictions on the vty lines I can't log in from a device within the local subnet. I can log in to the sup module, so I'm trying to figure out if there is a way to get to the switch from the sup, like you would access the sup from the switch by inputting the command session 15 or session 16. Is there a way to do the reverse to get to the switch from the sup?
Feb 6, 2013
I have a number of 6500 switches and we are in the process of getting the support contract renewed. Now, when I buy support for my 6500 series switches, do I have to inform main module serial numbers (only this one), or do I also have to inform about sub-module serial numbers to my support vendor?
Jul 31, 2012
Suffered a big outage on the network; the fix was to reload module 3 on the 6509 switch. We had these errors in the log: %CONST_DIAG-SW1_SP-3-HM_PORT_TEST_FAIL: Switch 1 Module 3 TestUnusedPortLoopback Port(s)[24,46] failed. System operation continues. In the end, we reloaded the card and it was all OK. Is there anything I can do to check the card, or any deeper logs? Would that error cause the card to crash?
Aug 28, 2012
I have a 6509-E chassis that was previously in a VSS configuration. Due to some VSL failures I had to convert it to a standalone chassis but would like to bring it back to a virtual system.
Whenever I try to convert it by using the command "switch convert mode virtual" I get the message "%Please configure local switch number first". After doing so by entering the CLI command "switch set switch_num 1 local" I still get the same message.
Feb 21, 2012
In my 6509 switch, when I checked, it is showing something like this:
RDCCI65F0#sh environment
environmental alarms:
no alarms
backplane:
operating clock count: 2
[Code].....
Jan 13, 2012
I have configured a Cisco 6509 to do NAT and it's not working. Static NAT is working perfectly fine. Below is the config.
May 16, 2010
I have one Cisco 6509 switch in my store. I tried to log in to that switch but couldn't. Once it's booted it's asking me: rd: . Find the attachment. I recover the password by changing confreg value but that also failed.
Dec 11, 2012
How does a 6509 pair handle the loss of the other VSS switch, and what happens when the other comes back on?
May 19, 2012
I have a 6509 that has dual SUP32s. Just want to make sure and give a reason (if there is one). Slot 6 always becomes the active hot on a full reboot, meaning from no power to the whole switch to powered on. What is the election process for Supervisors?
Feb 6, 2013
I am doing a deployment of a Cat 6509.
Any checklists that they fill in pre-deployment, i.e. card failover tests etc.?
Nov 22, 2011
I am confused about how ACLs respond on a normal Cisco switch (e.g. 6500) when applied on respective VLANs. This is my scenario: on a 6506, I have 2 main VLANs in question: Vlan 100 ( vendor1 - 172.16.100.0/24 ) & Vlan 200 ( vendor2 - 172.16.200.0/24 ). The requirement is:
- vendor1 should be able to access/ping vendor2 end points
- vendor2 should not be able to access/ping vendor1 end points
Now, if I ping from a host 172.16.100.11 in VLAN 100 to another host 172.16.200.21 in VLAN 200, will I be able to get a successful response?
Jul 5, 2012
I was trying to uplink a switch today on a 1500m run of SMF. I have a 6509 core switch with a 16 port GBIC module. On that end I have a WS-G5486-LX with a 3m SC to LC patch cable. On the other end I have a 3750G with a GLC-LH-SM SFP. I have checked my fiber path and it seems good (by sight, did not have an OTDR available). I can't get the link up at all. Tried swapping Tx Rx at one end. Tried different transceivers. Tried different patch cables. Nothing worked. At about the mid-point of my fiber run the cable passes through another network closet with a core switch for a separate network. If I break my fiber path there and try to connect in either direction it works. The only differences are the length of the fiber run and that the core switch on the other network has a CLC-LX-SM SFP. Is it the distance? Or is there some issue connecting a GLC-LH-SM to a WS-G5486-LX?
Apr 16, 2012
I have one of my switch modules that shows PwrDown when I issue the command show mod.
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 9 Supervisor Engine 32 8GE (Active) WS-SUP32-GE-3B SAD09120263
2 48 48 port 10/100/1000mb EtherModule WS-X6148-GE-TX SAL1029VWZ5
[Code]....
I tried disabling the diagnostic monitor for the module, did a power enable module command and then reset it but it still fails. This is the third blade that I am replacing in a few weeks and I still get the same error. I am persuaded that it is not hardware, since it is the third blade in a matter of weeks. After the module reset, I receive this error: % module 3 is operationally off (FRU-power failed)
Could an IOS upgrade solve this issue? Are there any IOS-related bugs?
Apr 7, 2012
My problem is that I have a Cisco 300 series small business switch with multiple VLANs, each one with an IP address and two or three ports assigned to each VLAN. I have an E3200 wireless router that I want to use to share internet on the switch. All of the VLANs are reachable from the other VLANs and I've put a static route on the E3200 so that I can reach the VLANs from a machine connected only to the router. But I can't reach machines on the other side of the router or get to the internet from the switch.
Nov 28, 2012
We have a Cisco Catalyst 6509 with a Supervisor Engine. After a power outage, the switch always starts in ROMMON mode. The configuration register is 0X2102; we want it to always start in normal mode. What should I do?
Nov 30, 2012
I need to replace a faulty fan unit on the CatOS WS-6509 switch. This CatOS switch does not support show inventory, so are there any other CatOS commands which will show me this part ID?
Jan 25, 2012
I already have one internet connection connecting directly to the core switch 6509, and the switch routes any internet request with a default route:
SW6509-conf)# ip route 0.0.0.0 0.0.0.0 10.170.10.10
10.170.10.10 is --> Next hop for the DSL router internal IP, and it's working fine.
We have a new internet connection with another ISP, with another DSL router. How do we connect both of them to exit from the core switch 6509?
Is it OK if I make another default route to the next hop of the new DSL router, as:
SW6509-conf)# ip route 0.0.0.0 0.0.0.0 10.80.10.10
10.80.10.10 is --> Next hop for the new DSL router internal IP.
Oct 14, 2012
I recently ran an upgrade on my 6509-E's and when the first switch came back up, 3 of the 10/100 switches that were in the chassis did not power on. After further investigation, these models are not supported by this latest IOS version. The module # is : WS-X6248-RJ-45
We have one WS-X6348-RJ-45 and since it was a few weeks ago I did this I can't remember for sure but I believe this one came up.
Where can I find the information regarding this being unsupported? I know it is out there, and any page that showed me that this was unsupported with the latest stable IOS of 12.(33).
In addition to this question, I have approval to purchase some newer gigabit switches that will be supported by this new IOS version and hopefully at least the next few over the next few years. Which specific gig models are currently and hopefully should be supported for the next few years? I don't need PoE or anything spectacular, just regular switches that are attached to either servers or virtual hosts. I've been looking at the lists of what is out there and it seems like there are hundreds of different models and it is becoming difficult to determine what is what.