Cisco VPN :: 3750 / ASA Tunneled Traffic With Switch?
Jun 8, 2011
I have some client with Anyconnect 3.0 configured .I want that all traffic (vs. LAN and vs. Internet) is tunnled in the SSL VPN. On the ASA i configured a route that all traffico tunnled goes to Switch 3750. route inside 0.0.0.0 0.0.0.0 192.168.80.229 tunneled The switch ahve this configurtion for the routing
ip default-gateway 192.168.80.228
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.80.228
But if i have a pc that have default gw the switch ip 192.168.80.229 all works fine, but the client vpn have a problem that can't go to internet.I attach a schema and a configuration.If i try to navigate only through the ASA with the client VPN all works. But if i try to tunnle the von traffic to the switch and come back to the and then to internet all stop to works.
View 1 Replies
ADVERTISEMENT
Mar 2, 2012
We are using Cisco 3750 switches in our environment as distribution switches.We currently use to police inbound traffic, but we need to find a solution to limit inbound traffic per IP.Something like this “Inbound traffic for each IP can be maximum 1 Mbps” This can be done having, one ACL and one class-map for each IP, but in my situation is not a practical solution, because we have more than 500 IP’s on that site.
Is any way to accomplish this without writing 500 ACLs and 500 class-map?
View 2 Replies
View Related
Feb 21, 2012
On a router I can use IP Accounting or Netflow to see what kind of traffic is moving over an interface. Are there any tools on a 3750 switch with a routed interface which would tell you who is hogging the bandwidth on that interface?
View 2 Replies
View Related
Aug 4, 2011
I am trying to come up with the best way to traffic shape traffic with 3750 Me switches. the traffic will be coming from a 6504 Sup-7203b downstream and going out the wan. Core---L3---->6504--intvlan80--trunkport to--->3750Me---g/1/1/1-trunkport to---MetroE network--->int f0/0.80--branch router. The idea is to use the 3750 to traffic shape the traffic going towards the wan/branch to 500 to match the contracted rate and then to use qos on shaped rate. I tried to apply it to g1/1/1 using port based policies but it did not shape the traffic. I changed everything to IP interfaces and it worked. I need to break up the metroe into different vlans so I can bring branch offices in on different vlans.c
View 3 Replies
View Related
Nov 2, 2011
i have an issue to connect a trunk between cisco switch and extreme switch i have many vlans that i want to cross via a link between cisco 3750 switch and a Extreme Alpine 3800 switch
View 12 Replies
View Related
Nov 18, 2012
I have two 3750-X configured to be a stack and I am planning to re-rack these somewhere else. What I would like to know is what are the effects of having the master switch itself lose power? Does it immediately just make the member take over master (there should be no election since there are only 2 switches??) and there would be no loss of connectivity?
View 1 Replies
View Related
Feb 16, 2012
I have a new MPLS circuit being stood up for my site; it’s going to replace a site to site VPN connection to our "Headquarters." I want to test this without affecting my production networks. Without getting into alot of details, the admin at the remote site is not very cooperative and basically doesn't want to set this up and I don't have access to his switching/routing. He is prepared to do minimal tasks if necessary. Ultimately, I am looking to test the new Vlan, once successful, route the traffic away from the Site to Site VPN connection to the MPLS circuit. Here is what I plan on doing, I need to determine if it is going to work.
LAN in my office uses EIGRP for routing. MPLS (10.1.1.253) uses OSPF (area 0) and BGP. Currently, traffic destined to headquarters (10.10.1.1/24) uses the default route on a CAT3750 pointing to the firewall (ASA5520) (10.1.1.254).Create new VLAN/DHCP scope to use as a test Vlan to test the new MPLS circuit. 10.1.199.0/24Create static routes on 3750 destined for headquarters for L2L VPN traffic pointing to firewall so traffic to headquarters remains on the L2L connection. ip route 10.10.1.1 255.255.255.0 10.1.1.254 (once I share routes with OSPF, routes to Headquarters will be advertised over the MPLS)Create OSPF instance on the 3750 advertising only the new subnet so that the MPLS network knows to route this traffic over the MPLS for return traffic from headquarters. (this is where it is grey as I don’t know OSPF at all) The switch has a L3 interface which the MPLS router uses as its gateway, so there is direct communication.router-ospf 0 network 10.1.199.0 0.0.0.255 area 0 4. On 3750 create a PBR for the new subnet so that it is routed over the MPLS, (imagine test PC is 10.1.199.100), the remaining production subnets will use the static routes and ignore the OSPF routes because of the shorter administrative distance.Will the PBR route win over the static route for that one subnet? Is that all I need in the OSPF configuration? I see some configs that have neighbor statements with costs, authentication types etc..
View 3 Replies
View Related
Dec 12, 2011
Been dealing with a strange problem for several days now. It started out with a problem that I thought was VTP related but ended up being something else. I setup a span port on a 3750 that I am connected to that was mirroring the trunk connection coming into the switch.
Never saw an VTP traffic come across the connection but doing a sh vtp status indicated the traffic was arriving and getting processed. When I found some debug commands (debug sw-lan vtp), I was also able to see the packets go between switches. Seeing this issue concerns me that there is other traffic that isnt showing up during a span session.
I know that doing a span on a switch, especially using a trunk port as a source, isnt a good idea. Since I didnt have a TAP at time, this was my only choice. I have since borrowed a NetOptics TP-CU3 tap from a good friend and was able to confirm the VTP traffic was going across the trunk connection between switches.
All of my 3750's are running 12.2.55.SE.
View 8 Replies
View Related
Jan 20, 2013
We have a data center with servers set up for different projects, some servers from partner companies and several small LANs. The traffic between all those needs to be controlled and firewalled. The servers and LANs are divided into different subnets and VLANs. Physically, their traffic is aggregated on a couple of 4506 and then sent to a FreeBSD server, where the logical gateways are set up and traffic is filtered between them.The BSD server is dying and having it there is incorrect in the first place, so we are planning to replace it with two ASA (5520) in failover.The question that arises is how to correctly implement firewalling between VLANs. Originally we thought to set up the firewalls in transparent mode and logically terminate VLANs on a stack of 3750 switches behind them, but would that filter the traffic between the VLANs? Then we thought to perhaps terminate the VLANs on the ASAs, use routing mode, and do filtering there, as well. Or should we implement multiple contexts? We have about 20 VLANs and all of them differ in rules of what should go there. None of this can be concidered an "inside" - trusted - zone, nor "outside". Internet and external links are connected and filtered in a different place.
View 1 Replies
View Related
Oct 10, 2012
Have a quick question regarding inter-vlan routing on a 3750. Overview of network is ISP --> ASA --> 3750 (acting as my core and default gw). I have 5 vlan interfaces on my 3750, all w/ 192.192.x.x subnets, a 6th w/ 192.168.100.x, and a 7th w/ 192.168.200.x. I have enabled "ip routing" on the switch and can successfully ping from subnet A to subnet B as long as both devices are using the correct DG for their vlan, which is the switch. I have a few ports that are trunked as well that go to ESX hosts which break out the vlans according to the subnet the vm should be attached to. The ASA is set to nat internal traffic for all the vlans.
Now my question: short of applying an ACL to each vlan interface to block traffic from other 192.192.x.x subnets is there a better way to accomplish this? I want my 192.168.10.x subnet to be able to reach all the subnets, but don't want 192.192.10.x to be able to talk to 192.192.20.x for example. I was thinking to create an acl like this:
access-list 120 permit ip 192.192.10.0 0.0.0.255 access-list 120 deny ip 192.192.0.0 0.0.255.255 192.192.10.0 0.0.0.255access-list 120 permit ip any 192.168.100.0 0.0.0.255 192.192.10.0 0.0.0.255
and then applying this to the interface for the appropriate vlan.
View 4 Replies
View Related
Nov 13, 2011
We have a remote office with a Cisco 3750-X switch with the IP-Services feature set connected via dark-fiber to a 6509-E at the corporate office. We plan on migrating the remote office to a new network (new acquisition) to subnet 10.10.10.0 on VLAN 20 which has an existing subnet of 192.168.100.0 and we would like to run both in parallel using their existing switches (Dell) and the new 3750-X.
I’m curious as to the best way to keep the traffic local between the two subnets using the 3750-X and if necessary put the 192.168.100.0 network on a VLAN. I thought about routing between the two networks via IP routing on the 3750-X but the new workstations default gateway is the 6509-E and existing workstations is a SonicWALL within the remote office. The default gateway for the new workstations can be moved from the 6509-E as a last resort.
View 5 Replies
View Related
Jul 15, 2012
I have 2 new 3750g devices in a small environment. switch1 acts as our collapsed core and has ip routing enabled, and is connected to a ASA 5510. There are 3 HP l2 switches connected to switch1 as well. switch2 is simply a server switch. switch1 and switch2 have a 2port etherchannel between them, and a vlan trunk carrying 4 vlan's. traffic between any 2 hosts on switch2 (same vlan) are slow. (average 300Mbits/sec) If I move one of those hosts to switch1, speeds increase by 3 times. (average 900 Mbits/sec). Additionally, traffic between any 2 hosts on switch1 are quick. testing is done with iperf as well as timing 1gig file transfers.
I don't see any errors or drops anywhere, and there are no other symptoms other than slow transfer beteween hosts on switch2. I just got 2 more of these 3750's to put in a 2nd site that we have, put a quick configuration on them, and have the same result. Other than switch1 having ip routing enabled, the configs are pretty much identical.
View 2 Replies
View Related
Jul 14, 2011
We are a new medical school located in PA. Just have just completed a new building and are now working on getting our network finished. Here is the situation we have a 50MB Internet Connection that comes into our network that then hits the ISPs Cisco 3750 which sends it to two of our Cisco 3750s for redundancy. From the 3750 goes into our Cisco 6509 with a FWSM module, then out from there to our distribution switches which are all Cisco 2960s.
What we would like to do is to control how much WAN connectivity each of our VRFs get. Right now we have a Faculty, Student, and Research VRF formed, and are trying to figure out the best spot where we can say Faculty gets 30MB of Bandwidth, Students gets 10, and Research gets 10. If possible would like burst capabilities.
View 3 Replies
View Related
Jul 10, 2011
We have the next Settings in our SW. We crate an ACL and aplied to a SVI for Incomming Traffic, I understand that is not necesasry to allow the returning traffic in ACL, but we can't access to rdp for example when we add the ACL, if we remove it, the acces is ok, buet when we add again the access is deny, even we have a log entry, and the ACL i just for Incomming traffic. There is no another ACL.
See attached file
[code]...
View 1 Replies
View Related
Dec 2, 2012
I want to know if there is way to tag traffic with DCSP tags without having to do all the other requirments of QOS setup. All i want to do is just tag traffic at different DCSP values via source and destination IPs. We do not have a need to be priortizing traffic on out internal switches. We just want to tag the traffic so our MPLS provider can distinguish the different types of traffic.
Our environments is primarily 3750s in all offices.
View 6 Replies
View Related
May 21, 2012
we have three separated network segments going to one Cisco 3750 switch all is L2 .. from this switch is 100 mbit uplink.we need to apply some Qos mechanism not to saturate line by traffic from one network.. Configuration from various reason CANNOT be done on switch where 100Mbit line is terminated.. so all must be done on SW1,2,3..Correct me if iam wrond but as switches doesnt see traffic from other network iam affraid only think we can do is limit bandwidth on links going into SW1,2,3 to 33 Mbit.I found commad srr-queue bandwidth limit.But links going to SWs are 1Gbit so if i force bandwidth to 10% (minimum what command allows) its 100 Mbit..If I force speed on those links to 100Mbit and than apply srr-queue bandwidth limit to 30% doest it work.??. Will srr-queue bandwidth limit speed to 30Mbit?? Or srr-queue bandwidth limit is calculated from maxim speed of interface?
View 1 Replies
View Related
Mar 14, 2012
I am trying to mark http packets from a web server with DSCP ef, but when I am doing a traffic capture all http packets have tos 0x0.I am able to mark UDP and ICMP packets originated from this server, but not any TCP traffic.The web server is in VLAN 20This is my config mls qos ip access-list extended MARK-HTTP-ACL permit tcp host 10.10.10.10 eq www. [code]
View 4 Replies
View Related
Jun 18, 2012
We would like to setup a link to our DR site that is separate from our main network traffic. This link will be used by an EMC VNX SAN for replication traffic. The SAN will be plugged into a fiber port on a 3750 switch and going out from the same switch (going in as multimode, going out as single mode) into a patch panel that runs over to the DR site (about a mile away). At the DR site it will go from the fiber panel into another 3750 switch which ends up going back out of that switch into our DR SAN.
I'm wondering what the best way would be to configure the fiber ports to accomplish this. I'm affraid that the replication traffic will find it's way over through another route and congest our main network unless configured appropriately.
View 4 Replies
View Related
Jan 28, 2013
Unable to limit traffic on catalyst 3750 gigabit ports it has fiber modules,
I want to limit traffic 2mb per port
I have tried srr-queue and policier but it is not working and there is no ratelimit command under any interface, Applying policy to output is not supported of the interface
policy-map rate-limit
class class-default
police 2000000 8000 exceed-action drop
int gi1/0/3
service-policy input rate-limit
still when I start download it goes to 10 mbps
View 12 Replies
View Related
Feb 23, 2012
We have 2 switches split across 2 datacentres connected via an interconnect. Over the past couple of days the interconnect provider's Cisco kit has shut down our port (err-disabled) due to a broadcast storm. They had the level set at 1 which I thought was a bit low. They say they tried to set to 2, then 5 but still kept tripping the storm-control feature so they set at 10. They say they've always had it set at 1% (on a 100Mb switch) and so we must be generating more broadcast traffic.
I'm trying to identify where the broadcast traffic is coming from. On our Cisco 3750 I've clear interface counters and when I do a sh run | i broadcasts there are a few ports which have what seems like a high broadcast count. The one port that is especially high and the only one tripping the storm-control feature (I've enabled on all our ports to try to identify where the traffic is coming from) is the port connected to the 100Mb interconnect. I've mirrored that port to another port and connected a server with wireshark so I can capture all the traffic across that port.
What I'm struggling to find is the source of the broadcast traffic.I have a few questions are these broadcasts layer 3 or layer 2 broadcasts. Also in the output below when it says broadcasts received is this inbound to the port i.e. from the connected device or is this a total of inbound and outbound broadcasts.
When I use wireshark and filter the capture on broadcasts (ff:ff:ff:ff:ff:ff) I see only 200-300 compared to the thousands the switch is reporting.If I filter on the broadcast IP address I also don't see the numbers corresponding to what I see in the show interface output.
GigabitEthernet1/0/1 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0014.a93f.7401 (bia 0014.a93f.7401)
Description: Interconnect
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 4/255, rxload 44/255
Encapsulation ARPA, loopback not set
[code].....
also I'm currently doing : monitor session 1 source int g1/0/1 both, and also tried just rx incase I just need to be looking at receive traffic but still nothing is standing out.
View 10 Replies
View Related
Jun 3, 2013
Actually i have a design from my customer who have ( Cisco core switch 3750 (allports fiber ports) which is connected to L2 switches , these switches carry servers and end users .the only routing protocol on the access switches is static route ,
My question how can i route the traffic from the server to the end user , as the the server is not direct connect to the core switch.
View 6 Replies
View Related
Aug 6, 2012
I am aware that the 3750 switches are not able to support Netflows, so I have created a SPAN port and spanning traffic from a specific port. I would like to create a seperate VLAN and trunk the traffic from the SPAN port down to the 6509 switch and then capture all the traffic for that VLAN on the 6509.
View 4 Replies
View Related
Feb 21, 2013
I have One switch 3750 and many switch 2960 c.I use one ASA 5510 to reach emote branche site (vpn conexion).I use one router 1841 for internet conexion.Router 1841, ASA and catalyst 2960 are connected on the 3750.Default gateway of all user is ASA IP
I configured Vlan 3750 and it work.Now I need to implement security : permit/block specific traffic between vlan [code] From vlan 72 I cannot have remote access on computer in vlan 34 and I cannot ping computer in vlan 34.
View 1 Replies
View Related
Nov 13, 2011
I am trying to setup a network using Cisco 2960 switches with vlans configured. One vlan will handle video coming from four cameras that are connected to another 2960.
We have four cameras feeeding one port each on a 2960, that 2960 in turn feeds one port on the main 2960 which is the video vlan for that site. From the site it goes back to a Cisco 3750 to be sent over to a Sonicwall firewall. If we connect to the 2960 that the camera are connected to we can see the video, but not on the main site 2960.
View 5 Replies
View Related
Jan 27, 2013
I have catalyst 3750 I want to controle traffics on every port I have tried Frame-Relay Traffice shaping and Quality of service but there is no support for these commands in the switch.do we have any way to limit traffic on every port in catalyst 3750 and 2960 switches ?
View 4 Replies
View Related
Nov 10, 2012
I have a 3750 switch.The status of the switch is rommon," switch : ".there is not an IOS in the switch....Are there ways to install an IOS excepted xmodem
View 6 Replies
View Related
Feb 1, 2011
I need to use a 3750 switch running 12.2 code to route between two networks in a test setup.Switch#sh verCisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)Copyright (c) 1986-2006 by Cisco Systems, Inc. The idea for the test setup is 3750 emulates a client's live network which is two routers having a site-to-site tunnel connecting from their ISPs. This will allow me to test the tunnel configuration with the router configs that are in production but replacing one of the routers with an ASA.
View 3 Replies
View Related
Jan 31, 2012
I am looking at the interface stats of port Fa1/0/2 and see something strange. Ouput drops are 42Billion in 16mins, then 21249 few seconds later, then followed by 42Billion drops again, then 21444...and so forth..I keep getting an entirely different output drops reading everytime i refresh within seconds of each refresh!
sh int fa1/0/2
FastEthernet1/0/2 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is ecc8.8266.d604 (bia ecc8.8266.d604)
Description: MSGMERGF1
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 12/255, rxload 11/255
[code]....
View 3 Replies
View Related
Apr 28, 2013
some of my switches (3750s) are on the right time and some are not. i have them all pointed to the same DC for NTP and they all say they are synchronized. is it possible to have the switches pole the DC for the right time and update?
View 4 Replies
View Related
Jan 18, 2010
I have 3750 switch (WS-C3750G-24TS-S1U) with IP Services version
Switch Ports Model SW Version SW Image------ ----- ----- ---------- ----------* 1 28 WS-C3750G-24TS-1U 12.2(46)SE C3750-IPSERVICESK9-M
on the switch, I have configured aaa new-modelaaa authentication dot1x default group radius dot1x system-auth-control but i am not able to implement the command under interface
Switch(config)#int gigabitEthernet 1/0/20Switch(config-if)#do?down-when-looped
dot1x commands are not available under the interface config. Is the IOS version is compatible with dot1x?
View 5 Replies
View Related
Jan 16, 2013
I am writting in response to MAB issue which I noticed a few days ago and I am still not able to undestand what exactly happend. First of all I would like to say that I configured MAB authentication and according to the MAC the ISE configure a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appear when I cut the connection to ISE server. Accourding to configuration the switch authorize the new device to VLAN 11 (critical VLAN) That is fine ! When the ISE server is up again I had a configuration which should reauthorize all ports assign in critical VLAN. But why that is not happend ??? It looks as the switch didn't notice that the RADIUS (ISE) was up and working again. [code]
View 1 Replies
View Related
Apr 16, 2013
We have a current 3-stack 3750 ( 48-P,48-TS & 3750v2-48PS ) running fine. There is a plan to introduce a fourth stack member ( 3750X-48P ) into this stack.as per cisco documentation, it suggests to use 3750X as master for a mixed stack. In this case, we will need to upgrade current other 3 stack switches to a latest version.,Can we do a no-downtime ios upgrade on the existing 3-switch stack?, when this upgrade is done, is there any way to have the new ios pushed down to all three stack members at the same time or do we need to each member upgrade seperately?, for adding the fourth member, is it acceptable if master is ruuning ver eg. 12.2(55) and all rest of the members run ver 12.2(53) ? will this create any issues and will stacking be successful.
View 5 Replies
View Related
May 20, 2013
im trying to move the config from an 3750 to 3750 PoE but without using the PoE options.I have allready download the config with tftp and upload it to the 3750 PoE. Now the new config is stored on the PoE switch but some of the old setting are still there. Not sure why, i think the config only overwrite the settings which are in the conf file and the setting which are not in the conf file but enabled on it will stay on the switch.After the upload of the config file I deleted all the config I do not need by hand.They are some settings i can't delete and I don't know why, this are the sittings:
1. each fastethernet port has this option: "no cdp enabled" this entry was no availble on the old switch, is the any possiblity to remove this entry?
2. the same for "no mls qos rewrite ip dscp"
3 and for this one "vlan internal allocation policy ascending"
View 1 Replies
View Related
