Disable Multicast MAC Addr restricted in Catalyst 3750 and C3560G

Hi All,
I'm using Cisco 3750 Catalyst and C3560G. A few days ago I purchased a pair of WatchGuard Firewalls and put them in the system to run the HA Active/Active model.
The requirement to run the WatchGuard Firewall HA A/A model is to allow an ARP request if the response contains a multicast MAC address in routers and switches.
I read somewhere that for routers and Layer 3 switches, the default behavior is to follow RFC 1812, which says that routers must not believe any ARP reply that claims that the link layer address of another host or router is a broadcast or multicast address.
Can you please show me the command to allow all multicast MAC addresses for interfaces? Or to disable RFC 1812 in order to get the WatchGuard Firewall to work properly?
Here is the information from WatchGuard: "When you configure WatchGuard FireCluster in an active/active configuration, the cluster uses multicast MAC addresses for all interfaces that send network traffic. Before you enable FireCluster, make sure your network switches, routers, and other devices are configured to route network traffic with multicast MAC addresses."
Please help. Thanks.
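The RFC 1812 rule quoted in the question, written out as a check on a parsed ARP reply. This is an added example, not part of the original post and not Cisco or WatchGuard code; the MAC and IP addresses are constructed samples, and `build_arp`, `parse_arp` and `rfc1812_check` are hypothetical helper names.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)


def build_arp(oper, sha, spa, tha, tpa):
    """Build an Ethernet/IPv4 ARP payload; used here only to construct sample input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))


def parse_arp(payload):
    """Parse the 28-byte ARP payload and return the fields the check needs."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return {"oper": oper, "sha": sha, "spa": str(ipaddress.IPv4Address(spa))}


def classify_mac(mac):
    """Broadcast is all ones; multicast has the I/G bit (LSB of the first octet) set."""
    if mac == b"\xff" * 6:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"


def rfc1812_check(payload):
    """Return (accept, reason) for learning the sender's IP-to-MAC mapping from a reply."""
    arp = parse_arp(payload)
    if arp["oper"] != ARP_REPLY:
        return True, "not a reply"
    kind = classify_mac(arp["sha"])
    if kind != "unicast":
        return False, f"{arp['spa']} claims a {kind} link layer address"
    return True, f"{arp['spa']} has a unicast link layer address"


# Constructed samples: the same IP answered with a unicast, a multicast and a broadcast MAC.
UNICAST_REPLY = build_arp(ARP_REPLY, "00:90:7f:12:34:56", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.254")
MULTICAST_REPLY = build_arp(ARP_REPLY, "01:00:5e:7f:00:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.254")
BROADCAST_REPLY = build_arp(ARP_REPLY, "ff:ff:ff:ff:ff:ff", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.254")

if __name__ == "__main__":
    for sample in (UNICAST_REPLY, MULTICAST_REPLY, BROADCAST_REPLY):
        print(rfc1812_check(sample))
```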

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
My experience on 3750 has been generally only a reload will clear the detailed MLS QoS stats.
However, I thought you could clear the interface stats, although, if not, might be a bug in your IOS version (you didn't note actual 3750 model or specific IOS version being used).
Lastly, the interface stats don't clear at all?  Reason I ask, disabling QoS doesn't preclude you still getting drops.

Similar Messages

  • Interconnecting Catalyst 3750 and 2948G-L3

    I am trying to interconnect a Catalyst 3750 and a 2948G-L3 using fiber GBIC. The interfaces where the GBIC and fiber are attached show up as physically down. I have tried different ports and also changed both switches. No Luck. If I connect a 3524 to the 3750 using the same connection it works.
    Are 2948G-L3 switches compatible with the 3750?
    Thanks,
    VT

    Should have no problem. Can you try the following on the 3750's gig interface:
    speed nonegotiate
    See if the link comes up.
    Please rate all posts.

  • Catalyst 3750 and VRRP

    Can you tell me if your Catalyst 3750 switch (*not* the –E or –X variants) supports VRRP IPv4?  If so what version of firmware do I need?
    Thanks - Walt

    Walt
    Support for VRRP was added in version 12.2(58)SE.
    See this link for details -
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/product_bulletin_c25-658743.html
    Jon

  • Catalyst 3750 and jumbo frames

    We're looking to implement a gigabit segment with a 3750 switch, with the latest Apple iMac G5 clients connected and an Xserve G5 connected doing link aggregation using a 4 port smalltree NIC.
    Although the Xserve supports jumbo frames, I believe the iMac NICs DON'T support jumbo frames although the operating system does (the iMac NICs DO support 1000T). Ideally we'd want the 3750 switch to be configured for jumbo frames. The 3750 switch we've chosen has all ports of 10/100/1000T with the SMI, so all ports will have the MTU set at 9000 if we enable jumbo.
    Although the Xserve will be fine, I'm worried about traffic that ingresses from the Xserve and egresses out to a 10/100/1000 port to which an iMac is connected, which I believe does not support jumbo frames. What are the issues in terms of connectivity and dropped packets for an iMac G5 connected to a 3750?
    Seeing as the MTU is set globally and all our ports are gigabit, and machines will be connected to these ports that don't support jumbo but are advertised as having 'gigabit capability'.
    Sorry if this sounds like an incoherent rant, but I needed to provide as much info as possible. Help much appreciated.

    just to add, in comparison HP gigabit switches can do jumbo vlan on a per vlan and per port basis it's a shame the 3750 can't do that

  • Catalyst 3750 and ACL

    Hello. We have the following settings in our switch. We created an ACL and applied it to an SVI for incoming traffic. I understand that it is not necessary to allow the returning traffic in the ACL, but we can't access RDP, for example, when we add the ACL. If we remove it, the access is OK, but when we add it again the access is denied; we even have a log entry, and the ACL is just for incoming traffic. There is no other ACL. What should we check?  What are we missing here?
    Please see attached file
    Thanks in Advance
    interface Vlan64
    ip address 10.147.64.254 255.255.255.0
    ip access-group 134 in
    access-list 134 permit udp any any eq bootpc log
    access-list 134 permit udp any any eq bootps log
    access-list 134 permit ip any 172.30.146.0 0.0.0.255
    access-list 134 permit ip any 172.23.146.0 0.0.0.255
    access-list 134 permit ip any 10.146.137.0 0.0.0.63
    access-list 134 permit ip any 10.146.137.128 0.0.0.63
    access-list 134 permit ip any host 10.146.81.240 log
    access-list 134 permit ip any host 10.146.46.250
    access-list 134 permit ip any host 10.146.46.157
    access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.46.228
    access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.137.99
    access-list 134 deny   ip any 192.168.0.0 0.0.255.255
    access-list 134 permit tcp any host 172.27.72.27 eq www
    access-list 134 deny   ip any 172.16.0.0 0.15.255.255
    “The next entry generates a log when I try RDP from 10.146.40.29 to 10.147.64.39”
    access-list 134 deny   ip any 10.0.0.0 0.255.255.255 log
    access-list 134 deny   ip any host 98.139.60.248 log
    access-list 134 permit ip any any
    access-list 134 permit icmp any any
    "This is the log showed"
    25w6d: %SEC-6-IPACCESSLOGP: list 134 denied tcp 10.147.64.38(3389) -> 10.146.40.29(1150), 1 packet

    What you are missing is a statement in the access list to permit traffic to the subnet of 10.146.40.0. Since there is no statement that permits this traffic, the line access-list 134 deny   ip any 10.0.0.0 0.255.255.255 log denies the traffic as it should.
    To fix this problem you need to add a statement in the access list before that line to permit the traffic. The line might look something like this:
    access-list 134 permit ip any 10.146.40.0 0.0.0.255
    HTH
    Rick
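The first-match evaluation behind the reply above, replayed against the posted list. This is an added example, not part of the original thread and not Cisco code: a small Python model of extended-ACL matching that handles only the syntax this ACL uses (`any`, `host`, wildcard masks, destination `eq`). The packet is the one in the posted log line, which is the RDP server's reply (source port 3389) entering Vlan64 from the local subnet.

```python
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "www": 80}  # IOS keywords used in this ACL

# access-list 134 as posted in the thread
ACL_134 = """
access-list 134 permit udp any any eq bootpc log
access-list 134 permit udp any any eq bootps log
access-list 134 permit ip any 172.30.146.0 0.0.0.255
access-list 134 permit ip any 172.23.146.0 0.0.0.255
access-list 134 permit ip any 10.146.137.0 0.0.0.63
access-list 134 permit ip any 10.146.137.128 0.0.0.63
access-list 134 permit ip any host 10.146.81.240 log
access-list 134 permit ip any host 10.146.46.250
access-list 134 permit ip any host 10.146.46.157
access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.46.228
access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.137.99
access-list 134 deny   ip any 192.168.0.0 0.0.255.255
access-list 134 permit tcp any host 172.27.72.27 eq www
access-list 134 deny   ip any 172.16.0.0 0.15.255.255
access-list 134 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 134 deny   ip any host 98.139.60.248 log
access-list 134 permit ip any any
access-list 134 permit icmp any any
""".strip().splitlines()

FIX = "access-list 134 permit ip any 10.146.40.0 0.0.0.255"        # entry proposed in the reply
DENY_10 = "access-list 134 deny ip any 10.0.0.0 0.255.255.255 log"  # the fix goes before this one

# Packet from the posted log line: tcp 10.147.64.38(3389) -> 10.146.40.29(1150)
LOGGED_PACKET = ("tcp", "10.147.64.38", "10.146.40.29", 1150)

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):
    """Consume one address spec from the token list; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def parse_ace(line):
    tok = line.split()[2:]                      # drop "access-list 134"
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _addr(tok), _addr(tok)
    dport = None
    if tok[:1] == ["eq"]:                       # only a destination-port "eq" occurs here
        dport = PORT_NAMES[tok[1]] if tok[1] in PORT_NAMES else int(tok[1])
    return action, proto, src, dst, dport

def _hit(addr, spec):
    base, wildcard = spec                       # wildcard bits set to 1 are "don't care"
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, dst, dport):
    """Return (action, 1-based entry number, entry text) of the first matching entry."""
    for n, line in enumerate(acl, 1):
        action, a_proto, a_src, a_dst, a_dport = parse_ace(line)
        if a_proto not in ("ip", proto) or (a_dport is not None and a_dport != dport):
            continue
        if _hit(_ip(src), a_src) and _hit(_ip(dst), a_dst):
            return action, n, line
    return "deny", None, "implicit deny at end of list"

def with_fix(acl):
    """Insert the proposed permit immediately before the deny for 10.0.0.0/8."""
    i = [line.split() for line in acl].index(DENY_10.split())
    return acl[:i] + [FIX] + acl[i:]

if __name__ == "__main__":
    print(evaluate(ACL_134, *LOGGED_PACKET))            # denied by entry 15
    print(evaluate(with_fix(ACL_134), *LOGGED_PACKET))  # permitted by the new entry 15
```

The list is stateless, so the inbound direction on the SVI sees the server's reply as a packet in its own right; the later `permit ip any any` is never reached for any destination in 10.0.0.0/8.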

  • Fast EtherChannel between Catalyst 3750 and 2821 Router

    Hi Guys
    I'm trying to setup a Fast EtherChannel between a cat3750-smi and a 2821 router that consists of only 2 links.
    I am following instructions per TAC, but I'm getting an error along the way;
    On the cat3750:
    interface port-channel 1
    no switchport
    Command Rejected: Not a convertable port
    Can anyone help???
    Also... do the IP Addresses for the EtherChannel need to be the same for both port-channels? Or do I assign the switch like 192.168.1.1 and the router 192.168.1.2 ?
    Thanks!
    Adam

    Hi Adam,
    The ip address cannot be same but it should belong to same subnet. So one side 192.168.1.1 and other side 192.168.1.2 will work fine.
    It's better to convert your layer 2 port as a layer port first, so what you do is: for the port which you want to be in the port channel, go to that interface and convert it with the "switchport" command.
    Once it is a layer 3 port, configure it with a channel group and a layer 3 port channel will automatically be created, and you can assign an IP address then.
    Just give a try and update if it works.
    Regards,
    Ankur

  • Catalyst 3750x and 4510R and Cisco Security Manager

    Hi,
    I just downloaded and install trial (evaluation) version of Cisco Security Manager 4.3. In supported devices list I saw Cisco Catalyst 3750 and 4510R but when I try to add it I got for 3750:
    Invalid device: Device is a switch and cannot be mapped to a Generic Router model.
    Please verify the selected device type, OS version and device configuration
    For 4510R:
    Invalid device: Version 03.03.00.SG (N/A) is not supported for the device type of Cisco Catalyst 4510R Switch Please verify the selected device type, OS version and device configuration
    We need to make a purchase decision but for it we need to import all of our devices and perform some tests.
    Thanks in advance for your replies!
    BR, Vasily.

    I figured this out on my own -- change Compatibility mode of the installer to be Windows 8 (which is same OS version as Windows 2012) and it installs just fine.

  • Catalyst (3750 24 10/100/1000T) and (3750 12 SFP) Stacking Problems

    Dear all
    I'm having a very strange situation here (at least for me)
    we have 4 core switches
    2 x   WS-C3750G-24T-S Catalyst 3750 24 10/100/1000T + IPB Image
    and
    2 x   WS-C3750G-12S-S Catalyst 3750 12 SFP + IPB Image
    Stack configuration is done this way
    when the switches are powered on, the first two SFP core switches are seen as a single stack with the stack master LED turned green on the first switch
    the other two (24 10/100/1000T) switches have the RPS LEDs always green, mode cannot be changed, and cannot be accessed by Console connection
    but when the (24 10/100/1000T) are powered off, the first (SFP) switch in the stack reports that " Switch 3 and 4 has been removed from Stack "
    which means they are stacked but there's something wrong, because
    only the SFP ports are shown in the " Show interfaces status " , the ethernet ports of the bottom switches are not present !!!
    can you please tell me what's the problem ?

    Dear Daniel
    Sorry for my delayed response but i was actually quite busy
    but the problem was actually in another sense
    the default profile for the Catalyst 3750 SFP is the Aggregate SDM Template
    while the 3750 10/100/1000 ethernet Switch Default SDM profile was Desktop profile
    so i had an SDM mismatch
    DATACENTER#sh switch detail
    Switch/Stack Mac Address : 081f.f3cf.1c80
                                               H/W   Current
    Switch#  Role   Mac Address     Priority Version  State
    *1       Master 081f.f3cf.1c80     1      0       Ready              
    2       Member 081f.f3cf.5900     1      0       Ready              
    3       Member aca0.16ac.0180     1      2       SDM Mismatch       
    4       Member aca0.16a3.bc80     1      2       SDM Mismatch 
             Stack Port Status             Neighbors    
    Switch#  Port 1     Port 2           Port 1   Port 2
      1        Ok         Ok                2        4
      2        Ok         Ok                3        1
      3        Ok         Ok                4        2
      4        Ok         Ok                1        3 
    all i did was changing the default profile of the SFP switches into the Desktop Profile and problem was solved
    switch 1 provision ws-c3750g-12s
    switch 2 provision ws-c3750g-12s
    switch 3 provision ws-c3750g-24t
    switch 4 provision ws-c3750g-24t
    system mtu routing 1500
    ip subnet-zero
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface GigabitEthernet1/0/1
    interface GigabitEthernet1/0/2
    interface GigabitEthernet1/0/3
    interface GigabitEthernet1/0/4
    interface GigabitEthernet1/0/5
    interface GigabitEthernet1/0/6
    interface GigabitEthernet1/0/7
    interface GigabitEthernet1/0/8
    interface GigabitEthernet1/0/9
    interface GigabitEthernet1/0/10
    interface GigabitEthernet1/0/11
    interface GigabitEthernet1/0/12
    interface GigabitEthernet2/0/1
    interface GigabitEthernet2/0/2
    interface GigabitEthernet2/0/3
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet2/0/4
    interface GigabitEthernet2/0/5
    interface GigabitEthernet2/0/6
    interface GigabitEthernet2/0/7
    interface GigabitEthernet2/0/8
    interface GigabitEthernet2/0/9
    interface GigabitEthernet2/0/10
    interface GigabitEthernet2/0/11
    interface GigabitEthernet2/0/12
    interface GigabitEthernet3/0/1
    interface GigabitEthernet3/0/2
    interface GigabitEthernet3/0/3
    interface GigabitEthernet3/0/4
    interface GigabitEthernet3/0/5
    interface GigabitEthernet3/0/6
    interface GigabitEthernet3/0/7
    interface GigabitEthernet3/0/8
    interface GigabitEthernet3/0/9
    interface GigabitEthernet3/0/10
    interface GigabitEthernet3/0/11
    interface GigabitEthernet3/0/12
    interface GigabitEthernet3/0/13
    interface GigabitEthernet3/0/14
    interface GigabitEthernet3/0/15
    interface GigabitEthernet3/0/16
    interface GigabitEthernet3/0/17
    interface GigabitEthernet3/0/18
    interface GigabitEthernet3/0/19
    interface GigabitEthernet3/0/20
    interface GigabitEthernet3/0/21
    interface GigabitEthernet3/0/22
    interface GigabitEthernet3/0/23
    interface GigabitEthernet3/0/24
    interface GigabitEthernet4/0/1
    interface GigabitEthernet4/0/2
    interface GigabitEthernet4/0/3
    interface GigabitEthernet4/0/4
    interface GigabitEthernet4/0/5
    interface GigabitEthernet4/0/6
    interface GigabitEthernet4/0/7
    interface GigabitEthernet4/0/8
    interface GigabitEthernet4/0/9
    interface GigabitEthernet4/0/10
    interface GigabitEthernet4/0/11
    interface GigabitEthernet4/0/12
    interface GigabitEthernet4/0/13
    interface GigabitEthernet4/0/14
    interface GigabitEthernet4/0/15
    interface GigabitEthernet4/0/16
    interface GigabitEthernet4/0/17
    interface GigabitEthernet4/0/18
    interface GigabitEthernet4/0/19
    interface GigabitEthernet4/0/20
    interface GigabitEthernet4/0/21
    interface GigabitEthernet4/0/22
    interface GigabitEthernet4/0/23
    interface GigabitEthernet4/0/24
    that's it !
    : D
    cheers

  • /31 on Catalyst 3750 routed port

    I've discovered the feature 'Using 31-Bit Prefixes on IPv4 Point-to-Point Links' and I'm interested in implementing it on a point-to-point uplink network that terminates on one end to a Catalyst 3750 routed FastEthernet port ("no switchport").
    I can enter the IP address in the interface config (172.16.100.0 255.255.255.254), and I get the warning "% Warning: use /31 mask on non point-to-point interface cautiously". Since I can guarantee that this is in fact a point-to-point uplink to a Layer 3 device, can I safely ignore the warning? Is there any way to configure the interface explicitly as a Point-to-Point interface instead of a broadcast interface?
    Thanks!
    -Mason

    Hi,
    It doesn't appear the error is platform specific. I am getting the same error in my lab 2600 when configuring a /31 bit mask.
    You would use the /31 bit mask only on a p-t-p interface hence, you don't need to tell the interface it's a p-t-p interface. I don't know of any generic command to tell the broadcast interface that it's a p-t-p interface. There is a OSPF command but that doesn't have anything to do with this setup.
    R2(config)#int e0/0
    R2(config-if)#ip add 1.1.1.0 255.255.255.254
    % Warning: use /31 mask on non point-to-point interface cautiously
    R2(config-if)#^Z
    R2#show run
    *Mar 1 18:20:21.795: %SYS-5-CONFIG_I: Configured from console by console int e
    /0
    Building configuration...
    Current configuration : 78 bytes
    interface Ethernet0/0
    ip address 1.1.1.0 255.255.255.254
    half-duplex
    end
    R2#show ip arp
    Protocol Address Age (min) Hardware Addr Type Interface
    Internet 1.1.1.0 - 0004.dd85.eee0 ARPA Ethernet0/0
    R2#ping 1.1.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
    R2#show ip arp
    Protocol Address Age (min) Hardware Addr Type Interface
    Internet 1.1.1.1 0 0004.dd85.e9c0 ARPA Ethernet0/0
    Internet 1.1.1.0 - 0004.dd85.eee0 ARPA Ethernet0/0
    HTH
    Sundar

  • Catalyst 3750 interface explanation

    Dear Sir,
    I don't understand as follows :-
    1.) why on Catalyst3750 interface fastethernet 1/0/1 ?? <--- what's the meaning of 1/0/1 ?
    2.) what's the meaning of no mdix auto?
    Please explain and advise.
    Thank you.

    The 3750 has many interesting features; I recommend you go through them before you connect your switches in a production environment.
    Basically, you should provision your stack master with the number of switches and their types. You could provision as well the interfaces with their corresponding configurations, even though the other elements are still not connected yet. This way, you ensure, when you add a provisioned element with the right number, it will take exactly the provisioned configuration you've already set on the master,... as well when changing an element with an other, when moving it,... you will have just to provision its number and then connect it to the stack while is not yet powered on.
    Second, it is recommended to set a priority on each element; this way you will have a deterministic configuration and you know in advance which one will be re-elected as master in any situation.
    If no provision is set on the stack master, when you connect a switch, it has by default the number "1", in this case the newly added switch will take the lowest switch number available (2).
    1.) 1/0/1 --> so the second will be 2/0/1.
    And to address its ports you type: 2/0/1, 2/0/2, 2/0/3, 2/0/4, ... 2/0/24, ...
    How to stacked both of the catalyst 3750? just purchase one stackable cable to link both of them and will it automatically configure the 2nd switch from 1/0/1 to 2/0/1 after we plug in the stackable cable into the 2nd switch.
    For large deployments I recommend the switches be provisioned manually. Before stacking the switches:
    1/ power on the switch that will be the stack master, then wait till it will be in "Ready" state by issuing "show switch detail" command.
    2/ Provision the stack master with the desired stack configuration (numbers of switches, types of switches and interfaces configurations).
    3/ Reload the stack master.
    4/ Provision the second switch with its number and type.
    5/ Power off the second switch after having saved its configuration.
    6/ Stack the second switch to the stack master.
    7/ power it on. It will take the provisioned configuration on the stack master.
    The advantage of this procedure is that switches could not be renumbered while stacked and running.
    Repeat steps 4 to 7 for each new element having been provisioned in the stack master.
    Do not forget to save after each step.
    2.) so i put "no mdix auto" on catalyst 3750, what's the meaning and impact?
    no mdix-auto will disable the advanced feature of abstracting the type of cable (straight-through or crossover). You will downgrade to the standard interface specifications. In fact, mdix-auto (activated by default) permits you not to have the "overhead" of distinguishing crossover and straight-through cables; the interfaces will adapt automatically to the type of cable.
    Another advantage of this function is that it optimises (combined with other functions) error and recovery procedures in layers 1 and 2.
    Mohamed BEN HASSINE

  • Catalyst 3550 and unidirectional multicast

    I have several segments routed by several Catalysts 3550. In one of the segments i start multicast TV streamer. I use IGMP and PIM to route the multicast. But how to restrict the clients only to receive multicast TV stream not to send multicast traffic to other segments joined the same group ?

    Setting a boundary or setting scope will restrict all multicast traffic and preventing any local client from sending any multicast would also prevent forwarding the received multicast any further. Depending on the topology and what the processing requirements are this might or might not be a good solution.
    Another alternative to consider is if you want to allow received multicast to be forwarded but want local originated multicast not to be forwarded would be to configure an outbound access list on the interface. In the access list would be a line like this:
    deny ip 224.0.0.0 15.255.255.255
    This will deny any packet with any broadcast destination address which has a source address within the local subnet. The access list would also have to have appropriate permit commands for the traffic that you do want to send (perhaps permit ip any any).
    HTH
    Rick

  • Catalyst 3750 12.2(25)SD1 and dual nics

    When a Catalyst 3750 stack master fails or leaves the stack, a cross-stack EtherChannel in trunk mode running Link Aggregation Control Protocol (LACP) protocol might stop forwarding traffic on some VLANs.
    The workaround is to enable the stack-mac persistent feature by using the stack-mac persistent timer global configuration command. You can also use the shutdown interface configuration command and then the no shutdown command on the EtherChannel interface.
    I have upgraded a Catalyst 37024 TS 2 switch stack to 12.2(25)SED1 from 12.1(14)EA. The switch has an Alpha Server Cluster connected to it; the cluster has two servers, each having two NICs. There is an active server which has an application IP address, and each server has a server IP address, one NIC active at a time.
    All worked OK up to the upgrade. Now every night when the backup runs no one can access the application IP address or the active server address, but the offline server is pingable. This is only for devices outside the server VLAN. Devices within the server VLAN can happily ping any address.
    I thought this was a routing issue but all looks OK and the offline server can be pinged from anywhere.
    The active server NICs are on 1/0/20 and 2/0/24.
    Any one have any ideas?

    I forgot to add: if I shut both interfaces and then do a no shut on both, the issue is resolved until the next night.

  • Disabling Multicast in Solaris 10

    Hi,
    I have been searching the internet all morning trying to figure out how to disable solaris 10 multicast. I have no need for it. The best information I could find was to modify the script /lib/svc/method/net-svc and comment out the adding of a route point for multicast near the end of the script.
    I thought that hand modifying the methods of SMF was a big no no in solaris 10. Is there a better way to disable multicast?
    For instance, if I do an ifconfig -a I see that all of my interfaces have the MULTICAST flag set. Is there a way in ifconfig to disable that flag?
    I have seen people put ifconfig options into their /etc/hostname.interface file. I think if I can find the correct ifconfig option I can disable the multicast flag during system boot and that should disable multicast.
    Any comments/suggestions would be welcome.
    Eric

    Now that I have done more research I guess I do not have to turn off the multicasting.
    This problem appeared because during snoop sessions I see MANY of the following messages:
    ? -> (multicast) ETHER Type = 022C ... 53 bytes
    I assumed that one of my machines was doing the multicast. However, I shut down all but one machine and then I removed the multicast route from the route table and the messages still appear. I think that either my cisco switch or cisco router is doing the multicast.
    So I guess I will not turn off the multicast on the machines.
    Does it make sense that the router and/or switch is sending out the multicasts?

  • Password problem on Catalyst 3750

    Hi all,
    I am an Unix administrator and we lost all account and password informations to connect on a Catalyst 3750 switch.
    Is there a way to connect to the switch (with a serial cable?) and to create a new account without losing the configuration?
    Thanks for your reply.
    Regards.

    This method won't reset the configuration.
    During the boot process, you rename the current configuration so it doesn't get loaded.
    rename flash:config.text flash:config.old
    When the switch boots, it loads a blank image. Then you rename the config file and load it into the running config and you can change the logon credentials to something you know.
    It's important that you follow the steps exactly so you don't lose the configuration. Password recovery is a pretty common procedure.
    The only other method of recovery is if you have a copy of the current running configuration. Send me a private message if you have this config and we can discuss the possibility.

  • Policer with IPv6 class-map on Catalyst 3750

    Hi,
    I've the following problem.
    It's my goal to ratelimit incoming IPv6 traffic dependent on the destination IP address range.
    On a Catalyst 3750 (Image: c3750-ipservicesk9-mz.122-55.SE1.bin) I've set up the configuration as follows:
    mls qos
    ipv6 access-list DESTINATION-RANGE-A
     permit ipv6 any 2007::/16
    ipv6 access-list DESTINATION-RANGE-B
     permit ipv6 any 2B03::/16
    class-map match-all A
     match access-group name DESTINATION-RANGE-A
    class-map match-all B
     match access-group name DESTINATION-RANGE-B
    policy-map RL-POLICY
     class A
      police 2000000 8000 exceed-action drop
     class B
      police 6000000 8000 exceed-action drop
    interface GigabitEthernet1/0/7
     switchport access vlan 90
     load-interval 30
     service-policy input RL-POLICY
    The last CLI command which should bind the policy to the specific interface, leads to the following error message
    QoS: class(A) IPv6 class not supported on interface GigabitEthernet1/0/7
    Are hardware/software limitations the reason for this behavior or is there any misconfiguration?
    Thanks in advance for your help!
    Regards,
    Jens

    If you are thinking of IPv6 prefix I tried everything. From /128 for single host to /64, nothing works.
