Communication between 2 vlans on firewall.

communication between 2 vlans.
I have 2 VLANs
Vlan 100
ip add 1.1.1.1
Vlan 200
ip add    2.2.2.2
I want to make communication between 2 VLANs on firewall 5520 ASA 8.2.
Please provide configuration for same.

You need to follow this guide. The configuration which you have pasted has got nothing but the IP. Other parameters are also required to configure the ASA firewall.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html
Thanks
Ajay

Similar Messages

  • How do I set my firewall settings in Avasti to allow communications between my HP 8600 and my comput

    How do I set my firewall settings in Avasti to allow communications between my HP 8600 and my computer

    Something to Consider:
    If you are talking about "Avast!" Security Software, either the free or the paid version, the following may apply to you:
    There are three main levels of Security in the Avast! software:  Home, Work, and Public
    Home is the setting many people use when "at home", that is, connected to the home network.  The home network is sometimes defined as the "192.168" network:  these are the computers and printers that you have and use in your home environment.  The network is (most usually) private and (should be) secured with a passphrase at your router.  The Avast! Software sees the "Home" network as a "safe" environment:  devices connected within the "Home" network are allowed to "talk" (communicate) with one another without undue restrictions.
    Work is the next setting.  The software places some restrictions on this level of communication.  Home users can certainly use this setting -- in many (most) cases, the "Work" setting is a solution that provides for communication and a bit more security for the home network and its devices.
    Public is the strictest setting and is meant to keep your computer safe in a public place:  the library, coffee shop, on a street corner.  Outside "prying eyes" are prevented from peeping and outside communications are restricted.
    If you have set (or left) your Avast! software set to Public, or even Work (and you do not know how to handle the restrictions), then you may have simply locked out the communication between the printer and the computer(s) on your home network.
    Open your Avast! Software and set the security level to either "Home" or "Work".
    You can find out more about how to use the software settings at the Avast! website.
    Advanced Users Only - You will know if you changed the Rules... this is not something one does by accident.
    If you have changed the rules within the settings, you may have locked yourself out.  Make sure you have both "in" and "out" traffic settings adjusted correctly for each rule you change / adapt / add.
    Kind Regards,
    Dragon-Fur

  • Communication between the secondary community VLANs hosts

    Hi Guys,
    The hosts in the secondary community private VLANs are permitted to talk each other. If there is no promiscuous port/host defined, will the community VLAN hosts be able to talk each other?
    Or all the intra-community VLAN traffic is routed via promiscuous port?
    CF

    Hi CF,
    If there is no promiscuous port/host defined, will the community VLAN hosts be able to talk each other?
    I suppose you want to ask whether hosts in different community VLANs will be able to talk to each other if there is no promisc port defined. The answer is - no, they will not be able to communicate, but they would not be able to communicate even if the promisc port was created. Their communication over the promisc port would be allowed only if the device connected to that promisc port was willing to do hairpin routing - that is, receive and forward a packet back the same interface. Usually, you do not want your different community VLANs to communicate to each other - that is why you created them in the first place - so you'd usually make sure that whatever device is connected to a promisc port, it does not do routing or is prevented from hairpin routing via an ACL, for example.
    With respect to mutual communication of hosts in a single community VLAN - these hosts will be able to communicate to each other just as if it was a totally normal VLAN. The existence or non-existence of a promisc port has no influence on this.
    Feel welcome to ask further!
    Best regards,
    Peter

  • Communication between servers on different FIs

    Just want to verify communication between UCS servers on same chassis but having active vNICs on different FIs (Diagram attached). I suppose all communication between server-A & server-B will happen through Layer 2 switch as server-A will generate an ARP request for Server-B, that will be passed over to FI-A and then to L2 switch down to FI-B, where server-B will respond back with its MAC that will then be passed to Server-A via FI-B to L2 switch to FI-A. I don't expect any traffic between servers A & B be routed via firewall? Is there anything I need to be careful about in this design? Going forward we will have multiple subinterfaces on the firewall for different VLANs and all servers will use Firewall as default gateway.

    You may want to look at the throughput of your firewall for server-server traffic in different VLANs. If your L2 switch is 10G but your firewall is only 1G then you could have a potential bottleneck.

  • Communication between : AP and WLAN controller

    Hi,
    The communication between AP and WLAN Controller is (Data and Control) UDP.
    Source port 1024 and destination port 12222 and 12223. Actually, which device listens to which port, or should both listen, as control and data can be generated from both the devices?
    How is the user (wireless client) traffic switched if user traffic is TCP traffic? It will be sent to WLANC and then WLANC forwards it to respective VLAN or default gateway (depending upon the destination in the packet).
    Please explain / share the experience.
    Any link on cisco.com?
    Thanks in advance
    Subodh

    "the LWAPP Control and Data messages are encapsulated in UDP packets that are carried over the IP network. The only requirement is established IP connectivity between the access points and the WLC. The LWAPP tunnel uses the access point's IP address and the WLC's AP Manager interface IP address as endpoints. The AP Manager interface is explained in further detail in the implementation section. On the access point side, both LWAPP Control and Data messages use an ephemeral port that is derived from a hash of the access point MAC address as the UDP port. On the WLC side, LWAPP Data messages always use UDP port 12222. On the WLC side, LWAPP Control messages always use UDP port 12223.
    The mechanics and sequencing of Layer 3 LWAPP are similar to Layer 2 LWAPP except that the packets are carried in UDP packets instead of being encapsulated in Ethernet frames."
    Taken from "Cisco 440X Series Wireless LAN Controllers Deployment Guide"

  • Communication between two network with the same IP segment

    Good morning:
    How can I establish communication between the production environment and test environment with the same IP segment using switch Cisco Nexus 5548?

    Carlos
    The short answer is you can't as far as I know. You need to do NAT to be able to do this and I don't think the Nexus switches support NAT.
    You need a device that can NAT both address ranges. If prod is always the one that initiates the connection then you need static NAT translations for the test machines and you can dynamically NAT prod addresses as they go into the test env.
    But if both prod and test can initiate connections then you need to have static NAT translations for both sides.
    We used a pix firewall for this when we connected our prod and test environments. A firewall is a good choice because you can make the test environment the outside interface where all traffic is denied by default. You do not want test affecting prod.
    Jon

  • Ports required for communication between Web servers and service applications (the default is HTTP)

    We're using SharePoint 2010, I'm the system admin for a SharePoint farm. We enabled SharePoint Search by adding a Search Service Application. One of the crawl report timer jobs is failing every 5 minutes with the error "Cannot connect to remote server".
    After digging around, we found that the server running the timer job tries to connect to the SearchAdmin.svc on the index server, over HTTPS / port 32844. However, communication over SSL via a non default port is blocked by our firewall.
    According to this article: https://technet.microsoft.com/en-us/library/cc262849.aspx the default is HTTP for communication between web servers. How is it possible that it's trying to connect over SSL?

    Hi,
    Quoted from
    https://technet.microsoft.com/en-us/library/cc262849.aspx#ServiceApp :
    You can change the protocol and port binding for each service application. On the Service Applications page in Central Administration, select the service application, and then click Publish.
    Here is an article for configuring Windows firewall port rules for SharePoint using PowerShell in case you need:
    http://www.xylos.com/default.aspx?id=1050
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Which is the correct way to filter/block traffic between vlans?

    Hi all. My question is: Which is the correct way to filter/block traffic between vlans?
    I have more than 15 vlans. I want to block traffic between them except 2 vlans.
    source vlan 3 deny destination vlan 4
    #access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
    and the opposite:
    #access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    I have to do this for all VLANs, one by one. Is that right?
    Thanks.

    There are a couple of ways to achieve that. I assume that you have a Layer3-Switch. There I would configure one ACL per vlan-interface and allow/deny the traffic as you want. Sadly, the Switches don't support object-groups yet, so you have to use the IP-networks here. Only allow/deny traffic based on networks or hosts. Don't even try to be very granular with permit/denys based on ports. Because the switch-ACLs are not stateful you'll run into problems for the return-traffic if you would do that. And the return-traffic of course has to be allowed also.
    Another way: with the help of 802.1x you can deploy port-based ACLs for every user. That takes some time for planning, but is one of the most powerful solutions.
    For more control you could remove the L3-interface from your L3-switch and move that to your router or firewall. These devices support stateful filtering and you can control your traffic much tighter than with ACLs on the switch.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni
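
The "one ACL per vlan-interface" approach from the answer above, as an added example (not code from either poster): a Python sketch that generates one inbound extended ACL per VLAN interface in Cisco IOS syntax and checks the resulting policy with first-match evaluation. The 192.168.<id>.0/24 addressing follows the two subnets in the question; the VLAN list, the allowed pair 3/4 and the ACL names are assumptions.

```python
import ipaddress

# Constructed sample: VLAN id -> subnet, assuming 192.168.<id>.0/24 as in the question.
VLANS = {v: ipaddress.ip_network(f"192.168.{v}.0/24") for v in (3, 4, 5, 6)}
ALLOWED = {frozenset((3, 4))}  # assumed: the only pair of VLANs allowed to talk


def build_rules(vlans, allowed):
    """One inbound ACL per VLAN interface: {vlan: [(action, src_net, dst_net)]}.
    Entries match networks only (no ports), because switch ACLs are stateless.
    An allowed pair is a frozenset, so it is permitted in both directions and
    the return traffic passes the peer VLAN's ACL as well. None means "any".
    """
    rules = {}
    for vid, net in sorted(vlans.items()):
        acl = []
        for other, other_net in sorted(vlans.items()):
            if other != vid:
                ok = frozenset((vid, other)) in allowed
                acl.append(("permit" if ok else "deny", net, other_net))
        acl.append(("permit", None, None))  # non-VLAN destinations, e.g. the WAN
        rules[vid] = acl
    return rules


def fmt(net):
    return "any" if net is None else f"{net.network_address} {net.hostmask}"


def render(rules):
    """Render the rules as IOS named extended ACLs bound inbound to each SVI."""
    out = []
    for vid, acl in rules.items():
        out.append(f"ip access-list extended VLAN{vid}-IN")  # ACL name is made up
        out += [f" {a} ip {fmt(s)} {fmt(d)}" for a, s, d in acl]
        out += [f"interface Vlan{vid}", f" ip access-group VLAN{vid}-IN in", "!"]
    return "\n".join(out)


def passes(acl, src, dst):
    """First-match evaluation; an ACL ends with an implicit deny."""
    for action, s, d in acl:
        if (s is None or src in s) and (d is None or dst in d):
            return action == "permit"
    return False


def can_talk(rules, vlans, src_ip, dst_ip):
    """A flow works only if the request and the reply each pass the inbound
    ACL of the VLAN they enter from. Non-VLAN addresses have no ACL here."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)

    def vlan_of(ip):
        return next((v for v, n in vlans.items() if ip in n), None)

    a, b = vlan_of(src), vlan_of(dst)
    forward = a is None or passes(rules[a], src, dst)
    reply = b is None or passes(rules[b], dst, src)
    return forward and reply


if __name__ == "__main__":
    print(render(build_rules(VLANS, ALLOWED)))
```

With 15 VLANs this yields 15 ACLs of 15 entries each, instead of a separate numbered ACL per VLAN pair and direction.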

  • Communication between data centres

    Hi,
    I'm new to vCloudAir & I want to establish communication between 2 datacenters.
    DataCenter.USA -> Gateway (public IP) -> NAT (private IP) -> <Server>, <Client1>
    DataCenter.GER -> Gateway (public IP) -> NAT -> <Client2>
    I'm trying to establish bi-directional connectivity between,
    - server & client2
    - client1 & client2
    Please suggest.
    Vinay

    Hi Vinay.
    You may want to have a look at the tutorials (here: Cloud Computing Tutorials | vCloud Air by VMware)
    Particularly the NAT tutorial: Introduction to Gateway Services: Network Address Translation - VMware vCloud Air
    Consider also that you will need to configure the firewall services to allow / block traffic to/from those VMs.

  • Vlan and firewall rules

    If I have 3 different vlans, are there any problems having different firewall rules between each vlan and the WAN link? I saw an earlier post about some issues with filtering between vlan's but this shouldn't be the same.
    /Andy

    Yes, this sounds different than the earlier post.
    Firewall rules can be applied for WAN to LAN or vice versa flows.
    As vlans are logically associated with LAN, firewall rules should be applicable for WAN to vlan traffic.
    Using source or destination IP address in the firewall rules should let one control which rules are applied to which vlan traffic.
    Regards,
    Richard

  • Difference between VLAN

    Hi,
    What's the difference between layer 2 VLAN and Layer 3 VLAN?
    regards
    Neo

    Here's the IEEE 802.1 definition of VLAN. This is basically your layer 2 VLAN.
    • Provides for the logical grouping of stations (MAC Service Access Points - MSAPs) and/or switch ports, allowing communications as if all stations/ports are on the same physical LAN segment. This includes stations/ports that are physically located on different LANs or segments within the physical boundary of an 802.1D Bridged LAN. A single Bridged LAN may include multiple VLAN “segments”.
    With that said, as the previous poster mentioned, for a host on a VLAN to communicate with a host on another VLAN you need a layer 3 device (router). Often, this is done by a layer 3 switch (like 3550, 6500 etc.). On a layer 3 device you have to create a logical interface, vlan interface on a switch or sub-interface if you are doing router-on-a-stick, to route traffic between VLANs. This is basically your layer 3 VLAN (interface) if you like to call it that way.
    HTH,
    Sundar
    *Please rate all helpful posts.

  • Communication between MDS C9134 and C9222i

    Dear Support,
    need your help to fix my setting.
    I have bought now the good 10GBFC Module for connexion between MDS C9134 and C9222i. the trunking is OK between the 2 switches.
    But we have Vsan with zone on each MDS but they cannot communicate.
    Please find in attach my setting.
    Waiting for your feedback urgently
    Best Regards

    Hello Omer,
    Yes, you got it right, LANs are very different from SANs. VLAN concept is similar to VSAN, but there are a few differences. First of all, there is no concept of LAN's VTP in Cisco's SAN-OS (NX-OS). You need to manually create VSANs on all switches. Secondly, "inter VSAN routing (IVR)" is not automatic. You have to configure IVR vsan-topology and IVR zones+zoneset. But in your case, maybe you could just put all devices into the same VSAN and simply control communication between devices using zones. Yes, you could use only VSAN 1 to solve it. Place everything into VSAN 1 and configure zones in VSAN 1 on one of the switches. Place zones into zoneset, activate it, and active zoneset will automatically propagate in VSAN 1 to the other switch.
    Let me know if you have any more questions.
    Regards,
    Roman

  • SG500 Slow Performance Between Vlans

    Hello,
    I am having an issue with slow performance between vlan 1 and vlan 10, I have IPv4 routing enabled and I have SVI on vlan 1 and vlan 10 respectively. Within the same vlan the speed is great. Would it also be a problem with using vlan 1 in production for something like this? Normally I stay away from Vlan 1.
    Thanks

    Hi Alexandery,
    In my opinion, this thread is related to ASP.NET forum. So please post thread on that forum for more effective response. Thank you for understanding. Please refer to the following link.
    http://forums.asp.net/.
    Regards,

  • Is in PI7.1 possible asynchronous communication between SOAP and ABAPProxy?

    Hi,
    when method execute_asynchronous has disappeared since XI/PI 7.1, is
    there still a way to use ABAP proxy in an asynchronous way?
    We need to build asynchronous connection SOAP->PI->ABAP_Proxy.
    In PI, both interfaces are defined as asynchronous (outbound for SOAP and
    inbound for ABAP Proxy).
    Despite of this fact, when message is sent, it is processed
    synchronous way.
    I have set breakpoint in my implementation of method for ABAP Proxy
    message processing. When message is sent and breakpoint is reached,
    whole connection stays open (between SOAP and PI and between PI and
    ABAP Proxy) and waits for processing method (the breakpointed one) to
    return. Only when processing method returns, is connection finally
    closed.
    If I understand it correctly, this is synchronous behavior. In
    asynchronous behavior, as I understand it, should be connection
    between PI and ABAP Proxy of application server closed immediately
    after message has been delivered. This mean before my processing
    method is even called.
    The same could be said about SOAP and PI communication. Connection
    should be closed immediately after PI has received message. From
    definition of asynchronous communication of PI is obvious, that PI
    should receive message correctly and close connection to sender system
    even when receiver is unreachable. It should deliver message later
    when, receiver system is back on line. So why it keeps connection to
    sender system open while it waits for receiver?
    Why is this happening, when both interfaces are defined as
    asynchronous? Could be the reason for this, if APPLICATION
    ACKNOWLEDGEMENT is set on by default? If so, how can I change it
    to SYSTEM ACKNOWLEDGEMENT, or disable it at all?
    Or is this kind of asynchronous communication even possible since
    XI/PI 7.1 ?
    Processing of message we are sending can take some time, so we don't
    want connection pending open while waiting for finish of
    processing. That's the reason why we have chosen asynchronous model to
    use.

    Quote from How to Use the J2EE SOAP Adapter:
    "If you select Best Effort, the Web service client will receive a response
    message in the SOAP body. Otherwise, the Web service client will not receive a
    response message if no error occurs."
    "if no error occurs" - that is the problem. In either case he still
    waits if some error occurs or not. I don't want it. Once PI has
    received message, I want the connection with sender to be closed. If
    there will be error in communication between PI and receiver, I want
    to see it only in PI log. That means no notification to sender to be
    sent about that error.
    Is that possible?

  • Communication between Best Buy and Apple

    Where is the communication between these two companies? It's frustrating to have NO CLUE if a phone will come in a day or in 5 weeks. Who at Apple is deciding what they send to what stores? Obviously, Best Buy has to pay for the phones. There has to be some sort of communication.
    Would it really be that hard for someone high up in Best Buy to communicate with Apple? Maybe a list from each store of their orders and what they are waiting on. Give that to Apple. Apple can give some sort of answer. Expect this much in this time frame... expect this much later. I mean, something. Instead of leaving everyone in the dark, completely.
    Someone at Best Buy corporate has to have SOME clue how Apple is shipping and to what stores. To say no one has no clue at all, is nuts. And if it's true... Best Buy needs to get a clue. DO SOME WORK FOR YOUR CUSTOMERS. At least get some truth, so if we need to go elsewhere, we can. It would be better for both sides.

    Apparently since they come on UPS, they don't know when the shipments are coming in or how much. Which I think is bull.
    If that's the case, what I want to know is HOW do they know they received the amount they were expecting? If they don't know how much they're getting or when they're getting a shipment, then what's stopping the delivery man from stealing a box, and they wouldn't know any better? Maybe the higher up managers know, and they aren't allowed to reveal that info, but there has to be a checks system in there somewhere verifying the stock received.
