RV042 VLAN to VLAN access?
I have 2 VLANs set up and I know they are set as default to not allow one to communicate to the other. Is there a way to set a rule to allow that? I'd like VLAN1 to be able to access VLAN2, but not the other way around.
The port-based VLAN feature of RV042 does not allow different VLANs to communicate with each other.
To support your scenario, you could try configuring multiple subnets under the Setup>Network page, and then configure Access Rules to restrict the traffic between the multiple subnets.
Similar Messages
-
Hi all,
I've just been testing using Cisco IP Phones with the Linksys SRW224P switch (which do not support CDP and automatic voice VLAN assignment). It's all pretty straightforward, however, I found I needed to enable the "PC Voice VLAN Access" setting for the IP phone to get the PC (attached to the phone) communicating on the network. With this setting disabled, the PC cannot communicate on the network, even if the correct data VLAN ID is configured in the "PC VLAN" setting on the phone. This same issue is also replicated if I disable CDP on a Cisco switch and manually configure the voice VLAN ID on the phone.
Any ideas as to why this is the case? My understanding of the PC Voice VLAN Access setting is that it enables an attached PC to access the voice VLAN (i.e. tag frames with the voice VLAN ID and send on the voice VLAN, and receive frames on the voice VLAN). The traditional port mirroring issues associated with this setting aren't an issue nowadays, as you now have the additional "Span to PC Port" setting to control this.
Hi Eric,
Please make sure you are sniffing the correct interface. For example, if you have more than one interface (such as a wireless IP address or VPN
connection) select the one you want to sniff. Please check the following link, it shows you how to set up a sniffer capture using wireshark:
http://wiki.wireshark.org/CaptureSetup
Regards,
Teresa.
If you find this post helpful, please rate! :) -
Catalyst 3850, VLAN access map example (VACL, layer 2)
Hello there:
Trying to get a simple VLAN access map example working (VACL, layer 2). Want to allow hosts 10.0.0.2 to SSH to 10.0.0.3 (both in vlan 10), but deny all other connectivity from 10.0.0.2 to 10.0.0.3.
access-list test permit tcp host 10.0.0.2 host 10.0.0.3 eq 22
vlan access-map test
match ip address test
action forward
vlan filter test vlan-list 10
However, 10.0.0.2 cannot see 10.0.0.3 whatsoever, w/ this VACL enabled (connectivity works w/ VACL disabled).
From what I've read, there is an implicit deny all at the end, if I understand correctly.
I've played with other variations as well, but without any luck.
What am I missing here?
Also, is there a way to debug this using logs or debug statements? Nothing shows up in the logs.
Thank you.
Hi,
You have a problem in that your ACL currently allows the SSH traffic from 10.0.0.2 to 10.0.0.3 but the responses are not allowed to flow back from 10.0.0.3 to 10.0.0.2. That is the most probable reason your VACL does not work as expected.
This modification should correct the behavior:
ip access-list extended TestACL
permit tcp host 10.0.0.2 host 10.0.0.3 eq 22
permit tcp host 10.0.0.3 eq 22 host 10.0.0.2
deny ip host 10.0.0.2 host 10.0.0.3
deny ip host 10.0.0.3 host 10.0.0.2
permit ip any any
vlan access-map TestVACL
match ip address TestACL
action forward
vlan filter TestVACL vlan-list 10
Here, I've made sure that SSH traffic between 10.0.0.2 as a client and 10.0.0.3 as a server is allowed, any other traffic between these two is denied, and every other communication is allowed. Would you mind testing out this modification?
is there a way to debug this using logs or debug statements? Nothing shows up in the logs.
None that I know of. This filtering is done in hardware, independently from CPU, so the CPU has no insight into what's going on in the TCAM during packet filtering.
Best regards,
Peter -
I work in a building that has two separate entities, but both work together to accomplish the same goals. The IT admin before me set us up on separate VLANs through many Cisco switches. One lady that works here does work for both entities. There are server shares that she needs to be able to access on both VLANs to do her work. The way it is now, she does Company A's work in the morning and then moves to another office to do work for Company B. My question is, can I tag her switch port with both VLANs and then just add a secondary IP to her PC NIC so she is able to access the server shares from both VLANs?
If you can't ping anything on the other VLAN, does that mean each VLAN does not route to anywhere else, e.g. other VLANs or the internet?
If they do route to other VLANs you may find that there are SVIs for both VLANs but they have ACLs applied, in which case you could just modify the ACL.
Or maybe not.
It is doable, i.e. servers do this all the time, but as Rick says it depends on whether the PC supports tagging.
If it does, it is really more a question of how to set that up correctly than a networking issue, i.e. all you need to do on the network side is set up the port on the switch as a trunk allowing both VLANs.
There are, however, a couple of things to be aware of from the network perspective:
a) if the VLAN does route to other subnets then you only want one default gateway, i.e. the current one. There is no need for another gateway, as the PC would be directly connected to the other network anyway, and multiple default gateways can lead to unexpected issues.
b) you need to make sure you cannot route between VLANs on your PC, otherwise this could be a security issue. There is no need for the PC to route between these VLANs because it has direct connections to both.
From memory, when you set up the trunking there is an option to turn off IP forwarding between those subnets.
Sorry I can't be more specific, but it was a while ago that I last did this.
Jon -
I have an ASA 5505 that we set up a VPN connection to recently. Everything on our internal VLAN (120) works fine when using the VPN. However, VPN clients cannot access the voice VLAN (200). I have added the voice network to the ACL list and mapped it to the AnyConnect connection profile. Still a no go. Any ideas? Config below:
interface Vlan2
nameif outside
security-level 0
ip address 255.255.255.252
banner login WARNING!!! This is a private network device. Authorized access only. Unauthorized access is not allowed and will be logged, proper action will be taken.
banner motd Don't access this router without proper authorization.
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 75.75.76.76
domain-name valleyview.local
object network obj-10.193.5.248
subnet 10.193.5.248 255.255.255.248
object network obj-10.193.5.0
subnet 10.193.5.0 255.255.255.0
object network obj-10.193.5.230
host 10.193.5.230
object network obj-10.193.5.230-02
host 10.193.5.230
object network obj-10.193.5.230-03
host 10.193.5.230
object network obj-10.193.5.77
host 10.193.5.77
object network obj-10.193.5.77-01
host 10.193.5.77
object network obj-10.193.5.230-04
host 10.193.5.230
object network obj-10.193.5.230-05
host 10.193.5.230
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Exchange
host 10.193.5.230
object network VPN_NETWORK
subnet 192.168.22.0 255.255.255.248
object network Voice_Network
subnet 10.200.1.0 255.255.255.0
description Voice Network
object network VPN_CLIENTS
subnet 192.168.22.0 255.255.255.248
object network NETWORK_OBJ_192.168.22.0_29
subnet 192.168.22.0 255.255.255.248
object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object object Voice_Network
access-list inside_out extended permit ip host 10.193.5.230 any4
access-list inside_out extended deny tcp 10.193.5.0 255.255.255.0 any4 eq smtp log debugging
access-list inside_out extended permit ip 10.193.5.0 255.255.255.0 any4
access-list inside_out extended permit ip object Voice_Network any
access-list inside_out extended permit ip object VPN_CLIENTS any inactive
access-list extended extended permit gre any4 host 173.163.35.105
access-list oustside_in extended permit gre any4 host 173.163.35.105 inactive
access-list VPNUsers_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any4 10.193.5.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.193.5.0 255.255.255.0 10.193.5.248 255.255.255.248
access-list DefaultRAGroup_splitTunnelAcl standard permit any4
access-list VPN_splitTunnelAcl standard permit any4
access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq www inactive
As requested.
Result of the command: "sh run"
: Saved
ASA Version 9.1(4)
hostname vvnrt0
domain-name valleyview.local
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd Hex3HvOKW72M49oO encrypted
names
ip local pool VPNIPPool 10.193.5.251-10.193.5.254 mask 255.255.255.0
ip local pool VPN_IP_Pool 192.168.22.1-192.168.22.6 mask 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.193.5.193 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 255.255.255.252
banner login WARNING!!! This is a private network device. Authorized access only. Unauthorized access is not allowed and will be logged, proper action will be taken.
banner motd Don't access this router without proper authorization.
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 75.75.76.76
domain-name valleyview.local
object network obj-10.193.5.248
subnet 10.193.5.248 255.255.255.248
object network obj-10.193.5.0
subnet 10.193.5.0 255.255.255.0
object network obj-10.193.5.230
host 10.193.5.230
object network obj-10.193.5.230-02
host 10.193.5.230
object network obj-10.193.5.230-03
host 10.193.5.230
object network obj-10.193.5.77
host 10.193.5.77
object network obj-10.193.5.77-01
host 10.193.5.77
object network obj-10.193.5.230-04
host 10.193.5.230
object network obj-10.193.5.230-05
host 10.193.5.230
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Exchange
host 10.193.5.230
object network VPN_NETWORK
subnet 192.168.22.0 255.255.255.248
object network Voice_Network
subnet 10.200.1.0 255.255.255.0
description Voice Network
object network VPN_CLIENTS
subnet 192.168.22.0 255.255.255.248
object network NETWORK_OBJ_192.168.22.0_29
subnet 192.168.22.0 255.255.255.248
object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object object Voice_Network
access-list inside_out extended permit ip host 10.193.5.230 any4
access-list inside_out extended deny tcp 10.193.5.0 255.255.255.0 any4 eq smtp log debugging
access-list inside_out extended permit ip 10.193.5.0 255.255.255.0 any4
access-list inside_out extended permit ip object Voice_Network any
access-list inside_out extended permit ip object VPN_CLIENTS any inactive
access-list extended extended permit gre any4 host 173.163.35.105
access-list oustside_in extended permit gre any4 host 173.163.35.105 inactive
access-list VPNUsers_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any4 10.193.5.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.193.5.0 255.255.255.0 10.193.5.248 255.255.255.248
access-list DefaultRAGroup_splitTunnelAcl standard permit any4
access-list VPN_splitTunnelAcl standard permit any4
access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq www inactive
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq https inactive
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq 987 inactive
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq 4125 inactive
access-list outside_in extended permit tcp any4 host 10.193.5.77 eq 8081 inactive
access-list outside_in extended permit tcp any4 host 10.193.5.77 eq 1099 inactive
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq smtp inactive
access-list outside_in extended permit ip any object Voice_Network
access-list outside_in extended permit ip object VPN_CLIENTS 10.200.1.0 255.255.255.0 inactive
access-list All_VPN_Access extended permit ip object NETWORK_OBJ_192.168.22.0_29 object Voice_Network
access-list All_VPN_Access extended permit ip any object Voice_Network
access-list All_VPN_Access extended permit ip any any
access-list global_access extended permit ip object Voice_Network any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static any any destination static obj-10.193.5.248 obj-10.193.5.248 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.193.5.0 obj-10.193.5.0 destination static obj-10.193.5.248 obj-10.193.5.248 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.22.0_29 NETWORK_OBJ_192.168.22.0_29 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.22.0_29 NETWORK_OBJ_192.168.22.0_29 no-proxy-arp route-lookup
object network obj-10.193.5.230-02
nat (inside,outside) static interface service tcp 4125 4125
object network obj-10.193.5.230-03
nat (inside,outside) static interface service tcp 987 987
object network obj-10.193.5.77
nat (inside,outside) static interface service tcp 1099 1099
object network obj-10.193.5.77-01
nat (inside,outside) static interface service tcp 8081 8081
object network obj-10.193.5.230-04
nat (inside,outside) static interface service tcp smtp smtp
object network obj-10.193.5.230-05
nat (inside,outside) static interface service tcp pptp pptp
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 173.163.35.106 1
route inside 10.200.1.0 255.255.255.0 10.193.5.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPNUGRP protocol ldap
aaa-server VPNUGRP (outside) host 10.193.5.230
timeout 5
server-type auto-detect
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.193.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.193.5.0 255.255.255.0 inside
telnet timeout 30
ssh 10.193.5.0 255.255.255.0 inside
ssh 255.255.255.255 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.193.5.230
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vvn-vpn_splitTunnelAcl
default-domain value valleyview.local
address-pools value VPN_IP_Pool
group-policy DfltGrpPolicy attributes
dns-server value 10.193.5.230
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vvn-vpn_splitTunnelAcl
address-pools value VPN_IP_Pool
group-policy GroupPolicy_Valley_View_VPN internal
group-policy GroupPolicy_Valley_View_VPN attributes
wins-server none
dns-server value 10.193.5.230 75.75.75.75
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value valleyview.local
split-dns value valleyview.local
address-pools value VPN_IP_Pool
username bcleary password encrypted privilege 15
username bcleary attributes
vpn-group-policy DfltGrpPolicy
username test password encrypted
username morefieldcomm password encrypted
username Vendor password encrypted privilege 0
username Vendor attributes
vpn-group-policy DfltGrpPolicy
username swthomas password encrypted
username compugen password encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPNIPPool
default-group-policy GroupPolicy_Valley_View_VPN
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy GroupPolicy_Valley_View_VPN
tunnel-group Valley_View_VPN type remote-access
tunnel-group Valley_View_VPN general-attributes
address-pool VPN_IP_Pool
default-group-policy GroupPolicy_Valley_View_VPN
tunnel-group Valley_View_VPN webvpn-attributes
group-alias Valley_View_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
smtp-server 10.193.5.230
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end -
I was able to do this before but forgot what the command is to do it.
I don't make changes to the switches often so I forget the commands I don't use regularly.
We have a catalyst 4500 Level 3 switch as our main switch. It has all the vlans and everything already set.
That is connected to a few other switches via fiber, 2960-G switches.
We have one switch upstairs for vlan 2 access
We have one switch downstairs for Vlan 1 access
The Vlan addresses are given out via a DHCP server.
Can someone provide me the process/commands to add Vlan2 to the downstairs switch so one of the ports can get a Vlan 2 address?
I want to say it is trunk or something but I tried and failed.
Thanks
Thanks, I do remember doing something like that before.
I also remember needing to add all the vlans that need to go through the switch or I have issues :)
I want to confirm switchport trunk allowed vlan add 2 at the interface layer, correct? -
WLC 5508 management interface VLAN - access point VLAN
Is it required that the access points are in the same VLAN as the management interface on a WLC 5508?
There is a story behind this... Just yesterday my guy was like "APs won't join"... I let him hammer away at it... It was the check box.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
2106 wlc different vlan accessibility
I have one 2106 WLC and six 1131AG LAPs that are going to be placed in three VLANs. All three VLANs are created and configured on a 3550G switch.
I created two additional virtual interfaces on the WLC, tagged them with the appropriate VLAN number, and connected the port with the untagged VLAN identifier to a dot1q-enabled trunk port on the 3550 switch. That is,
man int - untagged, port 1
vlan2, tagged -2, port 2,3
vlan3, tagged -3, port 4,5
vlan4, tagged - 3, port 6
and port 1 is connected to a trunk port on the 3550G switch with dot1q.
I am not able to reach the created vlan interfaces on the WLC !?1?!
Kindly help?
jeff.velten, wouldn't that break the very use of the WLC? The documents I referred to from Cisco recommend connecting the WLC to a trunked port. Like here: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml
So how are the VLAN tags from the WLC not passed on to the trunk port? Is there something I missed, somewhere? -
Hi All,
I can ping successfully to another PC in the same VLAN (192.168.168.10, 192.168.168.12, 192.168.168.13), but can't ping either the management VLAN (192.168.168.2) or the router (192.168.168.1). What needs setting to allow VLAN 3 PCs to do this? This is not an intended design or anything, I'm just playing around etc. Also, VLAN 2 seems down (act/lshut). Cheers.
coolboarderguy...
vlan2
Cool#sh vlan
VLAN Name                 Status    Ports
1    default              active    Fa0/5, Fa0/6, Fa0/7
2    highdruid            act/lshut Fa0/1, Fa0/2, Fa0/3, Fa0/4
3    slick                active    Fa0/8, Fa0/9, Fa0/10, Fa0/11,
                                    Fa0/12
1002 fddi-default         active
1003 token-ring-default   active
1004 fddinet-default      active
1005 trnet-default        active

VLAN Type  SAID   MTU  Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
1    enet  100001 1500 -      -      -        -    -        0      0
2    enet  100002 1500 -      -      -        -    -        0      0
3    enet  100003 1500 -      -      -        -    -        0      0
1002 fddi  101002 1500 -      -      -        -    -        0      0
1003 tr    101003 1500 -      -      -        -    -        0      0
1004 fdnet 101004 1500 -      -      -        ieee -        0      0
1005 trnet 101005 1500 -      -      -        ibm  -        0      0
Hi coolboarderguy,
Here you go with the solution... You only need to have trunks if you want more than one VLAN to pass between the switches, or between switch and router, or between switch and server, which can be configured for trunking.
Now your router is on VLAN 1, which is a bad design because you have workstations in VLAN 3 and the router in VLAN 1, which at layer 2 are in different logical domains, but considering layer 3 you have the same subnet for two different VLANs.
If it is in the same subnet in which your workstations are, then it should be in VLAN 3.
But in case you want your router to be in a different VLAN and a different subnet, then you need to have a trunk between the switch and the router, create subinterfaces on the router and configure encapsulation on the subinterfaces. This will enable inter-VLAN routing to have communication between different VLANs.
HTH
Ankur -
RV042 issue remote management access
I installed two RV042s on ADSL links with load balancing, and everything works fine, except that an error occurs after a while: for a time I can access remote management via the RV042 web interface on both the LAN and the WAN, but then, when accessing the page, the login appears and after entering username and password the browser gives an error. The internet connection keeps working normally, and I can only access remote management again after disconnecting and reconnecting the RV042. I updated the firmware but the error continues. My RV042 is:
RV042 V03
Firmware v4.1.1.01-sp
I changed the default https port (443), to other ports but the error continues, someone had this problem?
André Szytko
Hi there,
I can use Google Translate to try to understand your post, but I think it's better for you to explain in English, mate.
regards, -
Securing Vlans by access lists
Hi,
I have configured some VLANs using a Cisco Catalyst 2950 switch and a Cisco 2611XM router. I configured the router for inter-VLAN routing with 802.1Q encapsulation and all is running well. Now I have started introducing some access policies between VLANs by the use of ACLs, but it seems to me I don't have a clear understanding of the packet filtering mechanism (e.g. inbound versus outbound packets, etc.). I succeeded in stopping access between two VLANs bidirectionally, but I don't know the best way to permit traffic from VLAN 1 to VLAN 2 while stopping traffic from VLAN 2 to VLAN 1.
Help me please!
Check out the following link for information on Securing Networks with Private VLANs and VLAN Access Control Lists:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml -
Multi-VLAN network needs to access a common networked server
Hi all,
I have a flat network (6500 core with 2950 accesses) consisting of multiple vlans. How do I allow devices on various vlans access to a common server they all interact with?
Thanks
Thanks for the reply Nick. What do you think about this as a possible solution:
Dedicate a 2950 switch to connect the server and do not configure any VLANs on it. Connect the server directly to this switch and then make connections from this switch to an access port on the existing network for each VLAN which requires server connectivity.
The server connection to the switch would be configured as unprotected, while each port connecting to a VLANed access switch port would be configured as protected (switchport protected). Protected ports do not communicate with each other. The server would be able to communicate with each of the protected ports patched to a VLANed access port, but these protected ports would not be able to communicate with each other, thus maintaining VLAN isolation.
Would this work? -
Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points
Hi Guys,
I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only one SSID. The client finds the SSID -> puts in his user credentials -> RADIUS authentication -> he is assigned to a specific VLAN based on his group membership.
The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the RADIUS server, but I am not sure how to configure the AP's port, radio port, VLAN and SSID.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
I go through some references:
3.5 RADIUS-Based VLAN Access Control
As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
There are two different ways to implement RADIUS-based VLAN access control features:
1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
extract from: Wireless Virtual LAN Deployment Guide
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
==============================================================
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
==============================================================
Controller: Wireless Domain Services Configuration
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
Any help on this issue is appreciated.
Thanks.
I'm not sure if the Autonomous APs have the option for AAA Override. On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a RADIUS server to send back the VLAN.
I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override". I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
Hope this helps -
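The "RADIUS-based VLAN assignment" described in the quoted deployment guide works by the RADIUS server returning tunnel attributes in Access-Accept (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN id, per RFC 2868 and RFC 3580) which the AP or switch then honours. The following Python is an added illustration, not code from the thread, the Cisco guide or any Cisco product: it encodes those three attributes the way a server would, and parses them the way a strict NAS should, refusing a VLAN unless the full, consistent attribute set is present. The VLAN ids used are constructed sample values.

```python
import struct
from typing import List, Optional, Tuple

# RADIUS tunnel attributes (RFC 2868) as used for VLAN assignment (RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_assignment_avps(vlan_id: int, tag: int = 0) -> bytes:
    """Attributes a RADIUS server puts in Access-Accept to place the user in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    # Tagged integers: one tag octet followed by a 3-octet value.
    tunnel_type = bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    medium = bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    # Tagged string: tag octet, then the VLAN id as ASCII digits.
    group = bytes([tag]) + str(vlan_id).encode("ascii")
    return (_avp(TUNNEL_TYPE, tunnel_type)
            + _avp(TUNNEL_MEDIUM_TYPE, medium)
            + _avp(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_avps(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute blob into (type, value) pairs, rejecting bad lengths."""
    out = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(data: bytes) -> Optional[int]:
    """What a NAS should derive from the reply: a VLAN id only when one tag group
    carries Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and a numeric, in-range
    Tunnel-Private-Group-ID; otherwise None (keep the SSID default or reject)."""
    groups = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer attribute must be 4 bytes")
            groups.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet above 0x1F is part of the string, not a tag.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for tag in sorted(groups):
        attrs = groups[tag]
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID, "")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


if __name__ == "__main__":
    reply = vlan_assignment_avps(200)          # constructed sample: voice VLAN 200
    print(reply.hex())
    print("NAS assigns VLAN:", assigned_vlan(reply))
```

The strictness in assigned_vlan is the point for a defender: a reply that carries only Tunnel-Private-Group-ID, or a Tunnel-Type other than VLAN, yields no assignment rather than a guess, which mirrors why the "VLAN override" / AAA override setting on the AP has to be explicitly enabled before the NAS trusts these attributes at all.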
I have an issue with a VLAN map I am attempting to use to filter traffic. It is a flat Layer 2 LAN so all hosts are in VLAN 1. I have a number of test machines that I want to deny access to live database servers. To do this I tried the following:
ip access-list extended testboxes
permit ip host x.x.x.x host x.x.x.x
vlan access-map denytest 10
match ip address testboxes
action drop
vlan filter denytest vlan-list 1
Once I apply the VLAN map I lose all connectivity to the switch. Is there something I am missing here?
Thanks
Ian
Unlike regular IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN. If a VACL is configured for a certain traffic and that traffic does not match the VACL, the default action is deny. Additionally, VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type. Add an additional permit statement allowing telnet/ssh/or web traffic to the switch:
permit tcp host X.X.X.X host X.X.X.X eq telnet
Best Regards
Francisco -
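Both VACL threads above (Peter's answer about the missing return-traffic permit, and Francisco's note on the implicit deny locking Ian out of the switch) come down to the same thing: a VACL is a stateless, first-match filter applied to every frame in the VLAN, with an implicit drop after the last map sequence. The Python below is an added illustration, not code from either post or from Cisco IOS; it models that evaluation for a single-sequence map with "action forward", loads the original one-line ACL and Peter's TestACL, and runs constructed sample packets (the management host 10.0.0.9 and the SVI address 10.0.0.1 are assumptions) through both to show which are forwarded and which hit the implicit deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str            # CIDR; "/32" is the IOS "host" keyword
    dst: str
    sport: Optional[int] = None   # None means any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def vacl_action(acl: List[Entry], p: Packet) -> str:
    """Single-sequence VACL with 'action forward': a packet the ACL permits is
    forwarded; one it denies or does not match falls off the end of the map and
    hits the implicit deny, so it is dropped. Evaluation is per frame, with no
    connection state, so the reverse direction needs its own permit."""
    for e in acl:
        if e.matches(p):
            return "forward" if e.action == "permit" else "drop"
    return "drop"


# The original poster's single-line ACL.
ORIGINAL_ACL = [Entry("permit", "tcp", "10.0.0.2/32", "10.0.0.3/32", dport=22)]

# Peter's TestACL from the answer.
CORRECTED_ACL = [
    Entry("permit", "tcp", "10.0.0.2/32", "10.0.0.3/32", dport=22),
    Entry("permit", "tcp", "10.0.0.3/32", "10.0.0.2/32", sport=22),
    Entry("deny", "ip", "10.0.0.2/32", "10.0.0.3/32"),
    Entry("deny", "ip", "10.0.0.3/32", "10.0.0.2/32"),
    Entry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed sample traffic; 10.0.0.9 -> 10.0.0.1 stands for an admin SSHing
# to the switch SVI, the case that locked Ian out.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "ssh_syn": Packet("tcp", "10.0.0.2", "10.0.0.3", sport=51000, dport=22),
    "ssh_reply": Packet("tcp", "10.0.0.3", "10.0.0.2", sport=22, dport=51000),
    "ping": Packet("icmp", "10.0.0.2", "10.0.0.3"),
    "mgmt_ssh": Packet("tcp", "10.0.0.9", "10.0.0.1", sport=40000, dport=22),
}


def compare(acl_a: List[Entry], acl_b: List[Entry],
            packets: Dict[str, Packet]) -> Dict[str, Tuple[str, str]]:
    """Verdict of each packet under two ACLs, for a before/after view."""
    return {name: (vacl_action(acl_a, p), vacl_action(acl_b, p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (before, after) in compare(ORIGINAL_ACL, CORRECTED_ACL, SAMPLE_PACKETS).items():
        print(f"{name:10s} original={before:8s} corrected={after}")
```

Run it and the two failure modes from the threads fall out directly: under ORIGINAL_ACL the SSH SYN is forwarded but the SYN/ACK from 10.0.0.3 is dropped (no session can complete), and unrelated management traffic is dropped too; under CORRECTED_ACL the return path and everything outside the two hosts is forwarded while the non-SSH traffic between them stays blocked.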
Best Practices to separate voice and Data vlans
Hello All .
I am coming to the community to get some advices on a specific subject .
One of my customers is currently using VLAN access-lists to isolate their data VLAN from their voice VLAN traffic.
As most of us know, VLAN ACLs are very difficult to deploy and manage at an access-port level that is highly mobile. Because of these management issues they have been looking for a replacement solution consisting of firewalls, but apparently the price of the solution was too high in the sky.
Can someone guide me towards security best practices when it comes to data and voice vlan traffic isolation please ?
thanks
Regards
T.
thomas.fayet wrote: Hi again Collin, may I ask you what type of FW / switches / IOS version you are using for this topology? Also, is the media traffic going through your FW if one voice VLAN wants to talk to another voice VLAN? rgds
Access Switches: 3560
Distro: 4500 or 6500
FW: ASA5510 or Juniper SSG 140 (phasing out the Junipers)
It depends. In the drawing above, no voice traffic would leave the voice enclave until it talks to a remote site. If we add other sites to the drawing, at a minimum call-sig would traverse the firewall and depending on the location of the callers, all voice traffic may cross the firewall. All of that depends on how you have your call managers/vm/voice gateways designed and where the callers are.