3560 switch and VRF

Hello world,
How do I configure a VRF on a 3560?
Seems like an easy question, doesn't it? ;)
I have enabled CEF (ip cef distributed).
I can't do "ip vrf blabla"; it's an unrecognized command.
However, everything is there, like "router ospf 10 vrf <name>".
Does anyone have an idea?
Oh, yes and my code is:
* 1 28 WS-C3560G-24TS 12.2(25)SEA C3560-ADVIPSERVICESK
- dan

If possible please try the same command in the router configuration mode and check the status.

Similar Messages

  • Stopping MAC addresses on 3560 switch interfaces

    Hi,
    I would like to stop certain MAC addresses connecting to the network via a 3560 switch and have configured the config below for VLAN 1. All interfaces belong to VLAN 1. Can anyone tell me if this is the correct config or have I missed something?
    mac access-list extended Bad_Hosts
    permit host 0011.434c.d9bf any 0x806 0x0
    permit host 0011.434a.8026 any 0x806 0x0
    permit host 000b.5d2a.23e3 any 0x806 0x0
    permit host 000b.5d0e.4019 any 0x806 0x0
    vlan access-map MAC 10
    action drop
    match mac address Bad_Hosts
    vlan access-map MAC 20
    action forward
    vlan filter MAC vlan-list 1
    Regards
    Mark
    Network Specialist

    It looks like all the hosts will be rejected.
    Try:
    mac access-list extended Bad_Hosts
    deny host 0011.434c.d9bf any 0x806 0x0
    deny host 0011.434a.8026 any 0x806 0x0
    deny host 000b.5d2a.23e3 any 0x806 0x0
    deny host 000b.5d0e.4019 any 0x806 0x0
    permit any any
    vlan access-map MAC 10
    match mac address Bad_Hosts
    action forward
    vlan access-map MAC 20
    action drop
    vlan filter MAC vlan-list 1
    Hope this helps; please rate this post.
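
How a VLAN map walks its entries for the two configurations in this thread, as an added Python model that is not part of either post and is not Cisco code. It covers non-IP frames only and assumes the simplified evaluation rules listed in its comments; the sample frames are constructed.

```python
# Added example: toy model of VLAN-map evaluation for non-IP frames only.
# Assumed semantics (simplified from Cisco's documented VLAN-map behaviour):
#  - a frame matches a map entry only when the referenced ACL *permits* it;
#    an ACL deny (explicit or implicit) means "test the next map entry"
#  - a map entry without a match clause matches every frame
#  - with a MAC match clause present and no entry matched, the frame is dropped
ARP = 0x0806
LISTED = ["0011.434c.d9bf", "0011.434a.8026", "000b.5d2a.23e3", "000b.5d0e.4019"]


def ace(action, src, ethertype=None):
    """One MAC ACL entry; ethertype=None stands for 'any EtherType'."""
    return (action, src, ethertype)


def acl_permits(acl, frame):
    """First matching ACE decides; no matching ACE is the implicit deny."""
    for action, src, ethertype in acl:
        src_ok = src == "any" or src == frame["src"]
        type_ok = ethertype is None or ethertype == frame["ethertype"]
        if src_ok and type_ok:
            return action == "permit"
    return False


def vlan_map_verdict(vlan_map, frame):
    """Walk map entries in sequence order and return 'forward' or 'drop'."""
    for _seq, acl, action in sorted(vlan_map, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, frame):
            return action
    return "drop"


# The question's map: ACL permits the listed hosts' ARP, entry 10 drops matches.
question_map = [
    (10, [ace("permit", mac, ARP) for mac in LISTED], "drop"),
    (20, None, "forward"),
]
# The reply's map: ACL denies the listed hosts' ARP, permits the rest.
reply_map = [
    (10, [ace("deny", mac, ARP) for mac in LISTED] + [ace("permit", "any")], "forward"),
    (20, None, "drop"),
]

# Constructed sample frames (the third MAC and the 0x88cc frame are illustrative).
FRAMES = [
    {"src": "0011.434c.d9bf", "ethertype": ARP},
    {"src": "0011.434c.d9bf", "ethertype": 0x88CC},
    {"src": "0000.5e00.5301", "ethertype": ARP},
]


def compare():
    """Return (src, ethertype, question verdict, reply verdict) per frame."""
    return [
        (f["src"], hex(f["ethertype"]),
         vlan_map_verdict(question_map, f), vlan_map_verdict(reply_map, f))
        for f in FRAMES
    ]


if __name__ == "__main__":
    for row in compare():
        print(*row)
```

In this model the only frames dropped are those with EtherType 0x806 from the four listed MAC addresses; other non-IP frames from the same hosts are forwarded.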

  • AAA and 3560 Switch + CNA

    Hi
    Has anyone got this to work?
    CNA (Cisco Network Assistant) and AAA (TACACS+) on a 3560 switch.
    I can't get CNA to work in this setup, but it works fine together with 3500XL and 3550 series switches, with the same parameters.
    This is the AAA conf.
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs enable
    aaa authentication enable default enable group tacacs+ none
    aaa authorization exec default group tacacs+ local
    aaa authorization exec no_tacacs none
    aaa authorization commands 15 default group tacacs+ if-authenticated local
    aaa authorization commands 15 no_tacacs none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    ip http server
    ip http authentication aaa

    Hi
    No. I get the prompt for username and password and hit enter. Then nothing happens. It looks like it's trying to build the network but it never gets finished. I know it works without the aaa statement. But I can't live with that.

  • Private vlans and 2960 and 3560 switch

    Hi, I have a 3560 switch that supports private vlans. There are few computers connected to it and private vlans work fine. Now I need to connect a 2960 switch to 3560 switch. 2960 seems to have no private vlan configuration options but it can be private vlan edge? What is private vlan edge? If I put the computers on 2960 to a vlan that is isolated vlan in 3560 will the computers be able to communicate with themselves in layer2 on 2960 switch?

    Example: I have network 10.0.0.0/24. Networks primary vlan is 2001, isolated is 2002 and community is 2003. These settings are on 3560. So if I put computers on 2960 switch to vlan 2002 and make the ports protected ports they will act as isolated ports and they can't communicate with ports that are on isolated vlan 2002 on 3560???
    Can I also use the community vlan on 2960? is this possible because vlans 2002 and 2003 would be on the same network???

  • DHCP and voice vlan on Cisco 3560 switch

    Greetings,
    I'm setting up a Cisco 3560 switch for voice and data comms. I'm looking for documentation with best practice guidelines for the following requirements.
    1. Using the Cisco 3560 as a DHCP server - Config examples.  Do I need to use different subnets for the voice and data vlans?
    2. Layer 2 CoS QoS  - I'm connecting Aastra phones as well as notebooks - I've been told that Aastra also makes use of the voice vlan config through LLDP and that Aastra phones supports CDP.
    Your assistance will be appreciated.

    Hi ,
    Cisco recommends that you have a separate vlan for  voice and data with different ip subnets for voice and data. You will need to configure the dhcp pool accordingly.
    Here is the config guide for setting up IOS DHCP server:
    http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html
    Here is the LAN qos recommendations:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/netstruc.html#wp1044009

  • Branch office setup with L3 switch and router with IOS security

    Hello,
    I am in the process of putting together a small branch office network and I am in need of some design advice. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPSec tunnels to reach other branches.
    I have a 2911 (security bundle) router and 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to setup separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be setup with SVIs to perform routing between VLANs. The port between the router and switch would be setup as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead of doing router-on-a-stick.
    Since there is no firewall between the switch and router my plan was to setup IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching altogether and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
    I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
    If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
    Any input would be appreciated.
    Thanks,
    Austin

    Thanks for the input.
    1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
    2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and setup PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3. 
    3. The reason a router was purchased over a firewall was that ASA's cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be setup in an active/standby state. Also, an ASA Sec+ does not have near the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security is capable of doing an upwards of 200 IPSec connections.
    Your point about moving the SVI's to a firewall to perform filtering between VLANs makes sense, however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid.  

  • Embedded Event Manager on cisco 3560 switch

    Can someone help me please? I have EEM configured on a Cisco 3560 switch. The configuration is below. I want the switch to inform me by email when a device with a particular IP address becomes unavailable. For some reason this configuration is not good and I can't tell why. I already tried to debug this with debug event manager action mail but didn't see any output.
    ip sla 11
    icmp-echo ip address
    frequency 20
    ip sla schedule 11 life forever start-time now
    event manager applet device-TEST
    event snmp oid 1.3.6.1.4.1.9.9.42.1.2.9.1.6.11 get-type exact entry-op lt entry-val "2" poll-interval 20
    trigger occurs 5 period 120
    action 02.0 mail server "ip address" to "[email protected]" from "[email protected]" subject "device is down"

    The mail part looks good, I'm not sure you are hitting the trigger right.
    Why not do a track on the ip sla instead of the snmp stuff?
    Here's a good example of that.
    https://learningnetwork.cisco.com/blogs/network-sheriff/2009/06/19/writing-your-first-eem-applet

  • Access switch and ap's for BYOD

    Good day,
    I'm reading the BYOD document and found that the switches and APs below are the only ones listed in their design. Does it mean normal 3560s and 11xx series APs can't support a BYOD solution using ISE? Could someone confirm, please?
    cat switches:
    Catalyst 3750-X
    Catalyst 3560-X
    Catalyst 4500E Sup7-E
    AP's
    AP3502
    AP3602
    thanks in advance for your input.
    cheers,
    mhon

    The 3560s that can run the code specified in this chart should be able to support ISE -
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038
    The APs that can support the controller code in the above guide should work as well; however, if you want to run the AP in standalone mode, and they do not support features such as CoA, then you will have to dedicate an inline posture node in order to get the full features of Cisco ISE.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • MAC Addresses not showing on my new 3560 switch

    I have a Cisco 3560 (Switch B) switch I just introduced into my network.  The gigabit ports are trunked from another switch (Switch A) to a Cisco 6509 WS (Main Switch).
    crpf4bsw3#show cdp neighbors
    Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
    crpf4bsw2.mdch.com
                        Gig 0/1               124            S I      WS-C3560-4Gig 0/4
    crpcorsw1.mdch.com
                        Gig 0/4               127           R S I     WS-C6509-EGig 2/8
    interface GigabitEthernet0/4
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,19,124,150,160,164,168,224
     switchport mode trunk
     mls qos trust dscp
     spanning-tree link-type point-to-point
    interface GigabitEthernet0/1
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,19,124,150,160,164,168,224
     switchport mode trunk
     mls qos trust dscp
     spanning-tree link-type point-to-point
    The trunk ports are working just fine.  I have configured all necessary remote management with no issues.  However, my access ports are not working.  I have set them up exactly the same as the adjacent switch A and it works just fine, but the same configuration on the new switch has not been able to pull IP information.  I have provided information as to how the switch access ports are configured on both Switch A (working) and Switch B (not working).  I should note that I tried this with a Cisco 7940 phone and it got stuck on "configuring IP" then I tried it with my laptop and it pulled a 169 IP address.  Both were direct connections into switch B.  When I run a show mac-address-table, neither device shows up in the table.  Only the gig port MACs.  Any thoughts? Please let me know if you need any more information.
    interface FastEthernet0/3
     switchport access vlan 124
     switchport mode access
     switchport voice vlan 224
     switchport port-security maximum 3
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape  10  0  0  0
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
     spanning-tree bpduguard enable

    Hi Mike,
    It looks like you're guiding me in the right direction.  I did a "show port security interface fa0/2" on the new switch and nothing was out of the ordinary with the exception of the 0 MAC addresses learned.  But then I did a "show spanning tree vlan 224" Here's what I found:
    Switch A (existing switch):
    crpf4bsw2#show spanning-tree vlan 224
    VLAN0224
      Spanning tree enabled protocol rstp
      Root ID    Priority    4096
                 Address     0012.44cc.68e0
                 Cost        8
                 Port        1 (GigabitEthernet0/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    32992  (priority 32768 sys-id-ext 224)
                 Address     0013.60aa.7400
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
    Interface        Role Sts Cost      Prio.Nbr Type
    Gi0/1            Root FWD 4         128.1    P2p
    Fa0/1            Desg FWD 19        128.3    Edge P2p
    Fa0/2            Desg FWD 19        128.4    Edge P2p
    Fa0/3            Desg FWD 19        128.5    Edge P2p
    Fa0/4            Desg FWD 19        128.6    Edge P2p
    Fa0/5            Desg FWD 19        128.7    Edge P2p
    Fa0/6            Desg FWD 19        128.8    P2p Peer(STP)
    Interface        Role Sts Cost      Prio.Nbr Type
    Fa0/7            Desg FWD 19        128.9    Edge P2p
    Fa0/8            Desg FWD 19        128.10   Edge P2p
    Fa0/9            Desg FWD 19        128.11   Edge P2p
    Fa0/10           Desg FWD 19        128.12   Edge P2p
    Fa0/11           Desg FWD 19        128.13   Edge P2p
    Fa0/12           Desg FWD 19        128.14   Edge P2p
    Fa0/13           Desg FWD 19        128.15   Edge P2p
    Fa0/15           Desg FWD 19        128.17   Edge P2p
    Fa0/19           Desg FWD 19        128.21   Edge P2p
    Fa0/20           Desg FWD 19        128.22   Edge P2p
    Gi0/4            Desg FWD 4         128.28   P2p
    Fa0/29           Desg FWD 19        128.33   Edge P2p
    Fa0/30           Desg FWD 19        128.34   Edge P2p
    Fa0/31           Desg FWD 19        128.35   Edge P2p
    Fa0/32           Desg FWD 19        128.36   Edge P2p
    Fa0/33           Desg FWD 19        128.37   Edge P2p
    Fa0/34           Desg FWD 19        128.38   Edge P2p
    Fa0/35           Desg FWD 19        128.39   Edge P2p
    Fa0/37           Desg FWD 19        128.41   Edge P2p
    Fa0/38           Desg FWD 19        128.42   Edge P2p
    Fa0/39           Desg FWD 19        128.43   Edge P2p
    Fa0/40           Desg FWD 19        128.44   Edge P2p
    Fa0/41           Desg FWD 19        128.45   Edge P2p
    Interface        Role Sts Cost      Prio.Nbr Type
    Fa0/42           Desg FWD 19        128.46   Edge P2p
    Fa0/43           Desg FWD 19        128.47   Edge P2p
    Fa0/44           Desg FWD 19        128.48   Edge P2p
    Fa0/45           Desg FWD 19        128.49   Edge P2p
    Fa0/46           Desg FWD 19        128.50   Edge P2p
    Switch B (new switch):
    Spanning tree instance(s) for vlan 224 does not exist.
    So with this new information, and with my trunk configurations above, what did you mean by a disconnect on the trunk?

  • 1142N NON_CISCO-NO_CDP_RECEIVED with 3560 switch

    I thought the 3560 switches, the 8 port and 24 port are 802.3af standard switches?  When I connect 1142N radios to them I get the no cdp error and the radios are disabled. I have 17 of these that I converted to LAP, and I got the issue both before and after upgrading to LAP from AP.  It's not like I disabled CDP on the switches.

    I may have found the problem. I thought I had initially connected to a switchport that was just setup as a switchport access vlan, with no other configurations on it, and after looking at the port found it was a trunk port, which should work, and does for the other AP's I worked with, but not the 1142N.
    I took one of the other AP's that is connected to the test switch I am using to setup the WLC and AP's and connected that to one of the unconfigured ports, with default settings and the radios both powered up and I saw CDP neighbor detail,
    I removed spanning-tree portfast from the trunk port, and reconnected the AP to that port, I saw it negotiated full power, but I don't see neighbor information. I had to console in and do a no shut on dot11radio 0 for it to come up on all 3 of them.
    I went back and pulled that new one out of the box and reconnected to the interface I used before after removing portfast, still had the same problem, then removed the trunk configuration, and rebooted. Now I see
    *Mar  1 00:14:19.266: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3560-8PC
    Fa0/6     auto   on         14.5    AIR-LAP1142N-A-K9   3     15.4
    I took one of the other AP's that I boxed up and connected it to the same port, this was a converted AP to LAP.
    Fa0/6     auto   on         15.4    AIR-LAP1142N-A-K9   3     15.4
    Further puzzlement, plugged that last AP into the test switch which is setup to mimic a remote location with trunk ports for FlexConnect, and after the radio powered up, and joined the controller, saw this.
    wmmAC status is FALSE
    *May 30 08:15:02.896: Starting Ethernet promiscuous mode
    *May 30 08:15:03.150: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 30 08:15:03.222: %LWAPP-3-CLIENTEVENTLOG: OfficeExtend Localssid saved in AP flash
    *May 30 08:15:03.629: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC-2504
    *May 30 08:15:03.677: %LWAPP-3-CLIENTEVENTLOG: SSID wlcman added to the slot[0]
    *May 30 08:15:03.710: %LWAPP-3-CLIENTEVENTLOG: SSID internal added to the slot[0]
    *May 30 08:15:04.137: %LWAPP-3-CLIENTEVENTLOG: SSID guest added to the slot[0]
    *May 30 08:15:04.269: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *May 30 08:15:04.461: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to down
    *May 30 08:15:04.462: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *May 30 08:15:04.552: %LWAPP-3-CLIENTEVENTLOG: SSID wlcman added to the slot[1]
    *May 30 08:15:04.553: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *May 30 08:15:04.575: %LWAPP-3-CLIENTEVENTLOG: SSID internal added to the slot[1]
    *May 30 08:15:05.010: %LWAPP-3-CLIENTEVENTLOG: SSID guest added to the slot[1]
    *May 30 08:15:05.866: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5300 MHz for 60 seconds.
    *May 30 08:15:06.055: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *May 30 08:15:06.351: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
    *May 30 08:15:07.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *May 30 08:15:07.215: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to down
    *May 30 08:15:07.216: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *May 30 08:15:08.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *May 30 08:15:08.237: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5300 MHz for 60 seconds.
    *May 30 08:15:08.237: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *May 30 08:15:09.245: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    Why would radio 0 be admin down? It is enabled on the WLC.  I went into the AP and did a no shut on it too.  Not sure what is going on with this, never ran into this sort of issue before.

  • IPv6 HSRP global unicast address on cisco 3560 switch

    Dear Team,
    We are using a Cisco 3560 switch. Now we are going to implement IPv6 in our network, but we are not disturbing the existing IPv4. My questions are: 1) Can we configure a global unicast IPv6 address in IPv6 HSRP, and 2) will the Cisco 3560 switch support IPv4 and IPv6 standby groups on the same SVI?

    YES

  • Cisco 3560 switch| mls qos trust dscp question

    Hi everybody
    Please consider the following example:
    3560 sw f1/1--------trunk---SW2
    3560 sw
    f1/1
    mls qos trust dscp
    3560 is using default cos-dscp map, assume a 3560 receives a frame carrying IP packet on f1/1 with COS 4, what will 3560 switch do?
    1) Will it use its default cos-dscp map (cos 4 --> dscp 32), rewrite 32 in the dscp field of the packet in the frame, and provide PHB for dscp 32?
    Much appreciated!!
    Have  a great weekend.

    Hi
    No, it will not trust the cos value, because you have configured it to trust dscp. So, the switch will trust the dscp value in the incoming frame.
    /Mikael

  • SRW224G4P uplink to catalyst 3560 switch trunk

    I have many SRW224G4P switches, and I use a Catalyst 3560 as a core switch.
    The SRW224G4P switches uplink to the 3560 switch.
    How can I configure the port of the 3560 facing the SRW224G4P (there are many VLANs in my network),
    and configure the port of the SRW224G4P facing the 3560's port?
    PS: it is a trunk port configuration problem.

    Hi Wei,
         Are you working on the Linksys SRW224G4P or the replacement Cisco (300 Series) SRW224G4P-K9-NA? Can you attach your 3560 Trunk Port Configuration along with the VLAN Configuration?
    Thanks,
    Kevin

  • Physical position of backup Cisco 3560 switch in relation to other production switches

    We currently have three 3560 switches connected to each other using SPF interconnect cables. I have a backup switch ready in the event one of the three switches fails. I'd like to keep the backup switch configured and in the rack connected to the three switches. If a switch fails, do the interconnect cables have to be routed in the same way they're currently setup or can they be connected in any order. In other words, if I have the replacement switch in the rack at the bottom with the other three switches and the top switch fails, after loading the config of the top switch onto the replacement switch, can I keep the cables from the second switch connected to the third switch and run the interconnect cables from the failed switch, now switch 1, to the third switch, which is situated in the rack just above the replacement switch? 
    Thanks in advance. 

    For 3560s, what SPF ports you use doesn't really matter.
    If the backup will be a cold spare, you may need to worry about port configurations, before you connect it.
    If the backup will be warm spare, again, you can interconnect the SPF ports however you like.  If, though, you create any L2 loops, you need something to break the loop, e.g. STP, FlexLink.
    If you want intentional redundancy, the simplest configuration would be a ring, and assuming the backup is just a warm spare, a root switch defined with the other two non-backup switches connected to it (on the ring).  (The backup would connect to the two non-root switches.)
    Besides a ring topology for redundancy, you might setup a dual star topology, or as you only have four switches, even a full mesh.

  • MTU Size Issue on Cisco 3560 Switch

    Could anybody tell me how to change the MTU size on a Cisco 3560 switch? I mean, is it to be changed on the FastEthernet interfaces, on VLAN 1, or in global configuration mode, and with which command?

    I am using MPLS on my routers and the MTU size I have set on my router interfaces is 1524.
    When I do a normal ping from one customer site to another (where my traffic has to pass through this switch VLAN) I get a reply, but when I ping with a byte size of 1500 or more the packets get completely dropped.
    I think the packets are getting dropped due to an MTU mismatch between the switch and router; that is why I was trying to change it.
    Could the packets get dropped for this reason? Please suggest.
