Catalyst 4507
I have a Catalyst 4507R as a core switch.
The data center has more than 40 servers, but I need two of these 40 servers to communicate only among themselves and with the remaining company networks.
Can you help me?
Regards
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
So the two special servers need to NOT communicate with just the other 38 servers? If so, place them in a different subnet/VLAN from the other servers and use ACL(s).
Or, if your equipment supports it, place the two special servers within a PVLAN community separate from your other servers.
Similar Messages
-
Catalyst 4507 Sup V-10GE problem
Hello,
We have two Catalyst 4507 connected to two sites in the same city through a black fiber. We use the Gigabit Ethernet ports on the Sup V-10GE to connect the fiber via Cisco CWDM.
It is the second time that the supervisor engine V-10GE has frozen; L1 and L2 are correct on the switch and the link is well connected, but the switch does not respond to IP requests like ping and ssh (L3 does not work). We should reboot the switch to resolve the problem.
Why did it happen? Is it a bug of the Sup V-10GE?
Thank you.
Jessie Dong
When the problem is present, do you have console connection? How is the proc CPU? Have you checked the STP when the issue is there? Does changing the uplink port to another port regain connectivity to the switch? Without much more info, there is no way to tell whether you are running into a bug or not.
-
WCCP version 2 on Catalyst 4507 w/SupII+
Hello,
I am trying to do a lab with WAAS, but I have a Catalyst 4507 switch with Supervisor II+.
When I am doing the configuration, I can't use the "ip wccp redirect exclude in" on the VLAN where the WAAS resides.
The show version is:
MBO-SW-01#
MBO-SW-01#
MBO-SW-01#sh ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(53)SG1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 30-Oct-09 14:39 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x11D20300
ROM: 12.2(31r)SGA1
Dagobah Revision 226, Swamp Revision 34
MBO-SW-01 uptime is 4 weeks, 6 days, 22 hours, 14 minutes
Uptime for this control processor is 4 weeks, 6 days, 22 hours, 15 minutes
System returned to ROM by power-on
System restarted at 16:57:06 CCS Mon May 10 2010
System image file is "bootflash:/cat4500-ipbasek9-mz.122-53.SG1.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco WS-C4507R (MPC8245) processor (revision 10) with 262144K bytes of memory.
Processor board ID FOX1151GHMY
MPC8245 CPU at 266Mhz, Supervisor II+
Last reset from PowerUp
7 Virtual Ethernet interfaces
48 FastEthernet interfaces
26 Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Configuration register is 0x102
MBO-SW-01#
MBO-SW-01#
MBO-SW-01#
MBO-SW-01#sh mod
Chassis Type : WS-C4507R
Power consumed by backplane : 40 Watts
Mod Ports Card Type Model Serial No.
---+-----+--------------------------------------+------------------+-----------
1 2 Supervisor II+ 1000BaseX (GBIC) WS-X4013+ JAE12035A3E
3 24 10/100BaseTX (RJ45)V, Cisco/IEEE WS-X4224-RJ45V JAE1038BPFF
4 24 10/100BaseTX (RJ45)V, Cisco/IEEE WS-X4224-RJ45V JAE1041D5JM
5 24 10/100/1000BaseT (RJ45)V, Cisco/IEEE WS-X4524-GB-RJ45V JAE11517SDQ
M MAC addresses Hw Fw Sw Status
--+--------------------------------+---+------------+----------------+---------
1 001f.9e15.32c0 to 001f.9e15.32c1 4.5 12.2(31r)SGA 12.2(53)SG1 Ok
3 0016.4617.b1b8 to 0016.4617.b1cf 2.3 Ok
4 0018.18b5.85e8 to 0018.18b5.85ff 2.3 Ok
5 0017.0ec4.6350 to 0017.0ec4.6367 2.3 Ok
Mod Redundancy role Operating mode Redundancy status
----+-------------------+-------------------+----------------------------------
1 Active Supervisor SSO Active
MBO-SW-01#
MBO-SW-01#sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 192.168.166.1
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 0
Number of Service Group Routers: 0
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Service Identifier: 62
Number of Service Group Clients: 0
Number of Service Group Routers: 0
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
MBO-SW-01#
MBO-SW-01#
MBO-SW-01#
MBO-SW-01#sh ip wccp in
MBO-SW-01#sh ip wccp interfaces
WCCP interface configuration:
FastEthernet3/5
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
MBO-SW-01#
What can I do to get this to work?
Thanks a lot
Hi Zach,
Thanks for your answer, but the scenario in your answer is not clear to me.
I'm attaching the logical topology; the configuration is this:
Configuration of the Edge Site:
MBO-RT-03#
MBO-RT-03#sh run
Building configuration...
Current configuration : 10757 bytes
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
hostname MBO-RT-03
boot-start-marker
boot-end-marker
ip wccp 61
ip wccp 62
ip cef
interface FastEthernet0/0
description TRONCAL LAN
no ip address
duplex auto
speed auto
interface FastEthernet0/0.202
description *** Vlan for Connection with WAE / Edge ***
encapsulation dot1Q 202
ip address 10.201.201.1 255.255.255.248
ip wccp redirect exclude in
interface FastEthernet0/0.210
description *** Vlan for Users ***
encapsulation dot1Q 210
ip address 192.168.166.129 255.255.255.128
ip wccp 61 redirect in
interface FastEthernet0/1
description *** WAN LINK - EMULATION ***
bandwidth 128
ip address 10.100.100.2 255.255.255.252
ip wccp 62 redirect in
ip nbar protocol-discovery
ip flow ingress
load-interval 30
duplex auto
speed auto
traffic-shape rate 128000 128000 128000 1000
router eigrp 1600
passive-interface default
no passive-interface FastEthernet0/1
network 10.100.100.2 0.0.0.0
network 10.201.201.1 0.0.0.0
network 192.168.166.128 0.0.0.127
no auto-summary
control-plane
line con 0
privilege level 15
password 7 121A150402181B00787B7578
login authentication userauthen
line aux 0
line vty 0 4
session-timeout 5
privilege level 15
password 7 121A150402181B00787B7578
login authentication userauthen
scheduler allocate 20000 1000
end
MBO-RT-03#
MBO-RT-03#
MBO-RT-03#
MBO-RT-03#sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 192.168.166.129
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 39212
Process: 0
CEF: 39212
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect Access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group Access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Service Identifier: 62
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 38171
Process: 0
CEF: 38171
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect Access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group Access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
MBO-RT-03#
MBO-RT-03#
MBO-RT-03#
MBO-RT-03#sh ip wccp inter
WCCP interface configuration:
FastEthernet0/1
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
FastEthernet0/0.210
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
FastEthernet0/0.202
Output services: 0
Input services: 0
Mcast services: 0
Exclude In: TRUE
MBO-RT-03#
MBO-RT-03#
MBO-RT-03#sh ver
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 19-Oct-09 18:21 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
MBO-RT-03 uptime is 4 hours, 55 minutes
System returned to ROM by reload at 11:39:53 CCS Wed Jun 16 2010
System image file is "flash:c2801-adventerprisek9-mz.124-24.T2.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 2801 (revision 5.0) with 240640K/21504K bytes of memory.
Processor board ID FTX0926W2NP
2 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
2 Voice FXO interfaces
3 DSPs, 40 Voice resources
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
MBO-RT-03#
And the Core Site has a 4507R with this configuration:
MBO-SW-01#sh run
Building configuration...
Current configuration : 33778 bytes
! Last configuration change at 16:54:12 CCS Wed Jun 16 2010 by dsalazar
! NVRAM config last updated at 16:05:21 CCS Wed Jun 16 2010 by dsalazar
version 12.2
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service compress-config
service udp-small-servers
service tcp-small-servers
service sequence-numbers
hostname MBO-SW-01
boot-start-marker
boot system flash bootflash:/cat4500-ipbasek9-mz.122-53.SG1.bin
boot-end-marker
logging buffered 1024000
logging console critical
enable secret 5 $1$vzCG$bkRWJO0nJuUvYq5mmU8G00
username cps privilege 15 password 7 011016174B18110B731C1F59
username CNAC_User privilege 0 password 7 096F602829040401595C557A
aaa new-model
aaa authentication login default local-case group radius enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
qos
qos aggregate-policer Prueba 128000 bps 1000 byte conform-action transmit exceed-action drop
ip subnet-zero
ip wccp 61
ip wccp 62
policy-map QoS_Prueba
class class-default
police aggregate Prueba
interface FastEthernet3/5
description *** WAN LINK - Emulation ***
no switchport
bandwidth 128
ip address 10.100.100.1 255.255.255.252
ip wccp 62 redirect in
load-interval 30
service-policy output QoS_Prueba
interface Vlan2
description *** Vlan of Server ***
ip address 192.168.162.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip wccp 61 redirect in
interface Vlan910
description *** Vlan for WAE / Core and Mgmt ***
ip address 10.200.200.1 255.255.255.248
router eigrp 1600
passive-interface default
no passive-interface Vlan1
no passive-interface Vlan710
no passive-interface FastEthernet3/5
no auto-summary
eigrp stub connected summary
eigrp event-logging
network 10.0.2.1 0.0.0.0
network 10.100.100.1 0.0.0.0
network 172.16.0.1 0.0.0.0
MBO-SW-01#
MBO-SW-01#sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 192.168.166.1
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 0
Number of Service Group Routers: 0
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Service Identifier: 62
Number of Service Group Clients: 0
Number of Service Group Routers: 0
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
MBO-SW-01#
MBO-SW-01#sh ip wccp in
MBO-SW-01#sh ip wccp interfaces
WCCP interface configuration:
FastEthernet3/5
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
Vlan2
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
MBO-SW-01#
As you can see on the Catalyst 4507R the following stats are 0
Number of Service Group Clients: 0
Number of Service Group Routers: 0
for the services 61 and 62.
On the router, they reflect a different value.
I would appreciate technical information about how I can configure WCCP for the communication between the Catalyst 4507 with Sup II+ and the WAE 474.
I tested with another router instead of the Catalyst 4507 and the configuration and communication were successful; that was to check for a possible configuration error on the WAEs, but the final objective is to use the Catalyst 4507R.
Thanks for your assistance.
-
I have a redundant 4507 and 4503 connected by 2 gigabit in the main building, and 4 other buildings contain 4503s. I want to make VLANs (around 8 VLANs) for my campus. How can I start making these VLANs and which protocol do I use?
And how can I use VTP in this design?
All Catalysts are connected to the main 4507 and 4503 by fiber optic.
Hi
Assuming that you want your links from your other switches to be Layer 2.
1) You need to make the links between your other switches and your two core switches trunk links.
2) You need to make the 4507 & the 4503 switches vtp servers. You will need to setup a vtp domain name (and optionally a password)
3) Make sure your other switches are set up as vtp clients using the same vtp domain name. To be absolutely sure you don't mess up the network, first put your other switches back into VTP transparent mode. Then make them vtp clients.
4) Create your vlans on one of the vtp server switches. You should then see these get propagated to the other switches.
5) Set spanning-tree root for the vlans to be one of your core 4500 switches and spanning-tree secondary to be the other switch.
6) Create Layer 3 SVI's on the 4507 & 4503 and run HSRP between them. ie. if you have created a vlan 10 and the subnet range is 192.168.1.0/24 your SVI config would look like:
4507 switch
interface vlan 10
ip address 192.168.1.2 255.255.255.0
standby 10 ip 192.168.1.1
standby 10 prio 110
standby 10 auth "add a string here"
standby 10 preempt
4503 switch
interface vlan 10
ip address 192.168.1.3 255.255.255.0
standby 10 ip 192.168.1.1
standby 10 prio 100
standby 10 auth "add a string here"
Do this for all the vlans. Do a no shut on the interfaces.
7) If all your layer 3 interfaces are on the 4507 & 4503 then you don't need to run a dynamic routing protocol. If you do want to run one I suggest EIGRP as it is easy to configure and fast to converge, but as I say you don't really need one in your setup.
I have attached a link to the 4500 config guide for IOS. Your IOS may differ but most of it is pretty much the same.
HTH
Jon
-
Dear all,
I have a Catalyst WS-C4507R-E with the following modules:
---+-----+--------------------------------------+------------------+-----------
1 18 1000BaseX (GBIC) WS-X4418 JAE0531010T
2 18 10GE (X2), 1000BaseX (SFP) WS-X4606-X2-E JAE173302S4
3 4 Sup 7-E 10GE (SFP+), 1000BaseX (SFP) WS-X45-SUP7-E CAT1740L0A3
5 24 10/100/1000BaseT (RJ45) WS-X4424-GB-RJ45 JAB0546053T
The 10 GE module works fine but has the following log:
Feb 23 03:51:25.676: %SFF8472-5-THRESHOLD_VIOLATION: Te2/3: Rx power low alarm; Operating value: -40.0 dBm, Threshold value: -13.9 dBm.
The transceiver is Cisco; I changed the cable but the problem is always the same.
What's the problem?
Thanks a lot for your cooperation.
Angelo
You're just using the patch cord between devices?
If so, with 10g SR, and any 50/125, I agree, I wouldn't expect that to be the issue.
-
Packets Dropped In Hardware By CPU Subport on Catalyst 4507
CHAN4507#sh platform cpu pac stat
Packets Dropped In Hardware By CPU Subport (txQueueNotAvail)
CPU Subport TxQueue 0 TxQueue 1 TxQueue 2 TxQueue 3
0 0 0 0 71498709
3 105952 0 0 0
Packets Dropped In Processing Overall
Total 5 sec avg 1 min avg 5 min avg 1 hour avg
3914397 0 0 0 0
Packets Dropped In Processing by CPU event
Event Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Input Acl 338853 0 0 0 0
SA Miss 13 0 0 0 0
Packets Dropped In Processing by Priority
Priority Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Normal 3913388 0 0 0 0
Medium 21642 0 0 0 0
High 996 0 0 0 0
Crucial 3553902 0 0 0 0
Packets Dropped In Processing by Reason
Reason Total 5 sec avg 1 min avg 5 min avg 1 hour avg
SrcAddrTableFilt 2 0 0 0 0
L2DstDrop 15 0 0 0 0
AclActionDrop 338853 0 0 0 0
NoFloodPorts 3575527 0 0 0 0
Total packet queues 16
Packets Received by Packet Queue
Queue Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Esmp 3264762238 132 133 132 132
Control 58750153 1 1 1 1
Host Learning 2278841 0 0 0 0
L3 Fwd Low 12359420458 2263 2016 1155 719
L2 Fwd Highest 2 0 0 0 0
L2 Fwd High/Medium 107 0 0 0 0
L2 Fwd Low 71680133 2 3 2 2
L3 Rx Highest/High/Med 26231554 1 1 1 1
L3 Rx Low 19491956 0 1 1 0
RPF Failure 23 0 0 0 0
ACL fwd(snooping) 4041317 0 0 0 0
ACL log, unreach 120354109 15 13 12 11
Packets Dropped by Packet Queue
Queue Total 5 sec avg 1 min avg 5 min avg 1 hour avg
L2 Fwd Low 732 0 0 0 0
Can anyone answer my following questions?
1. What goes into TxQueue 3?
2. Can we identify any specific ports particularly affected by these drops?
3. Is there some way to rearrange ports on the chassis to reduce drops?
Check out the following link:
http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml
Hope this helps
-
Information from Catalyst 4507 by SNMP
Hello community!
I need to get access to egp and host catalogs by snmp. I have the following switch's configuration:
snmp-server community public RO
snmp-server community privete RW
Can you help me why doesn't it work?
What version of IOS are you running?
Exterior Gateway Protocol (EGP) is BGP's predecessor. I doubt that anybody is still running it.
The support for EGP has been removed from IOS, at the same time as IGRP, in the 12.2T train. Therefore support for EGP is not available in 12.3 and up.
If you're still using an old OS, we can find details on what exactly you want to manage in EGP.
If you mean BGP, you can configure the device for BGP traps and BGP related data, you can configure BGP traps or poll using CISCO-BGP4-MIB.
-Thanks
Vinod
-
Hi
I am using catalyst 4507 R-E
I did the password recovery and then when I reloaded the below info appears in the rommon mode
please help
as to how I can solve this problem
I have reloaded several times but it's the same
* Welcome to Rom Monitor for WS-X4515 System. *
* Copyright (c) 1999-2004 by Cisco Systems, Inc. *
* All rights reserved. *
Rom Monitor Program Version 12.2(20r)EW1
Supervisor: WS-X4515 Chassis: Unknown( 5 )
Hardware Revisions - Board: 2.14 CPLD: 32 Dagobah: 226
MAC Address : 00-15-c6-bd-d3-54
IP Address : 10.10.10.10
Netmask : 255.255.255.0
Gateway : Not set.
TftpServer : 10.10.10.11
Main Memory : 512 MBytes
***** The system will autoboot in 5 seconds *****
Type control-C to prevent autobooting.
******** The system will autoboot now ********
config-register = 0x2102
Autobooting using BOOT variable specified file.....
Could not find a valid file in BOOT environment variable.
BOOT variable can be set from IOS. To find currently set
Rom Monitor variables, please type 'set' command.
For help on choosing a boot method, type 'confreg' command.
rommon 1 >
rommon 1 >
-
I have catalyst 4507 and have the following vlans created:
vlan1 192.168.1.0
vlan10 10.10.1.0
vlan50 192.168.50.0
vlan51 192.168.51.0
I am able to ping host in all vlans from each vlan by IP, but not by name. On our internal dns servers, which are in vlan1, I have created an A record for each host as well as a pointer record.
However, I can ping by name via any host in vlan1 any host that resides in any of the other vlans. I just cannot ping by name from vlan10, vlan50 and vlan51.
Any ideas would be appreciated on how to correct this. Thanks.
Jim
-
Hi,
I'm trying to email an alert by EEM script when a Catalyst 6807 raises a syslog message for an environment alarm (ex: power down). I use the attached script, but when I want to add the syslog message in the email body (line 83) something is wrong and I can't fix the error: the Catalyst tries to execute the syslog message (see email).
Same error for a Catalyst 4507 4506 Sup 6L-E 10GE IOS 15.2(1)E, but the same script works for a Catalyst 4506 Sup 6L-E 10GE IOS 15.0(2)SG.
Any ideas?
Thanks
Hi,
I found my mistake. In the script, I commented out the command "enable" and thus show commands were not recognized by the CLI. The script has always worked well; "Invalid input" was the result of the show command. For IOS 15.2, I need to gain enable level.
So I suspect a different behavior between versions 15.0 and 15.2 for the running level of the Tcl script.
-
NAC OOB and 6500 in Virtual Switch Mode
Is there any issue or special care to implement NAC OOB in Central Deploy, VGW, using AD SSO for wired clients where the Core Switch is a pair of 6500 in Virtual Switch Mode?
The customer uses Radius IAS for authentication. How does it fit with the AD SSO?
Hi Bruce,
I am afraid there are some arguments missing in your db command.
To manually add the OID of Cat4507R+E to CAM's database here is the procedure to do this.
[root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "INSERT INTO supported_switch VALUES ('1.3.6.1.4.1.9.1.1286', '4', 'Cisco Catalyst 4507 R+E')" INSERT 0 1
psql: warning: extra command-line argument "INSERT" ignored
psql: warning: extra command-line argument "0" ignored
psql: warning: extra command-line argument "1" ignored
INSERT 0 1
Then to make sure it is there:
[root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "SELECT * FROM supported_switch" | grep 1286
The output should be:
1.3.6.1.4.1.9.1.1286 | 4 | Cisco Catalyst 4507 R+E
Restart perfigo service on NAC Manager and try to manage the switch using the model used by the above command.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
-
To pick your brain, I have 2 pairs of dark fibers between two datacenters. Dark fibers are terminating on 8 Port channel CWDM and have two pairs of Catalyst 6509 switches connecting to the CWDM using 2 channels each at each datacenter. The connection between the 6509's via CWDM is Layer 3 routing using EIGRP. I would like to also have a layer 2 connection between the datacenters, since I have a few spare channels on the CWDM, for server clustering (two servers between DCs need to be on the same subnet), and I don't want to encounter any STP issues between the 6509 switches. How can I achieve this?
My idea:
Don't have any layer 2 connection on the 6500's since they are core, and connect another pair of Catalyst 4507 at each datacenter to the spare channels on the CWDM and have a layer 2 trunk between the datacenters from the Catalyst 4507 acting as distribution switches, passing frames between the two servers via layer 2 for vlan 95, and have the 4507 connect to the core 6509 via layer 3 routing. So the Catalyst 4707 will act as a distribution and access.
Will my idea work?
Thanks.
Hi
At a high level I cannot see why this wouldn't work, although perhaps you may consider either 3750-E or 4948 switches rather than the 4500 switch, which seems slight overkill for forming a separate L2 link.
You don't say what function your 6500's serve, but assuming they are core within your DC's I would support separate switches for L2 connectivity if you can afford it.
HTH
Jon
-
Switching IPS4240 from PROMISCUOUS to INLINE MODE
Hi, what's the best way to cut over from PROMI to INLINE MODE? Right now we have our IPS 4240 connected to a hub sitting between our firewall and our Catalyst switch and running in PROMISCUOUS MODE. Our INLINE pair is set up. How can I set the IPS for INLINE MODE? Should I just connect 1 interface into the hub, and the other interface into our Catalyst 4507? Please see attached diagram.
Thanks in advance!
-
ASA5520 allowing/blocking Skype
I have the following:
redundant ASA5520s on v8.2(1)
proxy server/web filter for blocking access to websites for staff/students
users who want to use Skype
Cisco Catalyst 4507 core
a dozen VLANs for staff/student/WiFi etc
Cisco core policy that routes 80/443 to transparent proxy on a WiFi VLAN
Windows desktops have direct proxy settings in IE
Pretty much all outbound ports are closed with 80/443 and a handful of specifics for various things open. Because of this Skype attempts to use 80/443, which are sent to the proxy server, but because they're not HTTP/HTTPS they cannot be understood. Skype's attitude is to open 1024-65535 which is just plain stupid!
There's no way to specify which port(s) Skype uses for outbound. I tried opening 33000-33099 which worked perfectly for 2-3 devices (Win laptop, iPad) but others failed all the time.
I've seen people mention using an AIP-SSM module in the ASA for blocking Skype (and other things eg torrents). Is it possible to use this module to allow Skype eg on ports 1024-65535 whilst blocking any other application from using those ports?
Any advice on the handling of Skype in this configuration would be appreciated.
Hi Steve,
To block Skype is not that easy. I am sharing a piece of work which I did some time ago. Hope it might be helpful in case you need to block Skype.
It's just a workaround and you may decide your course of action.
These are Skype login servers:
"dir1.sd.skype.net:9010", "dir2.sd.skype.net:9010", "dir3.sd.skype.net:9010", "dir4.sd.skype.net:9010", "dir5.sd.skype.net:9010", "dir6.sd.skype.net:9010", "dir7.sd.skype.net:9010", "dir8.sd.skype.net:9010" "http1.sd.skype.net:80", "http2.sd.skype.net:80", "http3.sd.skype.net:80", "http4.sd.skype.net:80", "http5.sd.skype.net:80", "http6.sd.skype.net:80", "http7.sd.skype.net:80", "http8.sd.skype.net:80" Skype-SW connects randomly to 1-8.
If you want to block Skype totally and don't want to spend a lot on your firewall, you can use Squid proxy running on OpenBSD.
The below is not an accurate but near by or approximate study of how Skype operates, and is not a comprehensive analysis of its behaviour :
1) Skype will initially attempt to contact supernodes, the IPs of which are in a file stored along with the other files that Skype installs. The first method of contact is direct. The source ports that Skype attempts to connect from are non-default ports. From my observations I could see that the UDP source port 1247 is the initial control channel. Once the connection is established, the rest of the communications is done in TCP over non-default source ports with ranges sweeping from 2940-3000. In general, any company that is serious about its security policy would have strict egress filtering rules, which makes identifying the non-default source/destination ports that Skype uses irrelevant since they would be blocked anyway.
2) If the above fails, Skype will use the proxy server specified in Internet Explorer, and attempt to tunnel the traffic over port 443 using the SSL protocol. The destination IPs are of course random as above, which makes destination blocking out of the question. The only option left is to block SSL, which is not really a solution, unless you want to end up excluding all legal SSL destinations. Deleting the user's proxy settings would also disallow Skype from connecting. That would however leave the user without internet access. Even if the user had no proxy settings, and the proxying was done transparently (which would definitely include proxying http and https traffic), the Skype traffic (SSL) would again be transparently proxied, which puts us back at square one.
The Alternative That Works :
Internet access services in our corporate workplace are provided by our proxy servers. The setup is basically Squid proxy running over OpenBSD. PF (packet filter, OpenBSD's built-in firewall) takes care of all the egress/ingress filtering, and the rest of the content filtering is done in Squid using custom-written access lists. Blocking Skype's default operation was a no-brainer, as our strict egress filtering rules block all outgoing traffic. The problem was with Skype detecting the user's proxy server, and tunneling its traffic over Squid. Upon checking Squid's access logs, all we could see was requests made by the user's machines using the 'Connect' method to random destination IPs.
As mentioned above, blocking SSL or the 'Connect' method means blocking access to all legitimate websites that use SSL (Hotmail, Yahoo, E-banking, E-commerce websites, e.g. any website that is secured by SSL). Should you go down that road, you would have to explicitly allow all permitted destinations (an ongoing technical nightmare).
The catch in successfully blocking Skype given all of the above would be to block access to requests made by clients to destinations specified by their numeric IP address, AND using the 'Connect' method to tunnel the Skype data. I have done that simply by writing an access list in Squid that achieves just that. The access list is in regex (regular expression) format that identifies numeric IP addresses. The access list further specifies the connection method that the client is using. In Squid the 'Connect' method is conveniently called 'Connect' as well.
The access list then is of the following form :
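# Your acl definitions
# Match a dotted-quad IPv4 address at the start of the request URL.
# A CONNECT request's URL is just host:port and has no URL path, so url_regex is used.
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT
# Apply your acls: deny CONNECT requests whose destination is a numeric IP
http_access deny connect numeric_IPs all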
Regards
Anim Saxena
*Rate helpful posts* -
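An added example, not part of the original post: a Python check that applies the same rule as the ACL above to Squid's access log, counting per client the CONNECT requests whose target is an IP literal. The log lines are constructed, the field positions assume Squid's default native access.log format, and the check also recognises bracketed IPv6 literals, which the post's regex does not cover.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Squid's native access.log format (not real traffic).
SAMPLE_LOG = """\
1286536309.450    919 10.1.20.31 TCP_MISS/200 3215 CONNECT 203.0.113.77:443 - DIRECT/203.0.113.77 -
1286536310.102    233 10.1.20.31 TCP_MISS/200 1840 CONNECT 198.51.100.12:443 - DIRECT/198.51.100.12 -
1286536311.870   1422 10.1.20.44 TCP_MISS/200 9120 CONNECT mail.example.com:443 - DIRECT/192.0.2.25 -
1286536312.004     87 10.1.20.44 TCP_MISS/200 5120 GET http://192.0.2.80/index.html - DIRECT/192.0.2.80 text/html
1286536313.377    301 10.1.20.31 TCP_DENIED/403 1390 CONNECT 203.0.113.200:443 - NONE/- text/html
1286536314.010     12 10.1.20.52 TCP_MISS/200 700 CONNECT [2001:db8::5]:443 - DIRECT/2001:db8::5 -
truncated line
"""


def connect_target_is_numeric(target):
    """True if a CONNECT target ("host:port") names the host by IP literal."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))  # accepts IPv4 and IPv6
        return True
    except ValueError:
        return False  # a hostname such as mail.example.com


def numeric_connects(log_text):
    """Return a Counter of client IP -> CONNECT requests to numeric destinations."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip malformed or truncated lines
        # Native format: time elapsed client action/code size method URL ...
        client, method, url = fields[2], fields[5], fields[6]
        if method == "CONNECT" and connect_target_is_numeric(url):
            hits[client] += 1
    return hits


if __name__ == "__main__":
    for client, count in numeric_connects(SAMPLE_LOG).most_common():
        print(f"{client}\t{count} CONNECT requests to numeric IPs")
```

Requests already refused by the ACL (TCP_DENIED) are counted as well, so the same report shows which clients keep retrying after the rule is in place.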
I have 2 Catalyst 4507's each with a 6 port fiber blade. I wish to trunk the two switches to share 3 VLANs.
I understand that I will go ahead and set up switch trunk encapsulation dot1q on each fiber port (I am going to run 2 trunks) and I will add switchport mode trunk.
Is there anything that needs to be done since I will use 2 sets of fiber to make 2 trunks?
Also please confirm if this is correct:
I will create vlan 1, vlan 2 and vlan 3 on both switches and individually assign them the switchports I wish for them to use. Or do I need to do something with VTP?
Any help is greatly appreciated.
Why would you not etherchannel the trunk ports together? That way you would use all the ports and none would be in a STP blocking state.
Sample config would be like:
interface Port-channel1
 description Connection to c4507-2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface GigabitEthernet1/1
 description Connection to c4507-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
interface GigabitEthernet1/2
 description Connection to c4507-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
interface GigabitEthernet2/1
 description Connection to c4507-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
interface GigabitEthernet2/2
 description Connection to c4507-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
You will need to change the interface port number but I hope you get the idea.
Andy