Cisco Switching/Routing :: Object Group In C3560 & C3750 Switches?
Feb 16, 2011
I have two layer 3 switches C3560 and C3750 Cisco switches with ios version "ipservices-mz.122-35.SE5".Now with the current ios version, these layer 3 switches are not supporting object group.so my question is , do i need to upgrade the ios, for this feature, if yes, which version ?
In cisco router 2911 how to creat a network object with port permission on ACL. herz what i have done but couldnt succeed in port 22 and 24 should be denied and rest all port services are allowed to outside interface. [code]
Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
object-group network test network-object 192.168.0.0 192.168.63.255 ? network-object-group mode commands/options: A.B.C.D Enter an IPv4 network mask sh run ob id test object-group network test network-object 192.168.0.0 192.168.63.255
I found that in the documentation it requires a netmask as oppose to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly.
We have a Cisco switch in each office and every now and then the port that has the D-Link Wireless AP (DAP-1522) connected to it goes to err-disable state. Actually sometimes even a regular port that has a cisco phone connected may also go to err-disable state (less often). So I have to telnet into the switch and issue shut and no shut command on that interface to get it back to life, then it works for a few days or weeks until it happens again. Any suitable configuraiton for that interface, that would prevent that from happening or a workaround ?
Here's the info:
Model: cisco WS-C3560-24PS and cisco WS-C3560-48PS Image:c3560-ipbase-mz.122-35.SE5.bin
This is the log from one switch:
31w5d: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state 31w5d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 74e2.f592.f7f2 on port FastEthernet0/2. 31w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
And from another, which is almost the same:
5d10h: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state 5d10h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address d8a2.5e31.2cf6 on port FastEthernet0/3. 5d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down 5d10h: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
Here's the configuration of fe interfaces (they are all alike):
interface FastEthernet0/2 description Voice & Data Combo Port switchport access vlan 11 switchport mode access switchport voice vlan 15
We are deploying the ISE MAC address authentication by-pass (mab) feature in our network as an alternative to port security on the switch port. Works well except for certain devices e.g. printers, snmp modules, and Unix/Linux Operating systems which can range from 5-10 minutes to never in authentication/opening the port.
Prime 1.3 (POC testing), for testing purposes I discovered a class C range (255.255.255.0) containing a bit of everything (AP 1240, C3560 & C3750).When looking in the config archive only the AP's have configs stored, the others failed, snmp & telnet credentials are the same for the whole range, what could I do wrong ?
I have 3 ASA 5510s; two of which are in production and the 3rd one is new. I inherited the two in production and was trying to configure that 3rd one using some of the existing object-group network statements. The problem is that when I try to create a range of IPs in one of the object-groups; the range command is not available. Here is one of the statements extracted from one of the production ASAs: object network REMOTE range 18.104.22.168 22.214.171.124.Both ASAs have the same image ver (asa842-k8). Is there something that I am missing to be able to enable the range option on the new ASA?
We have Cisco ASA 5510, I am about to add another 2 Objectgroup network groups on the firewall to our already growing list. Under this Object-group Network xxxx , we are planning to add about about 500 network-object host xxx.xxx.xxx.xxx . This objectgroup will then be applied to an ACL. Just wanted to know if thats possible - meaning addnig 500 hosts? If it is whats the limit?
Also are there any other things to keep in mind before i go-ahead with this huge object group?
I have a 5540, and i am trying to allow access to internet for an specific network object group, who has inside a bunch of users, who needs direct internet access without any restrictions, i have tried with dynamic NAT, but that configuration ask for a specific IP o a Network range, and is not permitted to configure an object group as a source
The group is located in LAN zone, so a permission from one zone to another zone is needed i think, but i can allow the internet acess to that group Is there another way to get that , different from NAT ?
I have a test setup of a C3750 stack as a core and some 2960's as access switches.[URL] - The switches at the bottom is the new network (VLANNED). The switches on the left is the current production network (10.1.1.0/24) From the C3750 to the router is a /30 network.
There will be 6 VLANs but at the moment I have one configured. VLAN50 - 10.5.1.0/24 From the C3750 I can ping my current production network, internet, other VLANs in the testsetup, ... Everything.From the C2960 I can ping other VLAN's, reach the gateway, reach the router, reacht the currenct production network. But I can't reach internet. I've configured "ip default-gateway 10.5.1.254" on the C2960. C3750 relevant config is down below.How is it that I can reach other networks connected to the router and not internet from the access switches? I'm just trying to ping 126.96.36.199.
! ip routing ! ! interface GigabitEthernet1/0/1 no switchport ip address 172.16.1.2 255.255.255.252
I have a 3560-8PC in which the mgt vlan randomly (twice in one day or 2 weeks later) goes into the down state and will return w/o any interventaion 15-20 minutes later. Int G0/1 is the uplink to a 3750. I dont think its a layer1 issue at this time since i have seen it work just fine for over 2 weeks and drop again. I don't see any errors on the 3750 either.
WS-C3560-8PC 15.0(2)SE C3560-IPBASEK9-M LOG: ---------------------------------------- .Oct 20 19:34:37.533 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changeds tate to up
I have C3560 switches in my work environment. I want configure ssh on that switch but the IOS what they have 'c3560e-universal-mz.122-58.SE2' not support. As per advised I was triying to upgrade 'c3560e-universalk9-mz.122-58.SE2" for all my access switches.
I successfully upgraded for two switches.
I have two problems now
01. I upgraded the IOS successfully one Switch but the Poe is not working. What is the reason ?
02. After upgrade the IOS, the out put is as follows
When I create a service object or group and add the object to a new rule it never works.I mean the traffic match not the rule. I see not hits.I placed the rule on top of my access list to check if I do somethink wrong but it is not working. When I place only a service for example tcp/23 it is working.
#sh run | inc user ! username USER0 secret 5 $1$passwordusername USER1 privilege 15 secret 5 $1$passwordusername USER2 privilege 15 secret 5 $1$password ! #sh run | inc aaa ! aaa new-modelaaa authentication login local_authen localaaa authentication login radius_authen group radius localaaa authorization consoleaaa authorization exec local_author localaaa authorization exec radius_author group radius localaaa session-id common ! #sh run | begin line vty ! line vty 0 4access-class 3 inexec-timeout 15 0authorization exec radius_authorlogging synchronouslogin authentication radius_authentransport input sshline vty 5 15!sh verCisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE6, RELEASE SOFTWARE (fc1)
the intent of the above is that management connections will only be accepted via SSH, and all of those will be authenticated via RADIUS, unless it's down, then it will use the local username/pw combinations, most of which are given Privledge level 15. Telnet should never work.SSH works as expected (authenticates via RADIUS), but the problem is that Telnet also works, will ONLY use the local database (never RADIUS), and, for some reason, leaves the users at Privledge level 1, instead of the configured 15.Essentially, it seems that at every point I have told it to do something that isn't the default with regards to telnet, it ignores me.Prior to a recent IOS upgrade, the switch didn't support SSH, so the previous config was Telnet with RADIUS, and that worked fine.
Had a switch die over the weekend, a c3560, per our normal procedure I pulled the hardware put a very basic config on it(vlans, portchannel, uplink ports, ip of management vlan, con and vty security, snmp, enable secret, and hostname). Then I use solarwinds orion to upload a copy of the old config to bring the switch back to the same state as the one that failed. Its a system that has worked for us 3 or 4 times in the past. But this time when the base config was on the box it couldnt ping across the network.I have tried clearing the arp cache and the dynamic mac tables, i verified the routing tables and even removed the 10.1.185.128/27 route and re-added it, saw the routing update go across to the other 65k, tried bouncing the edge switch(i cant bounce the 65k's), took down the po between the edge and 65k.
I have a c3560 switch that has two gig fiber modules in it. I need to uplink fiber to one of these at 100mb. This is because this port will be rate limited to 20mb and 10 percent is the lowest you can go with the rate limiting command. Is there a 100mb fiber module i can insert in the 3560
We are seeing output drops on a C3560 switchport, this port does not have QoS enabled -- application does not need special qos treatment, as long as packets are not droppd, so I suppose all traffic will share the same queue? then how should I read the output of "show platform port-asic stats drop" which indicates that it is queue 3 weight 2 drop? I am wondering what is the best way to fix this? enable mls QoS and increase queue 3 bandwidth share on this interface or just increase the output queue depth?
switch#sh mls qos interface gi0/1 GigabitEthernet0/1 QoS is disabled. When QoS is enabled, following settings will be applied trust state: not trusted
I am having an issue with VoiP phones giving me an insufficient bandwidth message. I have three remote locations connected to our main building using 2 Mb point to point ethernet solutions through TWC. Each remote location has a Cisco WS-C3560-24PS running IOS C3560-IPBASE-M, version 12.2(25) and have the cable modems plugged into port 1 on them. The remote buildings are labeled 192.168.101.xxx, 192.168.102.xxx, and 192.168.103.xxx. There are 14-16 VoiP phones in each remote building. The main building being in the subnet of 192.168.100.xxx. I have the 3560s connecting to a single port on a 2801 in the main building, all using the subnet of 192.168.253.xxx The phone server sits in our network at 192.168.100.203. I have created the ACLs, class maps, and policy maps on all of the equipment.
For the remote buildings I have the following:
ACL =========== Extended IP access list VOIP permit tcp any host 192.168.100.203 dscp ef permit tcp any host 192.168.100.203 eq 5566
I have put a hub in to capture traffic via Wireshark to see if DSCP flags are being appropriately marked and I do see that all VoiP packets are getting marked with as EF. However, I have been receiving phone calls from people in the remote buildings stating that their phones will cut out, flash Insufficient Bandwidth on the LCD displays and then the call will cut back in. I am wondering if the 2801 is not applying QoS with the rate-limits in mind since it is set to 100 Mb, or is it an issue with trying to take 3 remote locations and bring them down into 1 port on the 2801?
I have a problem to solve in our data center, see attached drawing. HW: Our core switches consists of two stacked C3750 with ip routing. What I want to do is probably simple but I haven't been able to figure out the best method.
VLAN10 and VLAN20 should not be able to communicate with each other. (ACLs?)VLAN10 will have it's own default route/firewall. Both VLAN10 and VLAN20 should be able to send server backups to server in VLAN30. All 3 V LANs come in on a trunk from a pair of stacked C2960-S. I need it to be able to scale if we have 50 VLANs for instance, hopefully without long complicated ACLs. I've been considering VRF's, PBR but can't decide what's the simplest solution to this problem. I have never done this before so I would prefer to start off on the right foot.
I have started to use ip extended access-lists on several 3750X-switches to filter inbound and outbond traffic on the VLANs. But it seems that the use of object-groups is not supported, is this correct? Is it really no way to group different ip-addresses into groups and then use these groups in the access-lists?
I have a C3560-24P PoE switch, running on a very small network with nothing special about the endpoints or the configuration (5 laptops connecting via 1 wireless AP, 1 firewall uplink, a networked printer and one conference room phone using PoE. That's it.) I actually have inline power turned off on all the non-PoE device ports.
We are encountering a very strangle anomaly where if a client attempts to send a print job through the switch, to the network printer, the printer makes a noise as it if's begun to initialize and then the switch immediately goes into a reboot. Also the reboot appears to immediately drain all he batter power from the UPS unit that it's connected to. The unit is an APC SmartUPS 750 (500W, 750VA) and when the switch reboots the load on the UPS jumps to well above 100% until the switch appears to 'level out'. Is that kind of power draw normal when rebooting a C3560?
I am having troubles to get 2 C3750-X switches WS-C3750-X-48P-L) to stack. They are both running iOS 15.0(2)-UNIVERSALK9, and are licensed for IP Base.
If I connect stack port 1 of switch 1 to stack port 2 of switch 1, and stack port 1 of switch 2to stack port 2 of switch 2 I get the following:
WS-C3750-X_STACK1_SW1>show switch stack-ports summary Switch#/ Stack Neighbor Cable Link Link Sync # InPort# Port Length OK Active OK Changes Loopback Status
I have tried restarting (powering off for about 1 min and turning back on) simultaneously, and powering off switch 1 for 1 min and switch 2 for 2 min. I have also tried both enabling the stack ports, and disabling followed by enabling.
I have a cable from an SFP module in a WS-C3750-48P with 12.2(55)SE1 running to a Gigabit port on a Cisco WLC. After the switch recovers from a power failure, the gigabit autonegotiation fails. The cure is a long drive to unplug and reseat the SFP. Note this happens at too many similar sites for this to be a loose connection. Interface shutdown then 'no shutdown' is not sufficient. The state is 'line protocol is down (not connected)'. Interface is configured for switchport mode trunk (auto speed, auto duplex). Command 'switchport nonegotiate' makes no difference. Is there a more powerful command than 'shutdown' which might toggle the interface signals? Is there some way of resetting the SFP? sh int gi 1/0/1 displays 'media type is 10/100/1000BaseTX SFP' and zero packets received.