ACLs and VLAN interfaces
I am trying to understand the boundaries of a VLAN on a given switch. When a packet is passed from VLAN interface 1 to VLAN interface 2 on the same switch, and VLAN 2 has an inbound ACL denying this packet, would it get acted upon in this manner, or does the ACL only come into play if the packet enters a physical interface?
A packet coming into a device from one interface and going out another interface does not pass two 'inbound' ACLs. It can pass two ACLs but one will be inbound and one will be outbound.
The situation is no different when you are using logical interfaces like SVIs (L3 VLAN interfaces). In your case, if you have an ACL defined inbound on VLAN 1 on the distribution switch, then packets coming into VLAN 1 will be subject to inspection against the rules of this ACL. However, if there is no outbound ACL for VLAN 2, then packets leaving the distribution switch via VLAN 2 towards switch 2 will not be subject to any ACL.
The concept of inbound and outbound is the same in case of both physical interfaces or logical interfaces.
Similar Messages
-
EIGRP IPv6 and VLAN interfaces
We've found that we have to set static link local IPs when two routers might peer over multiple VLAN interfaces.
The issue is that the routers, 6500s with Sup720s, use the same autoconfigured link-local address on each VLAN interface. EIGRP IPv6 refuses to peer with the other router on multiple VLANs when the link-local addresses are the same.
Anyone else encounter this? Did we miss a config option that would force unique link locals on different VLANs interfaces?
Because of this issue, we've made it our best practice to configure static link-local addresses for all inter-router transits.
Hi Gary,
I had a setup with Sup720s on two 7600s and I am able to enable the neighborship without any issues. I didn't configure static link-local addresses, as below:
Ryanair#show ipv6 int vlan 500 | inc FE
IPv6 is enabled, link-local address is FE80::21C:B0FF:FEB5:6D00
Ryanair#sho ipv6 int vlan 501 | inc FE
IPv6 is enabled, link-local address is FE80::21C:B0FF:FEB5:6D00
Ryanair#show ipv6 eigrp nei
EIGRP-IPv6 neighbors for process 100
H   Address                     Interface   Hold   Uptime    SRTT   RTO    Q    Seq
                                            (sec)            (ms)          Cnt  Num
1   Link-local address:         Vl501       11     00:15:51  816    4896   0    13
    FE80::222:55FF:FE17:25C0
0   Link-local address:         Vl500       11     00:17:14  1      200    0    12
    FE80::222:55FF:FE17:25C0
Ryanair#
Can you let us know the version on both the devices?
Regards,
Nagendra -
ACL applied to Vlan interfaces
I have been working with access lists for a while now and I think I have a good knowledge of them. But the thing I'm still confused about is when you apply an ACL "in" and "out" to an SVI or VLAN virtual interface.
It seems like on these types of interfaces the directions change completely compared to the normal interfaces (Ethernet, serial, etc.). The logic is different and sometimes I find myself in trouble when I have to do some troubleshooting at work.
I've tried to find some information or manuals from Cisco about this specific issue but, unfortunately, I couldn't find anything clear.
Is there some method to quickly know when these ACLs should be applied in one direction or another?
Thanks for your time.
It's no different on an SVI: "in" means coming in from the network (user ports). "Out" means out towards the clients' network.
-
I am trying to apply an ACL on my VLAN interfaces that would allow the VLAN to initiate TCP traffic. When I apply it, I am unable to surf the web from the VLAN, but I can TFTP from the VLAN.
This is normal behavior. The first packet coming from the station on the VLAN would not be considered as established.
On the other hand, the established keyword could be configured on an outbound ACL applied to the same VLAN. This would only allow TCP traffic initiated from the VLAN to re-enter that same VLAN.
Hope this helps, -
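The rule the answers above describe (a routed packet meets the ingress SVI's inbound ACL and then the egress SVI's outbound ACL, never the egress SVI's inbound ACL) and the misplaced `established` keyword from the last thread, as an added, runnable Python model. This is example code written for this page, not Cisco code and not anything posted in the threads; the two-VLAN topology, the addresses and the ACL subset it parses are constructed assumptions. It also models the layer-2 case the 3750X multicast thread further down this page runs into: traffic that stays inside the source VLAN is bridged or flooded and never reaches an SVI ACL.

```python
"""Toy model of where an IOS router or multilayer switch applies ACLs.
Added example, not code from the original thread. A routed packet meets the
ingress SVI's inbound ACL and then the egress SVI's outbound ACL, never the
egress SVI's inbound ACL; traffic that stays inside a VLAN meets no SVI ACL.
ACL syntax is an assumed subset of IOS extended ACLs ('eq' = destination port)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                        # ip, tcp, udp or icmp
    dport: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()  # e.g. {"SYN"} or {"ACK"}

@dataclass
class ACE:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    established: bool = False

def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    # consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tok[i]
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # ipaddress understands an IOS wildcard as a hostmask after the slash
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(text: str) -> List[ACE]:
    """Parse lines like 'permit tcp any 10.0.0.0 0.0.0.255 eq 80 established'."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        dport, established = None, False
        while i < len(tok):
            if tok[i] == "eq":
                dport, i = int(tok[i + 1]), i + 2
            elif tok[i] == "established":
                established, i = True, i + 1
            elif tok[i] == "log":          # logging never changes the verdict
                i += 1
            else:
                raise ValueError(f"unsupported keyword in ACE: {line}")
        aces.append(ACE(tok[0], tok[1], src, dst, dport, established))
    return aces

def acl_verdict(aces: List[ACE], pkt: Packet) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in aces:
        if (ace.proto not in ("ip", pkt.proto) or src not in ace.src or dst not in ace.dst
                or (ace.dport is not None and ace.dport != pkt.dport)):
            continue
        # 'established' matches TCP with ACK or RST set, never a fresh SYN,
        # which is why it only makes sense on the return direction of a flow
        if ace.established and not (pkt.proto == "tcp" and pkt.tcp_flags & {"ACK", "RST"}):
            continue
        return ace.action
    return "deny"

@dataclass
class SVI:
    name: str
    network: ipaddress.IPv4Network
    acl_in: Optional[List[ACE]] = None   # None = no ACL applied = everything passes
    acl_out: Optional[List[ACE]] = None

def forward(svis: List[SVI], pkt: Packet) -> Tuple[str, List[str]]:
    """Return (outcome, trace) for a packet arriving from the VLAN that owns pkt.src."""
    def svi_for(ip: str) -> SVI:
        return next(s for s in svis if ipaddress.IPv4Address(ip) in s.network)
    ingress, dst = svi_for(pkt.src), ipaddress.IPv4Address(pkt.dst)
    if dst.is_multicast or dst in ingress.network:
        # same-VLAN unicast is bridged and multicast is flooded at layer 2 in
        # the source VLAN; an SVI ACL only ever sees the routed copy
        return "bridged", [f"{ingress.name}: layer-2 delivery, SVI ACLs not consulted"]
    egress, trace = svi_for(pkt.dst), []
    for svi, way, acl in ((ingress, "in", ingress.acl_in), (egress, "out", egress.acl_out)):
        verdict = "permit" if acl is None else acl_verdict(acl, pkt)
        trace.append(f"{svi.name} {way}: {verdict}")
        if verdict == "deny":
            return "dropped", trace
    return "forwarded", trace

def two_vlan_box(v1_in=None, v1_out=None, v2_in=None, v2_out=None) -> List[SVI]:
    """Constructed topology: Vlan1 = 10.10.10.0/24, Vlan2 = 10.10.20.0/24."""
    return [SVI("Vlan1", ipaddress.IPv4Network("10.10.10.0/24"), v1_in, v1_out),
            SVI("Vlan2", ipaddress.IPv4Network("10.10.20.0/24"), v2_in, v2_out)]

if __name__ == "__main__":
    syn = Packet("10.10.10.5", "10.10.20.8", "tcp", 80, frozenset({"SYN"}))
    estab = parse_acl("permit tcp any any established\ndeny ip any any")
    print(forward(two_vlan_box(v2_in=parse_acl("deny ip any any")), syn))  # forwarded
    print(forward(two_vlan_box(v1_in=estab), syn))                          # dropped
```

Run it directly to see the two traces: the deny on Vlan2's inbound side is simply not in the Vlan1-to-Vlan2 path, and `established` on the inbound side of the client VLAN drops the client's own SYN. The `bridged` outcome is the practical caveat: a router ACL on an SVI does not filter traffic that stays in the VLAN, so intra-VLAN unicast or flooded multicast has to be filtered with a VLAN access map or a port ACL on the switchports instead.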
The difference between an IEEE 802.1Q native VLAN sub-interface and a physical interface?
Hello
I think the following topologies are supported for Cisco routers.
And the physical interface can also be used as the native VLAN interface, right?
Topology 1.
R1 Gi0.1 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
R1 - configuration
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
ip address 10.0.0.1 255.255.255.0
Topology 2.
R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
interface GigabitEthernet0
ip address 10.0.0.1 255.255.255.0
And is it OK to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF?
R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3
Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4 (same VLAN-ID)
R1 - configuration
interface GigabitEthernet0
ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet8.20
encapsulation dot1Q 20
ip address 20.0.0.1 255.255.255.0
Any information is very much appreciated, but if there is a CCO document please let me know.
Thank you very much and regards,
Masanobu Hiyoshi
Hello,
The diagram is helpful.
If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
Best regards,
Peter -
Any advantages to setting the AP-Manager and Management interface to an untagged vlan?
Any advantages to setting the AP-Manager and Management interfaces to an untagged VLAN? Currently, our controllers have their management and AP-manager interfaces on the same untagged VLAN. Would it be wise to change this? Are there any gotchas I should be aware of?
Not really, there won't be a problem. Management and AP-manager can be on different VLANs.
The VLAN you choose to untag is the VLAN you should declare as native on the switch, that's it.
No advantage in having the interfaces configured one way or another.
Some people want the management to be in a "management" subnet and the ap-manager will be in the subnet with all the APs. Some others have several AP subnets so the ap-manager is in the same as management ... no importance whatsoever as long as the config is coherent.
The only thing that is worth considering is the size of AP subnet to me. If you give a /16 for APs and have 1000 APs in a single subnet, ARP and broadcast storms will be hitting the fan. But the vlan tag/untags that you chose are not important
Nicolas
-
Cisco SG 300-10 VLAN and IP Interface Question
Hello,
Please forgive me if you find my question too basic. But I would really appreciate an answer, as I am having a heck of a time getting the VLANs to work. I have several VLANs configured as follows, but my question is related to only two VLANs: VLAN 104 and VLAN 2000. The following are the screenshots. I have connected a cable from Port 6 of the switch to NIC2 of a Windows 8.1 PC. When I use GE6 as an access port for VLAN 104, I am able to ping NIC2 configured with static IP 10.10.30.30. However, when I use GE6 as a trunk port for VLAN 104 and 2000, I am not able to ping NIC2 configured with static IP 10.10.30.30 or static IP 10.10.110.30. I am using the ping utility from the GUI.
If there is a better way to test the trunk port, please let me know.
At this point, I am assuming that something is wrong with my configuration, as NIC2 is unable to receive an IP address.
The other assumption is that NICs with the Windows 8.1 OS do not accept traffic from tagged VLANs.
VLAN Table
VLAN ID   VLAN Name      Originators   VLAN Interface State   Link Status
1         Default        -             Enabled                Enabled
100       Management A   Static        Disabled               Enabled
101       Management B   Static        Disabled               Enabled
102       VXLAN A        Static        Disabled               Enabled
103       VXLAN B        Static        Disabled               Enabled
104       vMotion        Static        Enabled                Enabled
105       IP Storage     Static        Disabled               Enabled
106       HQ Uplink      Static        Disabled               Enabled
107       HQ Access      Static        Disabled               Enabled
1000      Test VLAN      Static        Disabled               Enabled
2000      Test2 VLAN     Static        Enabled                Enabled
Port VLAN Membership Table
Interface   Mode    Administrative VLANs                                   Operational VLANs
GE1         Trunk   1UP                                                    1UP
GE2         Trunk   1UP                                                    1UP
GE3         Trunk   1UP                                                    1UP
GE4         Trunk   1UP                                                    1UP
GE5         Trunk   1UP                                                    1UP
GE6         Trunk   1UP, 104T, 2000T                                       1UP, 104T, 2000T
GE7         Trunk   1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T    1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T
GE8         Trunk   1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T    1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T
GE9         Trunk   1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T    1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T
GE10        Trunk   1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T    1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T
IPv4 Interface Table
Interface   IP Address Type   IP Address      Mask             Status
VLAN 105    Static            10.10.20.1      255.255.255.0    Valid
VLAN 104    Static            10.10.30.1      255.255.255.0    Valid
VLAN 2000   Static            10.10.110.1     255.255.255.0    Valid
VLAN 1      Static            192.168.0.39    255.255.255.0    Valid
VLAN 1000   Static            192.168.1.1     255.255.255.0    Valid
VLAN 106    Static            192.168.100.1   255.255.255.0    Valid
VLAN 100    Static            192.168.110.1   255.255.255.0    Valid
VLAN 107    Static            192.168.130.1   255.255.255.0    Valid
VLAN 102    Static            192.168.150.1   255.255.255.0    Valid
VLAN 101    Static            192.168.210.1   255.255.255.0    Valid
VLAN 103    Static            192.168.250.1   255.255.255.0    Valid
Tom and Michal, your response is much appreciated. You are 100% right. The issue was with Windows recognizing the VLAN tags. I have tested trunking by using the vmxnet3 driver from VMware and it works.
I had another question where I could use your help too. I am not sure how to connect two Cisco SG300 switches, one in L3 mode and the second in L2 mode. I have configured GVRP on Port 5 of both switches and run a cable connecting Port 5 of each switch. I have made Port 5 of both switches trunk mode (1U, 1000T). I have created VLAN 1000 on both switches. On the L3 switch, I have added an IP interface (192.168.100.1) to VLAN 1000. My issue is that I am not able to access the management port (192.168.1.238) of the L2 switch. Note that the L2 switch has only one uplink, which is to the L3 switch. Since Port 5 also receives untagged traffic from VLAN 1 (192.168.1.1), I am assuming that it would receive the management network from VLAN 1. -
VLAN and physical interface of VLAN showing different utilizations
Puzzled???
Anyone know why the physical interface of the VLAN and the VLAN interface show different utilizations? For instance, the physical interface shows 60% utilization and the VLAN interface is double that.
Thanks in advance
Mike G.
As per my knowledge, subinterfaces are logical interfaces created on a hardware interface. These software-defined interfaces allow for segregation of traffic into separate logical channels on a single hardware interface, as well as allowing for better utilization of the available bandwidth on the physical interface.
http://www.cisco.com/univercd/cc/td/doc/product/software/iosxr3/int_c3/hc3vlan.htm -
Doubt with Dynamic Interfaces and VLANs
Hello.
I am trying to get wireless clients and APs to be on the same VLAN/subnet; right now it is working with the management interface on my WLC 5508. My problem comes up when I change them to a new dynamic interface.
Before any change:
VLAN: 8
Management Interface IP: 192.168.9.2/23
Gateway: 192.168.8.1
DHCP Server: 192.168.8.2
WLAN SSID linked to Managment interface: Ray123
APs on VLAN 8 and subnet static IP range 192.168.9.0/23
There is no dynamic interface.
After changes.
VLAN: 0
Management Interface: 192.168.6.2/23
Gateway: 192.168.6.1
DHCP Server: 192.168.6.2
Dynamic interface name: Wireless-1
VLAN: 8
Management Interface IP: 192.168.9.2/23
Gateway: 192.168.8.1
DHCP Server: 192.168.8.2
WLAN SSID linked to Dynamic interface: Ray123
APs still on VLAN 8 and subnet static IP range 192.168.9.0/23
After all this is done I can see all my APs via CDP neighbors, I can ping them and the management interface too, but the APs are not registered, and no clients either.
According to this guide:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml
Dynamic interfaces and APs should be on the same VLAN.
But this another guide states the opposite:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html
"Set the APs in a VLAN that is different from the dynamic interface configured on the Controller. If the APs are in the same VLAN as the dynamic interface, the APs are not registered on the Controller and the 'LWAPP discovery rejected' and 'Layer 3 discovery request not received on management VLAN' errors are logged on the Controller"
I can't understand why the VLANs for APs and dynamic interfaces should be different; it makes no sense to configure a VLAN intended for APs that shouldn't be on the same VLAN.
Please tell me what is wrong.
Thanks in advance.
You have to tell the APs where the WLC lives now, 192.168.6.2.
You can do this in the following ways:
Manually prime the APs
Option 43
DNS
ip forward udp 5246
Move the APs to the same VLAN as the management interface, let them join and then change the VLAN
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Problem with FWSM and L3 interface in same switch
I have two 6513s with an 802.1Q trunk connecting them. Each switch has redundant Sup720s running in native mode, IOS version 12.2(18)SXF (they were initially running SXD3). An FWSM (version 2.3(3), routed mode, single context) is in each switch, set up in failover mode.
I cannot get a PC, in a VLAN that has the layer 3 interface defined on the switch with the active FWSM in it, to communicate with devices "behind" the FWSM. If I move the layer 3 configuration for that VLAN to the other 6513, everything works fine.
The MSFCs are on the inside of the firewall, they have a layer 3 interface configured in the same vlan as the FWSM "inside" interface. Several "same security level" interfaces are defined on the FWSM and used to protect server farms. I am using OSPF on the MSFCs and FWSM and the routing table is correct.
The FWSM builds connections for attempts made by the PC with the layer 3 interface defined on the same switch as the active FWSM just fine, so this is not a FWSM ACL problem.
A ping of the FWSM "inside" interface from a PC with the layer 3 interface defined on the same switch as the active FWSM fails, even though debug icmp trace on the FWSM shows the request and the response. A packet capture, using the NAM-2, shows only the request packets. I have captured on the common vlan and the FWSM backplane port channel interface.
Just to add to the confusion, if I capture in the same places, but do the ping from a PC that is in a vlan with the layer 3 interface defined in the 6513 that does not contain the active FWSM, which works fine, I see the request and reply on the common vlan capture, but only the request on the port channel capture.
This problem has been there from the beginning of this implementation and has not changed with IOS and FWSM software upgrades. I have experienced this with any and all vlans that I tried to define the layer 3 interface for on the switch with the active FWSM. I have MLS turned on.
If anyone else has experienced this and solved it, or knows what is going on, I would appreciate any insight.
Thanks.
Keith
I will have to get set up to record more data, but I do know the FWSM showed a ping request and a ping reply at the "inside" interface.
I believe my problem is related to the IOS command "firewall multiple-vlan-interfaces", which I put in place to allow IPX traffic to be brought around the FWSM. The little documentation that there is for this command states that policy routing may need to be implemented to prevent IP packets from going around the firewall. I do not have any policy routing in place.
I also do not have any active layer 3 interfaces defined for any of the VLANs assigned to the firewall except the "inside" interface. So my reasoning was that I did not need to be concerned about IP packets having a way around the FWSM. My suspicion is that this command, and the fact that I have MLS on, is causing some type of problem which results in the packet being "lost" when it needs to go through the MSFC in the switch with the active FWSM to get to the PC. Hopefully that makes some sense.
Do you have any idea where better documentation on using "firewall multiple-vlan-interfaces" may be, or a better explanation of all that is happening inside the switch when that command is used?
Thanks. -
Cisco 871W - VLAN-Interface = 'Up/Down'
Hi,
I have configured our company's Cisco 871W per the suggested configs found on the Cisco web site; however, the VLAN1, VLAN10 and VLAN20 interfaces won't come up (they show up/down) and it's preventing communication. I guess I'm expecting this to behave like a multilayer switch/router (i.e. a 3560). Can anyone help me with this?
Here is the config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname xxxxxxxxxxxxx
boot-start-marker
boot-end-marker
enable secret xxx
enable password xxxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
resource policy
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp pool VLAN10
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name xxxxxxxxxxxxxxxx
lease 4
ip dhcp pool VLAN20
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
domain-name xxxxxxxxxxxx
lease 4
no ip domain lookup
ip domain name xxxxxxxxx
crypto pki trustpoint TP-self-signed-1485172728
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1485172728
revocation-check none
rsakeypair TP-self-signed-1485172728
crypto pki certificate chain TP-self-signed-1485172728
certificate self-signed 01
<--------some output omitted--------->
interface FastEthernet0
switchport access vlan 20
spanning-tree portfast
interface FastEthernet1
switchport access vlan 10
spanning-tree portfast
interface FastEthernet2
switchport access vlan 10
spanning-tree portfast
interface FastEthernet3
switchport access vlan 10
spanning-tree portfast
interface FastEthernet4
ip address 10.2.5.1 255.255.0.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Vlan1
no ip address
interface Vlan10
description Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan20
description Guest Network
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip access-list extended Guest-ACL
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
<--------------output omitted---------->
end
Sample device-specific configs would help.
We are not concerned with the wireless portion of the config at this point.
Any insight is appreciated.
Thanks!
Chris
News Corp.
You may be hitting a bug; check the details of this bug: CSCsc10989
-
I'm trying to configure a VLAN interface on my ME2600X (for in-band management), but the switch won't accept the command.
What am I missing? I need a way to combine layer-2 services and a management VLAN on the same dot1q trunk into the ME2600X.
Geir Jensen
Hello Geir,
You can use service instances e.g.:
interface GigabitEthernet0/3
switchport trunk allowed vlan none
switchport mode trunk
dampening
mtu 9100
load-interval 30
media-type rj45
service instance 5 ethernet
description Management VLAN
encapsulation dot1q 5
rewrite ingress tag pop 1 symmetric
bridge-domain 5
This will pop up the message:
Bridge-domain 5 created
VLAN 5 does not exist, creating vlan
interface Vlan5
description Management VLAN
ip address 10.0.0.1 255.255.255.0
ip access-group MNGT-ACL in
end
adam -
3750X - Dropped multicast traffic flooding on all switchport VLAN interfaces
Hello forum,
I have a problem with multicast source blocking. I have a switch with a VLAN interface (e.g. VLAN 20) and on that VLAN interface an extended ACL is present. That ACL blocks specific multicast groups. Furthermore, I have many switchport access interfaces in VLAN 20 with different sources connected.
If one source starts streaming to a multicast destination IP blocked by the ACL, the dropped traffic is flooded on all switchports in the source's VLAN.
IGMP snooping on this VLAN is enabled, but it seems that the dropped traffic stays in the L2 VLAN regardless.
Device used: C3750X
IOS: 15.0(2)SE5
Thank you for help
Hi Michal,
thanks for your reply!
Yes, probably I've captured all lines of the access list... but I have to change my approach because my access list is an extended "named" access list and, in another post, I've read that "named" access lists cannot be debugged...
Now I've deleted all access-list entries that refer to VLAN 2 and I've created a new "numbered" one:
ip access-list extended 100
 10 permit ip 172.16.2.0 0.0.0.15 any log
In this mode the debug shows only access-list 100 traffic + bcast + mcast.
But the strange thing is another one now...
I've bought a multifunction printer that sends scanned documents to an email account; the printer hasn't got an internal SMTP server, it makes a connection to HP servers that forward the scans to the real destination address...
I was curious to find out how this connection works because my private/confidential documents are sent over the internet and I would hope that HP uses a secure connection from my printer to its server...
Well, if I add the "log" keyword at the end of the access list, or I enable access-list debugging, the printer stops communicating with the HP services/servers... if I turn off debug or rewrite the access list without the "log" feature, incredibly the printer starts communicating with HP again...
Have you any idea that explains that? I'm going crazy... -
Hello !!
We have a Switch Catalyst 3550 - 12G
IOS : Version 12.2(25)SEA
I need to implement ACL security on VLANs. But it didn't work.
VLAN 11 Definition :
interface Vlan11
description VLAN - RED WAN
ip address 192.168.21.1 255.255.255.0
Interface association (g0/7) with VLAN 11 and extended ACL (ip1):
interface GigabitEthernet0/7
switchport access vlan 11
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11
switchport mode dynamic desirable
ip access-group ip1 in
ACL definition :
ip access-list extended ip1
permit ip 192.168.70.0 0.0.0.255 any
deny ip any any
This configuration must allow IP communication between 192.168.70.0/24 and 192.168.21.0/24. However, it doesn't work.
Inter-VLAN communication is OK.
Any suggestions?
... Switch config attached.
Tks.
John Nanez E.
Try putting it on the SVI for VLAN 11 (interface vlan 11). I don't think you can put it on an individual interface and have it work. Also, the way you wrote it, you'll have to apply it as "out" on the VLAN, because you are permitting an address from another network to the VLAN 11 address space, thus it would have to block the traffic "out" to the devices on VLAN 11.
-
MSFC - cannot ping vlan interface
Hi,
We have several VLANs defined on the MSFC. On the MSFC we could ping all the VLAN interfaces except one VLAN. The interface is up, and just recently we weren't able to ping it. Any help is much appreciated.
TIA.
PF
Hi PF,
AFAIK, when you are pinging a particular interface sitting on the MSFC, the source IP would be that of any other available interface. If you are pinging VLAN 110 it will take the source IP of any other available VLAN interface and the destination is VLAN 110, but the ACL defined on the interface does not have any ACE for that, so the packets will be dropped.
Removing the ACL worked as explained above.
regards,
-amit singh