Cisco Switching/Routing :: 65535-BGP Distribute List Blocking Routers / Configuration Does Not Work?
Jan 17, 2013
Why does the configuration below not work? BGP exchanges routes without a problem all the time the distribute list is removed from the config. When I apply the distribute list, it blocks all routes, not just those intended in the prefix list.
[CODE]....
Apr 26, 2012
I'm trying to create a route-map for an EIGRP distribute list on an N7K. The goal is to not advertise the 10.0.0.0/8 and 172.31.30.20/32 networks out a link to a remote site while permitting all other traffic to the internet (default). I configured the ACL/route-maps below and applied them outbound on the N7K interface, but no subnets at all are being received on the remote site router.
ip access-list DENY_10.0.0.0
10 permit ip any 10.244.244.20/30 <<--WAN interface network
20 deny ip any 10.0.0.0/8
25 deny ip any 172.31.30.20/32
30 permit ip any any
[code]....
Oct 23, 2011
Difference between prefix-list and distribute list?
May 19, 2013
In my core switch, there are 2 VLANs (VLAN 1 & VLAN 2). My switch is a Cisco 4948, so by default IP routing is enabled in it. All my servers (DHCP, HTTP, HTTPS) are in VLAN 1 & the internet is also in VLAN 1.
My requirement is that VLAN 1 users should not communicate with VLAN 2 and vice versa. But the VLAN 2 users need access to all servers and the internet, which are in VLAN 1. How do I configure the access list? I have tried on Packet Tracer, which I have attached.
Note: VLAN 2 users should get their IP from the DHCP server, which is in VLAN 1.
Dec 20, 2012
Recently I've been working with my client to set up their network, and he wants me to limit user internet access bandwidth to 2 Mbps. The topology is shown below.
Users ---> Switch ---> NAT Router ---> (int gi1/0/24 - qos apply) Edge Switch ---> INTERNET ROUTER (12Mbps) --->> INTERNET
This is my configuration, but it doesn't work; the end user is still able to get more than 2 Mbps internet speed.
access-list 100 permit ip any any dscp default
class-map match-all QoS_Floor_Limit
match access-group 100
Mar 26, 2013
We have a 14-office MPLS network. All offices have Cisco 3750s running OSPF, which replicate route tables via our provider's BGP peers. I am introducing a new network in our SF office which is not directly connected, so in SF we have a static route "ip route 172.16.20.0 255.255.255.0 192.168.100.1". I want our other offices to learn this route via OSPF so that they know how to get to the new network. My problem is that, of course, remote sites do not see our static routes, and I have tried to add this via OSPF, but the switch will not propagate this route because it is not directly connected to the switch in SF.
router ospf 1
log-adjacency-changes
network 10.2.0.0 0.0.0.255 area 2.2.2.2
[Code]......
Apr 22, 2013
my client to set up their network, and he wants me to limit user internet access bandwidth to 2 Mbps. The topology is shown below.
Users ---> Switch ---> NAT Router ---> (int gi1/0/24 - qos apply) Edge Switch ---> INTERNET ROUTER (12Mbps) --->> INTERNET
This is my configuration, but it doesn't work; the end user is still able to get more than 2 Mbps internet speed.
access-list 100 permit ip any any dscp default
class-map match-all QoS_Floor_Limit
match access-group 100
!
!
policy-map QoS_Floor_Limit
[Code]......
Jun 25, 2012
I can't figure out how to get the config right for the 802.11n channel to work.
Sep 10, 2012
We've been using IOS for a long time, but are relatively new to NX-OS. We've got a central syslog server that all our devices log to. No matter what we do, we can't get our Nexus switches to log there. Here's my current attempt:
Nexus 7009, NX-OS 6.0(1)
# sh logging server
Logging server: enabled
{redacted}
server severity: debugging
server facility: local7
server VRF: default
[code].....
The default VRF is working. I see log entries in the logfile, but nothing arrives at the syslog server. It's not a config issue on the server, because tcpdump shows that no packets arrive from the IP for loopback 0.
Apr 12, 2012
provide a sample Voice Vlan configuration for the Cisco 2960 POE switch to work with the Non-Cisco IP Phones?
Will these commands work? Vlan 2 is the new voice vlan, Vlan 1 is the data vlan.
mls qos
interface fastethernet 0/1
mls qos trust cos
switchport nonegotiate
switchport mode trunk
switchport trunk encapsulation dot1q
switchport voice vlan 2
priority-queue out
spanning-tree portfast
spanning-tree bpduguard enable
vlan 2
name voice
Feb 20, 2013
I have a new project in a hospital with the below products:
20 X WS-C2960-24TC-S
2 X WS-C3750X-48T-S
2 X WS-C2960S-24TS-S
I need to configure these switches so that first the 2 core switches work for redundancy, then each Catalyst 2960 switch is connected to the core with 2 uplinks, one uplink for each core switch, so that I have redundancy in the connection. Then do I need one VLAN? I need to configure these switches to work perfectly with each other in the best redundancy mode.
May 30, 2011
After adding the below Extended Access-List Entry into my 1841 Router, access-list 102 permit ip host 192.168.1.1 any. I can access the Internet from this client but cannot connect to this client from another branch through vpn tunnels. I can access all other clients that do not have this access-list entry.
May 1, 2013
I've googled and searched here, and I can't seem to find what I'm looking for. I need to make a couple of changes to a client's Cisco 800 series router: enable ping replies and add IP addresses to the SSH ACL. I can't seem to find any basic commands for the CLI anywhere.
Jun 3, 2012
Our clients claim a problem of losing the startup configuration after a power outage, especially with the 877 series. All the routers are configured to store configuration in NVRAM (confreg = 0x2101).
Feb 29, 2012
I have just installed and configured a new RVS4000 with VPN (currently running firmware V2.0.0.3), and have enabled the DHCP Server service. I wanted to be able to distribute a search domain in addition to the IP address and DNS Server information (as I have done with other devices that include a DHCP Server), but cannot seem to locate where or how I might do that with the RVS4000.
Dec 11, 2012
I implemented an access list on a Cisco 3560 switch but it never works. I want to block access from Network B to Network A and allow from A to B.
Network A. 10.0.12.0/24
Network B 10.0.24.0/24
The configuration is
interface Vlan1
description Data VLAN
[Code].....
May 23, 2012
I want to send a particular data stream (source-A destination-B) through only one of two WAN routers to a remote site. The remote site also has two WAN routers. Traffic from source-A will travel through a core and distribution layer of 6500 L3 switches, running 12.2(33)SXH8, to the WAN routers, which are two ASR1006s. The remote end is the same: two ASR1006 WAN routers to 6500 distribution and core L3 switches. All 6500s are L3 uplinked to each other and to the WAN routers. All traffic from the local site to the remote site routes through only one of the two WAN routers. I want to move only traffic from source-A to source-B to the second WAN router to the remote site.
Would it be best to use policy-based routing or an offset list of some sort to accomplish this? I've done PBR before where you just hand off traffic described in an ACL to a particular outbound port and basically hand carry the traffic to a point in the network where EIGRP prefers the route you want.
Oct 4, 2012
I am using an 1841 LAN router. Recently some broadcast is happening in our network when some users are connected. I need to block them automatically by detecting who they are.
I can block them manually, but I want the router to detect them and block them.
Apr 18, 2012
I have a 1921 K9 with a 4 port 10/100/1000 EHWIC switch.
Interface 0/1 = 192.168.1.0
EHWIC = 192.168.5.0
I have Active Directory setup on the 192.168.1.0 network. When I attempt to join the domain from 192.168.5.0 it joins but I get errors. After some troubleshooting using portqry I have found that the services related to class map DomainTrafficUDP are being reported by portqry as being filtered regardless of policy map settings (currently set to allow).
Building configuration...
Current configuration : 18833 bytes
!
! Last configuration change at 11:20:25 NewYork Thu Apr 19 2012 by dave
! NVRAM config last updated at 13:56:45 NewYork Wed Apr 18 2012 by dave
!
[Code].....
Dec 11, 2011
We have a group of computers on their own VLAN. A router allows internet access while keeping them sandboxed. We don't want them accidentally connect to our production network. We blocked their wireless MACs in unauthorized WAPs. I'd like to do the same thing for their ethernet MACs on our switches, (a mixture of 2950,2960 and 2960G currently testing on C2960-LANBASE-M, Version 12.2(25)SEE2). I've been unable to locate the correct method on google, by searching these boards or in the command reference.
What is the best practice for blocking a group of MACs from accessing a particular VLAN on a network consisting of several Layer 2 Switches?
Nov 25, 2012
Blocking ports don't send BPDUs, but they can receive them from designated ports. Can blocking ports hold BPDUs?
I think that blocking ports only receive, analyse and then discard the BPDU. But what happens if the blocking port receives a better or worse BPDU? In this case, must the BPDU be stored?
Apr 11, 2011
I'm looking to implement a VLAN filter to keep unnecessary stuff off my access layer. Things like IPv6, IPX etc. I really only want IPv4, ARP and 802.1q on these 4500s. I know on 3750s, 3560s etc., when I create the MAC access list, I can do it by ethertype, but on the 4500, I don't have that option.
4th_floor(config)#mac access-list extended Drop-traffic
4th_floor(config-ext-macl)#permit any any ?
protocol-family An Ethernet protocol family
<cr>
4th_floor(config-ext-macl)#permit any any protocol-family ?
appletalk
arp-non-ipv4
decnet
[Code]....
Apr 19, 2012
I have an 1800 ISR that is running with port forwarding only. It is running a series of ip nat inside source static address port address port commands. It does not have an access list bound to the outside interface. This is working fine, but I am wondering if this is a security concern?
Nov 18, 2012
We've got 5 remote offices with Cisco 881 routers, Win clients behind them, and all routers connected via site-to-site VPN to a central software router.
Mostly all clients receive IP addresses from routers in their subnets 192.168.x.0/24.
We have a Win DHCP server in subnet 192.168.181.0/24.
The problem is that some of the clients physically situated in the 192.168.10.0/24 subnet receive IP addresses from the Win DHCP server from the 192.168.181.0/24 subnet.
Here's part of cisco cfg:
interface FastEthernet0
no ip address
!
interface FastEthernet1
[Code].....
May 30, 2013
I've run into an odd problem - I have connected two 2960s together with copper on FastEthernet interfaces, and STP on the new switch immediately puts that port into blocking mode. I don't understand why this would be, since there is only one connection between the two, in fact, there is only one connection at all on the switch that is blocking.
Sep 24, 2012
I inherited a Cisco ASA 5505 and am trying to piggy back the device off of an established Network. Here is the basic layout:
192.168.10.1 (Core Router - Handles DHCP/DNS)
192.168.10.9 (ASA 5505 - Piggy backing off of Network)
192.168.40.x (ASA 5505 - VLAN)
I'm able to get onto the Internet without any problems. Devices from the 192.168.10.x Network cannot ping the inside VLAN1 (192.168.40.x). However, I would like traffic going from the inside VLAN to the outside VLAN to be blocked, except for 192.168.10.1 and 192.168.10.9. I've tried using ACLs but end up killing my Internet connection. 192.168.10.1 is the default route and is how I get out to the Internet. Is this possible? Essentially, I'm trying to set up a small Network that guests can connect to. The idea is that they can get to the Internet, but that is it. They can't get to internal resources on the 192.168.10.x Network.
Here is the config:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password EeCsulrpu.9LalEE encrypted
[Code].....
Jun 15, 2013
SG-300 52 native VLAN blocking network packets
Mar 24, 2013
I have a strange issue where spanning-tree is blocking VLANs through a mesh network. Here is my setup.
2 Cisco 3560s that have two trunk ports set with dot1q and a native VLAN of 2. I'm allowing a client VLAN (2) and a voice VLAN (103) to come over the trunk. They have a native VLAN of 2 so the mesh APs can get an address through DHCP. Spanning-tree loop guard is also enabled.
When connected to the mesh network, the voice VLAN is being blocked by spanning-tree. I get the following errors:
000129: *Feb 28 19:24:58.289 EST: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/1 on VLAN0103.
000130: *Feb 28 19:24:58.448 EST: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/1 on VLAN0103.
Eventually the loop is cleared and the port is set back to a forwarding state from a blocking state. I don't want to disable spanning-tree loop guard since I don't want to create a loop. The mesh network is supposed to act as a P2P connection between two switches. As a test I disconnected the APs from their trunk ports. I then used a crossover cable to connect the switches and no spanning-tree loops occurred. The mesh doesn't have STP enabled on it and should just be acting as an over-the-air connection from one switch to another.
Jan 29, 2013
We have a Cisco 2911 router in our company. I didn't set it up myself, nor was I involved. I only started working here recently, a bit over 3 months ago. I have been given an ongoing task which other IT technicians have been struggling with for almost a year, with the idea that maybe, because I'm a fresh person in the company, I will find an original idea why this thing might not work.
Our router has a problem with blocking a single IP address, but not completely. It's hard to explain, but I will try my best. The company is hosting their website externally and accessing the host and FTP on the host on a daily basis. It is important for the website to work on the internal network in the company. It does work sometimes, but from time to time the website shows time-out error 118 at any point before the Cisco router using both http and https; I have tried putting just the IP address (it doesn't matter whether it is on the general network or the last ISA server on the DMZ). I am able to connect to the website using any of the proxy gates but not directly to the website. I have also tested the connection past the router and I was able to connect to the website without any problems. I am also able to ping the host's address from the router and internal network.
I have eliminated the possibility of an incorrectly set up proxy or firewall on the network, as the problem also occurs on the DMZ. I have also checked access lists on the router and firewall rules for any possibilities, and I can't really see why the router would do this.
Apr 25, 2012
I have a connection between switches. They are a 3560 (Gi0/37) and a 2960 (Gi0/1); the problem is in port Gi0/37 of the 3560 switch and this is the log. [code]
I don't understand what the problem is. Actually, I have added the command power inline never on the port and the problem is solved, but we haven't changed the configuration.
Sep 5, 2012
Extended IP access list VLAN20
10 permit tcp any any established
11 permit icmp any any
20 permit tcp any 192.168.20.0 0.0.0.255 eq 80
30 permit tcp any 192.168.20.0 0.0.0.255 eq 443
40 deny ip any any log
[code].....
Above is the network diagram and access list for VLAN 20 and VLAN 30, applied on the incoming direction of each VLAN. But I am still able to access other ports which are not on the access list; I tried changing the direction with no luck. Inter-VLAN routing is enabled on CoreSwitch; the default router is 192.168.10.10.
Jan 15, 2012
I have one Cisco 3750, and I am using it as a core switch to which 6 more access switches are connected directly. We are using VLANs in our network with the IP range of 172.16.0.0. Now we have a new Internet connection which is dedicated to the Exchange Server only. So we have two Internet connections: one for Internet access for all users and another one for the Exchange Server only. The Internet connection for the users is terminated at a Cisco 1700 Series Router, and the Internet connection for the Exchange Server is terminated at a Cisco ASA Firewall. Now the problem is how I can write an access list which says that all packets from the Exchange Server should be routed to the ASA Firewall, and all other packets should be routed to the Cisco Router. The IP addresses of the Exchange Server are 172.16.2.1, 172.16.2.2.
Dec 26, 2011
How can I create a top 10 list of the most popular websites that users connect to through the ASA Firewall?
I have enabled HTTP inspect and set up a syslog server (Splunk) that collects all HTTP entries in the log, but I don't know how to create a top list in Splunk (don't know if it is possible).
Is there a better way to do this? E.g. URL filter with Websense or IPS.