Cisco WAN :: 3750 - Settings To Use Storm Control
Dec 22, 2011
I'm connecting a client directly to a 3750, and giving them a public IP.
On the port I have set spanning-tree bodyguard enable
But I guess I should also set some storm control etc. What settings should I use for storm control?
The client has a 100Mbps internet connection running through this port....
Apr 30, 2012
We're using ME-3600 and ME-3800 switches to create VPLS domains. Now to avoid L2 loop issues with 3rd parties connected to the multiple ME-3X00 switches and configured in the same VPLS domain, we would like to configure storm-control.
When checking the configuration manual about storm-control on ME-3X00 switches, it mentions: storm-control is configured on the physical interfaces and when it's triggered it will not only impact the physical interface but also the EFP configured on it.
According to me this could mean two things:
- When there's a storm on the physical port, the port will be shut down (if this is the action configured) and of course the EFP on that physical interface will be impacted too (logical consequence).
- When there's a storm on an EVC (EFP) configured on a physical interface, it will shut down the entire physical port (if this is the action configured) and as a consequence all other EFPs will be impacted too.
Briefly: is the configured storm-control on an interface also triggered by storm-controls on an EFP? I suppose it would but would like to have some confirmation.
configuration example
interface GigabitEthernet0/2
description TEST storm-control
switchport trunk allowed vlan none
[Code].....
Oct 30, 2012
I have 2 ME3600Xs and utilize Broadcast and Multicast storm control on client facing interfaces. One of my ME3600s is reporting a Multicast storm and that a packet filter action has been applied. The strange thing is that it is showing up on an Admin Down interface that has nothing connected to it. [code]
Feb 9, 2012
We have around a dozen Catalyst 3560 and 2960 switches in a ring topology. We are considering adding storm control to our trunk ports. Up until now we have only used it on edge ports with default values and without error-disable. I am proposing that we also add storm control to trunk ports at a lower level and that we error-disable only the redundant links that make up our loops.
-storm-control broadcast level 25.00 20.00
-storm-control multicast level 2.00 1.00
-storm-control action shutdown [only on redundant links]
In a storm all links will restrict broadcast which should work accessing remote switches, but the redundant links should errdisable and block the redundant path. It is important that the action line is not applied to links that are not redundant as we could isolate parts of the network. Any reason not to use storm control on trunks?
Jul 17, 2011
We have 3750 and 4510 switches and in both we run Q-n-Q, but we observed looping/broadcast storm. We already run TSP on the 3750 end and this is the corporate branch, but the 4510 is a different branch where we run Q-n-Q technology.
May 26, 2011
I just installed Windows XP Professional on my Toshiba-X205 laptop and I am having a problem getting the OS to detect my NIC. I cannot remember how to go into the control panel and configure settings so the OS will detect my wireless network, or should I say I cannot get my OS to detect my NIC so I can connect to my wireless network. I think I may need to install the device driver for the NIC but I don't remember which driver I need for the NIC of my laptop and I cannot find it on the Toshiba website, not supported anymore.
Mar 17, 2013
We have a 5508 pair running in HA mode. Initially the controllers were running the 73..101.0 code. We were having issues where the primary controller would software reset (according to show sysinfo), the secondary (HA SKU) would take over and then after a few hours the secondary would also software reset and the primary would take over. Also I notice that after this happens the Tx Power Control doesn't seem to adjust the A radio settings; most of the radios are at the 6 level. Normally they are 1, 2, or 3. Last week I upgraded to 7.3.112.0, and later that day the same thing happened.
Feb 15, 2010
I have a problem with RV042. My ISP gives me an IP address automatically and I had no problems using different types of routers, including Linksys routers. With RV042 I just can't get the IP. It says the port is up, I see the packets/traffic, the front control light is blinking, but it never receives the DHCP settings, no matter if I use wan1, wan2, dual WAN mode or single WAN. I have the newest firmware 1.3.12.19tm. System statistics says "disconnected" but the packets come in and go out. Log shows absolutely nothing. I also disabled the firewall but it didn't work. I can't seem to find the older 1.3.12.6 firmware.
Jan 20, 2013
We have a data center with servers set up for different projects, some servers from partner companies and several small LANs. The traffic between all those needs to be controlled and firewalled. The servers and LANs are divided into different subnets and VLANs. Physically, their traffic is aggregated on a couple of 4506 and then sent to a FreeBSD server, where the logical gateways are set up and traffic is filtered between them. The BSD server is dying and having it there is incorrect in the first place, so we are planning to replace it with two ASA (5520) in failover. The question that arises is how to correctly implement firewalling between VLANs. Originally we thought to set up the firewalls in transparent mode and logically terminate VLANs on a stack of 3750 switches behind them, but would that filter the traffic between the VLANs? Then we thought to perhaps terminate the VLANs on the ASAs, use routing mode, and do filtering there, as well. Or should we implement multiple contexts? We have about 20 VLANs and all of them differ in rules of what should go there. None of this can be considered an "inside" - trusted - zone, nor "outside". Internet and external links are connected and filtered in a different place.
Nov 16, 2011
I am in the process of setting up an interop lab for some engineers. The environment will consist of some 3750's, H3C's and ProCurves. My concern is that the end user will have Priv-Exec access for CLI usage on the 3750's and they can change the "en" password (I hope they don't but it has happened). Is there a way I can "break in" during the boot process to reset the password? The reason I am doing it this way is because I have an Altiris server with rebuild automation scripts in xpect and I would like to automate the process so I do not have to use a manual factory default reset.
Dec 13, 2011
attached diagram and following is the basic configuration on L3 and L2 switch. Is this configuration sufficient for simple routing?
L3SWITCH:
switch 1 priority 15
switch 2 priority 10
[Code].....
Nov 16, 2011
We need to change the Channel-group settings in 3750 switch from Mode ON to Mode Active. We have tried once by removing the physical interfaces from the port-channel group but we lost the connectivity to the secondary switch. Any step by step procedure without losing the connectivity between switches.
Oct 27, 2011
To prevent a virus from spreading throughout the network ports or switches, can I use broadcast storm control? Sometimes the network may encounter a loop, or some virus may spread.
interface range gi0/1 - 24
storm-control broadcast level ?
storm-control multicast level ?
storm-control unicast level ?
storm-control action shutdown
What would be the recommended level, or the threshold / pps? I read through the Cisco website and understand it, however I have just never applied it before. What is the recommended level? In my network, we do have network ports connected to a media server, just sharing video, songs, etc. for testing purposes, not using PIM, but it works.
May 29, 2012
Yesterday there was a huge storm, and lightning smashed into a nearby house. My computer was running and I turned it off just after that. The result of the nearby lightning was that the internet no longer worked afterwards.
Soon after I was able to connect on my laptop (the laptop was connected and turned on during the storm too), but the desktop was still unable to do so.
I noticed that in Device Manager the network adapter is missing from the list. Everything is connected as it should be, but the Ethernet port doesn't have any lights on. I believe there should be some small light on the port as there is on my laptop, but I'm unsure.
How could I check whether my network card is OK? Or what could the problem be? I really hope it's just a software issue.
Dec 8, 2010
There is a port on 3560E, facing POP, this port is in the dedicated vlan, that is terminated on 7606 on SVI (peering point). There is configuration made on the 3560E port, that prevents storm of ucast or bcast kind. This is:
switchport block multicast
switchport port-security maximum 1000
switchport port-security
switchport port-security violation restrict
storm-control broadcast level bps 1m
storm-control multicast level bps 1m
storm-control action shutdown
storm-control action trap
no cdp enable
no lldp transmit
no lldp receive
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
[code]
I want to get info not only about the fact of storm attack but also about at least source and destination of it (i.e. source and/or destination MAC). Perhaps this could be some logging messages. Are there any means for this on C3560E-UNIVERSAL-M (IOS ver 12.2(53)SE2) and 7606-S.
Sep 12, 2012
So the SG300's have STP on them and prevent network loops when other switches on the network also support STP too. However, if someone plugs in a non-managed switch that doesn't support STP with a network loop, is there anything within the SG300 switches to isolate and/or prevent that from happening?
(I currently have port mirroring turned on for one port and a network sniffer attached awaiting the incident to happen again).
Jun 30, 2012
Do I need the Universal image to perform stftp on a 3750 or 3750-X?
Oct 10, 2011
I'm looking at adding a Cisco 3750-X switch running c3750e-universalk9-mz.122-55.SE1 (IP base license) into a stack of 3750-G switches running c3750-ipbasek9-mz.122-55.SE1.bin. Given that the version and feature sets are the same I don't foresee any compatibility issues. Would there be any reason why a universal image wouldn't stack correctly with other switches running the single .bin file?
Aug 12, 2012
I cannot get to my control panel. I have tried 192.168.1.1 and 192.168.0.1. I do have it flashed with DD-WRT. I can access the internet with it, the lights look correct, I don't believe it is bricked. I have tried hard reset and soft reset.
Jun 15, 2012
(1) How to forward a range of ports to a specific IP using static NAT? For example, I would like to forward port 5060 and 10000-20000 to a server 192.168.1.22.
(2) How to apply access control to this static NAT? For example, I would like to deny specific IPs from accessing it from public.
====================================================
interface ethernet 0
ip address 192.168.1.1 255.255.255.0
ip nat inside
[code]....
Aug 26, 2011
I'm a bit confused about new NAT functionality in Ver 8.4(2). I've gone through all the documentation as well as different blogs but am still not clear about various things. One of these is NAT-CONTROL. I understand that this has now been removed. Does this mean that traffic traversing the ASA doesn't need any NAT'ing commands unless specifically required by the administrator? In other words, by default traffic is allowed through the firewall without any NAT'ing.
My Second Query
I have an ASA5520 running ver 8.4(2). For the inside interface, I've created 13 x sub-interfaces under Gi0/1. All have the same security level i.e. 100. What I want to achieve is that:
- Traffic from these sub-interfaces should be NATted to the outside interface when going to the internet
- But, intra sub-interface traffic should be allowed without NAT'ing. I'm using RFC1918 on both sides i.e. source / destination
The first point is not a problem, it's working. However, I'm struggling with the second point. On ver 8.2, it wasn't a problem, I used NAT 0 with an access-list permitting RFC1918 addresses as source and destination.
Apr 25, 2011
I enabled SBL on ASA 8.4, AnyConnect client is Win-XP, everything worked as expected, but some users do not want to see the SBL logon screen before Windows logon because often times they will need to log in before they can get a network connection. So I modified the following line in profile.xml from
<UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
to
<UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
The new profile is downloaded to the client machine's AnyConnect VPN profile fine, yet users still see the VPN logon screen before Windows logon. "Connect on startup" is unchecked on the AnyConnect VPN client, client machines were rebooted multiple times, the AnyConnect VPN client was removed and re-downloaded from scratch, no change ... What else do I have to do? I certainly can create a new group-policy/tunnel-group for those users without SBL, but that is far from an elegant solution.
Feb 21, 2013
I am in the process of replacing the Cisco ASA 5510 with 7.3 OS with a new Cisco ASA 5515X with 8.6 OS. In the existing Cisco ASA 5510, we have configured 'no nat-control', so that the traffic from all sub-interfaces was flowing to the lower security interfaces without any NAT command. Just access-lists were configured. Now how do I achieve the same in the Cisco ASA 5515X with 8.6? I do not find any 'no nat-control' command available for it.
Nov 29, 2012
We are forced to rush an installation of a WLC 5508 for various reasons in a testing lab. I eventually want to configure RADIUS and such but cannot do it at this immediate time. What I would like to do is implement straightforward MAC filtering. The problem I am having is the controller allows either any WLAN or only one WLAN, and an interface setting. I need to have each MAC be able to access several WLANs but not all of them. Can anyone point me to an article or give me a quick idea of what I can do? I have basic WLANs configured and have MAC filtering generally working. I cannot just use user authentication because each user may have 20-30 devices, but not all of these devices should be allowed on all WLANs and I do not want to rely on the user.
Nov 19, 2011
ASA5540# sh run nat-control
no nat-control
this means higher security can talk to lower security without NAT rules
Question 1) - if I want the higher security zone to talk to lower security with NAT rules, I would use statements like below. Am I correct?
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
global (inside) 1 interface
Is this correct? So in this case I am kind of like overriding the no nat-control statement ... right?
Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
And do I have to have a global statement for NAT 0 ...like below?
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-
May 21, 2012
We have a stack of switches that is at the max number of members allowed in the stack. Problem is we are running out of port density and need to add more ports. So instead of adding a whole new stack I would rather replace 2 of the 24-port switches with 48-port switches.
If the two 24-port switches we are removing are stack members and neither of them is the stack master, I should be able to replace the 24-port switches with the 48-port switches without bringing the master offline? If the new 48-port switches are running the same IOS version as the current 24-port switches, they should add themselves to the stack? Would I have to tell the new 48-port switches what switch numbers they are replacing in order for them to be added to the stack since we are at the max number of members? Also, since the 48-port switches are replacing 24-port switches, will the master give the 48-port switches the configuration for only the 24 ports?
Jan 8, 2011
How can I get the mouse to control the arrow when I connect my TV to my laptop computer? I can control the arrow with the control on the laptop but not with the mouse.
May 5, 2011
I am currently at a standstill when it comes to our desired setup for the following: Originally we purchased an iPad app called Luminair, which works as a DMX board. The idea was to be able to control a set of light fixtures hard lined into a Linksys WRT54G router, which would then allow us to control the lights with the iPad and the Luminair app. After quite a long time and a lot of different settings, I've found myself at this point: We recently were able to connect and control our lights from DMX Workshop, an application running on a Windows 7 64-bit machine connected directly to the fixture through a standard Ethernet cord. Both the computer and fixture are set at a 2.x.x.x IP address and a 255.0.0.0 subnet. To allow the two systems to connect and work with each other, the speed had to be throttled from 100Mb to 10Mb.
I've now tried to introduce the Linksys WRT54G router in between the computer and the fixture, hard lined with Ethernet cables. My hope is to establish a connection with this setup, and then swap the computer for the iPad. Is it possible to set up the Linksys to a 255.0.0.0 subnet? And do you think it needs to be at this subnet and a 2.x.x.x IP to allow it to work? Also, is it possible to throttle the speed in the router to 10Mb as well, because if it is trying to connect at 100Mbps, I am confident it will not work.
Feb 9, 2012
Is there a program I can use to see who is doing what, then disable their monitor, keyboard and mouse? I work for my college as a student and I am the assistant admin; my teacher gave me full admin privileges. I would like to have this as an untended program where they can't change anything and it stays hidden in the background. I used TeamViewer but I have to have them log each one.
Jun 30, 2010
I have several computers connected to the network, can I restrict the download bandwidth on specific computer?
Apr 6, 2013
Creating an Access Control List
Feb 6, 2012
I am trying to bring up the mobility group between the 5508 WLC (DMZ) and the internal 5508 WLC but it says control and data path down. (I have allowed port 97 and ports 16666-16667 both ways.) Should the NTP be synced in line with the other controllers? Should the mobility group need to match (already discussed this in another forum but experts suggested they never had to match the mobility group)? Should I first create the SSID and anchor - at the moment I haven't created the SSID to anchor.
Jun 28, 2012
ASA 5520
version 8.2
My client has the inside network on interface gig0/1.100 and the guest network on gig0/2.200. The whole 10.77.1.0/24 network needs to be able to reach the server with IP 10.47.47.80 using HTTP. The access list is in place on the guest interface to allow traffic to the server. The problem is that when I do a packet trace to see the traffic flow, it is dropped on a NAT rpf-check. NAT control is disabled. [code]