Cisco Switching/Routing :: Cat4500 With IOS-XE And Object Group ACLs

Feb 5, 2013

Anyone know when object-group ACLs will be supported in Cat4500 IOS-XE? Doesn't seem to be supported now.


Cisco Switching/Routing :: 2911 - How To Create Object-group With ACL

Jan 2, 2012

On a Cisco 2911 router, how do I create a network object with port permissions on an ACL? Here's what I have done, but I couldn't succeed: ports 22 and 24 should be denied and all other port services allowed to the outside interface. [code]


Cisco Switching/Routing :: Object Group In C3560 & C3750 Switches?

Feb 16, 2011

I have two layer 3 Cisco switches, a C3560 and a C3750, with IOS version "ipservices-mz.122-35.SE5". With the current IOS version, these layer 3 switches do not support object groups. So my question is, do I need to upgrade the IOS for this feature, and if yes, to which version?


Cisco Switching/Routing :: 6500 - Acl Object Group With Wccp Redirect List

Dec 31, 2012

Can I use an ACL object group with a WCCP redirect list? My platforms are 6500 and ISR 2921.


Cisco Firewall :: 5520 - Object-group With Network-object Containing IP Address Range

Apr 7, 2013

Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
 
object-group network test
network-object 192.168.0.0 192.168.63.255
?
network-object-group mode commands/options:
A.B.C.D  Enter an IPv4 network mask
sh run ob id test
object-group network test
network-object 192.168.0.0 192.168.63.255
 
I found that the documentation requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug, how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range, it looks like the ASA doesn't read that configuration properly.


Cisco Switching/Routing :: Interface Showing Inactive On Cat4500?

Jan 22, 2013

We have 3 Cat 4500 switches on three floors; the 3rd floor switch connects to the 2nd and 4th floor switches, but we are receiving an alert from our monitoring tool that "Interface(314) Backup-1Gb-Ring is Down at least 2 min on Switch: SOM500-4510-3FL". The following output from "sh int status module 1" shows that int 1/3 and 1/4 are 'inactive'. The local IT guy said that if the status is inactive, the ports cannot be used, and that they might have lost the capability when he added a 48-port blade into the 10th slot.

2nd Floor
Port      Name               Status       Vlan       Duplex  Speed Type
Te1/1     SOM500-Core1       connected    trunk        full    10G 10GBase-LRM
Te1/2     SOM500-Core1       connected    trunk        full    10G 10GBase-LRM
Gi1/3     Backup-1Gb-Ring    notconnect   1            full   1000 1000BaseSX
Gi1/4     Backup-1Gb-Ring    connected    trunk        full   1000 1000BaseSX

3rd Floor
Port      Name               Status       Vlan       Duplex  Speed Type
Te1/1     SOM500-Core1       connected    trunk        full    10G 10GBase-LRM
Te1/2     SOM500-Core1       connected    trunk        full    10G 10GBase-LRM
Gi1/3     Backup-1Gb-Ring    inactive     1            full   1000 1000BaseSX
Gi1/4     Backup-1Gb-Ring    inactive     1            full   1000

[code]....


Cisco Switching/Routing :: Upgrading 4507 From Cat4000-I9S-M12.1(19)EW1 To Cat4500-IPBASEK9-M15.0(2)SG6

Dec 26, 2012

OK, so I am following the steps that I got from the Cisco site on upgrading the IOS. When I get to the part where it says to:
 
redundancy reload peer
 
so after I do that, I go to the standby supervisor and I see that it is in a continuous reboot loop. I stop the loop and I reload the sup to the original IOS cat4000-i9s.........
 
So I look at the logs and this is what I see:
 
Aug 12 22:21:01.251: %C4K_REDUNDANCY-6-INIT: STANDBY:Initializing as STANDBY Supervisor
*Aug 12 22:21:03.259: %CHKPT-3-IPCSESSION: STANDBY:Unable to open an IPC

[Code].....


Cisco Switching/Routing :: Cat4500-IPBASEK9-M / Catalyst 4503-E Linecard Support?

Mar 22, 2012

I have a 4503-E with a WS-X4013+TS supervisor and a WS-X4548-GB-RJ45 card. I purchased a WS-X4648-RJ45-E card and installed it, but IOS says it's unsupported. The supervisor is running 12.2(46)SG software and 12.2(31r)SGA firmware. Obviously I'm hoping this card can be supported somehow. Do I need to upgrade software or firmware, or return the linecard and get an equivalent supported card? Oh, the system is running Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M).


Cisco Security :: ASA 5510 Object-group And Range Option

Feb 6, 2013

I have 3 ASA 5510s; two of which are in production and the 3rd one is new. I inherited the two in production and was trying to configure the 3rd one using some of the existing object-group network statements. The problem is that when I try to create a range of IPs in one of the object-groups, the range command is not available. Here is one of the statements extracted from one of the production ASAs: object network REMOTE range 62.77.130.14 62.77.130.208. Both ASAs have the same image version (asa842-k8). Is there something that I am missing to be able to enable the range option on the new ASA?


Cisco Firewall :: Object Group Network Limit With Asa 5510

Oct 29, 2012

We have a Cisco ASA 5510, and I am about to add another 2 object-group network groups on the firewall to our already growing list. Under this object-group network xxxx, we are planning to add about 500 network-object host xxx.xxx.xxx.xxx entries. This object-group will then be applied to an ACL. Just wanted to know if that's possible, meaning adding 500 hosts? If it is, what's the limit?
 
Also, are there any other things to keep in mind before I go ahead with this huge object group?


Cisco Switching/Routing :: Cat4500 Sup7 How To Limit Rendezvous Points Connecting To Bootstrap Routers

May 21, 2013

In our test lab we use PIM-SM with a bootstrap router on Sup7 with IOS-XE 03.04.00.SG. Is there any possibility to prevent a non-authorized RP from connecting to the candidate bootstrap routers? We found several security recommendations concerning limiting registration of sources at the RP, rate limits, etc., but no possibility to control RPs connecting to the BSR.


Cisco Firewall :: Internet Access Through ASA 5540 For Specific Network Object Group

May 2, 2011

I have a 5540, and I am trying to allow internet access for a specific network object group, which contains a bunch of users who need direct internet access without any restrictions. I have tried with dynamic NAT, but that configuration asks for a specific IP or a network range, and it is not permitted to configure an object group as a source.
 
The group is located in the LAN zone, so a permission from one zone to another zone is needed, I think, but I can allow the internet access to that group. Is there another way to get that, different from NAT?


Cisco Switching/Routing :: 3750E / Applying ACLs When Routing Between SVI And Routed Interface?

Mar 12, 2013

Quick question here. Using 3750E series switches with multiple VLANs configured. These switches serve as our 'core'. I have SVIs configured for the different VLANs and add inbound ACLs on each of the SVIs to control traffic between VLANs. This switch also terminates a P2P Ethernet link which connects to our colo facility. The port used for this is configured as an L3 port. I noticed today that I was able to send traffic across this L3 link that I thought should have been blocked by an ACL I had in place, but it wasn't. So the traffic flowed from a port in, say, VLAN 20 across this L3 link (assigned with an IP address). Would this traffic flow not cause traffic to be checked against an ACL applied in the inbound direction on the SVI of VLAN 20 (int vlan 20)? Traffic does get checked when routing between SVIs. Why would it not get checked when routing between an SVI and an L3 interface?


Cisco Switching/Routing :: 3750G ACLs Not Working

Sep 17, 2012

I am trying to create an ACL that walls off a VLAN and only allows it to the internet. This is on a 3750G, currently the 3750G I am attempting this on is in a stack. I have another 3750G that is a standalone.
 
The first way I attempted this was to create two access-lists:

access-list 101 permit tcp 10.249.1.0 0.0.0.255 any eq 80
access-list 102 permit tcp any 10.249.1.0 0.0.0.255 established
 
Let's call the 10.249.1.0 VLAN 2. I applied this to the VLAN2 interface, 101 out, 102 in. It didn't work. If I place a deny statement with nothing else, that works.
 
The second attempt was this:

access-list 101 deny ip 10.249.1.0 0.0.0.255 any
access-list 101 permit ip any any
 
I applied this to a VLAN I wanted to block VLAN2's traffic from reaching, let's call that one VLAN 3.
 
This lets all traffic through from any VLAN (including the one I'm trying to block). If I remove the "permit ip any any", then all VLANs are denied, which I understand is correct due to the implied deny all. What I don't understand is why it isn't applying the ACL to the specific VLAN.


Cisco Switching/Routing :: SW 3750 - ACLs For DHCP

Apr 16, 2013

We are configuring ACLs for a DHCP pool on a 3750 switch:
 
ip access-list extended Test
permit ip any 192.168.1.0 0.0.0.31
permit ip any host 172.16.1.1
 
And here is the DHCP pool:
 
ip dhcp excluded 192.168.1.1 192.168.1.3
ip dhcp pool Name
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
 
But when a PC tries to obtain an IP automatically, it doesn't work.


Cisco Firewall :: ASA 5510 / Ip Service Object And Service Group

May 16, 2011

When I create a service object or group and add the object to a new rule, it never works. I mean the traffic does not match the rule; I see no hits. I placed the rule on top of my access list to check if I am doing something wrong, but it is not working. When I place only a service, for example tcp/23, it is working.
 
My IP service object:

object-group service g-as400
 description access client 2 as400 machine
 service-object tcp-udp destination eq 397
 service-object tcp destination eq 137
 service-object tcp destination eq 2001
 service-object tcp destination eq 3000
 service-object tcp destination eq 445
 service-object tcp destination range 446 447
 service-object tcp destination eq 449
 service-object tcp destination eq 5010
 service-object tcp destination eq 5544
 service-object tcp destination eq 5555
 service-object tcp destination range 8470 8476
 service-object tcp destination eq 8480
 service-object tcp destination eq

[code]...


Cisco Switching/Routing :: Upload Large ACLs To NX-OS Nexus 7009?

Feb 3, 2013

We are migrating from Catalyst 6509 IOS platforms to Nexus 7009. There are the normal differences in commands, which are well documented. We do have some quite large files containing ACLs, varying from tens of lines to several thousands of lines. Our normal upload would be done using TFTP and then issuing the command 'conf net' on the 6509. This is no longer the way to do this on NX-OS. I've tried copy ftp: running-config, which works fine for small files, but for big ones it takes a long time; in some cases I've seen it take 20-30 minutes. The initial TFTP upload to the 7009 seems OK, but the copy into the running-config is the bit that takes time, and initially I thought I'd killed the 7009!! It did finally come back to the prompt. Are the 7009s simply not designed for large ACLs? I did try the configure session (Session Manager), but I couldn't see a way of uploading a file. I tried creating a new session and then exiting it, copying in a file of the same format and then committing it, but it didn't seem to acknowledge the file (checksum?).


Cisco Switching/Routing :: Configure NX7000 To Log ACLs Hits On Remote Server

Nov 4, 2011

How should I configure an NX7000 to log ACL hits on a remote syslog server?


Cisco Switching/Routing :: Object-groups In Access-lists On 3750X?

May 29, 2013

I have started to use IP extended access-lists on several 3750X switches to filter inbound and outbound traffic on the VLANs. But it seems that the use of object-groups is not supported; is this correct? Is there really no way to group different IP addresses into groups and then use these groups in the access-lists?
 
I am running software version 15.0(1)SE2.


Cisco Switching/Routing :: 2960 SI Lan Lite ACLs - Configuring For Admin And Guest Access

Jan 26, 2013

I have a 2960 SI LAN Lite switch that I am configuring for admin and guest access. I have wireless APs plugged into trunked ports 2 and 3. I am using two VLANs (in addition to the native VLAN): VLAN 5 for admin and VLAN 10 for guest access. I have an ACL configured on the router preventing guest users from accessing the admin network. I want to prevent those on the guest network from seeing other hosts in the VLAN; however, the LAN Lite software does not support port ACLs. Is there any way to accomplish this with this switch?

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
[Code]...


Cisco Switching/Routing :: Will Vrrp Object Tracking Work On 1721 Router

Feb 20, 2013

I am using a bunch of Cisco 1721 routers for my T1 lines. We recently purchased Digi cell modems as a backup for the T1. On configuring VRRP to work on both devices, I discovered that IOS 12.3(6c) does not support the "vrrp track" feature. After reviewing the Cisco Feature Navigator, I could not see an IOS that will support VRRP object tracking. Is that correct? The routers have T1 WICs installed. If it does work, what is the latest IOS that will work on this end-of-life product?


Cisco Switching/Routing :: 887 No Ip Access-group

Jul 15, 2012

I am not able to apply an access-list to FastEthernet 0, as ip access-group is not supported in interface mode, only in interface vlan mode. How can I stop traffic into the LAN network?


Cisco Switching/Routing :: HSRP Group Limit In 4506E Switch?

Oct 31, 2012

I have two Cisco 4506-E series switches.
 
We are planning to go for HSRP redundancy for 32 VLANs. This means that in one Cisco 4506-E switch we will configure 32 VLANs, and among them 16 VLANs will be primary and 16 VLANs will be standby, and it is vice versa in the other core switch.
 
My query is: how many standby groups can we create in a Cisco 4506-E switch? Is there any limitation?
 
If there is any limitation, can we go ahead with VRRP or GLBP? Are there any limitations in VRRP/GLBP? Is there any design-related issue we can face if we use the same group number for all VLANs?
 
Product details :
 
Model : Cisco 4506-E
Sup Model : WS-X45-SUP6L-E
IOS  : S45EIPBK9-12254SG


Cisco Switching/Routing :: Maximum Group Of HSRP That Supports WS-C3750G-24T-S

May 4, 2011

What is the maximum number of HSRP groups that the WS-C3750G-24T-S supports, running the IOS c3750-advipservicesk9-mz.122-44.SE2.bin? I have this message: ERROR message: %Platform already has maximum FHRP groups configured


Cisco Switching/Routing :: 3750 - Procedure To Modify Channel Group Settings?

Nov 16, 2011

We need to change the channel-group settings on a 3750 switch from mode on to mode active. We have tried once by removing the physical interfaces from the port-channel group, but we lost the connectivity to the secondary switch. Is there any step-by-step procedure that does not lose the connectivity between switches?


Cisco Switching/Routing :: 3750 / 3560 / Hsrp Groups Using The Same Group Number?

Nov 24, 2010

I understand that on older IOS code, if the same HSRP group number is assigned to multiple standby groups, it creates a non-unique MAC address. Is this true on newer code like 12.2(52)SE for the 3750 and 3560?


Cisco Switching/Routing :: SG300-28P And SF200-24P Connected Via LAG Group / Configurations Won't Save

Dec 10, 2012

I have an SG300-28P and an SF200-24P connected via a LAG group. The SG300 routes. I also have 2 VC240 IP cameras. They are connected on ports 18 and 19 on the SF300. If I lose power, reboot, or anything else that makes the switches restart, the configuration is not saved. I know this by the fact that after a reboot, ports 18 and 19 are placed in VLAN 4 Untagged. If I put them back in VLAN 2 Untagged, save the configuration and reboot, they are placed back in VLAN 4 Untagged.
 
I read something on here about firmware the other night from my iPad, so today I upgraded both switches to the latest firmware, 1.2.7.76. After the update, I could not access the IP cams. I went back into the configuration and they were in VLAN 4 Untagged. I once again put them in VLAN 2 Untagged, saved the configuration and rebooted. They went back to VLAN 4UP.
 
There was previous discussion also about an XML version of files or something, and that a factory reset and setting the switch up from scratch would take care of it. I cannot do this; I am a seed corn salesman. Is there a simpler way? Like saving the config to TFTP and then uploading it after a factory reset? There are LLDP settings for my IP phones too that, if I lost them, I would have no idea how to regenerate to make my switch work again. Cisco tech support had issues with it when I first got them and they set it up via remote session, so I am lost beyond this. I just know that I cannot keep going into the switches to change settings and not have them saved. I lose my security cameras and video recording.


Cisco Switching/Routing :: 2960S Stacks / 3750 - EtherChannel Group Numbers?

Jan 27, 2012

I have a 3750 as the core switch, and am adding 2 stacks of 2960S to connect. I want to establish an EtherChannel between the 3750 and each additional 2960S stack. Do the channel-group numbers between the 3750 and the new 2960S have to match? The 3750 has two channel-groups (1 and 2) already configured. I need to know: would I create 2 additional channel groups (numbers 3 and 4) for each of the EtherChannels between the 2960S stacks and the 3750? Or is the channel-group number local to the device?


Cisco Switching/Routing :: Nexus 5000 IP Reachability Across VPC Within 4 Member HSRP Group

Nov 17, 2011

I have 2 pairs of Nexus 5000 units (pair 1 and pair 2). A pair consists of 2 Nexus 5000s (A and B) connected to each other via a vPC containing 2 ports, i.e. P1-5KA -- P1-5KB (vpc domain 6) and P2-5KA -- P2-5KB (vpc domain 10) [code] HSRP exists between all four with a virtual address of 10.18.136.1. P1-5KA is the Active with P1-5KB as Standby.
 
I can ping between the four using their SVI addresses. I am unable to ping the HSRP virtual address .1 from P2-5KA or P2-5KB. I can ping OK only if I shut the vPC between P2-5KA and P2-5KB, or define another MAC address under the HSRP config other than the system default. IP packet debugs show that pings sourced from P2-5KB to P1-5KA loop between P2-5KA -- P2-5KB. Pings sourced from P2-5KA to P1-5KA are transmitted, but none of the 4 device debugs show a receive. Both peer-gateway and delay restore 120 have been configured under all vpc domains and all units rebooted.


Cisco Switching/Routing :: 2951 - IP Access-group In Command Not Allowing DHCP

Feb 27, 2013

I have a Cisco 2951 router and I am trying to set it up to use DHCP, and for security purposes I need to use the "ip access-group in" command. DHCP will not work when I have this command on the interface that I need to run it through; DHCP works fine when I do not have the "ip access-group in" command in the configuration. When I check the log after the failed DHCP attempt, it shows up as denied, as if it's being blocked. The IOS I have is c2951-UNIVERSALK9-m 15.0(1)M3. Config register 0x2102.


Cisco Switching/Routing :: C2960 - Edit Vlan SNMP Group Context?

Feb 6, 2012

When using Cisco IOS c2960-lanbasek9-mz.122-50.SE3.bin we can delete a line in the SNMP group config with

  no snmp-server group <group-name> v3 priv context vlan-<vlan-id>

without problems.
 
But after upgrading to version c2960-lanbasek9-mz.122-58.SE2.bin, there is this output:
 
#####% Ambiguous command:  "no snmp-server group <group-name> v3 priv context vlan-<vlan-id> "
 
It looks like a bug, but there is nothing in the bug toolkit.


Cisco Switching/Routing :: 2560 Create Dynamic VLAN For Specific Group Of Users

Feb 6, 2012

We have a Cisco Cat4503 series L3 switch and Cisco L2 2560 series switches. Some of the users want to have dynamic VLAN membership, connecting to the network as mobile users.
 
Is it possible to create a dynamic VLAN for a specific group of users?


Cisco Switches :: SG300 VLANs - Routing And ACLs

Jan 20, 2013

I have an SG300-28P that is our main VLAN switch, though the VLANs that I have on it are there mostly because of our edge router and our AP541Ns. We have the following VLANs defined (subnets changed to conceal public IPs) [code]
 
VLAN200 and VLAN201 come into our edge router and out on a single GE port, VLAN tagged, to the SG300. The SG300 splits them out to untagged ports and they are connected to two firewalls, each with an IP in the 200 and 201 subnets. The AP510 has the VLAN200, VLAN192 and VLAN101 tagged subnets sent to it. The AP521 has three SSIDs, each associated with a particular VLAN.
 
This all works fine, though there are a few hidden flaws. Since all of the VLANs are present, both internal and public IPs, one could craft packets from one network and use the SG300 as its gateway to the other subnet and gain access. How can I isolate the subnets so that I can still use the SG300 as a default gateway for the 10.1.0.0/16 network, make it so that if someone from the 10.1.0.0/16 network accesses the 201.201.201.0/24 subnet it uses the SG300's 0.0.0.0 0.0.0.0 default route (the firewall IP) and not the VLAN interface, and if someone in the 201, 200 or 192 subnets uses the SG300 as a gateway and tries to access a 10.1.0.0/16 address it gets blocked?
