I am trying to write an extended ACL for the voice VLAN. My scenario is the following: I have two PBXs with two Catalyst 4505 L3 switches. The C4505s are connected through a trunk link. I have a VTP domain configured.
Voice VLANs are VLAN 100 and VLAN 101 with networks 10.2.0.0/16 and 10.4.0.0/16. VoIP telephones are communicating between themselves and everything is working fine. I want to secure both voice VLANs with an ACL to allow only a couple of IPs to administer the phones. The PCs are connected through an integrated switch via the VoIP telephone. Here is the sample configuration of the DHCP pool for the PC VLAN:
ip dhcp pool PCs
network 10.1.0.0 255.255.0.0
default-router 10.1.1.1
dns-server 10.10.10.1
option 43 hex 010a.5369.656d.656e.7300.0000.0204.0000.0064.0000.0000.00ff
I had to implement the 43 hex option because the PCs did not get an IP from the DHCP because of the vendor-specific information. The thing that worries me is whether the DHCP will forward the ACKs for the PCs if I implement this test ACL:
ip access-list extended VLAN100
permit ip 10.2.0.0 0.0.255.255 10.4.0.0 0.0.255.255
permit ip 10.4.0.0 0.0.255.255 10.2.0.0 0.0.255.255
permit ip 192.168.2.0 0.0.0.255 10.2.0.0 0.0.255.255
permit ip 192.168.2.0 0.0.0.255 10.4.0.0 0.0.255.255
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps (this I am not sure do I need)
permit udp host 255.255.255.255 eq bootps host 0.0.0.0 eq bootpc (also this)
deny ip any any
I only want to allow the network 192.168.2.0/24 and maybe some other hosts to access the web-based HTTP GUI to administer the IP phones. All PCs are connected through the VoIP terminals. I do not want to deny the traffic to PCs.
I am trying to configure static switchports on our Nexus 5548 (NX-OS 5.1(3)N1(1)) over SNMP. The support-list url... states that the CISCO-VLAN-MEMBERSHIP-MIB is supported. I can read the information, but if I try to set vmVlan or vmVlanType I get the message: "SET failed. ("ip-address"). Information: Not Writable." I can use set_request in general (e.g. CISCO-CONFIG-COPY-MIB). How do I set the VLAN and VLAN type over SNMP?
|_voip PBX___|-----|__3650___|------fiber-------------|__3650_____|------|_voipphone__|
I have a case where the voipphone is registered on the voippbx but people on both ends can't hear each other. No ACL on both 3650s, no firewalls between them, distance is about 2 miles. I tried to telnet x.x.x.x 1720 or 1719 or 1721 (H.323 ports) to the opposite switch: connection refused. How can I test if ports are open on the 3650? Is it correct if I create an allowing ACL and apply it on both 3650s, on the first switch on the interface connected to the voippbx "IN", and on the second switch on the interface connected to the voipphone "IN"?
How can I configure Cisco 200 (SG200-08P) to learn Voice VLAN and CoS/DSCP from upstream Catalyst 2960?
The Cat 2960 is today used together with LLDP-MED to announce config to Aastra IP telephones. In some cases I need to use a small switch in between and plan to use the Cisco SG200-08P for this. However, I would like to avoid manual config of the Cisco 200 switch.
I'm using a Cisco 3524 switch as an access switch and trying to enable voice VLAN on the Fast Ethernet ports as below.
L3 VLANs are created in the core switches, which is Cisco 6509:
vlan 1 - data vlan
vlan 2 - voice vlan
In the Cisco 3524:
[code]....
If I use the above configs, the phone which is connected to interface fa0/1 is not taking an IP from the DHCP server. It didn't work even with static configs. While troubleshooting, I configured it as below and it started working:
int fa0/1
 switchport access vlan 2
 speed 100
 duplex full
In this case I can't use this port for data connectivity, whereas it's required for data too.
I have CME on a Router 2800 series, and a switch 2960 PoE connected to this router. On the 2960 switch, there is an existing 7945 IP Phone that already works properly and gets IP 14.x.x.x from voice VLAN 2.
The problem is when I add a Cisco 6921 IP Phone connected to the 2960 switch, it gets data VLAN 10.x.x.x, not voice VLAN 14.x.x.x. I have checked CDP and it uses CDP v2.
Config on 2960:
interface GigabitEthernet1/0/34 <--- this is connected to IP Phone 7945
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
[code]....
With the same config and conditions on the 2960 port, why can't the IP Phone 6921 get voice VLAN 14.x.x.x, whereas the IP Phone 7945 can get voice VLAN 14.x.x.x?
If we configure a Voice and Data VLAN on a switch, and connect an EX90 on the voice VLAN and a PC with the EX90 terminals, then are we able to share a presentation or data with the EX90 or not?
I am facing a strange issue on a Cisco 2950. IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA9, RELEASE SOFTWARE (fc1). Suddenly my phone stopped working for DTMF tones; I mean when I dial a conference bridge, let's say 6565, and then it asks for the conference bridge code, let's say 12345, it doesn't recognize the code and says the code is invalid. The SIP proxy is Asterisk in this case. Currently my Cisco switch port is configured for dual data + voice VLAN, where DTMF doesn't work; sample config below [code]
I'm working in a new environment and want to make some design changes to the environment. I wanted to bounce my ideas off some of you folks to see if my thinking is on the right path or maybe I could do things better.
Setup:
Currently the setup that I manage includes a Sonic Wall (also dishes out DHCP), an HP 1810 "Core Switch" and 3 SG 300-28P Cisco managed switches (all Cisco switches tie back into the HP). The router is managed by the ISP. There is only one VLAN with all traffic going across it.
Obviously the glaring issue here is that voice and data all reside on the same VLAN. Correct me if I am thinking incorrectly, but the first step would be to create a separate VLAN for the phones with its own IP scheme. Currently phones are issued addresses from the 150-200 range and everything else is left for PCs, printers etc. To my knowledge the HP switch does layer 3 but I do not know much about it. There are VPN tunnels to remote offices that are used for SharePoint, email and to access other services. I am trying to wrap my mind around the environment as a whole, so I may be missing something obvious I could do design-wise to improve.
For many years we've had the following VLAN and port security config on our 3560s:
[code]
This has worked great on 12.2(37)SE1, 12.2(40)SE and 12.2(46)SE. However since 12.2(50)SE, and I've tried all the versions since then, we have a problem with 7900 phones and ATA186s taking upwards of 20 minutes before they can get a valid IP number. The problem on the newer IOSes seems to be related to the inactivity aging. On the older IOS versions the MAC address of the voice device appears on the voice VLAN straight away.
On the newer IOS versions the mac address of the voice device appears on the DATA vlan and seems to be stuck there until the inactivity aging removes it. It then gets re-learned, sometimes on the voice vlan, and sometimes on the data vlan. If you're unlucky and it gets re-learned on the data vlan you've got to wait until the inactivity time ages the address out again. Repeat until the mac address eventually gets learned on the voice vlan. I don't want to be stuck on 12.2(46)SE forever.
Is there any way to test in a lab what would happen if a tech mistakenly added "switchport voice vlan XX" to a trunk port? I am trying to do some RCA on an issue and this has been identified as a possible cause by one of my techs.
The config is:
Switch1------Switch2--------Switch3
Each interswitch connection is configured as a dot1q trunk with all VLANs allowed. The link between switch 2 and 3 is where switchport voice vlan 10 was added. Switch1 is a 3750 and 2/3 are 3560s.
I have a Cisco 6509 with IOS "s222-ipservicesk9_wan-mz.122-18.SXF16.bin". I need to enable dot1x on users' ports on the switch. Each user is connected to the switch through the IP phone.
I just found out that I cannot enable dot1x on a trunk port. I have tried to use "switchport voice vlan " but I got:
Recently I connected a non-Cisco IP phone (from Panasonic) to a Cisco 2960 PoE switch at site A. The PABX system is located at site B. Site A and site B are connected using MetroE point to point. I would like to apply QoS for the voice VLAN. I want to assign 2MB to the point-to-point connection for the voice VLAN.
I have a network with a Catalyst 3750 as the main switch and then some Catalyst 2960 switches that are plugged in to that. I have a server running Windows Server 2008 with a couple of virtual machines running in Hyper-V. I created 4 VLANs listed below and gave the 3750 the following IP address. I would like the 3750 to only be configurable from VLAN 40, but currently every VLAN can connect to it. I noticed in the standard web page settings there was a setting for "Management VLAN" but it was set to 1 and would not let me change it; I kind of assumed that was for the management port in the back. Now the tricky part: I was trying to set up routing between the VLANs and so far I have only been able to get a sort of "all or nothing" routing to work. I can turn IP routing on and add two or more VLANs to the routing and it works fine. But what I was hoping to do is create a couple of "junction VLANs" that would only route to one or two other VLANs. For instance, I wanted to create a VLAN 100 that routed to VLAN 20 and 30 but nothing else. I also want to route VLAN 1 just to VLAN 30, and so on. I am able to do each one of the cases but only one at a time; it seems like the switch only supports one "routing table". Am I missing something or is this just a limitation of the switch?
I have a network with several Catalyst 2960 switches and one Catalyst 3750. I have created two VLANs and set up the proper routing and everything is working fine there. I have a client/server application that uses multicast in the initial start-up for the client to determine available servers; the issue is one of my clients is on a different VLAN than the server. I am able to route the multicast using MVR as long as both the server and the client are plugged into the 3750, by creating a static route, making the server a source port and the client a receive port. Unfortunately I need the client and the server plugged in to different 2960s. My question is how do I establish multicast routing between the two, and preferably do it dynamically (always route multicast traffic from one VLAN to another).
I have been looking into this for a while and I can't seem to figure out why my 2nd vlan is not able to connect properly to the net.
My switch has 12 ports where my devices connect directly; they are all on VLAN 1 and they all work perfectly. On port 12 I have a D-Link router that is connected to a cable modem. The D-Link router has an IP address of 192.168.0.20.
I created a second VLAN (vlan2) and enabled DHCP relay on it. Then I assigned port 9 on the switch to vlan2. My laptop, which is connected to port 9, seems to get an IP address fine and is able to ping only some devices on my network (vlan1) and is not able to go out to the Internet. I think it has to do with the routes. [code]
I have got a Cisco Catalyst 2960G series switch and via this switch I want to create several VLANs. I am getting a DHCP IP from a router and I want to set up my own VLAN networks.
I plugged in the Ethernet cable that came from the DHCP router to port 16 of the Cisco switch and configured ports 1, 2 and 3 for VLAN 1, 2 and 3.
The DHCP router has given me this IP: 192.168.10.158; the default gateway is 192.168.10.1.
When I plug in a PC to port 1 or 2 of the Cisco switch I am still receiving an IP from the range 192.168.10.* but not from the range that I configured for VLAN 1 or 2.
Below is my startup configuration:
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
I have 3 VLANs here that need to be on the same network segment. They are going to be used by our Wi-Fi network (with Aironet APs), bound to 3 different SSIDs (as Aironet APs don't allow multiple SSIDs per VLAN), each one with a different authentication method and server. Is there a way to bridge those VLANs together with a Catalyst 3750 switch? I tried configuring an IP address on one of the VLAN interfaces, then configuring a bridge with the vlan-bridge protocol (Catalyst 3750 doesn't have the "ieee" bridge protocol type) and put all 3 VLAN interfaces in the same bridge-group, but it didn't work (even with "bridge x route ip"). I also tried configuring IRB bridging, with the 3 VLAN interfaces in the same bridge-group and an IP address on the BVI interface (the way I used to do with old 2600 routers). Same result. (Actually, I didn't test to see if the interfaces are actually being "bridged", but I see neither of them can reach the router.)
I'd like to configure OSPF on a Catalyst 6503, IOS 12.2.17. I have a Gi1/9 with the IP address 192.168.97.30/24 and a VLAN 19 with the IP address 192.168.19.0/24. I configured OSPF like this:
router ospf 1
 network 192.168.97.0 0.0.0.255 area 10.5.0.0
 network 192.168.19.0 0.0.0.255 area 10.5.0.0
On the OSPF peer I see that the adjacency is established, but I don't get the routes for the 192.168.19.0 network. I checked the ip ospf interface vlan 19; I got ospf is not enabled on the interface. Then I tried to configure
I have installed a Catalyst 2960-S and a 3750-X-12S and I am trying to set up a VLAN 51 for some VoIP phones. I have added the VLAN as an interface on both switches, but the 3750 is not showing VLAN 51 as active when I do a show vlan. Also, it omits showing Gi1/0/1 & Gi1/0/3, which are uplinks to 2960-S switches plugged in and working on VLAN 1.
Catalyst3750SFP#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/2, Gi1/0/4, Gi1/0/5
I'm configuring two etherchannel groups (2 ports in each) on a 3560 switch. I need to trunk multiple vlans over each channel group.
I created the vlan trunks and allowed vlans on each physical interface. I notice that I can also configure the vlan trunks on the port-channel interfaces that were created. Should I configure them under those interfaces, or leave them on the physical interfaces? Relevant config is below:
My architecture is the same as shown on the link, with some differences. I use the router 1841 for Internet connection instead of 7200VXR; this router 1841 is connected on the Catalyst 3750 port G1/0/1. I use Catalyst 2960 instead of Catalyst 2950 or 2948. I use ASA 5510 for connection to the remote branches (I have 5 remote sites). This ASA is connected on the Catalyst 3750 port G1/0/37.
Result of the test:
- I can ping devices in the same VLANs
- I can ping devices in different VLANs
- I can ping all devices from the Catalyst 3750
I cannot ping the router 1841 or ASA 5510 from any of the devices (computers). The gateway of each computer is the corresponding VLAN IP address configured on the Catalyst 3750. Why can I not ping the router 1841 or ASA 5510 from any of the devices (computers)?
I am attempting to create a mass upgrade server for some of our more standardized equipment. Since our vendor cannot upgrade them pre-shipping for us, we've got to do them on our own. This means using a terribly organized wizard written in what appears to be Java...
I have an aversion to Windows and felt that I could accomplish the same thing using expect scripts and a Gentoo Linux server; now all I need is to set my Cisco 3550 (c3550-ipservicesk9-mz.122-44.SE6.bin) to have each port on its own VLAN, except for fa0/1, which will be a trunk port to communicate with all ports as well as the server.
I was unable to configure VLAN-based QoS on Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(33)SXH6, RELEASE SOFTWARE (fc1). It seems to me my configuration is not working. Here is the output of the interface:
sh int G1/6 | i rate
  Queueing strategy: fifo
  30 second input rate 25231000 bits/sec, 4282 packets/sec
  30 second output rate 46940000 bits/sec, 9257 packets/sec
Why can't I see matches in the ACLs? I've double-checked the direction and it seems to me it is correct. I can't see matches even if I configure something like this:
10 permit ip host 192.168.1.168 any
20 permit ip any host 192.168.1.168
Why is my output rate higher than 30M? Is it because there is no matching traffic here in the ACLs? I'm absolutely sure that the host with this IP is connected to this interface:
#sh arp | i 192.168.1.168
Internet 192.168.1.168 0 feed.beef.f00d ARPA Vlan3
#sh mac address-table | i feed.beef.f00d
* 3 feed.beef.f00d dynamic Yes 0 Gi1/6
I have a Catalyst 3750; in this switch I have 3 VLANs. I need to secure traffic between VLANs but I'm confused: should I use an ACL or a VACL to secure it? Which is best? If I use an ACL to secure and limit ports between VLANs, what is the best practice for applying the ACL (on the inside or outside of the interface)?
- Catalyst 3750
Interface VLAN182
 IP Address 10.62.182.254 255.255.255.0
Interface G0/2
 Description Finger Print Server
 Switchport mode access
[code]....
Here is the problem: if I connect the Finger Print devices to ports on the Catalyst 2960, some devices are not sending data to the server, but if I connect all Finger Print devices to a hub and connect the hub to the Catalyst 2960 at port F0/5, all devices (Finger Print) can send data to the server. Is there any special configuration in the Catalyst so all devices can connect directly to ports on the Catalyst 2960 without the hub?
I am going to create VLANs for the very first time, therefore for test purposes I have the following simple scenario. I have created 2 VLANs, VLAN2 and VLAN3, on a Cisco Catalyst 2960 series switch. Ports 1-12 are assigned to VLAN2 and ports 13-24 are assigned to VLAN3. Now I have configured DHCP on Microsoft Server 2003, defining 2 scopes with the following configurations.
Scope 1 for VLAN 2: range is 172.16.0.17 to 172.16.0.30 with subnet mask 255.255.255.240. Server IP address 172.16.0.17 (Note: address 172.16.0.17 is excluded from DHCP server Scope 1 and given to the MS server itself).
Scope 2 for VLAN 3: range is 172.16.0.33 to 172.16.0.46 with subnet mask 255.255.255.240.
Now in the Cisco 2960 series switch, under Vlan 2 and Vlan 3, I have the following configurations...
interface Vlan2
 ip address 172.16.0.30 255.255.255.240
 ip helper-address 172.16.0.17
interface Vlan3
 ip address 172.16.0.46 255.255.255.240
 ip helper-address 172.16.0.17
Now the problem is when I connect a client computer to any port from 1-12, it gets the correct IP address from Scope 1, but when I connect a computer to any port from 13-24, it does not get an IP address.
Further, I want to do inter-VLAN communication as well; for that purpose I have an ISR 2900 series router. What further configuration will I have to do on the router for inter-VLAN communication?