Blocking host in same VLAN
Is it possible to block access from one host to another host (in one direction only), both in the same VLAN?
I read about ACL blocking using MAC ID and tried it too, but could not succeed.
The switch used is a 6509.
Rajesh
Take a look at this config guide:
<http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a0080403fec.html#wp1177176>
hth,
Ajaz Nawaz
Similar Messages
-
Policy based routing to host in same vlan/subnet
Hello, I have a Nexus 7k on which I have policy based routing set up as follows for 2 VLANs, 802 and 803, to set the default route out to a host in VLAN 802. I have applied my policy to the VLANs and everything works fine for a host in VLAN 803; it routes over and out properly. However, when I'm in VLAN 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1. I can see the PBR statistics incrementing, indicating that I am initially hitting the policy, but I'm not sure where my traffic goes after that. I can talk to .237 directly in the VLAN, but I would like this to work through PBR to utilize all of my other routes and the default gateway.
vlan 802
172.21.1.1/24
ip policy route-map West
vlan 803
172.21.17.1/24
ip policy route-map West
route-map West permit 10
match vlan 802-803
set ip default next-hop 172.21.1.237
I'm thinking there is some kind of hairpinning problem or maybe I'm creating some kind of blackhole.
Any help is appreciated.
Thanks, Scott
If the destination IP is in the same subnet as the source IP then it won't be routed; it will be L2 switched, so it would never use the default gateway, i.e.
src IP 172.21.1.10 255.255.255.0
dst IP 172.21.1.237 255.255.255.0
src compares its own IP with its subnet mask and sees it is on the 172.21.1.x network. src then compares the destination IP with its own subnet mask and sees it is also on the 172.21.1.x network, so it simply ARPs out for that address and when it gets the MAC address it sends it direct to the destination. It would only use the default gateway if the destination IP was on a different network.
So I don't see how you will be able to do this, and I'm not sure why you are seeing hits in your PBR ACL for the host in the 172.21.1.x network.
Edit - what exactly do you mean when you say -
However when im in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1.
How are you doing this, i.e. pointing it to the default gateway? Because, as I say, it should always be able to communicate with 172.21.1.237 as it is in the same subnet.
Jon -
Nexus 1000v: Control VLAN must be same VLAN as ESX hosts?
Hello,
I'm trying to install Nexus 1000v and came across the prerequisite below.
The release notes for Nexus 1000v state:
VMware and Host Prerequisites
The VSM VM control interface must be on the same Layer 2 VLAN as the ESX 4.0 host that it manages. If you configure Layer 3, then you do not have this restriction. In each case however, the two VSMs must run in the same IP subnet.
What I'm trying to do is to create 2 VLANs - one for management and the other for control & Data (as per latest deployment guide, we can put control & data in the same vlan).
However, I wanted to have all ESX host management same VLAN as the VSM management as well as the vCenter Management. Essentially, creating a management network.
However, from the above "VMware and Host Prerequisites", does this mean I cannot do this?
I need to have the ESX host management same VLAN as the control VLAN?
This means that my ESX host will reside in a different VLAN than my management subnet?
Thanks...
The control VLAN is a totally separate VLAN from your System Console. The VLAN just needs to be available to the ESX host through the upstream physical switch, and then make sure the VLAN is passed on the uplink port-profile that you assign the ESX host to.
We only need an interface on the ESX host if you decide to use L3 control. In that instance you would create or use an existing VMK interface on the ESX host. -
[ACE] Real servers and VIP in the same VLAN
Hello.
I'm facing an issue because the real servers and the VIP address are in the same VLAN: when a request comes from an external client to the VIP (crossing an ASA firewall), the ACK gets back using the IP of one of the real servers instead of the VIP, so this traffic is blocked by our WAN firewall, probably due to the inspection rules.
My question is whether there is some way to make the VIP the address that ACKs those requests. Creating a new VLAN would be complicated because there are other services already running on those real servers.
Thanks a lot,
Miquel
Hi Miquel,
Please do source NAT on ACE so that return traffic gets sent to ACE and not the FW. Pasting an example for you.
==========================================================================
One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
==========================================================================
login timeout 0
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
ip address 192.168.1.11
inservice
rserver host SERVER_02
ip address 192.168.1.12
inservice
rserver host SERVER_03
ip address 192.168.1.13
inservice
serverfarm host REAL_SERVERS
rserver SERVER_01
inservice
rserver SERVER_02
inservice
rserver SERVER_03
inservice
class-map match-all VIP-30
2 match virtual-address 192.168.1.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match SLB_LOGIC
class class-default
serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
class VIP-30
loadbalance vip inservice
loadbalance policy SLB_LOGIC
loadbalance vip icmp-reply active
nat dynamic 1 vlan 451
interface vlan 451
description Servers vlan
ip address 192.168.1.2 255.255.255.0
access-group input ANYONE
service-policy input CLIENT_VIPS
nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Let me know if you have any question.
Regards,
Kanwal -
I need to block all traffic from host to host that are on the same VLAN. But continue to reach the outside world. I am using a 2921 router. What do I need to do to achieve this?
Cisco ACLs won't help in this case. Traffic between hosts on the same VLAN is controlled entirely from the switches and APs. The routers don't ever see that, so they can't control it.
The APs from just about any vendor will be able to do client isolation, so keeping the wireless clients from talking to each other shouldn't be difficult. Wired clients are another story and will depend on the capabilities provided by the switches. If they have an equivalent to Cisco's "switchport protected" functionality, you should be able to use that. -
Need to configure different SSIDs on same VLAN on 1142
We're having a problem with interference in the B/G range due to the large number of access points owned by other companies in a fairly small area. The various laptops keep deauthenticating, which is causing problems with applications. I'd like to configure two SSIDs on the same VLAN but have them broadcast on different frequencies. The AP complained about the configuration when I added the Company5.8 SSID below, stating another SSID can't be added to a VLAN, but it shows in the configuration. Does anyone have a suggestion as to what I can try? Thanks
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 3 mode ciphers aes-ccm
ssid Moleculera Labs
ssid Moleculera Labs-guest
antenna gain 0
mbssid
channel least-congested 2412 2437 2462
station-role root
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 3 mode ciphers aes-ccm
ssid Moleculera Labs
ssid Moleculera Labs-guest
antenna gain 0
dfs band 3 block
mbssid
channel dfs
station-role root
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
Amjad, if I delete "encryption mode ciphers aes-ccm" what kind of encryption will the AP use?
Mohanak, I'm using the same encryption settings with VLANs
Here is the more complete configuration:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname COMPANY-AP
no logging console
enable secret 5 *
no aaa new-model
no ip domain lookup
ip domain name COMPANY.local
dot11 syslog
dot11 ssid COMPANY-2.4
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 *
dot11 ssid COMPANY-5.8
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 *
dot11 ssid COMPANY-guest
vlan 3
authentication open
authentication key-management wpa
guest-mode
mbssid guest-mode
wpa-psk ascii 7 *
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 3 mode ciphers aes-ccm
ssid COMPANY-2.4
ssid COMPANY-guest
antenna gain 0
mbssid
station-role root
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 3 mode ciphers aes-ccm
ssid COMPANY-2.4 (Want this to be COMPANY-5.8)
ssid COMPANY-guest
antenna gain 0
dfs band 3 block
mbssid
channel dfs
station-role root
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
interface BVI1
ip address 192.168.67.3 255.255.255.0
no ip route-cache
ip default-gateway 192.168.67.1
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
exec-timeout 30 0
password 7 *
login local
end
COMPANY-AP# -
I configured ACE30-MOD-K9 in bridge mode and I configured a server farm with its real servers. The traffic passes and is balanced correctly between all RSERVERs. But I cannot contact a server that is on the same VLAN as the serverfarm but doesn't belong to this serverfarm.
I thought that the traffic directed to this "spare" server shouldn't be balanced, but the bridge should permit the traffic to pass (transparent mode). Is that correct?
What does ACE in bridge mode do with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
With respect to the following configuration, 10.10.10.168 isn't reachable.
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
probe http HTTP_PROBE1
expect status 200 200
rserver host RS_WEB1
ip address 10.10.10.163
inservice
rserver host RS_WEB2
ip address 10.10.10.164
inservice
rserver host RS_WEB3
ip address 10.10.10.165
inservice
rserver host RS_WEB4
ip address 10.10.10.167
inservice
serverfarm host SF_FIREGROUP
rserver RS_WEB1
inservice
rserver RS_WEB2
inservice
rserver RS_WEB3
inservice
rserver RS_WEB4
inservice
sticky ip-netmask 255.255.255.255 address source sticky-ip
replicate sticky
serverfarm SF_FIREGROUP
sticky http-cookie myCookie sticky-cookie
cookie insert browser-expire
serverfarm SF_FIREGROUP
class-map match-any VS_FIREGROUP
2 match virtual-address 10.10.10.169 tcp eq www
4 match virtual-address 10.10.10.169 tcp eq 8081
5 match virtual-address 10.10.10.169 tcp eq 8082
6 match virtual-address 10.10.10.169 tcp eq 8083
7 match virtual-address 10.10.10.169 tcp eq 8084
8 match virtual-address 10.10.10.169 tcp eq 8085
9 match virtual-address 10.10.10.169 tcp eq 8097
class-map match-any VS_FIREGROUP_HTTPS
2 match virtual-address 10.10.10.169 tcp eq https
policy-map type loadbalance first-match HTTP
class class-default
sticky-serverfarm sticky-cookie
policy-map type loadbalance first-match HTTPS
class class-default
sticky-serverfarm sticky-ip
policy-map multi-match HTTP_HTTPS_MULTI_MATCH
class VS_FIREGROUP
loadbalance vip inservice
loadbalance policy HTTP
loadbalance vip advertise active
class VS_FIREGROUP_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS
loadbalance vip advertise active
interface vlan 4
bridge-group 1
access-group input INBOUND
service-policy input HTTP_HTTPS_MULTI_MATCH
no shutdown
interface vlan 700
bridge-group 1
access-group input INBOUND
no shutdown
interface bvi 1
ip address 10.10.10.150 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.1
Thanks a lot
Francesco
Hi Francesco,
Just to add a bit more: a bridge group is very similar to routed mode, except that ACE cannot NAT pass-through traffic, VLANs cannot be shared, and a couple of other things, but clients should be able to access the server as before.
But also, whether in bridge or routed mode, ACE does create flows and applies other security parameters, if configured, to the traffic. This is for security. Also, ACE should know the MAC of the device to forward the traffic to. Can you check if ACE has the MAC of the destination? You can also put in a route for testing purposes and see if that resolves the issue. That should probably be the quickest way to check if ACE is creating any issue here.
Regards,
Kanwal -
Hi -
We have a need to load-balance requests within the same VLAN, but need to make sure it only happens then. We have multiple web servers all members of the same subnet, these servers are grouped differently in 5 different VIPS whose IPs are also part of the same subnet.
Example: We need server A, which is a member of VIP Z, to talk to VIP Y and be load-balanced. These servers and VIPs are all part of the same subnet. However, when that same server A talks to host C somewhere else we don't want it to be translated.
We'll obviously need to use groups and ACLs, but would we be using 'add service XX' in the group command or the 'add destination service XX' command? Should we NAT these connections as a new IP address, or just fake out the dest VIP so that it thinks the sender's MAC is the CSS?
Anyone have a sample config from doing this before?
Thanks!
Chad
Thanks for the info, Steve. I have looked at a couple of online references including that one, but they all seem to be just a percentage of what I'm looking to do. It's probably a combination of them all put together, but because these VIPs are production websites I want to make sure I don't have to try this a second time. To make it make more sense I'll paste in what I'm trying to do below.
First, I have these 2 content VIPs:
content www-LT-80
vip address 10.28.128.30
protocol tcp
port 80
url "/*"
advanced-balance arrowpoint-cookie
arrowpoint-cookie browser-expire
add service lt-bw02-80
add service lt-bw04-80
add service lt-bw06-80
add service lt-bw08-80
add service lt-bw10-80
add service lt-bw12-80
add service lt-bw14-80
add service lt-bw16-80
add service lt-bw18-80
add service lt-bw20-80
add service lt-bw22-80
add service lt-bw24-80
add service lt-bw26-80
add service lt-bw28-80
add service lt-bw30-80
add service lt-bw32-80
balance leastconn
active
content rc-LT-80
vip address 10.28.128.38
protocol tcp
port 80
url "/*"
advanced-balance arrowpoint-cookie
arrowpoint-cookie browser-expire
balance leastconn
add service rc-pub08-80
add service rc-pub06-80
add service rc-pub04-80
add service rc-pub02-80
active
Second, these are the services in each VIP respectively. I'll only paste 1 service from each VIP, all the others are the same just with incrementing IPs:
service lt-bw02-80
ip address 10.28.128.51
protocol tcp
port 80
string wwwltbw2
keepalive type script ap-kal-httptag "10.28.128.51 /keepalive.asp www.lendingtree.com"
keepalive frequency 15
active
service rc-pub02-80
ip address 10.28.128.171
protocol tcp
port 80
string rcpub02
keepalive type script ap-kal-httptag "10.28.128.171 /keepalive.asp rc.lendingtree.com"
keepalive frequency 15
active
Goal to achieve:
I need the lt-bwXX-80 services that are members of the first VIP to be able to talk to the second (RC) VIP and be load-balanced. The caveat is that when these lt-bwXX-80 services talk to other hosts through the CSS I do not want them being NATted at all, for reporting reasons their IPs need to stay the same. To touch on your earlier comment, all of these VIPs are also load-balanced to the Internet for web browsing. Basically, I need some form of address translation, whether it be IP or MAC, but only on specific to/from relationships.
Does that help make it more clear? Thanks in advance for any assistance.
Chad -
Block traffic between two VLANs: unidirectional or bidirectional?
I have a Cisco L3 switch with 4 VLANs and all host computers connected to the remaining 8 Cisco 2960 switches:
VLAN 1 : 192.168.1.0/24
VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24
VLAN 50: 192.168.30.0/24
Here is a list of some of my questions about extended ACLs, in order:
1. To restrict traffic from VLAN 10 to VLAN 20, I am using only one ACL: access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255.
What will happen in this scenario if we talk about traffic from VLAN 20 to VLAN 10? Will it communicate or not?
2. How to block the traffic from VLAN 10 to VLAN 20 but allow the traffic from VLAN 20 to VLAN 10? Please tell me the access list command for this.
Question 2 depends on question 1.
Please find my Cisco 3560 switch configuration in the blog below:
Regards
Kuldeep
Hi Richard,
See this Cisco 3560 switch configuration, and tell me the answers accordingly:
CORE_3560#sh run
Building configuration...
Current configuration : 5299 bytes
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname CORE_3560
enable secret 5 $1$d6GO$No/vGsChZP5O.5ANOYI2m/
no aaa new-model
ip subnet-zero
ip routing
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface Port-channel1
description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
switchport trunk encapsulation dot1q
switchport mode trunk
interface Port-channel2
description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/1
description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet0/2
description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet0/3
description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on
interface GigabitEthernet0/4
description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on
interface GigabitEthernet0/5
description *** CONNECTING TO CISCO-2960 SWITCH-3 ***
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/6
interface GigabitEthernet0/7
description *** CONNECTING TO CISCO-2960 SWITCH-4 ***
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/8
interface GigabitEthernet0/9
description *** CONNECTING TO CISCO-2960 SWITCH-5 ***
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/10
interface GigabitEthernet0/11
description *** CONNECTING TO CISCO-2960 SWITCH-6 ***
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/12
interface GigabitEthernet0/13
description *** CONNECTING TO CISCO-2960 SWITCH-7 ***
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/14
description *** CONNECTING TO CISCO-2960 SWITCH-8 ***
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/15
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/16
interface GigabitEthernet0/17
interface GigabitEthernet0/18
interface GigabitEthernet0/19
interface GigabitEthernet0/20
interface GigabitEthernet0/21
interface GigabitEthernet0/22
interface GigabitEthernet0/23
interface GigabitEthernet0/24
description Connecting to Cisco-1800 Router
switchport access vlan 50
switchport mode access
interface GigabitEthernet0/25
interface GigabitEthernet0/26
interface GigabitEthernet0/27
interface GigabitEthernet0/28
interface Vlan1 ***** L2 switch's Vlans
ip address 192.168.1.1 255.255.255.0
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip access-group 101 in
interface Vlan50
ip address 192.168.30.1 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.30.10
ip http server
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit icmp any any
control-plane
line con 0
line vty 0 4
password cisco
no login
line vty 5 15
no login
end -
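A stateless walk-through of how ACL 101 from the CORE_3560 configuration above behaves when applied "in" on the Vlan10 and Vlan20 SVIs, written as an added example (Python, not code from the thread): it parses the wildcard-mask lines, evaluates first-match with the implicit deny, and traces a TCP handshake in each direction to show why a single deny also drops the replies of sessions opened from VLAN 20. The second ACL is a constructed variant using the IOS "established" keyword; the host addresses .5 are made up for the trace.

```python
"""Stateless evaluation of a Cisco-style extended IP ACL on SVIs.

Added example, not from the thread. Ports and the 'log' keyword are not
modelled; 'any', 'host', wildcard masks and 'established' are.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    ack: bool = False     # TCP ACK (or RST) bit set, i.e. not the opening SYN


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: Tuple[int, int]  # (address, wildcard mask) as integers
    dst: Tuple[int, int]
    established: bool = False


def _addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.ip_address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tok[i])),
            int(ipaddress.ip_address(tok[i + 1]))), i + 2


def parse_acl(lines: List[str]) -> List[Rule]:
    """access-list <n> <permit|deny> <proto> <src> <dst> [established]"""
    rules = []
    for line in lines:
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        rules.append(Rule(action, proto, src, dst, "established" in tok[i:]))
    return rules


def _in_range(rng: Tuple[int, int], ip: str) -> bool:
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    addr, wild = rng
    return (int(ipaddress.ip_address(ip)) & ~wild) == (addr & ~wild)


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching line wins; ('deny', None) is the implicit deny."""
    for n, r in enumerate(acl):
        if r.proto not in ("ip", pkt.proto):
            continue
        if not _in_range(r.src, pkt.src) or not _in_range(r.dst, pkt.dst):
            continue
        if r.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return r.action, n
    return "deny", None


# SVI subnets from the CORE_3560 config; ACL 101 is applied 'in' on both.
VLANS: Dict[str, ipaddress.IPv4Network] = {
    "Vlan10": ipaddress.ip_network("192.168.10.0/24"),
    "Vlan20": ipaddress.ip_network("192.168.20.0/24"),
}


def ingress_svi(ip: str) -> Optional[str]:
    """The SVI whose inbound ACL sees a packet sourced from 'ip'."""
    for name, net in VLANS.items():
        if ipaddress.ip_address(ip) in net:
            return name
    return None


def _filter(acl: Optional[List[Rule]], pkt: Packet) -> str:
    """An SVI with no ACL bound forwards everything."""
    return "permit" if acl is None else evaluate(acl, pkt)[0]


def tcp_session(acl_in: Dict[str, List[Rule]], client: str, server: str) -> Tuple[str, str]:
    """Trace SYN (client->server) and SYN/ACK (server->client) through the
    inbound ACL of the SVI each packet arrives on; both must be permitted."""
    syn = Packet(client, server, "tcp")
    synack = Packet(server, client, "tcp", ack=True)
    return (_filter(acl_in.get(ingress_svi(client)), syn),
            _filter(acl_in.get(ingress_svi(server)), synack))


ACL_101 = parse_acl([  # exactly the three lines in the posted configuration
    "access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "access-list 101 permit ip any any",
    "access-list 101 permit icmp any any",   # never reached: shadowed above
])

# Constructed variant: let VLAN 10 answer TCP sessions that VLAN 20 opened
# (ACK bit set) while still refusing sessions that VLAN 10 opens itself.
ACL_ONE_WAY = parse_acl([
    "access-list 101 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 established",
    "access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "access-list 101 permit ip any any",
])


def results(acl: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """(SYN verdict, SYN/ACK verdict) for a session in each direction."""
    both = {"Vlan10": acl, "Vlan20": acl}
    return {"10->20": tcp_session(both, "192.168.10.5", "192.168.20.5"),
            "20->10": tcp_session(both, "192.168.20.5", "192.168.10.5")}


if __name__ == "__main__":
    for name, acl in (("ACL 101 as posted", ACL_101), ("with established", ACL_ONE_WAY)):
        print(name, results(acl))
```

The "established" variant only helps TCP: an ICMP or UDP reply from VLAN 10 to VLAN 20 still hits the deny line, which is why a stateful device (reflexive ACL or firewall) is the usual answer when non-TCP replies must pass too.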
Requirement:
How to make two clients on the same VLAN communicate with each other when tunnel-loop-prevention is enabled in the tunneled-node configuration on the controller?
Whenever we enable tunnel-loop-prevention on the controller while configuring tunneled-node, communication between two tunneled-node clients on the same VLAN is blocked or dropped.
If the tunneled-node clients are in different VLANs, they can communicate even when tunnel-loop-prevention is enabled on the controller.
Solution:
To make two tunneled-node clients on the same VLAN communicate with each other, we need to enable "local-proxy-arp" on the VLAN interface on the controller.
Once it is enabled, the tunneled-node clients on the same VLAN can communicate with each other.
Configuration:
To enable "local-proxy-arp":
Go to the VLAN interface on the controller.
Example :
(config)#interface vlan 5
(config)#ip local-proxy-arp
To enable tunnel loop prevention on controller
(config)# tunnel-loop-prevention
Verification
Show commands:
To check if tunnel-loop-prevention is enabled or disabled
#show tunneled-node config
Tunnelded node Server: Enabled
Tunnel Loop Prevention: Enabled
To check if local-proxy-arp is enabled:
#show interface vlan 5
Look for "ProxyARP enable" in the output.
-
streetfi8er wrote:
Server ready,waiting for client:
Exception in thread "New THREAD" java.lang.NullPointerException
at server4$server4Thread.run(server4.java:88)
Failed to accept client
When I run the second client programme on a different console on the same system I get the error:
Unknown Host
OK, I'm no socket programming expert, but I can see a few potential problems with what you've written.
1. First off, which line is line 88? Line numbers would be useful. Also, indenting your code properly would make it easier to read.
2. Your 'while(!str.equalsIgnoreCase("close"))' will always fail with a NullPointerException because 'str' is initially set to null.
3. Your 'while(true)' loop worries me. How does it exit? Relying on an exception is usually very bad practice.
4. You are not handling SecurityExceptions. While it's unlikely to happen on your machine; it could easily happen on another.
5. It might be worth indicating the actual exception thrown in your "Failed to accept client" message. accept() can throw three different types of IOException.
6. All the threads you create will be called "New THREAD", which doesn't provide much value.
HIH
Winston -
Multiple data blocks on the same canvas
Forms newbie question:
Is it possible to have 2 data blocks with two different sets of transactional triggers (ON-UPDATE, ON-LOCK, etc.) on the same canvas?
I've got an example where I've got two data blocks (one sourced from a view, and one that is a CTL block) on the same canvas. The block sourced from the view is working fine. When I make updates, they are reflected, etc. But I've got one field in the control block that I need to update from as well, and I can't seem to get it (or any of the CTL block items) to show up as "updateable", regardless of the set_item_property....they're always grayed out.
Do I need to take the user to a new canvas to be able to utilize the update of the CTL field?
A second canvas is not needed. Normally, control-block items are always updateable, so there is something going on in your form to prevent it.
> I can't seem to get it (or any of the CTL block items) to show up as "updateable",
> regardless of the set_item_property....they're always grayed out.
What... Is there code someplace in the form that sets them to Enabled, false? If that is the case, then to get them working again, besides setting Enabled to true, you also must set Updateable and Navigable to Property_True. (This is documented at the end of the on-line help on Set_Item_Property.) -
AP groups with same vlans , same ssid but different subnet.
Hi Members,
I have a Cisco Flex 7500 in my datacenter and I need to connect 100 sites, each site with 2-3 APs. Each site has its own network and is independent of the other sites; the sites only need to communicate locally and do not need to access any centralized applications.
I am trying to achieve this by creating 100 different AP groups and assigning 2-3 APs to each group for each branch. I will achieve WAN failover resiliency by creating FlexConnect groups. The issues I am facing are as below.
1. Since all the sites have the same setup, the APs and clients on all sites are in VLAN 2, so when I try to create 2 or more AP groups with the same VLAN, it restricts me from doing so; I cannot create different AP groups mapped to the same VLAN.
2. If I keep the APs and clients in the same subnet, I don't think it should be a problem, but I need your second opinion.
To give you an even better picture, look at the topology enclosed. My question is, if both STAFF and STUDENT APs are in the same VLAN but in 2 different broadcast domains, how would I create the AP groups?
Thank you
Thanks for the reply Jenn, here is my situation.
I have 2 sites, let's say site A in Virginia and site B in Maryland.
SiteA - 10.1.1.0/24 - vlan 2
10.1.2.0/24 - vlan 3
10.1.3.0/30 - WAN to central site where controller sits.
SiteB - 10.2.1.0/24 - vlan 2
10.2.2.0/24 - vlan 3
10.2.3.0/30 - WAN to central site where controller sits.
both the sites will have a single ssid "XYZ" and will switch locally only.
In my understanding the way I will deploy this is as below:
1. I will create a WLAN with SSID "XYZ".
2. I will create 2 AP groups, let's say "Site-A" and "Site-B".
3. I will map the APs in site A to AP group "Site-A" and the APs in site B to "Site-B".
4. I will create 2 dynamic interfaces, one for each AP group. Now this is where I am facing a problem: when I am creating dynamic interfaces, I need to specify the subnet and VLAN, and since the VLAN used is the same on both sites, it's not letting me create 2 interfaces with the same VLAN ID.
In my understanding HREAP is mainly used for WAN failover and local authentication, so I am not concerned about that right now; my prime work is to understand AP groups and how they work.
If you still need a screenshot let me know; I will have to go to the site.
Also validate if my thinking is right on the 4 steps I have mentioned above. I am new to wireless and whatever I have learned I have learned in the last 10 days.
Appreciate your help.
Thank you -
2 SSIDs on the same Vlan?
Hi all -
Newbie question. When I am setting up wireless, will I be able to use 2 different SSIDs on the same vlan?
Example:
dot11 ssid Example1
vlan 2
authentication open eap eap_methods
authentication network-eap eap_methods
dot11 ssid Example2
vlan 2
authentication open eap eap_methods
authentication network-eap eap_methods
Hi James,
Hopefully the attached docs will answer your question:
Cisco Aironet 1100 Series
Using VLANs with Cisco Aironet Wireless Equipment
Deprecated versions of Cisco Aironet software permit binding multiple SSIDs to one VLAN. Current versions do not.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.2(15)JA
Configuring Multiple SSIDs
vlan vlan-id
(Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. You can assign only one SSID to a VLAN.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802085c4.html
Hope this helps!
Rob
Please remember to rate helpful posts....... -
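Since the answer above boils down to the rule that an SSID stanza may bind to only one VLAN, here is an added example (written for this page, not part of the original thread or of any Cisco tool) of a small checker that parses `dot11 ssid` stanzas out of an Aironet IOS configuration and reports VLANs bound to more than one SSID. The sample configuration is constructed from the two SSIDs in the question plus a third guest SSID; the stanza format assumed is the global `dot11 ssid <name>` block with indented `vlan` and `authentication` sub-commands.

```python
"""Lint Cisco Aironet IOS 'dot11 ssid' stanzas for VLAN bindings.

Added example for this thread: it is not Cisco code. It parses the
global 'dot11 ssid <name>' blocks and flags any VLAN that more than
one SSID is bound to, which current Aironet IOS releases reject.
"""
import re
from collections import defaultdict

# Constructed sample: the two SSIDs from the question plus a guest SSID.
SAMPLE_CONFIG = """\
dot11 ssid Example1
   vlan 2
   authentication open eap eap_methods
   authentication network-eap eap_methods
!
dot11 ssid Example2
   vlan 2
   authentication open eap eap_methods
   authentication network-eap eap_methods
!
dot11 ssid Guest
   vlan 10
   authentication open
!
interface Dot11Radio0
 ssid Example1
"""

SSID_RE = re.compile(r"dot11 ssid (\S+)$")
VLAN_RE = re.compile(r"vlan (\d+)$")


def parse_dot11_ssids(config: str) -> dict[str, dict]:
    """Return {ssid_name: {"vlan": int | None, "auth": [str, ...]}}."""
    ssids: dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and '!' separators carry no config
        m = SSID_RE.match(line)
        if m:
            current = m.group(1)
            ssids[current] = {"vlan": None, "auth": []}
            continue
        if line.startswith("interface "):
            current = None  # left the global dot11 ssid stanzas
            continue
        if current is None:
            continue
        m = VLAN_RE.match(line)
        if m:
            ssids[current]["vlan"] = int(m.group(1))
        elif line.startswith("authentication "):
            ssids[current]["auth"].append(line.split(None, 1)[1])
    return ssids


def vlans_with_multiple_ssids(ssids: dict[str, dict]) -> dict[int, list[str]]:
    """Map each VLAN bound to two or more SSIDs to the list of SSID names."""
    by_vlan: dict[int, list[str]] = defaultdict(list)
    for name, info in ssids.items():
        if info["vlan"] is not None:
            by_vlan[info["vlan"]].append(name)
    return {vlan: names for vlan, names in by_vlan.items() if len(names) > 1}


def lint_config(config: str) -> list[str]:
    """Human-readable findings: one line per VLAN that is over-bound."""
    findings = []
    for vlan, names in sorted(vlans_with_multiple_ssids(parse_dot11_ssids(config)).items()):
        findings.append(
            f"vlan {vlan} is bound to {len(names)} SSIDs ({', '.join(names)}); "
            "current Aironet IOS allows only one SSID per VLAN"
        )
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run it on a saved `show running-config`; an empty result means every VLAN is bound to at most one SSID. The `interface` line resets the stanza tracker so that `ssid` references inside radio interfaces are not mistaken for stanza definitions.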
3750 bandwidth limitation between the same vlan over the trunk
Hi All,
I have 2 3750G series switches connected by a trunk link. Some machines are part of vlan1 on switch 1 and some machines are part of the same vlan1 on the other switch 2. I need to limit the bandwidth between the switches for vlan1. A picture is attached.
I tried to do it through the modular policy framework (class-map and policy-map using the police command) but the problems are:
1) The 3750 does not support an output service policy, so I cannot apply the policy on the output of the trunk link.
2) I can apply an input policy but it will only be for one machine, not for the others on the same switch. If I apply the policy on a per-port basis then every port has a separate bandwidth limitation. I need to limit the bandwidth on a per-vlan basis on the trunk port, e.g. vlan 1 takes 10 MB, vlan 2 takes 10 MB on the trunk link when communicating between the same vlans.
Is there any solution for that scenario? Your help in this case will be highly appreciated. As it is layer 2 communication, it's hard for me to find the solution. If it were layer 3 then I could do it easily by using the rate-limit command on the interface.
thanks
On the 4500 series we use vlan-range for this,
conf t
qos aggregate-policer 10MB 10 mbps 1250000 byte conform-action transmit exceed-action drop
policy-map 10MB
class class-default
police aggregate 10MB
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,12,15
switchport mode trunk
switchport nonegotiate
vlan-range 1
service-policy input 10MB
service-policy output 10MB
end
Dunno if the 3750s have the same options.