Trunk Vs physical port

Guys, can someone please tell me what is the difference between using a subinterface and a physical interface? For example, if I have four DMZs and I take ether1 and then subdivide it into four and trunk it to the switch (with port channel)... the other scenario is that I take each physical link and make a separate DMZ (apart from redundancy). What is the difference, and what does Cisco recommend, or what does security say on this? Guys, please help, as I can't get my head around it.

Hi Guroo,
As such there are no specific recommendations; it all depends on your requirements. If you have 4 vacant ports available and do not have any future requirements, then you can use individual physical ports, but if you have any issues, then you can easily make 4 sub-interfaces on the ASA physical port; just make sure not to use that physical port to pass the traffic.
Thanks,
Varun Rao
Security Team,
Cisco TAC
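The reply's one rule for the subinterface design is that the parent port must not itself carry traffic, and each DMZ then needs its own VLAN tag. The following audit script is an added example (not from the thread or from Cisco) that checks both points over a constructed ASA-style configuration: the parent interface must have no nameif/IP address, every subinterface must carry a distinct VLAN on that parent, and every subinterface must be named. The configuration text, interface names and VLAN numbers are constructed for the example; the fourth subinterface deliberately reuses VLAN 30 so the script has something to report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one ASA physical port carved into four DMZ subinterfaces.
# The parent port carries no nameif/IP (the "do not pass traffic" advice above);
# the fourth subinterface reuses VLAN 30 on purpose to produce a finding.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz-web
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz-mail
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif dmz-dns
 security-level 50
 ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
 vlan 30
 nameif dmz-ftp
 security-level 50
 ip address 10.10.40.1 255.255.255.0
!
"""


@dataclass
class Iface:
    name: str
    vlan: Optional[int] = None
    nameif: Optional[str] = None
    ip: Optional[str] = None


def parse_asa_interfaces(text):
    """Parse 'interface ...' stanzas into Iface objects keyed by interface name."""
    ifaces = {}
    cur = None
    for line in text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = Iface(m.group(1))
            ifaces[cur.name] = cur
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("vlan "):
            cur.vlan = int(s.split()[1])
        elif s.startswith("nameif "):
            cur.nameif = s.split(None, 1)[1]
        elif s.startswith("ip address "):
            cur.ip = s.split()[2]
    return ifaces


def audit_subinterfaces(ifaces):
    """Return a list of findings for subinterface-based DMZ segmentation."""
    findings = []
    seen_vlans = {}  # (parent, vlan) -> subinterface that already uses it
    for name, i in ifaces.items():
        if "." not in name:
            # Parent port: must not be a named/addressed interface, or untagged
            # frames on the trunk would be accepted as a fifth, unnamed segment.
            if i.nameif or i.ip:
                findings.append(f"{name}: parent of subinterfaces has nameif/ip configured")
            continue
        parent = name.split(".")[0]
        if parent not in ifaces:
            findings.append(f"{name}: parent {parent} not configured")
        if i.vlan is None:
            findings.append(f"{name}: subinterface has no vlan tag")
        else:
            key = (parent, i.vlan)
            if key in seen_vlans:
                findings.append(f"{name}: vlan {i.vlan} already used by {seen_vlans[key]}")
            else:
                seen_vlans[key] = name
        if not i.nameif:
            findings.append(f"{name}: no nameif, interface cannot pass traffic")
    return findings


if __name__ == "__main__":
    for finding in audit_subinterfaces(parse_asa_interfaces(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the only finding is the duplicated VLAN on GigabitEthernet0/1.40; a real ASA would refuse that duplicate at configuration time, but the same check is useful when reviewing exported configs offline.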

Similar Messages

  • Remove trunking from a port in catos?

    All,
    Simple question: I want to remove all trunking from a port on a switch running catos. Clear Trunk seemed the obvious option, though it seems to just remove the vlans that are allowed to pass over the trunk port. Set Trunk mod/port Off doesn't do the trick either. Any thoughts?
    thanks!

    Hi Chris,
    "set trunk x/y off" is the correct syntax. When you try that, what happens?
    HTH,
    Bobby

  • WLC2106 - is there a limit of 1 physical port per SSID/WLAN?

    Since SSID/WLAN are assigned to a VLAN/Interface, and VLAN/Interfaces are assigned to a physical port, does that mean, on a WLC2106, a WLAN is limited to 100 mbs, the speed of a single port?
    How can I add more bandwidth per WLAN? What's the workaround?
    On a WLC4400, it is not an issue since the two 1-GIG ports can be made into an etherchannel.
    thanks

    Few things...
    Given that one AP will never really push more than 18Mbps of real throughput anyway (yes, even if all clients are running at 54Mbps), I'd be surprised if you actually have any contention worth worrying about.
    Create multiple interfaces on the WLC, and using Group Mappings ("AP Groups VLAN"), you can then assign each AP to a different group. Presuming you set each group to use a different VLAN for a given SSID, and also presuming that each VLAN is configured for a different physical interface, you then get more than enough bandwidth (ie, 100Mbps per AP).
    The other option is to use H-REAP, which is a mode of operation that allows your LWAPP AP to behave like an IOS AP, i.e., client traffic is dumped straight on to the network without being forced through the controller. This has obvious knock-ons about what the WLC can / can't do w.r.t. monitoring / controlling client traffic.
    Regards,
    Richard.

  • Programmatically identifying com ports by their physical port number

    I have a system with a NI PXI 8420/16 card. Once in a while a glitch in my PXI system occurs such that my physical RS-232 ports get re-assigned different com port numbers. Then I have to go into MAX and reassign my aliases to re-align my LabVIEW application with my port hardware. Is there a way to stop these glitches from happening? OR is there a way to programmatically identify a physical port's com number?
    Solved!
    Go to Solution.

    See if this helps: http://forums.ni.com/ni/board/message?board.id=170&message.id=490257#M490257

  • Not enough physical ports - error message??

    Hi
    I just started to get an error message dialog box when I open Soundtrack Pro on my quad core G5. The message says "the current output device does not have enough physical ports for this document. Some outputs may not play back as a result".
    I don't understand this - can anyone help. If I click OK then for sure, not audio comes out of STP.
    Running version 1.1 on OSX 10.4.10
    This hasn't happened before. It happens either when I open a new STP file with nothing in it, or when sending from FCP.
    Thanks
    Neil

    First of all, thanks for the replies.
    I gave it another try today; I deleted the old files and ripped them to my computer again, this time using Windows Media Player instead of iTunes. I tried transferring them to my iPod again and this time it worked. As always iTunes had to convert them to files that it could read, but then it took just a few seconds and all of them made it to my iPod.
    I don't know what the problem was the first time around. I checked the file sizes, and the largest was 4.2 MB. There were about 11 songs. It was just a typical audio CD and its total length was 44 minutes.
    I guess from now on I'll just import CDs with Windows Media Player and then let iTunes convert them so that I can have even more files on my computer. Oh well. If that's what it takes... Sometime when I have a lot of time to fool around I'll try to see if something is going wrong when I'm importing them with iTunes.
    Thanks again for the responses!

  • Mapping pWWNs to physical port

    I am about to connect up a bunch of V445s with StorageTek PCI-X 4GB HBAs to a SAN solution. Before I can do that, I need to map my pWWNs to the physical support, so our cabling people can connect the bits of wire to the appropriate holes.
    I've got the list of pWWNs, now I need to know how to map them to the physical ports. What I want to end up with is a diagram which has the pWWN and an arrow pointing to a particular port on a particular HBA.
    Any ideas how I do this?
    TIA
    Stuart

    Stuart,
    Give this a try.
    # prtpicl -v | fgrep -e 'scsi-fcp
    > devfs-path
    > wwn'
    You will get more than just HBA info, but it will be easier to wade through than the entire prtpicl -v. Either way, once you've captured the output, search on <scsi-fcp>. Here is a sample using the above filter:
    SUNW,qlc (scsi-fcp, 2e0500000343)
    :device_type scsi-fcp
    :node-wwn 20 00 00 e0 8b 12 3e a7
    :port-wwn 21 00 00 e0 8b 12 3e a7
    :devfs-path /pci@1f,4000/SUNW,qlc@2
    :_class scsi-fcp
    It should be a simple matter to match up the pci slots after that.
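To turn the filtered prtpicl output into the pWWN-to-port list the cabling team needs, here is an added example (not from the thread) that parses output in the shape shown above and looks up each pWWN from the SAN-side list. The first node is the one from the post; the second node and the WWN list are constructed, and the devfs path's device address (the "@2" part) is what the script reports, since translating that to a physical slot is chassis-specific and left to the reader as the reply says.

```python
import re

# Constructed sample in the shape of the filtered 'prtpicl -v' output above.
# The first node is the one from the post; the second is made up for a second HBA.
SAMPLE_PRTPICL = """\
SUNW,qlc (scsi-fcp, 2e0500000343)
:device_type scsi-fcp
:node-wwn 20 00 00 e0 8b 12 3e a7
:port-wwn 21 00 00 e0 8b 12 3e a7
:devfs-path /pci@1f,4000/SUNW,qlc@2
:_class scsi-fcp
SUNW,qlc (scsi-fcp, 2e0500000344)
:device_type scsi-fcp
:node-wwn 20 00 00 e0 8b 12 3e b1
:port-wwn 21 00 00 e0 8b 12 3e b1
:devfs-path /pci@1f,4000/SUNW,qlc@3
:_class scsi-fcp
"""


def normalise_wwn(wwn):
    """Accept '21 00 00 e0 ...', '21:00:00:e0:...' or '210000e0...' and return 16 lowercase hex chars."""
    hexchars = re.sub(r"[^0-9a-fA-F]", "", wwn).lower()
    if len(hexchars) != 16:
        raise ValueError(f"not a 64-bit WWN: {wwn!r}")
    return hexchars


def parse_prtpicl(text):
    """Return one dict per scsi-fcp node: port_wwn, node_wwn and devfs_path."""
    nodes = []
    cur = None
    for line in text.splitlines():
        if line.startswith(":"):
            # Property line belonging to the current node, e.g. ':port-wwn 21 00 ...'
            if cur is None:
                continue
            key, _, value = line[1:].partition(" ")
            cur[key] = value.strip()
        elif "scsi-fcp" in line:
            # Node header line such as 'SUNW,qlc (scsi-fcp, 2e0500000343)'
            cur = {}
            nodes.append(cur)
        else:
            cur = None
    out = []
    for n in nodes:
        if "port-wwn" in n and "devfs-path" in n:
            out.append({
                "port_wwn": normalise_wwn(n["port-wwn"]),
                "node_wwn": normalise_wwn(n.get("node-wwn", n["port-wwn"])),
                "devfs_path": n["devfs-path"],
            })
    return out


def map_pwwns_to_ports(pwwns, prtpicl_text):
    """For each SAN-side pWWN, return this host's devfs path for it, or None if not found here."""
    by_pwwn = {n["port_wwn"]: n["devfs_path"] for n in parse_prtpicl(prtpicl_text)}
    return {normalise_wwn(p): by_pwwn.get(normalise_wwn(p)) for p in pwwns}


if __name__ == "__main__":
    # Constructed SAN-side list; the last entry does not belong to this host.
    wanted = ["21:00:00:e0:8b:12:3e:a7", "21:00:00:e0:8b:12:3e:b1", "21:00:00:e0:8b:ff:ff:ff"]
    for pwwn, path in map_pwwns_to_ports(wanted, SAMPLE_PRTPICL).items():
        print(pwwn, "->", path or "(not on this host)")
```

Run it on each V445 with its own prtpicl capture and the union of the per-host results gives the diagram: any pWWN that resolves to None on every host is a cabling or zoning record that should be questioned before the fibre is plugged in.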

  • Management port in Cisco Switches (are they really physical port)

    Hi all,
    I have been taught to console into my cisco switch for configurations through console cable + putty (serial terminal).
    Then I have been taught to configure a management ip and gateway on the cisco switch.
    Switch# conf t
    Switch(config)# interface vlan 1
    Switch(config-if)# ip address 192.168.1.11 255.255.255.0
    Switch(config-if)# no shut
    Switch(config-if)# exit
    Switch(config)# ip default-gateway 192.168.1.1
    All the while, i thought this is the way to remote in to the switch via putty/telnet through the network to configure the switch, until i saw the picture below (cisco catalyst 2960)
    There is a physical port call ethernet management port.  What is it ?   What is the difference between this port and the earlier example of setting a management ip in VLAN 1 ?
    If i set an IP on this particular interface and I ssh in, will i see the same screen/display/console from the earlier example in which i set a management ip in VLAN1 and I ssh in ?
    Regards,
    Noob

    Hi Leo,
    Sorry if you find it hard to explain to me.
    I have understood to think of the ethernet management port as a separate entity from the original switch.
    Maybe with the help of the diagram below, can you let me know if i have understood correctly ?
    *please assume connected port is a management port separated from the normal switch ports
    q1) does the ethernet management port need to be connected to another switch ?
    I have thought of it as a device on the network and it is mentioned by you previously that it will be connected to a switch
    "he traffic goes up the cable connected to the Management port and up a switch.  Now that switch holds all the information because it is a switch.  "
    q2) In the current setup then, terminal B will be able to access the management port - am i right ?
    q3) you mentioned that the management port is not able to set any gateway, (which is the router fe0/5 - 192.168.0.3 in my illustration), in that case do you mean that terminal A will not be able to access the management port remotely and it can only be accessible locally ?
    Please do correct me if my understanding is wrong.
    Thank you so much for your advices.
    Regards,
    Noob

  • Port-channel "bouncing" but physical ports are not

    Refer to the attached PDF for topology diagram and configuration information.
    Here's the issue.  According to the logs on DC2-5548-P1 and DC2-5548-P2, port-channels Po3107 and Po3108 are going down numerous times.  However, in the same timeframe, the physical interfaces are not reporting any down/up events at all.  This issue began just a few days ago.  Before that, the systems were operating fine.
    NOTE: Po29 is the vPC peer link between P1 and P2.
    UPDATE:  I totally missed this in the logs somehow but the 5Ks are showing that the physical ports are bouncing.  "show interface" output shows the "interface reset" counter incrementing on the physical ports.  This problem started in two separate environments 9 minutes apart at approx 01:52 AM on the 16th of March.  I'm wondering if there was a power event of some sort which caused physical damage to the hosts.  Seems kind of odd that 3 servers started having similar issues within 9 minutes of each other in two 5K environments.

    Hi,
    Putting the EtherChannel to the "on" mode will force the ports to become bundled unconditionally but the true problem, then, is truly seeing if it works. The Cisco switch will happily keep the ports bundled and will even transmit data over these ports but how do we know if Oracle is happy with that and does the same?
    Personally, I would not recommend using the "on" mode precisely because of lack of any indication that things are operating just as they should, unless it can be shown without doubts that Oracle runs without LACP and uses a static EtherChannel.
    Best regards,
    Peter

  • Dot1q trunk causes block port go to forwarding

    Hi
    I have three 3560 switches in a fully-meshed scenario, an access switch and 2 distribution switches. When connecting these switches in the triangle topology, since STP is running by default, one of the ports goes to blocking mode and the loop is prevented. But when on the access switch I set the two ports connected toward the distribution switches to trunk mode with the command "switchport mode trunk", the blocked port goes to forwarding and I can't understand why, because I think the loop is still there and spanning tree must block one of the ports.
    Spanning tree mode is PVST+ and there are 8 VLANs on switches.
    The question is how does this situation occur? i couldn't find reason of this situation.
    Thanks in advance

    Hi, 
    It would be good if you could provide the configuration that you have on each switch port.
    Cheers
    Zarni

  • Difference between Trunk links and port channel

    Hi 
    Can anyone please explain to me the difference between trunk links and EtherChannel?

    As the other posters have already described, in Cisco parlance, a "trunk" is a link that carries VLAN tagged frames. (Note, Cisco has two technologies for these, ISL [old/proprietary] and IEEE 802.1Q [vendor independent].) An Etherchannel (also called a port-channel) is one logical link that includes one or more physical links. (Note, although Etherchannel can run across just one link, normally more than one link is configured. Older and most Cisco implementations support up to 8 links in one channel bundle. There are also multiple Cisco technologies that support Etherchannels, such as manual/PAgP[Cisco/old]/LACP[IEEE 802.3ad].)
    Trunk links might also be configured on an Etherchannel link.

  • Dynamic Trunking Protocol and ports mode

    ((Dynamic Trunking Protocol (DTP), as the name implies, is the protocol used to automatically negotiate a trunk link.
    DTP supports the auto negotiation of both ISL and 802.1q.
    By default all ports on the Catalyst 3550 are dynamic desirable ports which will aggressively attempt to negotiate trunking through DTP.
    To disable DTP and the auto negotiation of trunking, issue the interface level command switchport nonegotiate.))
    1- How many trunk modes have we got? One of them is negotiation. Do we have any others?
    2- "By default all ports on the Catalyst 3550 are dynamic desirable ports".
    2/a- Are there any other modes for ports?
    2/b- Is this different from one type of switch to another?

    "1. Diff trunk modes are on, off, desirable, negotiate".
    Does DTP decide which mode is to be used (choose one out of 5)?
    "2/a. Diff modes of ports are access, trunk, dynamic desirable."
    Does that mean a dynamic desirable port can be either an access or a trunk port?
    I get confused between three different interface mode :
    1- switchports----can be access and trunk ports
    2- routed ports
    3- switched-virtual interface
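The questions above come down to what DTP produces when two ports with given modes are connected, and why the 3550's dynamic desirable default matters. The following is an added example (not from the thread or from Cisco documentation) that models the standard DTP outcome matrix for the switchport modes access, trunk, dynamic desirable and dynamic auto, including the effect of switchport nonegotiate, and then audits a constructed port table for ports still left in a dynamic mode. It goes slightly beyond the quoted text by covering dynamic auto and nonegotiate, which I know from the DTP behaviour of Catalyst switches; the port names in the sample table are constructed.

```python
# Switchport modes as set with 'switchport mode ...' on Catalyst switches.
ACCESS, TRUNK, DESIRABLE, AUTO = "access", "trunk", "dynamic desirable", "dynamic auto"
DYNAMIC = {DESIRABLE, AUTO}


def negotiated_link(local, remote, local_nonegotiate=False, remote_nonegotiate=False):
    """Operational state of the link between two switchports after DTP runs.

    Returns 'trunk' (both ends carry tagged frames), 'access' (both ends are
    access ports) or 'mismatch' (one end trunks while the other does not, which
    gives limited or one-way connectivity).  'nonegotiate' means the port sends
    no DTP frames, so a dynamic peer cannot learn that it should trunk.
    """
    modes = {local, remote}
    if not modes <= {ACCESS, TRUNK, DESIRABLE, AUTO}:
        raise ValueError(f"unknown switchport mode in {modes}")
    if ACCESS in modes:
        # A hard access port never trunks; a hard trunk on the other side mismatches.
        return "mismatch" if TRUNK in modes else "access"
    if local == TRUNK and remote == TRUNK:
        return "trunk"
    if local == TRUNK or remote == TRUNK:
        # Hard trunk facing a dynamic port: the dynamic side trunks only if it
        # receives DTP from the trunk side.
        silent = local_nonegotiate if local == TRUNK else remote_nonegotiate
        return "mismatch" if silent else "trunk"
    # Both ends dynamic: at least one must actively ask (desirable) to form a trunk.
    return "trunk" if DESIRABLE in modes else "access"


# Constructed port table: (interface, switchport mode, nonegotiate set?)
SAMPLE_PORTS = [
    ("FastEthernet0/1", ACCESS, True),
    ("FastEthernet0/2", TRUNK, True),
    ("FastEthernet0/3", DESIRABLE, False),   # the 3550 factory default
    ("FastEthernet0/4", AUTO, False),
    ("GigabitEthernet0/1", TRUNK, False),
]


def ports_left_dynamic(ports):
    """Interfaces whose mode lets an attached device decide whether the link trunks."""
    return [name for name, mode, _ in ports if mode in DYNAMIC]


def hardened_lines(ports):
    """Per-interface commands that pin each dynamic port to a plain access port."""
    return {
        name: ["switchport mode access", "switchport nonegotiate"]
        for name in ports_left_dynamic(ports)
    }


if __name__ == "__main__":
    for a in (ACCESS, TRUNK, DESIRABLE, AUTO):
        for b in (ACCESS, TRUNK, DESIRABLE, AUTO):
            print(f"{a:18} <-> {b:18} : {negotiated_link(a, b)}")
    print(hardened_lines(SAMPLE_PORTS))
```

The matrix answers question 2/a directly: a dynamic desirable port ends up as either an access or a trunk port depending on the peer, which is why, from a defender's point of view, user-facing ports should be pinned to access mode with nonegotiate rather than left at the default.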

  • Do I configure spanning-tree port type ed trunk on LACP port-channels

    Hello,
    Can't seem to see a clear answer and wondering if something could offer some advice please?
    We are using LACP aggregation across all our 10 gig attached servers and also trunking them.  We're running a VPC pair of 5596 Nexus.
    For a standard trunk port I always add the spanning-tree port type edge trunk to the interface config.
    However, I think I should be adding this to the overriding port-channel config. At present a colleague has configured the VPC below, omitting the spanning-tree port type config.
    interface port-channel100
      description a-server
      switchport mode trunk
      switchport trunk allowed vlan 100
      vpc 100
    The port member configs are these which do contain the spanning tree port type:
    interface Ethernet1/1
      description a-server(1)
      switchport mode trunk
      switchport trunk allowed vlan 100
      spanning-tree port type edge trunk
      channel-group 100 mode active
    I always try to keep the overriding port-channel config the same as its members, and obviously for most config you can't have disparate configs anyway.
    However, for the spanning tree config NX-OS allows you to have the members with spanning tree port types and not have to reflect that in the port-channel.
    However I have this issue with STP:
    Switch1# show spanning-tree interface po100
    Vlan             Role Sts Cost      Prio.Nbr Type
    VLAN0100         Desg BKN*200       128.4996 (vPC) Network P2p *BA_Inc
    Is this due to the inconsistency with my port channel to member configs?
    Any advice would be gratefully accepted.
    Thanks!

    Hi Paul, there are some parameters you can define on individual ports and there are some of them that will be inherited from the port-channel configuration no matter what has been configured under the individual ports. Spanning-tree configuration is one of the inherited ones. As soon as the port joins a port-channel, it will start to use the spanning-tree settings under the port-channel. When it leaves the channel, it can continue to use the individual configuration.
    There is a nice summary here under NX-OS Interface Conf Guide > Port-Channel Conf:
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/interfaces/configuration/guide/if_portchannel.html#wp1798338
    Evren
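Since bundled members use the port-channel's spanning-tree settings, a member-only "spanning-tree port type edge trunk" is silently ignored while the port is in the bundle. The following is an added example (not from the thread or from Cisco) that reads NX-OS style running-config text, groups member ports under their port-channel by channel-group number, and reports spanning-tree lines that members carry but the port-channel lacks. The sample config is the one from the question plus a constructed second member, Ethernet1/2.

```python
import re
from collections import defaultdict

# Sample config: port-channel100 and Ethernet1/1 as posted above, plus a constructed
# second member Ethernet1/2 with the same member-level configuration.
SAMPLE_NXOS = """\
interface port-channel100
  description a-server
  switchport mode trunk
  switchport trunk allowed vlan 100
  vpc 100

interface Ethernet1/1
  description a-server(1)
  switchport mode trunk
  switchport trunk allowed vlan 100
  spanning-tree port type edge trunk
  channel-group 100 mode active

interface Ethernet1/2
  description a-server(2)
  switchport mode trunk
  switchport trunk allowed vlan 100
  spanning-tree port type edge trunk
  channel-group 100 mode active
"""


def parse_interfaces(text):
    """Return {interface name: [indented config lines]} from running-config text."""
    ifaces = {}
    cur = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            # Top-level line: start a new stanza only for 'interface ...'
            m = re.match(r"interface (\S+)", raw)
            cur = ifaces.setdefault(m.group(1), []) if m else None
        elif cur is not None:
            cur.append(raw.strip())
    return ifaces


def channel_members(ifaces):
    """Map 'port-channelN' -> [member interfaces] using 'channel-group N ...' lines."""
    members = defaultdict(list)
    for name, lines in ifaces.items():
        for line in lines:
            m = re.match(r"channel-group (\d+)", line)
            if m:
                members[f"port-channel{m.group(1)}"].append(name)
    return dict(members)


def stp_inheritance_findings(ifaces):
    """Spanning-tree lines set on members but absent from their port-channel.

    Those lines are inherited from the port-channel while bundled, so the
    member-level setting has no effect until the port leaves the bundle.
    """
    findings = {}
    for po, ports in channel_members(ifaces).items():
        po_stp = {l for l in ifaces.get(po, []) if l.startswith("spanning-tree")}
        missing = set()
        for p in ports:
            missing |= {l for l in ifaces[p] if l.startswith("spanning-tree")} - po_stp
        if missing:
            findings[po] = sorted(missing)
    return findings


if __name__ == "__main__":
    for po, lines in stp_inheritance_findings(parse_interfaces(SAMPLE_NXOS)).items():
        print(f"{po}: add under the port-channel ->", "; ".join(lines))
```

Feed it "show running-config interface" output from both vPC peers and compare the results side by side: the port-channel is the place to add the missing line, which keeps the member and channel configuration consistent the way the question's author prefers.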

  • Impact of changing VLAN bandwidth if my physical port is 10G?

    My monitoring system is reporting that VLAN X is 100% utilization in my 6509. That VLAN is used to pass traffic between two 10G access ports in that VLAN X. It seems that by default the VLAN bandwidth is 1G, however i am passing more traffic than that in that 10G connection. Is it safe to just change the bandwidth to the VLAN without impact? I think it is but would like to know if someone has some experience with this.
    Thank you,
    Francisco.

    Hi,
    There should not be any issue with changing it according to the actual speed of the interfaces. Typically the interface bandwidth command would be used to communicate the speed of the interface to Interior Gateway Routing Protocols (IGRP), so they would then calculate their metrics based on that value. The bandwidth value should be accurate; otherwise there would be cases where a routing protocol would rely on wrong values (please see the output below) and so would wrongly consider one path as equal to another and use them both equally. Please keep in mind also that the bandwidth command does not affect the actual speed of the interface. One more use of the bandwidth command would be in the adjustment of the initial retransmission parameters of TCP.
    Switch#sh run int f0/9 | in speed
     speed 10
    Switch#sh int f0/9 | in BW
      MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
    In this example, an IGRP would calculate its metric considering 100Mbps as the speed of the interface when the real speed is 10Mbps; that's because the bandwidth is set to 100000 Kb and it is the value that would be used by that IGRP.
    Regards,
    Aref
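To make the reply's point concrete, here is an added example (not from the thread) that parses the two show-command lines above, reports the configured speed versus the advertised BW, and works the routing metric through with EIGRP's default-K composite formula, 256 * (10^7 / BW_kbit + DLY_usec / 10), which I know from EIGRP's documented metric calculation; the reply says "IGRP" loosely, and the EIGRP figure is that formula scaled by 256. The show output strings are reproduced from the reply and labelled as constructed input for the script.

```python
import re

# Constructed input in the shape of the reply's output: port forced to 10 Mb/s,
# BW left at the 100000 Kbit default.
SHOW_RUN_SPEED = "Switch#sh run int f0/9 | in speed\n speed 10\n"
SHOW_INT_BW = "Switch#sh int f0/9 | in BW\n  MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,\n"


def configured_speed_kbps(show_run_text):
    """Parse ' speed 10|100|1000' (Mb/s) into Kbit/s; None when speed is auto or unset."""
    m = re.search(r"^\s*speed (\d+)\s*$", show_run_text, re.M)
    return int(m.group(1)) * 1000 if m else None


def advertised_bandwidth(show_int_text):
    """Return (BW in Kbit, DLY in usec) from a 'show interface' summary line."""
    m = re.search(r"BW (\d+) Kbit, DLY (\d+) usec", show_int_text)
    if not m:
        raise ValueError("no BW/DLY fields found")
    return int(m.group(1)), int(m.group(2))


def eigrp_metric(bw_kbit, dly_usec):
    """EIGRP composite metric with default K values (K1=K3=1, others 0).

    Bandwidth term uses the slowest link in the path in Kbit; delay is summed
    in tens of microseconds; the whole thing is scaled by 256.
    """
    return 256 * (10_000_000 // bw_kbit + dly_usec // 10)


def bandwidth_mismatch(show_run_text, show_int_text):
    """(actual_kbit, advertised_kbit) when the forced speed and BW disagree, else None."""
    actual = configured_speed_kbps(show_run_text)
    advertised, _ = advertised_bandwidth(show_int_text)
    if actual is not None and actual != advertised:
        return actual, advertised
    return None


if __name__ == "__main__":
    bw, dly = advertised_bandwidth(SHOW_INT_BW)
    mismatch = bandwidth_mismatch(SHOW_RUN_SPEED, SHOW_INT_BW)
    print("mismatch (actual, advertised):", mismatch)
    print("metric the router uses  :", eigrp_metric(bw, dly))
    if mismatch:
        print("metric if BW were correct:", eigrp_metric(mismatch[0], dly))
```

With the reply's numbers the router computes 51200 for the link, while the honest value for a 10 Mb/s port is 281600, so a genuine 100 Mb/s alternative path would look no better than this one; the same reasoning in the other direction is why raising the VLAN interface's bandwidth to match the 10G ports is safe.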

  • Physical port security on Cisco switching

    We have a security problem I would like to resolve. Like most sites, our wired network has live ports that periodically, non-corporate PCs and laptops connect up to without our knowledge. In our network we do not filter for valid MAC addresses, although I've learned this is a poor approach to security as a MAC can be changed in about 10 seconds.
    I would like a solution that would validate corporate systems and let them through the Cisco layer 3 switching and block out all other devices which attempt connection. We do not currently have IDS or IPS and are not likely to in short term.
    Is there a hardware or software or combination solution out there that works well for this ?
    Thank you

    Steve
    2 solutions spring to mind
    1) 802.1x authentication. Microsoft XP/Vista has built in 802.1x supplicant and Cisco switches support Network EAP used to pass the 802.1x messages. What you also need is an authentication server such as Cisco Secure ACS server although Microsoft IAS server also supports 802.1x.
    Basically before a client is allowed access to the network they have to authenticate to the network with valid credentials otherwise the port is shutdown.
    2) NAC - Network Admission Control. This goes one step further than 1) whereby the client is also checked to see if it conforms to company policy eg. does it have the right virus checker on it etc.. and if it doesn't the client can be quarantined.
    A search on Cisco's website for both NAC and 802.1x will provide a lot of useful links.
    Jon

  • 2960S physical port question

    Recently added a member to an existing stack; everything went as planned. However, I noticed on one of the members (that existed already) that ports 37-48 are not working. From how it looks, it seems that ports 37-48 could be one module. Is there a way to run a diagnostic on this bank of ports, possibly clear or reset them? Thanks

    Can you post the output to the command "sh post"?
    Sent from Cisco Technical Support Nintendo App
