I accidentally formatted my client Cisco Catalyst 3560 v2 24 PS. Now there is no firmware inside. Luckily I have another identical switch on standby. My question here: how do I back up the firmware from the standby switch to my client switch? I'm new in this field. Perhaps anyone can give instructions to help… BTW, the firmware is flash:/c3560-ipbasek9-mz.122-58.SE2/c3560-ipbasek9-mz.122-58.SE2.bin. Ty
How to extract ios firmware from catalyst 3560 v2
cisco-catalyst
Related Solutions
The 3750 does have some internal priority on what it prefers to punt when congested, but it's not configurable.
So you should rely on common best practices, that is on all your network edges you should have iACL (infrastructure ACL). In iACL you'd allow UDP highports, ICMP to infrastructure network addresses and drop rest. This way ping and traceroute work, but infrastructure cannot be attacked.
iACL should be complemented by policing the allowed traffic to small acceptable rates.
This way when external party is attacking addresses on your 3750, it'll be dropped by network border in the edge.
iACL usually is 100% static so it's low maintenance, as it'll only include infrastructure addresses (loopback, core links).
This will still leave wide open cases where your router is facing customer LAN directly, like when LAN is 192.0.2.0/24 and 3750 has 192.0.2.1 then usually 192.0.2.1 would not be covered by iACL and can be attacked.
The solution for those devices is either to invest in a device with proper CoPP capabilities or to maintain a dynamic iACL, always adding the router's customer-facing address there.
If you only face customers via link-networks (/30 or /31), the solution is much cleaner: you just omit advertising the link-network and add a static /32 route for the CPE side. This way parties external to this router cannot attack the router, as they won't have a route.
An alternative solution to the same issue is to use a non-continuous ACL entry in the iACL. If your CPE link-network is 198.51.100.0/24, in the iACL you could do 'deny ip any 198.51.100.0 0.0.0.254'; then all the even addresses would be allowed and odd addresses denied, so if the CPE is even and the 3750 is odd, all current and future links are protected without updating the iACL.
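Added example (not part of the original answer): a small Python check of Cisco wildcard-mask matching for a non-contiguous entry like the one discussed above, so the set of addresses an entry covers can be verified before it goes into an iACL. The function names and the two sample ACLs are constructed for illustration; a wildcard bit of 0 means the bit must equal the base address, 1 means "don't care".

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL semantics: compare only the bits where the wildcard is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF  # bits that must equal the base address
    return (a & care) == (b & care)

def evaluate(dst: str, acl) -> str:
    """First-match evaluation over (action, base, wildcard) destination entries,
    ending in the implicit deny that closes every IOS ACL."""
    for action, base, wildcard in acl:
        if wildcard_match(dst, base, wildcard):
            return action
    return "deny"

PERMIT_ANY = ("permit", "0.0.0.0", "255.255.255.255")

# Constructed sample ACLs over the page's example range 198.51.100.0/24.
# Same wildcard, different base address: the base's last bit selects the parity.
ACL_BASE_0 = [("deny", "198.51.100.0", "0.0.0.254"), PERMIT_ANY]
ACL_BASE_1 = [("deny", "198.51.100.1", "0.0.0.254"), PERMIT_ANY]

def denied_hosts(acl, network: str = "198.51.100.0/24"):
    """Every address in `network` that the ACL denies as a destination."""
    return [str(h) for h in ipaddress.ip_network(network)
            if evaluate(str(h), acl) == "deny"]

if __name__ == "__main__":
    for name, acl in (("base .0", ACL_BASE_0), ("base .1", ACL_BASE_1)):
        hosts = denied_hosts(acl)
        print(f"{name}: {len(hosts)} denied, first three: {hosts[:3]}")
```

Running it against a planned entry shows which side of each link (even or odd last octet) the deny actually covers, which depends on the last bit of the base address in the entry.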
Your Flow Monitor doesn't match your Flow Record or Flow Exporter. You have record NETFLOW and exporter NETFLOW. Try something like this:
flow monitor NETFLOW-MONITOR
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 statistics packet protocol
 statistics packet size
 cache timeout active 60
You also don't need the old NetFlow commands on the interface, so you can remove:
ip flow ingress
ip flow egress
This is the way I have seen it work successfully, albeit only used on layer-3 interfaces, and only in one direction or the other:
flow record NETFLOW-RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input
 collect interface output
 collect counter bytes
 collect counter packets
!
flow exporter NETFLOW-EXPORTER
 destination 10.10.10.12
 transport udp 2055
 source Vlan100
!
flow monitor NETFLOW-MONITOR
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 cache timeout inactive 15
 cache timeout active 60
!
You can try it in both directions on a layer-2 interface, but I think your problem is the incorrect Flow Record and Flow Exporter in the Flow Monitor.
interface range GigabitEthernet 0/1-52
 ip flow monitor NETFLOW-MONITOR input
 ip flow monitor NETFLOW-MONITOR output
!
Edit:
This is from Configuring Flexible NetFlow:
NetFlow is supported only on the network services module. Only one flow monitor per interface and per direction is supported by the network services module.
As I understand it, you need IOS 15.x, and at least the IP Base license with the Network Services Module for Flexible NetFlow.
You are trying to apply it to non-module ports, G0/1-48, which doesn't work, anyway. It should only work on G0/49-52, but I'm not sure you can use it on the 3560 at all. I saw a note generated from Cisco TAC saying that this only works on a 3750X:
The netflow module is only available in the 3750x's. You're out of luck.
Sent from Cisco Technical Support Android App
Best Answer
Source (healthy switch): A
Destination (unhealthy switch): B
On the A switch:
On the B switch:
Enter the Rommon (Hint: Ctrl + Brk)