Catalyst 3550 SMI

Is it possible to assign one port to more than one(1) VLAN?
After doing a lot of research it seems this is not possible on the 3550?
I want to assign my server ports to multiple VLANs (VLAN1 and VLAN2) and have 2 departments separated by these 2 VLANs. This is because of security issues, but the departments should still be able to access the servers.
Any advice? I'm running the SMI image; do I need the EMI to do this? Anyone know the cost of the EMI image?
Regards
Mailman

I would suggest you create a minimum of three VLAN's - one for Dept #1, one for Dept #2 and another for your servers. You could also separate the servers into separate VLAN's if required as well. You can then create ACL's restricting access between the VLAN's and apply these to the Layer-3 SVI interfaces to restrict traffic in and out of these VLAN's.
You would need to define what restrictions you want to allow and what you want to block. This could simply be at the IP level or at the Layer-4 protocol level.
HTH
Andy

Similar Messages

  • Catalyst 3550: Loading IOS via TFTP from ROMmon?

    Hi everybody,
    I need to load an IOS from ROMmon-mode to a Catalyst 3550.
    Of course I could do that via xmodem but I thought it should also be possible via TFTP.
    What I did:
    switch: IP_ADDRESS=192.168.1.1
    switch: IP_SUBNET_MASK=255.255.255.0
    switch: TFTP_SERVER=192.168.1.2
    switch: TFTP_FILE=c3550-ipservicesk9-mz.122-35.SE5.bin
    switch: DEFAULT_GATEWAY=192.168.1.1
    switch: set
    BOOT=tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin
    DEFAULT_GATEWAY=192.168.1.1
    IP_ADDRESS=192.168.1.1
    IP_SUBNET_MASK=255.255.255.0
    MAC_ADDR=00:0F:90:7F:B1:00
    MODEL_NUM=WS-C3550-48-SMI
    MODEL_REVISION_NUM=L0
    MOTHERBOARD_ASSEMBLY_NUM=73-5701-09
    MOTHERBOARD_REVISION_NUM=A0
    MOTHERBOARD_SERIAL_NUM=CAT08130PUT
    POWER_SUPPLY_PART_NUM=34-0967-02
    POWER_SUPPLY_SERIAL_NUM=DTH08094HH7
    SYSTEM_SERIAL_NUM=CAT0813Z29A
    TFTP_FILE=c3550-ipservicesk9-mz.122-35.SE5.bin
    TFTP_SERVER=192.168.1.2
    switch: boot tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin
    Loading "tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin"...tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin: permission denied
    Error loading "tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin"
    Interrupt within 5 seconds to abort boot process.
    Boot process failed...
    switch: boot
    Loading "tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin"...tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin: permission denied
    Error loading "tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin"
    Interrupt within 5 seconds to abort boot process.
    Boot process failed...
    Am I doing something wrong or is it generally impossible to load an IOS via TFTP to a 3550?
    Thanks in advance
    Rolf

    I am pretty sure you can't boot from a TFTP server with the Catalyst 3550 (or any of the other standalone access switches - 2950, 3550, 3560 3750 etc). If you want to recover one you need to recover it using XModem via the console:
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_tech_note09186a0080169696.shtml
    I used to think you had to do this at 9600-baud, however you can increase the baudrate and it only takes 10-20 minutes (I couldn't get 115200 to work but 57600 worked OK and took about 20-minutes).
    You need to remember to put the baud rate back to 9600 when the image is back on as it gets stored in NVRAM and reboots etc are at the stored speed (i.e. changing it after it has booted under the line con 0 doesn't get saved to NVRAM).
    HTH
    Andy

  • 3550 smi and xls randomly slowing network down

    Please help. I have over 50 3350 XLs and SMI Cisco switches, which at random times on different floors in a 20-story building slow the network down. The switches are not struggling with traffic or reporting errors. I have logged many calls with Cisco and together we configured UDLD, loopguard, spanning-tree portfast and upgraded all devices to the latest IOS. But after doing tests by transferring 1 gig of data from the client building to the hosting facility, some switches take 50% more time to transfer the data. The switches are gig stacked in pairs of 3 which connect to 2 4000 switches via fibre. Any ideas what else this could be? I have noticed that the gig stacks to each other are manually set to half duplex. Is this normal or should I force them to full duplex?

    It shows Spanning-tree Protocol failures in some Catalyst 3550 models
    Try bug CSCdy21905

  • Using Catalyst 3550 Switch with Linksys Home Router and Cable Internet

    I've about pulled what little hair I have out of my head on this one, and need some configuration help.
    I have a Cisco Catalyst 3550 switch with five Windows 7 desktops, an Avaya PBX and five Avaya IP phones attached. All of these devices are on a 192.168.0.0/24 subnet, and are communicating properly. I will refer to this as network # 1. I also have a SEPARATE network, we'll call network # 2, using AT&T ADSL service and a Netgear 4-port/wireless router/ADSL modem combo device, which is functioning properly with a couple of other Windows 7 desktops over its own wired Ethernet network, using DHCP, and also on a 192.168.0.0/24 subnet. I thought it would be a simple integration, just plugging one of the 3550's ports to one of the DSL router's ports, in order to give the five Windows 7 desktop computers on network # 1 internet access via the DSL modem. Guess I was wrong. When I connect the two switches together, although I get good connectivity (green lights on both ports) and am able to ping the DSL router's gateway address (192.168.0.252) from network # 1's computers, the computers on network # 1 cannot access the internet. Also, the working computers on network # 2 lose their internet access as long as the two switches are connected together. I am not a Cisco guru, but there's got to be a way to make this scenario work. Can someone provide me with a 3550 configuration that will allow me to extend my internet service from network # 2 on the DSL router to my 3550 switch and their computers? Here's what I am looking for:
    INTERNET ---> ADSL MODEM ---> NETGEAR ROUTER ---> CISCO 3550 SWITCH ---> NETWORK DEVICES WITH INTERNET ACCESS

    The Netgear router is probably what's doing the natting. Is the 3550 configured for routing or is it straight L2? If you have the 3550 configured as L3, then it's going to be easy to do what you want. Just add a static route on the Netgear to point the subnet that it doesn't know about to the 3550. For example, if the Netgear is addressed at 192.168.1.1 and the Cisco 3550 is addressed at 192.168.1.2, but it also knows about the 192.168.0.0/24 (separate vlan), then you would put a static route on your Netgear for 192.168.0.0/24 to go to 192.168.1.2.
    The way that I would do it is to create a separate vlan on the 3550 and assign an address to it. Once you do that, make the port that the other switch connects to an access port of that vlan. (It would need to be on the same subnet as the existing equipment.) All of your devices would use it as a default gateway and then you would do the rest as above. You could also use RIP between the Netgear and Cisco if you can't do static routing.
    HTH,
    John

  • Policy-map on catalyst 3550

    Dear all,
    How do I configure a policy-map on a Catalyst 3550 to shape bandwidth? I've tried setting that policy-map on one of the interfaces, but when I ran sh policy-map interface fa0/1, in the class-map field, the result is:
    class-map: policeIn (match-all)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    match: access-group 112qm_police_inform_feature: CLASS_SHOW
    Could you give me a clue?
    Thanks.
    ..::rhiez::..

    Hi,
    I've checked the statistics of the interface and there is traffic on that interface:
    Hardware is Fast Ethernet, address is xxxx.xxxx.xxxx.xxxx(bia xxxx.xxxx.xxxx)
    MTU 1500 bytes, BW 512 Kbit, DLY 100 usec,
    reliability 255/255, txload 102/255, rxload 42/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Half-duplex, 100Mb/s
    input flow-control is off, output flow-control is off
    ARP type: ARPA, ARP Timeout 04:00:00
    Last clearing of "show interface" counters 00:03:16
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue :0/40 (size/max)
    5 minute input rate 85000 bits/sec, 67 packets/sec
    5 minute output rate 961000 bits/sec, 201 packets/sec
    12965 packets input, 2137646 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 watchdog, 0 multicast, 0 pause input
    0 input packets with dribble condition detected
    38564 packets output, 23504798 bytes, 0 underruns
    0 output errors, 46 collisions, 0 interface resets
    0 babbles, 0 late collision, 62 deferred
    0 lost carrier, 0 no carrier, 0 PAUSE output
    0 output buffer failures, 0 output buffers swapped out
    Is there another way to shape bandwidth per VLAN or per port interface on a Catalyst 3550 with IOS 12.1(8)?
    Thanks.
    ..::rhiez::..

  • Need help - Catalyst 3550 on CCM4.1 Voip

    Guys.
    We had a Catalyst 3550 switch fail last week, and the guy who really knows this system has left the company.
    The switch has a non-free molecules error, which I believe is terminal.
    I've sourced a replacement switch and need help configuring it.
    I copied the running config from its sister switch (there are only 2 switches on this CCM); however, the sister switch is a 3560.
    I changed the IP address and switch name before uploading it to the 3550 on the off chance it might just work.
    Show run on the 3550 shows that it might be configured, but when I connected it, it took the gateway down.
    I'm really up the creek at the moment unless I can get someone to either look at it, find an old config or get this guy back in for a few hours.
    Any advice would be gratefully received.
    Looking at show run, I see two references to VLANs:
    interface Vlan1
     ip address 170.205.238.3 255.255.255.0
    interface Vlan10
     ip address 10.10.0.254 255.255.255.0
    ip classless
    ip route 0.0.0.0 0.0.0.0 170.205.238.1
    no ip http server
    The IP address 170.205.238.1 is alien to me. I don't know what this is. However, what I do know is that I never changed this. This IP address is the same in the 3560.
    Could this cause an issue? I'm not aware of anything on a 170.X.X.X subnet; this could have been some legacy from the previous owners of the building.
    The first 3 ports in the switch are connected to the publisher, subscriber and gateway router.
    Does it matter which port is connected to which component?
    I believe that I can't be too far away from configuring this, but without any help, I'm a bit stuck.
    LEE-SW-CC_VOIP-01#show run
    Building configuration...
    Current configuration : 6147 bytes
    version 12.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname LEE-SW-CC_VOIP-01
    enable secret 5 $1$2BRP$UtiYkRMAsp7roykkfRDo3/
    username cisco privilege 15 secret 5 $1$mh3w$w8H5ygAfDUOBdiE2UftB8.
    ip subnet-zero
    ip routing
    vtp domain LEE
    vtp mode transparent
    mls qos map cos-dscp 0 8 16 26 32 46 48 56
    mls qos
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan 10
    interface FastEthernet0/1
     switchport access vlan 10
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/2
     switchport access vlan 10
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/3
     switchport access vlan 10
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/4
     switchport access vlan 10
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/5
     switchport access vlan 10
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/7
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/8
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/9
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/10
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/11
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/12
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/13
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/14
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/15
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/16
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/17
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/18
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/19
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/20
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/21
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/22
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/23
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface FastEthernet0/24
     switchport mode access
     switchport voice vlan 10
     no ip address
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
    interface GigabitEthernet0/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
     no ip address
     mls qos trust cos
     udld port aggressive
     auto qos voip trust
    interface GigabitEthernet0/2
     switchport trunk encapsulation dot1q
     switchport mode trunk
     no ip address
     mls qos trust cos
     udld port aggressive
     auto qos voip trust
     priority-queue out
    interface Vlan1
     ip address 170.205.238.3 255.255.255.0
    interface Vlan10
     ip address 10.10.0.254 255.255.255.0
    ip classless
    ip route 0.0.0.0 0.0.0.0 170.205.238.1
    no ip http server
    logging trap debugging
    line con 0
     exec-timeout 0 0
     privilege level 15
     login local
    line vty 0 4
     privilege level 15
     login local
     length 0
    line vty 5 15
     privilege level 15
     login local
     length 0
    end
    LEE-SW-CC_VOIP-01#

    Always wanting to learn more, I re-instated the test config and ran those commands.
    LEE-SW-CC_VOIP-01#show cdp neighbor
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
    LEE-SW-CC_VOIP-01#show ip int brief
    Interface                  IP-Address      OK? Method Status                Protocol
    Vlan1                      170.205.238.2   YES NVRAM  up                    down
    Vlan10                     10.10.0.254     YES NVRAM  up                    down
    FastEthernet0/1            unassigned      YES unset  down                  down
    FastEthernet0/2            unassigned      YES unset  down                  down
    FastEthernet0/3            unassigned      YES unset  down                  down
    FastEthernet0/4            unassigned      YES unset  down                  down
    FastEthernet0/5            unassigned      YES unset  down                  down
    FastEthernet0/6            unassigned      YES unset  down                  down
    FastEthernet0/7            unassigned      YES unset  down                  down
    FastEthernet0/8            unassigned      YES unset  down                  down
    FastEthernet0/9            unassigned      YES unset  down                  down
    FastEthernet0/10           unassigned      YES unset  down                  down
    FastEthernet0/11           unassigned      YES unset  down                  down
    FastEthernet0/12           unassigned      YES unset  down                  down
    FastEthernet0/13           unassigned      YES unset  down                  down
    FastEthernet0/14           unassigned      YES unset  down                  down
    FastEthernet0/15           unassigned      YES unset  down                  down
    FastEthernet0/16           unassigned      YES unset  down                  down
    FastEthernet0/17           unassigned      YES unset  down                  down
    FastEthernet0/18           unassigned      YES unset  down                  down
    FastEthernet0/19           unassigned      YES unset  down                  down
    FastEthernet0/20           unassigned      YES unset  down                  down
    FastEthernet0/21           unassigned      YES unset  down                  down
    FastEthernet0/22           unassigned      YES unset  down                  down
    FastEthernet0/23           unassigned      YES unset  down                  down
    FastEthernet0/24           unassigned      YES unset  down                  down
    GigabitEthernet0/1         unassigned      YES unset  down                  down
    GigabitEthernet0/2         unassigned      YES unset  down                  down
    LEE-SW-CC_VOIP-01#

  • Cisco 3550 SMI switch for security setup ?

    I have a 3550 SMI IOS 12.2 switch, I want to setup http, https, dns services for internet. I do not need to set up any mail or web server.
     The connection as follows:
    Internet ---------Modem----------3550-----------Computer
    Modem has no security function, all the security setting will be on 3550 switch. So what is the best approach ?
    Is it layer 2 or layer 3 security ? and can I run VPN for the internet surf ? Please kindly advise.
    Thanks,
    Susan

    Thanks for the reply.
    When I configured the switch I found out some interesting things. I am not sure if the
    configuration is correct or if I missed something. Please help take a look.
    access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny   ip host 0.0.0.0 any
    access-list 101 deny   ip host 255.255.255.255 any
    access-list 101 deny   tcp any any eq bgp
    access-list 101 deny   eigrp any any
    access-list 101 permit udp any any eq domain
    access-list 101 permit tcp any any eq www log
    access-list 101 permit tcp any any eq 443 log
    access-list 101 deny   ip any any log
    int fa0/1
    switchport
    switchport access v 10
    switchport mode access
    access group 101 in
    int vlan 1
    no ip add
    That works normally.
    But when I put access list 101 on VLAN interface 10, my computer can access the internet???
    access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny   ip host 0.0.0.0 any
    access-list 101 deny   ip host 255.255.255.255 any
    access-list 101 deny   tcp any any eq bgp
    access-list 101 deny   eigrp any any
    access-list 101 deny   ip any any log
    int vlan 10
    ip add 192.168.1.1 255.255.255.0
    access group 101 in
    int fa0/1
    switchport
    switchport access v 10
    switchport mode access
    int vlan 1
    no ip add
    In both cases, Vlan 1 is down; I connect nothing and assign nothing to VLAN 1.
    So does the configuration have a problem?
    Or is it something to do with VLAN 1?
    Or is there something I missed?
    Thanks

  • Password reset on a Cisco Catalyst 3550 series

    We have a Cisco Catalyst 3550 series, and we don't have the password to gain access to the switch through a web browser. My question is: if I reset the password using HyperTerminal, does changing the password affect any VLAN or fiber optic settings that I should know about? Or does resetting the password change our switch to factory settings?

    Hi,
    The password recovery procedure for your switch is described in this document:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/12040-pswdrec-2900xl.html
    If you follow the instructions in the document exactly, you will retain the original configuration - you just rename the configuration file so that it is not loaded when the switch boots up. However, you will still be able to display it after the switch boots up using the more flash:config.old command. Eventually, you can even load it into running-config using the copy flash:config.old running-config command. At that point, the old passwords will be brought back but because you already are in the privileged EXEC mode, you can change them and save the updated configuration.
    VLANs should not be affected as long as you do not delete the vlan.dat file located in FLASH. Fiber optic ports should not be affected as long as you are using original Cisco GBICs. If you're using 3rd party GBICs, it may be necessary to enter the service unsupported-transceiver hidden command in the global configuration mode before they get recognized.
    Good luck!
    Best regards,
    Peter

  • Catalyst 3550-48 unable to boot

    Hi,
    I have a Catalyst 3550-48 switch which is running the IOS image c3550-ipbase-mz.122-25.SEB4.bin. The problem is that now it's not booting; it goes directly to ROMmon mode. From there, if I issue the command boot flash:c3550-ipbase-mz.122-25.SEB4.bin, it gives me an error message like: loading ...... c3550-ipbase-mz.122-25.SEB4.bin .....magic number mismatch:bad mzip file
    Please help me to resolve the issue.

    Hi Friend,
    Seems to be a corrupt image. The best solution will be to xmodem the same image again.
    Download the same image again from cisco.com and xmodem to the switch.
    Have a look at this xmodem procedure
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a0080320001.html
    HTH, if yes please rate the post.
    Ankur

  • Catalyst 3550 & 3560/3750 command 'show mls qos interface statistics'

    On the Catalyst 3550 the command 'show mls qos interface statistics' will show ingress packet (or byte) counts with DSCP values. If you have policers configured then it also shows a count of packets that have been marked down to another DSCP value due to policing or any that have been dropped (obviously 'mls qos monitor dscp x' needs configuring). The same command on the 3560/3750 only shows the ingress & egress DSCP values, there is no column that shows packets (or bytes) that have been policed or dropped. Is there any command to display the same information with the 3560/3750?
    Neither platform shows counters when the command 'show policy-map interface x/x' is used so this won't work.
    Thanks
    Andy

    Hi, I believe there is a command on the 3560 'sh mls qos interface policers' may be what you are looking for.
    Here is what the command says it outputs:
    To display QoS information at the interface level. This information includes:
    The configuration of the egress queues and the CoS3-to-egress-queue map
    Which interfaces have configured policers
    Ingress and egress statistics, which includes the number of bytes that have been dropped

  • Catalyst 3550 and unidirectional multicast

    I have several segments routed by several Catalysts 3550. In one of the segments i start multicast TV streamer. I use IGMP and PIM to route the multicast. But how to restrict the clients only to receive multicast TV stream not to send multicast traffic to other segments joined the same group ?

    Setting a boundary or setting scope will restrict all multicast traffic and preventing any local client from sending any multicast would also prevent forwarding the received multicast any further. Depending on the topology and what the processing requirements are this might or might not be a good solution.
    Another alternative to consider is if you want to allow received multicast to be forwarded but want local originated multicast not to be forwarded would be to configure an outbound access list on the interface. In the access list would be a line like this:
    deny ip 224.0.0.0 15.255.255.255
    This will deny any packet with any broadcast destination address which has a source address within the local subnet. The access list would also have to have appropriate permit commands for the traffic that you do want to send (perhaps permit ip any any).
    HTH
    Rick

  • Catalyst 3550 Strong Cryptographic Software

    What do you lose/gain using Catalyst 3550 Strong Cryptographic Software for features? Are there any authentication features/services not available in the non-crypto image? Need to answer this for a HIPAA review.

    I have used Cisco's Software Advisor to look for differences in the crypto and non-crypto images. For several releases the Advisor does not list any differences. I did find a release 12.1EA1 where it did list differences. As far as authentication services there were no differences listed. It did list support for SSH in the crypto image which is not in the non-crypto image. So depending on how broad your definition of services is there may be a difference that you might care about.
    HTH
    Rick

  • Catalyst 3550 stack and etherchannel

    I wonder if it is possible to organize a gigabit EtherChannel from a stack of two Catalyst 3550s to a server. The problem is to connect the server's 2-port NIC to both switches, not just one, and have load balancing over 2 links while staying connected in case one of the switches goes down. If not, is it possible with 3750 switches?

    Hi,
    This is not possible on 3550's as they do not use a true stacking feature, and moreover both the switches have different configs and they do not get synced. I think it is possible in the case of 3750's, though I haven't tried it myself.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12119ea1/3750scg/swethchl.htm#1033981
    regards,
    -amit singh

  • Catalyst 3550 & HSRP v2

    Hi,
    I am testing on lab equipment (2 Catalyst 3550 and 1 Catalyst 3560) HSRP version 1 and 2.
    I successfully created a load balancing between the two Catalyst 3550 on a couple of vlans (11 and 12) on ver 1
    now, just adding the command "standby xx version 2" my hosts on the 2 vlans are completely unable to ping the virtual IP def. gw
    on debugging i checked that
    hello msgs are exchanged
    the two cat 3550 are seeing each other on HSRP (active / standby roles)
    the real ip addresses are pingable
    rebooted the switches (just as a last resort try)
    deleted ARP cache on hosts
    removed the auth on hsrp
    all of this no effect...
    i also tried to modify the priority on the cat 3560 (before he was on both vlans in standby) to make it the active one and with the same config it worked flawlessly...
    My only idea is that there is a bug on CATs 3550 (IOS: c3550-ipservicesk9-mz.122-55.SE4.bin)
    configs:
    SW-3550-A
    interface Vlan11
    ip address 12.0.0.2 255.255.255.0
    standby version 2
    standby 11 ip 12.0.0.1
    standby 11 priority 150
    standby 11 preempt
    standby 11 authentication md5 key-string LAB
    SW-3550-B
    interface Vlan11
    ip address 12.0.0.3 255.255.255.0
    standby version 2
    standby 11 ip 12.0.0.1
    standby 11 preempt
    standby 11 authentication md5 key-string LAB
    SW-3550-A#sh standby
    Vlan11 - Group 11 (version 2)
    State is Active
    16 state changes, last state change 00:18:08
    Virtual IP address is 12.0.0.1
    Active virtual MAC address is 0000.0c9f.f00b
    Local virtual MAC address is 0000.0c9f.f00b (v2 default)
    Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.560 secs
    Authentication MD5, key-string
    Preemption enabled
    Active router is local
    Standby router is 12.0.0.3, priority 100 (expires in 8.976 sec)
    Priority 150 (configured 150)
    Group name is "hsrp-Vl11-11" (default)
    SW-3550-B#sh standby
    Vlan11 - Group 11 (version 2)
    State is Standby
    10 state changes, last state change 00:17:18
    Virtual IP address is 12.0.0.1
    Active virtual MAC address is 0000.0c9f.f00b
    Local virtual MAC address is 0000.0c9f.f00b (v2 default)
    Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.208 secs
    Authentication MD5, key-string
    Preemption enabled
    Active router is 12.0.0.2, priority 150 (expires in 9.616 sec)
    MAC address is 000a.8a28.ea80
    Standby router is local
    Priority 100 (default 100)
    Group name is "hsrp-Vl11-11" (default)
    Any suggestion is appreciated and... thank you all in advance!

    Thank you for your answer,
    i have tried with groups 1 & 2 and 11 & 12
    VLAN  GRP  SW-3550-A  SW-3550-B
    11    11   ACTIVE     STANDBY
    12    12   STANDBY    ACTIVE

    VLAN  GRP  SW-3550-A  SW-3550-B
    11    1    ACTIVE     STANDBY
    12    2    STANDBY    ACTIVE
    I also tried to have just 1 group (1 or 11) and avoid a load-balance on hosts: same results.
    UPDATE:
    Tried with a couple of 1841: everything is working fine
    tried changing 3550s hsrpv2 groups to higher values (like 1111 & 1112 instead of 1 & 2) : no way
    still on the idea that is a 3550s bug...

  • ACL's in VLAN Catalyst 3550

    Hello !!
    We have a Switch Catalyst 3550 - 12G
    IOS : Version 12.2(25)SEA
    I need to implement ACL security in VLANs. But it didn't work.
    VLAN 11 Definition :
    interface Vlan11
    description VLAN - RED WAN
    ip address 192.168.21.1 255.255.255.0
    Interface association (g0/7) with VLAN 11 and extended ACL (ip1)
    interface GigabitEthernet0/7
    switchport access vlan 11
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 11
    switchport mode dynamic desirable
    ip access-group ip1 in
    ACL definition :
    ip access-list extended ip1
    permit ip 192.168.70.0 0.0.0.255 any
    deny ip any any
    This configuration must allow IP communication between 192.168.70.0/24 and 192.168.21.0/24. However, it doesn't work.
    Inter-VLAN communications are OK.
    Any suggestions?
    .... Switch Conf. attach
    Tks.
    John Nanez E.

    Try putting it on the SVI for VLAN 11 (interface vlan 11). I don't think you can put it on an individual interface and have it work. Also, the way you wrote it, you'll have to put it as out on the VLAN because you are permitting an address from another network to the VLAN 11 address space, thus it would have to block the traffic "out" to the devices on VLAN 11.
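
    The placement point in the reply above can be checked by evaluating the posted ACL "ip1" the way IOS does: top-down, first match wins, wildcard-mask bits set to 1 ignored. The following is an added example, not code from the thread or from Cisco; the sample packets are constructed, and it assumes the hosts behind Gi0/7 sit in 192.168.21.0/24 (the Vlan11 subnet). Only "ip" entries are handled.

```python
"""First-match evaluation of IOS-style extended ACL entries (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Ace:
    """One 'permit|deny ip <src> <dst>' entry."""
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int

    def matches(self, src: int, dst: int) -> bool:
        # Wildcard bits set to 1 are "don't care"; bits set to 0 must be equal.
        src_ok = ((src ^ self.src) & ~self.src_wild & MASK32) == 0
        dst_ok = ((dst ^ self.dst) & ~self.dst_wild & MASK32) == 0
        return src_ok and dst_ok


def _take_spec(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return 0, MASK32
    if head == "host":
        return _addr(tokens.pop(0)), 0
    return _addr(head), _addr(tokens.pop(0))


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, src_wild = _take_spec(tokens)
    dst, dst_wild = _take_spec(tokens)
    return Ace(action, src, src_wild, dst, dst_wild)  # trailing 'log' is ignored


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number); entry None is the implicit deny."""
    s, d = _addr(src), _addr(dst)
    for number, ace in enumerate(acl, start=1):
        if ace.matches(s, d):
            return ace.action, number
    return "deny", None


def verdicts(acl: List[Ace], packets: List[Tuple[str, str]]):
    return [(src, dst) + evaluate(acl, src, dst) for src, dst in packets]


# ACL "ip1" as posted in the thread.
IP1 = [parse_ace(line) for line in (
    "permit ip 192.168.70.0 0.0.0.255 any",
    "deny ip any any",
)]

# Constructed sample packets (source, destination).
# Seen by "ip access-group ip1 in" on Gi0/7: traffic sent by a VLAN 11 host.
INBOUND_ON_PORT = [("192.168.21.10", "192.168.70.10")]
# Seen by the ACL applied "out" on interface Vlan11: traffic routed toward VLAN 11.
OUTBOUND_ON_SVI = [
    ("192.168.70.10", "192.168.21.10"),
    ("192.168.50.5", "192.168.21.10"),
]

if __name__ == "__main__":
    for label, packets in (("Gi0/7 in", INBOUND_ON_PORT),
                           ("Vlan11 out", OUTBOUND_ON_SVI)):
        for src, dst, action, number in verdicts(IP1, packets):
            print(f"{label:11} {src:15} -> {dst:15} {action} (entry {number})")
```

    With the ACL inbound on the port, the VLAN 11 host's own source address never matches the permit entry, so its traffic falls through to the deny; applied outbound on the SVI, only packets sourced from 192.168.70.0/24 reach VLAN 11.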
