Block Traffic under two VLAN's : Unidirectional OR Bidirectional ???

Similar Messages

• Which is the correct way to filter/block traffic between vlans?

    Hi all. My question is: Which is the correct way to filter/block traffic between vlans?
  i have a more than 15 vlans. I want to block traffic between them except 2 vlans.
  source vlan 3 deny destination vlan 4
  #access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
  and the oposite:
  #access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
  I have to do this for all VLANs, ono by one. Is that right?
  Thanks.

  There are a couple of ways to achieve that. I assume that you have a Layer3-Switch. There I would configure one ACL per vlan-interface and allow/deny the traffic as you want. Sadly, the Switches don't support object-groups yet, so you have to use the IP-networks here. Only allow/deny traffic based on networks or hosts. Don't even try to be very granular with permit/denys based on ports. Because the switch-ACLs are not statefull you'll run into problems for the return-traffic if you woulf do that. And the return-traffic of course has to be allowed also.
  Another way: with the help of 802.1x you can deploy port-based ACLs for every user. That takes some time for planning, but is one of the most powerful solutions.
  For more control you could remove the L3-interface from your L3-switch and move that to your router or firewall. These devices support stateful filtering and you can control your traffic much tighter tehn with ACLs on the switch.
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Can't get traffic flowing between VLANs on an ASA 5505

  I've got an ASA 5505 with the Security Plus license that I'm trying to configure.
  So far I have setup NATing on two VLANs, one called 16jda (VLAN 16 - 10.16.2.0/24) and one called 16jdc (VLAN 11 - 10.105.11.0/24).
  From each subnet I am able to connect to the internet, but I need these subnets to also be able to talk to each other.
  I have each VLAN interface at security level 100 and enabled "same-security-traffic permit inter-interface", and I have setup static NAT mappings between the two subnets, but they still can't communicate.
  When I try to ping there is no reply and the only log message is:
  6     Aug 21 2012     09:00:54     302020     10.16.2.10     23336     10.105.11.6     0     Built inbound ICMP connection for faddr 10.16.2.10/23336 gaddr 10.105.11.6/0 laddr 10.105.11.6/0
  I have attached a copy of the router config.

  Hi Bro
  I know your problem and I know exactly how to solve it too. You could refer to https://supportforums.cisco.com/message/3714412#3714412 for further details.
  Moving forward, this is what you’re gonna paste in your FW. This should work like a charm.
  access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.105.11.0 255.255.255.0
  access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.16.2.0 255.255.255.0
  access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.1.0 255.255.255.0
  access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.11.0 255.255.255.0
  access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.105.1.0 255.255.255.0
  access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.16.2.0 255.255.255.0
  nat (inside) 0 access-list from-inside
  nat (16jdc) 0 access-list from-16jdc
  nat (16jda) 0 access-list from-16jda
  clear xlate
  nat (inside) 1 10.105.1.0 255.255.255.0 <-- You forgot this!!
  Basically, when inside wants to communicate with the other interfaces bearing security-level 100 e.g. 16jda or 16jdc or vice-versa, you’ll need to enable “NAT Exemption” i.e. nat (nameif) 0 . I know you have already enabled the same-security permit inter-interface command, but this command becomes useless once you’ve enable dynamic nat on one of those interfaces. It’s as if the same-security traffic command wasn't even entered in the first place. Hence, the Cisco ASA is behaving as expected as per Cisco's documentation. For further details on this, you could refer to the URLs below;
  https://supportforums.cisco.com/thread/223898
  http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530
       

• How can i use IDSM-2 in inline mode for more than two VLANs?

  can i use the IDSM-2 in inline mode to be ips to more than two VLANS
  like this or it isn't
  intrusion-detection module 5 data port 1 access-vlan 10,20,30,40,50
  intrusion-detection module 5 data port 1 access-vlan 100,200
  thank u all for your help

  The IDSM-2 ports need to be configured as trunk ports with multiple vlans rather than as access ports.
  http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517eb.html#wp1068377
  And instead of creating an inline interface pair by pairing Gig0/7 with Gig0/8 within the IDSM-2 configuration, you would create inline vlan pairs.
  With an inline vlan pair you pair 2 vlans on the same interface.
  You can have up to 255 inline vlan pairs on each interface (assumining you keep the total traffic from all of the pairs within the IDSM-2s performance limit of around 500Mbps)
  How to create inline vlan pairs:
  http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517bb.html#wp1047852
  The other aspect you need to be aware of is that not all IOS versions will support configuring the IDSM-2 data ports as trunk ports for inline vlan pairs.
  Your best bet is to use 12.2(18)SXF4 or a later version on the 12.2(18)SXF train.
  The 12.2(33)SR train does not currently support the trunk feature for the IDSM-2.

• L4 traffic monitor - blocking traffic ?

  Hello
  How does L4 traffic monitor is blocking traffic if T1/T2 ports are "tap/sniffed ports" ?
  For SPAN we might have "ingress vlan feature" which would allow us to send TCP RST (like IPS does),
  but for hardware TAP we do not have such a feature.
  So - maybe L4 traffic monitor can not block any traffic, just make a decision what to block and execution is on WebProxy and P1/2 ports ?
  Thanks

  Michael,
  Yes, the reset is sent via P1
  Ken
  Sent from Cisco Technical Support iPad App

• Two VLANs on same Switch with NAT problem.

  Hello all.
  I have few cisco devices at home that i am using to study from. I am using for now on this little setup a 2620XM and a 3500XL Switch. I have two vlans setup on the switch VLan10 and VLan20 using router on a stick. I have setup the inside and outside interfaces. I have the fa1/0 as my outside with a dhcp address of 192.168.1.10. I have also setup my internet router to see networks 172.20.0.0/24 and 172.20.1.0/24. I am able to ping back and forth from 192.168.1.0/24 to both networks. The issue comes when i try to apply NAT. I have tried two different setups and both have failed. I have two ping windows open on my PC on the 192.168.1.0/24 side both hitting vlan 10 and 20. Once i applied either Nat solution i lose ping on one vlan while still pinging the other, but both vlans can't go out to the internet. Below is the NAT solutions i have tried below. Also running config for both router and switch. If anybody can i assist i would really appreciate it.
  NAT Solution 1
  ip nat pool INET 192.168.1.10 192.168.1.10 netmask 255.255.255.0
  ip nat inside source list 1 pool INET overload
  access-list 1 permit any
  NAT Solution 2
  ip nat inside source list 100 interface fa1/0 overload
  access-list 100 permit ip any any
  Router config
  R1#sh run
  Building configuration...
  Current configuration : 1470 bytes
  version 12.3
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname R1
  boot-start-marker
  boot-end-marker
  enable secret
  no aaa new-model
  ip subnet-zero
  ip cef
  interface FastEthernet0/0
   no ip address
   duplex auto
   speed auto
  interface FastEthernet0/0.5
   encapsulation dot1Q 5 native
   ip address 172.16.1.6 255.255.255.248
  interface FastEthernet0/0.10
   encapsulation dot1Q 10
   ip address 172.20.0.254 255.255.255.0
   ip nat inside
  interface FastEthernet0/0.20
   encapsulation dot1Q 20
   ip address 172.20.1.254 255.255.255.0
   ip nat inside
  interface Serial0/0
   no ip address
   shutdown
  interface Serial0/1
   no ip address
   shutdown
  interface Serial0/2
   no ip address
   shutdown
  interface Serial0/3
   no ip address
   shutdown
  interface FastEthernet1/0
   ip address dhcp
   ip nat outside
   duplex auto
   speed auto
   no cdp enable
  router ospf 1
   log-adjacency-changes
   network 172.16.1.0 0.0.0.7 area 0
   network 172.20.0.0 0.0.0.255 area 0
   network 172.20.1.0 0.0.0.255 area 0
   network 192.168.1.0 0.0.0.255 area 0
  no ip http server
  ip classless
  line con 0
   exec-timeout 0 0
   password
   logging synchronous
   login
  line aux 0
  line vty 0 4
   exec-timeout 0 0
   password
   logging synchronous
   login
  line vty 5 181
   exec-timeout 0 0
   password
   logging synchronous
   login
  end
  Switch Config
  SW1#sh run
  Building configuration...
  Current configuration:
  version 12.0
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname SW1
  ip subnet-zero
  interface FastEthernet0/1
   switchport trunk encapsulation dot1q
   switchport trunk native vlan 5
   switchport trunk allowed vlan 1,5,10,20,1002-1005
   switchport mode trunk
  interface FastEthernet0/2
  interface FastEthernet0/3
  interface FastEthernet0/4
   switchport access vlan 10
  interface FastEthernet0/5
   switchport access vlan 10
  interface FastEthernet0/6
   switchport access vlan 10
  interface FastEthernet0/7
   switchport access vlan 10
  interface FastEthernet0/8
   switchport access vlan 10
  interface FastEthernet0/9
   switchport access vlan 10
  interface FastEthernet0/10
   switchport access vlan 10
  interface FastEthernet0/11
   switchport access vlan 10
  interface FastEthernet0/12
   switchport access vlan 20
  interface FastEthernet0/13
   switchport access vlan 20
  interface FastEthernet0/14
   switchport access vlan 20
  interface FastEthernet0/15
   switchport access vlan 20
  interface FastEthernet0/16
   switchport access vlan 20
  interface FastEthernet0/17
   switchport access vlan 20
  interface FastEthernet0/18
   switchport access vlan 20
  interface FastEthernet0/19
   switchport access vlan 20
  interface FastEthernet0/20
   switchport access vlan 20
  interface FastEthernet0/21
   switchport access vlan 20
  interface FastEthernet0/22
   switchport access vlan 20
  interface FastEthernet0/23
   shutdown
   switchport trunk encapsulation dot1q
   switchport mode trunk
  interface FastEthernet0/24
   shutdown
   switchport trunk encapsulation dot1q
   switchport mode trunk
  interface GigabitEthernet0/1
  interface GigabitEthernet0/2
  interface VLAN1
   no ip address
   no ip directed-broadcast
   no ip route-cache
   shutdown
  interface VLAN5
   ip address 172.16.1.1 255.255.255.248
   no ip directed-broadcast
   no ip route-cache
  ip default-gateway 172.16.1.6
  line con 0
   transport input none
   stopbits 1
  line vty 0 4
   login
  line vty 5 15
   login
  end

  You need to change your acl because NAT doesn't usually work with "any" as the source.
  I tend to use extended acls so -
  access-list 101 permit 172.20.0.0 255.255.255.0 any
  access-list 101 permit 172.20.1.0 255.255.255.0 any
  and then use your second solution ie. overload on the interface.
  If you find you cannot ping between your vlans then you need to modify the above acl to deny traffic between the vlans/IP subnets then permit any as above but it should work without doing that.
  Jon

• Multiple subnets under one vlan

  Hi everyone,
  Is there any way to create multiple subnets under one VLAN ? Right now, I am using VLAN 110 and it's IP is 172.16.0.1/16.
  We have three types of devices on this VLAN.I want to create 3 or 4 subnets for those devices under this VLAN for reducing the traffic or broadcast ?
  Please advise me.....
  Thanks in advance

  Mohammed,
  As long as you have a single VLAN only, you will not reduce the amount of broadcasts in this VLAN by using several IP networks. Even if the stations are in different IP networks within a single VLAN, every broadcast will be sent across the entire VLAN to all stations, regardless of their configured IP address. Broadcasting is a matter of Data Link Layer, or Layer2, and if you keep a single Layer2 domain (the VLAN), you will keep a single, merged, large broadcast domain.
  Just to answer your question, you could assign multiple addresses to an interface in a single network/VLAN by using secondary IP addresses, for example:
  interface Vlan110
  ip address 172.16.0.1 255.255.0.0
  ip address 192.168.1.1 255.255.255.0 secondary
  ip address 10.20.30.1 255.255.255.0 secondary
  However, as I explained, this will only allow you to "stretch" multiple IP networks over a single broadcast domain so there is no saving in terms of broadcasts or traffic reduction. For that, you must resort to multiple VLANs.
  Best regards,
  Peter

• 340 bridge traffic between two non root bridges

  I have a deployent with a 340 series bridge acting as root bridge and two 340 bridges acting as non-root remotes. The hosts hanging off the non-root bridges can communicate with the hosts hanging off the root bridge but i cannot get communication to work between hosts on the two non-root bridges. Is there some sort of split horizon type setting I need to configure on the root-bridge to allow traffic back out the radio interface.

  There isn't anything in the bridges that would block traffic between the two sites. Is this one large subnet, or are there two subnets? If there are two, how are you routing between the two?
  Can one non-root bridge ping the other non-root?

• Block client MAC on VLAN

  Hi,
  I have a WLC 4402 configured with two VLANs (Company and GuestNet).
  Now I need to block a client on the GuestNet VLAN only using its MAC address.
  The access to the company WLAN should still be permitted.
  What is the easiest way to configure this?
  Thanks in advance!
  Best regards,
  Chris

  Agreed... you can create an ACL to block a MAC on the switch level, but not on the WLC.  I'm guessing you are doing either open access to the guest or web pass-through.  Using these type of guest access can't prevent any other users to access your guest net.  Maybe you should look at doing Web-Auth, unless you are doing this now and you have one person who has access.... but then again, you can always change the username/password.

• After Enabling trunking and two VLANs on switchports - clients don't receive IP Addresses

  Hello all and thanks for your help and expertise.  Here's my scenario:  
  I have approximately 35 Ruckus APs in a building which has multiple VLANs.   The switches are Cisco 3560G.  I want to segment the wireless traffic onto a dedicated wireless VLAN (218).  I created two scopes in DHCP to service the APs and wireless clients. The APs should get their IP addresses on VLAN 1 (VLAN 1 scope in dhcp.)   The clients should get their IP addresses on VLAN 218 (VLAN 218 scope in dhcp).  I utilized the following commands to accomplish this goal, unsuccessfully.
  Example:  on port gi0/5
  1 - switchport trunk encapsulation dot1q
  2 - switchport mode trunk
  3 - switchport mode access
  4 - switchport trunk allowed vlan 1,218
  Problems:  1) The APs are not getting an IP address on the default or native VLAN 1 unless I configure an IP Helper.  Please note we have another building where a consultant set this configuration up (and it works) but I don't see an IP helper set when I check the config for VLAN 1.  
  2) The wireless clients do not get an IP address on VLAN 218, even if I set an IP helper address.  In the other building - there is an IP helper set on VLAN 218 so I'm not sure what I missing or if something else is configured.  
  I would greatly, greatly appreciate if someone could tell me what I'm missing here.  Is there something else I have to do to ensure clients on vlan 1 and 218 are able to obtain dhcp addresses in the config of the switch?  Do I have to further configure vlan 1 or 218?  I'm enabling the correct encapsulation, trunking the ports, and setting the vlans.  What am I missing here relative to APs and clients getting dhcp addresses.  Anyway your help is much apprecaited.

  You need vlan 218 on all switches and allowed on all trunks that need to pass traffic for that vlan.
  You don't have to add it explicitly to STP as it should be run anyway but if you manually set STP priorities for other vlans you should probably do if for this vlan as well.
  Shouldn't stop it working though.
  If you manually assign a vlan 218 IP to a client can it ping the SVI IP ie. it's default gateway and if so can it ping devices in other vlans ?
  Jon

• SG300-20 behind firewall with two vlans

  Hello,
  i have the following network running: see attachment. The switch has two VLANs, one for the 10. network, the other should be for the 192. network. Now i want to access 10.0.1.11 from 192.168.178.1 but i get blocked by the firewall. The switch is now in the 192.network, but i want to connect the 10.* ports directly to the router. I am grateful for every hint.
  Best regards,
  Rome

  I would recommend adding a 2nd vlan interface to your firewall, and enable inter vlan routing on the firewall.
  It would be good to set a different network segment between the router and firewall,
  It would look something like this.
  router --> firewall vlan1 -->switch vlan1 -->192.168.178.x clients
                  firewall vlan10 -->switch vlan 10 --> 10.0.1.x clients
  You don't say what the router or firewall models are, or the subnet masks...
  The default gateways for the clients would point to the firewall, and it would do intervlan routing.
  Or:
  You can do intervlan routing on the switch.
  set the switch in layer3 mode (this will factory reset the switch).  Set up the 2 client vlans, including dhcp with default gateways for the clients pointing to the switch.
  select a different network segment for the firewall to switch connection (say 192.168.180.x)
  add a route, rules, and nat statements in the firewall for both networks 192.168.178 and 10.0.1.x.
  add a default route in the switch pointing to the firewall.
  that would look something like
  router - firewall -(192.168.180.x) - switch  - vlan 10.0.1.x
                                                               \- vlan 192.168.178
  This would put the inter vlan routing load on the switch instead of the firewall.
  you can also call in to the small business TAC and request assistance 866-606-1866 in US and Canada.  These devices come with 1 year free tech support.
  Hope this helps,
  Dan

• SA520 two VLAN

  Hi
  i make two VLAN's on Cisco SA520W ( Firmware  2.1.71 )
  a) 192.168.0.x
  b) 192.168.2.x
  in network  configuration -> Available VLANs ->  " Inter VLAN Routing Enable " check box ( enable )  on both VLAN's
  and in
  network  configuration > Port VLANs -> all 4 inside ports make : mode trunk , and VLAN Membership both vlan's
  But i don't have traffic between vlan's
  Can  anybody help ??
  Valts

  Valts,
  Tom is correct, the SA520 has four ports on the inside, two will need to be access ports only. One in each VLAN with either PCs or Switches on each of the ports for each subnet. Otherwise all inside ports are Trunk ports and any computer plugged directly into any of the four "Trunkports" on the SA520 will not forward traffic to the SA.
  To test you'll need to place one port in Access Mode assigned to each VLAN then plug your PCs one into each port making sure the network cards are assigned IP addresses correctly or by letting DHCP assign them if you have it configured on each VLAN subnet.
  Once done this way each PC should be able to ping the other thru the SA520 and Ping each interface assigned to the SA520. Which makes me wonder you did assign the SA520 an IP address on each VLAN subnet?
  Hope this helps,
  Jon

• I have two separate itune accounts under two different email accounts and would like to combine them under one account.  Is this possible and if so, how do I do it?

  I have two separate itune accounts under two different email accounts and would like to combine them under one account.  Is this possible and if so, how do I do it?

  If you go to Settings > iTunes & AppStore , you can sign out from your account, and sign in with the one you've used to purchase apps.This will not remove any apps you already have on it.
  Then you can go to AppStore and download apps you've purchased (either via "Purchased" button in "Updates", or simply search for them and download them.
  That way you can have multiple accounts' apps on your iPad. When updating, you will be prompted for the credentials for account you've purchased given App with.

• I have iTune accounts under two separate Apple IDs.  Can I merge them into one account under one ID?

  I have iTune accounts under two separate Apple IDs.  Can I merge them into one account under one ID?  I have purchased music and video in both.

  No, it is not possible to merge accounts.  Choose one as the primary account and keep a local backup of all purchases so you don't get into the mess where you encounter a 90 day freeze on re-downloading past purchases from multiple accounts.

• Is there an issue with the hitachi hard drives in the MacBook Pro's ?  Got a 15 inch and a 13 inch at the same time and both drives have failed in under two years. I have heard from a few other people with same issue.

  Is there an issue with the hitachi hard drives in the MacBook Pro's ?  Got a 15 inch and a 13 inch at the same time and both drives have failed in under two years. I have heard from a few other people with same issue. Other drive I have had have lasted at least 5 or more years.

  there is a dylib you can put in the springboard if jailbroken but if not you have to find an apple store