Private vlans and 2960 and 3560 switch
Hi, I have a 3560 switch that supports private VLANs. There are a few computers connected to it and private VLANs work fine. Now I need to connect a 2960 switch to the 3560 switch. The 2960 seems to have no private VLAN configuration options, but it can do private VLAN edge? What is private VLAN edge? If I put the computers on the 2960 into a VLAN that is an isolated VLAN on the 3560, will the computers be able to communicate with each other at layer 2 on the 2960 switch?
Example: I have network 10.0.0.0/24. The network's primary VLAN is 2001, the isolated VLAN is 2002 and the community VLAN is 2003. These settings are on the 3560. So if I put computers on the 2960 switch into VLAN 2002 and make the ports protected ports, will they act as isolated ports, and will they be unable to communicate with ports that are on isolated VLAN 2002 on the 3560?
Can I also use the community VLAN on the 2960? Is this possible, because VLANs 2002 and 2003 would be on the same network?
Similar Messages
-
LMS 2.6 and 2960-24TC-L switch
Hi,
I have a LMS 2.6 with the followings
Campus Manager – 4.0.3
RME – 4.0.3
DFM– 2.0.3
Cisco View – 6.1.2
The following switches are showing as unknown.
cisco WS-C2960G-24TC-L- 12.2(25)SEE2
cisco WS-C2960-48TC-L - 12.2(35)SE5
In the device compatibility list I am also not able to find the switches.
I wanted to know whether I need to upgrade the LMS. If so, will the license on my existing LMS work on the new/upgraded LMS?
BR// Rajiv
Hello,
When searching the documentation for LMS device support, it is better to check whether the exact SNMP sysObjectID is supported. You can execute the following command on the LMS server to get the switch sysObjectID (find the snmpwalk.exe file on your server; this is an example for the default location):
C:\Program Files\CSCOpx\objects\jt\bin>snmpwalk.exe -v2c -c <community> <switch-ip> 1.3.6.1.2.1.1.2
(1.3.6.1.2.1.1.2 is the OID for the sysObjectID variable.)
I'm not sure if there is a device package for the particular switches, but you can always try to search for updates via LMS Web GUI:
Common Services
> Software Center > Device Update
and:
Common Services > Software Center > Software Update
If your LMS server has Internet access, and you have a valid CCO user ID with privileges to download the software, you can download and install all minor updates and device packages. Everything offered for download when using the above Web GUI tools is free if you have paid Cisco SAS support, and it works with the same LMS license you already have.
Do not forget to check the prerequisites (for example, sometimes it is necessary to install an MDF update for Common Services before installing some RME update).
Best regards,
Jasmina -
Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010
I'm not sure if I'm missing something basic here; however, I thought that I'd ask the question. I received a request from a client who is trying to separate traffic out of an IBM P780 - one set of VIO servers/clients (Prod) is tagged with VLAN x going out LAG 1 and another set of VIO servers/clients (Test) is tagged with VLANs y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
The infrastructure is: the host device is trunked via an LACP EtherChannel to a Nexus 2148TP (5010), which then connects to the distribution layer, a Catalyst 6504 VSS. I have tried many things today; however, I feel that the correct solution to get this working is to use an isolated trunk (as the host device does not have private VLAN functionality) even though there is no requirement for hosts to be segregated. I have configured:
1. Private vlan mapping on the SVI;
2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148)
3. All Vlans are trunked between switches
4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
I haven't had any luck. What I am seeing is that as soon as I configure the primary VLAN on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this VLAN (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private VLAN configuration. I believe this may be the cause of most of the issues I am having. Has anyone else experienced this behaviour? Also, I haven't had a lot of experience with private VLANs, so I might be missing some fundamentals with this configuration. Any help would be appreciated.
Hello Emcmanamy, Bruce,
Thanks for your feedback.
Just like you, I have been facing the same problem over the last months with my customer.
Regarding PVLAN on FEX, and as concluded in Bruce's previous posts, I understand:
You can configure a host interface as an isolated or community access port only.
We can configure “isolated trunk port” as well on a host interface. Maybe this specific point could be updated in the documentation.
This ability is documented here =>
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903
You cannot configure a host interface as a promiscuous port.
You cannot configure a host interface as a private VLAN trunk port.
Indeed, a PVLAN is not allowed on a trunk defined on a FEX host interface.
However, since NX-OS 5.1(3)N2(1), the feature 'PVLAN on FEX trunk' is supported. But a command has to be activated before => system private-vlan fex trunk. When entered, a warning about the presence of 'FEX isolated trunks' is displayed.
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705
All these conditions are not met on a N5K interface.
Best regards.
Karim -
Catalyst series - Private VLAN over trunk
Hey every body
I was planning to implement a Cisco Nexus 5596 in a data center as it supports private VLAN over trunk.
But now, I have been forced to use a Cisco Catalyst series instead of the Nexus one.
Based on the feature that is very important for my manager (private VLAN over trunk), which Catalyst switch can replace the Nexus 5596? In other words, what Catalyst series switch works at the same scale and efficiency as the Nexus 5596 and supports the private VLAN over trunk feature?
Cheers
4500x: Yes
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
Nexus 5k: Yes
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
3850s
They don't support PVs at all yet
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
Restrictions for VLANs
The following are restrictions for VLANs:
The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
Private VLANs are not supported on the switch.
You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches. -
DHCP and voice vlan on Cisco 3560 switch
Greetings,
I'm setting up a Cisco 3560 switch for voice and data comms. I'm looking for documentation with best practice guidelines for the following requirements.
1. Using the Cisco 3560 as a DHCP server - Config examples. Do I need to use different subnets for the voice and data vlans?
2. Layer 2 CoS QoS - I'm connecting Aastra phones as well as notebooks - I've been told that Aastra also makes use of the voice vlan config through LLDP and that Aastra phones supports CDP.
Your assistance will be appreciated.
Hi,
Cisco recommends that you have separate VLANs for voice and data, with different IP subnets for voice and data. You will need to configure the DHCP pools accordingly.
Here is the config guide for setting up the IOS DHCP server:
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html
Here are the LAN QoS recommendations:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/netstruc.html#wp1044009 -
QoS on 3560, 2960 and 3750 does not work (Policy-map).
Hi
I am trying to configure QoS on 3 switches (2960, 3560 and 3750) with this configuration:
mls qos
class-map match-all QOS_DATA_CLASS
match access-group name QOS-DATA
class-map match-all QOS_DEFAULT_CLASS
match access-group name QOS-DEFAULT
class-map match-all QOS_VOICE_CLASS
match access-group name QOS-VOICE
class-map match-all QOS_SIGNALING_CLASS
match access-group name QOS-SIGNALING
policy-map QOS-SOFTPHONE-POLICY
class QOS_DEFAULT_CLASS
set dscp default
class QOS_SIGNALING_CLASS
set dscp cs2
class QOS_DATA_CLASS
set dscp cs1
class QOS_VOICE_CLASS
set dscp cs3
interface GigabitEthernet0/34
no switchport
ip address 10.10.11.1 255.255.255.252
ip ospf network point-to-point
priority-queue out
service-policy input QOS-SOFTPHONE-POLICY
interface GigabitEthernet0/47
switchport access vlan 150
spanning-tree portfast
service-policy input QOS-SOFTPHONE-POLICY
ip access-list extended QOS-DATA
permit tcp any any eq 22
permit tcp any any eq 465
permit tcp any any eq 143
permit tcp any any eq 993
permit tcp any any eq 995
permit tcp any any eq 1914
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq smtp
permit tcp any any eq pop3
ip access-list extended QOS-DEFAULT
permit ip any any
ip access-list extended QOS-SIGNALING
permit tcp any any range 2000 2002
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
ip access-list extended QOS-VOICE
permit udp any any range 16384 32767
but when I check the show commands I see that QoS is not working.
CoreA#sh policy-map interface g0/34
GigabitEthernet0/34
Service-policy input: QOS-SOFTPHONE-POLICY
Class-map: QOS_DEFAULT_CLASS (match-all)
3 packets, 198 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-DEFAULT
Class-map: QOS_SIGNALING_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-SIGNALING
Class-map: QOS_DATA_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-DATA
Class-map: QOS_VOICE_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-VOICE
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
CoreA#sh policy-map interface g0/47
GigabitEthernet0/47
Service-policy input: QOS-SOFTPHONE-POLICY
Class-map: QOS_DEFAULT_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-DEFAULT
Class-map: QOS_SIGNALING_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-SIGNALING
Class-map: QOS_DATA_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-DATA
Class-map: QOS_VOICE_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-VOICE
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
What am I doing wrong?
The flow is as follows:
Computer with CIPC --------> Switch 2960 or 3560 or 3750 ------------------> switch core ---------------> CIPC
I have Wireshark on a port mirror on the 2960, 3560 and 3750 switches. In Wireshark I always see the packets marked with the default label.
I hope you can help me.
Regards.
Try this config:
policy-map QOS-SOFTPHONE-POLICY
class QOS_VOICE_CLASS
set dscp cs3
class QOS_SIGNALING_CLASS
set dscp cs2
class QOS_DATA_CLASS
set dscp cs1
class class-default
set dscp default
BR -
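Why the original order marked every packet 'default' can be seen by re-implementing the policy-map's first-match classification in a few lines. This is an added example written for this page, not the poster's configuration or Cisco's code: the ACLs and the two policy-map orders are transcribed from the thread above, named ports (ftp, ftp-data, smtp, pop3) are given their standard numbers, and the packets are constructed test traffic.

```python
"""First-match classification of an MQC policy-map, modelled in Python.

Added example (not from the thread): a policy-map evaluates its classes in
order and stops at the first class whose ACL permits the packet, so a class
whose ACL contains 'permit ip any any' shadows every class listed after it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or anything else (e.g. "icmp")
    dport: int   # destination port; 0 for protocols without ports


# ACLs from the poster's config as (protocol, low port, high port) entries.
# "ip" matches any protocol and any port; named ports use standard numbers.
ACLS = {
    "QOS-DATA": [("tcp", p, p) for p in (22, 465, 143, 993, 995, 1914, 21, 20, 25, 110)],
    "QOS-DEFAULT": [("ip", 0, 65535)],
    "QOS-SIGNALING": [("tcp", 2000, 2002), ("tcp", 5060, 5061), ("udp", 5060, 5061)],
    "QOS-VOICE": [("udp", 16384, 32767)],
}

# class-map name -> the single access-group it matches
CLASS_MAPS = {
    "QOS_DATA_CLASS": "QOS-DATA",
    "QOS_DEFAULT_CLASS": "QOS-DEFAULT",
    "QOS_VOICE_CLASS": "QOS-VOICE",
    "QOS_SIGNALING_CLASS": "QOS-SIGNALING",
}

# policy-maps as ordered (class, dscp) lists, exactly as posted
ORIGINAL_POLICY = [("QOS_DEFAULT_CLASS", "default"), ("QOS_SIGNALING_CLASS", "cs2"),
                   ("QOS_DATA_CLASS", "cs1"), ("QOS_VOICE_CLASS", "cs3")]
CORRECTED_POLICY = [("QOS_VOICE_CLASS", "cs3"), ("QOS_SIGNALING_CLASS", "cs2"),
                    ("QOS_DATA_CLASS", "cs1"), ("class-default", "default")]


def acl_permits(acl_name: str, pkt: Packet) -> bool:
    """Return True if any entry of the named ACL permits the packet."""
    for proto, lo, hi in ACLS[acl_name]:
        if (proto == "ip" or proto == pkt.proto) and lo <= pkt.dport <= hi:
            return True
    return False


def classify(policy, pkt: Packet):
    """Return (class name, dscp) of the first class in policy order that matches."""
    for cls, dscp in policy:
        if cls == "class-default" or acl_permits(CLASS_MAPS[cls], pkt):
            return cls, dscp
    return "class-default", "default"   # implicit class-default: no marking


def per_class_counts(policy, packets):
    """Per-class packet counters, the way 'show policy-map interface' reports them."""
    counts = {cls: 0 for cls, _ in policy}
    for pkt in packets:
        cls, _ = classify(policy, pkt)
        counts[cls] = counts.get(cls, 0) + 1
    return counts


# constructed traffic: RTP media, SIP signalling, SSH, HTTPS and a ping
SAMPLE = [Packet("udp", 20000), Packet("udp", 5060), Packet("tcp", 22),
          Packet("tcp", 443), Packet("icmp", 0)]

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, per_class_counts(policy, SAMPLE))
```

With the original order the counters reproduce the poster's `show policy-map interface` output: every packet lands in QOS_DEFAULT_CLASS because its ACL contains `permit ip any any`, and the later classes are never consulted. The model covers classification order only; it does not model port trust state or any other reason marking could appear unchanged on a mirror port.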
Hi all, need advice on OSPF and private vlans
Hi all.
I have a project to complete and need some help on the possible solution I can use.
Basically we have ospf area 0 and the users in question are in ospf area 7 and is a stub.
I need to route the traffic from these users out through area 0 through 3 core devices, onto an external firewall interface to be placed onto the vpn that sits on it. The firewall is not included in the ospf domain.
My thinking was that the firewall has a default route back into the ospf domain so dont need to worry about traffic coming in, however my job is to segregate these users and take them out of our core network and place them onto an external network via this vpn.
Not sure how to achieve this apart from static routing redistributed but surely this does not seperate their traffic only points the route to ospf?!
I was thinking I might have to use private vlans or policy routing but when I try policy routing the policy gets ignored due to normal forwarding.
Any help and advice would be greatly appreciated.
Cheers
Steve
Steve
Thanks, that helps.
GRE is definitely out because, apart from the 6500, GRE tunneling is not supported on the Cisco switches.
It's good that area 7 is only for these users and not mixed up with other users.
So if I understand correctly, the 4500 interface connecting to the 6500 is in area 0 and the interface connecting to the 3550 is in area.
Or is the 3550 connected to both areas and the 4500 totally in area 0?
Can you confirm the above?
In terms of keeping them separate there are 2 possible choices. You can either -
1) use VRF-Lite, although I'm not sure whether the HP switch would support this. With VRF-Lite you are in effect creating virtual devices on the same physical device. This means each virtual device has its own routing and forwarding table, so it is quite secure because you would only populate the routing table with the routes needed, so there would be no way for users to jump to the rest of your networks.
The downside is that it can become quite complex to configure. If the 4500 is only used to connect area 7 to area 0 then that would not be a problem, but the connection from the 6500 to the HP could be, and I don't even know whether the HP supports VRF-Lite functionality, let alone how to configure it on that switch.
But it would, at least from the 4500 to 6500 to HP, provide complete separation in terms of routing and forwarding. Once it got to the HP it wouldn't, but that might not be an issue.
2) Use PBR (possibly together with ACLs). This is easier to configure, i.e. you configure PBR on the 4500 and the 6500 to get the traffic to the HP switch. But you do not get the actual separation you get with VRF-Lite, i.e. the traffic simply overrides the existing routing tables.
The other thing to bear in mind with PBR is that you also have to configure the return traffic as well, so each device would need multiple PBR configs.
Again, I don't know whether the HP supports PBR, but it may not be an issue depending on what the routing is on the HP.
You could also use a combination of the above, i.e. VRF-Lite between the Cisco switches and then PBR for the last hop to the HP device.
I should say I don't have a huge amount of experience with VRF-Lite, but that should not necessarily stop you using it if it is what you need. There are lots of other people on here, so I'm sure there will be other people who can help if I can't.
It still depends on how much separation is required. VRF-Lite is definitely seen as a way to separate traffic running across a shared infrastructure; PBR is not really seen in the same way. So it may well be worth going back to find out exactly what "segregating" user traffic means.
I don't want to confuse the issue but it's still not entirely clear what the actual requirement is.
Jon -
Catalyst 2960 and SGE500 switches
Hi,
Can we use Cisco Catalyst 2960 and Cisco SGE500 switches on the same network and share the same VLANs?
Hi,
I didn't find VLAN support in the key features of the SGE500, but I'm sure it is there. For VLAN sharing you must configure a trunk between the switches. The VLAN numbers must be the same (excluding some cases).
For sharing VLAN information (VLAN count, names, etc.) the switches must support the VTP protocol; I am not sure that the SGE500 supports it. But VTP is not necessary for trunking between switches. -
Private Vlan and Switchport Protected
Dear All,
My core switch is a 4500, which supports private VLANs. However, I have several closet switches (2950) which only support switchport protected. The 4500 and each 2950 are connected with a trunk over fiber.
How can I configure it so that a PC on 2950_Switch1 cannot communicate with a PC on 2950_Switch2 (all FastEthernet ports on both 2950s are in the same VLAN and same subnet)?
Thanks.
C.K.
Hi C.K.,
I believe you can use the switchport protected feature along with the port blocking feature to accomplish this. First configure as protected ports the switch ports on which you don't want the traffic to flow, and then configure those ports to deny unknown unicast and multicast using the "port-blocking feature".
Try that and let us know.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1174968
HTH,
-amit singh -
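The opening question on this page and this 2950 thread ask the same thing: whether 'switchport protected' on a switch without private-VLAN support can stand in for an isolated port. The simulator below is an added example written for this page, not code from either thread or from Cisco. It encodes the documented forwarding rules (an isolated port reaches only promiscuous ports, a community port reaches its own community and promiscuous ports, and a protected port refuses to forward only to another protected port on the same switch) and walks a frame across trunks in a constructed topology: one PVLAN-capable core and two closet switches whose protected ports simply sit in VLAN 2002. Switch and port names are invented; the VLAN numbers are the ones from the first question.

```python
"""Layer-2 forwarding model: private VLANs versus 'switchport protected'.

Added example, not code from the threads or from Cisco. Encodes the documented
rules: isolated ports reach only promiscuous ports, community ports reach their
own community plus promiscuous ports, and a protected port blocks only traffic
to another protected port on the SAME switch. Topology is constructed.
"""
from dataclasses import dataclass

PRIMARY, ISOLATED, COMMUNITY = 2001, 2002, 2003   # numbers from the first question
SECONDARIES = {ISOLATED, COMMUNITY}


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    role: str   # promiscuous | isolated | community | protected | access | trunk
    vlan: int   # access VLAN or secondary VLAN; 0 for trunks


# Constructed topology: a PVLAN-capable core trunked to two closet switches that
# only support 'switchport protected' and carry VLAN 2002 as an ordinary VLAN.
PORTS = {
    "core/Gi0/1": Port("core", "Gi0/1", "promiscuous", PRIMARY),   # default gateway
    "core/Gi0/2": Port("core", "Gi0/2", "isolated", ISOLATED),
    "core/Gi0/3": Port("core", "Gi0/3", "community", COMMUNITY),
    "core/Gi0/23": Port("core", "Gi0/23", "trunk", 0),
    "core/Gi0/24": Port("core", "Gi0/24", "trunk", 0),
    "closet1/Fa0/1": Port("closet1", "Fa0/1", "protected", ISOLATED),
    "closet1/Fa0/2": Port("closet1", "Fa0/2", "protected", ISOLATED),
    "closet1/Gi0/1": Port("closet1", "Gi0/1", "trunk", 0),
    "closet2/Fa0/1": Port("closet2", "Fa0/1", "protected", ISOLATED),
    "closet2/Gi0/1": Port("closet2", "Gi0/1", "trunk", 0),
}
PVLAN_CAPABLE = {"core"}
LINKS = {"core/Gi0/23": "closet1/Gi0/1", "core/Gi0/24": "closet2/Gi0/1"}
LINKS.update({b: a for a, b in list(LINKS.items())})   # links are bidirectional


def forwards(in_p: Port, out_p: Port, vlan: int) -> bool:
    """Would in_p's switch forward a frame tagged `vlan` from in_p out of out_p?"""
    if in_p.switch != out_p.switch or in_p == out_p:
        return False
    if in_p.switch not in PVLAN_CAPABLE:
        # Plain VLAN switch: VLAN membership plus the protected-port check, which
        # only knows about ports on this one switch.
        if out_p.role != "trunk" and out_p.vlan != vlan:
            return False
        return not (in_p.role == "protected" and out_p.role == "protected")
    # PVLAN-capable switch. Frames from the gateway side travel in the primary VLAN.
    from_gateway = in_p.role == "promiscuous" or (in_p.role == "trunk" and vlan == PRIMARY)
    if out_p.role == "trunk":
        return True                      # trunks carry primary and secondary VLANs
    if out_p.role == "promiscuous":
        return vlan == PRIMARY or vlan in SECONDARIES
    if out_p.role == "isolated":
        return from_gateway              # isolated hosts hear only the primary VLAN
    if out_p.role == "community":
        return from_gateway or (vlan == out_p.vlan and in_p.role in ("community", "trunk"))
    return False


def reachable(src_key: str, dst_key: str) -> bool:
    """Can a frame sourced on src_key reach dst_key, crossing any number of trunks?"""
    src = PORTS[src_key]
    vlan = PRIMARY if src.role == "promiscuous" else src.vlan
    frontier, seen = [src_key], set()
    while frontier:
        in_key = frontier.pop()
        if in_key in seen:
            continue
        seen.add(in_key)
        in_p = PORTS[in_key]
        for out_key, out_p in PORTS.items():
            if not forwards(in_p, out_p, vlan):
                continue
            if out_key == dst_key:
                return True
            if out_p.role == "trunk" and out_key in LINKS:
                frontier.append(LINKS[out_key])   # frame continues on the far switch
    return False


if __name__ == "__main__":
    for a, b in [("closet1/Fa0/1", "closet1/Fa0/2"), ("closet1/Fa0/1", "closet2/Fa0/1"),
                 ("closet1/Fa0/1", "core/Gi0/2"), ("core/Gi0/2", "core/Gi0/1"),
                 ("core/Gi0/1", "closet1/Fa0/1")]:
        print(f"{a} -> {b}: {'forwarded' if reachable(a, b) else 'blocked'}")
```

Running it shows the boundary a defender should know: two protected ports on the same closet switch are blocked, but a protected port on closet1 reaches a protected port on closet2 through the core's trunks, and a frame from the core's own isolated port reaches the closet hosts too, because the closet switch treats VLAN 2002 as an ordinary VLAN. The model also shows why the closet hosts would not get replies: the gateway answers in primary VLAN 2001, which an access port in VLAN 2002 does not accept. Protected ports therefore only reproduce private-VLAN isolation within one switch; across switches the secondary VLANs have to be carried to devices that apply private-VLAN rules themselves.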
Private VLAN and ASA subinterfaces
Gents,
I have a DMZ 3750 switch and I want to introduce private VLANs on this switch. This switch is connected to a Cisco ASA with a trunk (a subinterface for each primary VLAN) because we have multiple DMZs. What will the configuration on both sides be?
If private VLANs can't be used with ASA subinterfaces, what solution can be used in this scenario?
Thanks,
I would think the ASA doesn't care. The PVLANs are configured on the switch. The port that the ASA is connected to will be promiscuous.
To see how to configure it, check out this guide (a long in depth read but worth it):
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html
Regards,
Ian
If I helped please rate me. -
Hi, guys. I have a question about private VLAN and HSRP implementation. In my network topology, there are two 6509 switches as core switches and the Internet outlet. There is a 3750 as a distribution switch, and a 3550 as an access switch. The topology is as below:
    |        |
  7609----7609
    |        |
       3750
        |
       3550
        |
     servers
Now there are some servers that will connect to the 3550, and the 3750 and 3550 will be treated as Layer 2 switches; that is, these servers' default gateway will be on a VLAN interface on the 7609, and I have configured HSRP between the VLANs on the two 6509s. My question is how to implement private VLAN on the 3550 with HSRP on the 7609, so that these servers can have a redundant gateway and be kept isolated from other servers.
It looks like the 3550 does not support private VLAN.
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a0080094830.shtml
More info. on private VLAN :
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00802c30c4.html#wp1138148
Did you configure VLAN trunking between the 7609, 3750 and 3550? Once we enable VLAN trunking, the server can plug into the assigned VLAN and communicate with the 7609 via the trunk without interference from other VLANs. However, you have to enable VLAN routing on the 7609 to make it able to connect to users in other VLANs if you want.
Hope this helps. -
Hi,
On a Catalyst 3750, I have created a Primary and Secondary Community VLANs and have associated them.
The Primary VLAN (100) is attached to a promiscuous port, the Secondary VLANs (101-103) aren't attached to any port.
I would like to let the Secondary VLANs traffic pass over an EtherChannel link that is a dot1q trunk.
The trunk is made with a virtual switch (VMware ESX) and transports non-Private VLANs (101-103). The trunk itself works.
How can I configure the EtherChannel as a private-VLAN port, considering that the EtherChannel isn't using PAgP/LACP modes? ("group-channel 1 mode on").
Is there a way to solve this without replacing the Private-VLANs with VLANs?
Thanks in advance for your help!
From "EtherChannel Configuration Guidelines"
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sed/scg/swethchl.htm#wp1021856
Do not configure a private-VLAN port as part of an EtherChannel. -
How to set up VLAN for DATA and VOIP on SRW248G4P switch?
Hi guys,
I am totally new and was given this task to complete. I really really need help.
We are using one network 192.168.1.0
Shared with data and voip.
CISCO C870, 5 switches LINKSYS SRW248G4P .
The email wrote:-
On the Linksys switch;
- create two different VLANs one for voice and one for data.
- put a firewall between the two VLANs (between voice and data) and only enable certain ports to flow to voice network (inbound tcp 8443 and ssh )
What should I do, guys? I really need a dumb guide now.
I know it's simple for you guys but I am not a smart IT fella. What's the step by step?
If the switch is new or you have support on this, then you might try calling the support center. Here is a link:
https://www.myciscocommunity.com/community/smallbizsupport
On the right hand side you can find links to the support center.
Here is a link to the guide:
http://www.cisco.com/en/US/products/ps9967/prod_maintenance_guides_list.html
@ the bottom of this link you can find your switch model, you want the larger of the two. In this guide it shows you how to create a second vlan.
Will your router be the firewall between the two?
Kindest regards,
Andrew Lissitz -
AAA and 3560 Switch + CNA
Hi
Has anyone got this to work?
CNA. (Cisco Networks Assistants) and AAA (Tacacs+) on a 3560 switch.
I can't get CNA to work in this setup, but it works fine together with 3500XL and 3550 series switches, with the same parameters.
this is the aaa conf.
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default enable group tacacs+ none
aaa authorization exec default group tacacs+ local
aaa authorization exec no_tacacs none
aaa authorization commands 15 default group tacacs+ if-authenticated local
aaa authorization commands 15 no_tacacs none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip http server
ip http authentication aaa
Hi
No. I get the prompt for username and password, and hit enter. Then nothing happens. It looks like it's trying to build the network but it never finishes. I know it works without the aaa statements. But I can't live with that. -
Netflow on 2960 and 3560 !!
Dear all,
I am trying to configure NetFlow on Cisco Catalyst 2960 (12.250 SE4) and 3560G (12.250) switches for McAfee Network Security Manager.
But the netflow command is not supported for this McAfee device.
I want to know, is there any process to configure NetFlow on this device?
Thanks in advance.
As far as I know those switches do not support any kind of NetFlow.