I want to understand - if 10G ports of 4948E (4 x 10Gb) they are block or non-blocks? I want to connect this switches with 20 GB (lag) to my BB switches and i need to prepare my infrastructure to 17.5GB troughput of video traffic.
View 9 RepliesI try to insert a picture, to make the situation easily understandable.
The problem: After I have connected one more PC to the unmanaged switch, it cannot connect to network neither by DHCP IP, nor Static IP. (Physical Link is Ok, but no communication)
Tests made:
- PC1 turned off, to test connection, but PC2 cannot connect
- portfast has been turned off on the port of Cisco (which connects to Mediaconverter), but PC2 cannot connect
- PC2 has been reinstalled, replaced, other network adapter has been inserted, but cannot connect.
- the unmanaged switch has been replaced to a new one, but no success.
PC2 can connect to Cisco only if connected directly to RJ45 port of D-link Mediaconverter. But this is not a solution, because in that office, I would need for both of the PCs.
running config of the switch:
System image file is "flash:c2900XL-c3h2s-mz-120.5.2-XU.bin"
cisco WS-C2924C-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K byt
es of memory.
Model number: WS-C2924C-XL-EN
#sh run
Building configuration...
Current configuration:
[code]....
I have been asked to look at designing a network internally. I have no control of the upstream network besides requesting changes.Essentially I'm confused as to the best way to approach configuring the following and wondered if you could share any experiences. It's stretching the limits of a CCNA IMHO, although I understand a lot about networking this is one area where I'm a little sketchy.
Kit list:
4948-E-S or E-E switches.
Cisco ASA 5545 firewalls
Cisco ASA 5520 firewall
& Multiple L2 switches
- I have 3 subnets in total, a /29 for routing and two larger subnets routed to the /29
What I'm trying to do:
1) Have some hosts protected by the ASA 5545 firewalls, probably in routed mode (that's the confusing part). I cannot use NAT so the inside interface/VLAN would need public IP's.
2) Have some hosts not protected by the ASA, therefore straight out onto the public Internet with no firewall whatsoever, they connect directly to the L3 or to the L3 via a L2 switch.
3) Have the ASA 5520 take an IP from the public (non-protected range), as this will be a VPN endpoint too and will also need to have NAT enabled. This should be easy as it just takes an IP from a public subnet, the ASA 5545's are the tricky part as they cannot use NAT at all. I've also been advised not to use Transparent mode either.
4) L3 switches are essentially external switches, doing the routing for our subnets, before upstream.
5) Upstream provider provides gateway with HSRP, we're looking at using HSRP and a routing protocol on our side over two 4948 switches. Any recommendations on this?
6) Further to point 5, we do not currently have any ability to do BGP or anything. That would be done by a separate team, upstream.
Note: I've also got to justify the use of each IP to the network management team, they are quite stingy so I have to be careful that I don't waste too many IP's for core network. So what I'm thinking is I have to create subnetworks of my main subnets to break them up into smaller pieces, and then add some onto the inside interface of the ASA and others will be on the L3 switch. Then of course route the networks to the ASA outside IP. Saying that, I'm not clear if I should create a /29 or /30 to route to the outside of the ASA or grab one from the larger subnet as it were? The final outcome is that we can connect a machine directly to the Internet or behind a firewall, depending on the requirements for that individual device. All devices will have public IPs.
Using a 4948E switch with FastEthernet1 as the management interface which uses the VRF mgmtVrf. I cannot get DNS resolution to work for some reason.
I am using code enterprise 15.1-2.SG and here are the relevant config snippets:
ip domain-lookup source-interface FastEthernet1
ip domain-name domain.com
ip name-server 4.2.2.1
[Code].....
I read online there are some commands in a different code that support specifying the VRF along with the name servers, but I don't have those options. All I can do is set the source-interface on the domain-lookup command.
I am trying to setup SNMP v3 on a 4948E switch here is what I have done so far:
snmp-server location "location"
snmp-server contact IT Admins
snmp-server group SNMPgrp v3 priv read SNMP-ro write SNMP-rw access 80
snmp-server user snmp_user SNMPgrp v3 auth sha xxxxxxxxx priv aes 128 xxxxxxxx access 80
What else am I missing and how can I confirm that it is configured correctly?
I'm in the process to install two 4948E switches. I will be configuring GLBP and wanted to get some guidelines on configuring GLBP and EIGRP:
- First question is like HSRP I'm configuring it on both swithches like this:
Switch 1:
interface vlan 5
ip address 10.1.5.249 255.255.255.0
glbp 5 ip 10.1.5.1
glbp 5 priority 110
glbp 5 preempt
glbp 5 authentication md5 key-string xxxxxx
[code]....
- Second question is about EIGRP, when I configure EIGRP on the main switch that is AVG with the following commands, will I also have to run the same commands on the second 4948 E too?
router eigrp 10
network 10.1.5.0 255.255.255.0
Cisco c4948e switch log is showing :
COMPACTFLASHNOTREADY: Compact flash is not ready
Feb 24 00:28:22.338 UTC: %C4K_FLASH-4-COMPACTFLASHNOTREADY: Compact flash is not ready
COMPACTFLASHNOTREADY: Compact flash is not readyFeb 24 00:28:22.338 UTC: %C4K_FLASH-4-COMPACTFLASHNOTREADY: Compact flash is not ready
Checked the data sheet and is not supported. Why we get this log from the switch? is it cosmetic?
AME: "Linecard(slot 1)", DESCR: "10/100/1000BaseT (RJ45), 10GE (SFP+) Supervisor with 48 10/100/1000BASET ports and 4 10GE SFP+ port"PID: WS-C4948E , VID: V01 , SN: CAT1425S0NZ
NAME: "TenGigabitEthernet1/49", DESCR: "SFP-10Gbase-SR"PID: SFP-10G-SR , VID: V02 , SN: AGD132134ER
NAME: "TenGigabitEthernet1/50", DESCR: "1000BaseLH"PID: Unspecified , VID: , SN: FNS141203YF
[code]...
Trying to configure the Cisco 4948e switch gigabit ethernet port with "switch port trunk encapsulation dot1q", but didn't get the option. Please find below the options got after "swith port trunk"............
SW(config-if)#switch port trunk ?
allowed Set allowed V LAN characteristics when interface is in trunking mode
native Set trunking native characteristics when interface is in trunking mode
pruning Set pruning V LAN characteristics when interface is in trunking mode
SW(config-if)#switch port trunk. Please find below the version of the SW............
SW#sh ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-LANBASE-M), Versi
on 12.2(54)SG1, RELEASE SOFTWARE (fc1)
Technical Support: {URL}
ROM: 12.2(44r)SG11
Hobgoblin Revision 21, Fortooine Revision 1.22
[code]...
So, whether the command is not supporting on this Cisco switch ? But we have Cisco 4948 Cisco sw where that command is working fine.
I work for a small pharmacy that uses a Cisco RV120W router to separate hospital VPN traffic from general internet traffic. The VPN traffic is redirected to a dedicated T1 line (Or T-something, I wasn't involved in the actual setup of the VPN) connecting our store directly to the local hospital, and general internet traffic gets redirected to a ZyXel PK5000Z DSL modem (We have Qwest/CenturyLink 7m/768k). The DSL modem is running the latest version of our ISP's custom firmware.
Prior to installing the VPN and RV120W, LAN traffic was handled with a basic D-Link DI-604 wired router. The router itself was configured with an IP of 10.100.100.254 (With all LAN clients assigned DHCP IPs in the 10.100.100.XXX range) and "WAN" IP of 192.168.0.4, and the modem configured with a LAN IP of 192.168.0.1. The router was connected from it's WAN port to one of the LAN ports on the modem.
The modem has it's own built-in router, but the store owner wished to have an "extra layer of protection", so to speak, and had the D-Link router installed to serve that purpose. Prior to connecting the VPN, a second router was admittedly redundant and unnecessary. However, now that we have the hospital VPN, a second router is REQUIRED to properly separate the VPN traffic from other internet traffic, since the router built into the DSL modem doesn't have the capabilities to perform this task (We had already attempted to operate the VPN over DSL...it failed miserably and spectacularly. A dedicated T1 was the only reliable option).Anyway, when installing the RV120W, we duplicated every possible setting from the old router, including configuring it with a LAN IP of 10.100.100.254 and a "WAN" IP of 192.168.0.4 and connecting it in exactly the same fashion as the old router (Modem LAN to Router WAN). Essentially, the RV120W was set up exactly the same as the old D-Link router, just with the added VPN functionality.
The problem is this: ever since installing the RV120W, we are no longer able to access the DSL modem's administration page (http://192.168.0.1). We were able to do this without any trouble whatsoever with the old D-Link router, but the RV120W seems to be blocking it somehow. Any attempt to load the modem administration page just forever sits at "Waiting for 192.168.0.1...". It never times out, it never shows any error messages. It just sits there, forever trying to load the page, showing nothing but "Waiting for 192.168.0.1..." at the bottom of the screen.
Now, we know for a fact that it is NOT a problem with the modem, because if we connect a computer directly to it via ethernet (Completely bypassing the RV120W), the administration page loads perfectly fine. And, admittedly, we could configure the modem in this manner whenever required. HOWEVER, the modem is located in a rather inconvenient location (In the ceiling, sitting on top of a ceiling tile), and having the ability to remotely manage it like we could before would definitely be something we want to be able to do again...especially since there are plans in motion to install new pharmacy equipment that will require us to do a ton of "trial and error" configuration to the modem.The RV120W has been updated with the latest firmware, yet the problem still persists.
I have a fresh SR520 that I only did two things to it using CCA 3.2(1):
1. Assign the address of FA4 to be 1.23.456.90 with a mask of 255.255.255.252
2. Declared a static nat of 1.23.456.90 port 80 to 192.168.75.12 port 80
I connected laptops to two ports:
1. FA0 (DHCP assigned laptop the address 192.168.75.12)
2. FA4 with the address on the laptop set to 1.23.456.90 and mask of 255.255.255.252
This is an exercise to simulate a cable internet configuration I will install the SR520 into.I can ping and point my browser to 1.23.456.89 and access the web server running there on port 80 via the inside laptop.I CANNOT point my browser to 1.23.456.90 from the outside laptop and make a connection.
What I am doing wrong with NAT? (I believe the problem lies therein as I did even try telling CCA to delete the firewall and I still could not connect to the inside web server).I have a network monitor (Wireshark) on the inside and see nothing coming across. I THINK I see successful NAT translations in the NAT logging (also in the attachment).
I have a Cisco RV042 Wired Router. I've got a static IP and a MS Small Business Server in my Router Network. I have forwarded the essential ports to use the IIS and the Exchange Server of my SBS2011 (HTTPS, HTTP, smtp, rpc). I have also created some access rules for these ports, but I don't have any access on my server services, if the firewall is activated.
Here are my Firewall Access Rules from the RV042 Web Interface:
Does the 3750G divide blocks of memory between adjacent ports? We have 6 high use devices on ports 1 through 6 and I was told that splitting them up allocates memory better. Is this correct?
View 1 Replies View RelatedI would like to know if Catalyst WS-C3750G-48TS-E recognizes and understand Cisco VSS ( Virtual Switching System) . Is there a List available which tells us which Old Catalyst Switches or current switches understand Cisco VSS?
View 3 Replies View RelatedWe recently updated a site2site link to metro ethernet, ISP call it 100mbps LAN Extension, but to me it is just QinQ over fibre connection. Most went well, one thing (annoying to me) is we can not ping our switches on both ends anymore.
We have a 3750 in headend and another 2960 on the other end. I used to be able to ping/telnet to the management IP from one to the other. Now we can not. I think the ISP is applying some configuration on ports of their customer-premises equipments (both are Cisco switches) but agent in ISP told me no. I thought there is some configuration on Cisco switch to block "MAC discovery" but i just can not remmenber what was that and google also failed me this time.
I have the network described below, on which I am running PIM.
(network) ---- Embedded Linux Router --(vlan 5)-- CAT 3560G --(vlan 5)-- Cisco 1811 Router ---- Multicast Listener
The Linux Router and the 1811 have formed a PIM neighbor relationship. The multicast listener sends an IGMP Join and I can see the PIM join leave the 1811 router (via "debug ip pim"). Using tcpdump on my linux router I never see the Join come in, but I can see the PIM Hellos (which is why the neighbor relationship formed).
I have a network with a Catalyst 3750 as the main switch and then some Catalyst 2960 switches that are plugged in to that. I have a server running windows server 2008 with a couple of virtual machines running in Hyper-V. I created 4 VLANS listed below and gave the 3750 the following IP Address.I would like the 3750 to only be configurable from VLAN 40 but currently every VLAN can connect to it, I noticed in the standard web page settings there was a setting for "Management VLAN" but it was set to 1 and would not let me change it, I kinda assumed that was for the management port in the back.-Now the tricky part, I was trying to set up routing between the VLANs and so far I have only been able to get a sort of "all or nothing" routing to work. I can turn IP routing on and add two or more VLANs to the routing and it works fine. But what I was hoping to do is create a couple of "junction vlans" that would only route to one or two other vlans. For instance, I wanted to create a VLAN 100 that routed to VLAN 20 and 30 but nothing else. I also want to route VLAN 1 just to VLAN 30, and so on. I am able to do each one of the cases but only one, it seems like the switch only supports one "routing table" am I missing something or is this just a limitation of the switch?
View 2 Replies View RelatedI have a network with several catalyst 2960 switches and one catalyst 3750. I have created two VLAN and set up the proper routing and everything is working fine there. I have a client/server application that used multicast in the initial start up for the client to determine available servers, the issue is one of my clients is on a different VLAN then the server. I am able to route the multicast using MVR as long as both the server and the client are plugged into the 3750 by creating a static route, making the server a source port and the client a receive port. Unfortunately I need the client and the server plugged in to different 2960s. My question is how do I establish multicast routing between the two and perferably do it dynamically (always route multicast traffic from one VLAN to another).
View 2 Replies View RelatedDoes Catalyst 3550 switch support inter vlan routing ?
View 12 Replies View RelatedI have been looking into this for a while and I can't seem to figure out why my 2nd vlan is not able to connect properly to the net.
My switch has 12 ports where my devices connects directly, they are all on Vlan 1 and they all work perfectly. on Port 12 I have a dlink router that is connected to a cable modem. the dlink router has an Ip address of 192.168.0.20
I created a second vlan (vlan2) and enabled dhcp relay on it. then I assigned port 9 on the switch to (vlan2)my laptop which is connected to port 9 seems to get an ip address fine and able to ping only some devices on my network (vlan1) and is not able to go out to the internet. I think it has to do with the routes. [code]
I am implementing a guest wireless network to work alongside my internal network. The guest network will use the existing switching network and will be separated by VLANs. I have the ASA set so that traffic can get to it and out to the Internet. I can set up a workstation on the same VLAN as my guest network and can route inside my network (strictly doing this for testing purposes). Where I am having problems is with the Catalyst 4506 switches and the ip routing. I had two separate "ip route" statements defined on my switches.
ip route 10.200.2.0 255.255.255.0 10.200.2.254
ip route 0.0.0.0 0.0.0.0 10.100.100.254
I have discovered that the traffic is always following the default route despite the fact that my IP address on my test workstation falls in the 10.200.2.x network. I was looking at documentation and found that it is possible to set up policy-based routing on the core switches. Can you have two "ip route" statements defined like this to segreate traffic or do I have to use PBR for routing (or a combination) in this case? If I define PBR then how does that impact my existing routing? I need to make sure that I can still route the existing traffic while I'm configuring this change.
I have been looking into this for a while and I can't seem to figure out why my 2nd vlan is not able to connect properly to the net. My switch has 12 ports where my devices connects directly, they are all on Vlan 1 and they all work perfectly. on Port 12 I have a dlink router that is connected to a cable modem. the dlink router has an Ip address of 192.168.0.20,I created a second vlan (vlan2) and enabled dhcp relay on it. then I assigned port 9 on the switch to (vlan2),my laptop which is connected to port 9 seems to get an ip address fine and able to ping only some devices on my network (vlan1) and is not able to,go out to the internet.
View 3 Replies View RelatedWe have two catalyst 3560 switches running c3560-ipbasek9-mz.122-58.SE2.bin They are connected using etherchannel using gi 0/21 - 24 interfaces.
on 3560-1 switch, there isn't any ip-default gateway or ip route configured. It only have 1 interface vlan configured.
on 3560-2 switch, there is ip default gateway configured along with 1 interface vlan.
What i dont understand here is that, i can reach out to other subnets from 3560-1 switch in which the routing is not enabled?
I have peculiar challenge ahead of me and would like to get new perspectives.
The objective is to route specific VLAN traffic and the caveat is that I have multiple VLANs with the same network address.
For example:
VLAN100 10.10.10.0/28 VLAN101 10.10.11.0/28 VLAN102 10.10.12.0/28
VLAN103 10.10.12.0/28
VLAN104 10.10.11.0/28
I need traffic going from VLAN100 with a destination of 10.10.11.0 forwarded to VLAN101 and NOT VLAN104.
This task is currently being completed by a multi context firewall and we're trying to decommission the asset.
I have a 2504 WLC connected to a Catalyst 3560 which has multiple vlans and is connected to a 2800 series router. I know the catalyst is L3 but I am needing nat functions to get outside to the internet. From my 2800 series router I am able to ping out to the internet, also I am able to ping the vlan interfaces on the catalyst switch. Problem is from the catalyst switch I can ping the inside and outside address of the 2800 but I cannot get any further then that. I cannot ping the 2800 router gateway. Not sure what I am doing wrong as far as routing.
I've attached my 2800 and 3560 configs.
Got servers in vlan 10 ip range 10.0.0.0 and servers in vlan 20 ip range 20.0.0.0 at the same layer 3 switch. (c6509 sup720)I would like to block TCP traffic initiated from Vlan 20 to Vlan 10. But the servers in Vlan 10 needs to be able to open an TCP connections to Vlan 20 did test with the ACL thats blocking (ack/established/syn) but unable to get it to work.Or it works both directions or is works non directions.
View 4 Replies View RelatedI have 4 vlan and all has conectivity/access with all (VLAN10,VLAN20,VLAN30 and VLAN40, I use a 3560 Switch for this propose, I need to modificate one vlan (VLAN40) that has access to the rest of the VLAN's BUT the rest of the VLAN's dont have access to VLAN40. I know that it is a problem of access-list BUT I can't undertand how to obtain the result that I like
View 1 Replies View RelatedI have a 2800 router and tried so many ways to block the unwanted sites on my office network.Like access list ip based, null0 routing and policy map. Faced issues with below config
1. Creating Access-list. very difficulty to block the sites with https those sites will be opend, and we cant block all the IPs
2. Creating null0 routing. it also a bit deficult the block maximum sites because we can't fiend all IPs for those sites
3. Policy map.. with policy map we can only 1site we can block, but not more than one..
I heard that port based routing or port based access-list are the best ways to stop the websites in my local network..for this one i need to map the site to unsued ports then i need to null rouging or need to create the access-list.
I have a cisco 2800 router.. (flash:/c2800nm-advsecurityk9-mz.151-4.M4.bin, Version 12.4(13r)T11) configured DHCP, DNS, NATING and Bandwidth restriction...And to stop some social network [URL] i configured ip route 66.220.144.0 255.255.240.0 Null0 (rang of facebook address) But still i am able to open facebook.com in my network...
ADMIN-II_2811#sh run
Building configuration...
Current configuration : 1812 bytes
!
! Last configuration change at 17:26:33 UTC Sat Nov 24 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
[code]....
Is there a way to block lan to lan traffic (except lan to gateway/gateway to lan traffic of course) on a Cisco 2960?
View 9 Replies View RelatedIn cisco documentation for the 3560 it is mentioned that blocking appletalk will not work .It shows up in command line but it is not working due to hardware limitation.Is there any other way to block appletalk on 3560 swiitches.
View 3 Replies View RelatedI have arequirement where in I need to allow only specific vendor made desktops/laptops to be connected to the switch and block the rest. Say I want only the HP made Laptops to be connected on the Network. and block all other vendors. such as dell, ibm etc.
I am having Catalyst 4500 switches in My network. i tried using the mac access list using the permit and deny statement and then mapping the access list to the vlan access map and then filter using the vlan id. But this doesnt work on cat 4500....the same I tested for 2950 switch and it works perfectly. are there any restrictions on 4500 or any extra configuration has to be done.
I wish to block some url that users have access through my LAN .That's i wish to block icmp,access towards such sites, i wish to block icmp because dns will resolve the domain and they can access through ip address.what i have in place is a cisco 2800 series routers,
View 7 Replies View RelatedI use Nexus 7010 as our layer 3 router.I have ssh feature turned on so I can manage it from the management interface. I just found out that users can use putty to ssh to the local SVI interface of the NEXUS. Although they still need username and password to login but we dont want them even able to bring up the welcome screen.Example, user's IP is : 172.16.25.100 , they can ssh to 172.16.25.1 which is the NX SVI interface.
View 1 Replies View Related