Cisco 3550 ACL on VLAN

i hav got Cisco 3550-12T, in that i hav created VLAN 2,3,4 & 5. now my requirement is VLAN 2 can communicate all VLAN's, where VLAN 5 should only communicate VLAN 2 & vice versa & VLAN 3,4 should only communicate VLAN 2 & vice versa. how do i proceed, by default if i enable "ip routing" i can able to communicate, but i do i filter the packetz as i said above?

Hi,
You can do it using extended acl's fro denying traffic from Vlan 3,4 to vlan 5. This can also be done using Vlan MAPS. Please go through the link below:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swacl.htm#wp1082557
regards,
-amit singh

Similar Messages

Assign VLAN from freeradius to Cisco 3550 Switch

Hi All,
I am trying to assign VLAN from freeradius to the a cisco 3550 switch but it's not working.
I keep getting those lines in the cisco switch debug:
3w6d: RADIUS: Tunnel-Medium-Type [65] 6   01:Unsupported            [6]
3w6d: RADIUS: Tunnel-Type         [64] 6   01:Unsupported            [13]
What does it mean? Any idea how to solve this?
Below freeradius conf and switch debug.
Thanks.
Configuration on freeradius users file:
wassim    Cleartext-Password := "wassim"
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Type:1 = VLAN,
        Tunnel-Private-Group-Id:1 = 100
Cisco Switch debug log:
3w6d: RADIUS: authenticator 99 15 53 A6 AB B7 0B 75 - 9F A7 5F 27 8F F1 2E 67
3w6d: RADIUS: NAS-IP-Address      [4]   6   192.168.1.8
3w6d: RADIUS: NAS-Port            [5]   6   50023
3w6d: RADIUS: NAS-Port-Type       [61] 6   Eth                       [15]
3w6d: RADIUS: User-Name           [1]   8   "wassim"
3w6d: RADIUS: Called-Station-Id   [30] 19 "00-15-F9-F8-4E-97"
3w6d: RADIUS: Calling-Station-Id [31] 19 "00-1A-80-3F-F6-A1"
3w6d: RADIUS: Service-Type        [6]   6   Framed                    [2]
3w6d: RADIUS: Framed-MTU          [12] 6   1500
3w6d: RADIUS: State               [24] 18
3w6d: RADIUS:   DB C1 1C E7 DE C7 09 5E 75 5E 5B 0F 23 3A 54 E7 [???????^u^[?#:T?]
3w6d: RADIUS: EAP-Message         [79] 69
3w6d: RADIUS:   02 06 00 43 15 00 17 03 01 00 38 BF 71 FC FA 04 [???C??????8?q???]
3w6d: RADIUS:   BE DC FD CC 03 D2 7F 8B 09 63 2C B2 AE D8 AC 61 [?????????c,????a]
3w6d: RADIUS:   64 21 2B 00 ED 0E 6E E8 B0 49 50 6B 99 B8 88 A4 [d!+???n??IPk????]
3w6d: RADIUS:   36 C6 FD B9 F0 77 2D 82 28 0A 37 D1 D4 73 B4 59 [6????w-?(?7??s?Y]
3w6d: RADIUS:   F9 37 E6                                         [?7?]
3w6d: RADIUS: Message-Authenticato[80] 18
3w6d: RADIUS:   A2 59 A3 DE A6 98 5F 78 25 12 59 BB 4D B8 74 F0 [?Y????_x??Y?M?t?]
3w6d: RADIUS: Received from id 1645/123 192.168.1.57:1812, Access-Accept, len 186
3w6d: RADIUS: authenticator C0 31 7F D7 A6 D4 1F C8 - 27 AA F0 99 EA 1F 92 C3
3w6d: RADIUS: Tunnel-Medium-Type [65] 6   01:Unsupported            [6]
3w6d: RADIUS: Tunnel-Type         [64] 6   01:Unsupported            [13]
3w6d: RADIUS: Tunnel-Private-Group[81] 6   01:"100"
3w6d: RADIUS: Vendor, Microsoft   [26] 58
3w6d: RADIUS:   MS-MPPE-Recv-Key   [17] 52
3w6d: RADIUS:   86 8B 3E 74 76 E7 CB 9A 8F EF F5 9C 16 2E 88 1A [??>tv????????.??]
3w6d: RADIUS:   12 3B 80 A6 E9 9B B6 6F E6 63 C8 AA B0 DB 0E 76 [?;?????o?c?????v]
3w6d: RADIUS:   61 C1 6A 5D 62 BD 72 BE 78 C8 9D 4D A7 3F 54 35 [a?j]b?r?x??M??T5]
3w6d: RADIUS:   40 DC                                            [@?]
3w6d: RADIUS: Vendor, Microsoft   [26] 58
3w6d: RADIUS:   MS-MPPE-Send-Key   [16] 52
3w6d: RADIUS:   8A 61 97 87 78 FD CA 16 8D F0 ED 75 C0 70 93 AE [?a??x??????u?p??]
3w6d: RADIUS:   71 EF 5A 21 53 35 A4 88 F9 84 16 83 10 43 6E 9E [q?Z!S5???????Cn?]
3w6d: RADIUS:   AB A7 8B 56 6C 42 0D AB 09 1D 82 D3 CB 7E 6C B8 [???VlB???????~l?]
3w6d: RADIUS:   56 58                                            [VX]
3w6d: RADIUS: EAP-Message         [79] 6
3w6d: RADIUS:   03 06 00 04                                      [????]
3w6d: RADIUS: Message-Authenticato[80] 18
3w6d: RADIUS:   82 4B 64 0F 07 64 59 18 0F 27 07 95 A5 15 09 33 [?Kd??dY??'?????3]
3w6d: RADIUS: User-Name           [1]   8   "wassim"
3w6d: RADIUS: EAP-login: length of eap packet = 4
3w6d: RADIUS: Tunnel-MType, [01] 00 00 06
3w6d: RADIUS: TAS(1) created and enqueued.
3w6d: RADIUS: Tunnel-Type, [01] 00 00 0D
3w6d: RADIUS: Tunnel-GID, [01] 100
3w6d: RADIUS: unrecognized Microsoft VSA type 17
3w6d: RADIUS: unrecognized Microsoft VSA type 16
3w6d: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=vlan
3w6d: RADIUS: free TAS(1)
3w6d: RADIUS: no appropriate authorization type for user.
3w6d: RADIUS: Tunnel-MType, [01] 00 00 06
3w6d: RADIUS: TAS(1) created and enqueued.
3w6d: RADIUS: Tunnel-Type, [01] 00 00 0D
3w6d: RADIUS: unrecognized Microsoft VSA type 17
3w6d: RADIUS: unrecognized Microsoft VSA type 16
3w6d: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=vlan
3w6d: RADIUS: free TAS(1)
3w6d: RADIUS: no appropriate authorization type for user.
3w6d: RADIUS: Tunnel-MType, [01] 00 00 06
3w6d: RADIUS: TAS(1) created and enqueued.
3w6d: RADIUS: Tunnel-Type, [01] 00 00 0D
3w6d: RADIUS: unrecognized Microsoft VSA type 17
3w6d: RADIUS: unrecognized Microsoft VSA type 16
3w6d: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=vlan
3w6d: RADIUS: free TAS(1)
3w6d: RADIUS: no appropriate authorization type for user.
3w6d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to up

I believe you should be using the numerical values in your fields, look at this one :
http://www.scribd.com/doc/75788651/52/X-with-VLAN-Assignment
Tunnel-Medium-Type:1 = 6
Tunnel-Type:1 = 13
Tunnel-Private-Group-Id:1 =

Is Cisco Nexus 5596UP support vlan base Policing and traffic shaping on code NX OS version: 5.1(3)N1(1)

Is Cisco Nexus 5596UP support vlan base Policing and traffic shaping on code NX OS version: 5.1(3)N1(1)
where i couldn't see any police command under the policy map

I have tested this issue on another 5548UP with L3 running the same NX-OS version and get the same problem. Show CDP from the switch is not discovering devices, but the neightbors can see the 5K in question. Reboot sometimes will fix it, but not always. I suspect a problem with the software since that doesn't happen in NX-OS 5.2. The one I am using is
Software
BIOS:      version 3.6.0
loader:    version N/A
kickstart: version 5.1(3)N2(1)
system:    version 5.1(3)N2(1)

Cisco 3550 IP Routing

Hi,
I am unable to run IP Routing command on my Cisco 3550 switch . Do upgrading of IOS will help me ?
regards
Neo

Hi ,
here is the output
Switch-1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC13, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Tue 20-Sep-05 10:05 by antonino
Image text-base: 0x00003000, data-base: 0x00351FFC
ROM: Bootstrap program is C3500XL boot loader
Switch-1 uptime is 1 minute
System returned to ROM by power-on
System image file is "flash:c3500xl-c3h2s-mz.120-5.WC13.bin"
cisco WS-C3548-XL (PowerPC403) processor (revision 0x01) with 16384K/1024K bytes of memory.
Processor board ID FAA0428Y13Q, with hardware revision 0x00
Last reset from power-on
Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:02:B9:9C:23:00
Motherboard assembly number: 73-3903-04
Power supply part number: 34-0971-01
Motherboard serial number: FAA04299A9E
Power supply serial number: PAC042800LS
Model revision number: A0
Motherboard revision number: B0
Model number: WS-C3548-XL-EN
System serial number: FAA0428Y13Q
Configuration register is 0xF
Switch-1#
Switch-1#
Switch-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch-1(config)#ip routing
^
% Invalid input detected at '^' marker.
Switch-1(config)#ip r?
radius rcmd
Switch-1(config)#
regards
Neo

ACL or VLAN Mappings

Good afternoon,
We have several VLANs and would like to restrict traffic on some of them.
For one VLAN, lets say vlan 140 we would it to drop all packets except for traffic going to / from 172.30.0.49. Is this possible? If so how? Also, would users be able to obtain DHCP / DNS queries if this rule was in place?
Just like to get an understanding on how this can be done on our core using either ACL or vlan mappings.
Regards,
Mark

Yes, the main advantages are performance and usability.
With ACLs each document can have different security settings.
As for performance, if you enter a query like "what document can a user read?" it requires to check all ACLs (not sure if it is still true, but I think in earlier versions ACLs were implemented as comma-separated strings, so this query was quite costly). With accounts, or security groups, the logic is much closer to relational database, so even though the queries require few OUTER JOINs, in the end they are much faster.
As for usability, imagine a scenario like "I want to replace a person X with a person Y" - with accounts you do it in one place, with ACLs I do not know (not sure if there is anything like "mass ACL update" available).
Note that "a large number of WLS group" should be auto-generated, ideally, in cooperation with an IDM solution.
In general, I'd recommend ACLs only for very specific situations - namely, if security settings change during items lifetime (in 10g, they were a part of a component called Collaboration Manager, and it meant that a user might be granted access to an item only for the sake of a workflow, which is something you cannot do with accounts/security groups - or to be precise, you cannot do it easily).
I have also heard, with no further details, that recently ACLs were redesigned, so some statements above might become obsolete.

Cisco 3550-12T IP address

Can i set IP address in Cisco 3550-12T in any one of the Gigabit Interface, being a layer 3 switch, it is possible, but when i entered the ip address 192.168.1.1 255.255.255.252 in gigabitEthernet 0/1 i get a message IP addresses may not be configured on L2 links why is that so? I enabled IP Routing & tried without enabling also, but still i get the same message. Thanks in advance.

Hi Anand,
Though it is a layer 3 switch but default behaviour of ports are layer 2.
To make it layer 3 you have to first give "no switchport" command.
int gig0/1
no switchport
ip address
HTH
Ankur

3com and cisco switches (802.1q)vlan integration problem - broadcast storm?

Hi forum,
we are using 3com switches, the 3com switches implement open vlans, which mean if an ieee 802.1q packet is received at a port and the port is not a member of that vlan, the switch does not perform vlan filtering. if the address is previously learned, it will be forwarded correctly, but if it is not, it will be flooded to all ports within that VLAN.
my questions:
1) if another cisco switch connected with the 3com switch are placed in the same vlan, and the 3com switch received a 802.1q packet from a rogue device, it will be flooded to all the ports(including the cisco ports) within that VLANs, will it cause a broadcast storm?
2) how do i configure the cisco switch to filter off unknown tagged packet on a port? by using vlan prunning?
3) how do i blocked the broadcast from the 3com switches? using broadcast suppression?
4) is there a way on the design side to effectly counter this problem?
Kind regards,
paul

It sounds like setup of your 3com switch is not quite up to your requirements. If a port is declared as tagged, it's ok to receive tagged frames for VLAN's that were not previously known on this port. However if your policy requires that only specific VLAN's are permitted on given tagged port, then you need to add some extra command on your 3com switch. Check with documentation and possibly with your 3com support partner.
As for cisco routers, tagged ports in Cisco-speach are trunks (this might be confusing for you as 3com calls trunks what in Cisco world is known as either Etherchannel or port aggregation). By default a trunk (tagged) port allows any VLAN. If your policy requires so, you can explicitly specify which VLAN's are allowed on given trunk (tagged) port. If a frame arrives with a tag that is not on the allowed list, the frame will be discarded. So you don't need any fancy broadcast supression to block traffic from disallowed vlans coming from your 3com switch to cisco.
P.S.: Make sure that you don't mistake 'member of VLAN' with 'native VLAN'. Some parts of your message suggest that you do.

UPDATE: Deal of the Week - Cisco 3550 24 port PoE Switch

Well that didn't last long...our "Deal of the Week" this week sold out in 1 day, so we figured we better do another deal for everyone. - - - Cisco 3550 24 Port PoE Switch - $65.00 --- www.cablesandkits.com/DOW

How might you use PowerShell Direct, the latest addition to the PowerShell family that's coming with Windows 10 and Windows Server 2016? Consider this:Have you ever tried to make a configuration changeon a Friday afternoon, right before beer o’clock, and you couldn’t get access to the machine you needed to change? This problem might be caused by out-of-datesecurity settings, a network change, or something else.PowerShell Direct will work, even when otherwise things would stand in your way.According to Petri, the new software will change the way you operate "between hypervisorhost and guest virtual machine in a secure way." No more "faffing about to get security settings configured, holes poked in firewalls," or remoting in – PowerShell Direct gives you a direct way to open a session on any guest computer in seconds.
If you have Windows...

VoIp settings for replacing a Cisco 3550 switch with a SF300-24P

I am adding the SF300-24P to an existing set of switches. My backbone switch is a 3560.
The 3550 I am replacing has this config for each port that supports a Shoretel phone
switchport trunk encapsulation dot1q
switchport mode trunk
mls qos trust dscp
global settings include
spaning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1,200 priority 28762
vlan internal allocation policy ascending
all other settings are at default
Any ideas how to replicate this on this new switch? I added the Shoretel mac address range (00-10-49) into the Telephone OUI. The phone gets power, I think it gets a 192.168.6.x address (local subnet), but then it should get an IP 10.6.0.xx on its VLAN - but it doesn't.
Some configs from the backbone are attached. I did not need to configure any of this in the 3550.
Any ideas?
Fred

Hi fred,
The shoretel phone sounds like it is not attaching to tagged vlan 200 on my switch, the shortel voice vlan as per your screen captures.
The Voice VLAN should be tagged on my switch so that phones attach to a Voice VLAN and PC's connected on the back of the VoIP phones attach to the Data Vlan .
I scoped out, excuse the pun, the shoretel site and have attached a white paper on setting vlans and shoretel.
They mention setting option 156 on the DHCP server, so the phone can get vendor specific information etc... But the phones are not attached to the voice vlan , but the untagged data vlan. You gotta figure how to get the shortel phones to attach to vlan 200, or if you are not daisy chaining PC on the back of the phone, make vlan 200 untagged on these FastEthernet switch ports..
I have attached my SF300-48P version of my configuration and some configuration screen shots i took along the way.
Please review carefully that attached shortel document and my screen shots and a real configuration done on my SF300-48P. The configuration should be almost identical to your configuration.
I added vlan 200. and made sure that all ports were in trunk mode, even the Gigabit uplink ports.
All ports by default are in VLAN1 as you can see below
I then added all ports as tagged ports to vlan 200 as you can see below.
For the sake of Spanning tree, I then made all fast ethernet (phone or PC) ports fastports except for the uplink Gigabit ports.
If you are not sure what portfast does , here's a little tutorial I grabbed from cisco.com
Spanning-tree PortFast causes a port to enter the spanning-tree forwarding state immediately, bypassing the listening and learning states. You can use PortFast on switch ports connected to a single workstation or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state.
Caution PortFast should be used only when connecting a single end station to a switch port. If you enable PortFast on a port connected to another networking device, such as a switch, you can create network loops.
When the switch powers up, or when a device is connected to a port, the port normally enters the spanning-tree listening state. When the forward delay timer expires, the port enters the learning state. When the forward delay timer expires a second time, the port is transitioned to the forwarding or blocking state.
When you enable PortFast on a port, the port is immediately and permanently transitioned to the spanning-tree forwarding state.
Your tasks I guess should be , making sure that vendor specific options for the shoretel phones are included in the DHCP configuration and that you somehow attach the shortel phones (even manually) to vlan 200.
For some reason this site adds a zip extension to the end of my running configuration. I used wordpad to look at the file
I am using firmware version 1.0.0.27 on my unit and the userid=admin password i used was admin
I hope this helps.
regards Dave

Hooking up a cisco 3550 48 port switch to my E2500 router

I am trying to assign an IP to my 3550 switch so I can telnet into it from my computers upstairs but, when I assign the IP to a vlan on the switch and set the port going to the router to access that vlan I still can't see anything pull in the DHCP table on the E2500. The other thing I am not sure about is what I should be setting my default route to is it the 192.168.1.1 or is that just the management IP for the E2500 router? I am pretty sure this is just a case of the E2500 can't deal with the Vlans but with it being set to access it doesn't seem like it should matter it should just live in that Vlan. I can always put a 2600 in front of the switch but I rather not put in a 3rd piece of equipment if I can help it. Any advanced routing information would be appreciated.

If the swtich is a managed switch, it maybe in compatible with the LAN switch on the router as most "home" class routers do not have manged LAN switched for connectors.
I recommend that you contact Cisco about this and see if they have any help and information regarding this. If the management or "smart" features can be disabled on this switch if the has these features, it maybe still usable with the router.
Let us now how it goes.

Cisco 877W Dual SSID/VLAN Security Issue

Hi All
I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE), and one for guests (GUEST). The PRIVATE network is secured from the GUEST nework by zone based firewall. Everything works fine, guest devices cannot access private devices, except for one thing - the BVI interface on the PRIVATE network is always accessible to guest devices, and all services open to attack eg telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on physical, BVI and VLAN interfaces
Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help aprreciated!
P.S config has been pared down to basics below
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ROUTER
boot-start-marker
boot-end-marker
logging buffered 4096
enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0
no aaa new-model
dot11 syslog
dot11 ssid PRIVATE@123
vlan 100
authentication open
authentication key-management wpa
wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F
dot11 ssid VISITOR@123
vlan 200
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 03374C0A08392040420C00
ip source-route
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool GUEST
utilization mark low 70 log
network 172.16.1.0 255.255.255.0
dns-server 192.168.0.1 61.9.242.33 61.9.226.33
default-router 172.16.1.1
ip dhcp pool PRIVATE
utilization mark low 70 log
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.1 61.9.242.33 61.9.226.33
default-router 192.168.0.1
ip cef
no ipv6 cef
multilink bundle-name authenticated
username cisco privilege 15 password 7 073F205F5D1E491713
policy-map type inspect PM-DENYGUEST
class class-default
drop
zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
service-policy type inspect PM-DENYGUEST
bridge irb
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
interface FastEthernet0
no ip address
interface FastEthernet1
switchport access vlan 100
no ip address
interface FastEthernet2
switchport access vlan 100
no ip address
interface FastEthernet3
no ip address
interface Dot11Radio0
no ip address
encryption vlan 100 mode ciphers aes-ccm
encryption vlan 200 mode ciphers aes-ccm
broadcast-key vlan 100 change 30
broadcast-key vlan 200 change 30
ssid PRIVATE@123
ssid VISITOR@123
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.100
encapsulation dot1Q 100 native
zone-member security PRIVATE
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.200
encapsulation dot1Q 200
zone-member security GUEST
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Vlan1
no ip address
interface Vlan100
no ip address
bridge-group 1
interface Vlan200
no ip address
bridge-group 2
interface Dialer0
ip address negotiated
ip access-group 101 out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 7 10580A4F1C4005005B
interface BVI1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE
interface BVI2
ip address 172.16.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security GUEST
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
logging trap debugging
logging 192.168.0.11
control-plane
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
line con 0
exec-timeout 5 0
no modem enable
transport output all
line aux 0
exec-timeout 0 1
no exec
transport output none
line vty 0 4
exec-timeout 5 0
login local
transport input telnet ssh
transport output none
end

Ignore that. self zone got me. Argh! phew!

Cisco Layer 3, Voice, & VLAN

I have a vSphere 5.5 install and I'm in the process of a network upgrade in preparation for a VOIP implementation. The Switch hardware I'm using is a stack of Cisco 3850 Layer 3 switches and I've been going in circles on getting vlan traffic to work correctly. Hopefully someone can point me in the right direction.
I have one NIC connected to the switch (10GB fiber) that will handle all traffic for the esxi host (except for management). VLAN ID is set to None (0) and load balancing is set to Route based on originating virtual port.
I have 2 subnets, 10.1.0.0/16 (data & management, VLAN 1) and 10.10.1.0/24 (Voice, VLAN 10)
On the host I have a Win 2012 R2 server that will be a VOIP PBX host. It must be able to communicate with the IP phones (VLAN 10) and other servers (VLAN 1).
The switches will do the intervlan routing.
Finally my question - Can anyone give me some hints on how to set up the interface on the Cisco for the 10GB fiber connection from my host? Actual port settings would be extremely helpful. Anything I'm doing at the vmware end that I should be doing differently?

In case anyone comes across this in a search, here's what I ended up with, 1st the Cisco switch:
switchport trunk allowed vlan 1,10
switchport mode trunk
switchport nonegotiate
switchport voice vlan 10
macro description cisco-switch
spanning-tree portfast
spanning-tree link-type point-to-point
The virtual switch I set to all vlan IDs and Route based on originating virtual port.

Cisco 3550 SMI switch for security setup ?

I have a 3550 SMI IOS 12.2 switch, I want to setup http, https, dns services for internet. I do not need to set up any mail or web server.
The connection as follows:
Internet ---------Modem----------3550-----------Computer
Modem has no security function, all the security setting will be on 3550 switch. So what is the best approach ?
Is it layer 2 or layer 3 security ? and can I run VPN for the internet surf ? Please kindly advise.
Thanks,
Susan

Thanks for the Reply.
When I config the switch I find out some interesting things, I am no sure if the
configuration is correct or I miss something ? Please help take a look.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny tcp any any eq bgp
access-list 101 deny eigrp any any
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq www log
access-list 101 permit tcp any any eq 443 log
access-list 101 deny ip any any log
int fa0/1
switchport
switchport access v 10
switchport mode access
access group 101 in
int vlan 1
no ip add
That work normal
But if when I put access list 101 to vlan interface 10, my computer can access the internet. ???
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny tcp any any eq bgp
access-list 101 deny eigrp any any
access-list 101 deny ip any any log
int vlan 10
ip add 192.168.1.1 255.255.255.0
access group 101 in
int fa0/1
switchport
switchport access v 10
switchport mode access
int vlan 1
no ip add
For both case, Vlan 1 is down, I connect nothing and assign nothing to vlan 1.
So is the configuration has problem ? or
Something to do with vlan 1 ?
or something I miss ?
Thanks

ARD 3.1 on a Cisco network with multiple VLANs

I really hope someone can help me with this one because it's giving me all sorts of headaches.
I manage all the IT for a large elementary school. We have Macs all over the building. (unfortunately many are still OS 9 Macs) As we replace and add new machines we have some that are wired in the network and some that are wireless. This is creating a rather messy issue with ARD. The backend of our network is running Cisco hardware. Our networking department has split our wired and wireless network on to separate VLANs. If I connect wirelessly to the network from my laptop, I can see the wireless Macs. If I connect through a wired connection I can see the wired machines. If I have both turned on, I tend to get problems with ARD freezing up when it tries to scan the local network. If I scan the wired network and switch to a wireless connection, everything works until the DHCP lease expires on the machines overnight and they get new IP addresses. I'm pretty sure this has to do with Bonjour and mDNS.
Can anyone tell me what information to provide my networking department to get Bonjour and mDNS working across these two VLANs. We have a great networking department but Bonjour and mDNS is not something they deal with much and they aren't Mac fans so this gets put way on the back burner.

I really hope someone can help me with this one because it's giving me all sorts of headaches.
I manage all the IT for a large elementary school. We have Macs all over the building. (unfortunately many are still OS 9 Macs) As we replace and add new machines we have some that are wired in the network and some that are wireless. This is creating a rather messy issue with ARD. The backend of our network is running Cisco hardware. Our networking department has split our wired and wireless network on to separate VLANs. If I connect wirelessly to the network from my laptop, I can see the wireless Macs. If I connect through a wired connection I can see the wired machines. If I have both turned on, I tend to get problems with ARD freezing up when it tries to scan the local network. If I scan the wired network and switch to a wireless connection, everything works until the DHCP lease expires on the machines overnight and they get new IP addresses. I'm pretty sure this has to do with Bonjour and mDNS.
Can anyone tell me what information to provide my networking department to get Bonjour and mDNS working across these two VLANs. We have a great networking department but Bonjour and mDNS is not something they deal with much and they aren't Mac fans so this gets put way on the back burner.

Apply ACL on vlan

Amended the post
Hello
can someone guide how to apply access-list to a vlan
office_A connect to Office_B on different floors on vlan 10
need to allow inbond and outbond traffic
Config of Office_A and host
VLAN
int vlan 10
ip address 192.168.177.254 255.255.255.252
Allow the following host to communicate with host of Office_B
host 192.168.110 port 443
host 192.168.1.16
network 192.168.25.0/24
Network of Office_B
allow following host to communicate with hos of Office_A
192.168.100.10 port 443
1192.168.100.17
192.168.27.0/24
plz guide with right inbond / outbond acl to apply on SVI
thanks
Vishal

Just to be on the same side, you want hosts 192.168.1.10:443 & 192.168.1.16 to connect to 192.168.100.10:443 and hosts 192.168.100.10:443 & 192.168.100.17 to connect to 192.168.110:443?
I'm asking because I got confused from your question. If you have a topology for your network, it would be of great asset.
Best Regards,
Islam M. Nadim

Cisco 3550 ACL on VLAN

Similar Messages

Maybe you are looking for