Prevent routing between 2 logical networks without a VLAN

Background: We have some older hubs in our network. As such, we cannot implement a VLAN yet. We have a 10/100 ethernet network across our campus for our production users. We have multiple buildings on the campus and one physical network. We are installing Cisco 1100 WAPs to provide our guests with wireless internet access. Our DHCP server is configured to hand out 192.168.1.x addresses to our guests. Our DHCP server has 192.168.0.x reservations for our production machines.
Questions:
1) Would this ACL prevent traffic from routing between the 192.168.0.x and 192.168.1.x networks?
access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
2) Does anyone have a better solution for preventing our guests from accessing our production machines? Once all the hubs are replaced with switches, we plan to implement a VLAN.
TIA,
Mark

Are you sure you want to protect your Guest WLAN from your production Network, not the other way round? Your access-list states that the .0 network (production) is not allowed to access the .1 (wlan) network. Then, I don't see in your config the activation of any of your access-lists. They are just defined without being activated on any of your interfaces. Plus, the allow at the end of the access-list is missing, because there is an implicit deny at the end of any access-list.
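
The two points raised in the reply above (which direction the entry matches, and the implicit deny that ends every access-list), worked through as an added example that is not part of the original thread. The evaluator handles only `ip` entries with `any`, `host` or address/wildcard operands; the second list (`GUEST_BLOCK`) and the sample addresses are constructed for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

ALL_BITS = 0xFFFFFFFF


class Entry(NamedTuple):
    action: str      # "permit" or "deny"
    src: int
    src_wild: int    # wildcard mask: a 1 bit means "ignore this bit"
    dst: int
    dst_wild: int


def ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def take_operand(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, ALL_BITS
    if first == "host":
        return ip_to_int(tokens.pop(0)), 0
    return ip_to_int(first), ip_to_int(tokens.pop(0))


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny ip SRC DST' (no ports, no options)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, protocol, rest = tokens[2], tokens[3], tokens[4:]
    if action not in ("permit", "deny") or protocol != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    try:
        src, src_wild = take_operand(rest)
        dst, dst_wild = take_operand(rest)
    except IndexError:
        raise ValueError(f"incomplete entry: {line!r}") from None
    if rest:
        raise ValueError(f"trailing tokens not supported: {rest}")
    return Entry(action, src, src_wild, dst, dst_wild)


def parse_acl(lines: List[str]) -> List[Entry]:
    return [parse_entry(line) for line in lines]


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    care = ~wild & ALL_BITS          # bits that must be equal
    return (addr & care) == (base & care)


def evaluate(acl: List[Entry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First match wins. Returns (action, entry index); index None = implicit deny."""
    s, d = ip_to_int(src), ip_to_int(dst)
    for index, entry in enumerate(acl):
        if wildcard_match(s, entry.src, entry.src_wild) and \
           wildcard_match(d, entry.dst, entry.dst_wild):
            return entry.action, index
    return "deny", None


# The entry exactly as posted in the question.
AS_POSTED = [
    "access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
]

# Constructed alternative (an assumption, not from the thread): guest network
# as the source, followed by an explicit permit for everything else.
GUEST_BLOCK = [
    "access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 105 permit ip any any",
]

# Constructed sample flows: (label, source, destination).
FLOWS = [
    ("production -> guest", "192.168.0.10", "192.168.1.50"),
    ("guest -> production", "192.168.1.50", "192.168.0.10"),
    ("guest -> internet", "192.168.1.50", "203.0.113.7"),
]


def decisions(acl_lines: List[str]) -> List[Tuple[str, str, Optional[int]]]:
    acl = parse_acl(acl_lines)
    return [(label, *evaluate(acl, src, dst)) for label, src, dst in FLOWS]


if __name__ == "__main__":
    for name, lines in (("as posted", AS_POSTED), ("guest block", GUEST_BLOCK)):
        print(name)
        for label, action, index in decisions(lines):
            where = "implicit deny" if index is None else f"entry {index + 1}"
            print(f"  {label:22} {action:6} ({where})")
```

An access-list is evaluated only on packets the router forwards, and only after it is applied to an interface with `ip access-group`; frames exchanged directly on the shared Ethernet segment never reach it.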

Similar Messages

  • Cisco ASA 5505 Routing between internal networks

    Hi,
    I am new to Cisco ASA and have been configuring my new firewall, but one thing has been bothering me. I cannot get internal networks and routing between them to work as I would like to. Goal is to set four networks and control access with ACLs between those.
    1. Outside
    2. DMZ
    3. ServerNet1
    4. Inside
    ASA version is 9.1 and I have been reading on two different ways of handling IP routing with this: NAT Exempt, and not configuring NAT at all and letting normal IP routing handle internal networks. No matter how I configure, with or without NAT, I cannot get access from inside network to DMZ or from ServerNet1 to DMZ. Strange thing is that I can access services from DMZ to Inside and ServerNet1 if access list allows it. For instance DNS server is on Inside network and DMZ works great using it.
    Here is the running conf:
    interface Ethernet0/0
    switchport access vlan 20
    interface Ethernet0/1
    switchport access vlan 20
    interface Ethernet0/2
    switchport access vlan 19
    interface Ethernet0/3
    switchport access vlan 10
    switchport trunk allowed vlan 10,19-20
    switchport trunk native vlan 1
    interface Ethernet0/4
    switchport access vlan 10
    interface Ethernet0/5
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/6
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/7
    switchport access vlan 10
    interface Vlan10
    nameif inside
    security-level 90
    ip address 192.168.2.1 255.255.255.0
    interface Vlan11
    nameif ServerNet1
    security-level 100
    ip address 192.168.4.1 255.255.255.0
    interface Vlan19
    nameif DMZ
    security-level 10
    ip address 192.168.3.1 255.255.255.0
    interface Vlan20
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network DNS
    host 192.168.2.10
    description DNS Liikenne
    object network Srv2
    host 192.168.2.10
    description DC, DNS, DNCP
    object network obj-192.168.4.0
    subnet 192.168.4.0 255.255.255.0
    object network ServerNet1
    subnet 192.168.4.0 255.255.255.0
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group network RFC1918
    object-group network InternalNetworks
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq domain
    service-object udp destination eq domain
    service-object udp destination eq nameserver
    service-object udp destination eq ntp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq ftp
    port-object eq ftp-data
    object-group service rdp tcp-udp
    description Microsoft RDP
    port-object eq 3389
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_SERVICE_2
    service-object tcp destination eq domain
    service-object udp destination eq domain
    object-group network DM_INLINE_NETWORK_1
    network-object object obj-192.168.2.0
    network-object object obj-192.168.4.0
    access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
    access-list dmz_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
    access-list DMZ_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
    access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
    access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
    access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
    access-list ServerNet1_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu ServerNet1 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
    object network obj_any
    nat (inside,outside) dynamic interface
    nat (DMZ,outside) after-auto source dynamic obj_any interface destination static obj_any obj_any
    nat (ServerNet1,outside) after-auto source dynamic obj-192.168.4.0 interface
    access-group ServerNet1_access_in in interface ServerNet1
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.4.0 255.255.255.0 ServerNet1
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.4.0 255.255.255.0 ServerNet1
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni,
    Yep, Finnish would be good also =)
    In front of ASA is DSL modem, on the trunk ports is Hyper-V host that uses the trunk ports so that every VM has their VLAN ID defined in the VM level. Everything is working good on that end. Also there is WLAN Access Point on one of the ASA ports, on the WLAN AP there is the management portal address on DMZ that I have been testing against (192.168.3.4)
    If I configure Dynamic PAT from inside to the DMZ then the traffic starts to work from inside to all hosts on DMZ but that's not the right way to do it so no shortcuts =)
    Here is the conf now, still doesn't work:
    interface Ethernet0/0
    switchport access vlan 20
    interface Ethernet0/1
    switchport access vlan 20
    interface Ethernet0/2
    switchport access vlan 19
    interface Ethernet0/3
    switchport access vlan 10
    switchport trunk allowed vlan 10,19-20
    switchport trunk native vlan 1
    interface Ethernet0/4
    switchport access vlan 10
    interface Ethernet0/5
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/6
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/7
    switchport access vlan 10
    interface Vlan10
    nameif inside
    security-level 90
    ip address 192.168.2.1 255.255.255.0
    interface Vlan11
    nameif ServerNet1
    security-level 100
    ip address 192.168.4.1 255.255.255.0
    interface Vlan19
    nameif DMZ
    security-level 10
    ip address 192.168.3.1 255.255.255.0
    interface Vlan20
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network DNS
    host 192.168.2.10
    description DNS Liikenne
    object network Srv2
    host 192.168.2.10
    description DC, DNS, DNCP
    object network obj-192.168.4.0
    subnet 192.168.4.0 255.255.255.0
    object network ServerNet1
    subnet 192.168.4.0 255.255.255.0
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group network RFC1918
    object-group network InternalNetworks
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq domain
    service-object udp destination eq domain
    service-object udp destination eq nameserver
    service-object udp destination eq ntp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq ftp
    port-object eq ftp-data
    object-group service rdp tcp-udp
    description Microsoft RDP
    port-object eq 3389
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_SERVICE_2
    service-object tcp destination eq domain
    service-object udp destination eq domain
    object-group network DM_INLINE_NETWORK_1
    network-object object obj-192.168.2.0
    network-object object obj-192.168.4.0
    object-group network DEFAULT-PAT-SOURCE
    description Default PAT source networks
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    network-object 192.168.4.0 255.255.255.0
    access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
    access-list dmz_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
    access-list DMZ_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
    access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
    access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
    access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
    access-list ServerNet1_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu ServerNet1 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    access-group ServerNet1_access_in in interface ServerNet1
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.4.0 255.255.255.0 ServerNet1
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.4.0 255.255.255.0 ServerNet1
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

  • HT1549 How to do file sharing between OS X platforms without airport, airdrop, or router.

    How do you do file sharing between OS X platforms without: airport, airdrop, a router, or existing intranet?

    All Macs for many years have included Airport WiFi.  You should be able to create an Ad-Hoc network between any 2 Macs and transfer files via file sharing
    The Airport icon on the menu bar -> Create Network on one Mac.  On the other Mac, choose -> Join Other network.
    Besides a Firewire cable, you should also be able to connect an ethernet cable between any 2 Macs and they should see each other.
    There is always a USB thumb drive and sneaker-net (hand carry files between systems via the Thumb Drive).
    You could get a WiFi router, and use it to create a local network where all the Macs in the home could see each other.  That will work even if you do not have an internet connection.
    You could get an ethernet switch and plug all the Macs into the switch via ethernet cables and they would all see each other.

  • Is it possible to perform network data encryption between Oracle 11g databases without the advance security option?

    Is it possible to perform network data encryption between Oracle 11g databases without the advance security option?
    We are not licensed for the Oracle Advanced Security Option and I have been tasked to use Oracle Network Data Encryption in order to encrypt network traffic between Oracle instances that reside on remote servers. From what I have read and my prior understanding this is not possible without ASO. Can someone confirm or disprove my research, thanks.

    Hi, Srini Chavali-Oracle
    As for http://www.oracle.com/technetwork/database/options/advanced-security/advanced-security-ds-12c-1898873.pdf?ssSourceSiteId… ASO is mentioned as TDE and Redacting Sensitive Data to Display. Network encryption is excluded.
    As for Network Encryption - Oracle FAQ (of course this is not Oracle official) "Since June 2013, Net Encryption is now licensed with Oracle Enterprise Edition and doesn't require Oracle Advanced Security Option." Could you clarify this? Thanks.

  • Routes and ACLs between NVGRE VM Networks for single tenant

    We're running into a situation where multiple tenants need NVGRE VM Networks with multiple routed/ACL'd subnets. These tenants have multi-tier services that need a perimeter network.
    We can accomplish this for these tenants with VLAN VM Networks by deploying virtual firewalls/routers to their VM networks or by managing their firewall/routers between VM networks. We do this by deploying a front-end perimeter VLAN VM Network, a back-end perimeter VLAN VM Network, and an internal VLAN VM Network. This all works well and is secure. The only problem is that it doesn't scale well because the tenant is taking up three VLANs; and it's also a burden to provision.
    NVGRE VM Networks could solve all our problems IF we had a way of doing the following:
    Give a tenant multiple NVGRE VM Networks. It seems like this is possible today, but they're completely isolated with no routing capabilities which doesn't meet our needs most of the time.
    We need the ability to route between multiple NVGRE VM Networks. This is currently not possible from what I can tell because no default gateway is used for VMs within a single VM Network on the same host.
    We need the ability to create ACL rules between routed NVGRE VM Networks.
    The last part of this is that we need to be able to assign multiple internet-facing IP addresses to a client's NVGRE VM network for NAT/ACL rules. This would mean that we could have 4x different services deployed within a front-end perimeter VM Network and each of those services could have a unique public IP that is either being load balanced to a service or pointing directly to a service.
    The NVGRE based VMM private cloud isn't production ready for us until we can check these boxes.
    I'm willing to think outside the box if anyone has any alternative solutions to these problems.
    Thank you for taking the time to read this and help.

    We know that there are some challenges in order to realize all scenarios with the NVGRE solution today. The feedback is registered, and I recommend to read up on the Windows Server technical preview to get a look into the future. 
    Here's a short blog post I wrote on what's already public: http://kristiannese.blogspot.no/2014/10/scratching-surface-of-networking-in.html
    As you can see, we get a new Windows Server Role (Network Controller) that will be responsible for several virtual network functions. 
    If you also search through the content from TechEd, you should get more insight.
    -kn
    Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

  • Can I share files between two different networks at same location?

    Until TWC can offer DOCSIS 3.0 later this year or next...
    - In my home I have a closet where all my audio, video and network come together.
    - I have two cable modems from Time Warner
    - Modem A goes to a WRT320N; 192.168.0.1
    -- This router connects all my "heavy" downloads, ie. DirecTV receivers, Netflix, home server w/videos, gaming, etc.
    - Modem B goes to a E2000; 192.168.1.1
    -- This router connects my everyday use computers so they don't suffer poor speeds from all the traffic on Modem A
    My question is, how or can I somehow share files between these two routers without the need for hitting the modems? Obviously I can just push files over the Internet but I am doing it at a much slower speed due to upload restrictions on the modem.
    Thank you for any help on this!

    The easiest way would be to assign LAN IP 192.168.1.2 to the WRT320N and disable the DHCP server. Then assign static IP addresses in 192.168.1.* to all devices connected to the WRT at the moment, e.g. 192.168.1.10, 255.255.255.0, gateway 192.168.1.2, DNS 192.168.1.2 (or DNS servers of your ISP).
    Now you can connect a LAN port of the WRT to a LAN port of the E2000. All DHCP clients get the IP address from the E2000 which will assign the E2000 as gateway, i.e. they use the E2000 for internet. All other devices will have static IP addresses and use the WRT as gateway.

  • Logical network to physical network mapping (subnets and VLANS) in SCVMM 2012 R2

    In much of the blogs, documentation and literature on VMM, there are examples of deploying multiple logical networks onto one physical network i.e. Cluster (logical) + Storage (logical) + Backup (logical) + Live Migration (logical) + Management (logical) on top of Datacenter (physical).
    Does this mean it would be possible to have one (physical) flat VLAN-less network with one subnet and then have all those logical networks (with subnets and VLANs) on top of it? Even with a simple unmanaged L2 switch that doesn't support VLANs itself?
    If not, just how do you map multiple logical networks to just one physical network? How does that work in practice? Is a L3 switch needed to route traffic between logical networks for example?

    Hi. VMM Networking may be overwhelming for most, at first. But you really need to understand the modeling here and how things are related to each other. Especially if using NIC teaming in WS 2012 (and R2) together with this mix.
    I suggest that you read the following whitepaper where we explain how to setup networking in VMM (also to support network virtualization, but that is absolutely not mandatory): http://gallery.technet.microsoft.com/Hybrid-Cloud-with-NVGRE-aa6e1e9a
    -kn
    Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

  • Logical Network issue

    I am using SCVMM in Windows 2012 R2 standard and Hyper-V role enabled in Windows 2008 R2 sp2.
    I've created logical network in VMM but here it is not deploying the local switch in Hyper-V, I need some assistance on logical network communication between VMM & Hyper-V.

    It's hard to tell where you are in the jungle of configuration here, but I would recommend you to read the following whitepaper which covers the entire setup of the logical network/logical switch deployment to the hosts:
    https://gallery.technet.microsoft.com/Hybrid-Cloud-with-NVGRE-aa6e1e9a
    I did also do this session at TechEd last year, showing how this should be deployed from the ground up:
    http://channel9.msdn.com/Events/TechEd/Europe/2014/CDP-B327
    And last but not least, here's a PowerShell script (purely demo based, unpolished, ripped rout out of an open - ongoing editing ISE session :-) ) that shows how these things are related to each other:
    https://gallery.technet.microsoft.com/SCVMM-Fabric-Controller-a1edf8a7
    -kn
    Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

  • One logical network per VLAN?

    I am not using network virtualization and currently using traditional VLANs. Now what I did currently is I have one logical network, one network site, and in that network site contains all my VLANs (23 right now).
    What I noticed is when I create a cloud I can't choose the network... I can only choose the logical switch which will give that cloud complete access to all VLANs right?
    So in my situation would it be better to just create a logical switch for each VLAN we have? Keep in mind this is a multi-tenant environment so that is why there are so many VLANs. 
    Most of the videos I find go into Network Virtualization which is not what I'm trying to do :-(

    Hi se
    This is how I do it (I don't have WLSE):
    - Create a ssid per vlan in the AP.
    - Configure switch to AP connection as a trunk.
    - If needed, configure helper addresses in switch.
    If you need routing between VLANs, you will need a router, afaik AP cannot do it.
    HTH

  • Logical Switch and Logical Network

    Hello All...................I have Hyper-V Failover Cluster based on 5 Hosts and I am managing it with VMM 2012 R2. I was slightly confused with respect to Logical Network and Logical Switch in the Fabric Settings.  I would appreciate if someone could shed a little light on the difference between them.  Also, while there is a Logical Network defined by default (Name of the Virtual Switch of Hosts), there is nothing defined in the Logical Switch.  Which one is mandatory? Logical Network or Logical Switch? Can I delete the default Logical Network?

    Hi Nick,
    Please find below link for the whitepaper mentioned by Kristian.
    https://gallery.technet.microsoft.com/Hybrid-Cloud-with-NVGRE-aa6e1e9a
    For a complete reference please refer below series. This covers VMM 2012 SP1 but should be fine with R2 as well.
    http://blogs.technet.com/b/scvmm/archive/2013/01/08/virtual-networking-in-vmm-2012-sp1.aspx
    Logical Network is defined for easier management and used in Network Virtualization whereas Logical switch is used to configure networking in multiple Hosts rather than creating individual Virtual switches in each host. If it were me I'll leave the default logical network as there is no harm of doing nothing in it.
    I hope this will shed some light into your situation.
    Thanks,
    Janaka
    Janaka Rangama MCT MIEEE MBCS (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable.)

  • Problem of routing between inside and outside on ASA5505

    I have an ASA5505 with mostly factory default configuration. Its license allows only two vlan interfaces (vlan 1 and vlan 2). The default config has interface vlan 1 as inside (security level 100), and interface vlan 2 as outside (security level 0 and using DHCP).
    I only changed interface vlan 1 to IP 10.10.10.1/24. After I plugged in a few hosts to vlan 1 ports and connect port Ethernet0/0 (default in vlan 2) to a live network, here are a couple of issues I found:
    a) One host I plugged in is a PC, and another host is a WAAS WAE device. Both are in vlan 1 ports. I hard coded their IP to 10.10.10.250 and 10.10.10.101, /24 subnet mask, and gateway of 10.10.10.1. I can ping from the PC to WAE but not from WAE to the PC, although the WAE has 10.10.10.250 in its ARP table. They are in the same vlan and same subnet, how could it be? Here are the ping and WAE ARP table.
    WAE#ping 10.10.10.250
    PING 10.10.10.250 (10.10.10.250) from 10.10.10.101 : 56(84) bytes of data.
    --- 10.10.10.250 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss
    WAE#sh arp
    Protocol Address Flags Hardware Addr Type Interface
    Internet 10.10.10.250 Adj 00:1E:37:84:C9:CE ARPA GigabitEthernet1/0
    Internet 10.10.10.10 Adj 00:14:5E:85:50:01 ARPA GigabitEthernet1/0
    Internet 10.10.10.1 Adj 00:1E:F7:7F:6E:7E ARPA GigabitEthernet1/0
    b) None of the hosts in vlan 1 in 10.10.10.0/24 can ping interface vlan 2 (address in 172.26.18.0/24 obtained via DHCP). But on ASA routing table, it has both 10.10.10.0/24 and 172.26.18.0/24, and also a default route learned via DHCP. Is ASA able to route between vlan 1 and vlan 2? (inside and outside). Any changes I can try?
    Here are ASA routing table and config of vlan 1 and vlan 2 (mostly its default).
    ASA# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route
    Gateway of last resort is 172.26.18.1 to network 0.0.0.0
    C 172.26.18.0 255.255.255.0 is directly connected, outside
    C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
    C 10.10.10.0 255.255.255.0 is directly connected, inside
    d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    All other ports are in vlan 1 by default.

    I should have made the config easier to read. So here is what's on the ASA and the problems I have. The ASA only allows two VLAN interfaces configured (default to Int VLAN 1 - nameif inside, and Int VLAN 2 - nameif outside)
    port 0: in VLAN 2 (outside). DHCP configured. VLAN 2 pulled IP in 172.26.18.0/24, default gateway 172.26.18.1
    port 1-7: in VLAN 1 (inside). VLAN 1 IP is 10.10.10.1. I set all devices IP in VLAN 1 to 10.10.10.0/24, default gateway 10.10.10.1
    I have one PC in port 1 and one WAE device in port 2. PC IP set to 10.10.10.250 and WAE set to 10.10.10.101. PC can ping WAE but WAE can't ping PC. Both can ping default gateway.
    If I can't ping from inside interface to outside interface on ASA, how can I verify inside hosts can get to outside addresses and vice versa? I looked at ASA docs, but didn't find out how to set the routing between inside and outside. They are both connected interfaces, should they route between each other already?
    Thanks a lot

  • How can I use Airport Express to create a standalone Wi-Fi network without Internet Access so I can browse web pages on the local network? I will be using MAMP as my server (Apache)

    I would like to create my own Wi-Fi standalone network at an upcoming tradeshow where there will be NO internet access.
    Currently, I run and develop sites on my iMac, using MAMP to manage my sites locally. Using MAMP, I run my sites as though they are on the internet although everything is local.
    I purchased an Airport Express hoping I could create a standalone network so that the iMac would broadcast its website to whatever device connects to it such as my iPhone, iPad and MacBookPro.
    However, after setting up the network successfully (I have a green light on the Airport Express, and there is NO internet going through it), I am not able to go any further by logging into the iMac's websites from the other machines. From my MacBookPro Finder, I can look at files and folders using afp://10.0.1.2, from the Find/Go/Connect to Server utility, but I can't browse the website that is running on the iMac via the Safari browser.
    Can anyone help me configure my MacBookPro (or iPad, or iPhone) to run the website on the iMac when they are all on the same network?
    Thanks so much!!

    1) connecting the TC using a ethernet cable from one of the two modem's LAN ports to the TC's WAN port
    2) create a new Wi-Fi network using the TC?
    Has anyone already created a new Wi-Fi network using their TC connected by Ethernet to a modem/router device? How did you set up the DHCP (and NAT)? Which range did you use?
    This is easy enough to do..
    Plug the TC directly into a computer.. without other connections to do the setup.
    Using the newly installed 5.6 utility.
    Bridge the TC.
    Create a wireless network.
    This is an older screen shot and I would set security to WPA2 Personal only not WPA/WPA2 Personal as shown above.
    I do recommend you use wireless names that are short, no spaces, pure alphanumeric.
    Update the TC..
    Now plug it into the modem router.. it will be a part of the network without doing NAT and DHCP itself.. which you do not want.. that leads to double NAT issues.. but it is a WAP that provides access to devices on both 2.4 GHz and 5 GHz bands directly to the main router.

  • How do I add a WRT310N to my existing BEFSR81 network without getting IP conflicts?

    How can I add a WRT310N to my existing BEFSR81 wired network without IP conflicts? I have used the setup disk that came with the WRT310 and everything seemed to work correctly. Then I noticed my wired printer had an IP address conflict and my laptop would connect wirelessly. I have tried to use the "cascading a linksys router to another linksys router" but the WRT310 does not have the same web access as described. Any help would be appreciated.

    You can cascade both routers together via an Ethernet cable. However, you cannot use the CD for one router to set up another router. Check this link for cascading two routers.

  • Can I use Apple TV on network without internet connection?

    I'm helping someone who has an Apple TV (version 1) and their router and internet connection are down. We need to use the Apple TV today to stream a video from her Mac to the TV connected to the Apple TV for a presentation. Can we just hook up the Mac and the Apple TV to a switch via Ethernet (or connect wirelessly to an AirPort Base Station) and stream the video without being connected to the internet?

    Welcome to the Apple Community.
    You can't just use a switch, but you can use a router or wifi access point without access to the internet, but you will need a DHCP server to give each device on the network an IP address.
    You may also be able to connect the Mac and Apple TV directly with an ethernet cable, I've tested this with the Apple TV 1, but not with the Apple TV 2.

  • Can I print from my iPad to a printer on my network without using my desktop computer as a server?

    I am looking for a simple way to print from my iPad to the printer connected to our in-home network without buying a new printer or requiring that one of my computers be used as the "server." I looked into Printopia, but it appears to require going through one of the printers that is already connected via the network to our printer.

    Bummer. Just when I think Apple has dealt with everything, I have an issue that they have not addressed. I'm not clever enough to know why they have not made this feature a part of iOS, but it seems a pretty simple idea. If my desktop and laptop can communicate with my printer through my wireless network, it would seem a logical extension that my iOS devices could as well. Oh well...
