switchport protected between switches
Hi,
I have several 2950's and 3550's hung on trunks off a common 3550 EMI.
Configuring switchport protected on interfaces disables L2 communications between these interfaces on the same switch.
Can anyone tell me a sane/simple way to disable L2 between interfaces on the same VLAN on different switches?
Thanks.
Thanks.
As I understand it then, all hosts connected to associated primary and secondary private vlans occupy the same ip subnet with a gateway configured on the primary vlan's svi.
Short of replacing all switches with 3560/3750's, could I get L2 isolation by
1. replace the 3550 at the root with a 3560 trunked to both 2950's.
2. configure the 3560 with private primary vlan X with associated private isolated vlan Y
3. configure all 2950 ports connected to workstations as switchport access vlan Y and switchport protected.
4. configure the 2950 ports connected to the server as switchport access vlan X and no switchport protected.
Similar Messages
-
802.1X Authentication issues when moving between switch ports
Hi Guys,
We are having some issues at our office where when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features like MAC Move and MAC Replace but they seem to be used when moving from one port on a switch to another port on that same switch. Will MAC move help for issues between switches? And should I focus my attention on the switch's configuration or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
My configuration we have on the switch ports look as follows:
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
dot1x pae authenticator
Your help is greatly appreciated.
Grant
Hi Neno,
Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
Here is the config:
aaa group server radius customer-nps
 server name radius1
 server name radius2
aaa authentication dot1x default group radius
dot1x system-auth-control
radius server radius1
 address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
 key 7 05392415365959251C283630083D2F0B3B2E22253A
radius server radius2
 address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
 key 7 107C2B031202052709290B092719181432190D000C
interface GigabitEthernet1/0/1
 switchport access vlan 300
 switchport mode access
 switchport voice vlan 2
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication periodic
 authentication timer reauthenticate 28800
 authentication timer inactivity 1800
 mab
 no snmp trap link-status
 mls qos trust cos
 dot1x pae authenticator
 auto qos trust cos
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 spanning-tree portfast
 spanning-tree bpdufilter enable
-
Private Vlan and Switchport Protected
Dear All,
My core switch is 4500 which support Private Vlan. However, I have several closet switch (2950) which only support Switchport Protected. 4500 and each 2950 are connected with trunk using fiber.
How can I config PC at 2950_Switch1 cannot communicate to PC at 2950_Switch2 (all fastethernet port on both 2950 are at the same vlan and same subnet)?
Thanks.
C.K.
Hi C.k.,
I believe you can use switchport protected feature along with port blocking feature to accomplish this. First have your switch ports configured as protected ports on which you don't want the traffic to flow and then configure those ports to deny unknown unicast and multicast using the "port-blocking feature".
Try that and let us know.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1174968
HTH,
-amit singh -
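An added example, not part of the thread or of Cisco's documentation: a Python check that parses an IOS running-config and lists the access ports of one VLAN that lack "switchport protected" or the "switchport block unicast" / "switchport block multicast" port-blocking commands suggested in the reply above. The sample config, the interface names and the audit_vlan helper are constructed for illustration; protected-port isolation is local to one switch, so the check is run per switch and does not by itself prove isolation across trunks.

```python
import re

# Constructed sample (not from the thread): excerpt of a 2950-style running-config.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport protected
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

# Per-port commands named in the reply: protected port plus port blocking.
REQUIRED = ("switchport protected", "switchport block unicast",
            "switchport block multicast")

def parse_interfaces(config):
    """Map each interface name to its list of normalised sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"interface\s+(\S+)", raw)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif current is not None and raw.startswith(" "):
            current.append(" ".join(raw.split()))
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def audit_vlan(config, vlan, exempt=()):
    """Return {interface: [missing commands]}; `exempt` = server/uplink ports."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if name in exempt or "switchport mode trunk" in cmds:
            continue
        # IOS omits the access-vlan line for ports left in VLAN 1.
        access = next((c.rsplit(" ", 1)[1] for c in cmds
                       if c.startswith("switchport access vlan ")), "1")
        if access != str(vlan):
            continue
        missing = [c for c in REQUIRED if c not in cmds]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    print(audit_vlan(SAMPLE_CONFIG, 10, exempt=("FastEthernet0/3",)))
```

Ports that must stay reachable from the protected ports, such as a server port, go in the exempt list so they are not reported.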
Firmware bug: SF220 "switchport protected" command missing
Hello!
We have SF220-48 switches and there are no "switchport protected" command:
sw-u1(config)#interface fa1
sw-u1(config-if)#switchport
access VLAN unaware port
default-vlan default vlan
dot1q-tunnel 802.1Q tunnel port
forbidden forbidden
general Configure switchport in general mode
mode port mode
port-security Configure an interface to be a secure port
trunk VLAN aware port
vlan VLAN
sw-u1(config-if)#
But show interfaces protected-ports command available.
Hi Tim,
I saw this problem in 1.4 while not in 1.3.5.
Now there is a solution for this issue, which is to add the trunk native vlan setting to the user defined macro so that it will finally be recovered after reboot.
no macro auto user smartport macro ip_phone_desktop
# disassociated the user macro
macro name u_ip_phone_desktop
#macro keywords $u_native_vlan $u_voice_vlan
#macro key description: $u_native_vlan: The native VLAN for trunk
# $u_voice_vlan: The voice VLAN ID
#Default Values are
#$u_native_vlan = 10
#$u_voice_vlan = 30
#the default mode is trunk
smartport switchport trunk allowed vlan add $u_voice_vlan
smartport switchport trunk native vlan $u_native_vlan
no macro description
spanning-tree portfast
macro name no_u_ip_phone_desktop
#macro keywords $u_voice_vlan
#macro key description: $u_voice_vlan: The voice VLAN ID
#Default Values are
#$u_voice_vlan = 30
smartport switchport trunk allowed vlan remove $u_voice_vlan
no macro description
spanning-tree portfast auto
macro auto user smartport macro ip_phone_desktop u_ip_phone_desktop $u_native_vlan 10 $u_voice_vlan 30 -
How can I encrypt my data uplinks between switch trunk ports?
I'm unable to use "cts Manual" command in C3560X switch. Suggest me as I want to encrypt my switch-to-switch link with Cisco TrustSec.
Hi
Login to switch & go to interface..
There you can give tags.. (ISL & DOT1Q)
Command switch-port mode trunk
Switch-port trunk encapsulation ssl or dot1Q -
Speed between Switches & IDF MDF
Hello,
I had a question regarding the types of speed and cable one should use when connecting switches in an IDF together, and then connecting those switches back to an MDF.
If I connect each switch in the IDF together with gigabit ethernet, probably cat 6 cables, how do I know that these 1 gigabit inter-connections will support all the traffic between the switches without issues? What if the right speed that I should have used was 10 gigabit? How often is 10 gigabit used to interconnect switches in the IDF?
And this is the same issue I'm trying to figure out with connecting the IDF back to the MDF. Would 1 cat6 via gigabit ethernet speed be enough for all that traffic going back to the MDF? Is there a general rule or something to follow so that I know what speeds to use when?
Also, why use fiber 1gb vs 1gb over cat6 if distance between MDF and IDF is less than 100m?
Thank you for your time
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Regarding your questions about bandwidths between switches, that really depends on traffic volume. An old rule-of-thumb has been uplink bandwidths might be good at about 24:1 for users and 4:1 to 8:1 for servers. Such a rule-of-thumb doesn't account for your hosts' bandwidth requirements, and I believe, with higher bandwidth links, ratios can be increased.
For various technical reasons, fiber is generally considered superior to copper, and so is often preferred by many for inter-network-device links, even when copper offers equivalent performance. I, though, have used gig copper for inter-network-device links with no notable issues (but with huge cost savings). -
Difference between Switching Structure in CCA and Transfer Structure in PC
Hi experts,
Could anybody define the difference between Switching Structure in CCA and Transfer Structure in CO-PCP? I can't also define when we create Primary Cost Component Split, do we use only range of Primary Cost Elements in the Cost Components for the Primary Cost Component Structure? Thanks for the help!
Best Regards,
Georgi
This has been discussed, please check it in the forum
https://forums.sdn.sap.com/click.jspa?searchID=480466&messageID=114309
https://forums.sdn.sap.com/click.jspa?searchID=480466&messageID=1419481
https://forums.sdn.sap.com/click.jspa?searchID=480466&messageID=1479212
Shortly:
Append structures are used for enhancements that are not included in the standard. An append structure is a structure that is assigned to exactly one table or structure. There can be more than one append structure for a table or structure.
http://help.sap.com/saphelp_erp2004/helpdata/en/cf/21eb61446011d189700000e8322d00/content.htm
Includes are used to group fields, an include structure can be assigned to many tables. If you add a fields to an include structure, all tables/structures, which contain that include structure, will be updated too.
http://help.sap.com/saphelp_erp2004/helpdata/en/cf/21ea6a446011d189700000e8322d00/content.htm
Regards,
Santosh -
Difference between Switch -off and disable of an aggregate.
Hi All,
Can anyone please tell me what's the difference between Switch-off and Disable an aggregate?
Appreciate your help.
Thanks,
Soumya.
Hi,
You can temporarily switch off an aggregate to check if you need to use it. An aggregate that is switched off is not used when a query is executed.
To do this select the relevant aggregate and choose Switch On/Off. An aggregate that is switched off is marked in column Filled/Switched off with [icon].
Since aggregates that are switched off must also be consistent, you do not have to activate the aggregate again or to fill it when you switch it back on.
Execute a query or trace that would use the aggregate that was switched off. Compare the time that the database needs with the time that the query needs when using the aggregate. If the query is not significantly slower without the aggregate, you can deactivate or delete the aggregate.
The system deletes all the data and database tables of an aggregate. The definition of the aggregate is not deleted.
Deactivation
Select the required aggregate and choose Deactivate.
The status display in the columns Status and Filled/switched off change back to [icon].
If you want to, you can activate and fill the aggregate again later.
More information:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/26/4bc0417951d117e10000000a155106/frameset.htm
Hope it helps.
Regards,
Ray -
Re: Difference between switcher component and router activity
Hi all,
Here i want to know the difference between switcher component and router activity.
Can anybody give the difference between them or suggest any blog for this.
Thanks,
Syam
<af:switcher> component is an ADF Faces component. You can use it within (the source of) a JSF page or fragment to include a particular group of other JSF components depending on the switcher expression's value.
Router activity is not a JSF component, i.e. you cannot use it within a JSF page or fragment. It is an ADF taskflow activity. You can use it as an activity within an ADF Taskflow to route transitions between some other activities in the taskflow depending on the router's expression.
Dimitar -
Nokia E71 Difference between Switch mode and Profi...
I have Nokia E71, Phone having option to switch modes and also we have profile option.
Can somebody explain the difference between switch mode and having different profile?
Thanks
The profile impacts things like default ringtone, vibration settings, etc.
With the mode switching you can also switch active standby applications and plugins (e.g., work vs. free time).
Personally, I don't use the modes, and with profiles, I only use "General" and "Silent" and don't bother with others. -
Password protect between 10pm and 5am only
I want to password protect my iMac between 10pm and 5am only. At any other times no password would be required.
Log out at 10 pm and log back in at 5 am. Note that, although there are ways to script this automatically, it wouldn't be wise, as unsaved documents would ultimately cancel log out if you're not there to take care of it.
Alternately, you could see my response on the following topic, which requires fast user switching to be turned on (in System Preferences -> Accounts -> Login Options). Of course, then if you lose power or something in the middle of the night, unsaved documents are simply lost. -
Etherchannel or Aggregated ports between switch and AIX server
I have a problem with the configuration of an etherchannel or port aggregation between an 4507 Catalyst switch and a server running AIX 5.2 maintenance level 4. The two ports on the switch are on the same blade.
I tried configuring etherchannel with the command
config-if# channel-group XX mode on
and I tried configuring 802.3ad with the command
config-if# channel-group XX mode active
but in both cases, as soon as I configured the second port, connection went down (I monitored with pings).
On the AIX, I tried configuring modes "round-robin" and "802.3ad" with both switch configurations, but the result was the same.
Does anyone have experience with this kind of configuration?
thanks,
Antoine
Hi amaitre
Could you set up the etherchannel with the AIX Server?
I configured it in my switch 4510 with an AIX, but the 2 ports with channel-group stay in suspend. This is the configuration
interface Port-channel2
 description ## LACP AIX ##
 switchport
 switchport access vlan 100
 load-interval 30
interface GigabitEthernet4/20
 description ## LACP AIX ##
 switchport access vlan 100
 channel-protocol lacp
 channel-group 2 mode active
 spanning-tree portfast
interface GigabitEthernet4/21
 description ## LACP AIX ##
 switchport access vlan 100
 channel-protocol lacp
 channel-group 2 mode active
 spanning-tree portfast
This configuration works with a server Dell with windows 2008.
The schema is 1 switch 4510 with etherchannel to AIX.
Thanks! -
Can two WRT610N routers be used to create a wireless connection between switches?
I am getting somewhat lost in the jargon involved with routers and access points and need better understanding of the functionality of the WRT610N router. The questions I need answered are:
To eliminate the need for WUSB600N USB adapters for each of the happily switched office computers: can I use two WRT610N routers to connect one end of the building to the other without wires in between? One end has the switched LAN the other has the internet connection.
If this is not the highest bandwidth solution... what is?
Sorry to go off topic but, whether the above is feasible or not, can I establish more than one wireless network - one internal and one for guests - using a WRT610N router?
Firstly thank you for your interest
It is not possible to connect the two parts of our network with a physical connection such as a wire. The goal is therefore to wirelessly join one end of the building to another with as much bandwidth as possible. I am hoping to use high end dual band N equipment. However as linksys does not seem to have an access point which - with my limited understanding - suspect I could connect to an existing gigabit switch. I wish to know if a router can be configured to slave itself to the internet connected router.
One end of the building has the internet and a reception room workstation, the other end currently has 3 computers and a NAS which need to be connected to the internet and each other, as efficiently as possible. I am concerned that USB adapters for each computer would drain workstation resources and be quite expensive.
I am pleased with every aspect of the WRT610N as a router but need guidance as to how to best deal with the other end of the building.
Furthermore I would like to provide a separate independent wireless network for guests to access the internet. Can one dual band router produce two networks? One for internal use only - secured against the outside world and a separate network for guests. If not can a/the second router pull this off?
Does this explain more?
Thank you for any assistance -
802.1x between Switch 3750 and ACS 4.2 Authentication failed --need help
I configured the Switch 3750 and ACS for 802.1x authentication.
When I used Windows as the 802.1x client, it prompted "click here to enter user name and password for the network" as normal.
The problem is that after I entered username and password (I am sure I entered the identical username and password as in ACS) the authentication failed.
What is the most likely problem?
Thx in advance!!!
The configuration of the Sw3750 is:
aaa new-model
aaa authentication login default local
aaa authentication enable default line
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface GigabitEthernet1/0/18
 description Link to test 802.1x
 switchport access vlan 119
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key keepopen0
In the ACS:
Network Configuration -->aaa client ip address: 10.1.119.1(the vlan 119's ip address), shared secret: keepopen0
user setup -->real name:test1, password: test1.
Attached is the debug information
What do you see in ACS failed attempts?
-
Encrypting vlan-trunk traffic between switches
Hi,
Can anyone guide me to some papers or other resources on how to encrypt traffic between 2 switches. The switches will be connected with fiber and use dot-1q tagging. And I want to encrypt all of the trunked traffic.
I was thinking of L2TP, but I haven't found any good description on how to implement this. I have two 3750 switches I thought I might use.
Thanks for any input,
Regards,
Oyvind Mathiesen
mnemonic
Norway
Hi,
Thanks for the response. I had a look at MACsec and it looks good. I would have liked to employ something P2P though, to also limit the amount of MAC addresses broadcasted on the "wire". But let me first give you an understanding of the task:
We have two sites, connected via fibre and we want to create a VLAN trunk across in order to expand the broadcast domains to the other site.
The IDIOT carrier, has a limitation on the number of MAC addresses they allow on the fibre service, 100.
We also need to encrypt the data traversing this connectivity.
MACsec would work 100% except the source and destination MAC addresses are still sent (at least according to https://docs.google.com/viewer?a=v&q=cache:LEf2qOmYZyYJ:www.ieee802.org/1/files/public/docs2011/bn-hutchison-macsec-sample-packets-0511.pdf+&hl=en&gl=za&pid=bl&srcid=ADGEESgmAHXpDOY0RBAE-Rv1HDpu_C_gkeSPN4cv6NGgyP0M1aXVu0UqzCfxo8t_P41ep6J37k4OLKnjfp1M9hoTDHxY22WGz2h7yB7YRLyPvRUbGS8TICzvEMlG92xqbhy6RWFugmnj&sig=AHIEtbTfu0LQIJejdYidE6yzq4lpPifxjQ)
And that would cause me to eat into the 100 MAC limit.
Ridiculous I know, but we are looking for an out-of-the-norm plan...
Thanks