Cisco WAN :: 3750X Switch Security Best Practice On Public Networks
Feb 1, 2013
Any pointers on configuring security on a Cisco 3750X switch that sits on a public (WAN) network? It will distribute connectivity to individual ASA firewalls, as there are only two main links from upstream. Obviously I'll be disabling the http server, SSH (besides the management interface), etc. I know I can create ACLs, but I'm worried about performance. I'm looking at blocking NetBIOS and other protocols that are not necessary on our network. I've been told to disable the default VLAN... is that a good idea? And instead use the management port? I've looked around but there doesn't seem to be much information about what you should enable or disable on public switches.
View 9 Replies
Jul 18, 2011
We have a private network, multiple VLANs etc. for our domain users/employees across several amenities. We also have a public network that we have managed by a 3rd party for guests/conference rooms/attendees. The private network is all static IPs, MAC-restricted port security, as strict as possible from a security and PCI compliance standpoint. The public network is all DHCP with hundreds of users. Having them physically separate has always been the best option: separate switches, server, and I even have the uplinks separated on a 3825 router. However, unfortunately it seems as though that luxury is coming to an end. One of the meetings that is taking place is going to be at one of our outer amenities, so I've got to push that "public" network through my network, over my backhaul, to the other side.
My suggestion was to create a new VLAN on the switches with the shortest path possible to get where it needs to go. This way the traffic never goes through our ASA, and it has a small footprint on our network: it plugs into the switch access port with the dedicated VLAN at the entry point into our network, and leaves from an access port on the other end. To me that seems to be the best/most secure way to handle it. We're also in the process of rolling out public WiFi through the entire property, and since we'll want to push both public and private VLANs over it... merging the two networks to a point is inevitable. Especially since it will be going through a controller and the property covers a good 7000 acres.
A good IDS/IPS... other than already having port security on every port, I'd definitely like to know if somebody inadvertently cross-connects the two networks and it starts flooding whatever VLAN access port it's plugged into with DHCP, especially since a lot of the laptop users on the domain are set to DHCP first with a static in the alternate for working at the office and remote.
View 2 Replies
Oct 23, 2012
We have many remote offices where we want to add public WiFi and a couple of other services that would be completely outside of our internal network. Each office has a 3750 with plenty of open ports. How can I safely create a VLAN for public access on these switches, which currently carry our internal network? I have read that people are doing this to save on the cost of purchasing a dedicated switch. Some people are using access lists, and one person mentioned creating a private VLAN for the public network. I looked up private VLANs and it seemed a bit confusing.
View 3 Replies
Sep 21, 2012
I'm preparing myself for CCENT and I wonder what your thoughts are on what I could buy to create my own lab.
View 6 Replies
May 21, 2012
I'm building a new colo presence with a full class C of public IPs. The idea is to connect to our ISP with a 3750X switch stack; they will be providing two Ethernet drops that connect directly into two separate switches on their side with HSRP and BGP at the routing level, so we will just point to their virtual IP (gateway address). I'm not sure how to either segment the public IP block or statically route each IP address, and the interaction of VLANs/SVIs with HSRP groups. Just use the switch at layer 2, or handle the internal routing with EIGRP or OSPF at layer 3?
View 2 Replies
Sep 26, 2012
I have an Acer laptop running Windows 7 Ultimate. I am unable to connect to public WiFi hotspots, but I am able to connect to ad hoc networks and my mobile WiFi hotspot.
View 2 Replies
Jul 7, 2011
Different levels of security in networks.
View 2 Replies
Jun 8, 2013
I have a WS-C3750X-24T-S switch with a C3KX-NM-1G, and now I want to put a GLC-EX-SMD= transceiver in the switch SFP port. Is this GLC-EX-SMD= compatible with that switch? I thoroughly checked the product datasheet and compatibility chart, but I didn't see it there.
View 1 Replies
Jun 5, 2012
Do the network modules "C3KX-NM-1G" and "C3KX-NM-10G" for the Cisco Catalyst 3750X switch come with a transceiver like GLC-SX-MM or SFP-10G-SR, or do I need to order it separately?
View 1 Replies
Mar 5, 2011
I have a laptop but not the internet. But my neighbor has an internet router. I need to connect to that connection without the consent of him.
View 1 Replies
Feb 27, 2013
It seems I have seen this before (and even done it once a few years ago), but it has been a while. I have a Cisco 3750 stack in which I have to replace a member. The replacement switch is a 3750X.
I think I have to upgrade the IOS of the older switch to be the same as the 3750X.
Current switch: WS-C3750G-48TS 12.2(46)SE
To be added: WS-c3570X-48 15.0(1)SE2
It seems to me there was a way to upgrade the older switch IOS from the newer switch, or downgrade the newer switch with the older IOS. I don't have the Cisco account to download updated IOSs.
View 9 Replies
Jul 2, 2013
I have an RFID reader (10.10.63.2 - 255.255.255.240) connected over Cat-6 PoE to a ws-c3750x-24p-s; a standard TCP/IP web service app pulls data from the reader every 250 msec. My app server connects via VLAN through the ws-c3750x-24p-s IP address (128.1.70.1 - 255.255.0.0); as you can see, it's on a different subnet.
I can ping the device from the server, although I'm not getting any data coming through. My config is as follows:
switch 1 provision ws-c3750x-24p-s
system mtu routing 1500
ip routing
no ip domain-lookup
[code]...
View 19 Replies
Sep 17, 2012
Is it possible to assign a L3 switch port a public IP? If so, how do you allow data from the Internet to the above port?
View 5 Replies
Jun 6, 2011
I am planning on building the configuration on my ASA 5505, and then distributing that same configuration to ASA 5505s in several places.
What is the best way to do this? Screen dumps of the ASDM? Copying the running configuration from a text file into the ASA 5505? TFTP of the running-config?
View 2 Replies
Apr 8, 2013
A couple of hours ago I installed AVG free antivirus and PC cleanup, and decided to uninstall them after seeing poor results. When I rebooted my computer, I was unable, and still am, to find any wireless networks. I've tried disabling the Microsoft firewall and restoring, but everything has failed.
View 15 Replies
May 18, 2012
I'm doing something in class where I have to define an IP addressing scheme for multiple buildings in what I'm guessing is a campus LAN. I understand how to subnet, but was never taught how to put it into practice. I'm having trouble grasping the creation of a network for multiple buildings (4) with 3 levels/floors each, housing around 2000 students and 400 staff, all needing to access the network in each building. The main hall houses the data center on the first of 4 levels.
View 7 Replies
Dec 15, 2012
While I am configuring a port on the switch, the switch reloads. After the reload, show version says:
System returned to ROM by bus error at PC 0x458F6C, address 0x0
The show version output from the affected switch is:
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
[Code].....
View 2 Replies
Oct 3, 2012
Can I stack these two switches, WS-C3750E-48PD-SF and WS-C3750X-48PF-L? Both have universal IOS.
View 11 Replies
Apr 14, 2012
Can we stack a 3750G switch with a 3750X switch?
View 7 Replies
Jul 15, 2012
At our site we have a 4510 core switch and 3750X switches in our IDFs. The 3750 switches are connected to the core via 802.1Q trunks in a server/client setup. We are putting in an InformaCast/Berbee server which will send pages and text to the Cisco phones. We also have one 3750 switch connecting to the core via a layer 3 port channel. If we put the InformaCast server on the phones VLAN, would I just need to enable ip pim sparse-dense-mode on that VLAN only and enable multicast routing (ip multicast-routing)?
View 5 Replies
Jan 28, 2013
When enabling multicasting on layer 3 interfaces, the CPU becomes fully utilized. Is there any specific configuration that should be enabled to reduce this?
Config:
interface vlan 100
ip pim sparse-dense-mode
ip igmp version 3
[Code]......
View 1 Replies
Apr 9, 2013
The process "HL3U bkgrd proce" is causing high CPU usage issues in a 3750X-24T-L switch. The IOS is 15.0.2-SE2.
"show platform ip unicast failed route" and "adjacencies" display a lot of entries; I've seen up to 1200.
After a restart, HL3U bkgrd proce takes around 10 - 20% CPU; some hours later, 99%.
A couple of times we got logs like this:
%SYS-3-CPUHOG: Task is running for (2136)msecs, more than (2000)msecs (172/73),process = HL3U bkgrd process.
-Traceback= 0x1BE9C3Cz 0x27E103Cz 0x27E0F64z 0x50DCF8z 0x50DE98z 0x503BD0z 0x4F7718z 0x1FF0A18z 0x1F46DECz 0x1F4816Cz 0x1F48698z 0x1F499C8z 0x1FF15D0z 0x2000430z 0x1FF55B4z 0x1FF5FA4z
[Code].....
View 2 Replies
Mar 8, 2012
I have a 3750X 24-port switch (with NM-1G network module) running IOS 15.0(1). Is there any benefit or reason to plug in the included StackWise cable and loop it back to itself in a single-switch installation?
I don't see any recommendation in the documentation. The data sheet indicates a single switch is a non-blocking device, so I'd think there's no bandwidth advantage like there is when connecting an actual multi-switch stack and needing to close the loop for the full 32 Gbps stack bandwidth.
View 2 Replies
Jun 13, 2012
About an hour ago I had the master switch on one of my 3750X (WS-C3750X-48PF-S) stacks crash. The only two items we've found that could have caused this issue are the roughly 1.3 million big buffer misses and several of the following in the syslog:
SLT:WARN:No exporter configured for smartlog!
I do not have smartlogging turned on, nor is there a netflow exporter configured.
sh logging smartlog
smartlog is disabled
smartlog exporter:
smartlog pkt length: 64
Total pkts processed: 0
Total DHCP Snooping pkts processed: 0
Total DAI pkts processed: 0
Total IPSG pkts processed: 0
Total ACL pkts processed: 0
I did not see any traffic spikes prior to the crash.
This stack has been stable since its last IOS upgrade from 12.2(58)SE1 to 12.2(58)SE2 back in October 2011, so this has me a little worried.
View 3 Replies
Jun 28, 2012
I have a problem. I would like to do MACsec between two Cisco Catalyst 3560-X switches, but I know that for this operation I need ACS server 5.1. Is it possible to encrypt the data flow without an ACS server, and do you have the configuration?
View 7 Replies
Apr 25, 2013
I've been working on an application recently that practices ACL configuration, and since finishing I figured it should be put on the internet, as there wasn't much more work to do to make it suitable for a website. It allows you to practice both standard and extended ACL configuration by generating a random number of ACL actions for you to configure, and provides the correct config to compare yours against to see if you were correct. It also emulates a router at a very basic level to allow practice when there is no equipment available.
View 9 Replies
May 16, 2011
What's the best router / handset to get to practice for CCNA Voice?
View 2 Replies
Feb 20, 2011
I'd like to take log backups on the ASA, and I'd like to check whether any attack pattern is there. How could I do this? Also, what is the best practice for this?
View 12 Replies
Oct 31, 2011
I've a 3750X switch that isn't loading email. Then I went to rommon mode and accidentally did "format flash". After that I loaded the 15.0 SE2 s/w on it using a TFTP server, but it doesn't boot up with that image. Flash had only the .bin file after I loaded it from the TFTP server.
Since it wasn't booting up, I did format flash again and thought to load the image again from the TFTP server, but now it doesn't load the image from the TFTP server.
View 9 Replies
Apr 13, 2013
I have a 3750X four-switch stack acting as the core of a fairly simple LAN. All I need to achieve (and this seems inordinately hard, but it is entirely likely that I'm just being dense) is to get access to the internet through my core switch, through the firewall and out through my VSAT. I've spoken at some length with the firewall providers (Cyberoam) and they tell me all I need to do when I migrate onto my new system (Cyberoam is currently in place at the entrance to our existing LAN) is change the local IP address of the Firewall, plug in the new switch to the LAN port, and away I go. Tried that, didn't work, so obviously I'm missing something.
View 22 Replies
Nov 8, 2011
I am looking for a way to bind a switch interface (Cat 3750X) to a DHCP server reply. The switch can operate as the DHCP server. A PC connected to interface Gi 1/0/1 will always get IP address 10.0.0.1 because it is connected to interface Gi 1/0/1, a PC connected to interface Gi 1/0/5 will always get IP address 10.0.0.5 because it is connected to interface Gi 1/0/5, and so on... (no matter which source MAC address sends the DHCP request).
View 8 Replies
Feb 25, 2013
I am seeing very high utilization on a random basis on the stack, and the logs indicate to me that there is a pattern where a stack power cable shows as inserted (which was never unplugged), followed by a sudden spike in the utilization.
001018: *Mar 6 16:21:22.138: %PLATFORM_STACKPOWER-6-CABLE_EVENT: Switch 4 stack power cable 1 inserted
001019: *Mar 6 18:18:37.982: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU
[Code]......
View 16 Replies
Jan 31, 2012
I work at a hospital and we have 3750X-48P switches in stacks in various locations throughout the hospital. We have noticed that when an EKG machine is plugged into one of the ports on some of these switches and the EKG machines are set manually to 100/Full, the ports are no longer usable until the switch is restarted. The switch is configured for auto. If the EKG machine is set to auto, it will work and not cause problems. The link on the interface will show up/up and there will be output packets increasing. However, there will be no inputs on the link and the port is unusable. Unfortunately, even when the device is removed, the port becomes unusable for any device. Is there any way to fix this problem without rebooting the switch?
View 5 Replies