Cisco Switching/Routing :: C6500 Filter ARP Answer On 802.1q Port For Specific VLan
Oct 10, 2012
I am trying to filter ARP answer arriving on a C6500 trunk port, for a specific vlan.Filtering conditions are:
- packet arrive from vlan ID x on the trunk (on only for this vlan ID)
- source MAC address = xx:xx:xx:xx:xx:xx
Thae aim is that the C6500 with never enter into its CAM table this MAC address.I looked at several methos like service policy or vlan filter, but no solution for the moment.
I am attempting to filter a specific host(s) from my OSPF routiing table on a ASA 5550 (ABR) using LSA prefix lists. However, when I look at the other routers in that area, I notice that ALL LSA type-3's are being removed (10 hosts are now missing from the routing table). I have verified the filter is working on the ABR, but I can't figure why ALL hosts/routes that were coming into the area are now being filtered instead of the specific one that I want to filter out.
Here is the config on the ABR:
prefix-list pdm_pl_000 seq 10 permit 206.253.180.137/32 ! ! router ospf 1 network 10.0.0.0 255.255.255.0 area 0 network 10.150.10.0 255.255.255.0 area 10 network 10.150.252.0 255.255.255.224 area 10
[code]....
The 206.253.180.137 host is actually coming from Area '3'. Am I doing something that is removing all type-3 LSA's?
I'm decommissioning my SonicWall PRO 3060 and upgrading to an ASA5550 (we're increasing our WAN link speed to 1Gig and need the 5550). In any case, I want to copy over the configuration from the PRO to the ASA. I have everything documented and I've started doing the changeover, but in looking at some other network diagrams on the net I'm seeing router symbols between the LAN switches and the ASA and I'm beginning to worry that I might need routers to do this which, of course, would increase cost quite a bit.
So my question is this: If I have a core switch carved into multiple VLANs and I connect each VLAN to a port on the ASA, will I be able to route and filter traffic from VLAN to VLAN through the ASA? If so how, in general, is this accomplished (I'm betting ACLs). I think that the ASA will be able to do this easily, but I just want to be sure before I get too far into the configuration of this unit,.
is it possible to shutdown a specific port on my 3750x and monitor this port at the same time .for example , im dealing with a mac authenticated network using port security , i want to shut down all the ports that are not used at the moment , however , if some one gets connected to the one of the shutdown ports i want to know the mac address of the user or atleast to know that i have someone who is just plugged in to the one of the shutdowned ports .
Have a quick question regarding inter-vlan routing on a 3750. Overview of network is ISP --> ASA --> 3750 (acting as my core and default gw). I have 5 vlan interfaces on my 3750, all w/ 192.192.x.x subnets, a 6th w/ 192.168.100.x, and a 7th w/ 192.168.200.x. I have enabled "ip routing" on the switch and can successfully ping from subnet A to subnet B as long as both devices are using the correct DG for their vlan, which is the switch. I have a few ports that are trunked as well that go to ESX hosts which break out the vlans according to the subnet the vm should be attached to. The ASA is set to nat internal traffic for all the vlans.
Now my question: short of applying an ACL to each vlan interface to block traffic from other 192.192.x.x subnets is there a better way to accomplish this? I want my 192.168.10.x subnet to be able to reach all the subnets, but don't want 192.192.10.x to be able to talk to 192.192.20.x for example. I was thinking to create an acl like this:
access-list 120 permit ip 192.192.10.0 0.0.0.255 access-list 120 deny ip 192.192.0.0 0.0.255.255 192.192.10.0 0.0.0.255access-list 120 permit ip any 192.168.100.0 0.0.0.255 192.192.10.0 0.0.0.255
and then applying this to the interface for the appropriate vlan.
Need to limit the amount of bandwidth a specific VLAN can use on a 802.1q trunk port. Situation is that we have a pair of Catalyst 4506 switches which have 802.1q trunk ports into a Checkpoint Firewall, this in turn is connected to a managed WAN router (to which I can't apply a QoS policy).If the 4506 was routing the traffic it would be easy to setup a class-map to match the IP traffic and then QoS the traffic, but the VLAN in question is trunked directly into the firewall (no L3/IP presence on the 4506 next hop for all clients on this VLAN is the firewall).What I need to do is restrict any traffic from this specific VLAN to 10Mbps on the uplink to the Checkpoint Firewall so it cannot impact the onward WAN.
Im wondering if the Adaptive Security Services Module has some of the same function as a ASA 5500.Can we configure a IPSec VPN tunnel, SSL VPN tunnel or IPS on a C6500 with ASA-SM or do we need a specific line card for those tasks?
We have Cisco Cat4503 series L3 Switch and Cisco L2 2560 Series Switches, some of the users want to have a dynamic VLAN membership, and connecting with the network as mobile users,
can it possible and create dynamic VLAN for specific group of users.
I have couple C2960G and C3750. Is there any way to filter (on ingress port) type of traffic? I would like to allow IP only, and discard (i.e.) IPX, or other garbage, that any device can produce.I have tried to find something about this, but only thing I have found is feature : protocol filter, which doesn't seems to be working on my hardware.
when plugging a Cisco 7060 to the specific switch port it does not power on. The inline power consumption is abnormally high compared to the other phones that are plugged in, maybe double the amount.
Ask this question, if someone came across a 6513, one of the RJ45 ports are constantly falling.The question is how to disable logging on a specific portno logging event link-status does not work.
We are using catalyst 2960S Lan Base IOS on Radio towers. We just bought 50 Accest points, thas are GPS synchronized. Problem is the APs need to be connected on L2-mac betwen each other. But at this time we are using port isolation on each switch (tower) by protected port function to isolate clients from each other.
My question is, is possible to specifi a Mac addresses in specific vlan thats can comunicate betwen protected ports? On tower is one Master unit and others are slave. I thing there is only 1 dirrection comunication - from master to slave.
I created a wlan just for our wireless IP phones.I assigned an interface I created which in turn was set to a specific port on company 2504 WLC. Connecting switchport is set to trunk. Right now I can't ping the voice wlan interface.
I'm going to start the evaluation of implementing the virtualization of our campus LAN using MPLS.We'll get many inter-VLAN routing domains per VRF on the same LAN infrastructure.The LAN infrastructure is based on C6500 implementing VSS.Do you have experience with this kind of setup?Any known/faced issue that might prevent the setup of MPLS on VSS enabled C6500?
how is calculated heat dissipation of ethernet modules for c6500? For example, heat dissipation of WS-X6908-10G-2T - 2083.32 BTU/hour.. This heat dissipation of the empty module, without transceivers? Or including all installed transceivers?
My C6500 is having relatively high CPU (no spikes, but constantly)
I'm under the impression that cef is causing this problem because alot of packets are being processed or send to/from the CPU. [code]
I did a netdr and I can see that the majority of packets going to the CPU are packets for which I have an entry in the CEF table.What can be a reason why those packets don't get hardware switches?I'm running Version 12.2(33)SXH5 - Sup720-10G.
there is something I find strange on C6500 about QoS: C6500 derive an internal DSCP value for it's internal use, but when configuring the qos mapping on output interfaces, only a cos value (I guess, an internal cos value) can be used. Is it a misunderstanding from me, or is it really illogic?
I want to see net flow data.I have configured this command on the c6500.but I can to see data only below...How can I configration ip cache flow on the C6500? what is the problem?
int gi4/31 ip add x.x.x.x ip route-cache flow c6500# show ip cache flow Displaying software-switched flow entries on the MSFC in Module 5:
I'm using a SRP521W-U. I've set up a SIP account on Line 1. I would like to be able to answer incoming calls on both FXS1 and FXS2. How do I achieve that both ports will ring?
I have a Cisco 2960 48-port switch. I enter "sh vlan" and it lists all the VLAN's. One of the VLAN's listed is "10" with the name "EPIC". What is the quickest way to find out what ports, if any, are assigned to this VLAN?
I have a 3560 switch with the following ports config [code] I would like to use theses ports on a different vlan to connect 4 pc's to them. Can I just remove them from the vlan, remove the trunk switchport and set up on the vlan i want them on with no trunking?
I've been tasked with breaking up a network that has run out of IP's, and have decided to use VLANs to accomplish this. I have to use an ASA5510 to accomplish all the routing between hosts in different VLANs.Port 48 is trunked to the ASA eth0/0 interface, with VLAN 99 and VLAN 20 tagging packets, VLAN 1 Untagged. Hosts hooked up to appropriate ports on Switch.
can i have 4 links from an ESX server to 6500 , each link represents a trunk link carries each the same 2 VLAN , 100 and 101 , keep port-channel out of the picture , does it work well?
We have a pair Cisco 6509 switch in which 2 * 48 Port 1G line cards and 1 * 16 Port 10G line Card, FWSM and Sup 720 are installed.We have Cisco UCS and HP Blade servers.Cisco UCS servers are connected to Cisco 6509 switch using Fabric Interconnect, and HP Servers are directly connected to core switches.Recently the team made many changes in the network. Upgraded the IOS in Cisco 6509 switch, Configured Port profiling , MAC Pinning , HBA Cards to UCS / Nexus 1000V Infrastructure. After this change they lost the connectivity to UCS and HP Serers. Every tower is checking at their end.
The Network Team has reverted back the core switch with old IOS , but still the problem persisit.I could only see the following error log in the core switch. There are two port-channels one between core 1 and core 2. The other is between core switch and FWSM module. [code]
We're going to be switching some of our gear from Foundry to Cisco, and were looking at the WS-C2960S-48TS-L. We currently have 3 different VLAN's, and I wanted to have 1 uplink back to our firewall (ASA 5550) and then let the firewall do the routing between the subnets. I realize that 1 link will carry the traffic twice then, but is that possibly with those switches to have all three vlans assigned to one port and then just let the firewall do the routing between the vlans or would I need to have 3 uplink ports back to the 5550?
