VDS and Cisco 3750 - PVLANS
I was not able to get the VDS to talk to the physical switch (Cisco 3750 running IOS 12.2(53)SE). I tried many different configurations. Any comments on how to get this working would be welcome. Here are 3 different configurations I tried:
Setup: I have 3 vSphere 4 servers, each attached through 2 connections to a Cisco 3750. I created a dvSwitch and added VLAN 100 as the primary, secondary VLAN 101 (isolated) and secondary VLAN 102 (community). Communication on the PVLANs works between the ESX servers as it is supposed to, but I cannot connect to these PVLANs from the Cisco switch.
The 3750 talks to the firewall on VLAN 100, but will not talk to the ESX servers. Here are the configurations I tried; all of them have failed. What am I doing wrong?
Configuration 1 (setting the switchports to promiscuous mode and using the layer-2 mapping to the PVLANs):
vlan 100
 private-vlan primary
 private-vlan association 101-102
!
vlan 101
 name PVLAN_Isolated
 private-vlan isolated
!
vlan 102
 name PVLAN_Community
 private-vlan community
!
interface FastEthernet1/0/1
 description ESX_VM_Trunk_Ports
 switchport private-vlan mapping 100 101-102
 switchport mode private-vlan promiscuous
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/2
 description ESX_VM_Trunk_Ports
 switchport private-vlan mapping 100 101-102
 switchport mode private-vlan promiscuous
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/3
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport private-vlan mapping 100 101-102
 switchport mode private-vlan promiscuous
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/4
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport private-vlan mapping 100 101-102
 switchport mode private-vlan promiscuous
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/5
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport private-vlan mapping 100 101-102
 switchport mode private-vlan promiscuous
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/6
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport private-vlan mapping 100 101-102
 switchport mode private-vlan promiscuous
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface Vlan100
 description "PVLAN" primary
 ip address 74.X.X.X 255.255.252.0
 no ip redirects
 private-vlan mapping 101-102
Configuration 2 (defining the trunk ports with the primary VLAN as their native VLAN):
vlan 100
 private-vlan primary
 private-vlan association 101-102
!
vlan 101
 name PVLAN_Isolated
 private-vlan isolated
!
vlan 102
 name PVLAN_Community
 private-vlan community
!
interface FastEthernet1/0/1
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/2
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/3
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/4
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/5
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/6
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface Vlan100
 description "PVLAN" primary
 ip address 74.X.X.X 255.255.252.0
 no ip redirects
 private-vlan mapping 101-102
Configuration 3 (setting native VLAN 2, something other than the primary VLAN, on the trunk ports to the ESX servers):
vlan 100
 private-vlan primary
 private-vlan association 101-102
!
vlan 101
 name PVLAN_Isolated
 private-vlan isolated
!
vlan 102
 name PVLAN_Community
 private-vlan community
!
interface FastEthernet1/0/1
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/2
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/3
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/4
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/5
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/6
 description ESX_VM_Trunk_Ports
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 101,102
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface Vlan100
 description "PVLAN" primary
 ip address 74.X.X.X 255.255.252.0
 no ip redirects
 private-vlan mapping 101-102
What I've found is that the Cisco 3750s are PVLAN-aware, but do not support promiscuous trunks for the ESX servers. Only the 4500, 4900 and 6500 series can do promiscuous PVLAN trunks, due to their hardware ASICs.
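Added example (not from the thread): a small Python checker that reads the PVLAN parts of an IOS configuration like the three above and reports the mismatches a reviewer looks for: secondary VLANs not declared or not associated with the primary, promiscuous or SVI mappings that do not match the association, a promiscuous port that also carries a trunk encapsulation (a promiscuous port is an untagged access port, so that line does nothing), and secondary VLANs carried on a regular 802.1Q trunk, which has no promiscuous mapping at all. The sample configuration inside is constructed from Configurations 1 and 2 plus a stray VLAN 103; the function names and finding texts are my own.

```python
"""PVLAN consistency checks for a Cisco IOS configuration (added example)."""
import re

# Constructed sample: the VLAN block of Configuration 1, one clean promiscuous
# port, one promiscuous port with two mistakes, one regular trunk carrying the
# secondary VLANs (as in Configurations 2 and 3), plus a stray secondary VLAN.
SAMPLE_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101-102
!
vlan 101
 private-vlan isolated
!
vlan 102
 private-vlan community
!
vlan 103
 private-vlan isolated
!
interface FastEthernet1/0/1
 switchport private-vlan mapping 100 101-102
 switchport mode private-vlan promiscuous
!
interface FastEthernet1/0/3
 switchport trunk encapsulation dot1q
 switchport private-vlan mapping 100 101-103
 switchport mode private-vlan promiscuous
!
interface FastEthernet1/0/7
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 101,102
 switchport mode trunk
!
interface Vlan100
 private-vlan mapping 101-102
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '101-103,105' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_stanzas(text):
    """Yield (header, [sub-commands]) for each top-level IOS stanza."""
    header, body = None, []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":  # an unindented line starts a new stanza
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
        else:
            body.append(raw.strip())
    if header is not None:
        yield header, body


def lint_pvlan(text):
    """Return a list of findings (strings); an empty list means consistent."""
    primaries, secondaries, interfaces = {}, {}, []
    for header, body in parse_stanzas(text):
        kind, _, arg = header.partition(" ")
        if kind == "vlan" and arg.isdigit():
            vid = int(arg)
            for cmd in body:
                m = re.fullmatch(r"private-vlan (primary|isolated|community)", cmd)
                if m and m.group(1) == "primary":
                    primaries.setdefault(vid, set())
                elif m:
                    secondaries[vid] = m.group(1)
                m = re.fullmatch(r"private-vlan association (\S+)", cmd)
                if m:
                    primaries.setdefault(vid, set()).update(expand_vlans(m.group(1)))
        elif kind == "interface":
            interfaces.append((arg, body))

    findings = []
    # 1. Every associated secondary is declared, and every declared secondary is associated.
    associated = set().union(*primaries.values())
    for pri, assoc in sorted(primaries.items()):
        for sec in sorted(assoc - set(secondaries)):
            findings.append(f"vlan {pri}: associated VLAN {sec} is not declared isolated or community")
    for sec in sorted(set(secondaries) - associated):
        findings.append(f"vlan {sec}: {secondaries[sec]} VLAN is not associated with any primary")

    for name, body in interfaces:
        mode = next((c.split()[-1] for c in body if c.startswith("switchport mode ")), None)
        for cmd in body:
            # 2. Promiscuous-port and SVI mappings must match the association exactly.
            m = re.fullmatch(r"(?:switchport )?private-vlan mapping (?:(\d+) )?(\S+)", cmd)
            if m:
                pri = int(m.group(1)) if m.group(1) else int(name[4:])  # SVI form: 'interface VlanN'
                if pri not in primaries:
                    findings.append(f"{name}: maps to VLAN {pri}, which is not a declared primary")
                    continue
                for sec in sorted(expand_vlans(m.group(2)) - primaries[pri]):
                    findings.append(f"{name}: mapping names VLAN {sec}, not associated with primary {pri}")
            # 3. A regular trunk carries secondary VLANs with no promiscuous mapping of its own.
            m = re.fullmatch(r"switchport trunk allowed vlan (\S+)", cmd)
            if m and mode == "trunk":
                carried = sorted(expand_vlans(m.group(1)) & set(secondaries))
                if carried:
                    findings.append(f"{name}: regular 802.1Q trunk carries secondary VLAN(s) {carried}; "
                                    "the promiscuous mapping configured on the access ports does not apply here")
        # 4. A promiscuous port is an untagged access port; trunk encapsulation is inert on it.
        if mode == "promiscuous" and any(c.startswith("switchport trunk encapsulation") for c in body):
            findings.append(f"{name}: promiscuous mode is an untagged access port; "
                            "'switchport trunk encapsulation' has no effect")
    return findings


if __name__ == "__main__":
    for finding in lint_pvlan(SAMPLE_CONFIG):
        print(finding)
```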
Tags: VMware
Similar Questions
-
ESX 3.5, iSCSI and Cisco 3750
I have a pretty basic, newly created environment: three ESX 3.5 servers, NetApp for storage and a stack of two Cisco 3750s.
I'm using iSCSI for my VMFS datastore and will only run about 15-20 VMs at best. This isn't a big environment, but I want to plan for future growth and I won't get a second chance to get the 3750 stack configuration right.
I have 2 gigabit Ethernet ports per host to the storage and 4 gigabit Ethernet ports from my NAS, all converging on the Cisco stack.
Can someone point me to a Cisco config guide or white paper that can guide me through the setup to take advantage of cross-stack EtherChannel and load balancing on the ESX side?
Suggestions?
Experiences?
Advice?
Much appreciated in advance.
Hello.
While it's not Cisco hardware, Scott Lowe has some excellent articles on this subject.
http://blog.scottlowe.org/2007/06/13/Cisco-link-aggregation-and-NetApp-vifs/
http://blog.scottlowe.org/2008/10/08/more-on-VMware-ESX-NIC-utilization/
Good luck!
-
Need to increase network speed on my vSphere 4.1 with Cisco 3750
Hello
Do I need to increase my network speed now on my ESXi vSphere 4.1 and my Cisco 3750 switch? RDP to the ERP application is now affected by the speed. What would be the best solution for this? Each host in my vSphere has two NICs for the VM network and vMotion. Each network adapter is 1 G and the Cisco 3750 bandwidth is 1 G.
Add more NICs, separating vMotion and the VM network? Do all the network adapters in the VM network combine their bandwidth? Or do I just have to prioritize the RDP session in my Cisco switch? Or will all of these help?
help please, thank you.
It is recommended to separate management, vMotion, storage and VM LAN traffic from each other (or in the case of 10 G, use QoS to rate-limit and separate each type of traffic)...
On a standard server with 50 or so VMs on it, dual 1 Gbit NICs is plenty of bandwidth for VM traffic... and actually on blades, I have seen 2x1 GB NICs handle all traffic very well...
RDP uses about 121 kbit/s of traffic per RDP session (on average)... I highly doubt that your network interface card speed is causing your performance issues, but you should easily be able to tell whether you have network saturation problems with simple PRTG, MRTG or SolarWinds type monitoring.
-
NIC teaming with HP VirtualConnect and Cisco load balancing
Hello
I am configuring an ESX infrastructure running on HP blades (c7000 enclosure), VirtualConnect and Cisco 3750 switches for the uplinks. My network configuration is based on the HP VirtualConnect Cookbook, scenario 11.
On the ESX server, I configured a vSwitch with two teamed NICs. Each NIC sees a different VirtualConnect network. Each VC network has SmartLink enabled.
Each VirtualConnect network is associated with two ports on a VC bay. These two ports are the uplinks to the Cisco 3750 switches. The Cisco switches are configured as a stack, and each port associated with a VC network is configured with LACP.
Here are the facts:
- Each network (Host A and Host B) is properly configured for LACP; in other words, the links are shown as active/active in the VC Manager.
- Communication from ESX is good.
- Failover and failback work OK.
The problem: I can't get load balancing to work. All virtual machines use a single link. I tried different algorithms on the ESX server (source port ID, MAC hash, IP hash) and the equivalent configuration on the Cisco side.
I have attached a diagram of the physical network, but also the setting to ports.
What am I missing? Thank you very much
Pablo
Because technically you do not want to create a channel from an ESX perspective, you do want to use IP hash. If ESX attempts to send traffic through both network cards, the Cisco switch should drop that packet as part of its loop avoidance algorithms. You should be able to check that in the switch port statistics. You should not use the switch port ID.
Not sure about the promiscuous mode. That should not matter as far as load balancing is concerned, unless the port group did not properly inherit the vSwitch properties?
-KjB
VMware vExpert
-
Telnet and SSH issue on Cisco 3750.
I reloaded the Cisco 3750 and since then I have not been able to connect to the box. I even changed the source interface and updated the transport input method under the VTY lines, no luck.
I then chose to disable SSH by removing the corresponding config lines and RSA keys, and changed the transport input back to Telnet. After the reboot of the switch, I'm still not able to connect, despite the fact that the box is reachable.
Any help?
Thank you
Jean-Marie
Hello
This should help you confirm the configuration and troubleshoot SSH on your device:
http://www.Cisco.com/c/en/us/support/docs/security-VPN/Secure-Shell-SSH/4145-SSH.html
I hope this helps.
Kind regards
Dinesh Moudgil
PS: Please rate helpful messages.
-
Newbie: connecting a DELL 6248 stack to a CISCO 3750 stack
Hi all
I need to extend the desktop LAN by connecting an existing CISCO 3750 stack to a new DELL 6248 stack.
I intend to use the fiber/combo port on the DELL 6248 to connect to the CISCO uplink port.
I want to use DELL port 48, but I saw there were both 1/g48 and 1/xg48. From memory, they are mutually exclusive.
Q1. Does that mean I just configure 1/g48 and leave 1/xg48 out of the config?
Q2. To connect the two stacks together, should I just define the two connecting ports as trunk ports? I have no experience doing this. FYI, we already use VLANs on the CISCO stack, so the new DELL stack must know about them.
Any help will be very appreciated!
Combo ports share the input and output of one PHY chip. Either the optical port or the RJ-45 port can be used, but not both at the same time. Whichever cable is connected first uses the PHY. If the Ethernet port is used, you configure it as 1/g48; if the fiber port is used, you configure it as 1/xg48.
Yes, you are right, a trunk connection is what you want between the two stacks. The commands on the PowerConnect switch look like this.
console>enable
console#config
console(config)#interface ethernet 1/g48
console(config-if)#switchport mode trunk
console(config-if)#switchport trunk allowed vlan add 2,3,4,5
On the PowerConnect 62xx switches, you must use general mode if you want to allow management traffic to the switch on the PVID. If you use trunk mode, you will not have the default VLAN on these ports; the ports will only allow tagged traffic. So if trunk mode does not work for you, switch to general mode.
As the Cisco stack already has VLANs on it, we must make sure the PowerConnect switch has those same VLANs. Here is an example of creating a VLAN on the PowerConnect switch.
console>enable
console#config
console(config)#vlan database
console(config-vlan)#vlan 2
console(config-vlan)#exit
console(config)#interface vlan 2
console(config-if)#name Marketing
console(config-if)#end
Another thing you may need to do is add a static route to help traffic get back across the stack.
ip route {network} {mask} {next-hop IP}
console#config
console(config)#ip route 172.16.0.0 255.255.0.0 10.0.0.2
console(config)#end
I hope this info helps.
Thank you.
-
Hi all
I could really do with some help with my Cisco 3750-X. Basically, I use the 3750 as a dedicated iSCSI switch which is connected to 3 Hyper-V servers via 1 GB (each Hyper-V server has 4x1 GB connections), and there is also a hybrid storage device connected to the switch using 10 GB SFP+.
On the 1 GB interfaces I see quite a few output drops, but on the 10 GB interfaces I do not see output drops. I really need to find out what causes the output drops and how I can solve this problem.
That's what I've configured on the switch:
- Jumbo frames with an MTU of 9000
- Flow control receive desired on all interfaces
- Quality of Service disabled (saw issues before enabling QoS)
- Spanning-tree PortFast enabled on all interfaces
I have also uploaded the output of some show commands that should hopefully help (let me know if there are other commands you want me to run).
Thanks in advance for any help that anyone can give.
Disclaimer
The author of this post offers the information in this publication without compensation and with the understanding of the reader that there is no implicit or explicit fitness or suitability for any purpose. Information provided is for informational purposes only and should not be interpreted as professional advice of any kind. Use of information from this post is solely at the reader's risk.
LIABILITY
In no event shall the author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profits) arising out of the use or inability to use the information in the post, even if the author has been advised of the possibility of such damages.
Poster
You are probably bumping into the buffer limits of the 3750-X series.
You could update your IOS to the SE8 release, but I doubt that will help you in this case.
The only thing that could mitigate your drops is active flow control, although this can cause latency.
PS:
Disabling jumbo Ethernet frames may decrease drops too, although it lowers the effective data transfer rate.
-
CISCO 3750: OSPF over IP unnumbered interfaces
Hi Expert,
This is the first time that I'm working on OSPF and IP unnumbered interfaces.
My task is to bring up OSPF adjacencies between two CISCO 3750 switches connected back-to-back through IP unnumbered interfaces. I use the loopback interface to borrow the IP addresses for the unnumbered interfaces on both CISCO switches. After trying many times, OSPF does not come up at all through the unnumbered interfaces, but when I tried with numbered interfaces it was fine.
I'm pasting the complete running-config here. Please help me solve the problem.
Here is the brief setup info:
R1 (Gi1/0/19) - R2 (Gi1/0/19)
Switch R1:
===========
Current configuration : 2129 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface Loopback1
 ip address 10.10.10.10 255.255.255.0
!
interface GigabitEthernet1/0/1
 shutdown
!
interface GigabitEthernet1/0/2
 shutdown
!
interface GigabitEthernet1/0/3
 shutdown
!
interface GigabitEthernet1/0/4
 shutdown
!
interface GigabitEthernet1/0/5
 shutdown
!
interface GigabitEthernet1/0/6
 shutdown
!
interface GigabitEthernet1/0/7
 shutdown
!
interface GigabitEthernet1/0/8
 shutdown
!
interface GigabitEthernet1/0/9
 shutdown
!
interface GigabitEthernet1/0/10
 shutdown
!
interface GigabitEthernet1/0/11
 shutdown
!
interface GigabitEthernet1/0/12
 shutdown
!
interface GigabitEthernet1/0/13
 shutdown
!
interface GigabitEthernet1/0/14
 shutdown
!
interface GigabitEthernet1/0/15
 shutdown
!
interface GigabitEthernet1/0/16
 shutdown
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
 shutdown
!
interface GigabitEthernet1/0/19
 no switchport
 ip unnumbered Loopback1
 ip ospf network point-to-point
!
interface GigabitEthernet1/0/20
 shutdown
!
interface GigabitEthernet1/0/21
 shutdown
!
interface GigabitEthernet1/0/22
 shutdown
!
interface GigabitEthernet1/0/23
 shutdown
!
interface GigabitEthernet1/0/24
 shutdown
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 100
 router-id 100.100.100.100
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 0
!
ip classless
ip route 20.20.20.20 255.255.255.255 GigabitEthernet1/0/19
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
line vty 5 15
!
!
monitor session 1 source interface Gi1/0/19
monitor session 1 destination interface Gi1/0/17
end
===
Switch#show ip interface brief | include up
GigabitEthernet1/0/17  unassigned   YES unset  up   down
GigabitEthernet1/0/19  10.10.10.10  YES manual up   up
Loopback1              10.10.10.10  YES manual up   up
==================================================
Switch R2:
==================
Switch#show running-config
Building configuration...
Current configuration : 2079 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
switch 1 provision ws-c3750g-24t
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface Loopback1
 ip address 20.20.20.20 255.255.255.0
!
interface GigabitEthernet1/0/1
 shutdown
!
interface GigabitEthernet1/0/2
 shutdown
!
interface GigabitEthernet1/0/3
 shutdown
!
interface GigabitEthernet1/0/4
 shutdown
!
interface GigabitEthernet1/0/5
 shutdown
!
interface GigabitEthernet1/0/6
 shutdown
!
interface GigabitEthernet1/0/7
 shutdown
!
interface GigabitEthernet1/0/8
 shutdown
!
interface GigabitEthernet1/0/9
 shutdown
!
interface GigabitEthernet1/0/10
 shutdown
!
interface GigabitEthernet1/0/11
 shutdown
!
interface GigabitEthernet1/0/12
 shutdown
!
interface GigabitEthernet1/0/13
 shutdown
!
interface GigabitEthernet1/0/14
 shutdown
!
interface GigabitEthernet1/0/15
 shutdown
!
interface GigabitEthernet1/0/16
 shutdown
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
 shutdown
!
interface GigabitEthernet1/0/19
 no switchport
 ip unnumbered Loopback1
 ip ospf network point-to-point
!
interface GigabitEthernet1/0/20
 shutdown
!
interface GigabitEthernet1/0/21
 shutdown
!
interface GigabitEthernet1/0/22
 shutdown
!
interface GigabitEthernet1/0/23
 shutdown
!
interface GigabitEthernet1/0/24
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 100
 router-id 200.200.200.200
 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
!
ip classless
ip route 10.10.10.10 255.255.255.255 GigabitEthernet1/0/19
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
!
!
line con 0
line vty 5 15
!
!
monitor session 1 source interface Gi1/0/19
monitor session 1 destination interface Gi1/0/17
end
====================
Switch#show ip interface brief | include up
GigabitEthernet1/0/17  unassigned   YES unset  up   down
GigabitEthernet1/0/19  20.20.20.20  YES manual up   up
Loopback1              20.20.20.20  YES manual up   up
====================================
Thank you very much in advance for your answer!
Kind regards
Aerts
Hi AEK.
The ip unnumbered command does not work on multiaccess interfaces such as Ethernet (even when you configure them as OSPF point-to-point):
Understanding and Configuring the ip unnumbered Command
Cisco IOS IP Addressing Services Command Reference: ip unnumbered
HTH
Rolf
[EDIT]:
... apparently, with the exception of high-end platforms such as the 6k:
Command History
(...)
12.2(18)SXF: This command was modified to support Ethernet physical interfaces and switched virtual interfaces (SVIs).
-
Cisco 3750X-24 port stacked: VRF support?
Hello community,
We have 2 x WS-C3750X-24T-S switches that are stacked through StackWise cables. We would like to enable VRF on them, but the commands are not there. We currently have the IP Base license (which I know is the reason). I tried to do some research and looked at the release notes, but the answer is not clear. I read that it is only available on a stand-alone and not on a stacked switch. Does anyone out there know if this device is capable of doing VRF as a stack? If so, what are the requirements?
Thank you
Neocec
Hello
You can use this link to check which image you need.
Ref: http://www.Cisco.com/go/fn
1. Select 'Search by feature' and 'Multi-VRF (VRF Lite) support'
2. Select 'Cisco 3750X'.
Finally, you will see which IOS releases support this feature. Then go to the download page (if you are entitled to download).
HTH,
Toshi
-
Is a VLAN created on a Cisco 3750G with the latest IOS a 'good' way to secure a VMware network? In this case, I'm hiding vMotion traffic, and the entire network is behind a firewall. I realize it would be better to have a dedicated, isolated switch, but is a VLAN on a reliable Cisco switch secure? Or does the security lie elsewhere, for example encrypting the vMotion traffic or solid ACLs?
Sly-
I think you nailed it in your post; there are some things you need to do when using VLANs to avoid trouble. The vulnerability Tom referred to has to do with IOS/CatOS decoding of VTP frames - just like we see in the Windows RPC/NetBIOS or SMB/CIFS vulnerabilities or other remotely exploitable vulnerabilities, it is possible to craft a frame with malicious content that could overflow a buffer, hit bad string handling (unchecked input), double frees, etc. This type of vuln is often found by "fuzzing", where you create bad or partially wrong frames and feed them into the unit under test, in the hope of finding a crash or creating a denial of service. I remember simple tools like ISIC (IP Stack Integrity Checker) to validate running equipment, and occasionally it would cause a switch to crash, especially older IOS. So it is not limited to control plane protocols such as VTP; this can also happen in the data plane. The data plane is much more robust because its attack surface is much more exposed to attacks than protocols like VTP, and a large number of problems have been fixed. If you look back in history, there are tons of security issues in the Cisco data plane and other gear in less-used features such as IP options, fragment handling, rarely used ICMP types and codes, TCP sequence overflows. Now, I bet that if the security research community had concentrated early on protocols such as CDP, VTP and STP, you would have seen several vulnerabilities earlier.
So to say "don't use VLANs, otherwise you are vulnerable because of a VTP vulnerability" is equivalent to saying do not run IP on Cisco routers/switches because IP and ICMP vulnerabilities exist in the data plane.
Now, if you had followed what Cisco and other L2 switch vendors recommend, you would not be exposing your VTP domain to such attacks and therefore you would not be vulnerable. Just as you would not expose your switches to receiving Spanning Tree BPDUs or dynamic routing protocol packets such as OSPF, IS-IS or BGP from unapproved speakers. Take a look at a blog I posted w/r/t this topic:
http://blogs.VMware.com/Networking/2009/06/lets-talk-security-DMZs-VLANs-and-L2-attacks.html
There is a lot of fear in the community about L2 attacks, because networks and network devices are often a mystery to server people, and a bad L2 configuration could be a source of security and stability problems. It is important to educate the community on the possible exposures, and VMware and other market leaders such as Cisco take that responsibility.
Disclosure on my part - I'm speaking from having had operational experience implementing and running one of the largest data center networks worldwide (Global Crossing/GlobalCenter -> later became Exodus -> Savvis) as one of the senior network engineers, and even 10 years back we would have data centers with a massive switch fabric that hosted customers like Yahoo, Ask Jeeves, etc. - isolated and segmented using VLANs. If you go into a large hosted data center today, you certainly would not get your own physical switch and backbone uplink - you would share a 6500, a Foundry or a big Extreme with often 100+ other customers.
-
LACP hash between N3048 and CISCO SG300/SG200 + Twinax direct attach cable question
Hello
In my network I have deployed two new N3048s with 2 SFP+ transceivers and a rear SFP+ module as core switches; they are connected to 3 other N2048 edge switches using optical fiber, and I reused my previous CISCO SG300 and SG200 to serve the other two buildings of my campus via the copper backbone.
I have 4 copper cables going from the network hub to the SG300 and 2 copper cables to the SG200. I set it up to have a redundant connection using 2+2 with the SG300 and 1+1 with the SG200, with RSTP.
So for the SG300 I created a LAG + LACP to have two port channels on the N3048s, but for now only a single cable is connected, because I don't know what kind of LACP hash mode I should set on the N3048 to have a hash that is compatible between the Dell and Cisco switches.
My N3048s have mode 7 (advanced hash) as default, but I guess the Cisco models do not understand it... so, what mode is best for LACP to work properly with the Cisco small business switches?
I also received my twinax cables to connect my two N3048s via the rear SFP+ modules... can I hot plug the cables into the SFP+ slots (already mounted) without turning off my core switches?
Thank you!
See you soon
Cables can be connected/disconnected, but I don't know if the actual SFP+ module for the rear of the N3000 is hot pluggable.
-
Unable to connect to WPA2 network with Windows 7 64-bit (Intel 4965 and Cisco WUSB600N)
Connecting to a WPA2 network seems to be a fairly common problem. Yet I can't find a solution.
OS: Windows 7 Ultimate 64-bit
Wireless adapter(s): Intel 4965AGN (integrated into Dell XPS M1330) and Cisco/Linksys WUSB600N
Drivers: latest Windows 7 64-bit drivers from both companies' websites. Intel (v12.4.1.4), Linksys (3.0.10.0)
Network properties: WPA2 Enterprise, AES encryption, PEAP authentication, several types of routers around the world
History: was able to use the same laptop with Vista 32-bit on this network without any problem
I can connect to non-WPA networks; WPA networks simply don't work.
When trying to connect to my company's WPA2 network (at any of our locations around the world):
Method #1:
- Select "Other network" in the network list
- Enter the SSID of the network
- Windows could not connect to the SSID
Method #2:
- Open Network and Sharing Center
- Select "Set up a new connection or network"
- Select "Manually connect to a wireless network"
- Select one of my adapters
- Enter the SSID, WPA2-Enterprise as security type, AES as encryption type, check the boxes to connect automatically and connect even if the network is not broadcasting
- An unexpected error has occurred
Method #3: Try to trick Windows
- Open Network and Sharing Center
- Select "Set up a new connection or network"
- Select "Manually connect to a wireless network"
- Select one of my adapters
- Enter the SSID but select an open network
- Add the network
- Then try to change the properties
- Set security type to WPA2-Enterprise
- Set encryption type to AES
- The "Choose a network authentication method:" drop-down menu is empty!
- Windows has encountered an error saving the wireless profile. Specific error: the profile has an invalid length field.
I'm pretty desperate for a solution.
Kind regards
John
Are there a few people with Win7 x64 that cannot connect to WPA2 PEAP corporate/business networks and no solution?
Come on, guys, it's the Microsoft Answers site! Someone give me something! I have two Asus laptops, both with Intel network cards, having this problem on two separate enterprise (school) networks.
Edit:
RESOLVED:
Here's the thread of the resolution:
http://answers.Microsoft.com/en-us/Windows/Forum/Windows_7-networking/unable-to-connect-to-company-wireless-network/3bcd12b1-A0D8-4357-bded-07da96259920?page=3
The problem occurs when you run the Easy Transfer wizard from a computer that had Symantec Endpoint Protection installed to one without it.
Answer, copy-pasted:
Inspect the key mentioned above - that is HKLM\System\CurrentControlSet\services\RasMan\PPP\EAP.
In each of the numbered keys, look for something like ConfigPathBackup and its corresponding ConfigPath - there are a number of them.
For each, I deleted the original key (e.g., ConfigPath) and restored the original by renaming ConfigPathBackup to ConfigPath.
For each of them, the state is now restored to its pre-Symantec state - each key pointed to a Symantec location that is no longer present, and by restoring the path from the backup key everything was fine.
-
This version of Cisco Adaptive Security Appliance Software, Version 9.6(1)5, is affected by the Cisco Adaptive Security Appliance SNMP Remote Code Execution vulnerability and the Cisco Adaptive Security Appliance CLI Remote Code Execution vulnerability of
Hi vrian_colaba,
You can take a look at Cisco's advisory here:
https://Tools.Cisco.com/Security/Center/content/CiscoSecurityAdvisory/CI...
Fixed versions
Cisco ASA Major Release   First Fixed Release
7.2                       Affected; migrate to 9.1.7(9) or later
8.0                       Affected; migrate to 9.1.7(9) or later
8.1                       Affected; migrate to 9.1.7(9) or later
8.2                       Affected; migrate to 9.1.7(9) or later
8.3                       Affected; migrate to 9.1.7(9) or later
8.4                       Affected; migrate to 9.1.7(9) or later
8.5                       Affected; migrate to 9.1.7(9) or later
8.6                       Affected; migrate to 9.1.7(9) or later
8.7                       Affected; migrate to 9.1.7(9) or later
9.0                       9.0.4(40)
9.1                       9.1.7(9)
9.2                       9.2.4(14)
9.3                       9.3.3(10)
9.4                       9.4.3(8), ETA 26/08/2016
9.5                       9.5(3), ETA 30/08/2016
9.6 (FTD)                 9.6.1(11) / 6.0.1(2) FTD
9.6 (ASA)                 9.6.2
9.6(1)5 is not part of the fixed versions, which means it is affected by the SNMP Remote Code Execution vulnerability.
For the Cisco Adaptive Security Appliance CLI Remote Code Execution vulnerability you can also take a look at Cisco's advisory here:
https://Tools.Cisco.com/Security/Center/content/CiscoSecurityAdvisory/CI...
Fixed versions
The following table shows the first software releases that include fixes for this vulnerability (9.6 is not affected):
Cisco ASA Major Release   First Fixed Release
7.2                       Affected; migrate to 8.4(3) or later
8.0                       Affected; migrate to 8.4(3) or later
8.1                       Affected; migrate to 8.4(3) or later
8.2                       Affected; migrate to 8.4(3) or later
8.3                       Affected; migrate to 8.4(3) or later
8.4                       8.4(3)
8.5                       Affected; migrate to 9.0(1) or later
8.6                       Affected; migrate to 9.0(1) or later
8.7                       Affected; migrate to 9.0(1) or later
9.0                       9.0(1)
9.1                       Not affected
9.2                       Not affected
9.3                       Not affected
9.4                       Not affected
9.5                       Not affected
9.6                       Not affected
Hope this info helps!
Rate if it helps!
-JP-
-
HP J4853A and Cisco SFP Module 100BASE-FX
Hi all!
Are the HP J4853A and Cisco 100BASE-FX SFP modules not compatible?
Thank you!
Both are 100Base-FX, so at layer 1 they are interoperable.
Higher-layer features will not be handled on one platform or the other.
-
LAN-to-LAN tunnel between VPN 3000 and Cisco 1721
Hello
I have a working LAN-to-LAN tunnel configuration between a VPN 3000 (3.6) and a Cisco 1721 (12.2(11)T).
When I use encryption = DES-56 and authentication = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.
However, I would like to turn off encryption for some time to get the speed improvements, so I changed
encryption = esp-null (on the 1721) and to "null" on the VPN 3000.
Now the tunnel is set up, but I can pass only ICMP traffic. When I pass UDP\TCP traffic, the message below appears on the Cisco 1721:
% C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0
Has anyone seen this behavior?
Has anyone set up an IPSec tunnel with only ESP authentication and NO encryption between a VPN 3000 and a Cisco 1721?
Thanx
Naman
Naman,
Did you disable the VPN accelerator? "no crypto engine accelerator". I'm sure you can't do null with the VPN module.
Kurtis Durrett