In cisco router 2911 how to creat a network object with port permission on ACL. herz what i have done but couldnt succeed in port 22 and 24 should be denied and rest all port services are allowed to outside interface. [code]
I have two layer 3 switches C3560 and C3750 Cisco switches with ios version "ipservices-mz.122-35.SE5".Now with the current ios version, these layer 3 switches are not supporting object group.so my question is , do i need to upgrade the ios, for this feature, if yes, which version ?
Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
object-group network test network-object 192.168.0.0 192.168.63.255 ? network-object-group mode commands/options: A.B.C.D Enter an IPv4 network mask sh run ob id test object-group network test network-object 192.168.0.0 192.168.63.255
I found that in the documentation it requires a netmask as oppose to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly.
We have 3 Cat 4500 switches on three floors teh 3rd floor switch connects to the 2nd and 4th floor switches ,but we are receiving an alert from monitoring tool that " Interface(314) Backup-1Gb-Ring is Down at least 2 min on Switch: SOM500-4510-3FL the following output from "sh int status module 1 " shows the int 1/3 and 1/4 are 'inactive'local IT guy said If the status is inactive,the ports cannot be used and might lost the capability when he added 48-port blade into the 10th slot.
2nd Floor Port Name Status Vlan Duplex Speed TypeTe1/1 SOM500-Core1 connected trunk full 10G 10GBase-LRMTe1/2 SOM500-Core1 connected trunk full 10G 10GBase-LRMGi1/3 Backup-1Gb-Ring notconnect 1 full 1000 1000BaseSXGi1/4 Backup-1Gb-Ring connected trunk full 1000 1000BaseSX 3rd FloorPort Name Status Vlan Duplex Speed TypeTe1/1 SOM500-Core1 connected trunk full 10G 10GBase-LRMTe1/2 SOM500-Core1 connected trunk full 10G 10GBase-LRMGi1/3 Backup-1Gb-Ring inactive 1 full 1000 1000BaseSXGi1/4 Backup-1Gb-Ring inactive 1 full 1000
I have a 4503-e with WS-X4013+TS supervisor and WS-X4548-GB-RJ45 card. I purchased a WS-X4648-RJ45-E card and installed but IOS says its unsupported. Supervisor is running 12.2(46)SG software and 12.2(31r)SGA firmware. Obviously I'm hoping this cars can be supported somehow. Do I need to upgrade software or firmware, or return the linecard and get equivalent supported card? Oh, system is running Catalyst 4500 L3 Switch Software. (cat4500-IPBASEK9-M)
I have 3 ASA 5510s; two of which are in production and the 3rd one is new. I inherited the two in production and was trying to configure that 3rd one using some of the existing object-group network statements. The problem is that when I try to create a range of IPs in one of the object-groups; the range command is not available. Here is one of the statements extracted from one of the production ASAs: object network REMOTE range 220.127.116.11 18.104.22.168.Both ASAs have the same image ver (asa842-k8). Is there something that I am missing to be able to enable the range option on the new ASA?
We have Cisco ASA 5510, I am about to add another 2 Objectgroup network groups on the firewall to our already growing list. Under this Object-group Network xxxx , we are planning to add about about 500 network-object host xxx.xxx.xxx.xxx . This objectgroup will then be applied to an ACL. Just wanted to know if thats possible - meaning addnig 500 hosts? If it is whats the limit?
Also are there any other things to keep in mind before i go-ahead with this huge object group?
In testlab we use pim-sm with bootstrap router on sup7 with IOS-XE 03.04.00.SG. Any possibility to prevent non authorized rp from connecting to the candidate bootstrap routers? We found several security recommendations concerning limiting registering of sources at the rp, rate-limits etc, but no possibility to control rp connecting to the bsr.
I have a 5540, and i am trying to allow access to internet for an specific network object group, who has inside a bunch of users, who needs direct internet access without any restrictions, i have tried with dynamic NAT, but that configuration ask for a specific IP o a Network range, and is not permitted to configure an object group as a source
The group is located in LAN zone, so a permission from one zone to another zone is needed i think, but i can allow the internet acess to that group Is there another way to get that , different from NAT ?
Quick question here. Using 3750E series switches with multiple VLANS configured. These switches serve as our 'core'. I have SVIs configured for the different VLANs and add inbound ACLs in each of the SVIs to control traffic between VLANS. This switch also terminates a P2P Ethernet link which connects to our Colo facility. The port used for this is configured as an L3 port. I noticed today that I was able to send traffic across this L3 link that I thought should have been blocked by an ACL I had in place but it wasn't. So the traffic flowed from a port in say VLAN 20 across this L3 link (assigned with an IP address). Would this traffic flow not cause traffic to be checked against an ACL applied in the inbound direction on the SVI of VLAN 20 (int vlan 20)? Traffic does get checked when routing between SVIs. Why would it not get checked when routing between SVI and L3 interface?
I am trying to create an ACL that walls off a VLAN and only allows it to the internet. This is on a 3750G, currently the 3750G I am attempting this on is in a stack. I have another 3750G that is a standalone.
The first way I attempted this was to create two access-lists: access-list 101 permit tcp 10.249.1.0 0.0.0.255 any eq 80 access-list 102 permit tcp any 10.249.1.0 0.0.0.255 established
Let's call the 10.249.1.0 VLAN 2. I applied this to the VLAN2 interface, 101 out, 102 in. It didn't work. If I place a deny statement with nothing else, that works.
The second attempt was this: access-list 101 deny ip 10.249.1.0 0.0.0.255 any access-list 101 permit ip any any
I applied this to a VLAN I wanted to block VLAN2's traffic from reaching, let's call that one VLAN 3.
This lets all traffic from any VLAN (including the one I'm trying to block). If I remove the "permit ip any any", then all VLANs are denied. Which I understand is correct due to the implied deny all. What I don't understand is why it isn't applying the ACL to the specific VLAN.
When I create a service object or group and add the object to a new rule it never works.I mean the traffic match not the rule. I see not hits.I placed the rule on top of my access list to check if I do somethink wrong but it is not working. When I place only a service for example tcp/23 it is working.
We are migrating from Catalyst 6509 IOS platforms to Nexus 7009. There's the normal differences in commands which is well doucumented. We do have some quite large files containing ACLs varying from 10's of lines to several 1000's of lines. Our normal upload would be done using tftp and then issuing the command 'conf net' on the the 6509. This is no longer the way to do this on NX-OS. I've tried copy ftp: running-config which works fine for small files but for big ones it takes a long time, in some cases I've see it takes 20-30 minutes. The initilal tftp uplaod to the 7009 seems OK but the copy into the running-config is the bit that takes time and initially I thought I'd killed the 7009!! It did finally come back to the prompt. Are the 7009's simply not designed for large ACLs? I did try the configure session (Session Manager) but I couldn't see a way of uploading a file. I tried creating a new session and then exiting it, copying in a file of the same format and then commiting it but it didn't seem to acknowledge the file (checksum?).
I have started to use ip extended access-lists on several 3750X-switches to filter inbound and outbond traffic on the VLANs. But it seems that the use of object-groups is not supported, is this correct? Is it really no way to group different ip-addresses into groups and then use these groups in the access-lists?
I have a 2960 SI lan lite switch that I am configuring for admin and guest access. I have wireless AP's plugged into trunked ports 2 and 3. I am using two vlan's (in addition to the native VLAN). Vlan 5 for Admin and Vlan 10 for guest access. I have ACL configured on the router preventing guest users from accessing the Admin network. I want to prevent those on the guest network from seeing other hosts in the vlan however the lan lite software does not support port ACL's. Any way to accomplish this with this switch.
version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec [Code]...
I am using a bunch of Cisco 1721 routers for my T1 lines. We recently purchased Digi cell modems as a backup for the T1. On configuring vrrp to work on both devices I discovered that IOS 12.3(6c) does not support the "vrrp track" feature. After reviewing the Cisco Feature Navigator I could not see an IOS that will support the vrrp object tracking. Is that correct? The routers have T1 WIC's installed. If it does work what is the latest IOS that will work on this end of life product?
We are planning to go for HSRP redundancy for 32 VLANs. Means In a Cisco 4506-E switch , we will configure 32 vlans and among them 16 vlans will be primary and 16VLANs will be standby ans it is viceversa in another core-switch
My querie is How many standby groups can we create in Cisco 4506-E switch, Is there any limitation..
If there is any limitation , can we go ahead with VRRP,GLBP? Are there any limitation in VRRP/GLBP? Is there any design related issue can we face if we use same group number to all VLANs?
Product details :
Model : Cisco 4506-E Sup Model : WS-X45-SUP6L-E IOS : S45EIPBK9-12254SG
What is the maximum group of HSRP Group that supports the WS-C3750G-24T-S running the IOS c3750-advipservicesk9-mz.122-44.SE2.bin?I have this message:Mensaje ERROR: %Platform already has maximum FHRP groups configured
We need to change the Channel-group settings in 3750 switch from Mode ON to Mode Active. We have tried once by removing the physical interfaces from the port-channel group but we lost the connectivity to the secondary switch. Any step by step procedure without losing the connectivity between switches.
I have a SG300-28P and a SF200-24P connected via LAG Group. SG300 routes. I also have 2 VC240 IP Cameras. They are connected on ports 18 and 19 on the SF300. If I lose power, reboot or anything that makes the switches restart, the configuration is not saved. I know this by the fact that after a reboot, ports 18 and 19 are placed in VLAN 4 Untagged. If I put them back in VLAN 2 Untagged, save the configuration and reboot, they are placed back in VLAN 4 Untagged.
I read something on here about firmware the other night from my iPad so today, I upgraded both switches to the latest firmware, 22.214.171.124. After the update, I could not access the IP Cams. I went back into the configuration and they were in VLAN 4 Untagged. I once again put them in VLAN 2 Untagged, saved the configuration and rebooted. They went back to VLAN 4UP.
There was previous discussion also about xml version of files or something and that a factory reset and setting the switch up from scratch would take care of it. I cannot do this, I am a seed corn salesman. Is there a simpler way? Like saving the config to TFTP and then uploading it after factory reset? There is LLDP settings for my IP Phones too that if I lost them, I would have no idea how to regenerate them to make my switch work again. Cisco tech support had issues with it when I first got them and they set it up via remote session so I am lost beyond this. I just know that I cannot keep going into the switches to change settings and not have them saved. I lose my security cameras and video recording.
I have a 3750 as core switch, adding 2 stacks of 2960S to connect. I want to establish etherchannel between the 3750 and each additonal 2960S stack, do the channel group numbers between the 3750 and the new 2960s have to match? 3750 has two channel-groups(1 and 2) already configured. Need to know, I would create 2 additional channel groups (number 3,4) for each of the etherchannels between the 3 2960S Stacks and 3750? OR channel-group # is local to the device.
I have 2 pairs of Nexus 5000 units (pair 1 and pair 2). A pair consists of 2 Nexus 5000 (A and B) connected to each other via a VPC containing 2 ports ie P1-5KA -- P1-5KB (vpc domain 6) and P2-5KA -- P2-5KB (vpc domain 10) [code] Hsrp exists between all four with a virtual address of 10.18.136.1. P1-5KA is the Active with P1-5KB as Standby.
I can ping between the four using their SVI addresses. I am unable to ping the HSRP virtual address .1 from P2-5KA or P2-5KB.I can ping ok only if I shut the VPC between P2-5KA or P2-5KB or define another mac address under the HSRP config other than the system default. IP Packet debugs show that ping sourced from P2-5KB to P1-5KA loop between P2-5KA -- P2-5KB. Pings sourced from P2-5KA to P1-5KA are transmitted but none of the 4 device debugs show a receive. both peer-gateway and delay restore 120 have been configured under all vpc domains and all units rebooted.
I have a Cisco 2951 Router and I am trying to set it up to use DHCP and for security purposes I need to use the "IP Access-Group in" command. The DHCP will not work when I have this command on the interface that I need to run it through, DHCP works fine when I do not have the "IP Access-Group in" command in the configuration. When I check the log after the failed DHCP attempt it shows up as denied, as if it's being blocked. The IOS I have is c2951-UNIVERSALK9-m 15.0 (1) M3. Conf Reg 0x2102.
I have a SG300-28P that is our Main VLAN Switch. Though the VLANs that I have on it are there mostly because of our Edge Router and our AP541Ns.We have the Following VLANs defined (Subnets Changed to conseal Piblic IPs) [code]
VLAN200 and VLAN201 come into Our Edge Router and out on a Single GE Port via VLAN Tagged to thje SG300.The SG 300 Splits them out to Untagged Ports and they are connected to Two Firewalls, each with a IP in the 200 and 201 Subnets. The AP510 has the VLAN200, VLAN192 and VLA101 tagged Subnets sent to it. The AP521 has three SSID, each associated with a Paticular VLAN.
This all works fine, though there are a few hidden flaws. Since all of the VLANs are present, both Internal and Public IPs, one could craft packets form one network and use the SG300 as its gateway to the other subnet and Gain Access. How can I isolate the Subnets, so that I can still use the SG300 as a Default Gateway for the 10.1.0.0/16 Network Make it so if someone from the 10.1.0.0/16 netwok accesses the 126.96.36.199/24 Subnet it uses the SG300's 0.0.0.0 0.0.0.0 default router (the Firewall IP) and not the VLAN InterfaceIf somone in the 201, 200, 192 Subnets uses the SG300 as a Gateway and tries to access a 10.1.0.0/16 address it gets blocked.