Configuring a Cisco 3725 to allow remote access to 2950 switches behind it

I have a Cisco 3725 that is being used along with several 2950 switches. One of the Fast Ethernet ports on the 3725 is set up for subinterfaces. Each subinterface is configured for dot1q encapsulation for its respective VLAN, and an IP address from that pool is configured accordingly. I have omitted the ACLs and obscured the public static addresses in the part of the 3725's configuration below.

My problem is: how do I configure the 3725 to give me remote access to each of the four 2950 switches? I would like to be able to telnet to the public IP of the 3725 and reach the Cisco 2950s via another port number. Any suggestions on how I can configure it that way?

ip dhcp excluded-address 10.1.0.1 10.1.0.3
ip dhcp excluded-address 10.2.0.1 10.2.0.3
ip dhcp excluded-address 10.3.0.1 10.3.0.3
ip dhcp excluded-address 10.4.0.1 10.4.0.3
!
ip dhcp pool vlan-101
 network 10.1.0.0 255.255.0.0
 dns-server X.X.X.X X.X.X.X
 default-router 10.1.0.1 255.255.0.0
 lease 3
!
ip dhcp pool vlan-102
 network 10.2.0.0 255.255.0.0
 dns-server X.X.X.X X.X.X.X
 default-router 10.2.0.1 255.255.0.0
 lease 4
!
ip dhcp pool vlan-103
 network 10.3.0.0 255.255.0.0
 dns-server X.X.X.X X.X.X.X
 default-router 10.3.0.1 255.255.0.0
 lease 5
!
ip dhcp pool vlan-104
 network 10.4.0.0 255.255.0.0
 dns-server X.X.X.X X.X.X.X
 default-router 10.4.0.1 255.255.0.0
 lease 4
!
interface FastEthernet0/0
 ip address X.X.X.X 255.255.255.248
 ip access-group p2p in
 ip access-group p2p out
 ip nat outside
 no ip mroute-cache
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 ip access-group viral-stop in
 ip access-group viral-stop out
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.1
 encapsulation dot1Q 101
 ip address 10.1.0.1 255.255.0.0
 ip nat inside
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/1.2
 encapsulation dot1Q 102
 ip address 10.2.0.1 255.255.0.0
 ip nat inside
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/1.3
 encapsulation dot1Q 103
 ip address 10.3.0.1 255.255.0.0
 ip nat inside
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/1.4
 encapsulation dot1Q 104
 ip address 10.4.0.1 255.255.0.0
 ip nat inside
 no snmp trap link-status
 no cdp enable
!
interface GigabitEthernet1/0
 no ip address
 no ip mroute-cache
 negotiation auto
 no cdp enable
!
interface GigabitEthernet1/0.1
 encapsulation dot1Q 498
 no ip mroute-cache
 no snmp trap link-status
 no cdp enable
!
interface Vlan1
 no ip address
 no ip mroute-cache
 shutdown
!
interface Vlan101
 no ip address
!
ip default-gateway X.X.X.X
ip nat pool Station X.X.X.X X.X.X.X netmask 255.255.255.248
ip nat inside source list 5 pool Station overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X

Chad

I can only think of a couple ways, there may be more.

1) You can install a network management module in a 26xx or 36xx router. These cards come in 8-, 16-, and 32-port versions (NM32a, NM16, NM8); the special cable you'll need (CAB-OCTAL-Async=) connects to the console port of each switch. Then you'll be able to reverse telnet to the async port, connecting you to the console of the switch.


2) Another way is to assign an IP address to the default VLAN on each 2950 and then telnet from the 3750 to the 2950s.

Clawhammerer

The management for the switches is on VLAN 1. The best way would be to set up VLAN 1 on the router and switches and add a sub-interface for VLAN 1.

It is best not to use telnet; for security reasons, use SSH to talk to the router and from the router to the switches.

Look into using AAA for access control. It provides better control of authentication and access than just passwords. Plus, you can log access attempts.

Joel

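The VLAN 1 management path described in this reply, written out as an added IOS example (it is not configuration from this thread or from the original poster). It assumes a fifth subinterface FastEthernet0/1.5 carrying VLAN 1 as the native VLAN of the 2950 trunks, a management subnet 10.0.0.0/24 with the router at 10.0.0.1 and the first 2950 at 10.0.0.2, a local username standing in for a RADIUS/TACACS+ server, that the 2950 runs a crypto (k9) image, which SSH requires, and that 203.0.113.10 (a documentation-range placeholder) is the administrator's source address.

```cisco
! ---- 3725: VLAN 1 sub-interface, SSH only, AAA, logged logins ----
ip domain-name mgmt.example              ! required before generating the SSH host key
crypto key generate rsa modulus 2048
ip ssh version 2
!
aaa new-model
aaa authentication login default local   ! swap "local" for a RADIUS/TACACS+ group in production
aaa authorization exec default local
username netadmin privilege 15 secret REPLACE-WITH-STRONG-SECRET
login on-failure log                     ! record failed and successful VTY logins
login on-success log
!
interface FastEthernet0/1.5              ! assumed subinterface number
 description management VLAN 1 (native on the 2950 trunks)
 encapsulation dot1Q 1 native
 ip address 10.0.0.1 255.255.255.0
 no cdp enable
!
ip access-list standard ADMIN-HOSTS
 permit 203.0.113.10                     ! only this admin address may open a VTY session
 deny   any log
line vty 0 4
 access-class ADMIN-HOSTS in
 transport input ssh                     ! telnet is no longer accepted
 exec-timeout 10 0
!
! ---- 2950 (repeat per switch with 10.0.0.3, .4, .5) ----
hostname sw-vlan101
ip domain-name mgmt.example
crypto key generate rsa                  ! modulus as large as the platform allows
ip ssh version 2
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
 no shutdown
ip default-gateway 10.0.0.1
username netadmin privilege 15 secret REPLACE-WITH-STRONG-SECRET
access-list 10 permit 10.0.0.1           ! switches accept SSH only from the 3725
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! From the router, reach a switch (the hop this reply describes):
!   R3725# ssh -l netadmin 10.0.0.2
```

Reaching each switch by its own port on the router's public address would need a static NAT translation per switch; hopping through the router instead keeps the switches' management interfaces off the Internet entirely.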

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.