Cisco Switching/Routing :: Restricting Mac Addresses On 4506 Switch
May 14, 2013
We want to permit certain mac addresses on the cat 4506 switch wherein only those mac addresses will get access to network.
Configuration Planned: For testing purpose we have created mac access list on cat 4506 and deny laptop mac address in this access list. The mac access group is applied to the port where the laptop is connected to cat 4506. Even after applying the mac access group on the port, the laptop is able to ping the vlan ip of cat 4506 [code]
laptop with ip address 192.168.10.2/24 connected to port 2/1 is able to ping 192.168.10.1 even after applying the mac access-group
Note: we have tested the same configuration on cat 3560 and it's working fine. We apply the mac access-group command on interface and clear the arp-cache and we are not able to ping vlan interface ip. The moment we remove the mac access-group, ping starts again.
View 4 Replies
Dec 6, 2012
We have sup engine 6L (WS-X45-SUP6L-E) on two 4506 switches. Both switches are connected in LAN (HSRP primary and secondary).
We are going to replace it with Sup7LE. What is the best procedure to get this done with minimal outage? Any other important thing to be noted? Note: We have licence for SUP 7LE
View 2 Replies
Apr 7, 2012
Yesterday I've faced a Problem that is not letting me boot with the new IOS.
Actually I'm planning upgrade IOS which supports SSH. As part of plan I've downloaded the new IOS image and uploaded via TFTP server to the switch.
After uploading to the switch, I've verified image and MD5 hash also. Everything is fine. Then after I set the boot variable for the newly uploaded image.
When I'm rebooting the device it is not taking the new IOS. It's booting with the OLD image. Even it's not showing any error message while rebooting (ACTIVITY FILE ATTACHED FOR YOUR REFERENCE). I can't take risk by deleting the old IOS.
View 1 Replies
Nov 30, 2011
I have three 4506 switches with vlan 4 set as the management vlan. Switch 1 is connected to switch 2 and switch 3.
I can access switch 1 and 2 using telnet from the management vlan and both switches reply to pings. But from switch 1 or 2 I cannot ping or telnet switch 3. If I plug into switch 3 and I can ping and telnet switch 3 but not switches 1 or 2.
It is as if the management vlan 4 is not being passed to/from switch 1 and 3. The configs for the uplinks from switch 1 to 2 and 3 are the same. And the configs for switches 2 and 3 look the same apart from the port settings.
I have over 40 vlans running all that work fine between all the switches.
View 28 Replies
Oct 4, 2012
I have a problem with a newly bought ws-x4548-rj45v+. I've plugged in the module but when I do show modules all, it shows as unsupport
Power consumed by backplane : 0 Watts
Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
 1      2 Supervisor IV 1000BaseX (GBIC)         WS-X4515           JAE1048GAXQ
 2     48 10/100/1000BaseT (RJ45)                WS-X4448-GB-RJ45   JAB064806WN
 3     48 10/100/1000BaseT (RJ45)                WS-X4448-GB-RJ45   JAB063005DB
 4      0 Unsupported module                     WS-X4548-RJ45V+    JAE1545056U

 M MAC addresses                    Hw  Fw           Sw               Status
--+--------------------------------+---+------------+----------------+---------
 1 0007.0e64.f880 to 0007.0e64.f881 5.2 12.2(20r)EW1 12.2(46)SG       Ok
 2 000b.5fa4.da20 to 000b.5fa4.da4f 1.0                               Ok
 3 0009.e844.d760 to 0009.e844.d78f 1.0                               Ok
 4 ccef.4815.9bf0 to ccef.4815.9c1f 2.0                               Unsupport
View 2 Replies
May 25, 2013
A 4506 Switch reboots several times a day for no reason. I have been trying to upgrade the software. Normal operation of more than ten days, still there reason to restart. CPU and memory usage is normal
Switch output information below:
HKZ-SSL-4-NAN-4506#sh ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICES-M), Version 12.2(54)SG1, RELEASE SOFTWARE (fc1) [ code].....
View 3 Replies
Jan 11, 2012
I currently have the following configuration and am unable to get more than 2 DHCP addresses for the devices connected to the Cisco new SG 100-16 Switch. The AP have no trouble handing out DHCP to the wireless clients, but we are unable to get the SG 100-16 to be able to do the same thing to wired clients. It is currently connected to the 2960-8 in port 1. We can get 2 devices connected without a problem, but the 3rd machine and beyond do not work. Also, setting up a static IP does not work. Using a static will not even allow us to ping or tracer back to any devices beyond the SG 100-16.
View 7 Replies
May 9, 2013
I'm looking to restrict Inter-VLAN routing through L3 switch (cisco 6500) and wanted to know best possible way to do it. I used VACL and achieved success to some extent, but my config is making clients take up to 5-6 mins to authenticate IP address from the DNS (bootps). My VACL config was as follows:
Subnet to restrict is 10.100.15.0 (VLAN 15)
STEP 1: Created extended ACL to allow bootpc/bootps through DNS
ip access-list extended EACL_DNS
permit udp any eq bootps any
permit udp any eq bootpc any
STEP 2: Created standard ACLs to allow only relevant subnet, server VLANs & some IPs from other subnets for printers/scanners etc.
ip access-list standard SACL_VLAN_15
permit 10.100.15.0 0.0.0.255 (the subnet I'm restricting)
permit 10.100.50.0 0.0.0.255 (server VLANs)
permit 10.100.25.45 0.0.0.0 (printer in another VLAN which has to have access in VLAN 15)
STEP 3: Created VLAN access list
vlan access-map VACL_15 10
match ip address EACL_DNS
action forward
vlan access-map VACL_15 20
match ip address SACL_15
action forward
STEP 4: Applying VLAN Access list on VLAN 15
vlan filter VACL_15 vlan-list 15
Though the above works, below is noted:
1. I'm still able to PING 10.100.15.2 (the switch virtual interface) from outside the subnet, which I don't intend to do so. However all clients in the subnet have no connectivity from outside the VLAN 15.
2. As mentioned it's taking quite some time to negotiate with the DNS server at system boot time.
View 3 Replies
Jan 12, 2013
This is my scenario. I have my IP as 172.16.1.1 (aaaa.bbbb.cccc.dddd) which has full internet access. Now when I am not available in the office, I noticed someone assigning my IP to his workstation and gaining full internet access. How do I restrict such things? i.e. even if someone is assigning my IP on the network, they shouldn't access LAN or WAN. I tried configuring 'arp 172.16.1.1 aaaa.bbbb.cccc.dddd arpa' on my L3 Cisco 3750X switch assuming I can achieve this, but that did not work.
View 8 Replies
Jan 17, 2012
I have a 2900 router at branch office. This router has a 4 port switch card and two gigabyte ports. The gigabyte port is used for wan connection and the 4 port switch card is used for lan connection. I have two separate networks on my lan side. (network 1 and network 2)
I have assigned port 0,1 of the switch card to vlan1 for network 1. Ports 2,3 of the switch card are assigned vlan 20 for network 2.
My problem is I would like to apply a bandwidth restriction for all data coming out from vlan20 capping same to 384 kb.
Note I do not want to use QOS because this will only kick in when saturation occurs.
View 8 Replies
Jan 17, 2013
My management has tasked me to give them a high level overview of the different switching we can choose for our new building.
This is what I know so far. 4 closets, each closet has 450 ports. One MDF room that will contain one UCS Chassis and a Nimble iSCSI SAN.
I am working on the spreadsheet and it looks like this (Not totally filled):
2960s | 3560x | 3750x | 4506 | 4510
Approx cost (Each, 48PORT, POE+, 10G uplink, Dual PS, IP BASE): 6K | 7K | 8K | 45K | 75K
Max Capacity: 192 | 432 | 432 | 192 | 384
Backplane speed: 20 | 64 | 64 | 520 | 520
Pro: Least Expensive | Stackable to 9 | Stackable to 9
Pro: Dual PS | Dual PS | Dual PS | Dual PS | Dual PS
Pro: Layer 3 opt | Layer 3 opt | Dual Sups | Dual Sups
Con: Expensive | Expensive
Con: No Dual PS
Con: Layer 2 Only | Cannot stack more than 4
For the MDF I would like to use 2 Nexus 5548's with FEX's, and the layer 3 daughter board. For the IDF's I was thinking of two 4010's.
View 12 Replies
Dec 19, 2011
I am implementing a guest wireless network to work alongside my internal network. The guest network will use the existing switching network and will be separated by VLANs. I have the ASA set so that traffic can get to it and out to the Internet. I can set up a workstation on the same VLAN as my guest network and can route inside my network (strictly doing this for testing purposes). Where I am having problems is with the Catalyst 4506 switches and the ip routing. I had two separate "ip route" statements defined on my switches.
ip route 10.200.2.0 255.255.255.0 10.200.2.254
ip route 0.0.0.0 0.0.0.0 10.100.100.254
I have discovered that the traffic is always following the default route despite the fact that my IP address on my test workstation falls in the 10.200.2.x network. I was looking at documentation and found that it is possible to set up policy-based routing on the core switches. Can you have two "ip route" statements defined like this to segregate traffic or do I have to use PBR for routing (or a combination) in this case? If I define PBR then how does that impact my existing routing? I need to make sure that I can still route the existing traffic while I'm configuring this change.
View 9 Replies
Aug 27, 2012
We have 2 sites, each with 2 x 4506 switches which will be connected together using an etherchannel. The switches will provide access ports for client devices and will be configured with HSRP to provide gateway redundancy. SW1 will be HSRP active. 2 metro ethernet links will be installed in each site which will connect back to our HQ sites. OSPF will be used over the backbone to provide resiliency and to allow shortest path routing to each HQ and to prevent traffic over the HQ to HQ link.
The 4506 will be trunked together with an SVI for providing OSPF adjacency. For the traffic flow from SW2 to HQ2, traffic will hit SW1 and then route back to SW2 and then to HQ2. Is this the best way to do this? Should a second link be connected between switches just for routing or should something like GLBP be used?
View 6 Replies
Aug 31, 2012
Cisco Switch1 (4506) has 3 VLANs (12,13,14) and Switch2 (4948) has 3 different VLANs (22,23,24) and IP routing has been enabled in both switches with SVI interfaces for each vlan. Intervlan routing works fine. Now there is a requirement to connect these switches together. Vlan 12 on the Cisco switch 4506 has to be made available from vlan 22 from Switch2 (4948). Basically Vlan 12 is having a multicast source (225.0.0.0 & 226.0.0.0) which should be accessible from vlan 22 of cisco switch 4948. I got 2 ideas:
1) Create a trunk between these switches and configure L2 vlan (12) in cisco 4948... I know theoretically it should work but what my concern is, IP routing is enabled in both switches, will it create any issues? Is it a good solution to this requirement?
2) Create a separate IP network on the ports connecting to both switches and set up routes to the networks. ex- console(config)#ip route 192.168.10.10 255.255.255.0 192.168.20.1.
View 8 Replies
Mar 8, 2013
I am configuring multicast in an environment where I have a 4506 at each site (4 total) and a 6506 as the core. Each 4506 is connected via layer 3 to the 6506. I have a mix of 3560s, 3548s, and 2960s connected to the 4506s and the 6506 via layer 2 trunk.
I have multiple multicast sources and hosts communicating at a time (multiple cameras sending video / multiple computers receiving video). So this is not a scenario where there is 1 sender and many receivers. This would be many senders (~50) and some receivers (~10)
Sample Diagram:
->3560
|
6506 --> 4506 --> 3548
| |
| --> 2960
|
4506 --> 2960
|
-->3548
I configured ip multicast-routing on each of the 4506s and on the 6506. IGMP snooping is on by default on the 3560 and 2960 switches. CGMP is on by default on the 3548 switches.
I set up PIM sparse-dense mode and IGMP version 3 on each of the layer 3 interfaces for the 4506s and 6506 where they connect and on each VLAN that is sending or receiving multicast. Multicast is working throughout the network, however I am looking to verify the configuration as I scale this out to more clients on the network.
#1 - Is it correct to use sparse-dense mode in this configuration?
#2 - Do I need to configure a rendezvous point using AUTO-RP? (ip pim send-rp-announce INTERFACE scope TTL). Not sure here if I need to designate this and what to choose. Right now I do not have this and it is working, but documentation seems to infer that I need to designate this.
#3 - Are there any other configuration settings I should be considering? It is hard to find real world configurations of multicast as examples or people that know multicast routing well.
View 3 Replies
Jan 4, 2013
I am currently running a 4506 with a sup V engine. I have purchased a sup 7 engine. Is there a guide on how to perform this task? I am sure I need to do an IOS update as well.
View 2 Replies
Jun 11, 2012
We are attempting to PXE boot from clients obtaining their DHCP lease information from DHCP pools configured on our 4506. The PXE server, and the client are configured in separate VLANs. We have configured option 66 to point to the PXE server IP address, and the bootfile option to point to the PXE boot configuration filename. On the client side SVI, we also have configured the ip helper-address command to point to the PXE server (which also acts as another DHCP server for redundancy).
The PXE boot continuously fails stating it is unable to find the configuration file. If we remove the DHCP pool from the 4506, and allow the client to receive their DHCP lease info from the secondary server (Windows 2k8 - same server as PXE server), they PXE boot with no issues.
We have no problem obtaining DHCP info, just completion of the PXE process.
View 6 Replies
Mar 19, 2013
Is SUP 7E compatible with IOS? It came with IOS-XE preloaded and there is no IOS software listed under downloads.
View 3 Replies
May 8, 2013
I have 4506 with below sup. My requirement is to enable netflow, but as I came to know that it is not supported in this sup, is there any additional option which can be explored to get the netflow working without replacing sup?
Card Type Model
-------------------------------------------------------------+-----------------------
Sup 6-E 10GE (X2), 1000BaseX (SFP) WS-X45-SUP6-E
View 4 Replies
Oct 24, 2010
We have just purchased and installed a 4506-E chassis. It contains a supervisor, two POE blades and 3 non-poe blades. Version is 12.2(53)SG1. Anyhoo, one of the ports isn't providing power to an IP phone. We can plug the phone into any of the other POE ports and it works fine. Is there a way to test an individual port for POE problems? What could the problem be? The port works for normal data but will not provide power.
View 12 Replies
Dec 4, 2011
We ordered the wrong part number for a Cisco 4506 non-E chassis, the part number is: WS-X4624-SFP-E and the device is showing "Unsupported module"; What would the part number be for the non-E? WS-X4448-GB-SFP,Catalyst 4500 48-Port 1000Base-X (SFPs Optional) ?
View 1 Replies
Mar 14, 2013
I'm desperately trying to get LACP working over a dot1q Tunnel. The "Service Provider" Switches are two 4506-E Switches with SUP7-E connected via a 10G Link, running on cat4500e-universalk9.SPA.03.03.00.SG.151-1.SG
sample config:
dot1q tag vlan native
interface GigabitEthernet3/1
switchport access vlan 2001
[Code].....
View 4 Replies
Jun 8, 2012
A 6509 and a 4506 with 2, 1gb interfaces in a portchannel. Bring it up and everything is fine. Save the config and reload either switch and the interfaces stay in Not Connected state. Either doing a No Shut or a physical unplug the SFP and plug it back in will bring it up with no issues. Interfaces do not go into Err Disabled state, they stay in Not Connected like there is no fiber plugged into it. No error messages in the log. The Just the Interface is now up. Both are running very new code,
6509 - s2t54-ipservicesk9-mz.SPA.150-1.SY1.bin ( 15.0.(1)SY1 )
4506 - Version 03.02.00.XO
View 1 Replies
Aug 12, 2012
I have "inherited" a Catalyst 4506 with IOS version 12.2(20)EWA1 and Supervisor IV already installed. We recently purchased a second Supervisor IV and I am looking to install this second supervisor for redundancy. Is there anything special with installing a second supervisor or do I just physically install the new supervisor and the IOS will automatically set everything up?
View 3 Replies
Dec 18, 2012
I have a setup with two Cat 4506E working as a HA. I used a bundle 4Gb interfaces working as ether-channel. I'm facing a problem with DHCP pools on both SW's. There is no problem if I use the pools on one sw, but when I put the pool on both sw's then I faced a lot of conflict IP in the DHCP pools. How can I set up a real DHCP redundancy on both SW's?
View 6 Replies
Mar 25, 2013
My inherited network has a Cisco Catalyst 4506 with a WS-X4124FX–MT fiber card that connects to twelve Cisco 2950 switches over 62.5 micron multimode fiber at 100 Mbps. I do not know my run lengths (or even where the conduits run), but the furthest switches are well over a thousand feet from the server room. Any appropriate test equipment to provide this information soon.
We are looking at upgrading the main switch to a Catalyst WS-C4507+E with two WS-X4712-SFP+E cards and the closets to Cisco 2960S-48TD-L switches. Assuming this is a reasonable move, my question is about choosing the appropriate SFP’s for our current and future needs.
I am aware that 62.5 micron multimode fiber is the least favorable for extended lengths, but I will not be in a position to replace it for at least a year. If I purchase 10 Gbps modules, like the SFP-10G-SR or SFP-10G-LRM, can they “throttle down”, either automatically or by setting a parameter, to communicate at slower speeds over distances that exceed their 10 Gbps maximum link lengths on multimode fiber?
View 1 Replies
Nov 14, 2011
I have one computer connected to the 4506 that management does not want this PC to have access to anything on our network except our DHCP server and the one printer that resides on our network. I created an extended access list as follows. Our network is the 10.10.x.x and the external addresses the PC needs to access is 11.1.x.x. Once this PC is rebooted, it is unable to access DHCP to get the needed IP address it bounces back to a 169.x.x.x address and stops working.
Extended IP access list 2000
permit tcp host 10.10.200.242 host 11.1.200.1 (gateway)
permit tcp host 10.10.200.242 host 11.1.2.151 eq smtp (access from the pc to external server for smtp)
permit tcp host 10.10.200.242 host 11.1.2.149 eq 5721 (access from the pc to external server for remote access)
[ code]...
Then I applied the access-group 2000 on the interface the PC is connected to. What am I missing for DHCP to work and for this PC to always get the ip address that is reserved?
View 3 Replies
Mar 4, 2013
I am running HSRP on three 4506 switches: S1 (active), S2 (standby) and S3 (listen). S1 is active for all the vlans. Right now, I wanted to make S3 active for two vlans: vlan 10 and 19. What would be the impact to the end hosts? Also, can you tell me why the arp is not syncing for all the three devices? [code]
View 4 Replies
Nov 30, 2011
I have two 4506 switches in my organization. Recently the office was relocated and when both the switches were booted they ignored the startup config. The config-reg was set to 0x2101. No boot system command was configured. So I changed the config-reg of SW1 to 0x2102 and gave boot system command as stated below. When reloaded the switch booted to ROMMON and I had to manually boot the IOS. I want them to boot normally with IOS. Config of SW2 is not changed since relocation. I am specifying both configs for your consideration. [code]
View 12 Replies
May 17, 2012
I'm dealing with a 4506 switch that when I try to apply "sh auth sess int xx" I get "Invalid Input Detected" ... Is there any way that I can get the authenticated session over a port even if I can't apply "sh auth sess int"?
View 1 Replies
Jan 25, 2012
Need to limit the amount of bandwidth a specific VLAN can use on a 802.1q trunk port. Situation is that we have a pair of Catalyst 4506 switches which have 802.1q trunk ports into a Checkpoint Firewall, this in turn is connected to a managed WAN router (to which I can't apply a QoS policy). If the 4506 was routing the traffic it would be easy to setup a class-map to match the IP traffic and then QoS the traffic, but the VLAN in question is trunked directly into the firewall (no L3/IP presence on the 4506, next hop for all clients on this VLAN is the firewall). What I need to do is restrict any traffic from this specific VLAN to 10Mbps on the uplink to the Checkpoint Firewall so it cannot impact the onward WAN.
View 1 Replies
Jan 18, 2012
I have been asked to upgrade the IOS images on three 4506 switches with a single Supervisor IV engine in each to allow for SSH2 access. The current image is cat4000-i5s-mz.122-25.EWA.bin. I have uploaded cat4000-i5k91s-mz.122-25.EWA14.bin to bootflash on each Supervisor engine. The ROM on each SUP IV is 12.1(20r). I don't want to have to upgrade the ROM version. Will the cat4000-i5k91s-mz.122-25.EWA14.bin image retain all the current features of the current image and provide SSH2 support, without requiring a ROM upgrade? Each switch has 512 Mb of RAM. If this image will accomplish what I want, what are the commands used to select the new image from bootflash? I'm familiar with image updates on fixed chassis switches using the boot system flash command.
View 2 Replies
Aug 17, 2012
I am going to buy a core 4506 but I'm confused about the Sup engines and the Fiber module. What is the difference between the Sup7 and Sup7L? Does the fiber module that I am going to buy contain the SFP inside or do I have to buy the SFP (WS-X4612-SFP-E)? Also, what is the difference between the SFP and GBIC?
View 4 Replies