Thursday, March 20, 2014

Configuring Private VLANs

How to configure private VLANs on the Cisco 3560 switch.

The private-VLAN feature addresses two problems that service providers face when using VLANs:

Scalability: The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the number of customers that the service provider can support.

IP address management: To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can waste unused IP addresses and cause IP address management problems.

Using private VLANs addresses the scalability problem and provides IP address management benefits for service providers and Layer 2 security for customers.

Private VLANs partition a regular VLAN domain into subdomains and can have multiple VLAN pairs—one for each subdomain. A subdomain is represented by a primary VLAN and a secondary VLAN.

There are two types of secondary VLANs:

Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.

Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.

Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:

Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.

Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.

Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.

Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.

Primary and secondary VLANs have these characteristics:

Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.

Isolated VLAN—A private VLAN has only one isolated VLAN. An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway.

Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN.

A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are typically connected to the switch through a promiscuous port. With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private-VLAN servers from an administration workstation.

In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN.

You can use private VLANs to control access to end stations in these ways:

Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers.

Configure interfaces connected to default gateways and selected end stations (for example, backup servers) as promiscuous ports to allow all end stations access to a default gateway.


You can extend private VLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support private VLANs. To maintain the security of your private-VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private-VLAN ports.
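The port-role rules above (promiscuous, isolated, community) decide which pairs of ports can exchange frames at Layer 2. The following Python model is an added example, not code from the Cisco documentation: it encodes those rules so the isolation claims can be checked for any port list, and renders the matching Catalyst interface commands for each port. The VLAN numbers 100 to 103 and the GigabitEthernet port list are constructed for illustration.

```python
"""Private-VLAN Layer 2 reachability model (added example, not Cisco code).

Encodes the port-role rules of the text: a promiscuous port reaches every port
of its private VLAN, an isolated host port reaches promiscuous ports only, and
community host ports reach promiscuous ports plus their own community. VLAN
numbers 100-103 and the port names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str                        # PROMISCUOUS, ISOLATED or COMMUNITY
    primary: int                     # primary VLAN of the private VLAN
    secondary: Optional[int] = None  # secondary VLAN for host ports, None for promiscuous


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """True if a frame entering on src may be delivered out of dst at Layer 2."""
    if src is dst:
        return False
    # Different primary VLANs are different broadcast domains: no Layer 2 path.
    if src.primary != dst.primary:
        return False
    # A promiscuous port reaches every port of its private VLAN (downstream on
    # the primary VLAN) and every host port may reach it (upstream).
    if PROMISCUOUS in (src.role, dst.role):
        return True
    # Isolated host ports exchange traffic with promiscuous ports only, not
    # even with each other inside the same isolated VLAN.
    if ISOLATED in (src.role, dst.role):
        return False
    # Two community host ports talk only within the same community VLAN.
    return src.secondary == dst.secondary


def reachable_from(src: PvlanPort, ports: List[PvlanPort]) -> List[str]:
    """Names of the ports that src can reach, in port-list order."""
    return [p.name for p in ports if can_forward(src, p)]


def ios_port_config(port: PvlanPort, ports: List[PvlanPort]) -> str:
    """Interface stanza for this port using the Catalyst private-VLAN port commands."""
    secondaries = sorted({p.secondary for p in ports
                          if p.primary == port.primary and p.secondary is not None})
    lines = [f"interface {port.name}"]
    if port.role == PROMISCUOUS:
        lines.append(" switchport mode private-vlan promiscuous")
        lines.append(f" switchport private-vlan mapping {port.primary} "
                     + ",".join(str(s) for s in secondaries))
    else:
        lines.append(" switchport mode private-vlan host")
        lines.append(f" switchport private-vlan host-association {port.primary} {port.secondary}")
    return "\n".join(lines)


# Constructed topology: primary VLAN 100 with isolated VLAN 101 and two
# community VLANs 102 and 103. Gi0/1 faces the default gateway.
PORTS = [
    PvlanPort("GigabitEthernet0/1", PROMISCUOUS, 100),
    PvlanPort("GigabitEthernet0/2", ISOLATED, 100, 101),
    PvlanPort("GigabitEthernet0/3", ISOLATED, 100, 101),
    PvlanPort("GigabitEthernet0/4", COMMUNITY, 100, 102),
    PvlanPort("GigabitEthernet0/5", COMMUNITY, 100, 102),
    PvlanPort("GigabitEthernet0/6", COMMUNITY, 100, 103),
]


def port(name: str) -> PvlanPort:
    """Look up a constructed port by interface name."""
    return next(p for p in PORTS if p.name == name)


if __name__ == "__main__":
    for p in PORTS:
        reach = ", ".join(reachable_from(p, PORTS)) or "(nothing)"
        print(f"{p.name:20} {p.role:12} -> {reach}")
    print(ios_port_config(port("GigabitEthernet0/1"), PORTS))
```

The model covers only the port side; the VLAN definitions themselves (declaring VLAN 100 as primary, 101 as isolated, 102 and 103 as community, and associating them) and the primary-VLAN SVI mapping on a Layer 3 switch are separate steps that the rendered stanzas assume are already in place.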

Wednesday, March 12, 2014

Configuring MSDP

How to configure the Multicast Source Discovery Protocol (MSDP) on the Catalyst 3750X switch. The MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains.

MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP. However, it is possible to create default peers that MSDP can operate with if MBGP is not running.

To use this feature, the switch must be running the IP services image.

Configuring a Default MSDP Peer

In this software release, because BGP and MBGP are not supported, you cannot configure an MSDP peer on the local switch by using the ip msdp peer global configuration command. Instead, you define a default MSDP peer (by using the ip msdp default-peer global configuration command) from which to accept all SA messages for the switch. The default MSDP peer must be a previously configured MSDP peer. Configure a default MSDP peer when the switch is not BGP- or MBGP-peering with an MSDP peer. If a single MSDP peer is configured, the switch always accepts all SA messages from that peer.

The following example network shows where default MSDP peers might be used. A customer who owns Switch B is connected to the Internet through two Internet service providers (ISPs), one owning Router A and the other owning Router C. They are not running BGP or MBGP between them. To learn about sources in the ISP's domain or in other domains, Switch B at the customer site identifies Router A as its default MSDP peer. Switch B advertises SA messages to both Router A and Router C but accepts SA messages only from Router A or only from Router C. If Router A is first in the configuration file, it is used if it is running. If Router A is not running, only then does Switch B accept SA messages from Router C. This is the default behavior without a prefix list.

If you specify a prefix list, the peer is a default peer only for the prefixes in the list. You can have multiple active default peers when you have a prefix list associated with each. When you do not have any prefix lists, you can configure multiple default peers, but only the first one is the active default peer as long as the router has connectivity to this peer and the peer is alive. If the first configured peer fails or the connectivity to this peer fails, the second configured peer becomes the active default, and so on.

The ISP probably uses a prefix list to define which prefixes it accepts from the customer's router.
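The selection rules in the two paragraphs above (first configured alive peer is the active default peer; a peer with a prefix list is a default peer only for its prefixes) can be checked against a small model. The Python below is an added example, not Cisco code: it replays the Router A / Router C scenario from the text and the prefix-list case. How IOS combines peers with and without prefix lists in one configuration is not stated on the page, so treating the two kinds independently is an assumption of this model; peer names, prefixes and liveness values are constructed.

```python
"""Default MSDP peer selection model (added example, not Cisco code).

Peers are kept in configuration order. Without prefix lists only the first
alive peer is active; a peer with a prefix list is active for its prefixes
whenever it is alive. Mixing the two kinds is treated independently here, which
is an assumption of this model. Names and prefixes are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class DefaultPeer:
    name: str
    alive: bool = True
    # CIDR strings from the peer's prefix list; empty means no prefix list configured.
    prefixes: List[str] = field(default_factory=list)


def active_default_peers(peers: List[DefaultPeer]) -> List[DefaultPeer]:
    """Peers whose SA messages are accepted right now, in configuration order."""
    active, have_unfiltered = [], False
    for peer in peers:
        if not peer.alive:
            continue             # a failed peer is skipped; the next configured one takes over
        if peer.prefixes:
            active.append(peer)  # prefix-listed peers can all be active at once
        elif not have_unfiltered:
            active.append(peer)  # only the first alive peer without a prefix list is active
            have_unfiltered = True
    return active


def accepts_sa(peers: List[DefaultPeer], from_peer: str, source: str) -> bool:
    """Is an SA message for multicast source `source`, received from `from_peer`, accepted?"""
    src = ipaddress.ip_address(source)
    for peer in active_default_peers(peers):
        if peer.name != from_peer:
            continue
        if not peer.prefixes:
            return True
        return any(src in ipaddress.ip_network(p) for p in peer.prefixes)
    return False


if __name__ == "__main__":
    peers = [DefaultPeer("RouterA"), DefaultPeer("RouterC")]
    print("active:", [p.name for p in active_default_peers(peers)])
    peers[0].alive = False
    print("after RouterA fails:", [p.name for p in active_default_peers(peers)])
```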

Friday, March 7, 2014

Routing from 3560 to DSL modem not working

I'm setting up a lab switch (WS-C3560X-24T-L) to a DSL router/modem and I cannot seem to get the routing from VLAN100 to the DSL router/modem to work.
int g0/1 is connected to the DSL router/modem
int g0/10 is connected to the client (10.10.100.10)

From the 3560, I can ping the DSL router (192.168.1.1), the client (10.10.100.10) and I can ping the internet.
From the client connected to the 3560, I can ping the g0/1 interface IP address (192.168.1.201), but not the DSL router (192.168.1.1).
From the DSL router, I can ping the internet and the 3560 g0/1 ip address (192.168.1.201) but cannot ping the client (10.10.100.10)

Config from 3560 follows:

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3560Lab1-DLS2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
vtp domain TestLab
vtp mode transparent
ip routing
ip name-server 4.2.2.2
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100
name Home_VLAN
interface GigabitEthernet0/1
description To DSL
no switchport
ip address 192.168.1.201 255.255.255.0
!
<snip>
!
interface GigabitEthernet0/10
description Client
switchport access vlan 100
switchport mode access
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address 10.10.100.1 255.255.255.0
!
!
router eigrp 100
network 10.10.100.0 0.0.0.255
network 192.168.1.0 0.0.0.255
!
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1

I'm actually not sure. I have U-verse and the modem that they supply allows you to put all of your traffic into a DMZ. I had my router on the DMZ interface, which allowed my public address to be assigned to my router instead of the modem. The problem with that in this situation is that the 3560 doesn't support NAT as far as I know, so it doesn't make sense to put your public IP on your switch.

So, another test that you could do if you wanted is to put your LAN-side IP on your DSL modem on the 10 subnet. Then you'd have to change the IP on vlan 10, but you'd be able to see if your 10.x.x.x host could get on the internet. I'm almost sure that's what this is. Now it doesn't explain why you couldn't ping between devices on the same switch in different VLANs earlier, though. You have the VLAN created and an L3 SVI attached with routing on, so those subnets are locally connected and should be able to route between VLANs with no issue. Through all of this, I'm not sure if that part was ever fixed. Have you checked the IOS version that you're on to see if you're running the latest?

If you decide to do the internal LAN-side address change on the DSL modem and it works, I'm afraid that you may not be able to segment your network into different subnets if you can't NAT them via the modem. You could still create your VLANs for internal testing, but they wouldn't be able to get on the internet because of the NAT issue. This is one reason a lot of people on the forums will put a Cisco router in between their DSL modem and switches. You could also do this with an ASA as well.


Thursday, March 6, 2014

cisco 3750 VLAN

I would like to make one VLAN (VLAN100) in a 3750 totally separate from the other few VLANs (VLAN1,2,3,4,5) in a Cisco WS-C3750V2-24PS-S, with routing. On this 3750 I am going to use EIGRP. Please help.

VLAN100 cannot be routed (I just need it for public internet sharing)
VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 can be routed to each other (for internal subnet routing)

If you are just going to use VLAN100 for L2-transport and it will be routed by the ISP-router you can just create VLAN100 on your switches and not create any VLAN100-interfaces or include them in your routing process.

Just like Simen said, DON'T create interface vlan 100 and it should be ok. Create only vlan 100.

For vlans 1,2,3,4,5 create vlans in a common manner and also create the appropriate interfaces. Enable ip routing on your switch and you are done.

For other routing purposes (connection to other routers, ISP) you can use the EIGRP you mentioned.

Yes, you are correct.

conf t # vlan 10  >>> This will create vlan 10 in the vlan database.

conf t # int vlan 10  >>> This will create interface vlan 10.

NOTE: For an interface vlan to be up and running, you need to have vlan 10 present in the vlan database and there should be at least one link which is up and forwarding vlan 10 (either assign an access port to vlan 10, or, if you have a trunk port configured to allow all VLANs, that trunk port makes the vlan come up).

* Only if you want routing to be enabled between the networks, assign an IP address to every VLAN. Any VLAN which you don't want routed, don't assign an IP address to it.

Thursday, February 27, 2014

c3750 not manageable

I started experiencing a weird problem with one of my WS-C3750X-12S-S today. It seems that connectivity to the management IP has become sporadic...
I can ping it and get maybe 2-3 responses, then a couple minutes of no responses. However, the switch is still passing traffic normally, users connected to it are not experiencing any symptoms.

Switch is running IOS 12.2(44)SE2 and is connected via 802.1q trunk to 2801 with only 2 VLANs. There's really not a lot of traffic going through this switch. I can't connect to the switch from the directly connected router or elsewhere on my network.

I sat with my finger on the "Get Tree" button in my SNMP MIB Browser, to try gathering some data when it became available to begin narrowing down where the issue could be. Here's what I've found / checked so far:
CPU (via CISCO-PROCESS-MIB):
around 5-10% for all 3 values (1 sec, 5 sec etc)
Memory:
There is plenty of memory free, nothing out of the ordinary
Syslog:
Log messages are not getting to Syslog server, but the few I've pulled via SNMP look normal. Just interfaces state changes mostly, which is normal at this location.
Interfaces(via MIB-2 interfaces table):
no input or output errors on uplink port or any other ports for that matter, looks very clean.
ARP
Verified ARP on the 2801 is staying the same for the IP of the switch.
Other Observations:
I was able to connect for a few seconds and noticed NTP wasn't syncing.
When the switch is replying to Pings, response times are high (300 - 1900[?!]ms). I verified those high ping response times were not due to latency on the location's WAN connection (T1 is at low utilization)
Issue started today at some point. No changes were made to the switch or environment at that location.

I'm not able to reboot the device at the moment, I hope to do that this weekend, but I was curious if anyone has seen anything similar and had a fix other than rebooting. I'm not even sure if rebooting will help. It's odd that I can't manage the switch, but it is still passing voice and data traffic like it was yesterday.

We saw something kind of similar in a 6-switch stack. But our problem appeared to be that the stack master had a slow memory leak and occasionally we would not be able to manage the stack for a while, then it would come back. Switch and port utilizations once we got in were low across all 6 switches. I'm speculating in our case, because this box is used as a jump box into the rest of the net, that maybe it was not releasing memory resources once we got out. We were also getting low free memory warnings from an SNMP monitoring tool. We reloaded the entire 6-switch stack and so far we have not seen a recurrence; I think we are at 12.2.35SE something.

Monday, February 17, 2014

Catalyst 2900 XL CMS does not load

I recently acquired a Cisco 2951 that was taken out of service and I am trying to use it at home. I have it set up as a stand-alone switch, and I can access the switch from another PC by my web browser and the IP of the switch. I found out that the switch has IOS release 12.0(5)WC3. What I am trying to do is access the switch by the CMS from the switch main page; it starts to load, then the Java application fails and all I get is a blank screen. I would like to update the software to 12.0(5)WC16 but I don't know how to upgrade it using Telnet. Is it possible to use Win XP, IE7 & the latest version of Java to access the CMS page? I read in some documentation that IE5 or 5.5 and Java Plug-in 1.3.1 is supported...

Update:

I have been doing some messing around and I got it to work. I updated the switch software from 12.0(5)WC3b to 12.0(5)WC16 using a TFTP server that was free from SolarWinds. After I got that updated I tried Win2000, IE 5.0, Java plug-in 1.3.0 & 1.3.1. I did not get this configuration to work. I then tried WinXP with IE7 & the Java plug-in 1.4.0 and it worked great! So I answered my own questions...


This is the first post of its type in the whole of NetPro!!! Question & answer on the same post :) Please mark the post as solved, which can help others.

Wednesday, February 12, 2014

Issue with Cisco 3560-C Switch

I purchased a pair of airFiber antennas to replace my current site link between buildings that was using Cisco 1300 wireless bridges. The main reason was because I was only getting about 12 Mbps throughput on a 500 meter link.

Anyway, after I got everything mounted, aligned, and configured, they showed that the link was "operational" and they could communicate with each other. The only problem was that no network traffic was crossing the link. So I began to troubleshoot. One end is connected to a Cisco Catalyst 2960 switch while the other is connected to a Cisco WS-C3560X-24P-S (layer 3 switch). The first switch and both airFiber antennas are on the same network. The 3560-C switch handles routing between the different networks for this site. I set everything up exactly how I had it with the Cisco bridge.

Now I noticed that when I plugged the airFiber antenna (happens to be the slave) into the 3560-C switch, the switch lost all routing capability. I made sure there were no loops when trying this and that the ports for the antennas on both ends were configured correctly (trunking, etc.); it still killed routing. I had already upgraded each antenna's firmware to v1.5, so I tried v1.1.2. It made no difference. No matter what I did, the moment I plugged the antenna into the 3560-C switch, it killed routing. And what I mean by "killed routing" is that the switch couldn't even communicate with another directly attached switch or any other network.


When you plug the cat3560 into the AF, can you copy the sh logging output? Maybe sh spa, sh interfaces, sh proc cpu history and so on, and post it here? It's nonsense, the AF is only a transparent bridge, nothing else. I don't think it can kill routing.

Monday, February 10, 2014

memory utilization graph with cisco 3560

we are currently testing OpManager before purchasing the Professional Version.

We are testing OpManager with a Cisco catalyst 2950 series 12G and a Cisco catalyst WS-C3560X-48T-L  series 24 PoE.

We tried the discovery function, and OpManager found the 2950 as a 2950 and the 3560 as a desktop.

The specific OID for the 3560 wasn't in the database, so we added it with admin\device type\add new device\ and the OID .1.3.6.1.4.1.9.1.563

We deleted the 3560 and rediscovered it. Opmanager found it as a 3560 but we still have problems:

1. The resource monitor Memory Utilization, which appeared by default with the 2950, doesn't appear with the 3560, so the memory utilization graph doesn't seem to appear either.

We created a custom monitor for the memory utilization with the following OID:

(.1.3.6.1.4.1.9.9.48.1.1.1.5.1*100)/(.1.3.6.1.4.1.9.9.48.1.1.1.5.1+.1.3.6.1.4.1.9.9.48.1.1.1.6.1)

This request works but we can't associate it with the memory graph.

You can remove the Memory Utilization for that specific device under Resource Monitor. After removing the monitor, follow the steps given below.

Please add this default graph under cisco monitors in OpManager_graphinfo.xml which is under /opmanager/conf

<DEFAULTGRAPH Name="SwitchMemoryUtilization">
  <YAXISTEXT>Percentage</YAXISTEXT>
  <DISPLAYNAME>Switch Memory Utilization</DISPLAYNAME>
  <name>SwitchMemoryUtilization</name>
  <Vendor>CISCO</Vendor>
  <Monitor>Resource</Monitor>
  <Description>Monitors the Memory Utilization</Description>
  <oid>(.1.3.6.1.4.1.9.9.48.1.1.1.5.1*100)/(.1.3.6.1.4.1.9.9.48.1.1.1.5.1+.1.3.6.1.4.1.9.9.48.1.1.1.6.1)</oid>
  <type>Interface</type>
  <interval>900</interval>
  <THRESHOLDENABLED>false</THRESHOLDENABLED>
</DEFAULTGRAPH>

Then open Opmanager_snapshotinfo.xml under /opmanager/conf and find this entry:

<CHART>
  <Name>MemoryUtilization</Name>
  <Title>Memory Utilization</Title>
  <Type>AREA</Type>
  <Height>250</Height>
  <Width>525</Width>
  <yaxisLabel>Memory Utilization %</yaxisLabel>
  <CHART-INFO>
    <PolledDataName>SwitchMemoryUtilization</PolledDataName>
    <Color>blue</Color>
    <YAXISTEXT>Memory Utilization %</YAXISTEXT>
    <DISPLAYNAME>Memory Utilization %</DISPLAYNAME>
    <name>MemoryUtilization</name>
    <Vendor>OtherCISCO</Vendor>
    <oid>(.1.3.6.1.4.1.9.9.48.1.1.1.5.1*100)/(.1.3.6.1.4.1.9.9.48.1.1.1.5.1+.1.3.6.1.4.1.9.9.48.1.1.1.6.1)</oid>
    <type>node</type>
    <interval>900</interval>
    <THRESHOLDENABLED>false</THRESHOLDENABLED>
  </CHART-INFO>
  </CATEGORY>
</CHART>

Save the file. Restart OpManager. Then try to add the Switch Memory Utilization monitor, which is under Cisco Monitors. Now you will have an option for Switch Memory Utilization.

Sunday, February 9, 2014

Calculate traffic amount on interface

I have not deployed any monitoring software yet; however, Cacti is in the works. But is it possible to change the ‘five minute input rate / five minute output rate’ time interval from 5 min to seconds and get an accurate account of traffic going over a FastEthernet interface? Would I choke the hardware (WS-C3750X-24T-L) if I change this attribute? Would this be a good method to see the load/traffic values in real time?

BACKGROUND:

The server team has deployed a new SQL server, and the DB devs are complaining that it is slow. I am suspecting that more traffic is going over the interfaces than what the ‘server team’ and ‘db devs’ indicated, because they know I would raise a stink. I do not have access to the database server, nor the other end, yet I have access to the network gear between the points.

Since I have never faced this type of issue, or problem – I need some direction and/or suggestions on how to troubleshoot this type of issue.

Issue the command load-interval 30 on the interface and it will start displaying the input/output rate for 30 secs.

This won't impact the efficiency of the switch.

For further troubleshooting of the issue, check for any output drops / input errors / CRC errors in the show interface fa x/y output.

Thursday, January 23, 2014

Cisco 3750 switches and eigrp

I am practicing my Cisco routing skills and am trying to set up EIGRP routing between two Cisco Catalyst WS-C3750V2-24PS-S switches. I cannot seem to get EIGRP to work. I am new here and tried to attach the config files but the site won't let me, so I pasted them below. I can ping from one switch to the other and to the VLANs on each back and forth. However, this is only because I created a default route on each switch to the other switch. When I do the show ip route command I don't see any EIGRP routes showing. When I do the various other commands for EIGRP like show neighbors, nothing displays in terms of other switches. I can go into more detail, but please take a look at my configs and let me know if there is anything obviously wrong with the setup of EIGRP.
mktest3 switch config below
sh run
Building configuration...
Current configuration : 4401 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname mktest3
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login doc local
!
aaa session-id common
switch 2 provision ws-c3750g-12s
system mtu routing 1500
ip subnet-zero
ip routing
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
vlan internal allocation policy ascending
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet2/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode desirable
interface GigabitEthernet2/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode desirable
interface GigabitEthernet2/0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/4
no switchport
bandwidth 120
ip address 192.168.150.1 255.255.255.0
interface GigabitEthernet2/0/5
interface GigabitEthernet2/0/6
interface GigabitEthernet2/0/7
interface GigabitEthernet2/0/8
interface GigabitEthernet2/0/9
interface GigabitEthernet2/0/10
interface GigabitEthernet2/0/11
interface GigabitEthernet2/0/12
!
interface Vlan1
no ip address
shutdown
interface Vlan2
ip address 192.168.124.1 255.255.255.0
interface Vlan3
ip address 192.168.125.1 255.255.255.0
interface Vlan4
ip address 192.168.126.1 255.255.255.0
interface Vlan5
ip address 192.168.127.1 255.255.255.0
interface Vlan6
ip address 192.168.128.1 255.255.255.0
interface Vlan7
no ip address
interface Vlan60
ip address 192.168.130.2 255.255.255.0
router eigrp 1
eigrp event-logging
network 192.168.124.0
network 192.168.125.0
network 192.168.126.0
network 192.168.127.0
network 192.168.128.0
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.150.2 permanent
ip http server
ip http secure-server
ip access-list standard TELNET_ACCESS
permit 192.168.124.3
deny any
ip access-list extended vlan2
deny ip 192.168.125.0 0.0.0.255 192.168.124.0 0.0.0.255
ip access-list extended vlan3
deny ip 192.168.124.0 0.0.0.255 192.168.125.0 0.0.0.255
control-plane
banner motd ^C UNAUTHORIZED ACCESS IS PROHIBITED FOR INFORMATION, CONTACT DOC.HELPDESK@PO.STATE.CT.US ^C
line con 0
line vty 0 4
access-class TELNET_ACCESS in
exec-timeout 20 0
password test
login authentication doc
line vty 5 15
access-class TELNET_ACCESS in
exec-timeout 20 0
password test
login authentication doc
end
mktest3#
mktest4 switch config below
sh run
Building configuration...
Current configuration : 1449 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname mktest4
boot-start-marker
boot-end-marker
no aaa new-model
switch 1 provision ws-c3750g-12s
system mtu routing 1500
ip subnet-zero
ip routing
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
vlan internal allocation policy ascending
interface GigabitEthernet1/0/1
no switchport
bandwidth 100
ip address 192.168.150.2 255.255.255.0
!
interface GigabitEthernet1/0/2
switchport access vlan 20
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface Vlan1
no ip address
shutdown
interface Vlan20
ip address 192.168.140.1 255.255.255.0
interface Vlan60
ip address 192.168.130.4 255.255.255.0
router eigrp 1
network 192.168.140.0
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.150.1 permanent
ip http server
ip http secure-server
control-plane
!
line con 0
line vty 0 4
password test
login
line vty 5 15
password test
login
!


mktest4#
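A systematic way to read the two configurations above is to check, for every routed interface, whether any `network` statement of the EIGRP process covers its address, because EIGRP sends hellos and forms neighbors only on interfaces that a `network` statement matches. The Python below is an added example, not code from the post: it parses trimmed copies of the mktest3 and mktest4 configurations (taken from the post, with most interfaces omitted), lists interfaces the process does not run on, and reports the subnets both switches share together with whether each side has EIGRP enabled there. Because the pasted text lost its indentation, the parser keys on keywords rather than leading spaces, which is an assumption specific to this example.

```python
"""Which routed interfaces does an IOS EIGRP process actually run on?

Added example, not code from the forum post. EIGRP forms neighbors only on
interfaces whose address matches a `network` statement of the process. The two
configurations below are trimmed from the post; the pasted text had lost its
indentation, so the parser keys on keywords instead of leading spaces.
"""
import ipaddress

MKTEST3 = """\
hostname mktest3
ip routing
interface GigabitEthernet2/0/4
no switchport
ip address 192.168.150.1 255.255.255.0
interface Vlan1
no ip address
shutdown
interface Vlan2
ip address 192.168.124.1 255.255.255.0
interface Vlan3
ip address 192.168.125.1 255.255.255.0
interface Vlan60
ip address 192.168.130.2 255.255.255.0
router eigrp 1
network 192.168.124.0
network 192.168.125.0
ip route 0.0.0.0 0.0.0.0 192.168.150.2 permanent
"""

MKTEST4 = """\
hostname mktest4
ip routing
interface GigabitEthernet1/0/1
no switchport
ip address 192.168.150.2 255.255.255.0
interface Vlan20
ip address 192.168.140.1 255.255.255.0
interface Vlan60
ip address 192.168.130.4 255.255.255.0
router eigrp 1
network 192.168.140.0
ip route 0.0.0.0 0.0.0.0 192.168.150.1 permanent
"""


def classful_prefix(address: str) -> int:
    """Prefix length IOS assumes for a `network` statement without a wildcard mask."""
    first = int(address.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24


def parse_config(text):
    """Return ({interface: IPv4Interface}, [EIGRP network objects], AS number)."""
    interfaces, networks, asn, context = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            context = line.split(None, 1)[1]
        elif line.startswith("router eigrp "):
            context, asn = "eigrp", int(line.split()[2])
        elif line.startswith("ip address ") and context not in (None, "eigrp"):
            parts = line.split()                     # ip address A.B.C.D M.M.M.M
            interfaces[context] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif context == "eigrp" and line.startswith("network "):
            parts = line.split()                     # network A.B.C.D [wildcard]
            mask = parts[2] if len(parts) > 2 else str(classful_prefix(parts[1]))
            networks.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
        elif line.startswith(("ip route", "ip http", "ip classless", "line ", "control-plane")):
            context = None                           # back at global configuration
    return interfaces, networks, asn


def eigrp_enabled(ifc, networks) -> bool:
    return any(ifc.ip in net for net in networks)


def uncovered_interfaces(text):
    """Routed interfaces whose address falls in no `network` statement."""
    interfaces, networks, _ = parse_config(text)
    return sorted(name for name, ifc in interfaces.items() if not eigrp_enabled(ifc, networks))


def common_links(text_a, text_b):
    """Subnets both devices sit on, with whether each side runs EIGRP there."""
    ifs_a, nets_a, _ = parse_config(text_a)
    ifs_b, nets_b, _ = parse_config(text_b)
    links = [(str(ia.network), eigrp_enabled(ia, nets_a), eigrp_enabled(ib, nets_b))
             for ia in ifs_a.values() for ib in ifs_b.values() if ia.network == ib.network]
    return sorted(links, key=lambda link: ipaddress.ip_network(link[0]))


if __name__ == "__main__":
    for name, cfg in (("mktest3", MKTEST3), ("mktest4", MKTEST4)):
        print(f"{name}: EIGRP not running on {uncovered_interfaces(cfg)}")
    for subnet, a_on, b_on in common_links(MKTEST3, MKTEST4):
        print(f"shared {subnet}: mktest3 EIGRP={a_on}, mktest4 EIGRP={b_on}")
```

A shared subnet reported with EIGRP disabled on both sides is a link over which no hellos are exchanged; the same parser also confirms that both processes use the same autonomous system number, which is the other precondition for an adjacency.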

Tuesday, January 14, 2014

Loadbalancer IPMI problems. Help with configuring Cisco 3750/2950

I'm attempting to replicate here in the office and find the solution for a problem that we are experiencing at both our data centre sites. This is the problem:

Every time we load the IPMI WebUI to any of our Loadbalancer Supermicro units, the IPMI crashes shortly after logging in and connectivity can only be restored by power cycling the Loadbalancer or disconnecting/reconnecting the network.

There are two Loadbalancers in each rack as Master/Slave.

The IPMI ports are connected to stacked Cisco WS-C3750X-24T-L   switches into a management VLAN.

As a potential solution we have decided to have a switch just for the IPMI/RSAs but this is currently not working as expected as there is no connectivity from the internal network to the IPMI port even though the VLAN is correct.

The crossed cables connecting the 3750 switches and the 2950 switch are configured as LACP.

Is this a standard configuration or is there an obvious problem with how we're set up?

There needs to be failover in the event that one of the stacked switches fails. The only single point of failure is the 2950, this isn't ideal but most of the servers in the rack only have a single remote management NIC.

Below is a diagram. If you need any more information just ask.

You already have VLAN tagging with the "switchport mode trunk" and "switchport trunk encapsulation dot1q" commands. What you need is VLAN 103 and 104 on both the 3750 and the 2960 in the vlan database ("show vlan" will tell you if they are there). Then you add an "interface vlan 103" to the 3750 and give it the IP address of the default gateway of your load balancer. And you give your 2960 an "interface vlan 104" and set the IP address to an address of the subnet that you will use for management.


When in doubt please post configs without passwords/keys.