Cisco WAN :: ME-3X00 Storm-control Configuration?
Apr 30, 2012
We're using ME-3600 and ME-3800 switches to create VPLS domains. Now to avoid L2 loop issues with 3rd parties connected to the multiple ME-3X00 switches and configured in the same VPLS domain, we would like to configure storm-control.
When checking the configuration manual about storm-control on ME-3X00 switches, it mentions: storm-control is configured on the physical interfaces and when it's triggered it will not only impact the physical interface but also the EFP configured on it.
According to me this could mean two things:
- When there's a storm on the physical port, the port will be shut down (if this is the action configured) and of course the EFP on that physical interface will be impacted too (logical consequence).
- When there's a storm on an EVC (EFP) configured on a physical interface, it will shut down the entire physical port (if this is the action configured) and as a consequence all other EFPs will be impacted too.
Briefly: is the configured storm-control on an interface also triggered by storm-controls on an EFP? I suppose it would, but I would like to have some confirmation.
configuration example
interface GigabitEthernet0/2
description TEST storm-control
switchport trunk allowed vlan none
[Code].....
Dec 22, 2011
I'm connecting a client directly to a 3750, and giving them a public IP.
On the port I have set spanning-tree bodyguard enable
But I guess I should also set some storm control etc. What settings should I use for storm control?
The client has a 100Mbps internet connection running through this port....
Oct 30, 2012
I have 2 ME3600Xs and utilize Broadcast and Multicast storm control on client facing interfaces. One of my ME3600s is reporting a Multicast storm and that a packet filter action has been applied. The strange thing is that it is showing up on an Admin Down interface that has nothing connected to it. [code]
Feb 9, 2012
We have around a dozen Catalyst 3560 and 2960 switches in a ring topology. We are considering adding storm control to our trunk ports. Up until now we have only used it on edge ports with default values and without error-disable. I am proposing that we also add storm control to trunk ports at a lower level and that we error-disable only the redundant links that make up our loops.
-storm-control broadcast level 25.00 20.00
-storm-control multicast level 2.00 1.00
-storm-control action shutdown [only on redundant links]
In a storm all links will restrict broadcast which should work accessing remote switches, but the redundant links should errdisable and block the redundant path. It is important that the action line is not applied to links that are not redundant as we could isolate parts of the network. Any reason not to use storm control on trunks?
Oct 27, 2011
To prevent a virus from spreading throughout the network ports or switches, can I use broadcast storm control? Sometimes the network may encounter a loop, or some virus may spread.
interface gi0/1-24
storm-control broadcast level ?
storm-control multicast level ?
storm-control unicast level ?
storm-control action shutdown
What will be the recommended level, or the threshold / pps? I read through the Cisco website and understand it; however, I have just never applied it before. What is the recommended level for ? In my network, we do have network ports connected to a media server, just sharing video, songs, etc. for testing purposes; however, it is not using PIM, but it works.
May 29, 2012
Yesterday there was a huge storm, and lightning smashed into a nearby house. My computer was running and I turned it off just after that. The result of the nearby lightning was that the internet no longer worked afterwards.
Soon after, I was able to connect on my laptop (the laptop was connected and turned on during the storm too), but the desktop was still unable to do so.
I noticed that in Device Manager the network adapter is missing from the list. Everything is connected as it should be, but the Ethernet port doesn't have any lights on. I believe there should be some small light on the port, as there is on my laptop, but I'm unsure.
How could I check whether my network card is OK? Or what could the problem be? I really hope it's just a software issue.
Dec 8, 2010
There is a port on 3560E, facing POP, this port is in the dedicated vlan, that is terminated on 7606 on SVI (peering point). There is configuration made on the 3560E port, that prevents storm of ucast or bcast kind. This is:
switchport block multicast
switchport port-security maximum 1000
switchport port-security
switchport port-security violation restrict
storm-control broadcast level bps 1m
storm-control multicast level bps 1m
storm-control action shutdown
storm-control action trap
no cdp enable
no lldp transmit
no lldp receive
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
[code]
I want to get info not only about the fact of storm attack but also about at least source and destination of it (i.e. source and/or destination MAC). Perhaps this could be some logging messages. Are there any means for this on C3560E-UNIVERSAL-M (IOS ver 12.2(53)SE2) and 7606-S?
Jul 17, 2011
We have 3750 and 4510 switches, and on both we run Q-n-Q, but we observed looping / a broadcast storm. We already run TSP on the 3750 end, and this is the corporate branch, but the 4510 is a different branch where we run Q-n-Q technology.
Sep 12, 2012
So the SG300's have STP on them and prevent network loops when other switches on the network also support STP too. However, if someone plugs in a non-managed switch that doesn't support STP with a network loop, is there anything within the SG300 switches to isolate and/or prevent that from happening?
(I currently have port mirroring turned on for one port and a network sniffer attached awaiting the incident to happen again).
Aug 12, 2012
I cannot get to my control panel. I have tried 192.168.1.1 and 192.168.0.1. I do have it flashed with DD-WRT. I can access the internet with it, the lights look correct, and I don't believe it is bricked. I have tried a hard reset and a soft reset.
Jun 15, 2012
(1) How do I forward a range of ports to a specific IP using static NAT? For example, I would like to forward port 5060 and 10000-20000 to a server 192.168.1.22.
(2) How do I apply access control to this static NAT? For example, I would like to deny specific IPs from accessing it from public.
====================================================
interface ethernet 0
ip address 192.168.1.1 255.255.255.0
ip nat inside
[code]....
Aug 26, 2011
I'm a bit confused about the new NAT functionality in Ver 8.4(2). I've gone through all the documentation as well as different blogs but am still not clear about the various things. One of these is NAT-CONTROL. I understand that this has now been removed. Does this mean that traffic traversing the ASA doesn't need any NAT'ing commands unless specifically required by the administrator? In other words, by default traffic is allowed through the firewall without any NAT'ing.
My Second Query
I have an ASA5520 running ver 8.4(2). For the inside interface, I've created 13 x sub-interfaces under Gi0/1. All have the same security level, i.e. 100. What I want to achieve is that:
- Traffic from these sub-interfaces should be NATted to the outside interface when going to the internet
- But intra sub-interface traffic should be allowed without NAT'ing. I'm using RFC1918 on both sides, i.e. source / destination
The first point is not a problem, it's working; however, I'm struggling with the second point. On ver 8.2, it wasn't a problem: I used NAT 0 with an access-list permitting RFC1918 addresses as source and destination.
Apr 25, 2011
I enabled SBL on ASA 8.4, anyconnect client is Win-XP, everything worked as expected, but some users do not want to see SBL logon screen before windows logon because often times they will need to login before they can get network connection. So I modified profile.xml's following line from
<UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
to
<UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
the new profile is downloaded to client machine's anyconnect vpn profile fine, yet still users see VPN logon screen before Windows log on, "Connect on startup" is un-checked on Anyconnect VPN client, client machines rebooted multiple times, Anyconnect VPN client was removed and re-downloaded from scratch, no change ... What else do I have to do? I certainly can create a new group-policy/tunnel-group for those users without SBL, but that is far from an elegant solution.
Feb 21, 2013
I am in the process of replacing the Cisco ASA 5510 with 7.3 OS with a new Cisco ASA 5515X with 8.6 OS. In the existing Cisco ASA 5510, we have configured 'no nat-control', for which the traffic from all sub-interfaces was flowing to the lower security interfaces without any NAT command. Just access-lists were configured. Now how do I achieve the same in the Cisco ASA 5515X with 8.6? I do not find any 'no nat-control' command available for it.
Nov 29, 2012
We are forced to rush an installation of a WLC 5508 for various reasons in a testing lab. I eventually want to configure RADIUS and such but cannot do it at this immediate time. What I would like to do is implement straightforward MAC filtering. The problem I am having is the controller allows either any WLAN or only one WLAN, and an interface setting. I need to have each MAC be able to access several WLANs but not all of them. Can anyone point me to an article or give me a quick idea of what I can do? I have basic WLANs configured and have MAC filtering generally working. I cannot just use user authentication because each user may have 20-30 devices, but not all of these devices should be allowed on all WLANs and I do not want to rely on the user.
Nov 19, 2011
ASA5540# sh run nat-control
no nat-control
this means higher security can talk to lower security without NAT rules
Question 1) - if I want the higher security zone to talk to lower security with NAT rules, I would use statements like below. Am I correct?
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
global (inside) 1 interface
Is this correct? So in this case I am kind of like overriding the no nat-control statement ...right?
Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
And do I have to have a global statement for NAT 0 ...like below?
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-
Jul 17, 2012
I am in a position to migrate from a CatOS 6509 switch to a native IOS 6509 switch. A long time ago, there was some site that converted automatically based on copy and paste into the tool, but I cannot find it.
Does anybody know how to convert a CatOS configuration to a Native IOS configuration? It is not an IOS change, but a configuration conversion.
Jan 8, 2011
How can I get the mouse to control the arrow when I connect my TV to my laptop computer? I can control the arrow with the control on the laptop but not with the mouse.
May 5, 2011
I am currently at a standstill when it comes to our desired setup for the following: Originally we purchased an iPad app called Luminair, which works as a DMX board. The idea was to be able to control a set of light fixtures hard-lined into a Linksys WRT54G router, which would then allow us to control the lights with the iPad and the Luminair App. After quite a long time and a lot of different settings, I've found myself at this point: We recently were able to connect and control our lights from DMX Workshop, an application running on a Windows 7 64-bit machine connected directly to the fixture through a standard Ethernet cord. Both the computer and fixture are set at a 2.x.x.x IP address and a 255.0.0.0 subnet. To allow the two systems to connect and work with each other, the speed had to be throttled from 100Mb to 10Mb.
I've now tried to introduce the Linksys WRT54G router in between the computer and the fixture, hard-lined with Ethernet cables. My hope is to establish a connection with this setup, and then swap the computer for the iPad. Is it possible to set up the Linksys to a 255.0.0.0 subnet? And do you think it needs to be at this subnet and a 2.x.x.x IP to allow it to work? Also, is it possible to throttle the speed in the router to 10Mb as well, because if it is trying to connect at 100Mbps, I am confident it will not work.
Feb 9, 2012
Is there a program I can use to see who is doing what and then disable their monitor, keyboard and mouse? I work for my college as a student and I am the assistant admin; my teacher gave me full admin privileges. I would like to have this as an untended program where they can't change anything and it stays hidden in the background. I used TeamViewer but I have to have them log in to each one.
Jun 30, 2010
I have several computers connected to the network, can I restrict the download bandwidth on specific computer?
Apr 6, 2013
Creating an Access Control List
Feb 6, 2012
I am trying to bring up the mobility group between a 5508 WLC (DMZ) and an internal 5508 WLC, but it says control and data path down. (I have allowed port 97 and ports 16666-16667 both ways.) Should the NTP be synced in line with the other controllers? Should the mobility group need to match (I already discussed this in another forum but experts suggested they never had to match the mobility group)? Should I first create the SSID and anchor? At the moment I haven't created the SSID to anchor.
Jun 28, 2012
ASA 5520
version 8.2
My client has the inside network on interface gig0/1.100 and the guest network on gig0/2.200. The whole 10.77.1.0/24 network needs to be able to reach the server with IP 10.47.47.80 using HTTP. The access list is in place on the guest interface to allow traffic to the server. The problem is that when I do a packet trace to see the traffic flow, it is dropped on a NAT rpf-check. NAT control is disabled. [code]
Apr 3, 2012
We are an A/V integrator and AMX shop and provide our clients with support through the use of VPN tunnels from our RV042 router to their mostly RVS4000 routers. Support is provided through access of remote site equipment using VNC, Telnet, FTP, etc. from multiple PCs at our main office. NetBIOS is not turned on, but the remote sites have the ability to access equipment on our local LAN should they know our private IP address range. Is there any way to limit the access from the remote sites back to our LAN while maintaining our access to the equipment on their LAN? I know that one can limit the IP address range on one end of the VPN, but I would like to limit the ability of remote sites to gain "any" access to our LAN. If there's any way to just prevent all traffic from an IP address range on the remote site, that would also do.
May 17, 2012
I have a fairly simple WLC 2100 configured to control two APs. We had a power outage a few days ago, and though the WLC was on a surge protector, it did not come back up properly after the outage. The STATUS light sticks at amber and I can't get any console response. At this point I'm not sure what to do except replace the WLC, though I'm loath to do that as our budget was just cut substantially for next year and we're trying to turn nickels into pennies.
Oct 14, 2008
I recently had an issue with connecting Cat4500-E switches with SupIV to CAM. I received the error message "unable to control x.x.x.x". The whole problem was the switch OID not being in the database of CAM. For those experiencing the same problem, go to the following on the CAM:
Device Management > Clean Access > Updates > Update CHECK "all" options and RUN UPDATE!
Feb 16, 2013
We recently deployed ACS 5.3 on a VM. While the main purpose of the implementation was to control access (authentication/authorization) on network devices, can we use the same to authenticate users' access to our wired network, so that only users with valid credentials on our Windows AD can have access to the network?
Mar 24, 2005
I have a Catalyst 3550 and I configured it for bandwidth control. I used the POLICE command; it works fine and I saw it limit the bandwidth, but there is a little problem: when I limit the bandwidth to 1024000 and use all the bandwidth and monitor it, I see it shows the network uses half the bandwidth.
Mar 22, 2010
Using Microsoft IAS as the auth server, how do I get the ASA (v.8.2.1) to take different user groups defined in AD, and control access to different group policies on the VPN? We're setting up the ASA for many different vendors, and need to control access for each vendor with different policy.
For example, Vendor one is in AD group Vendor1 and will only be permitted access to a specific group of defined IPs in our network. Vendor two is in AD group Vendor2 and will only be permitted access to a different group of defined IPs in our network from Vendor1.
Dec 11, 2011
I have set up clientless SSL VPN on my ASA. User authentication is done by RADIUS using ACS 5.2. I have created two portals, one for the IT department and the other for the auditing department, but if users in auditing select the IT group from the drop-down list, they can log in to it. My question is: how can I make them log in to their group only and prevent them from accessing other groups?
Feb 5, 2012
We have a 4402 Wireless Controller. However, our AP's are from another manufacturer (Meraki MP12). Is it possible that the 4402 can "control" the Meraki MP12?
May 13, 2012
I've got a Cisco 1841 with 2 FastEthernet ports here. My Cisco isn't great, and I've been given a problem I don't seem to be able to crack. Essentially, I have one network with two sides. I've connected these to fe0/0 and fe0/1 on the router, and put those interfaces into a bridge group which, as far as I can tell, essentially makes the router a 2 port switch... I know this won't make a lot of sense from a normal network point of view, but what we need to do is allow all traffic from fe0/0 to fe0/1, but not allow any traffic in the reverse direction. The traffic allowed to flow from fe0/0 to fe0/1 must include broadcast traffic (in fact that is the most important traffic, it's how the silly theatre application works). None of the traffic is IP addressed.... i.e., each of the devices on the network assigns itself an IP address, and then throws broadcast traffic out on to the "dedicated physical network" that exists between them for communication [CODE]