Transparent vlan and management of remote switch

Hi,
I'm a bit confused regarding the native Vlan of 1262 bridge ...
My design is LAN---RAP ---- MAP---remote-SWITCH with two Vlan : one for the data and one for the management.
I keep the vlan 1 for management at this point, but I'm still unable to access the remote switch.
On LAN side, the switch port is on trunk mode (native vlan 1 and vlan 2 allowed)
On RAP the Gigabit Ethernet is on normal mode
On MAP the Gigabit Ethernet is on normal mode
On remote-Switch, the switch port is on trunk mode (native vlan 1 and vlan 2 allowed)
Transparent vlan is disabled on WLC and Ethernet Bridging is checked for both AP.
It seems that it's not possible to bridge Vlan 1 as it is used for the backhaul, so does it mean
that for management purposes I must use a specific Vlan-id? And if my understanding is correct, do I define this vlan-id
as native on the MAP with the Ethernet Port set as Trunk and on the other switches (LAN side and remote-Switch)?
Thanks for your reply

If you have Ethernet bridging enabled and have defined the vlan for the bridging, then the RAP has to be connected to a trunk port and the traffic from the device that is connected to the MAP will egress out of the RAP's Ethernet port onto the trunk port. If you don't define a vlan for bridging then the traffic will be placed on the vlan the RAP is assigned to.
https://supportforums.cisco.com/servlet/JiveServlet/downloadBody/21766-102-1-53166/Understanding%20mesh%20ethernet%20bridging.pptx
https://supportforums.cisco.com/docs/DOC-21766

Similar Messages

  • Transparent FW and pinging to remote device

    Hi everyone,
    I was reading about transparent FW; it says:
    Unlike a transparent switch, however, the device will not flood frames out interfaces for an unknown MAC address destination. Instead the ASA will respond with an ARP request for a directly connected device. If the destination is remote, the ASA will attempt to ping the remote device.
    Question
    How will the ASA ping the remote device? Will it ping by the static route config on the ASA?
    Say we have a transparent FW between 2 switches and on one side, say switch1, a server is connected to it.
    How will the ASA ping this server?
    Now, can we say this server is a remote device if it is on a different subnet than the ASA interface?
    It seems the ASA will have the MAC addresses of directly connected interfaces.
    Thanks
    Mahesh

    Hi,
    I actually configured one of my ASA5505 as Transparent last night and tested it a bit.
    I had NO default route on the ASA5505 and the connections from the host behind the Transparent firewall worked just fine. Though I didn't use any management connection to the ASA other than a console cable.
    I guess for remote management connections and certain traffic originated by the ASA itself, the default route is needed BUT not for the actual host traffic through the ASA. The host already has a default gateway configured and it will ARP for its MAC address through the Transparent ASA and already knows where to forward the traffic to reach the remote host. The ASA just has to determine where to forward the traffic.
    I enabled several debugs on the ASA and it would indeed seem that when the ASA still has absolutely no knowledge of the MAC address behind its "inside" or "outside" it will at the start use Traceroute.
    I will post the debugs shortly.
    EDIT: Debugs
    L2-FIREWALL(config)# sh debug
    debug l2-indication  enabled at level 255
    debug mac-address-table  enabled at level 255
    debug arp-inspection  enabled at level 255
    debug icmp trace enabled at level 255
    debug arp  enabled at level 1
    I first issued a "clear mac-address-table" and after that I initiated ICMP Echo to a remote network.
    My IP addresses were
    192.168.103.1 Host default gateway - MAC aca0.1679.6d1b
    192.168.103.2 ASA5505 IP address
    192.168.103.3 Host IP address - MAC 1cc1.debe.80c5
    192.168.101.1 Remote Host
    f1_tf_process_l2_learn:learn indication , cur_ifc inside, new_ifc inside
    mac_address: 1cc1.debe.80c5
    add_l2fwd_entry: Going to add MAC 1cc1.debe.80c5.
    add_l2fwd_entry: Added MAC 1cc1.debe.80c5 into bridge table thru inside.
    add_l2fwd_entry: Sending LU to add MAC 1cc1.debe.80c5.
    f1_tf_process_l2_miss:MISS indication ip address 165a8c0, Vlan: 1,mac_address aca0.1679.6d1b
    MISS IND: Skipping learning for same interface
    f1_tf_process_l2_miss:IP address belongs to differentsubnet. Sending ICMP traceroute
    icmp_mktracert: Block allocated
    ICMP echo request from 192.168.103.2 to 192.168.101.1 ID=4388 seq=0 len=32
    f1_tf_process_l2_learn:learn indication , cur_ifc outside, new_ifc outside
    mac_address: aca0.1679.6d1b
    add_l2fwd_entry: Going to add MAC aca0.1679.6d1b.
    add_l2fwd_entry: Added MAC aca0.1679.6d1b into bridge table thru outside.
    add_l2fwd_entry: Sending LU to add MAC aca0.1679.6d1b.
    ICMP echo reply from 192.168.101.1 to 192.168.103.2 ID=4388 seq=0 len=32
    ICMP echo request from inside:192.168.103.3 to outside:192.168.101.1 ID=1 seq=244 len=32
    ICMP echo reply from outside:192.168.101.1 to inside:192.168.103.3 ID=1 seq=244 len=32
    ICMP echo request from inside:192.168.103.3 to outside:192.168.101.1 ID=1 seq=245 len=32
    ICMP echo reply from outside:192.168.101.1 to inside:192.168.103.3 ID=1 seq=245 len=32
    ICMP echo request from inside:192.168.103.3 to outside:192.168.101.1 ID=1 seq=246 len=32
    ICMP echo reply from outside:192.168.101.1 to inside:192.168.103.3 ID=1 seq=246 len=32
    - Jouni

  • Users VLAN and Management VLAN

    is it possible to separate two VLANs:
    one is running for the users VLAN connects to the clients
    one is for management purpose.
    Is there sample code available for access points, bridges, and switches?
    I would really appreciate that.

    Hi,
    You can configure VLANs on enterprise access points.
    What you need to do is configure the access point with its management IP address, set this as the native vlan and then add the other VLAN or VLANs.
    Then on the switch that the access point is connected to you need to configure a trunk port and make sure that the native vlan is the same VLAN you set as native on the access point.
    As an example, if the Access point has an IP address in management vlan 20, we set this VLAN as native and then we add the other VLAN or VLANs, and on the switch you configure the port as a trunk port with the same native VLAN 20.
    Note, native vlan is the same as untagged vlan. When we configure a trunk port this will tag all vlans except the native vlan or untagged vlan, which needs to be the same between directly connected devices.

  • About the Native Vlan and Management Vlan.

    I wanted to know whether the Management vlan and Native vlan can be different vlan ids or whether both should be the same vlan id. Why should the native vlan not be 1?

    The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
    It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
    Native Vlan is the vlan which will be sent untagged even on Trunk links. Consider a Trunk link configured between two switches SWA and SWB: if a system in vlan 1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, and switch B decides that the untagged frame is from native vlan 1 and handles it accordingly. By default the native vlan is 1; this can also be changed as per requirement.
    Example: In the below figure, if an IP phone and a system are connected to a switch port as shown, the Phone will send its frames tagged with vlan 10 whereas the frames sent by the system will be untagged. So here the corresponding switch port should be configured with native vlan 20, so that it can recognise and handle the frames from the system and the IP phone properly.
    [figure referenced in the post (IP phone and system on one switch port) not reproduced]
    Management vlan is different; it means that this vlan will be used for management purposes: logging into the switch for management, monitoring the switch, collecting Syslog and SNMP traps, etc. will be done by the management vlan IP. This is also by default vlan 1 in Cisco. So as Antony said, it is always a best practice and security measure to not use the default vlan and to use custom vlans.
    Hope this helps !

  • VLAN trunking, native vlan and management vlan

    Hello all,
    In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
    We have an uplink which is trunked using .1Q. Our access ports has the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.

    To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
    Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
    When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
    I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
    Regards,
    Leo

  • 1300 bridge with native and management vlan in different vlans

    Hello,
    We are going to set up a wireless bridge between two 1300 accesspoints. In our network the native vlan and the management vlan are different vlan's. Will we be able to manage the ap and switch at the "remote" site? Do we have to set up two ssid's, one for native and one for management?
    regards,
    Rutger

    To answer my own question:
    I don't think it is possible. Things work fine by making our management vlan the native vlan on switches and ap's involved. Management IP address on the BVI1 interface and everything works!
    Rutger

  • Transparent mode ASA and management

    I have just installed a new ASA5512 in transparent mode. This is the first time I have done this type of installation and have been having some issues getting remote management to the device. I have configured a BVI interface for management with an IP of 10.252.255.25.
    The network looks like this......
    172.19.130.5 --- LAN --- Router --- MPLS --- Router 10.252.255.30 ---- ASA Gi0/1 ---- ASAGi0/0 ----- Switch to LAN ---- 10.252.0.0 clients
    So, from my management workstation on 172.19.130.5 I can ping the router at 10.252.255.30, I can also ping and manage the client machines on the 10.252.0.0 network on the other side of the ASA but I can't manage the ASA on 10.252.255.25. It's going to be something I haven't done so any help would be greatly appreciated.
    Please see config attached.
    Murray

    So I have managed to get the very helpful guy on site to capture some packets. When I try to SSH to the device no packets are captured, however, if I try to SSH to an IP on the other side of the FW I get packets being captured as shown below.
    I have gone over the config but still can't find a problem, I'm close to pulling my hair out on this one.
    TEE-FDC-FW01# cap capin int inside match tcp any any eq 22
    TEE-FDC-FW01# sh cap capin
    6 packets captured
    1: 15:41:50.028852 10.64.68.32.20472 > 10.252.200.13.22: S 4240694991:4240694991(0) win 8192
    2: 15:41:50.030317 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 4240694992 win 0
    3: 15:41:50.563447 10.64.68.32.20472 > 10.252.200.13.22: S 1154043407:1154043407(0) win 8192
    4: 15:41:50.564820 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 1154043408 win 0
    5: 15:41:51.094508 10.64.68.32.20472 > 10.252.200.13.22: S 386805799:386805799(0) win 8192
    6: 15:41:51.095667 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 386805800 win 0
    6 packets shown
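The capture above can be read mechanically: each SYN from 10.64.68.32 toward port 22 on 10.252.200.13 is answered within a couple of milliseconds by an RST whose ack number is the SYN's sequence number plus one, which is the reply a host (or a device answering for that address) sends when the port is closed or refused, not a silent drop. The Python script below is an added example, not code from the thread or from Cisco: it parses ASA `show capture` output in that format, pairs every client SYN with whatever came back for it, and gives a per-flow verdict. Packets 1-6 are the lines posted above; packets 7-8 are constructed to show a flow that gets no reply at all, and the header and footer counts were adjusted to 8 to match.

```python
import re
from collections import defaultdict

# Packets 1-6 are the capture posted above; packets 7-8 are constructed (not from the
# thread) to show a flow whose SYNs get no answer at all.
SAMPLE_CAPTURE = """\
8 packets captured
1: 15:41:50.028852 10.64.68.32.20472 > 10.252.200.13.22: S 4240694991:4240694991(0) win 8192
2: 15:41:50.030317 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 4240694992 win 0
3: 15:41:50.563447 10.64.68.32.20472 > 10.252.200.13.22: S 1154043407:1154043407(0) win 8192
4: 15:41:50.564820 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 1154043408 win 0
5: 15:41:51.094508 10.64.68.32.20472 > 10.252.200.13.22: S 386805799:386805799(0) win 8192
6: 15:41:51.095667 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 386805800 win 0
7: 15:41:52.000000 10.64.68.32.20473 > 10.252.200.14.22: S 1000:1000(0) win 8192
8: 15:41:53.000000 10.64.68.32.20473 > 10.252.200.14.22: S 1000:1000(0) win 8192
8 packets shown
"""

LINE_RE = re.compile(
    r'^\d+:\s+\S+\s+'                                     # packet number, timestamp
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+'
    r'(?P<flags>[A-Z.]+)\s*(?P<rest>.*)$')


def parse_capture(text):
    """Turn 'show capture' lines into dicts; header/footer lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        seq = re.match(r'(\d+):', d['rest'])          # "seq:seq(len)" after the flags
        ack = re.search(r'\back (\d+)', d['rest'])    # present on RST and SYN-ACK lines
        packets.append({
            'src': d['src'], 'sport': int(d['sport']),
            'dst': d['dst'], 'dport': int(d['dport']),
            'flags': d['flags'],
            'seq': int(seq.group(1)) if seq else None,
            'ack': int(ack.group(1)) if ack else None,
        })
    return packets


def classify_flows(packets):
    """Pair each client SYN with the reply it got and give a per-flow verdict."""
    flows = defaultdict(lambda: {'syn': 0, 'synack': 0, 'rst_for_syn': 0})
    expected_ack = {}   # (client, cport, server, sport) -> seq+1 of the latest SYN
    for p in packets:
        fwd = (p['src'], p['sport'], p['dst'], p['dport'])
        rev = (p['dst'], p['dport'], p['src'], p['sport'])
        if p['flags'] == 'S' and p['ack'] is None:          # client SYN
            flows[fwd]['syn'] += 1
            expected_ack[fwd] = p['seq'] + 1
        elif rev in expected_ack and p['ack'] == expected_ack[rev]:
            if 'S' in p['flags']:                            # SYN-ACK: port open
                flows[rev]['synack'] += 1
            elif 'R' in p['flags']:                          # RST acking the SYN: refused
                flows[rev]['rst_for_syn'] += 1
    verdicts = {}
    for key, c in flows.items():
        if c['synack']:
            v = 'open: handshake answered'
        elif c['rst_for_syn'] == c['syn']:
            v = 'refused: every SYN answered by RST from the server side'
        elif c['rst_for_syn']:
            v = 'mixed: some SYNs refused, others unanswered'
        else:
            v = 'no reply: SYNs unanswered (dropped, filtered, or never reaching the host)'
        verdicts[key] = dict(c, verdict=v)
    return verdicts


def summarize(text=SAMPLE_CAPTURE):
    return classify_flows(parse_capture(text))


if __name__ == '__main__':
    for key, r in summarize().items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  SYN={r['syn']}  {r['verdict']}")
```

Run as a script it prints one line per flow; the first flow comes out as refused (three SYNs, three matching RSTs) and the constructed second flow as unanswered. The same pairing logic applies to a capture taken on the other interface, which is how one tells a refusal from a drop in transparent mode.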

  • Cisco Transparent firewall and cisco switch issues.

    Dears,
    I have a very plain scenario
    LAN cisco switch <2 vlans> ----------> cisco transparent firewall with bvi interface ------------> crypto box ---------> cisco router ------ <remote/other site>
    I have vlan 61 configured on the bvi interface of the firewall, on the crypto box and also on the switch port, and vlan 61 is up/up.
    The issue is I can connect remotely to the cisco transparent firewall but cannot ping or connect to the cisco switch.
    I need to know some troubleshooting tips and basic settings that I need to verify. I simply want the LAN switch with 2 vlans to pass through the cisco transparent firewall and go to the other site/remote site.

    Well,
    I have turned on icmp inspection for the sessions, and the version I am using is 9.1.
    Moreover, I have put up the ACLs for inbound and outbound traffic, and while I ping across the firewall from the inside interface towards the outside interface PC, I can see packet counts increasing on the acl in the show access-list command.
    I have requested the client to verify his part. Do let me know further tips if you have any.
    [moreover, we cannot use packet-tracer from the cli in transparent mode]

  • How to manage dell-2816 switch from remote network..?

    Hi,
    According to the diagram below, how can I manage the dell-2816 switch from another network? Its management IP only works on the default vlan, and the default vlan is not editable and also not routed; we can only access the switch by connecting a laptop directly to a switch port, and only if the port has default-vlan id 1.
    Switch-to-switch trunking is causing problems, but when using the pvid as the access vlan ID the trunk works between dell and juniper, so hopefully cisco will work too. But the major issue is remote manageability and also snmp: if the switch cannot be pinged remotely, then how will snmp work?
    Thanks
    Mamdud

    You would need a layer 3 device on the network that would route between the different networks/VLANs. Without a device performing VLAN routing, your only other option is to be on the VLAN 1 network.
    If you have a client with dual nic ports, you may be able to assign 1 port the VLAN 1 network. The other port would be on the network with the rest of the devices.

  • Any advantages to setting the AP-Manager and Management interface to an untagged vlan?

    Any advantages to setting the AP-Manager and Management interface to an untagged vlan? Currently, our controllers have their management and ap-manager interfaces on the same untagged vlan. Would it be wise to change this? Are there any gotchas I should be aware of?

    Not really, there won't be a problem. Management and AP-manager can be on different vlans.
    The vlan you choose to untag is the vlan you should declare as native on the switch, that's it.
    No advantage in having the interfaces configured one way or another.
    Some people want the management to be in a "management" subnet and the ap-manager will be in the subnet with all the APs. Some others have several AP subnets so the ap-manager is in the same as management ... no importance whatsoever as long as the config is coherent.
    The only thing that is worth considering is the size of the AP subnet to me. If you give a /16 for APs and have 1000 APs in a single subnet, ARP and broadcast storms will be hitting the fan. But the vlan tags/untags that you chose are not important.
    Nicolas

  • Video conferencing, voice, VLAN and Catalyst 2950, 3500 and 6500 switches

    We have a Cat6500 with MSFC in the Core/Distribution, and a mix of 2950 and 3524XL in the closets in the HQ. Every closet will be on one VLAN. There are 5 remote sites on a Frame with 768 CIR. There will be one Polycom VC station in the HQ per closet, one Polycom per remote site. Additionally, every PC everywhere will be using desktop NetMeeting for VC. CallManager and IP Phones will be everywhere. My questions are:
    1. Should I put the Polycom on the same VLAN as the PCs with CoS set to 4 at layer 2 and IP Precedence set to 4 at layer 3? IP Phones are already on a separate voice VLAN.
    2. Should I put the Polycom on its own VLAN, separate from the PC VLANs? If I do it this way, should I set CoS and IP precedence for the PCs with NetMeeting?
    3. Any sample config for the Catalyst switches?
    Thanks!
    Chris

    Chris,
    Check out this IP telephony design guide. Hope it is of some help to you:
    http://www.cisco.com/univercd/cc/td/doc/product/voice/ip_tele/network/

  • VLANs - Default, Native and Management

    Okay, please help in understanding the concept of VLANs by confirming whether the following is true or not, and based on that please help me to clear my doubts.
    Default vlan - Always Vlan 1 on a switch and cannot be changed. Its purpose is to account for the interfaces/ports which are not explicitly assigned a vlan.
    Native vlan - By default, it is also vlan 1 on a switch, but can be changed. Frames belonging to the native vlan are sent across the trunk link untagged. Its sole purpose is to provide backward compatibility for devices that don't understand frame tagging, as per 802.1q.
    Management vlan - for managing switches.
    Now my doubts ::
    1. Can anyone please draw and explain a scenario in which the NATIVE vlan comes into use, so that I can understand its purpose completely.
    2. Management vlan- how they are created/assigned and is used ?

    Hello
    From a security perspective it's best practice to not use vlan 1 whatsoever, as it is well documented that all cisco switches default to this vlan.
    Also it is best to define a native vlan that will not be used.
    This is due to something I think is called double tagging or vlan hopping: it is when a hacker, knowing that vlan 1 is untagged and the default vlan, applies an outer tag to an encapsulated packet and sends this into your network; then when this outer tag is stripped away the native vlan 1 is seen by the switch, which is accepted into your network and sent on its merry way toward its destination.
    So to negate this threat it is best to either tag ALL vlans or define an unused native vlan and a tagged management vlan, and not allow the native vlan to cross any trunks.
    example:
    vlan 1 = shutdown
    vlan 10 = management
    vlan 11-49 = user vlans
    vlan 50 = native
    conf t
    vlan 2-50
    exit
    int vlan 1
    shut
    int vlan 10
    ip address x.x.x.x y.y.y.y
    interface gig x/x
    switchport trunk encapsulation dot1q
    ! native vlan 50 is deliberately left out of the allowed list below
    switchport trunk native vlan 50
    switchport trunk allowed vlan 2-49
    switchport mode trunk
    res
    Paul
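Two of the answers above make claims that can be checked against a running configuration: the access-point answer says the native VLAN must be the same on both ends of a trunk, and Paul's example keeps VLAN 1 shut, puts management on a tagged VLAN and chooses a native VLAN (50) that is not in the trunk's allowed list. The Python script below is an added example, not code from the thread or from Cisco. It parses a minimal IOS-style configuration (only the `interface`, `switchport trunk native vlan`, `switchport trunk allowed vlan`, `switchport mode trunk`, `ip address` and `shutdown` lines) and reports the conditions Paul's example is designed to avoid, plus a native-VLAN mismatch between two ends of a link. Both sample configurations are constructed: `GOOD_TRUNK` follows Paul's example with a placeholder 192.0.2.x address, `BAD_TRUNK` is the default-everything counterpart.

```python
import re
from dataclasses import dataclass, field

# Constructed sample configurations (assumptions, not from the thread).
GOOD_TRUNK = """\
vlan 2-50
interface Vlan1
 shutdown
interface Vlan10
 ip address 192.0.2.10 255.255.255.0
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport trunk allowed vlan 2-49
 switchport mode trunk
"""

BAD_TRUNK = """\
interface Vlan1
 ip address 192.0.2.11 255.255.255.0
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-49
 switchport mode trunk
"""


@dataclass
class Port:
    name: str
    mode_trunk: bool = False
    native: int = 1                   # IOS default when no native vlan is configured
    explicit_native: bool = False
    allowed: set = field(default_factory=lambda: set(range(1, 4095)))  # default: all


@dataclass
class SwitchConfig:
    ports: dict = field(default_factory=dict)    # interface name -> Port
    svi_ip: dict = field(default_factory=dict)   # SVI vlan id -> configured IP
    shut_svi: set = field(default_factory=set)   # SVI vlan ids that are shut down

    def trunks(self):
        return [p for p in self.ports.values() if p.mode_trunk]

    def management_vlans(self):
        """VLANs that carry a live IP on this switch, i.e. where it can be managed."""
        return {v for v in self.svi_ip if v not in self.shut_svi}


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '2-49,60' into a set of ints."""
    vlans = set()
    for part in spec.split(','):
        if '-' in part:
            lo, hi = part.split('-', 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    cfg = SwitchConfig()
    port, svi = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'interface\s+(\S+)$', line, re.I)
        if m:
            name = m.group(1)
            sm = re.match(r'vlan(\d+)$', name, re.I)
            svi = int(sm.group(1)) if sm else None
            port = None if sm else cfg.ports.setdefault(name, Port(name))
            continue
        if svi is not None:
            if re.match(r'ip address\s+\S+\s+\S+', line, re.I):
                cfg.svi_ip[svi] = line.split()[2]
            elif line.lower() == 'shutdown':
                cfg.shut_svi.add(svi)
        elif port is not None:
            if line.lower() == 'switchport mode trunk':
                port.mode_trunk = True
            m = re.match(r'switchport trunk native vlan\s+(\d+)$', line, re.I)
            if m:
                port.native, port.explicit_native = int(m.group(1)), True
            m = re.match(r'switchport trunk allowed vlan\s+([\d,\-]+)$', line, re.I)
            if m:
                port.allowed = expand_vlan_list(m.group(1))
    return cfg


def audit(cfg):
    """Findings a trunk that follows Paul's example should never produce."""
    findings = []
    mgmt = cfg.management_vlans()
    if 1 in mgmt:
        findings.append('management IP configured on VLAN 1')
    for p in cfg.trunks():
        if p.native == 1:
            findings.append(f'{p.name}: native VLAN is 1' +
                            ('' if p.explicit_native else ' (default, never set)'))
        if p.native in p.allowed:
            findings.append(f'{p.name}: native VLAN {p.native} is allowed across the trunk')
        if p.native in mgmt:
            findings.append(f'{p.name}: management VLAN {p.native} travels untagged (native) on the trunk')
    return findings


def native_vlan_mismatch(a, port_a, b, port_b):
    """None when both ends agree on the native VLAN, else the two values."""
    na, nb = a.ports[port_a].native, b.ports[port_b].native
    return None if na == nb else (na, nb)
```

`audit(parse_config(GOOD_TRUNK))` returns no findings; the same call on `BAD_TRUNK` reports the management IP on VLAN 1, the never-set native VLAN, the native VLAN being carried on the trunk and the management VLAN travelling untagged. `native_vlan_mismatch` applied to the two sample ports returns `(50, 1)`, the kind of mismatch the access-point answer warns about.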

  • Flexconnect AP - dynamic VLAN and local/central switched via radius possible?

    Hello at all,
    Is it possible to tell a flexconnect ap whether a client on a single ssid should be locally switched or centrally switched, and if centrally switched, which vlan it should use?
    All I got so far was either central switching with dynamic vlan assignment or local switching with a static vlan (because it falls back to the default static vlan configured at the ap if the radius-assigned vlan doesn't exist), but I need a flexconnect ap that puts client a into the locally switched vlan a and client b into the centrally switched vlan b, both in the same ssid. Is there a radius attribute to tell a flexconnect ap how to handle this while non-flexconnect aps ignore it?
    To be more detailed:
    At the central location all APs are running in local mode, radius assigns different vlans to the clients (different departments), let's say client a = vlan 100, client b = vlan 200, and this works fine. At the remote locations the APs are running in flexconnect mode with default vlan 10 so that the authenticated clients can break out locally and use the local infrastructure for printing and file storage. At these locations radius also says client a = vlan 100, but client a should be forwarded to local vlan 10 (which already works because there is no vlan 100 configured at the ap, so the default static configuration with vlan 10 is used), while client b should stay in vlan 200 and should be centrally switched to the controller because it isn't allowed to access the local infrastructure. How could this be done? Creating another ssid isn't a valid option.
    Thank you,
    Christian

    Hi Christian.
    This is what the 7.3 mobility design document tells about "FlexConnect VLAN Based Central Switching", which is listed in the above slide.
    "From release 7.3 onwards, traffic from FlexConnect APs can be switched centrally or locally depending on the presence of a VLAN on a FlexConnect AP.
    In controller software release 7.2, AAA override of VLAN (Dynamic VLAN assignment) for locally-switched WLANs puts wireless clients on the VLAN provided by the AAA server. If the VLAN provided by the AAA server is not present at the AP, the client is put on a WLAN mapped VLAN on that AP and traffic switches locally on that VLAN. Further, prior to release 7.3, traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration."
    FlexConnect VLAN Central Switching Summary
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode is as follows:
    • If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
    • If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
    • If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
    • If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode is as follows:
    • If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
    • If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into the returned VLAN and traffic will switch locally.
    • If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.
    Enjoy your weekend & I am sure you will be able to get this working.
    HTH
    Rasika
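Rasika's quoted rules are a small decision procedure over four inputs: whether AAA returned a VLAN, whether that VLAN exists in the AP's database, whether it exists on the WLC, and whether the AP is connected or standalone. The Python function below is an added example, not code from the thread or from Cisco; it encodes those rules (with the quoted pre-7.3 fallback as a separate branch) and applies them to Christian's remote-site scenario using constructed VLAN sets: a FlexConnect AP whose WLAN maps to VLAN 10 and that knows only VLAN 10, a controller with interfaces for VLANs 10, 100 and 200, and the controller-side WLAN interface assumed to be VLAN 100.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Decision:
    switching: str   # 'central' or 'local'
    vlan: int        # VLAN / interface the client ends up on
    note: str        # which quoted rule applied


def flexconnect_decision(aaa_vlan: Optional[int], ap_vlans: Set[int], wlc_vlans: Set[int],
                         wlan_vlan_on_ap: int, wlan_vlan_on_wlc: int,
                         connected: bool = True,
                         release: Tuple[int, int] = (7, 3)) -> Decision:
    """Outcome for one client on a WLAN configured for local switching."""
    if aaa_vlan is None:
        return Decision('local', wlan_vlan_on_ap, 'no AAA VLAN: WLAN-mapped VLAN on the AP')
    if aaa_vlan in ap_vlans:
        return Decision('local', aaa_vlan, 'AAA VLAN present on the AP')
    # From here on the AAA VLAN is absent from the FlexConnect AP database.
    if release < (7, 3):
        return Decision('local', wlan_vlan_on_ap,
                        'pre-7.3: fall back to the WLAN-mapped VLAN on the AP')
    if not connected:
        return Decision('local', wlan_vlan_on_ap,
                        'standalone: WLAN-mapped VLAN for now; de-authenticated and '
                        'switched centrally when the AP reconnects')
    if aaa_vlan in wlc_vlans:
        return Decision('central', aaa_vlan, 'AAA VLAN absent on AP, present on WLC')
    return Decision('central', wlan_vlan_on_wlc,
                    'AAA VLAN absent on AP and WLC: WLAN-mapped interface on the WLC')


# Constructed scenario (assumptions, not the thread's configs): the remote FlexConnect AP
# knows only VLAN 10, the controller has interfaces for 10, 100 and 200.
REMOTE_AP_VLANS = {10}
WLC_VLANS = {10, 100, 200}
WLAN_VLAN_ON_AP = 10      # default static VLAN on the remote AP, as in the question
WLAN_VLAN_ON_WLC = 100    # assumed interface mapped to the WLAN on the controller


def remote_site_outcomes(release=(7, 3), connected=True) -> Dict[str, Decision]:
    """Client a carries AAA VLAN 100, client b AAA VLAN 200, as described in the question."""
    return {name: flexconnect_decision(v, REMOTE_AP_VLANS, WLC_VLANS, WLAN_VLAN_ON_AP,
                                       WLAN_VLAN_ON_WLC, connected, release)
            for name, v in (('a', 100), ('b', 200))}


if __name__ == '__main__':
    for rel in ((7, 2), (7, 3)):
        for name, d in remote_site_outcomes(rel).items():
            print(f"release {rel[0]}.{rel[1]} client {name}: "
                  f"{d.switching} on VLAN {d.vlan} ({d.note})")
```

Under the 7.3 rules both client a (AAA VLAN 100) and client b (AAA VLAN 200) are switched centrally, because neither VLAN exists on the remote AP and both exist on the controller; the pre-7.3 branch reproduces the fallback to local VLAN 10 that the question describes for client a. Getting client a local and client b central on one SSID, as asked, would require the AP to know VLAN 100, which is exactly the input these rules key on.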

  • I just got a new computer and i still have to use old comp to update and manage apps. how do i switch over to my new comp?

    I got a new comp yet I still have to use my old one to update and manage apps on my iPhone 4. How do I switch it over?

    What I do when I get a new computer is the first time I turn it on is use Setup Assistant. Once Setup Assistant has finished doing its thing, the new computer is just like my old one.
    Allan

  • Help config vlan and inter routing vlan on 2 switches SF300-24 ???

    Dear Cisco!
    Now we have 2 switches: SF300-24.
    On one SF300-24 we configured it in layer 3 mode with the VLAN configuration as follows:
    VLAN ID 2 (ports: 2-6) has ip interface 192.168.2.254/24
    VLAN ID 3 (ports: 7-10) has ip interface 192.168.3.254/24
    VLAN ID 4 (ports: 11-15) has ip interface 192.168.4.254/24
    and VLAN 1 (default) has IP address 192.168.1.200
    DHCP relay - DHCP server 192.168.3.1
                       - DHCP relay: VLAN2; VLAN3; VLAN4
    ip route: 0.0.0.0 0.0.0.0 192.168.3.1
    All ports of VLAN2, VLAN3, VLAN4 are set to access mode.
    And another SF300-24
    was configured at layer 2. We configured VLAN ID 2 with ports 2-6; VLAN ID 3 ports 7-10; VLAN ID 4 ports 11-15, too.
    And we use port 26 on both SF300-24 switches in trunk mode, then we connect both SF300-24 switches.
    But the SF300-24 at layer 2 can't understand the VLANs from the SF300-24 at layer 3!!!
    Could you please help me check this situation?
    How to configure VLANs on 2 switches, SF300-24 layer 3 and SF300-24 layer 2?
    Thanks!
    See you soon!

    Son Nquyen,
    First I would upgrade to 1.1.8 since the 1.0.0.27 was beta code.
    Next, when connecting both switches together each port will need to be set to Trunk mode with the proper native vlan and tagged vlan traffic. What's the configuration of your trunk ports on each switch?
    Thanks,
    Jasbryan.
