It is understood that sub-50 ms ERPS convergence can be achieved with certain HW/SW combinations.
1) What are the platforms supported (and with what FW/SW) has this been tested ?any results that can be shared?
2) Link failure detection in GigE on Copper is slower compared to GigE over "pure" Fibre; so no sub-50ms would be possible with Copper ring ports.is sub-50ms convergence achievable with "combo SFP ports" ?
we recently had on our network a simple layer 2 loop problem, with big effects.Here is the situation: we have a C3750 switch, with STP activate on all ports.We don't have total control on this switchs, and for some reasons, it is possible that people connect a 2d switch on it (Cisco or non-Cisco).What happened several times is a classic case: a person interconnect 2 ports of this 2d switch, creating a loop. As the loop is created on the 2d switch only, the 1st switch detect no loop, the the uplink port keeps up.Afer this loop created, a broadcast storm occurs through the link between 1st & 2d switch .. and the storm propgates all over the LAN.I try to find some solutions to avoid that. One thing I would like to do is to find a mecanism on the first switch, which can permit to block the uplink port on the 1st switch if it sees the same MAC address as source in the 2 directions.Note that storm control, even configured to a quite low value (ie: 2Mbps) is not efficient enough to protect equipment (we have had big CPU impact on LAN equipments).
I have a network where if an end user attaches an hub to the network, or rather one of those cheap unmanaged 8-port mini-switches and then plugs the two ends of the same cable into two ports of that mini-switch, all the network goes down. Loops are generated and many uplinks are shut down in err-disable state due to the loopback reason.
I know I could discourage the use of those mini-switches using port security. I even have NAC (cisco) deployed on the network, but there are cases where that mini-switches are allowed by the managment.In those cases, is not possible to exactly know wich hosts (mac addresses), and even how many of them will attach the network concurrently.As I know, they could even chain many mini-switch one to another. Of course, when even a single mini-switch is allowed on the network, it raises as a security hole.
Is there a way to allow the use of those devices without the risk of network outages? Some STP protection method? The best would be to have the Cisco access switch to get aware of the loop on its affected switchport (where the mini-switch is attached), immediately shutting down that port (to avoid loops on the network) and maybe sending an SNMP trap or a syslog message.
We are using Cisco Catalyst 2950 and 2960 for our access layer.
Do Cisco Catalyst (IOS) and specially Cisco SG300/500 support a similar feature to HP's Loop Protection or DLINK's Loopback Detection? This is an interesting feature to avoid loops caused by unmanaged switches.
My management has tasked me to give them a high level overview of the different switching we can choose for our new building.
This is what I know so far.4 Closets, each closet has 450 ports,One MDF room that is will contain one UCS Chassis and a Nimble iSCSI SAN.
I am working on the spreadsheet and it looks like this (Not totally filled):
2960s3560x3750x45064510Approx cost (Each, 48PORT, POE+, 10G uplink, Dual PS, IP BASE) 6K7K8K45K75KMax Capacity192432432192384Backplane speed206464520520ProLeast ExpensiveStackable to 9Stackable to 9ProDual PSDual PSDual PSDual PSDual PSProLayer 3 opt Layer 3 optDual SupsDual SupsConExpensiveExpensiveConNo Dual PSConLayer 2 OnlyCannot stack more than 4 For the MDF I would like to use 2 Nexus 5548's with FEX's, and the layer 3 daughter board. For the IDF's I was thinking of two 4010's.
We are setting up a test lab in our DMZ. The path to the internet is basically like this. Anything past the firewall is irrelevant. For this lab lets assume it is vlan 300.
LAB SW ---> DMZ-SW ---> ASA FW ---> INTERNET LAB IP Range = 172.16.300.0 /24 GW = 172.16.300.1 (On FW int) Trunked all the way through.
I have an int vlan set up on the LAB SW. It is being trunked to DMZ SW. DMZ trunks it to ASA FW where there is a failover with a redundant switch.On the ASA the interface 0/2 is a subinterface 0/2.300 being used as the default gateway.
I have DHCP running in a specific range on the LAB SW and do get an ip address when plugged in. I cannot ping the default gateway on the ASA FW.The GW is defined using default-router command for 172.16.300.1 i.e. default-router 172.16.300.1?
We are running ospf on the firewall. There appears to be a pattern with ospf and a similar subnet setup elsewhere. I was wondering based off of this info would configuring ospf for 172.16.300.0/24 allow me to ping the GW from a client on the LAB SW.Secondly. I trunked 300 on the DMZ SW but I didnt add the vlan to the configuration. i.e. conf t <enter> vlan 300 <enter> Does this really matter? Or is having the vlan in the configuration only pertain to access mode on interfaces?
I found that when I enabled layer 2 auto QoS in 3560 switch, I need to wait so much time to open a file in network drive. Howerver, when I disable the Qos. It can improve a lot. I have used a sniffer to capture the packet to see. Those default packet is in DSCP 0. Therefore, I think majority packet will drop to queue 4. How can I increase the buffer and threshold in order to improve queue 4 performance.
I got one SF 300-48 layer 3 switch I tried to configure to use it in the office network.Unfortunately I'm unable to configure the VLAN settings.I need port one for input(VLAN2),port 7-15 for another vlan(vlan3) also need to connect with the vlan 4.port 15 is another vlan(vlan4) this is for wireless.Other ports are static.It doesn't get any connections with other vlans.I wish to know how to configure vlans in GUI mode.I tried , But I can't get the Vlan setting correctly.Also,I need to know how to communicate both vlans in GUI mode.
I created a lab and I have a few issues. One with a layer 3 switch and another with a ASA 5550.
1. Layer 3 switch: I have created multiple Vlans and I am able to route between them. I can ping the switch IP but not the default gateway to the ASA. I did a tracert of the default gateway of the ASA and once I am past the Vlan gateway it fails.
2. On the ASA 5550 I created the Vlans on sub-interfaces but still cannot get to the internet. ASA config is below the switch config.
I have an environment where i have two nexus 7010 switches, along with 2 nexus 5510's. I need to run OSPF as a layer 3 routing protocol between the vpc peer links. I have 1 link being used as a keep alive link, and 3 other links being used as a VpC link.
1) Is it best to configure a separate Vpc VLAN i.e 1010
2) Is it best to configure a vrf context keep-alive
3) just have the management address as the peer ip's.
Is it possible to to build a Layer 3 ether channel from two separate physical switches (layer3) that are trunked together?I know you can easily do this on a single switch and on stacked switches which I've done but in this case the customer have purchased two 3560X's which are not stackable yet want redundancy. The purpose of the etherchannel is to connect both switches to a private circuit provided by the hosted partner then route to the same setup in the DR location to different subnets.
i want to to ask about redirecting in MLS 7600 .assume the user a has an ip x.x.x.xand that user requested url...i want to to redirect his request to url...the users that have to pay the monthly bills , i want to give thim an ips and redirect all the http requests from this to a special local webpage .is is applicable to to it on router cisco 7600 ??or is it applicable on router 7206 npeg2 ? also i have siwtch 2960g.i dont want to do it by proxy server.
I got a different scenario from one of my client.My client have two different branch offices and have 50Mbps point to point connectivity between them. All users in both braches using same series of IP pool ( 192.168.224.0/24) in both branches.Both branches he had only Cisco 2960S series switches only. And in both branches he is using IP cameras. He will monitor the assets by accessing IP cameras through the browser.His requirement is, he wants to prioritize the Video traffic( monitoring through the browser) over the normal data traffic.Note: He had a single VLAN only.
I can understand it 's one of those very basic questions , but how do I identify a Switch is Layer 2 or Layer 3 ?Looking through # show version command and checking the IOS version to be IP BASE or LAN BASE . Is it the right way ?Cisco 2960 is a Layer 2 or a Layer 3 Switch ? I noticed that access-lists could be configured which means that it 's a Layer 3 Switch , right?
I been practicing with the configuration of layer 3 etherchannel configuration and i am facing a problem here. I have two 3560 switches and i want a layr 3 ether channel configuration setup between the first 2 ports of bothe the switches. I assign IPs to the Port-channel 1 of both the switches "10.1.1.1 /24 and 10.1.1.2 /24" but i am unable to get a successful ping. what am i doing wrong. below are the configs for bothe of my switches.
3560_1 Building configuration... Current configuration : 1274 bytes ! version 12.2 no service timestamps log datetime msec no service timestamps debug datetime msec
Lately I have been noticing mac flap messages on some of our access layer 3750G switches. Just a little background on how this is setup.
These 3750G switches are stacked and uplinked to a distribution layer 3750E stack (2 switches) via cross stacked etherchannel. (Usually 4 links) The access layer switches are stricly layer 2 where the distribution layer 3750E is routing the VLANs at the access layer to to the core 6500 switches.
I have just about ruled out physical loops on these stacks for the reason that the Macs are flapping. I am seeing this on two different stacks now each having 3 switches in the stack at the access layer. The cross stack etherchannel is spanned across the first two switches at the access layer and connected to both switches at the distribution layer. I have checked the etherchannel status and all ports appear to be part of the etherchannel and they appear fine.
The mac addressses that are flapping are just plain old desktop machines that plug directly into the access layer. I usually see this when the mac is learned on a port such as when a machine is plugged into the network or reboots.
I've created a scenario using a 3750 cisco as core switch ad other 6 switch model 2900 in access level.my problem is this, the router is not a cisco router, and this router is not able to make NAT on more than one subnet.Into the core switch I've created 4 VLAN and I must to give internet access to 3 of them, 192.168.0.0/24 (vlan1), 172.16.0.0/24 (vlan2), 172.17.0.0/24 (vlan3).I've connected the switch to router via gigabit ethernet 0/1 and I've assigned to this interface ip address 192.168.10.2, the router ip address is 192.168.10.1, Switch ip default-gateway is router ip address 192.168.10.1, ip default route is 0.0.0.0 0.0.0.0 192.168.10.1 I've enabled ip routing feature and I've set no switchport feature to interface gigabit ethernet 0/1.From core switch I can ping router ip address but I can't make it from all other user, and the users not able to have internet access.
Below the switch configuration (only necessary strings)
version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption
My understanding is that even layer 2 switches like the Cisco 3500XL can have 1 IP address for management. However, I cannot seem to figure out how to configure it to get it working in a router on a stick setup. I can manage the router through SSH, but I cannot SSH to the switch.
I have made a topology by using one 3560 switch and 2 2950 switches. I have also made 2 vlans name Clients and other Servers and vlan 1 is for anagement purposes. The left 2950 switch is for clients and the right is for servers. Clients is vlan 2 and servers is vlan3 . Now what i want is that my dhcp is should assign ips to clients in vlans 2 provided that servers are in vlan 3. I am also using a border router and i have introduced a default route on the 3560 to the border router.
Now when i assign static ips to my clients pc and server dhcp then i can ping between vlans but when i try to assign ip through dhcp then it wont work. Also the default route on the switch to the border router doesnt seem to work. I can ping only the border router when i put a default route on the border router instead of the 3560 switch.
is it possible to run a Catalyst 4500 as pure Layer 2 Switch, i.e. disabling "ip routing", but still managing the switch via Fa1, i.e. the defautl mgmtVrf vrf ?I tried the following:
! no ip routing ! interface FastEthernet1 ip vrf forwarding mgmtVrf ip address 192.168.1.1 255.255.255.0 ! ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 192.168.1.254 ip default-gateway 192.168.1.254
I was not able to reach the Switch even from the same subnet. Only after enabling ip routing I could manage the Switch. I haven't found any command to set ip default-gateway for a vrf. Any workaround to keep routing disabled, but still manageable via VRF?
There is very little and quite diverse Information regarding the if, where and how of a Nexus 5000 or 5500 series Switch and support for IEEE 802.1AE Link Layer Encryption (also called MACsec).
For example: the official FAQ denies that the Nexus 5500-series supports 802.1AE at all, while the data sheet says that only "downlink ports" are supported (host access).
On the Nexus 7000 platform the 802.1AE link layer encryption is part of TrustSec (feature cts) and much better documented.
The Question is: If and under which circumstances (configuration, L3 modules, license, NX/OS version) does a Nexus 5k or 5500 series Switch support 802.1AE on 1G or 10G interfaces that are directly connected to a Nexus 7000 (with the necessary cts feature licensed/configured)?
I curently have 2 Data centers connected with a Metro Ethernet Connection. Each Data Center has 6500 with Sup720s. The Metro Ethernet connection is currently conected by a L3 routed interface. I now need to enable VRFs between the locations and want to determine the best way to adjust the Mero. I was considering adjusting the routed interface to use Ethernet sub-interfaces. Each VRF would be given a different subinterface over the Metro Ethernet connection. I have done this on internal LAN connections but am concerned about exteding across data centers over Metro E.
Configuring OSPF on a catalyst 3560G Switch to connect to our building next door by way of fiber. The other two switches in the other building are running OSPF, I am trying to connect to the other building and access a server which is on a switch running OSPF. I am trying to configure the switch here to run OSPF and be able to see the neighbor, but currently can't although I've identified the networks. Maybe I'm missing something, I've followed the instructions but something is not right.
RACK 1 is the old rack and NEW RACK is the rack which is going to be procurred for some new Servers. All the Servers in the RACK 1 has a default gateway as PIX Inside IP. As of now the 3560 Switches acts as Layer 2 and does not have L3 IP routing enabled. How can I enable conenctivity between 192.168.36.0 range and 192.168.57.0 range wihtout making any change to current PIX inside IP address 192.168.57.1?Is it possible that I can enable IP routing on the 3560 Switches , create interface VLAN 36 and since already Switch 2 has it 's default gateway as 192.168.57.1 , Would the traffic from 192.168.36.0 be routed to 192.168.57.1 ? Or do I need to create static route for that ?Since L3 Routing is not enabled and since the 3560 Switches are just acting as L2 , the VLAN 2 - 192.168.57.0 range does not have any interface VLAN configured. When it is changed I would need to create interface VLAN 2 on 3560 Switches?
I just received a Catalyst 2960-C (WS-C2960C-8TC-L R) switch and I am unable to sign into its web GUI in order to configure it. I've tried both the Cisco Network Assistant and Internet Explorer and I am unable to log in either way. The documentation provided by Cisco states that the default password is simply cisco and that a username is unnecessary. Needless to say, it doesn't work. I've also Googled for other default passwords (such as cisco-cisco as the username-password), none of which worked either. I've also tried resetting the switch back to its factory default a few times.
just a simple question. Is it possible to use a nexus 5548 UP switch as a layer 3 router between different vlans on the switch without the layer 3 card ? Or is there no 5548 as a router with the layer 3 card ?
I Like To Intentionally Create A Layer 2 Loop in My LabI have 2960 and 3750 switches and servers with multiple NIC's and also Some PC's and Hubs. Connections and Commands And Features Which Sould Be Disabled or Enabled)