I ran into a situation like this a long time ago where a distribution 6500 was configured with a specific access VLAN and on the other end was a 3750 with no configuration at all (everything in vlan 1). The switch was working as expected and providing access to the appropriate VLAN listed on the 6500. This I believe is by design and partly what makes VLAN 1 so insecure.
During an outage period I simply updated the configuration on both ends to properly reflect what it should be (a proper trunk, and hosts on the access switch in the proper VLANs). I assume the core switch connects to this other switch, which is just an access switch. If that is the case you shouldn't have any loops in the network, but you do have an insecure configuration.
The VTP notification is simply informing you that the remote device is running v1. I assume your core switch is running VTP version 2.
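The fix described in the reply above (a deliberate trunk on the distribution side, host ports pinned to specific VLANs on the access side, and nothing left riding VLAN 1) looks roughly like the following Cisco IOS configuration. This is an added illustration, not the poster's actual configuration: the interface names, VLAN numbers and names are assumptions chosen for the example.

```cisco
! ---- Distribution 6500 (assumed uplink to the access switch on Gi1/1) ----
vlan 100
 name USERS
vlan 200
 name SERVERS
vlan 999
 name NATIVE_UNUSED          ! dead VLAN used only as the trunk native VLAN
!
interface GigabitEthernet1/1
 description Uplink to access 3750
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999      ! keep untagged frames off VLAN 1
 switchport trunk allowed vlan 100,200 ! prune everything not needed, VLAN 1 included
 switchport mode trunk
 switchport nonegotiate                ! explicit trunk, no DTP
!
! ---- Access 3750 (assumed uplink Gi1/0/1, host ports Gi1/0/2 - 24) ----
vlan 100
 name USERS
vlan 200
 name SERVERS
vlan 999
 name NATIVE_UNUSED
!
interface GigabitEthernet1/0/1
 description Uplink to 6500
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 switchport nonegotiate
!
interface range GigabitEthernet1/0/2 - 24
 description Host ports
 switchport mode access
 switchport access vlan 100            ! hosts belong to an explicit VLAN, not VLAN 1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan1
 shutdown                              ! no management address left on VLAN 1
!
vtp mode transparent                   ! stops the v1/v2 mismatch noise and unwanted VTP updates
```

After applying it, `show interfaces trunk` on both ends should list only VLANs 100 and 200 as allowed and active, with 999 as the native VLAN, and `show vlan brief` on the 3750 should show no host ports in VLAN 1. If VTP is kept in server/client mode instead of transparent, both switches need the same `vtp version` for the notification in the reply to go away.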
A co-worker and I are trying to implement vPC on a Nexus 7004 with layer 3 routing to a single Nexus 7700 upstream. I have experience implementing the Nexus and vPC in a layer 2 only configuration but I've found that trying to do layer 3 routing w/ vPC has its challenges from the various design guides and blogs I've read.
The current configuration is below. We have a 7004 (which we control) that has a point-to-point connection to a 7700 which we do not control. The connection is a Layer 3 LACP channel with 2 links. We have a static route that two networks use to route out to the rest of the network. The remaining SVIs on the 7004 are internal but do route between each other as needed.
The goal is to implement vPC with an additional 7004 that was purchased. We need to understand how we perform the Layer 3 between the 7700 and the 7004 devices. We know we need to implement HSRP on both devices to support the SVIs and provide a single virtual gateway for the systems on the network. However, I have found very few configs that show how to implement the Layer 3 to a single device. Would someone be able to provide some insight on options for how we would configure the L3 connection between our 7004s and the 7700? How would the 7700 be configured to talk to the 7004s and vice versa? Would we have to use a routing protocol (like OSPF) or could we do it with static routes? Could we change the links from L3 point-to-point to a Layer 2 vPC and use SVIs to route between the devices?
Thanks in advance for any assistance you can provide.
I have a question with regard to setting up the ID firewall on the ASA 5585 in a single-forest, multiple-domain Windows network. Currently I have a semi-operational IDF at the top level but can't find users on the other, lower domains. Here is the setup. I have 3 domains:

domain1.test.com
domain2.domain1.test.com
domain3.domain2.domain1.test.com

Both domains have a two-way parent-child trust and I can look for users in AD Users/Computers on both domains. I initially set up the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the AD agent. I installed the AD agent on the domain1.test.com domain controller, configured the settings on that system, and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain2 and domain3 users and found none. I went ahead and added the domain2 system to the AD agent on the DC and the system says that it is up, but when I search for users it is not pulling them from domain2. Instead, it shows domain1 users as domain2\user1. I also configured another AD server in the ASA to search LDAP on domain2, to no avail.

The Cisco documentation states the following:

"Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains: All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships."

Reading that, it sounds like it should just work. I had everything properly configured before I installed the AD agent, but I'm guessing that there is a chance that you can't have the AD agent on the top-level DC and get it to communicate with the lower-level domains. I wanted to ask, though, before I blow everything up and start over. The instructions are not overwhelmingly clear on what needs to be done in this scenario. Suggestions?
Hello, I am trying to find out the proper IOS command on a 3750 or a 4948 (if possible) to do bridge multicast filtering. The group I am supporting previously did this on a Dell PowerConnect 3324. The Dell configuration looks something like this:

*Example*
int vlan 50
bridge multicast address 0100.5e40.000a add ethernet 1/e5

On the Dell you would continue adding any additional MAC addresses that you have and point them to the specific ports you want them to go to. Essentially I need to know how to make the above happen on the Cisco devices named above. I've spent a good part of the day trying to look through switch configuration documents and looking at the physical switch being used, and haven't seen anything that looks close. Thanks for any assistance, Matt