Tuesday, December 10, 2013

Cisco 3560 Routing Between Vlans



I have got a Cisco WS-C3560V2-24TS-S which I use as my core switch; it is set up with multiple VLANs and IP ranges.

I am trying to get the 10.0.10.x IP range to be able to communicate with the 192.168.4.x range. My routing table is below and shows everything as I believe it should, but when I try to ping from the 10.0.10.x range it fails. Anyone have any ideas? Do I need to do anything different as I am using VLAN tagging?
do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.16.0 is directly connected, Vlan30
C    192.168.4.0/24 is directly connected, Vlan1
     10.0.0.0/24 is subnetted, 3 subnets
C       10.0.10.0 is directly connected, Vlan20
C       10.1.1.0 is directly connected, Vlan100
C       10.0.0.0 is directly connected, Vlan10
     150.150.0.0/21 is subnetted, 1 subnets
C       150.150.0.0 is directly connected, Vlan40


Then yes, you need the static route on the host to point to 192.168.4.253, as that is the gateway for VLAN 1 (directly attached network). Even if you add a static route on the router (192.168.4.254) saying that all other VLANs are reached via 192.168.4.253, this will cause TCP half sessions. Example (assuming that no static route to 192.168.4.253 exists on the 192.168.4.10 host): if 10.0.10.10 sends a TCP SYN packet to 192.168.4.10, the packet is sent via the default gateway (10.0.10.254). A routing table lookup is conducted on the 3560; the 192.168.4.0/24 network is directly attached via VLAN 1, so an ARP lookup is executed for 192.168.4.10 to obtain the MAC address to build the layer 2 frame, it is located, and the packet is forwarded out directly via VLAN 1. The issue is on the return (TCP SYN): 192.168.4.10 sends a TCP SYN packet back to 10.0.10.10, so the packet is sent to its GW, 192.168.4.254. A routing table lookup is conducted and the route is via 192.168.4.253, so the packet is forwarded to the WS-C3560X-24P-L. The 10.0.10.0/24 is directly attached on the 3560, so an ARP lookup is executed for 10.0.10.10 to obtain the MAC address to build the layer 2 frame, it is located, and the packet is forwarded out directly via VLAN 20, addressed directly to 10.0.10.10 and NOT sent back to 192.168.4.254, where the TCP packet's path originated. Any SPI firewall will typically drop the TCP SYN packet as it does not have an entry in its SPI table for any SYN sessions from the originating host. In some cases you can disable SYN checking, but this might cause unforeseen issues. At any rate, best practice dictates creating another VLAN for your Internet traffic (VLAN 2) and moving the link over to that VLAN; then you can use the 3560 as the aggregate gateway for all your traffic (local and traffic destined to the Internet). The addition of the static route on the host is required for the topology you currently have.
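The asymmetric path described in that reply is easy to see with a small routing model. The script below is an added example, not part of the original thread: it builds the thread's addresses into a toy topology (host names HostA/HostB, the firewall's name FW and its route for 10.0.0.0/8 back to the 3560 are assumptions), does a longest-prefix lookup at each hop, and reports any stateful device that sees only one direction of the exchange. Toggling the host static route shows why the reply insists on it.

```python
import ipaddress


class Node:
    """A host or layer-3 device: the addresses it owns and its routing table.

    routes is a list of (prefix, next_hop); next_hop None means directly
    connected, so the device ARPs for the destination itself.
    """

    def __init__(self, name, addresses, routes, stateful=False):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        self.routes = [(ipaddress.ip_network(p),
                        ipaddress.ip_address(nh) if nh else None)
                       for p, nh in routes]
        self.stateful = stateful  # True for an SPI firewall that tracks sessions

    def lookup(self, dst):
        """Longest-prefix match, the same rule the switch's FIB applies."""
        best = None
        for net, next_hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best


def trace(topology, src_name, dst_ip, max_hops=16):
    """Follow a packet hop by hop and return the list of devices it crosses."""
    dst = ipaddress.ip_address(dst_ip)
    node = topology[src_name]
    path = [node.name]
    for _ in range(max_hops):
        if dst in node.addresses:
            return path
        hit = node.lookup(dst)
        if hit is None:
            raise ValueError(f"{node.name} has no route to {dst}")
        _, next_hop = hit
        target = dst if next_hop is None else next_hop
        node = next(n for n in topology.values() if target in n.addresses)
        path.append(node.name)
    raise RuntimeError("hop limit exceeded: routing loop?")


def build_topology(host_static_route):
    """Constructed model of the thread's network (addresses from the thread;
    host names and the firewall's routing table are assumptions)."""
    host_b_routes = [("192.168.4.0/24", None), ("0.0.0.0/0", "192.168.4.254")]
    if host_static_route:
        # The fix the reply recommends: reach 10.x via the 3560's VLAN 1 address.
        host_b_routes.append(("10.0.0.0/8", "192.168.4.253"))
    nodes = [
        Node("HostA", ["10.0.10.10"],
             [("10.0.10.0/24", None), ("0.0.0.0/0", "10.0.10.254")]),
        Node("3560", ["10.0.10.254", "192.168.4.253"],
             [("10.0.10.0/24", None), ("192.168.4.0/24", None),
              ("0.0.0.0/0", "192.168.4.254")]),
        # Internet router / SPI firewall with a static route for 10.0.0.0/8 to the 3560.
        Node("FW", ["192.168.4.254"],
             [("192.168.4.0/24", None), ("10.0.0.0/8", "192.168.4.253")],
             stateful=True),
        Node("HostB", ["192.168.4.10"], host_b_routes),
    ]
    return {n.name: n for n in nodes}


def analyse(host_static_route=False):
    """Trace SYN and reply paths; list stateful devices that see only one direction."""
    topo = build_topology(host_static_route)
    forward = trace(topo, "HostA", "192.168.4.10")
    back = trace(topo, "HostB", "10.0.10.10")
    stateful = {n.name for n in topo.values() if n.stateful}
    one_way = (set(forward) ^ set(back)) & stateful
    return {"forward": forward, "return": back, "half_open_at": sorted(one_way)}


if __name__ == "__main__":
    for fix in (False, True):
        print("host static route:", fix, analyse(fix))
```

Without the host route the reply goes HostB, FW, 3560, HostA while the SYN never touched FW, so FW holds no session for it; with the route both directions stay on the 3560 and the firewall is out of the path for internal traffic entirely.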

Monday, December 9, 2013

Cisco Catalyst 3560 48-port; lots of ports not powering PoE devices

Here's a weird experience I'm having with some of my Cisco WS-C3560X-24T-L switches. After a power surge occurred, a few of my Catalysts can't seem to power any of my PoE devices, such as Cisco phones and APs. These switches are plugged into an APC managed PDU, which is connected to an APC RT 10k UPS.

It just seems like maybe the switches are not getting the power required to fully enable PoE for each port. Do you think this is the case when plugged into a PDU?

I originally had them plugged into a separate UPS and had no issues. I have a Fluke LinkRunner AT 2000 that I use to diagnose ports, but I'm not sure if this tool can test PoE.


I would try plugging a switch directly into house power and bypassing the UPS/PDU altogether. If you magically get full PoE like before, then the finger starts to point at the UPS/PDU. If you get the same results, perhaps the WS-C3560X-24T-S switch got hit by the surge in a way that (very strangely) only affected PoE.

Sunday, December 8, 2013

Cisco 3560 ACL and Syn Protect

We have added the ACL below to our Cisco WS-C3560X-48T-L router:
Extended IP access list 103
    10 permit tcp any host 77.223.156.156 eq www log (136803 matches)
    20 permit tcp any host 77.223.156.156 eq ftp log
    30 permit tcp any host 77.223.156.156 eq telnet log
    40 permit tcp any host 77.223.156.156 eq pop3 log
    50 permit tcp any host 77.223.156.156 eq smtp log
    60 permit tcp any host 77.223.156.156 eq 443 log
    70 permit tcp any host 77.223.156.156 eq 3389 log (2508 matches)
    80 permit tcp any host 77.223.156.156 eq domain log
    90 permit udp any host 77.223.156.156 eq domain log (68 matches)
    100 deny ip any host 77.223.156.156 log (5633 matches)
    110 permit ip any any (24 matches)
As you can see there is a high match count on the www port, and if we check it more deeply it looks like a DDoS or botnet. Should I protect the machine from the router against SYN? You will see the same IP address multiple times.


Looks like it must be a router feature and not a layer 3 switch feature for the Cisco WS-C3560X-48T-S. Another reason to add to the list of why L3 switches shouldn't be placed on the Internet edge. Sorry man, but you need some type of firewalling. An ACL just isn't enough these days.
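Before deciding whether edge filtering can help at all, it is worth turning the "same IP address multiple times" observation into numbers. The script below is an added example, not from the thread: it parses IOS ACL log lines in the %SEC-6-IPACCESSLOGP format (the format is real; the sample lines are constructed, with the page's 77.223.156.156 as the target and documentation-range source addresses), sums the reported packet counts per source for the www port, and says whether the load is concentrated on a few sources (which a block or rate limit at the edge can absorb) or diffuse (where only an upstream scrubbing service or a stateful firewall will do). Two caveats a practitioner should keep in mind: with the log keyword IOS reports the first packet and then periodic summaries, so the counts are approximate, and on the 3560 logged ACL entries are processed by the CPU, so the log keyword on a busy line adds load of its own.

```python
import re
from collections import Counter

# Constructed sample of IOS ACL log lines (%SEC-6-IPACCESSLOGP format;
# source addresses are from documentation ranges).
SAMPLE_LOG = """\
Dec  8 10:01:12: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 203.0.113.7(51234) -> 77.223.156.156(80), 1 packet
Dec  8 10:06:12: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 203.0.113.7(51234) -> 77.223.156.156(80), 350 packets
Dec  8 10:06:13: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 203.0.113.7(51877) -> 77.223.156.156(80), 420 packets
Dec  8 10:06:20: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 198.51.100.23(40022) -> 77.223.156.156(80), 5 packets
Dec  8 10:06:25: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 198.51.100.9(40100) -> 77.223.156.156(80), 2 packets
Dec  8 10:06:30: %SEC-6-IPACCESSLOGP: list 103 permitted udp 198.51.100.50(5353) -> 77.223.156.156(53), 1 packet
Dec  8 10:06:31: %SEC-6-IPACCESSLOGP: list 103 denied tcp 198.51.100.77(2222) -> 77.223.156.156(22), 12 packets
"""

ENTRY = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def summarize(lines, dport=80, proto="tcp", action="permitted"):
    """Aggregate logged packet counts per source for one destination port."""
    per_source = Counter()
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue
        if m["proto"] != proto or int(m["dport"]) != dport or m["action"] != action:
            continue
        per_source[m["src"]] += int(m["count"])
    total = sum(per_source.values())
    ranked = per_source.most_common()
    top1_share = ranked[0][1] / total if total else 0.0
    return {"total": total, "sources": ranked, "top1_share": top1_share}


def assess(report, share_threshold=0.8, max_sources=10):
    """Rough triage: concentrated on a few sources (filterable at the edge)
    or spread across many (needs upstream help or a stateful firewall)."""
    if report["total"] == 0:
        return "no matching traffic"
    top = report["sources"][:max_sources]
    share = sum(count for _, count in top) / report["total"]
    if share >= share_threshold:
        return f"concentrated: {len(top)} source(s) carry {share:.0%} of packets"
    return f"diffuse: top {len(top)} sources carry only {share:.0%} of packets"


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG.splitlines())
    for src, count in rep["sources"]:
        print(f"{src:>16} {count:6d}")
    print(assess(rep))
```

Feed it the output of `show logging` (or the syslog collector's file) rather than the ACL hit counters: the counters in `show access-lists` only say how many packets matched, never from where.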


Wednesday, December 4, 2013

OSPF Between 2 Cisco 3560 Switches

I would like to connect two switches to one another, with each switch connected to one host. I would like to use a dynamic routing protocol such as OSPF between the two switches, and make sure that Switch1 can ping Host2 and Switch2 can ping Host1 and vice versa.

How can this be done using two Cisco WS-C3560X-48PF-S switches that have Layer 3 capability?

Host1 --------- Switch1 ---------------- Switch2 -------- Host2

Host1: 172.16.10.2 255.255.0.0
            Interface fe1/1 - connected to Switch1 - switchport access vlan 2

Switch1: VLAN 2 - 172.16.10.1 255.255.255.0
              interface g1/1 - 10.1.1.1 255.255.255.0 (connected to Switch2)

Switch2: VLAN 3 - 172.17.10.1 255.255.255.0
              interface g1/1 - 10.1.1.2 255.255.255.0 (connected to Switch1)

Host2: 172.17.10.2 255.255.0.0
            Interface fe1/1 - connected to Switch 2 - switchport access vlan 3


You will also need to add the command

network 10.1.1.0 0.0.0.255 area 0

under router ospf 10 to both switches.

Also, I assume this is just a typo, but host 1 and switch 1 have inconsistent subnet masks.
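Both points in that reply can be checked mechanically. The script below is an added example (not from the thread): it implements the IOS network-statement wildcard match, works out which interfaces end up in OSPF and in which area, tests whether the 10.1.1.0/24 link can form an adjacency before and after the extra network statement, and flags the host/switch mask mismatch. Addresses and interface names come from the question; the assumption that each switch already has a network statement for its own VLAN is mine.

```python
import ipaddress


def wildcard_match(network, wildcard, address):
    """IOS 'network <net> <wildcard> area <n>' semantics: every bit that is 0
    in the wildcard must agree between the address and the network."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(address)) & care) == \
        (int(ipaddress.ip_address(network)) & care)


def ospf_interfaces(network_statements, interfaces):
    """Map each interface (name -> 'ip/prefix') to the OSPF area the first
    matching network statement puts it in; unmatched interfaces are left out."""
    enabled = {}
    for name, cidr in interfaces.items():
        ip = ipaddress.ip_interface(cidr).ip
        for network, wildcard, area in network_statements:
            if wildcard_match(network, wildcard, ip):
                enabled[name] = area
                break
    return enabled


def link_ready(stmts_a, ifaces_a, stmts_b, ifaces_b, link="g1/1"):
    """An adjacency over `link` needs OSPF enabled on both ends, the same
    area, and both addresses in the same subnet (timers are out of scope)."""
    area_a = ospf_interfaces(stmts_a, ifaces_a).get(link)
    area_b = ospf_interfaces(stmts_b, ifaces_b).get(link)
    same_subnet = (ipaddress.ip_interface(ifaces_a[link]).network
                   == ipaddress.ip_interface(ifaces_b[link]).network)
    return area_a is not None and area_a == area_b and same_subnet


def check_host(host_cidr, gateway_cidr):
    """Flag a host whose mask disagrees with its gateway's (the typo noted above)."""
    host = ipaddress.ip_interface(host_cidr)
    gw = ipaddress.ip_interface(gateway_cidr)
    problems = []
    if host.network.prefixlen != gw.network.prefixlen:
        problems.append(f"mask mismatch: host sees {host.network}, "
                        f"gateway sees {gw.network}")
    if gw.ip not in host.network:
        problems.append(f"gateway {gw.ip} is outside the host's subnet {host.network}")
    return problems


# Addresses and interface names from the question.
SWITCH1 = {"Vlan2": "172.16.10.1/24", "g1/1": "10.1.1.1/24"}
SWITCH2 = {"Vlan3": "172.17.10.1/24", "g1/1": "10.1.1.2/24"}
# Assumed starting point: each switch advertises only its own VLAN.
SW1_BEFORE = [("172.16.10.0", "0.0.0.255", 0)]
SW2_BEFORE = [("172.17.10.0", "0.0.0.255", 0)]
LINK_STMT = ("10.1.1.0", "0.0.0.255", 0)   # the statement the reply says to add

if __name__ == "__main__":
    print("before:", link_ready(SW1_BEFORE, SWITCH1, SW2_BEFORE, SWITCH2))
    print("after: ", link_ready(SW1_BEFORE + [LINK_STMT], SWITCH1,
                                SW2_BEFORE + [LINK_STMT], SWITCH2))
    print(check_host("172.16.10.2/16", "172.16.10.1/24"))
```

With a /16 on Host1, the host believes all of 172.16.0.0/16 is on its own wire and will ARP for anything in that range instead of sending it to the switch, which is why the reply calls the mask out even though the OSPF side is unaffected by it.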

OSPF normally only comes with the IP Services image and not the IP Base image. The 3560-C series data sheet says that it only supports the IP Base image, yet it mentions that support for OSPF is included. Are there any restrictions in the OSPF support?


Configuring OSPF on a Catalyst WS-C3560X-48PF-L switch to connect to our building next door by way of fiber. The other two switches in the other building are running OSPF; I am trying to connect to the other building and access a server which is on a switch running OSPF. I am trying to configure the switch here to run OSPF and be able to see the neighbor, but currently can't, although I've identified the networks. Maybe I'm missing something; I've followed the instructions but something is not right.

Connecting a CradlePoint CBA750 to a Cisco 3560 switch

Need your help. Our company made a decision to implement a network backup that uses Verizon LTE 4G. The setup is as follows: on the corporate side there is a Cisco 2911 using a VPN going to the Verizon private network. On the remote side we have a series of layer 3 switches (Cisco WS-C3560X-24P-L). On the suggestion of Verizon we purchased CradlePoint CBA750 modem/router devices.

We need to use the Verizon connection as the backup. The primary is Metro Ethernet going through another ISP. When connecting the CradlePoint to the switch the link will not activate (actually I receive a down/err-disable). I can use a PC directly on the CradlePoint Ethernet port and test successfully.

My question is, does anyone have experience in connecting the CradlePoint to Cisco switches? I have eliminated the cable (it is straight-through) and also made a call to both Verizon and CradlePoint (I have not called Cisco as of this writing). The CradlePoint is being set in IP Pass-through mode and is receiving its address from Verizon. I think I have covered the basics, so if anyone could lead me in the right direction I would appreciate it. Thanks.

I've worked on this before and had a couple of difficulties. First, make sure the DHCP option is turned off on the CP. With your laptop, verify what IP you are getting. I ran into an issue where Verizon was handing out an IP that wasn't an officially legitimate IP. It was something in the realm of 9.9.9.163/30. Windows didn't mind this IP, but when you look closer the subnet of the IP was 9.9.9.160/30, and the .163 address was actually a broadcast address according to subnetting rules. Not sure how or why VZ was handing that out, but I had to put in a request to have my public IP changed. This may or may not be your case.

For the err-disable, did you see the reason for the error? "show int status err" will give you better details. Also, check the speed/duplex settings on both devices.
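The "legitimate IP" check in that reply is a pure subnetting question, and Windows accepting the address is no proof that it is usable. The function below is an added example, not from the thread: given the leased address, mask and (optionally) gateway, it reports whether the address is the network or broadcast address of its subnet, treats /31 point-to-point links (RFC 3021) and /32 as having no such reserved addresses, and checks that the gateway is a usable host in the same subnet. The 9.9.9.163/30 case from the reply is used as the sample input.

```python
import ipaddress


def classify_address(cidr):
    """Return 'host', 'network' or 'broadcast' for an IPv4 address with its mask.
    /31 (RFC 3021 point-to-point) and /32 have no network/broadcast addresses."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    if net.prefixlen >= 31:
        return "host"
    if iface.ip == net.network_address:
        return "network"
    if iface.ip == net.broadcast_address:
        return "broadcast"
    return "host"


def validate_lease(address, netmask, gateway=None):
    """Sanity-check what a DHCP server (here the carrier) handed out.
    Returns a list of problems; an empty list means the lease looks sane."""
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    problems = []
    kind = classify_address(str(iface))
    if kind != "host":
        problems.append(f"{iface.ip} is the {kind} address of {iface.network}, "
                        f"not a usable host address")
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw not in iface.network:
            problems.append(f"gateway {gw} is outside {iface.network}")
        elif gw == iface.ip:
            problems.append("gateway equals the assigned address")
        elif classify_address(f"{gw}/{iface.network.prefixlen}") != "host":
            problems.append(f"gateway {gw} is not a usable host address "
                            f"in {iface.network}")
    return problems


if __name__ == "__main__":
    # The lease from the reply: 9.9.9.163 with a /30 mask.
    print(validate_lease("9.9.9.163", "255.255.255.252"))
    # A sane /30 lease for comparison.
    print(validate_lease("9.9.9.162", "255.255.255.252", gateway="9.9.9.161"))
```

Run it against `ipconfig` output from the laptop test the reply suggests; a non-empty list is the evidence to attach to the change request with the carrier.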
Here is the configuration for the FastEthernet port:
interface FastEthernet0/1
 switchport access vlan 140
 switchport mode access
 speed 100
 duplex full

Jun 27 12:40:46: %ILPOWER-7-DETECT: Interface Fa0/1: Power Device detected: IEEE PD
Jun 27 12:40:47: %ILPOWER-5-IEEE_DISCONNECT: Interface Fa0/1: PD removed

I believe that explains the port flapping. Am I getting this error due to the CradlePoint, or is the switch looking for the device to not have a power supply attached?


Thanks to all of you. I was able to find out that the Cisco WS-C3560X-24P-S switch considered the CradlePoint a PoE device. Since I am using the power cord on the CradlePoint, it was causing an issue with the switch. I turned off the power on the port by using the 'power inline never' command. The port is up now with no flapping. I got pieces of the answer from the posts I received, so thanks to the posters.
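The two %ILPOWER lines in the thread are the whole signature of this problem: a DETECT immediately followed by an IEEE_DISCONNECT, over and over, for a device that is actually mains-powered. The script below is an added example (not from the thread) that turns that into a detection: it parses syslog lines in the format shown above, counts DETECT-to-IEEE_DISCONNECT cycles per interface within a time window, ignores detections that end in POWER_GRANTED (a real PD coming up), and lists ports that cycle often enough to deserve a look. The sample lines are constructed in the thread's format; the %LINK-3-UPDOWN line is there only to show unrelated messages are skipped.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log excerpt in the %ILPOWER format shown in the thread.
SAMPLE_LOG = """\
Jun 27 12:40:46: %ILPOWER-7-DETECT: Interface Fa0/1: Power Device detected: IEEE PD
Jun 27 12:40:47: %ILPOWER-5-IEEE_DISCONNECT: Interface Fa0/1: PD removed
Jun 27 12:41:10: %ILPOWER-7-DETECT: Interface Fa0/1: Power Device detected: IEEE PD
Jun 27 12:41:11: %ILPOWER-5-IEEE_DISCONNECT: Interface Fa0/1: PD removed
Jun 27 12:41:20: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Jun 27 12:41:35: %ILPOWER-7-DETECT: Interface Fa0/1: Power Device detected: IEEE PD
Jun 27 12:41:36: %ILPOWER-5-IEEE_DISCONNECT: Interface Fa0/1: PD removed
Jun 27 12:42:02: %ILPOWER-7-DETECT: Interface Fa0/2: Power Device detected: IEEE PD
Jun 27 12:42:03: %ILPOWER-5-POWER_GRANTED: Interface Fa0/2: Power granted
"""

ILPOWER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d): "
    r"%ILPOWER-\d-(?P<event>[A-Z_]+): Interface (?P<iface>[^:]+):"
)


def poe_cycles(lines, window_seconds=300):
    """Count DETECT -> IEEE_DISCONNECT cycles per interface. A DETECT that is
    followed by POWER_GRANTED is a genuine PD and is not counted."""
    pending = {}                 # iface -> timestamp of the open DETECT
    cycles = defaultdict(int)
    for line in lines:
        m = ILPOWER.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # year-less syslog stamp
        iface, event = m["iface"], m["event"]
        if event == "DETECT":
            pending[iface] = ts
        elif event == "IEEE_DISCONNECT" and iface in pending:
            if (ts - pending.pop(iface)).total_seconds() <= window_seconds:
                cycles[iface] += 1
        elif event == "POWER_GRANTED":
            pending.pop(iface, None)
    return dict(cycles)


def flapping_ports(lines, threshold=3):
    """Interfaces whose PoE detection cycled at least `threshold` times."""
    return sorted(i for i, n in poe_cycles(lines).items() if n >= threshold)


if __name__ == "__main__":
    print(poe_cycles(SAMPLE_LOG.splitlines()))
    for port in flapping_ports(SAMPLE_LOG.splitlines()):
        print(f"{port}: PoE detect/disconnect loop; if the attached device has "
              f"its own power supply, 'power inline never' on this port is the fix")
```

The year-less timestamp means a window that straddles New Year would compute wrongly; for a real collector, parse the stamps with the year the logging host records.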

Monday, December 2, 2013

Cisco 3560 to SG200 VLAN trunking

I desperately need help with my limited Cisco knowledge. I am setting up a VM lab and I need to do VLAN trunking between my master L3 WS-C3560V2-24TS-S switch and an SG200 L2 switch.

I have set up a couple of VLANs in the master and I would like the SG200 to talk to these VLANs. I have tried at least five different possible solutions and no luck so far. The SG200 is only web based; no CLI is supported. I will attach screenshots from my SG200 and a txt of the 3560 config file.

To start my project I would like to begin with only VLAN 224 and be able to talk to this VLAN from the SG200.

Cisco gi0/1 is connected to my Comcast router with a 192 network DHCP.
Link between: Cisco 3560 interface gi0/4 to SG200 GE26.

The device should now be accessible through the DHCP address; find this by looking up the server or doing an nmap scan and looking for Cisco equipment.
Now create the VLANs you need and name them under the "Create VLAN tab".

The created VLAN(s) now need to be added to the desired trunk port on the smart switch; this is done through "Port VLAN Membership". Simply select the trunk port, edit the details and select the VLAN that is to be allowed on the trunk, tick Membership and then click the arrow to move it into the selected column.

The VLANs that are needed on the trunk should now be showing on the Port VLAN Membership page.

Access ports can now be configured, which is straightforward: change the required ports to access ports and define which VLAN is required, which is done through "Interface Settings". This won't actually work until we configure a trunk port on the other switch.

Depending on your native VLAN settings, you may have to change the management VLAN setting before changing the port on the other switch to a trunk. Just a reminder: make sure the management VLAN is a member of the trunk port. This can be done through the "IPv4 Interface".


The smart WS-C3560V2-48TS-S switch might be unreachable if the management VLAN has been changed, therefore we need to enable a trunk port on the other switch to gain access again.
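The lock-out that reply warns about comes from the two trunk ends disagreeing: a VLAN allowed on one side but not the other, a native VLAN mismatch, or the management VLAN missing from the trunk. The script below is an added example, not part of the thread or either vendor's tooling: it expands the IOS `switchport trunk allowed vlan` list syntax (the 3560 end is built with `switchport trunk encapsulation dot1q`, `switchport mode trunk` and that command) into a set, and compares both ends of the link before the change is committed. The port names Gi0/4 and GE26 are the thread's; the VLAN lists in the sample are constructed, with VLAN 224 as the management VLAN to mirror the question.

```python
def parse_vlan_list(spec):
    """Expand the IOS 'switchport trunk allowed vlan' syntax ('1,10-12,224')
    into a set of VLAN ids; 'all' means the whole 1-4094 range."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def check_trunk(end_a, end_b, management_vlan):
    """Compare the two ends of a trunk. Each end is a dict:
    {'name': str, 'allowed': IOS vlan list string, 'native': int}.
    Returns a list of human-readable issues; empty means the ends agree."""
    issues = []
    allowed = {end["name"]: parse_vlan_list(end["allowed"]) for end in (end_a, end_b)}
    a, b = allowed[end_a["name"]], allowed[end_b["name"]]
    if end_a["native"] != end_b["native"]:
        issues.append(f"native VLAN mismatch: {end_a['name']}={end_a['native']}, "
                      f"{end_b['name']}={end_b['native']}")
    if a - b:
        issues.append(f"VLANs {sorted(a - b)} allowed only on {end_a['name']}")
    if b - a:
        issues.append(f"VLANs {sorted(b - a)} allowed only on {end_b['name']}")
    for end in (end_a, end_b):
        if management_vlan not in allowed[end["name"]]:
            issues.append(f"management VLAN {management_vlan} not allowed on {end['name']}")
        # Untagged frames on a trunk belong to the native VLAN; if it is not in
        # the allowed list they are dropped, which is how management gets cut off.
        if end["native"] not in allowed[end["name"]]:
            issues.append(f"native VLAN {end['native']} not in allowed list on {end['name']}")
    return issues


if __name__ == "__main__":
    # Constructed sample: the 3560 allows 1 and 224, the SG200 only 224.
    core = {"name": "3560 Gi0/4", "allowed": "1,224", "native": 1}
    edge = {"name": "SG200 GE26", "allowed": "224", "native": 1}
    for issue in check_trunk(core, edge, management_vlan=224):
        print("-", issue)
```

A clean result from this check is also the moment to decide on the native VLAN deliberately: using an otherwise unused VLAN as native on both ends, rather than VLAN 1, keeps untagged frames from landing in a VLAN that carries real traffic, and the native-mismatch test above will catch a one-sided change.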