Cisco Switching/Routing :: Catalyst 3750 - VACL And ACL To Secure VLan?
Feb 20, 2012
I have a Catalyst 3750. In this switch I have 3 VLANs. I need to secure traffic between VLANs but I'm confused: should I use ACL or VACL to secure? Which is the best? If I use ACL to secure and limit ports between VLANs, which is the best practice to apply the ACL (on the inside or outside of the interface)?
Feb 7, 2012
I'm facing one issue with VACL. I have a network LAN with 10.40.X.X/16. In this network I have a Production VLAN 10 with 10.40.10.X/24 and I have created one VLAN 103 for Guest users as 10.40.103.X/24.
My goal is to restrict VLAN 103 from reaching or accessing VLAN 10, better, to restrict Guest user access to the production VLAN. So I tried to put this script with the VACL method, but it doesn't work.
Extended IP access list Restriction-Guest
10 permit ip 10.40.103.0 0.0.0.255 any
vlan access-map Guest 10
 action drop
 match ip address Restriction-Guest
vlan filter Guest vlan-list 10
After that I am still able to ping or access VLAN 10 from VLAN 103.
Nov 8, 2012
I have 3 VLANs here that need to be on the same network segment. They are going to be used by our Wi-Fi network (with Aironet APs), bound to 3 different SSIDs (as Aironet APs don't allow multiple SSIDs per VLAN), each one with a different authentication method and server. Is there a way to bridge those VLANs together with a Catalyst 3750 switch? I tried configuring an IP address on one of the VLAN interfaces, then configuring a bridge with the vlan-bridge protocol (Catalyst 3750 doesn't have the "ieee" bridge protocol type) and put all 3 VLAN interfaces on the same bridge-group, but it didn't work (even with "bridge x route ip"). I also tried configuring IRB bridging, with the 3 VLAN interfaces on the same bridge-group and an IP address on the BVI interface (the way I used to do with old 2600 routers). Same result. (Actually, I didn't test to see if the interfaces are actually being "bridged", but I see neither of them can reach the router.)
Apr 14, 2013
I have installed a Catalyst 2960-S and a 3750-X-12S and I am trying to set up a VLAN 51 for some VoIP phones. I have added the VLAN as an interface on both switches, but the 3750 is not showing VLAN 51 as active when I do a show vlan. Also, it omits showing Gi1/0/1 & Gi1/0/3, which are uplinks to 2960-S switches plugged in and working on VLAN1.
Catalyst3750SFP#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/4, Gi1/0/5
[Code].....
Dec 20, 2012
My architecture is the same as shown on the link, with some differences. I use the router 1841 for Internet connection instead of 7200VXR; this router 1841 is connected on the Catalyst 3750 port G1/0/1. I use Catalyst 2960 instead of Catalyst 2950 or 2948. I use ASA 5510 for connection to remote branches (I have 5 remote sites). This ASA is connected on the Catalyst 3750 port G1/0/37.
Result of the test:
-I can ping devices in the same Vlans
-I can ping devices in different VLANs
-I can ping all device from the catalyst 3750
I cannot ping the router 1841 or ASA 5510 from any devices (computers). The gateway of each computer is the corresponding VLAN IP address configured on the Catalyst 3750. Why can I not ping the router 1841 or ASA 5510 from any devices (computers)?
Oct 24, 2012
I have a network with a Catalyst 3750 as the main switch and then some Catalyst 2960 switches that are plugged in to that. I have a server running Windows Server 2008 with a couple of virtual machines running in Hyper-V. I created 4 VLANs listed below and gave the 3750 the following IP address. I would like the 3750 to only be configurable from VLAN 40, but currently every VLAN can connect to it. I noticed in the standard web page settings there was a setting for "Management VLAN" but it was set to 1 and would not let me change it; I kinda assumed that was for the management port in the back.
Now the tricky part: I was trying to set up routing between the VLANs and so far I have only been able to get a sort of "all or nothing" routing to work. I can turn IP routing on and add two or more VLANs to the routing and it works fine. But what I was hoping to do is create a couple of "junction VLANs" that would only route to one or two other VLANs. For instance, I wanted to create a VLAN 100 that routed to VLAN 20 and 30 but nothing else. I also want to route VLAN 1 just to VLAN 30, and so on. I am able to do each one of the cases but only one; it seems like the switch only supports one "routing table". Am I missing something or is this just a limitation of the switch?
Oct 28, 2012
I have a network with several Catalyst 2960 switches and one Catalyst 3750. I have created two VLANs and set up the proper routing and everything is working fine there. I have a client/server application that used multicast in the initial start up for the client to determine available servers. The issue is one of my clients is on a different VLAN than the server. I am able to route the multicast using MVR as long as both the server and the client are plugged into the 3750 by creating a static route, making the server a source port and the client a receive port. Unfortunately I need the client and the server plugged in to different 2960s. My question is how do I establish multicast routing between the two and preferably do it dynamically (always route multicast traffic from one VLAN to another)?
Dec 17, 2011
I have been looking into this for a while and I can't seem to figure out why my 2nd vlan is not able to connect properly to the net.
My switch has 12 ports where my devices connect directly; they are all on VLAN 1 and they all work perfectly. On port 12 I have a D-Link router that is connected to a cable modem. The D-Link router has an IP address of 192.168.0.20.
I created a second VLAN (vlan2) and enabled DHCP relay on it. Then I assigned port 9 on the switch to (vlan2). My laptop, which is connected to port 9, seems to get an IP address fine and is able to ping only some devices on my network (vlan1) and is not able to go out to the internet. I think it has to do with the routes. [code]
Sep 4, 2012
I have a problem. Here is the situation:
- 1 Catalyst 3750
- 1 Catalyst 2960
- 4 Finger Print
- 1 HUB
Configuration
- Catalyst 3750
Interface VLAN182
IP Address 10.62.182.254 255.255.255.0
Interface G0/2
Description Finger Print Server
Switchport mode access
[code]....
Here is the problem: if I connect the Finger Print devices to ports on the Catalyst 2960, some devices are not sending data to the server, but if I connect all Finger Print devices to the HUB and from the HUB connect to the Catalyst 2960 at port F0/5, all devices (Finger Print) can send data to the server... Is there any special configuration in the Catalyst so all devices can connect directly to ports on the Catalyst 2960 without the HUB?
Dec 8, 2011
I have used a StackWise 3750 for a long time. Now, I have a new stack of 3750. Both of them are trunking together. If I have a VACL running in the old stack, do I need to also implement it in the new one?
Jan 10, 2013
I have two networks at two sites with a dot1q trunk between the two L3 switches at both sites (no routers involved)
SITE A - Cisco 3750 L3 - VLAN ID 50
10.10.50.0/24
SITE B - Cisco 3750 L3 - VLAN ID 50
10.20.50.0/24
I would like to extend the SITE A VLAN to SITE B so that I can move hosts from SITE A to SITE B without needing to change their IP address, but the VLAN ID is already in use. Obviously the easy solution is to change the VLAN ID for one or other of the sites, but both sites contain hosts that run 24/7. Is there a way to join two VLANs with different IDs together? So for example I create a new VLAN 60 at SITE B and associate it with VLAN 50 at SITE A.
Nov 20, 2012
We have low bandwidth (15-20 Mbit/s) to the ASA from our Client VLAN. If I connect the Client to the same VLAN as the ASA is, the bandwidth (90 Mbit/s) is good.
Here is the Layer 3 Design:
Client -> vlan 2 - Switch - vlan 7 -> vlan 1 - ASA 5505 -> ISP
The Layer 2 Design:
Client -> Gig2/0/13 - Switch - Gig4/0/43 -> Eth0/1 ASA5505 -> ISP
IP Address:
Client: 172.16.2.10
Vlan2: 172.16.2.1
Vlan7: 172.16.7.1
ASA: 172.16.7.2
I am assuming the switch has a problem with routing? It is a stacked switch with the following members:
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-24ts
switch 3 provision ws-c3750g-24ts
switch 4 provision ws-c3750x-48
And we have the following error message in the log from the switch:
%PLATFORM_UCAST-4-PREFIX: One or more specific prefixes could not be programmed into TCAM and are being covered by a less specific prefix, and the packets may be software forwarded
I first got the idea that the switch is overloaded with router traffic. That's why I am assuming I have to check the SDM templates, but I'm not sure if this resolves the issue.
Here is the relevant config:
ASA Interface on the Switch:
interface GigabitEthernet4/0/43
 description ASA-inside LAN
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
Client Interface on the Switch:
interface GigabitEthernet3/0/1
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
[code]...
Sep 16, 2012
I'm trying to configure SCP for secure configuration backup. I've configured the SCP server with an account and password but I keep getting the no such file or directory error.
AP-C2R1C5-3750#sh run | b arch
archive
 path scp://mchenry:PASSWORD@172.20.22.229//C:/Program_Files/OpenSSH/Cisco_Configs/Switch_Config
username mchenry privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXX
ip scp server enable
Error: %scp: /C:/Program_Files/OpenSSH/Cisco_Configs/Switch_ConfigSep-17-16-04-44.172-1: No such file or di
SWITCH#ping 172.20.22.229
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.22.229, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 33/33/34 ms
Feb 10, 2013
I need to configure two VACLs on a Cisco Catalyst 6509. On the Cisco 6509 there are already two SPAN ports configured; are there problems configuring another two VACLs?
These VACLs send traffic to a Traffic Analyzer (SIEM); are there particular configurations to facilitate the operation?
Jul 25, 2012
have 3 Catalyst 3750 in the same stack; the IOS version is 12.2(53)SE2. Today we cannot telnet/ssh to this switch, but ping is OK, and switch function is OK. I tried to access the console port; it shows "low on memory, try again later". After I rebooted the master switch in the stack, the master switch changed to another switch, then I could telnet/ssh to this switch. I checked the CiscoWorks server syslog report; there are many MAC address flapping error messages, and I believe the MAC address flapping occurred before several weeks. (The G2/0/15 & G3/0/15 is connected to a VMware ESX server and the EtherChannel config mismatches with this Catalyst 3750 switch.) How to mention the root cause of the "low on memory" problem and what is the abnormal memory usage (free memory percentage below ?%)?
Apr 9, 2013
my Catalyst 3750 switch. Following a power cut the switch no longer boots up. The SYST light flashed green but no POST checks are made. I cannot see any boot messages from the console port either. The switch was on a UPS but something may have damaged the switch.
May 13, 2012
There is a requirement to configure TACACS and RADIUS on a Catalyst 3750X (version 15.0) where two VRFs exist. Is there a solution to configure "tacacs-server,host x.x.x.x vrf yyy"? I know it is possible to configure under the "aaa group server radius xxx" the command "ip vrf forwarding yyy". Is there anything else for the tacacs-server and radius-server commands?
Feb 18, 2012
Is it correct that VLANs exceeding 128 run without spanning-tree?
May 2, 2012
I have a Catalyst 3750 and 2 ISPs.
I wanted to use, let's say, port 5 of the Catalyst 3750 so that only the 2nd ISP will route to this port.
The rest is pointed to the 1st ISP.
I'm thinking of using VLAN..
Apr 16, 2012
I have been looking into this for a while and I can't seem to figure out why my 2nd VLAN is not able to connect properly to the net. My switch has 12 ports where my devices connect directly; they are all on VLAN 1 and they all work perfectly. On port 12 I have a D-Link router that is connected to a cable modem. The D-Link router has an IP address of 192.168.0.20. I created a second VLAN (vlan2) and enabled DHCP relay on it. Then I assigned port 9 on the switch to (vlan2). My laptop, which is connected to port 9, seems to get an IP address fine and is able to ping only some devices on my network (vlan1) and is not able to go out to the internet.
Jul 24, 2007
Does Catalyst 3550 switch support inter vlan routing ?
Oct 11, 2012
I was browsing the Software Advisor on Cisco's website to look for a suitable IOS image for a 3750. The system displayed a couple of suggested IOSes. There was no mention of the IOS 15.0SE version. Could the Software Advisor be not up to date with the current Catalyst IOS releases?
Dec 31, 2011
I have a Cisco Catalyst with VLANs (VLAN ID 33, 36, 40-53) configured. I need to configure port mirroring on the 3750 switch for NAC (Network Access Control). I need to monitor all the VLANs. Here is the SPAN configuration of the switch: [code]
Monitor session 1 source vlan 33 , 36 , 40 – 53
Monitor Session 1 destination interface fa 1/0/8
(here I am not able to set encapsulation dot1q) because the error occurred saying %one or more dest port do not support the encapsulation%.
May 28, 2013
I have a customer who has as Core Switch one Cisco Catalyst 3750 with the IOS c3750-ipbase-mz.122-35.SE5. I know that this image supports DHCP Server configuration, but I would like to implement new VLANs (approx. 15) and I want to know if this switch supports 15 DHCP Servers.
May 27, 2013
How to set up a port channel between a SG200 and 3750 and am having problems.
What do I need to do on the SG200? I have added the port into the LAG but the port will not come up.
I spent half a day messing around with the web interface and I am unable to get the port to come up.
The Cisco 3750 is a standard port channel config which I have set up many times before:
channel-group 1 mode active
channel-protocol lacp
switchport mode trunk
Oct 13, 2012
I am working in an environment where I have to use more EtherChannels. How many EtherChannels could we create on a Cisco 3750 switch, i.e. can they use a lot of CPU processing resources?
Nov 20, 2011
If I read the datasheet of the Catalyst 3750X-Series switches, it is possible to connect a new X switch to an existing and old Catalyst 3750-Series stack. What kind of requirements are needed? Only the same IOS version in the whole stack and, if possible, the same feature set? .... like in a normal NOT mixed stack?
Apr 24, 2012
Is it possible to configure LACP etherchannel to a Catalyst 3750? Playing around with the SMB switches for the first time.
I know how to do it on the 3750 but am having trouble figuring out the sge2000p.
Sep 23, 2010
SFP-10G-ER are not supported on Catalyst 3750-X and on other switches ....
%PHY-4-SFP_NOT_SUPPORTED: The SFP in Gi1/1/1 is not supported
Why? When will ER be supported?
May 7, 2012
I am trying to use a SF302-08P switch to connect a conference phone (Cisco 7937) to my infrastructure. I connected the G2 port on the SF302 to a Gig copper port on the Catalyst. I configured both ports as trunked ports and port e1 on the SF302 as an access port for the phone. VLAN 1 is the default VLAN and VLAN 10 for voice. However, the phone does not connect to the Call Manager. I have changed the configurations on the G2 trunked port and the ethernet port (trunked ports, general ports, tagged and untagged). I have also changed the configuration on the Ethernet port (general, access, trunk, set it on the default VLAN, in the voice VLAN, etc.) The SF302 connects to the Catalyst, and PCs connect OK.
Aug 12, 2012
why the AutoQoS macro does not implement "priority-queue out" when configured on the 3750 platform running certain versions of software. The only other platform I have experience with AutoQos is on the 4500 and it enables priority queuing as expected. So what's up with autoqos on the 3750 on version 12.2(35)SE5?
When it comes to configuring QoS on campus user/phone access ports there are some important settings that can and should be considered but one can argue that enabling the priority queue is the single most impactful or important command. So I was very surprised and concerned when I didn't see priority-queue out. Cisco describes AutoQoS as a simple, quick way of deploying QoS on the LAN and it precludes you from having to learn all of the differences between hardware platforms. But is it true that this tool produces an incomplete config solution? Let me know if I am missing something.
Here is an example of what AutoQoS produces when applied to a 4507 with WS-X4648-RJ45V+E: (other interface commands are left out for simplicity)
interface GigabitEthernet5/25
 description XYZ
 switchport mode access
 auto qos voip cisco-phone
 qos trust device cisco-phone
 service-policy input AutoQos-VoIP-Input-Cos-Policy
 service-policy output AutoQos-VoIP-Output-Policy
policy-map AutoQos-VoIP-Output-Policy
class AutoQos-VoIP-Bearer-QosGroup
set dscp ef
[code]......
Here is an example of what AutoQoS produces when applied to a 3750 running version 12.2.(35)SE5: (no priority-queue out)
interface GigabitEthernet1/0/36
switchport access vlan 8
switchport mode access
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
[code]......
Jul 16, 2012
Our servers are hosted at the Main site, site office A access to the Main site for Internet and servers. We are thinking NextG to take over when the link between sites goes down.
To start with, what is the configuration for 3750 at Site A and the Main site:
1) Trunking for both switches
2) Routing
3) the automatic failover configuration for the switch at Site A.
Jan 31, 2012
I have the wrong code on the device. I can get to the switch: prompt. The manual say to connect a PC to the management port. But it does not come up. x modem does not seem to work. I found some commands :
Examples : This example shows how to clear the Ethernet management port statistics: switch: mgmt_clr