RV042 VLAN to VLAN access?

I have 2 VLANs set up and I know they are set as default to not allow one to communicate to the other.  Is there a way to set a rule to allow that?  I'd like VLAN1 to be able to access VLAN2, but not the other way around.

The port-based VLAN feature of RV042 does not allow different VLANs to communicate with each other.
To support your scenario, you could try configuring multiple subnets under the Setup>Network page, and then configure Access Rules to restrict the traffic between the multiple subnets.

Similar Messages

  • PC Voice VLAN Access

    Hi all,
    I've just been testing using Cisco IP Phones with the Linksys SRW224P switch (which do not support CDP and automatic voice VLAN assignment). It's all pretty straightforward, however, I found I needed to enable the "PC Voice VLAN Access" setting for the IP phone to get the PC (attached to the phone) communicating on the network. With this setting disabled, the PC cannot communicate on the network, even if the correct data VLAN ID is configured in the "PC VLAN" setting on the phone. This same issue is also replicated if I disable CDP on a Cisco switch and manually configure the voice VLAN ID on the phone.
    Any ideas as to why this is the case? My understanding of the PC Voice VLAN Access setting is that it enables an attached PC to access the voice VLAN (i.e. tag frames with the voice VLAN ID and send on the voice VLAN, and receive frames on the voice VLAN). The traditional port mirroring issues associated with this setting aren't an issue nowadays, as you now have the additional "Span to PC Port" setting to control this.

    Hi Eric,
    Please make sure you are sniffing the correct interface. For example, if you have more than one interface (such as a wireless IP address or VPN connection), select the one you want to sniff. Please check the following link, it shows you how to set up a sniffer capture using Wireshark:
    http://wiki.wireshark.org/CaptureSetup
    Regards,
    Teresa.
    If you find this post helpful, please rate! :)

  • Catalyst 3850, VLAN access map example (VACL, layer 2)

    Hello there:
    Trying to get a simple VLAN access map example working (VACL, layer 2).  Want to allow hosts 10.0.0.2 to SSH to 10.0.0.3 (both in vlan 10), but deny all other connectivity from 10.0.0.2 to 10.0.0.3.
    access-list test permit tcp host 10.0.0.2 host 10.0.0.3 eq 22
    vlan access-map test
       match ip address test
       action forward
    vlan filter test vlan-list 10
    However, 10.0.0.2 cannot see 10.0.0.3 whatsoever, w/ this VACL enabled (connectivity works w/ VACL disabled).
    From what I've read, there is an implicit deny all at the end, if I understand correctly.
    I've played with other variations as well, but without any luck.
    What am I missing here?
    Also, is there a way to debug this using logs or debug statements? Nothing shows up in the logs.
    Thank you.

    Hi,
    You have a problem in that your ACL currently allows the SSH traffic from 10.0.0.2 to 10.0.0.3 but the responses are not allowed to flow back from 10.0.0.3 to 10.0.0.2. That is the most probable reason your VACL does not work as expected.
    This modification should correct the behavior:
    ip access-list extended TestACL
    permit tcp host 10.0.0.2 host 10.0.0.3 eq 22
    permit tcp host 10.0.0.3 eq 22 host 10.0.0.2
    deny ip host 10.0.0.2 host 10.0.0.3
    deny ip host 10.0.0.3 host 10.0.0.2
    permit ip any any
    vlan access-map TestVACL
    match ip address TestACL
    action forward
    vlan filter TestVACL vlan-list 10
    Here, I've made sure that SSH traffic between 10.0.0.2 as a client and 10.0.0.3 as a server is allowed, any other traffic between these two is denied, and every other communication is allowed. Would you mind testing out this modification?
    is there a way to debug this using logs or debug statements? Nothing shows up in the logs.
    None that I know of. This filtering is done in hardware, independently from CPU, so the CPU has no insight into what's going on in the TCAM during packet filtering.
    Best regards,
    Peter

  • Multiple VLAN Access for PC

    I work in a building that has two separate entities, but both work together to accomplish the same goals. The IT admin before me set us up on separate VLANs through many cisco switches. One lady that works here does work for both entities. There are server shares that she needs to be able to access on both VLANs to do her work. The way it is now, she does Company A's work in the morning and then moves to another office to do work for Company B. My question is, can I tag her switch port with both VLANs and then just add a secondary IP to her PC NIC so she is able to access the server shares from both VLANs?

    If you can't ping anything on the other vlan, does that mean each vlan does not route anywhere else, e.g. other vlans or the internet?
    If they do route to other vlans, you may find that there are SVIs for both vlans but they have acls applied, in which case you could just modify the acl.
    Or maybe not.
    It is doable, i.e. servers do this all the time, but as Rick says it depends on whether the PC supports tagging.
    If it does, it is really more a question of how to set that up correctly than a networking issue, i.e. all you need to do on the network side is set up the port on the switch as a trunk allowing both vlans.
    There are however a couple of things to be aware of from the network perspective -
    a) if the vlan does route to other subnets then you only want one default gateway, i.e. the current one. There is no need for another gateway as the PC would be directly connected to the other network anyway, and multiple default gateways can lead to unexpected issues.
    b) you need to make sure you cannot route between vlans on your PC, otherwise this could be a security issue. There is no need for the PC to route between these vlans because it has direct connections to both.
    From memory, when you set up the trunking there is an option to turn off ip forwarding between those subnets.
    Sorry I can't be more specific, but it was a while ago that I last did this.
    Jon

  • Anyconnect Vlan access

    I have an ASA 5505 that we set up a VPN connection to recently. Everything on our internal vlan (120) works fine when using the VPN. However, VPN clients cannot access the Voice vlan (200). I have added the voice network to the ACL list and mapped it to the AnyConnect connection profile. Still a no go. Any ideas? Config below
    interface Vlan2
     nameif outside
     security-level 0
     ip address  255.255.255.252
    banner login WARNING!!! This is a private network device. Authorized access only. Unauthorized access is not allowed and will be logged, proper action will be taken.
    banner motd Don't access this router without proper authorization.
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 75.75.75.75
     name-server 75.75.76.76
     domain-name valleyview.local
    object network obj-10.193.5.248
     subnet 10.193.5.248 255.255.255.248
    object network obj-10.193.5.0
     subnet 10.193.5.0 255.255.255.0
    object network obj-10.193.5.230
     host 10.193.5.230
    object network obj-10.193.5.230-02
     host 10.193.5.230
    object network obj-10.193.5.230-03
     host 10.193.5.230
    object network obj-10.193.5.77
     host 10.193.5.77
    object network obj-10.193.5.77-01
     host 10.193.5.77
    object network obj-10.193.5.230-04
     host 10.193.5.230
    object network obj-10.193.5.230-05
     host 10.193.5.230
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network Exchange
     host 10.193.5.230
    object network VPN_NETWORK
     subnet 192.168.22.0 255.255.255.248
    object network Voice_Network
     subnet 10.200.1.0 255.255.255.0
     description Voice Network
    object network VPN_CLIENTS
     subnet 192.168.22.0 255.255.255.248
    object network NETWORK_OBJ_192.168.22.0_29
     subnet 192.168.22.0 255.255.255.248
    object-group network DM_INLINE_NETWORK_1
     network-object 0.0.0.0 0.0.0.0
     network-object object Voice_Network
    access-list inside_out extended permit ip host 10.193.5.230 any4
    access-list inside_out extended deny tcp 10.193.5.0 255.255.255.0 any4 eq smtp log debugging
    access-list inside_out extended permit ip 10.193.5.0 255.255.255.0 any4
    access-list inside_out extended permit ip object Voice_Network any
    access-list inside_out extended permit ip object VPN_CLIENTS any inactive
    access-list extended extended permit gre any4 host 173.163.35.105
    access-list oustside_in extended permit gre any4 host 173.163.35.105 inactive
    access-list VPNUsers_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any4 10.193.5.248 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 10.193.5.0 255.255.255.0 10.193.5.248 255.255.255.248
    access-list DefaultRAGroup_splitTunnelAcl standard permit any4
    access-list VPN_splitTunnelAcl standard permit any4
    access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
    access-list outside_in extended permit tcp any4 host 10.193.5.230 eq www inactive

    As requested
    Result of the command: "sh run"
    : Saved
    ASA Version 9.1(4) 
    hostname vvnrt0
    domain-name valleyview.local
    enable password  encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd Hex3HvOKW72M49oO encrypted
    names
    ip local pool VPNIPPool 10.193.5.251-10.193.5.254 mask 255.255.255.0
    ip local pool VPN_IP_Pool 192.168.22.1-192.168.22.6 mask 255.255.255.248
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.193.5.193 255.255.255.0 
    interface Vlan2
     nameif outside
     security-level 0
     ip address  255.255.255.252 
    banner login WARNING!!! This is a private network device. Authorized access only. Unauthorized access is not allowed and will be logged, proper action will be taken.
    banner motd Don't access this router without proper authorization.
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 75.75.75.75
     name-server 75.75.76.76
     domain-name valleyview.local
    object network obj-10.193.5.248
     subnet 10.193.5.248 255.255.255.248
    object network obj-10.193.5.0
     subnet 10.193.5.0 255.255.255.0
    object network obj-10.193.5.230
     host 10.193.5.230
    object network obj-10.193.5.230-02
     host 10.193.5.230
    object network obj-10.193.5.230-03
     host 10.193.5.230
    object network obj-10.193.5.77
     host 10.193.5.77
    object network obj-10.193.5.77-01
     host 10.193.5.77
    object network obj-10.193.5.230-04
     host 10.193.5.230
    object network obj-10.193.5.230-05
     host 10.193.5.230
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network Exchange
     host 10.193.5.230
    object network VPN_NETWORK
     subnet 192.168.22.0 255.255.255.248
    object network Voice_Network
     subnet 10.200.1.0 255.255.255.0
     description Voice Network
    object network VPN_CLIENTS
     subnet 192.168.22.0 255.255.255.248
    object network NETWORK_OBJ_192.168.22.0_29
     subnet 192.168.22.0 255.255.255.248
    object-group network DM_INLINE_NETWORK_1
     network-object 0.0.0.0 0.0.0.0
     network-object object Voice_Network
    access-list inside_out extended permit ip host 10.193.5.230 any4 
    access-list inside_out extended deny tcp 10.193.5.0 255.255.255.0 any4 eq smtp log debugging 
    access-list inside_out extended permit ip 10.193.5.0 255.255.255.0 any4 
    access-list inside_out extended permit ip object Voice_Network any 
    access-list inside_out extended permit ip object VPN_CLIENTS any inactive 
    access-list extended extended permit gre any4 host 173.163.35.105 
    access-list oustside_in extended permit gre any4 host 173.163.35.105 inactive 
    access-list VPNUsers_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0 
    access-list inside_nat0_outbound extended permit ip any4 10.193.5.248 255.255.255.248 
    access-list inside_nat0_outbound extended permit ip 10.193.5.0 255.255.255.0 10.193.5.248 255.255.255.248 
    access-list DefaultRAGroup_splitTunnelAcl standard permit any4 
    access-list VPN_splitTunnelAcl standard permit any4 
    access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0 
    access-list outside_in extended permit tcp any4 host 10.193.5.230 eq www inactive 
    access-list outside_in extended permit tcp any4 host 10.193.5.230 eq https inactive 
    access-list outside_in extended permit tcp any4 host 10.193.5.230 eq 987 inactive 
    access-list outside_in extended permit tcp any4 host 10.193.5.230 eq 4125 inactive 
    access-list outside_in extended permit tcp any4 host 10.193.5.77 eq 8081 inactive 
    access-list outside_in extended permit tcp any4 host 10.193.5.77 eq 1099 inactive 
    access-list outside_in extended permit tcp any4 host 10.193.5.230 eq smtp inactive 
    access-list outside_in extended permit ip any object Voice_Network 
    access-list outside_in extended permit ip object VPN_CLIENTS 10.200.1.0 255.255.255.0 inactive 
    access-list All_VPN_Access extended permit ip object NETWORK_OBJ_192.168.22.0_29 object Voice_Network 
    access-list All_VPN_Access extended permit ip any object Voice_Network 
    access-list All_VPN_Access extended permit ip any any 
    access-list global_access extended permit ip object Voice_Network any 
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,any) source static any any destination static obj-10.193.5.248 obj-10.193.5.248 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.193.5.0 obj-10.193.5.0 destination static obj-10.193.5.248 obj-10.193.5.248 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.22.0_29 NETWORK_OBJ_192.168.22.0_29 no-proxy-arp route-lookup
    nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.22.0_29 NETWORK_OBJ_192.168.22.0_29 no-proxy-arp route-lookup
    object network obj-10.193.5.230-02
     nat (inside,outside) static interface service tcp 4125 4125 
    object network obj-10.193.5.230-03
     nat (inside,outside) static interface service tcp 987 987 
    object network obj-10.193.5.77
     nat (inside,outside) static interface service tcp 1099 1099 
    object network obj-10.193.5.77-01
     nat (inside,outside) static interface service tcp 8081 8081 
    object network obj-10.193.5.230-04
     nat (inside,outside) static interface service tcp smtp smtp 
    object network obj-10.193.5.230-05
     nat (inside,outside) static interface service tcp pptp pptp 
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_out in interface inside
    access-group outside_in in interface outside
    access-group global_access global
    route outside 0.0.0.0 0.0.0.0 173.163.35.106 1 
    route inside 10.200.1.0 255.255.255.0 10.193.5.1 1 
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server VPNUGRP protocol ldap
    aaa-server VPNUGRP (outside) host 10.193.5.230
     timeout 5
     server-type auto-detect
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL 
    aaa authentication http console LOCAL 
    http server enable
    http 10.193.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 10.193.5.0 255.255.255.0 inside
    telnet timeout 30
    ssh 10.193.5.0 255.255.255.0 inside
    ssh  255.255.255.255 outside
    ssh timeout 5
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd dns 75.75.75.75 75.75.76.76
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value 10.193.5.230
     vpn-tunnel-protocol ikev1 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vvn-vpn_splitTunnelAcl
     default-domain value valleyview.local
     address-pools value VPN_IP_Pool
    group-policy DfltGrpPolicy attributes
     dns-server value 10.193.5.230
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vvn-vpn_splitTunnelAcl
     address-pools value VPN_IP_Pool
    group-policy GroupPolicy_Valley_View_VPN internal
    group-policy GroupPolicy_Valley_View_VPN attributes
     wins-server none
     dns-server value 10.193.5.230 75.75.75.75
     vpn-tunnel-protocol ssl-client ssl-clientless
     default-domain value valleyview.local
     split-dns value valleyview.local
     address-pools value VPN_IP_Pool
    username bcleary password  encrypted privilege 15
    username bcleary attributes
     vpn-group-policy DfltGrpPolicy
    username test password  encrypted
    username morefieldcomm password encrypted
    username Vendor password  encrypted privilege 0
    username Vendor attributes
     vpn-group-policy DfltGrpPolicy
    username swthomas password  encrypted
    username compugen password  encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
     address-pool VPNIPPool
     default-group-policy GroupPolicy_Valley_View_VPN
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group DefaultWEBVPNGroup general-attributes
     default-group-policy GroupPolicy_Valley_View_VPN
    tunnel-group Valley_View_VPN type remote-access
    tunnel-group Valley_View_VPN general-attributes
     address-pool VPN_IP_Pool
     default-group-policy GroupPolicy_Valley_View_VPN
    tunnel-group Valley_View_VPN webvpn-attributes
     group-alias Valley_View_VPN enable
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect sqlnet 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
      inspect ip-options 
    service-policy global_policy global
    smtp-server 10.193.5.230
    prompt hostname context 
    no call-home reporting anonymous
    Cryptochecksum:
    : end

  • Add Vlan access

    I was able to do this before but forgot what the command is to do it.
    I don't make changes to the switches often so I forget the commands I don't use regularly.
    We have a catalyst 4500 Level 3 switch as our main switch. It has all the vlans and everything already set.
    That is connected to a few other switches via fiber, 2960-G switches.
    We have one switch upstairs for vlan 2 access
    We have one switch downstairs for Vlan 1 access
    The Vlan addresses are given out via a DHCP server.
    Can someone provide me the process/commands to add Vlan2 to the downstairs switch so one of the ports can get a Vlan 2 address?
    I want to say it is trunk or something but I tried and failed.
    Thanks

    Thanks, I do remember doing something like that before.
    I also remember needing to add all the vlans that need to go through the switch or I have issues :)
    I want to confirm switchport trunk allowed vlan add 2 at the interface layer, correct?

  • Wlc 5508 management interface vlan - access point vlan

    Is it required that the access points are in the same vlan as the management interface on a wlc 5508?

    There is a story behind this .. Just yesterday my guy was like "APs won't join" .. I let him hammer away at it .. It was the check box
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • 2106 wlc different vlan accessibility

    I have one 2106 WLC and six 1131AG LAPs that are going to be placed in three vlans. All three vlans are created and configured on a 3550G switch.
    I created two additional virtual interfaces on the WLC, tagged them with the appropriate vlan number and connected the port with the untagged vlan identifier to a dot1q enabled trunk port on the 3550 switch. That is,
    man int - untagged, port 1
    vlan2, tagged -2, port 2,3
    vlan3, tagged -3, port 4,5
    vlan4, tagged - 3, port 6
    and port 1 is connected to a trunk port on the 3550G switch with dot1q.
    I am not able to reach the created vlan interfaces on the WLC!?
    Kindly help?

    jeff.velten, wouldn't that break the very use of the WLC? documents I referred from cisco recommend to connect the WLC to a trunked port. Like here: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml
    So how are the vlan tags from the wlc not passed on to the trunk port? Is there something I missed, somewhere?

  • Vlan Accessing

    Hi All,
    I can ping successfully to another PC in the same vlan (192.168.168.10, 192.168.168.12, 192.168.168.13), but can't ping either the management vlan (192.168.168.2) or the router (192.168.168.1). What needs setting to allow vlan3 PCs to do this? This is not an intended design or anything, just playing around etc. Also, vlan2 seems down (act/lshut). Cheers.
    coolboarderguy...
    vlan2
    Cool#sh vlan
    VLAN Name               Status    Ports
    1    default            active    Fa0/5, Fa0/6, Fa0/7
    2    highdruid          act/lshut Fa0/1, Fa0/2, Fa0/3, Fa0/4
    3    slick              active    Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12
    1002 fddi-default       active
    1003 token-ring-default active
    1004 fddinet-default    active
    1005 trnet-default      active
    VLAN Type  SAID   MTU  Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    1    enet  100001 1500 -      -      -        -    -        0      0
    2    enet  100002 1500 -      -      -        -    -        0      0
    3    enet  100003 1500 -      -      -        -    -        0      0
    1002 fddi  101002 1500 -      -      -        -    -        0      0
    1003 tr    101003 1500 -      -      -        -    -        0      0
    1004 fdnet 101004 1500 -      -      -        ieee -        0      0
    1005 trnet 101005 1500 -      -      -        ibm  -        0      0

    Hi coolboarderguy,
    Here you go with the solution... You only need to have trunks if you want more than one vlan to pass between the switches, or between switch and router, or between switch and server, which can be configured for trunking.
    Now your router is on vlan 1, which is a bad design because you have workstations in vlan 3 and the router in vlan 1, which at layer 2 are in different logical domains, but considering layer 3 you have the same subnet for 2 different vlans.
    If it is in the same subnet in which your workstations are, then it should be in vlan 3.
    But in case you want your router to be in a different vlan and different subnet, then you need to have a trunk between the switch and the router and create sub-interfaces on the router and give encapsulation on the subinterfaces. This will enable inter-vlan routing to have communication between different vlans.
    HTH
    Ankur

  • RV042 issue remote management access

    Installed on two RV042 links with adsl load balance, everything works fine, except that an error occurs during a time I can access the remote management via Web RV042 both the LAN and the WAN, only after a while when accessing the page appears to login, but when you enter your username and password the browser is trying to give an error, the connection to the internet works normal again and I can only access the remote management to disconnect and reconnect the RV042, but updated the firmware the error continues, my RV042 is:
    RV042 V03
    Firmware v4.1.1.01-sp
    I changed the default https port (443), to other ports but the error continues, someone had this problem?
    André Szytko

    Hi there,
    I can use Google Translate to try to understand your post, but I think it's better for you to explain in English, mate.
    Regards,

  • Securing Vlans by access lists

    Hi,
    I have configured some vlans using a Cisco Catalyst 2950 switch and a Cisco 2611 XM router. I configured the router for inter-vlan routing with encapsulation 802.1q and all is running well. Now I have started introducing some access policies between vlans by the use of ACLs, but it seems to me I am not clear on the packet filtering mechanism (e.g. inbound versus outbound packets, etc.). I succeeded in stopping access between 2 vlans in both directions, but I don't know the best way to permit traffic from vlan1 to vlan2 while stopping traffic from vlan2 to vlan1.
    Help me please!

    check out the following link for information on Securing Networks with Private VLANs and VLAN Access Control Lists :
    http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

  • Muti-vlan network need to access a common networked server

    Hi all,
    I have a flat network (6500 core with 2950 accesses) consisting of multiple vlans. How do I allow devices on various vlans access to a common server they all interact with?
    Thanks

    Thanks for the reply Nick. What do you think about this as a possible solution:
    Dedicate a 2950 switch to connect the server and do not configure any VLANs on it. Connect the server directly to this switch and then make connections from this switch to an access port on the existing network for each VLAN which requires server connectivity.
    The server connection to the switch would be configured as "unprotected" (switchport protected) while each port connecting to a VLANed access switch port would be configured "protected". Protected ports do not communicate with each other. The server would be able to communicate with each of the protected ports patched to a VLANed access port, but these protected ports would not be able to communicate with each other, thus maintaining VLAN isolation.
    Would this work?

  • Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

    Hi Guys,
    I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credentials -> RADIUS authentication -> assign him to a specific vlan based on his group membership.
    The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the RADIUS server, but I am not sure how to configure the AP's port, radio port, vlan and SSID.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    I go through some references:
    3.5  RADIUS-Based VLAN Access Control
    As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
    There are two different ways to implement RADIUS-based VLAN access control features:
    1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
    2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
    extract from: Wireless Virtual LAN Deployment Guide
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    ==============================================================
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    ==============================================================
    Controller: Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    Any help on this issue is appreciated.
    Thanks.

    I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
    I did a little research and it looks like the 1300 may offer this option, but there it is called "VLAN Override". I've found the release notes for 12.3(7)JA5 (not sure what version you're running) which mention it and link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
    Hope this helps
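    The "RADIUS-based VLAN assignment" option above works by returning three tunnel attributes in the Access-Accept; the access point then uses that VLAN instead of the SSID's default. The block below is an added example (not from the page, Cisco, or any RADIUS server) that builds those attributes per RFC 3580 / RFC 2868 and decodes them the way an AP or switch would, including the optional tag octet and the fallback to the SSID default when the attributes are missing or inconsistent. The attribute numbers and values are the standard ones; the VLAN IDs and the `resolve_vlan` function name are illustrative.

```python
"""RADIUS dynamic VLAN assignment: build the Access-Accept attributes a RADIUS
server returns (RFC 3580 section 3.31, tagged per RFC 2868) and decode them the
way an access point or switch would, falling back to the SSID's default VLAN.
Added example, not code from the page, Cisco, or any RADIUS server. Assumes
the stock RADIUS attribute layout: Type(1) Length(1, incl. header) Value."""
import struct

TUNNEL_TYPE = 64              # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13         # RFC 3580: Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6    # RFC 2868: Tunnel-Medium-Type "IEEE-802"


def _attr(atype, value):
    """RADIUS attribute TLV: Type(1) Length(1, incl. header) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vlan_assignment_attrs(vlan_id, tag=0):
    """Attributes placing the authenticated user in vlan_id (tag 0 = untagged)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    # Tagged integer attributes: tag octet followed by a 3-octet value.
    tunnel_type = bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    medium = bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    # Tagged string attribute: tag octet followed by the VLAN ID as ASCII digits.
    group = bytes([tag]) + str(vlan_id).encode("ascii")
    return (_attr(TUNNEL_TYPE, tunnel_type)
            + _attr(TUNNEL_MEDIUM_TYPE, medium)
            + _attr(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_attrs(data):
    """Split a RADIUS attribute blob into (type, value) pairs; reject truncation."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 3 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def _split_tag(value):
    """RFC 2868: a leading octet 0x00..0x1F is a tag; anything larger is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def resolve_vlan(attr_blob, ssid_default_vlan):
    """VLAN the AP should use for this session.

    The RADIUS-assigned VLAN is used only when Tunnel-Type=VLAN and
    Tunnel-Medium-Type=IEEE-802 share a tag with a numeric, in-range
    Tunnel-Private-Group-ID (a VLAN name would need a local lookup and is
    treated as unresolved here). Otherwise the SSID's default VLAN applies,
    which is the static SSID-to-VLAN mapping the page describes.
    """
    by_tag = {}
    for atype, value in parse_attrs(attr_blob):
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, body = _split_tag(value)
        entry = by_tag.setdefault(tag, {})
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            entry[atype] = body.decode("ascii", "replace")
        elif len(body) == 3:
            entry[atype] = int.from_bytes(body, "big")
    for tag in sorted(by_tag):            # lowest tag = preferred tunnel
        e = by_tag[tag]
        gid = e.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (e.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and e.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and gid.isdigit() and 1 <= int(gid) <= 4094):
            return int(gid)
    return ssid_default_vlan


if __name__ == "__main__":
    accept = vlan_assignment_attrs(20)
    print(accept.hex())
    print(resolve_vlan(accept, ssid_default_vlan=10))   # 20: RADIUS overrides the SSID default
    print(resolve_vlan(b"", ssid_default_vlan=10))      # 10: nothing assigned, SSID default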

  • VLAN Map issue

    I have an issue with a VLAN map I am attempting to use to filter traffic. It is a flat Layer 2 LAN so all hosts are in VLAN 1. I have a number of test machines that I want to deny access to live database servers. To do this I tried the following:
    ! test boxes -> database servers (addresses elided in the post)
    ip access-list extended testboxes
     permit ip host x.x.x.x host x.x.x.x
    !
    ! single map entry: drop what testboxes permits
    vlan access-map denytest 10
     match ip address testboxes
     action drop
    !
    ! apply the map to VLAN 1
    vlan filter denytest vlan-list 1
    Once I apply the VLAN map I lose all connectivity to the switch. Is there something I am missing here?
    Thanks
    Ian

    Unlike regular IOS standard or extended ACLs, which are configured on router interfaces only and are applied to routed packets only, VACLs apply to all packets and can be applied to any VLAN. If a VACL is configured for certain traffic and that traffic does not match the VACL, the default action is deny. Additionally, VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry and at least one ACL is configured for the packet type. Add an additional permit statement allowing telnet, SSH or web traffic to the switch:
    permit tcp host X.X.X.X host X.X.X.X eq telnet
    Best Regards
    Francisco
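    The implicit deny described in the reply above is easy to reason about with a small model. The block below is an added example (not IOS code, not from the thread, and not a full model of the switch) that evaluates a VLAN access-map the way Catalyst VACLs do: entries are tried in sequence order, an entry matches when its ACL permits the packet, an entry with no match clause matches everything, and a packet that matches no entry is dropped. It compares the shape of the map in the question with a map that ends in an explicit forward entry, and with the equivalent single forward entry whose ACL uses a deny ACE. All addresses and ports are constructed sample values.

```python
"""Model of Catalyst VLAN access-map (VACL) evaluation, written to show why a
map with only a drop entry cuts off management traffic to the switch and what
an explicit forward entry changes. Added example: not IOS code and not a full
model of the switch; the hosts and ports below are constructed values."""
from ipaddress import ip_address, ip_network


def ace(action, proto, src, dst, dport=None):
    """One access-control entry: (permit?, proto, src net, dst net, dst port)."""
    return (action == "permit", proto, ip_network(src), ip_network(dst), dport)


def ace_matches(entry, pkt):
    _, proto, src, dst, dport = entry
    return ((proto == "ip" or proto == pkt["proto"])
            and ip_address(pkt["src"]) in src
            and ip_address(pkt["dst"]) in dst
            and (dport is None or dport == pkt.get("dport")))


def acl_permits(acl, pkt):
    """First matching ACE decides; no match means not permitted. Inside a VACL
    a 'deny' ACE only means 'this map entry does not match the packet'."""
    for entry in acl:
        if ace_matches(entry, pkt):
            return entry[0]
    return False


def vacl_decision(access_map, pkt):
    """access_map: list of (seq, acl or None, action). An entry without a match
    clause matches every packet. If no entry matches, the packet is dropped
    (the implicit deny at the end of the map) as long as the map carries at
    least one ACL for this packet type; every packet in this model is IP."""
    for _, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, pkt):
            return action
    return "drop" if any(acl for _, acl, _ in access_map) else "forward"


# Constructed sample addresses (not from the thread).
TESTBOX, DBSERVER, SWITCH, ADMIN = "10.1.1.50", "10.1.1.10", "10.1.1.1", "10.1.1.20"

testboxes = [ace("permit", "ip", TESTBOX + "/32", DBSERVER + "/32")]

# Shape of the map in the question: a single entry that drops what testboxes
# permits. Everything else matches no entry and hits the implicit deny.
posted_map = [(10, testboxes, "drop")]

# Same drop entry plus a final entry with no match clause that forwards
# everything else, including SSH to the switch's management address.
corrected_map = [(10, testboxes, "drop"), (20, None, "forward")]

# The same policy written the other way round: one forward entry whose ACL
# denies the test-box flow. The 'deny' does not drop by itself; it leaves the
# packet unmatched, so the implicit deny at the end of the map drops it.
alt_map = [(10, [ace("deny", "ip", TESTBOX + "/32", DBSERVER + "/32"),
                 ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")], "forward")]


def decisions(access_map):
    """Decision for three constructed flows on VLAN 1."""
    flows = {
        "testbox->db":   {"proto": "tcp", "src": TESTBOX, "dst": DBSERVER, "dport": 1433},
        "admin->switch": {"proto": "tcp", "src": ADMIN, "dst": SWITCH, "dport": 22},
        "admin->db":     {"proto": "tcp", "src": ADMIN, "dst": DBSERVER, "dport": 1433},
    }
    return {name: vacl_decision(access_map, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, amap in (("posted", posted_map), ("corrected", corrected_map), ("alt", alt_map)):
        print(name, decisions(amap))
```

    With `posted_map` all three flows come back as drop, which is the lost connectivity described in the question; `corrected_map` and `alt_map` drop only the test-box-to-database flow.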

  • Best Practices to separate voice and Data vlans

    Hello all,
    I am coming to the community to get some advice on a specific subject.
    One of my customers is currently using VLAN access lists to isolate its data VLAN traffic from its voice VLAN traffic.
    As most of us know, VLAN ACLs are very difficult to deploy and manage at an access-port level that is highly mobile. Because of these management issues they have been looking for a replacement solution consisting of firewalls, but apparently the price of that solution was sky high.
    Can someone guide me towards security best practices when it comes to data and voice VLAN traffic isolation, please?
    thanks
    Regards
    T.

    thomas.fayet wrote:
    Hi again Collin, may I ask you what type of FW / switches / IOS version you are using for this topology? Also, is the media traffic going through your FW if one voice VLAN wants to talk to another voice VLAN? Rgds
    Access Switches: 3560
    Distro: 4500 or 6500
    FW: ASA5510 or Juniper SSG 140 (phasing out the Junipers)
    It depends. In the drawing above, no voice traffic would leave the voice enclave until it talks to a remote site. If we add other sites to the drawing, at a minimum call-sig would traverse the firewall and depending on the location of the callers, all voice traffic may cross the firewall. All of that depends on how you have your call managers/vm/voice gateways designed and where the callers are.
