Routing between different VLANs

We have a Cat-3550 switch that has another VLAN (VLAN 2) defined in addition to the management VLAN (VLAN 1). A 2600 router is patched into a VLAN 1 port on the switch out of its inside interface (FE0). In addition to the router, an NT machine is patched into a VLAN 2 port on the switch. From the NT machine, I am unable to ping the other interface (FE1) of the router.
Can someone please shed some light as to why?
Thanks.

I think I understand, but correct me if I'm wrong. You have 2 VLANs only, 1 and 2. You have Fa0/0 patched to a VLAN 1 access port on a switch, and it has the address of the VLAN 1 gateway. You have Fa0/1 patched to a VLAN 2 port on another switch, and it has the address of the VLAN 2 gateway. This should work straight off; there is no need for a trunk between the router and the switch.
If it does not work, it probably means that the trunk(s) between the two switches is/are not working correctly. From the machine on VLAN 1, can you ping the VLAN 1 gateway address? My guess is that you can. From a machine on VLAN 2, can you ping the VLAN 2 gateway? My guess is that you cannot. In that case, the trunk(s) between the two switches is/are not carrying VLAN 2 correctly. To test this, define another VLAN 2 access port on the switch where Fa0/1 is patched, and try pinging the gateway from there - I guess it will work.
But that's enough guessing for the moment. What actually happens when you try these tests?
Kevin Dorrell
Luxembourg
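As an added example (not part of the original thread, and not the poster's configuration): the layout Kevin describes, one router interface per VLAN with no trunk, on a single 3550, followed by the show commands that answer his test questions. Port numbers, addresses and the VLAN name are assumptions.

```cisco
! --- Catalyst 3550 (assumed ports; VLAN 1 already exists) ---
vlan 2
 name USERS
!
interface FastEthernet0/1
 description 2600 FE0 (VLAN 1 gateway)
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
!
interface FastEthernet0/2
 description 2600 FE1 (VLAN 2 gateway)
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet0/3
 description NT host
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
! --- 2600 router (assumed addresses) ---
interface FastEthernet0/0
 description VLAN 1 gateway
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 description VLAN 2 gateway
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
! --- Checks, in the order the reply suggests ---
! On the switch: are the ports up, and in the VLAN you think they are?
show vlan brief
show interfaces status
! Does the switch see both the router's FE1 MAC and the host's MAC in VLAN 2?
show mac-address-table vlan 2
! On the router: is FE1 up/up with the right address?
show ip interface brief
! From the NT host (default gateway 192.168.2.1): ping 192.168.2.1
```

If the MAC table shows the host but not the router in VLAN 2, the router's second interface is not on a VLAN 2 port (or is down); if it shows both and the ping still fails, look at the router interface itself rather than the switch.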

Similar Messages

  • Multicast Does not work between different VLANS

    Hi,
    I have problems with multicast. On the same VLAN I can see the SAP announcement in VLC and play it, but on a different VLAN I can see the SAP but I can't play it. The play turns to pause and the video doesn't appear.
    I have 2 Cisco 6500 CORE switches with GLBP configured but not working. In the second switch I have all interfaces in shutdown. The first core switch has L3 routing enabled.
    The global configuration:
    ip multicast-routing
    I have the transmitter PC on VLAN 51, transmitting to the 230.0.0.50 group, and I'm trying to receive on VLAN 80. The VLAN configurations are:
    Vlan 51
    ip address x.x.31.254 255.255.255.0
    ip pim sparse-dense-mode
    Vlan 80
    ip address x.x.80.1 255.255.255.0
    ip pim sparse-dense-mode
    I have 2 Cisco 2960 (L2 only) for the access.
    The principal command outputs are:
    CORE1#show ip mroute | inc 230.0.0.50
    (*, 230.0.0.50), 01:50:50/00:02:21, RP 0.0.0.0, flags: DC
    CORE1#
    CORE 1
    interface Vlan1
    ip address x.x.1.1 255.255.0.0
    ip access-group 101 out
    no ip unreachables
    ip pim sparse-dense-mode
    mls rp ip
    interface Vlan51
    ip address x.x.31.254 255.255.255.0
    ip access-group 151 out
    ip helper-address x.x.x.x
    ip helper-address x.x.x.x
    no ip unreachables
    ip pim sparse-dense-mode
    mls rp ip
    interface Vlan80
    ip address x.x.80.1 255.255.255.0
    ip access-group 150 out
    no ip unreachables
    ip pim sparse-dense-mode
    glbp 80 ip x.x.80.254
    glbp 80 timers 5 18
    glbp 80 timers redirect 600 7200
    glbp 80 priority 254
    glbp 80 preempt delay minimum 60
    glbp 80 authentication text glbpkey
    glbp 80 forwarder preempt delay minimum 60
    CORE2
    interface Vlan1
    ip address x.x.1.4 255.255.0.0
    ip access-group 101 out
    no ip unreachables
    ip pim sparse-dense-mode
    mls rp ip
    interface Vlan51
    ip address x.x.31.2 255.255.255.0
    ip access-group 151 out
    ip helper-address x.x.x.x
    ip helper-address x.x.x.x
    no ip unreachables
    ip pim sparse-dense-mode
    shutdown
    mls rp ip
    glbp 51 ip x.x.31.254
    glbp 51 timers 5 18
    glbp 51 timers redirect 600 7200
    glbp 51 preempt delay minimum 60
    glbp 51 authentication text glbpkey
    glbp 51 forwarder preempt delay minimum 60
    interface Vlan80
    ip address x.x.80.2 255.255.255.0
    ip access-group 150 out
    no ip unreachables
    ip pim sparse-dense-mode
    shutdown
    mls rp ip
    glbp 80 ip x.x.80.254
    glbp 80 timers 5 18
    glbp 80 timers redirect 600 7200
    glbp 80 preempt delay minimum 60
    glbp 80 authentication text glbpkey
    glbp 80 forwarder preempt delay minimum 60
    end
    Can someone help?
    Thanks,
    Alfredo

    Hi johnd...
    I'm using VLC 1.1.2 (I cannot update because I have a DVDT2 card to capture digital terrestrial television and it only works in this version). I have all the firewalls down.
    This is the output of show ip igmp snooping groups on the 2960.
    80        230.0.0.50               igmp        v2          Gi1/0/21, Gi1/0/24
    Port Gi1/0/21 is where the receiver is connected and port 24 is the trunk.
    Jon, I reverted and this is the output. I put the ip pim rp-address the same as the loopback that I created previously.
    (*, 230.0.0.50), 00:37:46/00:02:19, RP 192.168.230.230, flags: SJC
      Incoming interface: Null, RPF nbr 0.0.0.0
      Outgoing interface list:
        Vlan80, Forward/Dense, 00:09:52/00:00:00
    The strange thing is that I have more than 40 VLANs and it only fails in some VLANs like 80.

  • Having problem pinging from Switch to Router and between different VLANs

    It has been resolved.

    Hi Asif,
    Can you provide the following output:
    On the router:
    sh cdp neigh
    sh int trunk
    sh ip int br
    sh int status | inc conn
    Assuming the switch config is identical apart from the VLAN99 SVIs, from SW1:
    sh int trunk
    sh ip int br
    cheers,
    Seb.

  • SG300: How to set up routing between VLANs?

    I have recently purchased a Cisco SG300-10. I need it to perform routing between two VLANs on the switch. Seems like this should be quick and easy to do from the built-in GUI. When I configure it according to the documentation, it does not route between the VLANs.
    I have set the system mode to L3 (for layer 3 switching).
    I have followed the instructions on pages 26 through 33 of the attached PDF (which I obtained from the Cisco site). I used the same ports on the switch and the same IP addresses as shown in the document.
    Everything works until I attempt the step "ping 10.1.1.10" on page 33. This is the step to verify the layer 3 switching between the 2 PCs (on separate VLANs).
    The switch Firmware Version (Active Image): 1.3.5.58
    I have attached the running configuration from the switch. It is the file named "running-config.txt".   
    The 2 PCs that I am using are running Windows 7 and Windows 8.

    Hi jkst,
    There is a very minimal set of requirements to obtain layer 3 inter-VLAN routing:
    1 - 2 VLANs in layer 3 mode, each assigned an IP address
    config t
    vlan database
    vlan 2
    int vlan 1
    ip address 192.168.1.1 /24
    int vlan 2
    ip address 192.168.2.1 /24
    2 - Active link state on each VLAN - define a port for the second VLAN, then connect an IP device to that port and another device to another port, since the rest of the ports will default to VLAN 1
    config t
    int gi2
    switchport mode access
    switchport access vlan 2
    3 - Assign your device #1, which connects to any port, an IP address on the same subnet as VLAN 1
    Computer in VLAN 1 IP info:
    192.168.1.100
    255.255.255.0
    192.168.1.1
    Computer in VLAN 2 IP info:
    192.168.2.100
    255.255.255.0
    192.168.2.1
    Assuming these devices respond to ping and do not have external wireless communication, this will provide basic IP connectivity through the switch across VLANs.
    -Tom
    Please mark answered for helpful posts

  • Traffic Between 2 Ports on Different VLANs on the Same Switch

    Hi,
    This question probably results from a flaw in my understanding of network layer 2 versus layer 3 and VLANs, so any additional context in that regard would be very welcome.
    If I've got 2 systems on different VLANs that are connected to ports on the same switch (e.g. 2950), with that switch being connected via an uplink to a router or layer 3 switch, and I want to pass traffic between the 2 systems (e.g. copy a file from a folder shared on one system to another), will the traffic pass directly from one port on the 2950 to the other? Or will it need to go through the uplink? I guess it will need to go through the uplink initially, as layer 3 needs to be involved for inter-VLAN routing, but I'm wondering if the layer 2 MAC address will ultimately be learned, allowing traffic to pass directly between the systems, not over the uplink.
    Thanks in advance,
    cisco_reader.

    If the hosts are on different layer 2 VLANs and you want to pass data between them, that data needs to be routed.
    In order to route data from one layer 2 VLAN to another, you need a device capable of layer 3 routing. That device can be a traditional router or can be something called a layer 3 switch.
    A 2950 switch is layer 2 only, so it has the ability to create many layer 2 VLANs, which is what you have done. In order to route traffic between those VLANs, you can either use a router or an L3 switch.
    If you decide to use a router, look up something called "router on a stick", which involves creating a trunk link from the 2950 to the router and then setting up subinterfaces on the router's port to act as the default gateway for each of your VLANs.
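An added example of the router-on-a-stick design the reply points to (example configuration, not from the thread; VLAN numbers, ports and addresses are assumptions). It also answers the original question: the 2950 forwards on (VLAN, MAC), and every frame between the two hosts is addressed to the router's MAC, so the traffic crosses the trunk twice for every packet and is never switched host to host. That is also why an ACL on the router subinterface is enforced on all inter-VLAN traffic. The native VLAN is moved to an unused VLAN so that untagged frames arriving on the trunk cannot land in a VLAN that carries hosts.

```cisco
! --- 2950 side: trunk toward the router ---
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 999
 name NATIVE-UNUSED
!
interface FastEthernet0/24
 description uplink to router Fa0/0
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
!
! --- Router side: one 802.1Q subinterface per VLAN ---
interface FastEthernet0/0
 description trunk to 2950 Fa0/24
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 description VLAN 10 gateway
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 description VLAN 20 gateway
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
!
! Restrict what may cross between the VLANs; applied inbound on the
! user-side subinterface so it is evaluated before the routing decision
ip access-list extended USERS-TO-SERVERS
 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 443
 deny   ip  10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 log
 permit ip  10.0.10.0 0.0.0.255 any
!
interface FastEthernet0/0.10
 ip access-group USERS-TO-SERVERS in
!
! Verify
! on the 2950: VLANs 10 and 20 allowed and active on the trunk
show interfaces trunk
! on the router: subinterfaces and the tags they expect
show vlans
```

Keep the allowed-VLAN list pruned to the VLANs the router actually serves; a trunk that carries every VLAN by default exposes the management VLAN to whatever is on the other end.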

  • VLAN's on 3524 VLAN enable issue (I don't want to route between them)

    I have segmented a 3524 switch into three different VLANs. One is the management VLAN 1 and the other two are for my test lab and production network. I don't want either VLAN to see the other (router between them). My problem is my VLAN 10 and VLAN 12 will not come out of a shutdown state. They stay administratively down even after I issue the no shut command from within the VLAN interface. What am I doing wrong here?

    My guess is that you created 3 SVIs instead of creating the layer 2 VLANs that you need. Do a "show vlan"; do all 3 of your VLANs show up? If you created 3 different layer 3 SVIs (conf t, interface vlan 10 and/or 12), then the switch will only enable 1, because this is strictly used to manage the switch. To create your VLANs I believe on this switch you need to use the VLAN database. At the switch prompt type "vlan database", enter. Then type "vlan 10", hit enter, then type "vlan 12" and hit enter. This activates the layer 2 VLANs. Exit out to the command line and do a "show vlan" and see if all 3 show up now. Apply the VLANs to the ports as needed. These should now show up when you do a "show vlan". I think you are getting confused between the layer 3 SVIs and the layer 2 VLANs.

  • Prevent routing between 2 logical networks without a VLAN

    Background: We have some older hubs in our network. As such, we cannot implement a VLAN yet. We have a 10/100 Ethernet network across our campus for our production users. We have multiple buildings on the campus and one physical network. We are installing Cisco 1100 WAPs to provide our guests with wireless internet access. Our DHCP server is configured to hand out 192.168.1.x addresses to our guests. Our DHCP server has 192.168.0.x reservations for our production machines.
    Questions:
    1) Would this ACL prevent traffic from routing between the 192.168.0.x and 192.168.1.x networks?
    access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    2) Does anyone have a better solution for preventing our guests from accessing our production machines? Once all the hubs are replaced with switches, we plan to implement a VLAN.
    TIA,
    Mark

    Are you sure you want to protect your guest WLAN from your production network, not the other way round? Your access-list states that the .0 network (production) is not allowed to access the .1 (WLAN) network. Then, I don't see in your config the activation of any of your access-lists. They are just defined without being activated on any of your interfaces. Plus, the permit at the end of the access-list is missing, because there is an implicit deny at the end of any access-list.
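An added example (mine, not the poster's or the reply's configuration) showing the ACL as posted next to a working form: the deny reversed to guest -> production, an explicit permit after it, and the list applied inbound on the interface where guest packets enter the router. The interface carrying both subnets with a secondary address is an assumption about how one wire serves two subnets. Two caveats a practitioner would want: the list is stateless, so production hosts also lose the ability to open connections to guests unless a permit tcp ... established line is placed ahead of the deny (which in turn lets ACK-flagged probes through); and on a single hub-based segment the ACL only governs packets that reach the router. A guest who assigns a 192.168.0.x address by hand talks to production hosts directly at layer 2, so until VLANs exist this controls cooperative clients, not adversaries.

```cisco
! As posted: a single deny and no permit, so once applied the implicit
! deny at the end of the list drops every other packet as well
access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Corrected: block guest -> production, allow everything else, and apply it
! inbound on the interface where guest traffic enters the router
no access-list 105
access-list 105 remark guests may not reach the production subnet
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 105 permit ip any any
!
interface FastEthernet0/0
 description campus segment (both subnets on one wire; assumed)
 ip address 192.168.0.1 255.255.255.0
 ip address 192.168.1.1 255.255.255.0 secondary
 ip access-group 105 in
!
! Verify: the deny counter increments when a guest tries, and the
! interface really has the list bound inbound
show access-lists 105
show ip interface FastEthernet0/0 | include access list
```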

  • Can router dhcp different addresses to different vlans for wireless clients

    Is it possible for the router to hand out different IPs to wireless clients on different VLANs?

    Yes, the router needs to have a DHCP pool on each subnet and have an "interface Vlan x" for each VLAN. It will then assign IPs to clients in different VLANs.
    One vlan per SSID.
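An added example (not from the thread) of what the reply describes on a router that has an SVI per wireless VLAN: one DHCP pool per subnet, with the gateway and a few static hosts excluded. VLAN numbers, subnets and DNS addresses are assumptions. The router selects the pool by matching the address of the interface on which the DHCPDISCOVER arrived, so nothing beyond the SVI address ties a VLAN to its pool.

```cisco
! Keep the gateway and a small static range out of each pool
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool STAFF-WLAN
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.10.5
 lease 0 8
!
ip dhcp pool GUEST-WLAN
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 dns-server 10.10.20.5
 lease 0 2
!
! One SVI per VLAN; the SSID-to-VLAN mapping lives on the AP
interface Vlan10
 description STAFF SSID
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 description GUEST SSID
 ip address 10.10.20.1 255.255.255.0
!
! Verify which clients got which subnet
show ip dhcp binding
show ip dhcp pool
```

A short guest lease keeps the address table from filling with transient clients; the staff pool can afford a longer one.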

  • Cisco ASA 5505 Routing between internal networks

    Hi,
    I am new to Cisco ASA and have been configuring my new firewall, but one thing has been bothering me. I cannot get internal networks and routing between them to work as I would like to. The goal is to set up four networks and control access with ACLs between them.
    1. Outside
    2. DMZ
    3. ServerNet1
    4. Inside
    ASA version is 9.1 and I have been reading about two different ways of handling IP routing with this: NAT exempt, and not configuring NAT at all and letting normal IP routing handle the internal networks. No matter how I configure it, with or without NAT, I cannot get access from the inside network to the DMZ or from ServerNet1 to the DMZ. The strange thing is that I can access services from the DMZ to Inside and ServerNet1 if the access list allows it. For instance, the DNS server is on the Inside network and the DMZ works great using it.
    Here is the running config:
    interface Ethernet0/0
    switchport access vlan 20
    interface Ethernet0/1
    switchport access vlan 20
    interface Ethernet0/2
    switchport access vlan 19
    interface Ethernet0/3
    switchport access vlan 10
    switchport trunk allowed vlan 10,19-20
    switchport trunk native vlan 1
    interface Ethernet0/4
    switchport access vlan 10
    interface Ethernet0/5
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/6
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/7
    switchport access vlan 10
    interface Vlan10
    nameif inside
    security-level 90
    ip address 192.168.2.1 255.255.255.0
    interface Vlan11
    nameif ServerNet1
    security-level 100
    ip address 192.168.4.1 255.255.255.0
    interface Vlan19
    nameif DMZ
    security-level 10
    ip address 192.168.3.1 255.255.255.0
    interface Vlan20
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network DNS
    host 192.168.2.10
    description DNS Liikenne
    object network Srv2
    host 192.168.2.10
    description DC, DNS, DNCP
    object network obj-192.168.4.0
    subnet 192.168.4.0 255.255.255.0
    object network ServerNet1
    subnet 192.168.4.0 255.255.255.0
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group network RFC1918
    object-group network InternalNetworks
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq domain
    service-object udp destination eq domain
    service-object udp destination eq nameserver
    service-object udp destination eq ntp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq ftp
    port-object eq ftp-data
    object-group service rdp tcp-udp
    description Microsoft RDP
    port-object eq 3389
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_SERVICE_2
    service-object tcp destination eq domain
    service-object udp destination eq domain
    object-group network DM_INLINE_NETWORK_1
    network-object object obj-192.168.2.0
    network-object object obj-192.168.4.0
    access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
    access-list dmz_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
    access-list DMZ_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
    access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
    access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
    access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
    access-list ServerNet1_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu ServerNet1 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
    object network obj_any
    nat (inside,outside) dynamic interface
    nat (DMZ,outside) after-auto source dynamic obj_any interface destination static obj_any obj_any
    nat (ServerNet1,outside) after-auto source dynamic obj-192.168.4.0 interface
    access-group ServerNet1_access_in in interface ServerNet1
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.4.0 255.255.255.0 ServerNet1
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.4.0 255.255.255.0 ServerNet1
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni,
    Yep, Finnish would be good also =)
    In front of the ASA is a DSL modem; on the trunk ports is a Hyper-V host that uses the trunk ports so that every VM has its VLAN ID defined at the VM level. Everything is working well on that end. Also there is a WLAN access point on one of the ASA ports; on the WLAN AP there is the management portal address on the DMZ that I have been testing against (192.168.3.4).
    If I configure dynamic PAT from inside to the DMZ then the traffic starts to work from inside to all hosts on the DMZ, but that's not the right way to do it, so no shortcuts =)
    Here is the config now; it still doesn't work:
    interface Ethernet0/0
    switchport access vlan 20
    interface Ethernet0/1
    switchport access vlan 20
    interface Ethernet0/2
    switchport access vlan 19
    interface Ethernet0/3
    switchport access vlan 10
    switchport trunk allowed vlan 10,19-20
    switchport trunk native vlan 1
    interface Ethernet0/4
    switchport access vlan 10
    interface Ethernet0/5
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/6
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/7
    switchport access vlan 10
    interface Vlan10
    nameif inside
    security-level 90
    ip address 192.168.2.1 255.255.255.0
    interface Vlan11
    nameif ServerNet1
    security-level 100
    ip address 192.168.4.1 255.255.255.0
    interface Vlan19
    nameif DMZ
    security-level 10
    ip address 192.168.3.1 255.255.255.0
    interface Vlan20
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network DNS
    host 192.168.2.10
    description DNS Liikenne
    object network Srv2
    host 192.168.2.10
    description DC, DNS, DNCP
    object network obj-192.168.4.0
    subnet 192.168.4.0 255.255.255.0
    object network ServerNet1
    subnet 192.168.4.0 255.255.255.0
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group network RFC1918
    object-group network InternalNetworks
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq domain
    service-object udp destination eq domain
    service-object udp destination eq nameserver
    service-object udp destination eq ntp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq ftp
    port-object eq ftp-data
    object-group service rdp tcp-udp
    description Microsoft RDP
    port-object eq 3389
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_SERVICE_2
    service-object tcp destination eq domain
    service-object udp destination eq domain
    object-group network DM_INLINE_NETWORK_1
    network-object object obj-192.168.2.0
    network-object object obj-192.168.4.0
    object-group network DEFAULT-PAT-SOURCE
    description Default PAT source networks
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    network-object 192.168.4.0 255.255.255.0
    access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
    access-list dmz_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
    access-list DMZ_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
    access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
    access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
    access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
    access-list ServerNet1_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu ServerNet1 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    access-group ServerNet1_access_in in interface ServerNet1
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.4.0 255.255.255.0 ServerNet1
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.4.0 255.255.255.0 ServerNet1
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
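An added example, not the poster's configuration and not a diagnosis of it: the NAT-exempt (identity twice-NAT) form for ASA 8.3 and later that the post mentions, written for the inside-to-DMZ and ServerNet1-to-DMZ pairs, with an ACL line that permits the flow and the packet-tracer check that reports which phase drops a packet. Object names are taken from the post; the target host 192.168.3.4 is the AP management address the reply mentions, and the HTTPS port is an assumption. One thing visible in the posted config is worth knowing: ASA ACL names are case-sensitive, and only DMZ_access_in is bound with access-group, so the lower-case dmz_access_in entries are never evaluated.

```cisco
! Identity (twice) NAT: inside and ServerNet1 hosts keep their real
! addresses toward the DMZ subnet. Source and destination objects name the
! two *different* subnets; route-lookup makes the egress interface come
! from the routing table rather than from the NAT rule
nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp route-lookup
nat (ServerNet1,DMZ) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp route-lookup
!
! The inbound ACL on the originating interface must still permit the flow;
! the ASA is stateful, so no DMZ-side entry is needed for the replies
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj-192.168.3.0 eq https
!
! Trace a synthetic packet through every phase (ROUTE-LOOKUP, ACCESS-LIST,
! NAT, ...); the first phase that reports DROP is the one to fix
packet-tracer input inside tcp 192.168.2.10 40000 192.168.3.4 443
!
! Confirm the rule is being hit and see the resulting translations
show nat detail
show xlate
```

Run packet-tracer once from inside and once from ServerNet1; if both pass through NAT but stop at ACCESS-LIST, the problem is the list and not translation, and the reverse tells you the NAT rule is the one to revisit.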

  • IDSM-2 inline between multible VLAN

    Hi,
    I have a core switch 6509 which includes an IDSM-2. Actually the core switch handles the traffic between the user VLANs and the server VLAN (VLAN 11).
    The user VLANs are (VLAN 2, 3, 4, 5, 6 and 7). I need to configure the core switch and IDSM to be inline between the user VLANs and the server farm VLAN to inspect the traffic coming from the users.
    As I understand it, I can use the IDSM inline mode between multiple VLANs, but unfortunately my test to drop the ICMP request to the server failed.
    Kindly advise if that is available or if it should only be in promiscuous mode.
    Also, if there is any sample of a successful configuration.
    My configuration is as below:
    Core-SW-RYD#sh run | in intr
    intrusion-detection module 9 data-port 1 trunk allowed-vlan 2-7,11
    intrusion-detection module 9 data-port 2 trunk allowed-vlan 2-7,11
    intrusion-detection module 9 data-port 1 autostate include
    intrusion-detection module 9 data-port 2 autostate include
    intrusion-detection module 9 data-port 1 portfast 1
    intrusion-detection module 9 data-port 2 portfast 1
    VLAN Name                             Status    Ports
    1    default                          active    Gi9/2, Gi9/3, Gi9/4, Gi9/5, Gi9/6
    2    Food-D-VLAN                      active   
    3    Comm-D-VLAN                      active   
    4    Emar-D-VLAN                      active   
    5    Finance-D-VLAN                   active   
    6    Glucose-D-VLAN                   active   
    7    IT-D-VLAN                        active    Gi1/3
    11   servers-Vlan                     active    Gi1/2, Gi1/4, Gi1/5, Gi1/6, Gi1/7, Gi1/8, Gi1/9, Gi1/10, Gi1/12, Gi1/13
                                                    Gi1/14, Gi1/15, Gi1/16, Gi1/17, Gi1/18, Gi1/19, Gi1/20, Gi1/21, Gi1/22
                                                    Gi1/23, Gi1/24, Gi1/25, Gi1/26, Gi1/27, Gi1/28, Gi1/29, Gi1/31, Gi1/32
                                                    Gi1/33, Gi1/34, Gi1/35, Gi1/36, Gi1/37, Gi1/38, Gi1/39, Gi1/41, Gi1/42
                                                    Gi1/43, Gi1/44, Gi1/45, Gi1/46, Gi1/47, Gi1/48, Gi2/10, Gi2/11, Gi2/12
                                                    Gi2/13, Gi2/15, Gi2/16, Gi2/18, Gi2/19, Gi2/20, Gi2/21, Gi2/22, Gi2/23
                                                    Gi2/24, Gi3/1, Gi3/2, Gi3/3, Gi3/4, Gi3/5, Gi3/6, Gi3/7, Gi3/8, Gi3/9, Gi3/10
                                                    Gi3/11, Gi3/12, Gi3/13, Gi3/14, Gi3/15, Gi3/16, Gi3/17, Gi3/18, Gi3/19
                                                    Gi3/20, Gi3/21, Gi3/22, Gi3/23, Gi3/24
    Your support will be highly appreciated.
    Best Regards,
    Magdy

    Hi Mohamed.
    With inline mode, you can only bridge VLANs in unique pairs, so you can only bridge VLAN 11 to another single VLAN. And remember, since they are bridged, that means the 2 VLANs need to have the same IP subnet.
    But looking at your requirements, I'm guessing the different VLANs are on different IP subnet ranges.
    In that case, you'll need to do promiscuous mode.
    However, in promiscuous mode you can only do ACL blocking, and the first packet will pass successfully but will trigger the sensor to configure the router to create an ACL, and further packets will be dropped.
    However, if you redesign a bit you can use promiscuous mode. For example, create a new layer 2 VLAN (let's say 14) and move the servers to this VLAN.
    You only need to trunk VLAN 11 and VLAN 14 to the IDSM module, then create a single VLAN pair on the IPS which bridges VLAN 11 and VLAN 14. Then configure the signature to drop packets inline. Since now the clients who need to contact the servers need to pass traffic to VLAN 11, and the IDSM is in the middle between VLAN 11 and 14, it should drop pings to the servers.
    Regards,
    Fadi.
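An added example (not the poster's configuration) of the redesign Fadi proposes: the servers move into a new layer-2-only VLAN 14, VLAN 11 keeps the SVI that is the servers' gateway, only the pair 11/14 is trunked to the module, and the sensor bridges the pair inline. Slot 9 and VLAN 11 come from the post; VLAN 14, the server port, the sensor interface name and the signature number are assumptions, and the sensor-side syntax is from the IPS 6.x CLI and should be checked against the release running on the module. There is deliberately no interface Vlan14: an SVI on VLAN 14 would let the MSFC route to the servers without crossing the sensor.

```cisco
! --- 6509 supervisor ---
! New layer 2 VLAN for the servers; VLAN 11 keeps its SVI (the gateway)
vlan 14
 name servers-behind-ips
!
! Move each server port from VLAN 11 to VLAN 14 (Gi1/2 as an example)
interface GigabitEthernet1/2
 description server (was VLAN 11)
 switchport mode access
 switchport access vlan 14
!
! Only the paired VLANs reach the module data port; one port suffices
! for an inline VLAN pair
intrusion-detection module 9 data-port 1 trunk allowed-vlan 11,14
intrusion-detection module 9 data-port 1 autostate include
intrusion-detection module 9 data-port 1 portfast 1
!
! --- IDSM-2 sensor CLI (IPS 6.x syntax; data-port 1 is GigabitEthernet0/7) ---
configure terminal
service interface
 physical-interfaces GigabitEthernet0/7
  admin-state enabled
  subinterface-type inline-vlan-pair
   subinterface 1
    description servers 11<->14
    vlan1 11
    vlan2 14
   exit
  exit
 exit
exit
service analysis-engine
 virtual-sensor vs0
  physical-interface GigabitEthernet0/7 subinterface-number 1
  exit
 exit
exit
! Give the signature under test a drop action (2004 = ICMP Echo Request)
service signature-definition sig0
 signatures 2004 0
  engine atomic-ip
   event-action produce-alert|deny-packet-inline
   exit
  exit
 exit
exit
!
! Verify: the pair shows as inline on the sensor, and a ping from a user
! VLAN to a server now produces an alert with the deny action
show interfaces
show statistics virtual-sensor
show events alert
```

Because VLAN 11 and VLAN 14 are bridged by the sensor, the servers keep their existing addresses and gateway; the only thing that changes for them is which VLAN their access port sits in.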

  • Routing between SSIDs

    I have an Aironet 1242AG AP,
    I am interested in creating two different SSIDs with different security levels (e.g. no encryption and WPA2 encryption).
    I am also interested in routing between the two (such that one will function like a "backup" connection, which sees and connects to everything that the other one sees and connects to).
    Can I please get some examples of configuration? And maybe some written guide?

    Creating 2 different SSIDs on one AP with different encryption is only possible if you use VLANs on the switch and AP.

  • Problem of routing between inside and outside on ASA5505

    I have a ASA5505 with mostly factory default configuration. Its license allows only two vlan interfaces (vlan 1 and vlan 2). The default config has interface vlan 1 as inside (security level 100), and interface vlan 2 as outside (security level 0 and using DHCP).
    I only changed interface vlan 1 to IP 10.10.10.1/24. After I plugged a few hosts into vlan 1 ports and connected port Ethernet0/0 (default in vlan 2) to a live network, here are a couple of issues I found:
    a) One host I plugged in is a PC, and another host is a WAAS WAE device. Both are in vlan 1 ports. I hard coded their IPs to 10.10.10.250 and 10.10.10.101, /24 subnet mask, and gateway of 10.10.10.1. I can ping from the PC to the WAE but not from the WAE to the PC, although the WAE has 10.10.10.250 in its ARP table. They are in the same vlan and same subnet, how could that be? Here are the ping output and the WAE ARP table.
    WAE#ping 10.10.10.250
    PING 10.10.10.250 (10.10.10.250) from 10.10.10.101 : 56(84) bytes of data.
    --- 10.10.10.250 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss
    WAE#sh arp
    Protocol Address Flags Hardware Addr Type Interface
    Internet 10.10.10.250 Adj 00:1E:37:84:C9:CE ARPA GigabitEthernet1/0
    Internet 10.10.10.10 Adj 00:14:5E:85:50:01 ARPA GigabitEthernet1/0
    Internet 10.10.10.1 Adj 00:1E:F7:7F:6E:7E ARPA GigabitEthernet1/0
    b) None of the hosts in vlan 1 in 10.10.10.0/24 can ping interface vlan 2 (address in 172.26.18.0/24 obtained via DHCP). But on ASA routing table, it has both 10.10.10.0/24 and 172.26.18.0/24, and also a default route learned via DHCP. Is ASA able to route between vlan 1 and vlan 2? (inside and outside). Any changes I can try?
    Here are ASA routing table and config of vlan 1 and vlan 2 (mostly its default).
    ASA# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route
    Gateway of last resort is 172.26.18.1 to network 0.0.0.0
    C 172.26.18.0 255.255.255.0 is directly connected, outside
    C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
    C 10.10.10.0 255.255.255.0 is directly connected, inside
    d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    All other ports are in vlan 1 by default.

    I should have made the config easier to read. So here is what's on the ASA and the problems I have. The ASA only allows two VLAN interfaces configured (default to Int VLAN 1 - nameif inside, and Int VLAN 2 - nameif outside)
    port 0: in VLAN 2 (outside). DHCP configured. VLAN 2 pulled IP in 172.26.18.0/24, default gateway 172.26.18.1
    port 1-7: in VLAN 1 (inside). VLAN 1 IP is 10.10.10.1. I set all devices IP in VLAN 1 to 10.10.10.0/24, default gateway 10.10.10.1
    I have one PC in port 1 and one WAE device in port 2. PC IP set to 10.10.10.250 and WAE set to 10.10.10.101. PC can ping WAE but WAE can't ping PC. Both can ping default gateway.
    If I can't ping from the inside interface to the outside interface on the ASA, how can I verify inside hosts can get to outside addresses and vice versa? I looked at the ASA docs, but didn't find out how to set the routing between inside and outside. They are both connected interfaces, should they route between each other already?
    Thanks a lot
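    The question above asks whether the ASA "is able to route between vlan 1 and vlan 2" given the routing table it prints. One way to answer that from the table itself is to parse the `show route` output and run the same longest-prefix lookup the firewall does. The following is an added example, not code from the thread or from Cisco; the `SHOW_ROUTE` text is a constructed copy of the route lines quoted in the post, and the function and class names are mine.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed copy of the 'show route' lines quoted in the post (the code
# legend at the top of the real output is omitted; the parser skips it anyway).
SHOW_ROUTE = """\
Gateway of last resort is 172.26.18.1 to network 0.0.0.0
C 172.26.18.0 255.255.255.0 is directly connected, outside
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C 10.10.10.0 255.255.255.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside
"""


class Route(NamedTuple):
    code: str                                   # 'C', 'S', 'd*', ...
    network: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None for connected routes
    interface: str                              # nameif the route points out of


# One ASA route line: <code> <net> <mask> [<ad/metric>] via <nh>|is directly connected, <nameif>
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*]+)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[\d+/\d+\]\s+)?"
    r"(?:via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)|is directly connected),\s+"
    r"(?P<iface>\S+)\s*$"
)


def parse_show_route(text: str) -> List[Route]:
    """Return the route entries found in ASA 'show route' output, ignoring legend lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # 'Codes:' legend, 'Gateway of last resort', blank lines
        network = ipaddress.IPv4Network((m["net"], m["mask"]), strict=False)
        next_hop = ipaddress.IPv4Address(m["nh"]) if m["nh"] else None
        routes.append(Route(m["code"], network, next_hop, m["iface"]))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the entry the ASA would forward a packet to dst with."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def path_between(routes: List[Route], src: str, dst: str) -> str:
    """Describe the ingress/egress interfaces a packet from src to dst would use."""
    src_route, dst_route = lookup(routes, src), lookup(routes, dst)
    if src_route is None or dst_route is None:
        return "no route"
    if src_route.interface == dst_route.interface:
        return f"same interface ({src_route.interface})"
    return f"{src_route.interface} -> {dst_route.interface}"


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    for r in table:
        print(f"{r.code:3} {str(r.network):20} via {r.next_hop or 'connected':14} {r.interface}")
    print(path_between(table, "10.10.10.250", "172.26.18.1"))
    print(path_between(table, "10.10.10.250", "10.10.10.101"))
```

    Run against the quoted table this shows that a packet from the inside PC to anything in 172.26.18.0/24 leaves via `outside`, and to any other address via the DHCP-learned default route, so the routing table is not what blocks the test. The check also makes the PC-to-WAE case visible: both hosts resolve to the same connected network on `inside`, so the firewall is never in the forwarding path between them and the WAE's failed ping has to be explained on the hosts or the switch ports, not by routing.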

  • How to use different Vlans outside another gateway in sg-300 28?

    Dear all,
    How shall I use different VLANs outside another gateway in the SG-300 28?
    Example:
    vlan2 192.168.2.0/24 gateway 192.168.2.1 outside router gateway 192.168.2.254
    vlan3 192.168.3.0/24 gateway 192.168.3.1 outside router gateway 192.168.3.254
    What should I be doing in the SG-300 28?
    thanks.

    Hi Amin,
    Leave the switch in Layer 2 mode.
    Cable VLAN2 to the outside router gateway 192.168.2.254 interface.
    Cable VLAN3 to the outside router gateway 192.168.3.254 interface.
    Excuse the rough diagram.
    Make the port going to the outside router gateway untagged in the VLANs they will be transporting. (I am assuming that the router gateway is not VLAN aware.)
    IP hosts will most likely get DHCP from the router gateway. The IP hosts will then automatically send IP traffic to the router gateway.
    VLAN 1 in my switch could then be the only interface within the switch that has an IP address associated with it, for management purposes.
    I can see from your post that English is not your first language; if you want to speak to someone, you can ask a question by going to:
    www.cisco.com/go/sbsc
    regards Dave

  • Mapping in interconnect between different Business Objects

    I want to know how to do transformation and mapping between different business objects in interconnects.
    Always, we have a very complex SQL when we do integration with Oracle InterConnect. We use the DB Adapter or JDBC Adapter, but the complex SQL has to be executed in the resource DB or the destination DB, which may be a big pressure on them. I think: can we use different Business Objects and do the mappings in InterConnect, so the big pressure will be on the InterConnect server, just like the ETL tools? But I just find that InterConnect can only do transformation and mapping in one Business Object. How can I do this? Has anyone met this problem like me? Thanks for the discussion.

    For me, Business Objects are logical groupings of business processes. For example, we have a Business Object called "Maintain_Employees". Under this we have 1 Procedure (Create_Employee) and 2 Events (Update_Employee and Delete_Employee).
    We have 1 Oracle system interfacing with 23 other legacy systems. Some of these legacy systems will be using this "Maintain_Employees" Business Object (Common View), and our main transformations will be between the Common View and the legacy Application Views.
    We are using a number of techniques to assist in "validating" data in the InterConnect. The main ones are using 'Cross Reference Tables (XREF)' and 'DatabaseOperation' transformations. By using 'Content Based Routing' we are able to send the right message to the right legacy system, and therefore do the right transformation/validation on the message payload. However, this is only a small part of a complex puzzle.
    I also have the "problem" of having "very complex SQL" on our Oracle system too. This is not unusual when using the InterConnect.
    To my mind, the InterConnect does 2 main operations. Firstly, it performs some message transformation (mapping), and secondly, it acts as a transportation engine (routing) using the adapters.
    The remainder of the effort required to create or consume the message resides with the Applications themselves. Whether it is parsing an XML CLOB payload, inserting data into staging tables, writing to log files, pre-processing data, calling API's or something else, your Application side programming and processing overhead can get large.
    The trade off it to ask the question, do I want to be able to track and manage messages from start to finish in high detail? Or can I trust that all message payload data will be consumed with no additional processing on the Application side?
    My experience has shown that the bottleneck is always at the Application side, and almost never in the InterConnect.
    The short answer to your first question is "You are right. Mappings can take place only between Application Views and Common Views only - not between Business Objects.".
    To answer your second question "Probably everyone reading this forum has this problem. The intelligence that is able to really interpret message data, validate it and process it is only found in the Application, not the InterConnect. You could, however, use the Workflow engine within OAI in order to provide additional pre-validation, human interaction and logic, but this too could be complex."
    At my current client, we are architecting an Application OAI Message handling schema. This will contain staging tables, pre-processing tables, "OAI" wrapper PL/SQL scripts, "APPS" wrapper PL/SQL scripts and Message Logging and Exception tables. Ours will be a complex set of PL/SQL processes too.
    I hope this helps, just in letting you know that you are not alone with this problem.
    I wonder if anyone else would like to share how they have architected their InterConnect and Application side mapping and transformation solutions.

  • AP On Different Vlan Than Controller

    I have a 5508 controller at our headquarters and am installing some 3502 APs at a remote branch. Unfortunately, the remote branch has a different VLAN setup for some reason and the VLAN that is used for the WLC (90) is designated for telephony at this branch. Can I put the APs on a different VLAN (10) without having any issues? I will still use DHCP option 43 to point them back to the controller. Below are the configs for the WLC interfaces and what I am proposing for the AP interfaces:
    WLC Config
    interface GigabitEthernet1/1/38
    description WLC01
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 90
    switchport trunk allowed vlan 1,10,50,90,91,390,410-413,610-613,800,810,811
    switchport mode trunk
    channel-group 5 mode on
    interface GigabitEthernet1/1/39
    description WLC01
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 90
    switchport trunk allowed vlan 1,10,50,90,91,390,410-413,610-613,800,810,811
    switchport mode trunk
    channel-group 5 mode on
    interface Port-channel5
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 90
    switchport trunk allowed vlan 1,10,50,90,91,390,410-413,610-613,800,810,811
    switchport mode trunk
    AP Interface Config
    interface GigabitEthernet1/0/1
    description *** Access Point AP001 ***
    switchport access vlan 10
    switchport mode access
    spanning-tree portfast
    Will this work? 

    Hi Pat,
    When deciding to do LOCAL mode or CENTRAL SWITCH mode you need to consider a few items:
    1) NAT -- If there is a NAT between both locations, almost all customers would rather use LOCAL mode. The reason is the ability to access local resources without NAT issues. Remember, the central model has all traffic and IP addressing coming from the main office.
    2) Internet / Main office connection -- If the remote office is on an MPLS, for example, local switching is rarely used, because if you lose the connection with the main office you have bigger issues than having wireless access.
    These are the 2 questions my customers always look at ...
    I hope this helps...
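    The original question in this thread is whether the AP access port in VLAN 10 is carried across the trunk toward the controller, whose native VLAN is 90. That part can be checked mechanically from the two configs quoted in the post: expand the `switchport trunk allowed vlan` list (which mixes single IDs and ranges), then confirm the AP's access VLAN is in it and whether it crosses the trunk tagged or untagged. This is an added example and not code from the thread or from Cisco; `CONFIG` is a constructed excerpt of the quoted Port-channel5 and AP port stanzas, and the function names are mine. It only understands the plain `allowed vlan <list>` form; the `add`/`remove`/`except` variants are deliberately left out.

```python
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the WLC uplink and AP port configs quoted in the post.
CONFIG = """\
interface Port-channel5
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 90
 switchport trunk allowed vlan 1,10,50,90,91,390,410-413,610-613,800,810,811
 switchport mode trunk
interface GigabitEthernet1/0/1
 description *** Access Point AP001 ***
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
"""

ALL_VLANS = set(range(1, 4095))  # IOS default when no 'allowed vlan' list is configured


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,10,410-413' into a set of VLAN IDs."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect the switchport settings of each 'interface' stanza in a running-config excerpt."""
    ifaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = {"mode": None, "access_vlan": 1, "native_vlan": 1, "allowed": set(ALL_VLANS)}
            ifaces[line.split(None, 1)[1]] = current
            continue
        if current is None or not line.startswith(" "):
            continue  # not inside an interface stanza
        cmd = line.strip()
        if cmd.startswith("switchport mode "):
            current["mode"] = cmd.split()[2]
        elif cmd.startswith("switchport access vlan "):
            current["access_vlan"] = int(cmd.split()[3])
        elif cmd.startswith("switchport trunk native vlan "):
            current["native_vlan"] = int(cmd.split()[4])
        elif cmd.startswith("switchport trunk allowed vlan "):
            current["allowed"] = expand_vlan_list(cmd.split(None, 4)[4])
    return ifaces


def check_ap_vlan_on_trunk(ifaces: Dict[str, dict], ap_port: str, trunk_port: str) -> Tuple[int, bool, List[str]]:
    """Return (AP VLAN, crosses trunk tagged?, list of problems) for the L2 leg AP -> trunk."""
    ap, trunk = ifaces[ap_port], ifaces[trunk_port]
    problems: List[str] = []
    if ap["mode"] != "access":
        problems.append(f"{ap_port} is not an access port")
    if trunk["mode"] != "trunk":
        problems.append(f"{trunk_port} is not a trunk")
    vlan = ap["access_vlan"]
    if vlan not in trunk["allowed"]:
        problems.append(f"VLAN {vlan} is pruned from {trunk_port}'s allowed list")
    tagged = vlan != trunk["native_vlan"]
    return vlan, tagged, problems


if __name__ == "__main__":
    ifaces = parse_interfaces(CONFIG)
    vlan, tagged, problems = check_ap_vlan_on_trunk(ifaces, "GigabitEthernet1/0/1", "Port-channel5")
    print(f"AP VLAN {vlan}: {'tagged' if tagged else 'untagged'} on trunk; problems: {problems or 'none'}")
```

    With the quoted configs this reports VLAN 10 as allowed and tagged on Port-channel5 with no problems, so the switch side is consistent. That settles only the Layer 2 leg: the AP still has to reach the controller's management address at Layer 3, which DHCP option 43 names but does not provide a route for, and that is the part Pat's reply about local versus central switching is really about.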
