Is it possible with a 3560 to block all traffic to a certain vlan except for one or two IP addresses? Create an ACL or something? We have a vlan for voice calls (SIP) and we are getting a lot of scnas that are making the phones ring and such, and I think we can stop this if we only allow traffic onto the vlan from the IP's the SIP traffic is SUPPOSED to be coming from.
View 1 RepliesI have 4 vlan and all has conectivity/access with all (VLAN10,VLAN20,VLAN30 and VLAN40, I use a 3560 Switch for this propose, I need to modificate one vlan (VLAN40) that has access to the rest of the VLAN's BUT the rest of the VLAN's dont have access to VLAN40. I know that it is a problem of access-list BUT I can't undertand how to obtain the result that I like
View 1 Replies View RelatedI have One switch 3750 and many switch 2960 c.I use one ASA 5510 to reach emote branche site (vpn conexion).I use one router 1841 for internet conexion.Router 1841, ASA and catalyst 2960 are connected on the 3750.Default gateway of all user is ASA IP
I configured Vlan 3750 and it work.Now I need to implement security : permit/block specific traffic between vlan [code] From vlan 72 I cannot have remote access on computer in vlan 34 and I cannot ping computer in vlan 34.
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
Between our hosting and a customer we have an extended vlan, traveling on a fiber, between two cisco 3560 switches.The thing is, that we want to create one or more vlans inside that extended vlan, in some way if possible?
View 3 Replies View Relatedi'm going mad on following problem. I'm trying to get 2 networks seeing each other while one of the network is a non VLAN network and the other one is a VLAN network.They should use the same interface so i added VLAN e0/0.122 to the interface e0/0.Send a ping from my asa to both gw-IP's made me happy at first. In second in figured out that i cannot reach any client in the other network. For testing purpose i created an permit acl to any/any for both networks, but the packets still get dropped by the default implicit rule. (deny any/anyMaybe i'm to stupid for this
View 10 Replies View RelatedIn cisco documentation for the 3560 it is mentioned that blocking appletalk will not work .It shows up in command line but it is not working due to hardware limitation.Is there any other way to block appletalk on 3560 swiitches.
View 3 Replies View RelatedI need to block the P2P traffic on a Cisco router. How can do it effectively? I configured NBAR on my router but still users can download using the utorrent client.
View 5 Replies View Relatedwhere is the best place to block unwanted traffic? By that I mean, should I block it at the router, firewall, IPS? As an example, I'm dealing with DNS flood attacks - probably DDoS and reflection. I have a pair of Cisco 2821 routers with two different ISPs doing BGP. Behind that I have an ASA 5510 with IPS module. Behind that I have 2 public DNS servers. Over the last few days I've seen an increase in bogus DNS queries - high volume, distributed. My question is where is the best place to put the ACL to block them? I've been putting them on the ASA, but when the attack is running, it jacks the CPU to 60%. If I don't put the ACL, the IPS seems to pick them up after a while and the CPU is almost as high as with the ACL. I haven't tried to put the ACL on the routers.
View 2 Replies View RelatedIs it possible to block outside P2P traffic on a guest wireless network using an ACL on the controller? I know we can do it our firewall
View 6 Replies View RelatedI'm using ASA 5515X my concern is I was not able to block the traffic of P2P such as BitTorrent etc. I was also view some technotes on how to use webfilter without using Websense or Smartfilter tools and lucky I'm able to block certain websites. how to block the traffic of P2P?
View 2 Replies View Relatedwhen I run nestat -b command. I always see a lan ip sending TCP traffic to my computer with state syn_receivedProto >> Lan Address >> Foreign Address >> state >> Process idTCP >> (my ip) >> 192.168.2.222(lan ip) >> syn_received >> 4
View 6 Replies View RelatedI would like to block incoming traffic from a specific ip on a specific port
This is what I have
source: interface: wan ip address range: 5.xxx.xxx.226 - second one is empty (valid ip instead of x's) protocol: tcp
dest: interface: lan ip address range: both fields empty port range: 139 - empty field
ON and DENY box is ticked name field has some text in it
I click save and get this pop-up: Incorrect source ip address. Invalid format of the start IP address. Current Firmware Version : 2.11 The ip is obviously valid, what should I do?
My HO is connected to BOs over MPLS Links.The links are terminated on routers but i dont have access on those routers as it is maintained by the ISP.Behind of the HO router there is s 3560 switch. Can i configure this switch to prioritize some traffic over the WAN link to the BOs.
View 4 Replies View RelatedIs it possible to block internet traffic on the PC using ASA5501 firewall which is used in transperent mode.The DHCP pc is working fine we just need to pass through ASA to block the internet on the pc however intranet should be available.
View 3 Replies View RelatedGot servers in vlan 10 ip range 10.0.0.0 and servers in vlan 20 ip range 20.0.0.0 at the same layer 3 switch. (c6509 sup720)I would like to block TCP traffic initiated from Vlan 20 to Vlan 10. But the servers in Vlan 10 needs to be able to open an TCP connections to Vlan 20 did test with the ACL thats blocking (ack/established/syn) but unable to get it to work.Or it works both directions or is works non directions.
View 4 Replies View RelatedI have a working L2L between two locations. Location A and Location B.
Location A: 172.16.16.0/24
Location B: 192.168.0.0/24
I would like to block anything inbound to Location A from Location B that isn't initiated from Location A. The block should be done on the ASA5505 at Location A. Location B uses an ISR G2 router. i.e. Location A can start an SSH session to a server in Location B Location B cannot start an SSH session to a server in Location. .
I tried using a VPN filter on the ASA5505 but it isn't stateful, I cannot pass any traffic when using it.
Config on my ASA:
access-list vpn-traffic extended permit ip 172.16.16.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list block-vpn-to-local extended deny ip 192.168.0.0 255.255.255.0 172.16.16.0
[Code]....
I also have an AnyConnect VPN setup for the ASA5505 and it is running 8.2(5).
I was configure 3 interface on ASA1st - managemetn (only for management)2nd - gig0/0 is connected to internet with real IP3rd - gig0/1 is connected to local networkI was configure routed NAT to internet.But I have problem with restriction incomming traffic to inside interface (ifname is inside)but I can connect to ip address of inside interface from other ip. It is wrong and i can't understand where is my mistake.
View 2 Replies View RelatedIs there a way to block lan to lan traffic (except lan to gateway/gateway to lan traffic of course) on a Cisco 2960?
View 9 Replies View RelatedAny comprehensive list of custom settings for NBAR V6 that will block most P2P traffic. The built in list seems incomplete. Either that or a way to better block P2P traffic at the router level.
View 1 Replies View RelatedWe had a new building thats gone up and complete now and we're trying to get a ip phone working down that end of the school on a vlan. We seem to be having trouble with the VLAN going through on the 2960 switch but it works fine on our core 3560 switch.
There looks like a slight variation in the config of the switches, the 3560 switch supports the "switchport trunk encapsulation dot1q" command on the interface where as the 2960 doesn't support the "switchport trunk encapsulation dot1q". Is this why the vlan is working on the 3560 and not the 2960, or is it something else?
Both switches are using the 12.2 IOS
Heres the trunk port configured on the 3560 going down to the new building and connecting into the 2960 with a 1gbit fiber link
interface GigabitEthernet1/2 description 3560X Port UpLink as Trunk Mode switchport trunk encapsulation dot1q switchport mode trunk udld port storm-control broadcast level 60.00 spanning-tree guard root
Heres the trunk port configured on the 3560 going to a Linksys switch which then connects to the DHCP server (The other end of the 3560 is also configued as trunk)
interface GigabitEthernet0/6 description Edge Switch port for clients switchport trunk encapsulation dot1q switchport mode trunk spanning-tree portfast
Heres the working vlan port on the 3560, the ip phone is able to get an ip and ring all other phones etc
interface GigabitEthernet0/7 description Edge Switch port for clients switchport access vlan 2 switchport mode access spanning-tree portfast
Ok now heres the config for the 2960
Heres the trunk port configured on the 2960 going back upto the 3560 switch
interface GigabitEthernet1/0/25 description Port UpLink as Trunk Mode switchport mode trunk udld port storm-control broadcast level 60.00
Heres the access port configured on the 2960 which isn't passing on vlan information. Is there another command i need to use to enable encapsulation as dot1q?
interface GigabitEthernet1/0/19 description Edge Switch port for clients
switchport access vlan 2 switchport mode access spanning-tree portfast
I have a computer on my network I would like to use for media streaming. I would like to block all incoming/outgoing internet traffic and keep all network traffic on this computer local. Is this even possible? Can I also easily restore it if necessary? The computer is running Windows 7.
View 4 Replies View RelatedHow to configure the 825 to block inbound traffic from a specific internet IP address ?i noticed an IP and MAC that i don't recognize that is listed as a connection to my NAS's media server ...i blocked it in the NAS configuration page, but i don't want any unsolicited traffic into my network.
View 3 Replies View RelatedI Do want know what could be best Device to prioritize Skype Traffic i mean should i implement it on Cisco 3560 or squid or Mikrotik according to my current scenario to get best result.Also do Let know how to Prioritize Skype Traffic in Cisco 3560 Switch
View 2 Replies View RelatedI am having an ASA5510 with a CSC-SSM-10 module. I am able to block http traffic through the ASA but cannot block https traffic through it. Need to block https traffic using the CSC module.
View 19 Replies View RelatedFor my company, I am running a Cisco 5508 WLC with a 4400 WLC as a guest anchor in our DMZ. There is a guest SSID and several business SSID's for internal equipment. Guest traffic should be tunneled out to the 4400 controller where [the client] gets its IP address and is sent out to the internet. No internal corporate access is possible. However, when I do a packet capture from my wired PC, I'm seeing traffic generated by different iPhones. It appears to be mostly IPv6 mDNS or ICMPv6 traffic. How would this traffic make it onto the corporate wired network, when it should be staying on the guest network? None of the iPhones have been setup on the business SSIDs, so I know it isn't legit traffic. Is there a setting in the WLC that will block this? Will an ACL work?
These are examples of some of the traffic that wireshark is capturing:
349 7.794875 fe80::e77:1aff:fe3c:f81 ff02::fb MDNS 253 Standard query response PTR, cache flush Tonyas-iPhone-2.local PTR, cache flush Tonyas-iPhone-2.local
356 7.802667 fe80::e77:1aff:fe3c:f81 ff02::fb MDNS 151 Standard query ANY Tonyas-iPhone-2.local, "QU" question ANY Tonyas-iPhone-2.local, "QU" question
361 7.806964 fe80::e77:1aff:fe3c:f81 ff02::fb MDNS 151 Standard query ANY Tonyas-iPhone-2.local, "QM" question ANY Tonyas-iPhone-2.local, "QM" question
Both controllers are running software version 6.0.196.0. I also have a WCS server running version 7.0.220.
I have a Ciso L3 switch with 4 VLANs and all host computer connected to rest of 8 cisco 2960 switch's:
VLAN 1 : 192.168.1.0/24
VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24
VLAN 50: 192.168.30.0/24
There are list of my some Questions about Extended ACL serialwise :
1. For Restrict traffic from VLAN 10 to VLAN 20, I am using only one ACL is : Access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255.\ What will happen in this scenerio if we talk about traffic from VLAN 20 to VLAN 10. Will it communicate or not ???
2. How to Block the traffic from VLAN 10 to VLAN 20 but allow the traffic from VLAN 20 to VLAN 10 ?
Is there any way to check if this VLAN is used by somedevice?
Cisco3560#sh ip int b
Vlan55 unassigned YES NVRAM administratively down down
Cisco3560#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
55 Print active Fa0/5, Fa0/6, Fa0/7, Fa0/8
I want to give a breif overview of the current setup and what I had planned to do in the future. This is also where a few questions come into play. Currently we have 3 10.x.x.x subnets between three buildings with a wan connection. This connection is invisible to us so it can be seen as just a lan. The speed is 100mb. We have a 2811 router sitting at each building translating their traffic back to 10.3.1.1. We then have a router in the main building which ships the 10.3.x.x traffic to a ASA and then out the door to a ISP.
My plan was to upgrade this 100mb WAN connection to 10g fiber between our buildings as they are in extremely close range of each other. I would need a equipment upgrade as a 2811 won't support 10g traffic. Rather than replacing 3 routers in each of the buildings it seemed logical that I could get something like a catalyst 4500 or 6500 and do int vlan routing making it all one huge campus lan. Creating a vlan for each building to segment the traffic between them. My understanding was that a cat 3500/4500/6500 did not need a router with sub interfaces in a one arm setup to bridge this traffic. This is where the problem comes in.I tested with a cat 3560 and was unable to get the vlans to route correctly. Do I have to have a router to get int vlan routing to work? If so then I might as well get a Router which can handle multiple 10g fiber for the core instead of a cat 4500/6500 since I'd need the router to do the int vlan routing anyway?
In our new Head office we have to set up a Network connectivity.Total our office 4 floors.In each floor we kept three cisco 2950 switch.We have L3 switch(cisco 3560) to connect the all the other switch.In our office total 5 departments.we have to create VLan for each departments in the switch.
We want to all user to communicate to each other.We have WAN connectivity in the router(cisco 2900) to connect the other office.First i want know how to physically connect all the swiches and finally with the L3 switch.How to configure the VLAN in both L2 and L3 switch.In our other client office one router to connect the both office.In the router how to configure and which protocol to use to communication.
Ip address:10.10.40.0/22
WAN IP :192.168.214.65/30
My first question is I have an access layer switch which is a single VLAN and I am trunking that VLAN to a distribution layer switch, I can ping the gateway on the distribution layer switch for THAT VLAN, But cannot ping the gateway address for the second VLAN I have on the distribution layer switch. I know it is simple, But I have forgotten and just need a push
Also I have a third VLAN set to route traffic not bound for those 2 VLANs out to a router is the statement "ip route 0.0.0.0 0.0.0.0 172.16.252.2" good enough and do I actually need to create a VLAN for that traffic? and if so, is an access switchport the best option?
I have 2 locations, at a distance of 600KM.These two locations are well connected by Point to Point L2 VLAN with a speed of 2 MBPS and supported by CISCO 3560G switches.Location A has a VLAN to communicate to the other VLAN at Location B. Location B has also got 3 VLANS which are inter connected with Location A.Now the hardware in one of VLANs in Location B has moved to Location A for obvious reasons.
For further refernce am giving the VLAN IP address here....
Location A
VLAN1 for communicatng to Location B
IP Range 172.20.44.210
Subnet Mask 255.255.255.0
Default Gateway 172.20.44.210
VLAN2 for the desktops in Location A
IP Range 192.193.194.1-255
Subnet Mask 255.255.255.0
Default Gateway 192.193.194.1
[code]....
I have no router inplace that can do trunking (5505 basic license )I have 2 VLANS 10 Data 20 voice I have given both VALNs IPs lets say
-VLAN10 192.168.1.1
-VLAN20 192.168.2.1
Enabled IP routing and set the router as the gateway of last resort.Now becuase the L3 switchis doing the routing I have had to set the default gateway as the VLAN IPs. So PCs on VLAN10 get a gateway of 192.168.1.1 and phones on VLAN20 get a gateway of 192.168.2.1
Any real downside to having the 3560 doing the VLAN routing, is this the "correct "way to do things in the event I don't have a trunkable router?