Cisco Switching/Routing :: Switch 3750 / Policy Inbound Traffic Per IP?

Mar 2, 2012

We are using Cisco 3750 switches in our environment as distribution switches. We currently use to police inbound traffic, but we need to find a solution to limit inbound traffic per IP. Something like this: “Inbound traffic for each IP can be maximum 1 Mbps”. This can be done having one ACL and one class-map for each IP, but in my situation it is not a practical solution, because we have more than 500 IPs on that site.
 
Is there any way to accomplish this without writing 500 ACLs and 500 class-maps?


Cisco Switching/Routing :: Switch 6500 Policy Map Inbound

Jun 9, 2013

On a 6500 switch I have configured an interface vlan x and applied policies in the inbound and outbound directions as per below: [code] But the problem I am facing is that the outbound policy works OK, but the inbound policy doesn't work at all. Specifically, it doesn't match anything. [code]


Cisco Switching/Routing :: Traffic Policy Is Not Working On Catalyst 3750?

Jan 28, 2013

Unable to limit traffic on Catalyst 3750 gigabit ports; it has fiber modules.
 
I want to limit traffic 2mb per port
 
I have tried srr-queue and policer but it is not working and there is no ratelimit command under any interface. Applying policy to output is not supported on the interface.
 
policy-map rate-limit
class class-default
police 2000000 8000 exceed-action drop
int gi1/0/3
service-policy input rate-limit 
 
still when I start download it goes to 10 mbps


Linksys Wired Router :: BEFSX41 Creating Inbound Traffic Policy?

Feb 12, 2010

BEFSX41 V2.1
Firmware: 1.52.16
 
The manual states how to create an inbound traffic policy but if you follow the directions there is no place to select inbound traffic. From the manual:

To Create an Inbound Traffic Policy
1. Enter a Policy Name in the field provided. Select Inbound Traffic as the Policy Type.
2. Enter the IP Address from which you want to block. Select the Protocol: TCP, UDP, or Both. Enter the port number or select Any. Enter the IP Address to which you want to block.
3. Select Deny or Allow as appropriate.
4. By selecting the appropriate setting next to Days and Time, choose when the Inbound Traffic will be filtered.
5. Lastly, click the Save Settings button to activate the policy.

When finished making your changes on this tab, click the Save Settings button to save these changes, or click the Cancel Changes button to undo your changes.

I want to filter out a range of ip addresses from trying to connect to my network.


Cisco Switching/Routing :: 3750 Switch - Routed Interface / Traffic Composition

Feb 21, 2012

On a router I can use IP Accounting or Netflow to see what kind of traffic is moving over an interface.  Are there any tools on a 3750 switch with a routed interface which would tell you who is hogging the bandwidth on that interface?


Cisco Switching/Routing :: Inbound Traffic On 7606?

Jan 17, 2013

I have two Cisco 7606 routers using BGP to connect our customers to the internet.  Recently we added a new 1G circuit in addition to an existing 1G circuit and all traffic inbound is now on this new 1G circuit.  We would like to shift some of the inbound traffic over to the other 7606.  Our Tier provider has the same AS number for both paths.  One path goes directly to New York and the other goes to Boston then New York. 


Cisco Switching/Routing :: 3750 Port Forwarding Inbound

Dec 15, 2011

I have a non-Cisco router with a public WAN address. This is connected to a 3750 switch internally. The switch is the default gateway for all VLANs, and the gateway router has static routes back to the 3750. The router provides NAT; no NAT is done on the switch. My requirement is to port forward port 29000 so that I can access a server on VLAN4 via this port.

So, I have: Router: Port 29000 map to 192.168.4.1 (Switch VLAN4 address)
 
The question is, how do I route port 29000 from the 3750 to the server on 192.168.4.42? What exactly should I add in order to port forward port 29000, incoming from my router, to my server on 192.168.4.42?


Cisco Switching/Routing :: ASA 5510 Securing Inbound Traffic On VPN Using ACL

Nov 1, 2012

I have a VPN on my ASA 5510 between (A) 192.168.255.0/24 and (B) 172.20.2.0/24. The purpose of the tunnel is to send Kerberos tickets from our domain controller on the A side, across to a server at B, and receive a response. I want to lock down inbound traffic to the A network, but I am not sure of the best method.
 
I initially tried using an ACL filtering on ports, but soon realised the incoming traffic uses a wide range of ports so this is not really possible. Seeing as the A side will always be initiating the conversation, I was wondering if I could use the 'established' option on the inbound ACL for the ASA at the A side, so that it would block any flows that are not initiated by the A side.


Cisco Switching/Routing :: Ip Policy Route-map On 3750

Jun 10, 2010

I try to enter the command "ip policy route-map" on a 3750's interface, but the command doesn't appear. Why? I have seen several times that this command is possible on this switch. What do I have to do to enter this command?


Cisco Switching/Routing :: Policy Based Routing With 3750 Switches

Oct 17, 2011

I have a simple design with a 3750. I configured a route-map which defines a next hop. I defined this route-map on a policy on a vlan interface. When I test some pings with debug ip policy, it seems that my policy never matches. Is there any mechanism that prevents the switch from using PBR? I think of CEF.


Cisco Switching/Routing :: How To Configure Policy Based Routing On 3750

Jan 28, 2013

In our datacenter we have a 3750 stack with IP base image.  I have enabled PBR and reloaded the switch.  Show sdm prefer says I am using the default template.  The reason I want to use PBR is that we have 2 firewalls on the same work and want to be able to have granular control over which gateway out of the network they use but still be able to access all internal resources across wan and locally.

Created access list to identify traffic:
 
access-list 10 permit 10.2.3.59 (test workstation on vlan 3)
 
Created policy:
 
route-map TestASA permit 10
match ip address 10
set ip next-hop 10.2.0.3
 
Assigned policy to the user vlan3:
 
ip policy route-map TestASA
 
Results: It changed the default gateway to the above gateway but I could not access any resources on any other vlan, and could not access resources across wan.


Cisco Switching/Routing :: Policy Based Routing And 3750 Switches?

Sep 5, 2012

I have a simple design with a 3750. I configured a route-map which defines a next hop. I defined this route-map on a policy on a vlan interface. When I test some pings with debug ip policy, it seems that my policy never matches. Is there any mechanism that prevents the switch from using PBR?


Cisco Switching/Routing :: Policy Based Routing 3750

Dec 2, 2012

I have 2 ISPs connected to Router A and Router B. Both the routers are connected to the core 3750 switch. I want to send the traffic from the switch that goes to router A to router B. [code]


Cisco Switching/Routing :: 6509 Use Policy Based Routing To Redirect Http Traffic

May 29, 2012

We have a Catalyst 6509 switch, and we hope to use policy based routing to redirect http traffic to my proxy server. Where can I find a configuration example?


Cisco Switching/Routing :: WS-4507R / Policy For Traffic Shaping?

Feb 18, 2012

I am trying to do policy on the interfaces of my switch WS-4507R. Below is the configuration I used to shape the traffic to 1 Mbps. However, when I tested it the traffic exceeded 1 Mbps.
 
class-map match-all 1MB
  match access-group name 1MB
!
policy-map 1MB
  class 1MB

[code]...

How can I restrict my bandwidth on the interface to 1 Mbps?


Cisco Switching/Routing :: Policy Route-map Not Sticking To 3750 Interfaces?

Apr 23, 2013

I have a client with a 3750x stack.  We've upgraded it to IP Services.  We have a simple PBR setup.  One access-list to forward traffic from a specific LAN ip to another gateway on the network. 
 
I go to vlan1 (default vlan) to apply the PBR and the command takes with no errors, but do a "show run" and it doesn't show up under the interface.
 
I go to vlan1 and apply a PBR that doesn't exist and the command takes with no errors, and is listed under the interface in the config
 
I can apply the PBR globally and it appears to work, but we can't have it there based on other issues it creates.
 
config:  (all tracks are up)
C3750_stack#show sdm prefer
The current template is "desktop routing" template.

[Code]....


Cisco Switching/Routing :: PBR - 3750 VLan Does Not Accept IP Policy Route-map

Nov 1, 2012

I am trying to configure policy based routing; however, when I try to apply it to an interface vlan, the configuration does not show in the interface.
  
route-map OTHER_ROUTE permit 10
match ip address OTHER_ROUTE
set ip next-hop x.x.x.x

[Code]....


Cisco Switching/Routing :: 3750 - Use MLS QoS Trust DSCP With Service-policy?

Dec 24, 2012

I would like to know the possibility to use mls qos trust dscp with service-policy in IOS ver. 12.2(25)SEE2. The specific version is not possible to configure like below.
 
Cat3750(config-if)#do sh run int f1/0/1
Building configuration...
 
[code]....


Cisco Switching/Routing :: 3750 Service Policy Output Not Supported

Jan 26, 2009

I have a 3750 switch (c3750-ipbasek9-mz.122-46.SE.bin) where I want to add a bandwidth limit per interface, doing the following:
 
ip access-list extended customer_A
permit ip any any 
class-map match-all BW_10Mbps

[Code]....
 
When I try to apply the "service-policy output 10 Mbps" to the interface, it says the service-policy output is not supported on the switch. Is this a software related issue?


Cisco Switching/Routing :: Unable To Apply IP Policy Route-Map To VLan 4 In C-3750

Apr 22, 2012

Here is my configuration below. I have upgraded my C-3750 switch IOS from IPbase to IPservices. After upgrading I tried to apply PBR on my Vlan 4 and failed. When I try to apply the route-map to Vlan4 the command is accepted, but I am unable to see the route-map in sh run. I am giving the command as "ip policy route-map TTSL" in my Vlan4; below is the configuration.
 
In Vlan2 I have connected one ISP and in Vlan4 I have connected one ISP. My local subnets are 192.168.1.x and 192.168.2.x. Now I want to route the 192.168.1.x traffic from Vlan2 and the 192.168.2.x traffic from Vlan4.
  
sh boot
coreswitch#sh boot
BOOT path-list      : flash:c3750-ipservices-mz.122-35.SE5/c3750-ipservices-mz.122-35.SE5.bin

[Code].....


Cisco Switching/Routing :: Policy Map Redirect Port 80 Switch 3750X

May 15, 2012

I would like to know if it is possible to create a policy map in order to redirect the traffic (80, http, 8080) to a proxy.
 
My current equipment is a 3750X using an IP Service License. I was reviewing some options but I want to be sure before implementing in production.


Cisco Switching/Routing :: 3750 / 3800 - Configure Trunk Between Switch And Extreme Switch

Nov 2, 2011

I have an issue connecting a trunk between a Cisco switch and an Extreme switch. I have many vlans that I want to cross via a link between a Cisco 3750 switch and an Extreme Alpine 3800 switch.


Cisco Switching/Routing :: 3750-X Stacking Switch By Switch

Nov 18, 2012

I have two 3750-X configured to be a stack and I am planning to re-rack these somewhere else.  What I would like to know is what are the effects of having the master switch itself lose power?  Does it immediately just make the member take over master (there should be no election since there are only 2 switches??) and there would be no loss of connectivity?


Cisco Switching/Routing :: VTP Traffic Not Seen On SPAN Port On 3750

Dec 12, 2011

Been dealing with a strange problem for several days now.  It started out with a problem that I thought was VTP related but ended up being something else.  I setup a span port on a 3750 that I am connected to that was mirroring the trunk connection coming into the switch.
 
Never saw any VTP traffic come across the connection but doing a sh vtp status indicated the traffic was arriving and getting processed.  When I found some debug commands (debug sw-lan vtp), I was also able to see the packets go between switches.  Seeing this issue concerns me that there is other traffic that isn't showing up during a span session.
 
I know that doing a span on a switch, especially using a trunk port as a source, isn't a good idea.  Since I didn't have a TAP at the time, this was my only choice.  I have since borrowed a NetOptics TP-CU3 tap from a good friend and was able to confirm the VTP traffic was going across the trunk connection between switches.
 
All of my 3750's are running 12.2.55.SE.


Cisco Switching/Routing :: 3750 - Only Allow Specific Traffic To VLAN

Oct 10, 2012

Have a quick question regarding inter-vlan routing on a 3750.  Overview of network is ISP --> ASA --> 3750 (acting as my core and default gw).  I have 5 vlan interfaces on my 3750, all w/ 192.192.x.x subnets, a 6th w/ 192.168.100.x, and a 7th w/ 192.168.200.x.  I have enabled "ip routing" on the switch and can successfully ping from subnet A to subnet B as long as both devices are using the correct DG for their vlan, which is the switch.  I have a few ports that are trunked as well that go to ESX hosts which break out the vlans according to the subnet the vm should be attached to.  The ASA is set to nat internal traffic for all the vlans.
 
Now my question:  short of applying an ACL to each vlan interface to block traffic from other 192.192.x.x subnets is there a better way to accomplish this?  I want my 192.168.10.x subnet to be able to reach all the subnets, but don't want 192.192.10.x to be able to talk to 192.192.20.x for example.  I was thinking to create an acl like this:
 
access-list 120 permit ip 192.192.10.0 0.0.0.255
access-list 120 deny ip 192.192.0.0 0.0.255.255 192.192.10.0 0.0.0.255
access-list 120 permit ip any 192.168.100.0 0.0.0.255 192.192.10.0 0.0.0.255
 
and then applying this to the interface for the appropriate vlan. 


Cisco Switching/Routing :: Keep Traffic Local Between Two Sub-nets Using 3750-X

Nov 13, 2011

We have a remote office with a Cisco 3750-X switch with the IP-Services feature set connected via dark-fiber to a 6509-E at the corporate office. We plan on migrating the remote office to a new network (new acquisition) to subnet 10.10.10.0 on VLAN 20 which has an existing  subnet of 192.168.100.0 and we would like to run both in parallel using their existing switches (Dell) and the new 3750-X.
 
I’m curious as to the best way to keep the traffic local between the two subnets using the 3750-X and, if necessary, put the 192.168.100.0 network on a VLAN. I thought about routing between the two networks via IP routing on the 3750-X, but the new workstations' default gateway is the 6509-E and the existing workstations' is a SonicWALL within the remote office. The default gateway for the new workstations can be moved from the 6509-E as a last resort.


Cisco Switching/Routing :: Traffic Within 3750 Slow / But Fast Outside Of It

Jul 15, 2012

I have 2 new 3750g devices in a small environment.  Switch1 acts as our collapsed core and has ip routing enabled, and is connected to an ASA 5510. There are 3 HP L2 switches connected to switch1 as well.  Switch2 is simply a server switch.  Switch1 and switch2 have a 2-port etherchannel between them, and a vlan trunk carrying 4 vlans.  Traffic between any 2 hosts on switch2 (same vlan) is slow (average 300 Mbits/sec).  If I move one of those hosts to switch1, speeds increase by 3 times (average 900 Mbits/sec).  Additionally, traffic between any 2 hosts on switch1 is quick. Testing is done with iperf as well as timing 1 gig file transfers.
 
I don't see any errors or drops anywhere, and there are no other symptoms other than slow transfer between hosts on switch2. I just got 2 more of these 3750's to put in a 2nd site that we have, put a quick configuration on them, and have the same result.  Other than switch1 having ip routing enabled, the configs are pretty much identical.


Cisco Switching/Routing :: 3750 - Tagging Traffic By IP Source And Destination?

Dec 2, 2012

I want to know if there is a way to tag traffic with DSCP tags without having to do all the other requirements of QoS setup.  All I want to do is just tag traffic at different DSCP values via source and destination IPs.  We do not have a need to be prioritizing traffic on our internal switches.  We just want to tag the traffic so our MPLS provider can distinguish the different types of traffic.
 
Our environment is primarily 3750s in all offices.


Cisco Switching/Routing :: 3750 Switches Doesn't See Traffic From Other Network

May 21, 2012

We have three separated network segments going to one Cisco 3750 switch; all is L2. From this switch there is a 100 Mbit uplink. We need to apply some QoS mechanism not to saturate the line by traffic from one network. Configuration, for various reasons, CANNOT be done on the switch where the 100 Mbit line is terminated, so all must be done on SW1,2,3. Correct me if I am wrong, but as the switches don't see traffic from the other networks I am afraid the only thing we can do is limit bandwidth on the links going into SW1,2,3 to 33 Mbit. I found the command srr-queue bandwidth limit. But the links going to the SWs are 1 Gbit, so if I force bandwidth to 10% (the minimum the command allows) it's 100 Mbit. If I force speed on those links to 100 Mbit and then apply srr-queue bandwidth limit to 30%, does it work? Will srr-queue bandwidth limit speed to 30 Mbit? Or is srr-queue bandwidth limit calculated from the maximum speed of the interface?


Cisco Switching/Routing :: 3750 Cannot Mark Http Traffic With DSCP

Mar 14, 2012

I am trying to mark http packets from a web server with DSCP ef, but when I am doing a traffic capture all http packets have tos 0x0. I am able to mark UDP and ICMP packets originated from this server, but not any TCP traffic. The web server is in VLAN 20. This is my config:

mls qos
ip access-list extended MARK-HTTP-ACL
 permit tcp host 10.10.10.10 eq www. [code]


Cisco Switching/Routing :: 3750 - How To Isolate Fiber Port Traffic

Jun 18, 2012

We would like to setup a link to our DR site that is separate from our main network traffic.  This link will be used by an EMC VNX SAN for replication traffic.  The SAN will be plugged into a fiber port on a 3750 switch and going out from the same switch (going in as multimode, going out as single mode) into a patch panel that runs over to the DR site (about a mile away).  At the DR site it will go from the fiber panel into another 3750 switch which ends up going back out of that switch into our DR SAN.
 
I'm wondering what the best way would be to configure the fiber ports to accomplish this.  I'm afraid that the replication traffic will find its way over through another route and congest our main network unless configured appropriately.


Cisco Switching/Routing :: 3750 / How To Identify Broadcast Traffic Source

Feb 23, 2012

We have 2 switches split across 2 datacentres connected via an interconnect.  Over the past couple of days the interconnect provider's Cisco kit has shut down our port (err-disabled) due to a broadcast storm.  They had the level set at 1 which I thought was a bit low.  They say they tried to set to 2, then 5 but still kept tripping the storm-control feature so they set at 10.  They say they've always had it set at 1% (on a 100Mb switch) and so we must be generating more broadcast traffic.
 
I'm trying to identify where the broadcast traffic is coming from.  On our Cisco 3750 I've cleared interface counters and when I do a sh run | i broadcasts there are a few ports which have what seems like a high broadcast count.  The one port that is especially high and the only one tripping the storm-control feature (I've enabled it on all our ports to try to identify where the traffic is coming from) is the port connected to the 100Mb interconnect.  I've mirrored that port to another port and connected a server with wireshark so I can capture all the traffic across that port.
 
What I'm struggling to find is the source of the broadcast traffic. I have a few questions: are these broadcasts layer 3 or layer 2 broadcasts?  Also, in the output below, when it says broadcasts received, is this inbound to the port, i.e. from the connected device, or is this a total of inbound and outbound broadcasts?
 
When I use wireshark and filter the capture on broadcasts (ff:ff:ff:ff:ff:ff) I see only 200-300 compared to the thousands the switch is reporting. If I filter on the broadcast IP address I also don't see the numbers corresponding to what I see in the show interface output.
 
GigabitEthernet1/0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0014.a93f.7401 (bia 0014.a93f.7401)
  Description: Interconnect
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 4/255, rxload 44/255
  Encapsulation ARPA, loopback not set

[code].....
 
Also I'm currently doing: monitor session 1 source int g1/0/1 both, and also tried just rx in case I just need to be looking at receive traffic, but still nothing is standing out.


Cisco Switching/Routing :: 3750 - Route Traffic From Server To End User?

Jun 3, 2013

Actually I have a design from my customer who has a Cisco core switch 3750 (all ports fiber ports) which is connected to L2 switches; these switches carry servers and end users. The only routing protocol on the access switches is static route.
 
My question: how can I route the traffic from the server to the end user, as the server is not directly connected to the core switch?
