Cisco WAN :: Switch L3 3750 - Bypassing Firewall With Network Management VLAN 20
Aug 22, 2011
I would like to push route for admin services (Vlan20) to bypass the firewall via an other connection (CSI to CSE). So my first choice was to create a route-map in (CSI) but I don't know how to do it. On my Firewall ASA, I don't have any Context License, that is why I would like to do it like this.
I have included some part of my initial configuration CSI and CSE and diagram.
CSI configuration (Switch L3 3750) {
interface GigabitEthernet1/0/1
description To ASA
no switchport
[Code]....
I have two networks at two sites with a dot1q trunk between the two L3 switches at both sites (no routers involved)
SITE A - Cisco 3750 L3 - VLAN ID 50 10.10.50.0/24
SITE B - Cisco 3750 L3 - VLAN ID 50 10.20.50.0/24
I would like to extend the SITE A VLAN to SITE B so that I can move hosts from SITE A to SITE B without needing to change their IP address but the vlan ID is already in use. Obviously the easy solution is to change the VLAN ID for one or other of the sites but both sites contain hosts that run 24/7. Is there a way to join two VLANs with different IDs together.So for example I create a new VLAN 60 at SITE B and associate it with VLAN 50 at SITE A.
I'm having some problems with a D-Link switch. I believe it's filtering the management VLAN frames, which is really strange. If you look at the graph, you can see that the D-Link is connected to three switches by trunk links. I'll just use the numbers set in red on the graph to explain what's going on, it's simpler to see.So when I'm connected either to switch 4 or switch 5 (or the others on 5's level) I can use the management VLAN (ID = 1) to connect to all switches above number 3 (including number 3) but I can't get to switches numbers 1 and 2.The only way to connect to those switches is to either connect directly to one of their ports attributed to VLAN 1 or by connecting directly to switch 3. So that's why I concluded that switch 3 filters VLAN 1 frames. It's not switch 4 cause I can get from 5 to 3. But at 3, the frames stop.Also, this only happens for VLAN 1. We have some VoIP phones connected to switches 1 and 2 and their frames can communicate anywhere in the network.
We have a small cisco 1800 series workgroup router that seperates our network from the outside world. The data coming into our network goes into the router on interface fa0/1 and comes out on interface fa0/0. fa0/0 is split into 2 sub-interfaces (fa0/0.2 and 0/0.3). These sub-interfaces correspond to a desktop and server vlan on our network. The workgroup router is connected to a 3560G trunk port (we'll call it switch 1) and switch 1 connects to another 3560G (we'll call it switch 2). Recently I was asked to add another layer of security to our network by installing an ASA 5510 firewall and forcing certain types of traffic to authenticate using their domain credentials for our network. The firewall was set up between the router and switch 1 in transparent, multi-context mode. There are 2 security contexts, 1 for the desktop vlan and 1 for the server. Both have the same security settings applied to them since we want the same behavior regardless of whether they are trying to access the servers or the workstations.
I've got an ASA 5505 running 6.3 I've connected the management interface to our management vlan (which contains switch IPs, ilo's etc)Is there a way to allow access to this vlan from another?
I have set up an ACL on my 3750 switch to deny icmp from PC A on our inside network to PC B on a different VLAN on our inside network using the following ACLs:
These ACLs belong to an access-list that also limits ip traffic to a few specific machines.When I try pinging from PC A I receive a reply message back from PC B. Shouldn't this configuration block any ICMP from PC A to PC B and from PC B to PC A? I would have expected the first ACL statement to block any packets associated with ICMP and when that didn't work I tried the second configuration.
I'm having some trouble getting my head round the following but I think it's routing related?
I have a Cisco 3750 switch with the following configured:
interface Vlan1 ip address 192.168.0.223 255.255.254.0 no ip route-cache
[Code].....
The 3750 is connected to a firewall which handles the routing. From the 3750 I can only ping remote networks from the vlan1 interface not from vlan6,8 or 10 i.e ping 10.34.37.101 (remote network) source 192.168.0.223 (vlan1) works but ping 10.34.37.101 source 10.74.10.1 (vlan10) does not? I can ping 10.34.37.101 from computers on the various vlans but not from the 3750 it self.
I looked at setting a default gateway for the various vlan interfaces
My core switch is a 6509-e and my IDF closets have 3750's.I have a couple of vlans currently setup, that can communicate with each other.VTP is setup Client/Server where as my core is Server, all IDF's are Client.
What i'm trying to do is create an isolated VLAN. I want to setup a DHCP scope and use helper address. When i plug in a client to that VLAN, i want it to get an IP, but not have any other network access.
Is this possible to do without switching to Transparent mode? If not - what reprocussions will i see by switching to transparent mode?
I have a 2911 router connected to a 3750 switch. I have configured vlan interfaces on the 2911 router:I am using the vlan 89 (89.2) as the management ip address for me to remotely get to the switch. Is this a proper configuration or could this cause issues in the future.
This is regarding VLAN creation on C3750E switch.I want to create new Vlan 94 on this switch and also I want to allowed same interfaces like Vlan 95 & Vlan 96. [code]
we are using 3750 and 2950 switches both of them do not support vlan up to 4000 .we need vlan about 3000 .Whic cisco series switch do support vlan up to 4000.
2950 S-SW1.3(config-vlan)#exi
Proposed configuration has too many VLANs for this platform. Reduce the number of VLANs proposed.
S-SW1.3(config)#end 3750 SW1(config-vlan)#exi
proposed configuration exceeds the limit of 1005 VLANs that can be supported on this platform. Reduce the number of VLANs proposed to be within this limit.
I have a rather large network with multiple VLANs and routing. Here's the layout:
5540 subinterface = gi0/2.18 = 10.16.18.1/24 TRUNKED to a 2960 2960 has an interface set to VLAN 18 (no IP) goes to a Cisco 4507 with an int. set to VLAN 18 (no IP) 4507 then has a trunk to a Cisco 7206 7206 then trunks to a Cisco 3845 3845 trunks to a 3750 (single) 3750 (single) trunks to a 3750 Stack 3750 Stack has int. set to VLAN 18 that goes to a 3750(lab) w/ int set to VLAN 18 w/ IP 10.16.18.251/24, VLAN502 = 10.202.255.1/30, VLAN510 = 10.203.255.1/30 3750(lab) then has a trunk that connects to ASA 5510 w/ subinterfaces: e0/1.18 = 10.16.18.253/24, e0/1.510 = 10.203.255.2/30, e0/1.502 = 10.202.255.2/30 ASA5510 then goes to Internet
Any trunks are set to allow all VLANs. From the 2960 to the 3750 stack it's obviously all Layer 2 with trunking.
Issue:If I sit at the 5540, I can ping 10.16.18.251 and .253 with no problems. I can also ping 10.203.255.1 with no problems. Problem is that I cannot get to the other subinterfaces on the 5510 for VLANs 502 and 510. How do I ensure that my trunk is set up right? I have a route in the 5540 pointing to the 10.203 and 10.202 using the 10.16.18.251 address. It seems like a traceroute gets to the 10.16.18.251 address but then it stops. What route should be on the 5510 to make sure it gets back? The default route on the 5510 points to the Outside. I think it's something to do with the trunk that's just something I don't understand yet.
5510: show int ip bri: Ethernet0/1.18 10.16.18.253 YES manual up up Ethernet0/1.502 10.202.255.2 YES manual up up Ethernet0/1.510 10.203.255.2 YES manual up up
I have a Netgear GSM7248R switch with 5 different Vlans including th management Vlan. Each of the vlans are connected to my layer 3 switch for routing. I want to access the management vlan form any of my Vlans so my layer two switch can be detected by my snmp manager.
I have been trying to play WoW but it seems it is blocked by my netgear firewall. Thus, I tried using a proxy server [URL] but it seems that only allows me to surf the web but not open up the actual game client. So, now im not sure what i need to do to bypass the block.
I am working on the exact same configuration as noted here [URL] that uses subinterfaces on the asa. I have two interfaces on my stacked 3750's configured as trunk ports (primary ASA on primary 3750 stack member, secondary ASA on secondary 3750 stack member).
My questions is what should the DG be configured on the 3750. Can I keep the 3750 in L2 or will I have to enable L3 routing? Should the VLAN interfaces be configured.
The port that the ASA is configured with has 3 subinterfaces on VLAN 100, 200, and 300.
The subinterfaces are G0/2.100, G0/2.200, and G0/2.300.I am in the middle of converting from 3 separate DMZ switches, each attached to their own port on the asa which is their default gateway to one physical port on the ASA broken into 3 subinterfaces which then connect to stacked 3750's. The stack will then have the 3 separate DMZs in actual separate VLANs.
My goal is to leave the default gateway for each dmz on the ASA so I don't have to modify other areas of the ASA config.
There arer 3 stacks of 3750 at each building. The core switch/router in our network is at location B. The way it was originally setupis every L3 device has an ip address for each lan. So let's say we have VLAN 200 withnetwork 192.168.200.0/24. The DataCenter would be assigned (192.168.200.3), Building B would be assigned (192.168.200.1), and Building A would be assigned (192.168.200.2). I'm configuring the DC and BA to be L2 only and Building B to be the only real router in the network besides a few ASAs. When I ran a 'no ip address' on the vlan interface on Building A, the internet connectivity for 192.168.200.0 dies, but local connectivity is fine. After doing some research and troubleshooting, I found out that if I set the next hop on the ASA for the local networks for an IP address on building B everything works perfectly.
The way the routes on the ASA are setup for local networks are as follows.
All local networks have ip route localnetwork mask x.110.215.17. This address is the IP address of the inside interface on the ASA. Now, when I kill the IP address on the vlan interface on Building A internet connectivity goes down, while the next hop is still pointed to this address, BUT if I give it a next hop of the vlan interface ip address on B everything works fine. Now, I can easily fix this, I was just wondering why this is happening?
I have been looking into this for a while and I can't seem to figure out why my 2nd vlan is not able to connect properly to the net.
My switch has 12 ports where my devices connects directly, they are all on Vlan 1 and they all work perfectly. on Port 12 I have a dlink router that is connected to a cable modem. the dlink router has an Ip address of 192.168.0.20
I created a second vlan (vlan2) and enabled dhcp relay on it. then I assigned port 9 on the switch to (vlan2)my laptop which is connected to port 9 seems to get an ip address fine and able to ping only some devices on my network (vlan1) and is not able to go out to the internet. I think it has to do with the routes. [code]
We have a 3750 as core switch with critical oracle servers ( production & development ) connected to this. The goal is to have these servers behind a firewall, which is to be done by logically routing the traffic towards the device.Now, we need to connect the 3750 with two juniper srx firewall physically. The oracle server VLAN will be removed from 3750 and same layer 3 vlan will be created in the juniper firewall. How do i connect the 3750 to the two junipers. what configurations will be involved, on a logical basis.
A CISCO 3750-X stack with several VLANs and many ACLs applied to the virtual interfaces. Intervlan routing is on. Connected to this stack are VMware hosts and with about 500 VMs.We started using the ACLs to allow connectivity between VLANs to specific hosts and it has grown to thousands of lines. I personally do not think this is good for the switch and believe the switch was not intended to be used for that security feature.
- Does it make it sense to add an "internal firewall" between the CORE ROUTER AND THE 3750-X SWITCH STACK ?
- Do you recommend any other way?
- Any recommended CISCO resource/white paper to read about best practice
I am trying to configure a trunk between the above two devices. I like to have vlan11 on ASA. Then I like to connect a host to my switch, and have it communicate with other devices in VLAN 11 or other vlans that reside on the ASA. Below is the config that I currently have.
ASA: ciscoasa# show run interface Ethernet0/1 ! interface Ethernet0/1
We have a low bandwith (15-20 Mbit/s) to the ASA from our Client vlan. If i connect the Client to the same vlan as the ASA is, the bandwith (90 Mbit/s) is good.
And we have following error message in the log from the switch:
%PLATFORM_UCAST-4-PREFIX:
One or more specific prefixes could not be programmed into TCAM and are being covered by a less specific prefix, and the packets may be software forwarded I first get the idea that the switch is overloaded with router traffic. Thats why i assuming i have to check the sdm templates, but i'm not sure if this resolves the issue.
I've been trying to resolve this problem for a while now, but finally decided to post the question on the forums.live in a collage dorm. internet connection is behind a router that does NOT support port forwarding (no uPnP either). However it'd be great if I could access my computer from the "outside".I figured if I could connect to the computer in the dorm by using some 3rd party server (having dorm comp connected to the 3rd party, and me connecting to the 3rd party). However idk if anyone provides such services (preferably free ) also I don't know how such a service is named, so I can't really do any searching.
I need to create a DMZ Vlan. Core switch is a 6509. FW is an ASA5520. Need to create a VLAN for DMZ purposes for outside facing servers. NAT is used on ASA.
new to networking, I can not fully understand concepts like VLAN, so I would like to know whether it is possible to have a a few VLANs without a switch but over a bridge (created under linux - connecting a few virtual machines).
I am trying to make the multicast working between few hosts inside a single vlan. Host are running mysql cluster and Multicast is used to send master/slave status information to the IP 228.10.10.10 on port 45566.The vlan is defined in FWSM and the host are connected via the core-switch(6513). (hosts-->core-sws--->fwsm)I have tried searching the documentation, but couldn't find specific info to enable multicast between hosts residing in same vlan. FWSM is running code 3.1(4). since the hosts are residing in the same vlan, I am thinking of applying the <multicast-routing> just for that SVI in FWSM.
I have made a seperate VRF for management.But have a strange problem with a Cisco 3750 and a Cisco 3550.When I added these to the VRF, I can not reach them on tools like Network Assistant and web interface.Telnet works, no problems there.And there is no ACLs on the device restricting this.
Can I change the untagged vlan on a 1131 to a new vlan. I need to move my management vlan from 10.1.1.1 on vlan 1 , to 172.16.0.1 on vlan 200. I attempted several configuration options including removing the vlan1 ip, changing my new vlan200 to untagged and mirroring it on the switch, and adding my new ip to vlan 1 untagged and then untagging the switch with access vlan 200 on the connected port. Nothing worked.
Below is a sample of what I changed:
interface Dot11Radio1 no ip address no ip route-cache
We are installing a 2504 with management on VLAN2. The management port is on interface 1 which is attached to a layer 3 3750. From other VLANs in the network we cannot manage the 2504 controller with the web manager. We are running the latest code, 7.2.103.0, since we are using 3600 APs. We have a TAC case open, but spent 3 hrs with them and they can't figure out the problem. TAC did some debugging and saw that the 2504 is ARPing for the address of the PC on the other VLAN instead of sending the packet to its default gateway. How to get success with the management interface on a VLAN and managing the controller from another VLAN?
Apparently on older switches you could just enter the "management" command under the new VLAN interface and it would pull the config from the old one, apparently that feature isn't around anymore. I've tried establishing a trunk to the damned thing and trying to switch over that way, but it doesn't seem to work.
