Vlan hopping issue btw 2950 (Access) & Cat 6K (Distribution)

Similar Messages

• VLan setup for a 2950 and 2611

  Im trying to setup a real basic VLan setup for 1 2950 switch. I would like to have 3 Vlans on it including the default Vlan. So my understanding is that for all 3 of the VLans to talk to each other I will need a router to be the layer 3 device that routes the Vlans.
  On my 2611 it looks like this:
  interface Ethernet0/0
  no ip address
  full-duplex
  interface Ethernet0/0.1
  encapsulation dot1Q 1 native
  ip address 172.16.10.1 255.255.255.0
  no snmp trap link-status
  interface Ethernet0/0.2
  encapsulation dot1Q 2
  ip address 172.16.20.1 255.255.255.0
  no snmp trap link-status
  interface Ethernet0/0.3
  encapsulation dot1Q 3
  ip address 172.16.30.1 255.255.255.0
  no snmp trap link-status
  Then my 2950 looks like this:
  interface FastEthernet0/1
  description Connection to router
  switchport mode trunk
  speed 10
  duplex full
  interface FastEthernet0/2
  switchport access vlan 2
  interface FastEthernet0/3
  switchport access vlan 3
  interface Vlan1
  ip address 172.16.10.2 255.255.255.0
  no ip route-cache
  ip default-gateway 172.16.10.1
  Ok so as it currently stands the switch and router will not talk to each other at all. From the switch I can not ping the router and vice a versa. If I plug a laptop into one of the ports using VLan1 I can ping the switch IP 172.16.10.2 but obviously can not ping the default gateway which is the router...
  I didnt think this looked very hard but for some reason it does not want to work for me at all...
  Any ideas?
  LR

  I have two things you might try. First set your trunking interface on your switch to auto.
  interface fastethernet 0/1
  speed auto
  duplex auto
  This will help to make sure that the ethernet on the 2611 will negotiate the duplex with the switch. I've had issues with 2611's trying to do full duplex on there ethernet ports.
  Another Option turn on CDP on your router and switch and do a show cdp neighbor to make sure there plugged into the right ports.
  Three you could move the vlan 1 ip address on the 2611 to the main interface. Example below. Then try pinging the switch. Your other tagged vlans should still work at that point. Also if you have multiple switches make sure to setup Vlan Trunk Protocol see NOTE A.
  no interface Ethernet0/0.1
  no encapsulation dot1Q 1 native
  no ip address 172.16.10.1 255.255.255.0
  no snmp trap link-status
  interface Ethernet0/0
  ip address 172.16.10.1 255.255.255.0
  NOTE A
  Add the following commands to each switch to setup your Vlan Trunk Protocol. These are pretty much the minimum amount of commands you can use to setup VTP.
  vtp domain CISCO1
  vtp version 2

• Vlan config issues

  I have a 6509 with a vlan 105 configure. I have also added a vlan 100. vlan 100 and 105 work for internal routing. vlan 105 workstation can get to the internet. however any vlan 100 workstation can not access the internet. A tracert from a workstation on vlan 100 stops at the 6509. attached is the 6509 config, i have included IP just because they already have changed.
  any ideas? Does the port connecting to my firewall have to allow all vlan traffic? if so how do i do this.
  thanks,

  Hi,
  Please provide more information on setup( other devices, connectivity diagram) to have a clear idea, so that we can help you.
  From the config provided, i could see the following default route
  ip route 0.0.0.0 0.0.0.0 10.175.105.3
  What is 10.175.105.3 ? Is this your firewall / WAN router??
  Also what is the need for this static route.?
  ip route 10.175.100.0 255.255.255.0 10.175.105.3
  10.175.100.0/24 is the subnet for vlan 100, which a directly connected network on this switch. Hence you dont need that route. Remove that route.
  Finally whatever device is 10.175.105.3, please add a route in that device for vlan 100 so that traffic can reach vlan 100.
  The route that you should add in 10.175.105.3 is
  ip route 10.175.100.0 255.255.255.0 10.175.105.1.
  Hope this helps.
  -VJ

• Vlan Hopping attack

  Hello, 
           I know what a vlan hopping attack is...i understand it but....Why on earth will an access port be accepting Tagged frames???? 
          It is understood that the clients or End systems must not and will not send tagged Data frames if they are on access ports??  because they dont
          have any info in what VLAN they are in... why does the switch even accept vlan tagged frames from an access port? please enlighten me :) 
  Thank u
  Regards 
  Ahmed Mukhtar

  Hi Ahmed,
  I think you are looking at this in a different way..
  Like you imagined, if the port is hard coded to be an Access Port, and done that correctly, attacker will not be able to do the VLAN Hopping..
  So in an ideal world, end system connected to an access port is not expected to accept Tagged packets..  Even if someone configured the end system to accept Tagged packets(which is easily achievable) it will hear no traffic on other VLANs ( as the access port only sends out untagged packets). 
  But the situation changes when you leave your ports on a setting that would allow anyone to use that port either use as a trunk or as an access port.   In this situation attacker will leverage this dynamic nature of the port and will negotiate a trunk between the switch and start hopping between VLAN looking for interesting traffic..
  I guess the most important thing to understand is..  in the  attackers world, you cant expect the "end system" to behave and act like an "ethical" end system that would obey the TCP/IP protocol stack... be it a PC or a switch or some other BOX the attacker is using, it will have manipulated protocol stack that can act as a PC or a switch or what ever it wants to be.. (ex If you get a PC and change the protocol stack to send BPDUs and DTP etc..  how would the switch on the other end know it is a PC it is really talking to.. 
  Hopefully this helps you to look at this in a different way.
  Please don't forget to rate helpful answers..

• VLAN Hopping on Native VLAN

  Hi,
  Is it possible to send tagged frames on a switched port which is configured as access with the VLAN ID equal to the native VLAN to do VLAN Hopping ???
  What are the best practices to avoid VLAN Hopping ????

  Hello,
  I think what you describe is a doubel encapsulated VLAN hopping attack.
  The document below talks about preventing this and other VLAN hopping attacks:
  Layer 2 -- The Weakest Link
  Security Considerations at the Data Link Layer
  http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac222/about_cisco_packet_feature09186a0080142deb.html
  Hacking Layer 2: Fun with Ethernet Switches
  http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf
  Regards,
  GP

• Issue with assistive access not keeping permissions

  Since a recent upgrade (likely from OS X 10.9.x to 10.10.2) I've had issues with Assistive Access blocking Automator and Applescript from interaction with dialogs.
  If I run my script or my Automator workflow (which basically has the same script in it) I get the error:
  System Events got an error: Automator is not allowed assistive access. (in the case of Automator).
  If I open Automator, and then untick and retick the Automator entry in the Accessibility options within Security & Privacy (System Preferences), then workflow can run again. It continues to work until I Quit Automator. Then it's as if OS X no longer trusts Automator to be the same app I gave Accessibility permissions to.  And the situation repeats. It's much as if it were not code-signed. The exact same issue plays out with Apple Script.
  I came across this info, which I hoped would solve the problem, but it made no difference: http://macscripter.net/viewtopic.php?id=43394 and http://bit.ly/1x3SRmc
  In my Accessibility permissions I now have:
  Script Editor
  Automator
  1Password 5 (which the script interacts with)
  com.apple.security.agentStub.xpc (in case that's being called up and triggering the Accessibility issue)
  osascript (in case that's handling the script and triggering the Accessibility issue)
  SecurityAgent.xpc (in case that was triggering the Accessibility issue)
  I added all these because the post at http://bit.ly/1x3SRmc     indicated that anything Apple Script is interacting with needs Accessibility access permissions.
  My script is as follows:
  set appName to "SecurityAgent"
  set passApp to "1Password 5" (* set this to the name of your password manager *)
  tell application "System Events"
    if not (exists window 1 of process appName) then -- test if SecurityAgent window exists
    set answer to display dialog "The password dialog was not found. Please check." buttons {"Ok"}
    return -- abort if SecurityAgent window does not exist
    end if
  end tell
  tell application "System Events"
    set position of window 1 of process appName to {10, 10}
  -- move SecurityAgent window out of the way
  end tell
  activate application passApp
  tell application "System Events"
    tell application "SystemUIServer"
    set answer to display dialog "Make sure correct 1Password item is actively selected (i.e. click it again if it was previously selected), then click “Continue” to proceed." buttons {"Continue"}
    end tell
    tell process passApp
    (* If you are not using 1Password, you may need to change the menu item clicks, below, to whatever is correct in your particular password manager *)
    click menu item "copy password" of menu "item" of menu bar 1
    delay 1
    set appData to the clipboard
    end tell
    tell application "System Events"
    tell process appName
    set value of text field 1 of window 1 to appData
    if exists (text field 2 of window 1) then
    set value of text field 2 of window 1 to appData
    if exists checkbox 1 of window 1 then
    if value of checkbox 1 of window 1 is 1 then
    click checkbox 1 of window 1
    end if
    end if
    set value of checkbox 1 of window 1 to 0
    delay 1 (* gives  a moment to see what's going on *)
    click button "OK" of window 1
    else
    if value of checkbox 1 of window 1 is 1 then
    click checkbox 1 of window 1
    end if
    delay 1 (* gives  a moment to see what's going on *)
    click button "OK" of window 1
    end if
    end tell
    end tell
  end tell
  In Automator it would appear the script is generating an error as soon as it reaches line 5, "if not (exists window 1 of process appName) then"
  I would greatly appreciate some assistance in resolving this issue.

  Starting with Mavericks, Apple changed the way that the accessibility works (see Using AppleScript with Accessibility and Security features in Mavericks) - each individual application needs to be given access, instead of a global option.  A regular AppleScript application saves properties and global variables with the script, which makes it a new application as far as the system security is concerned, so it needs to be re-added to the accessibility list.  To work with this new security feature, you need to code-sign your AppleScript application or make the script(s) in the bundle read-only so that they don't get changed (note that an AppleScript-based project in Xcode does not modify the application bundle by saving properties and globals).

• Spanning vlans across access switches in distribution block.... please help

  Hi All
  Can someone please explain why Cisco states that in a Campus Hierarchical modle if Vlans are spanned across Access switches in a distribution block, then the Distrubution to distribution link should be Layer 2. Is this really necesary or just a recommendation, and if so why? Can't this link be a L3 link when spanning vlans across Access switches in distribution block, as I understand the benefit of having a L3 distribution to distribution link so that SPT is avoided.
  Please help

  Hello,
  The cisco recommended design is L3 links, but these is only possible if you have no vlans you need to span over the hole network.
  It depends on your topology or what you want achieve.
  If you need for one or more vlan's spanned the LAN, you need to use a layer 2 connection between all switches and between distribution too.
  In my company we have for example a few vlans for restricted areas, like device management or else, so we can't use L3 Links in the distribution area because these vlan's are terminated at the firewall. I think these is good thing.
  I would recommend you if you don't have to span one or more vlan's across the network to use L3 Links, specially in the case of redundancy way's. So you need no spanning-tree, but need to use other protocols like GLBP or else. The works faster and are not so confusing (for some people) as STP.
  best regards,
  Sebastian

• I have a new Macbook pro and need to run some Windows software, it appears "Parallel" should work well from what I've have read. Will I have any issues or problems accessing and printing from various printers on my Windows 7 network within Parallel?

  I have a new Macbook pro and need to run some Windows software, it appears "Parallel" should work well from what I've have read. Will I have any issues or problems accessing and printing from various printers on my Windows 7 network within Parallel? Is Parallel in fact the best way to go?

  First, back up all data immediately, as your boot drive might be failing.
  There are a few other possible causes of generalized slow performance that you can rule out easily.
  Reset the System Management Controller.
  If you have many image or video files on the Desktop with preview icons, move them to another folder.
  If applicable, uncheck all boxes in the iCloud preference pane.
  Disconnect all non-essential wired peripherals and remove aftermarket expansion cards, if any.
  Check your keychains in Keychain Access for excessively duplicated items.
  If you have more than one user account, you must be logged in as an administrator to carry out this step.
  Launch the Console application in the same way you launched Activity Monitor. Make sure the title of the Console window is All Messages. If it isn't, select All Messages from the SYSTEM LOG QUERIES menu on the left. If you don't see that menu, select
  View ▹ Show Log List
  from the menu bar.
  Select the 50 or so most recent entries in the log. Copy them to the Clipboard (command-C). Paste into a reply to this message (command-V). You're looking for entries at the end of the log, not at the beginning.
  When posting a log extract, be selective. Don't post more than is requested.
  Please do not indiscriminately dump thousands of lines from the log into this discussion.
  Important: Some personal information, such as your name, may appear in the log. Anonymize before posting. That should be easy to do if your extract is not too long.

• Cisco sg200 voice vlan dhcp issue

  i have cisco sg200 50p connected to cisco 3750 switch. i just wanted to separate voice (vlan2) and data (vlan1) VLANS. I created vlan 2 as my voice VLAN and separate dhcp server for vlan 2 to give ip addresses to phones. however the ip phone connected to my voice vlan (vlan 2) is not receiving ip address from my dhcp server in vlan 2.
  the dhcp server is connected to 3750 switch with an access port (vlan2-voice)
  two switches are connected via trunk ports and allowed vlan 1&2
  ip phone is connected to sg200 via access port (vlan 2) - 
  note - there is no pc connected to ip phone
  I really appreciate if anyone can help me with this issue

  Hi Tom
  Thank you for the support. The phone is now getting the IP from the DHCP on its own VLAN (vlan2 )  according to  your configuration. However i need to configure the auto voice VLAN based on OUI feature which is in SG200 switch. 
  The problem is, the switch not allowed me to configure auto voice vlan feature when the port connected to IP phone is in ACCESS mode (it has to be a trunk). I know according to cisco catlyst guidelines this is totally incorrect bcz they say  "Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed"
  I think its not valid for Small business switches . Anyway, when i make the said port  TRUNK it works (by assigning 1U & 2T- automatically).But the phone does not  get an IP address from my DHCP server then. 
  Can you help me with this if I am missing some configuration. Thank you once again

• Strange VLAN issue on aironet access points

  I'm setting up some access points for WPA. I've ran into a strange issue. The client VLAN (VLAN that the users will be put into) is 1, and the native VLAN is 10. The RADIUS server is in VLAN 1 (but I have a test RADIUS server in VLAN 10 as well). I can connect from the access point to a RADIUS server in either VLAN, and from the RADIUS servers to the access point as well. When I point to a RADIUS server in VLAN10 authentication works fine. If I point to a RADIUS server that is located in VLAN1, and I put the wireless clients in VLAN10 it works fine. But for some reason when I have the RADIUS server and the clients in VLAN (1) and the native (BVI1) interface in VLAN 10 the authentication packets never seem to get to the RADIUS server. It is as if the authentication is being sources out of the wrong VLAN. I can?t find any docs to say that this isn?t a supported configuration.

  Hi Shannon,
  have a look here:
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#apconfig
  - - - Snipp - - -
  Significance of Native VLAN
  When you use an IEEE 802.1Q trunk port, all frames are tagged except those on the VLAN configured as the "native VLAN" for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged. Therefore, when an AP is connected to the switchport, the native VLAN configured on the AP must match the native VLAN configured on the switchport.
  Note: If there is a mismatch in the native VLANs, the frames are dropped.
  This scenario is better explained with an example. If the native VLAN on the switchport is configured as VLAN 12 and on the AP, the native VLAN is configured as VLAN 1, then when the AP sends a frame on its native VLAN to the switch, the switch considers the frame as belonging to VLAN 12 since the frames from the native VLAN of the AP are untagged. This causes confusion in the network and results in connectivity problems. The same happens when the switchport forwards a frame from its native VLAN to the AP.
  - - - Snapp - - -
  Best regards,
  Frank

• Ip phone and pc VLAN security issue - ISE 1.0

  Hello there.
  We are about to implement IP phones to our current network and during testing I have found 2 issues.
  1- ip phone connects to a protected port using ISE mab authentication for the data network.
  The voice VLAN is set up static on the port. The pc VLAN is given by ISE profiling.
  Then the issue is that once the pc connects to the VLAN it belongs to from the ip phone it leaves open that vlan on that port which means that if I connect another pc it will get the original VLAN the port had open up the connection with. This is a big security issue as computers that should not be allowed on specific VLAN can access them this way.
  2- once the connection is up and running on the port for both the phone and the pc, there is re-authentication Happening every minute to ISE. The Authentication logs are getting so many messages for just one port. So once we convert from 2 ip phones to 500, that is definitely going to generate a lot of unnecessary traffic.
  Let me know your thoughts...thanks
  Port config info....below
  interface GigabitEthernet0/2
  description Extra port by Camilos Desk
  switchport mode access
  switchport voice vlan 220
  srr-queue bandwidth share 1 30 35 5
  priority-queue out
  authentication event fail action next-method
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication open
  authentication order mab dot1x
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  mls qos trust cos
  snmp trap mac-notification change added
  auto qos trust
  spanning-tree portfast
  end

  On # 1
  You have the make sure that
  "authentication host-mode multi-domain" command is under each port
  This will allow one voice vlan and only one PC vlan at any given time. If you disconnect a PC and connect onother PC mac address to it, the phone will reinitialize to accept or reject the new mac based on its profile.
  On #2
  I have not found a solution. But what I have found after deployment is that it has happend only on 2 VOIP phones, out of 70 that we have as of now. So it might to be related to ISE.
  On the other hand we are not using Cisco phones but mitel. So this might be a whole issueon itself.
  Hope this helps.

• VLAN & Connecting 3560 to 2950

  This is a first time try for me.
  I'm trying to connect the main switch here (3560) to two 2950s via fiber on SFP ports. The connection lights are green at both ends (3560 and 2950 ends) but I can't ping.
  The 3560 switch has 3 VLANS configured: 10, 12 and 15. I'm only dealing with VLAN 10 which has a subnet of 172.16.1.* and an IP of 172.16.1.1.
  I tried to assign SFP ports on the 3560 49 and 50 to be considered part of VLAN 10 but when I look at the port status page it says they are "trunk".
  The one 2950 I want to communicate to is IP address 172.16.1.20. The 2950 does not have VLAN configured - but I thought I wouldn't need to do that. There's a device connected to the 2950 with an IP address of 172.16.1.21 which we need to communicate with.
  Thanks.

  Hi,
  No, when i said that when connecting 2 cisco switches, they need to be connected via a trunk connection, and all the VLANs should be defined on both switches.
  I meant that if you are using for example VLAN 10 and 13, you need to define both VLANs on both switches.
  As for the trunk connection (between 2 trunk ports between to cisco switches) - the trunk is a link that can move traffic from all VLANs between 2 Cisco switches, meaning that if a frame from VLAN 10 needs to go from switch 1 to switch 2, it can go over the trunk, and also if another frame belonging to VLAN 13 it can also use the trunk to go from switch1 to switch2, the trunk port is not bind to a VLAN, it can have all VLANs flowing over it to go from a switch to another.
  NOTE: Any switch port can be configured as a trunk port (having all VLANs flowing over it - Used to connect 2 switches) or as an ordinary access port in only 1 VLAN (used to connect to client workstations).
  HTH, i hope that i've been informative, please do rate all helpful replies,
  Mohammed Mahmoud.

• Vlan Mismatch WS-C6506 & 2950

  Hi guys,
  I am having problem. I am not sure about this issue. Recently, I have new switch(2950) plugin into the Core switch. However, it keep generating log every 30 mins on my core switch. any idea about this problem?
  2005 Jul 01 22:51:15 GMT+2 +07:00 %CDP-4-NVLANMISMATCH:Native vlan mismatch dete
  cted on port 3/22
  Core> (enable) show port 3/22
  * = Configured MAC Address
  Port Name Status Vlan Duplex Speed Type
  3/22 2950 connected 210 full 100 100BaseFX MM
  Core> (enable) show trunk 3/22
  * - indicates vtp domain mismatch
  # - indicates dot1q-all-tagged enabled on the port
  Port Mode Encapsulation Status Native vlan
  3/22 off negotiate not-trunking 210
  Port Vlans allowed on trunk
  3/22 1-1005,1025-4094
  Port Vlans allowed and active in management domain
  3/22 210
  Port Vlans in spanning tree forwarding state and not pruned
  3/22
  core#show ver
  WS-C6506 Software, Version NmpSW: 7.6(7)
  Copyright (c) 1995-2004 by Cisco Systems
  NMP S/W compiled on May 6 2004, 23:21:07
  System Bootstrap Version: 7.1(1)
  System Boot Image File is 'bootflash:cat6000-sup2k8.7-6-7.bin'
  System Configuration register is 0x102
  Core--->2950
  2950#show vla
  VLAN Name Status Ports
  1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
  Fa0/5, Fa0/6, Fa0/7, Fa0/8
  Fa0/9, Fa0/10, Fa0/11, Fa0/12
  Fa0/13, Fa0/14, Fa0/15, Fa0/16
  Fa0/17, Fa0/18, Fa0/19, Fa0/20
  Fa0/21, Fa0/22, Fa0/23, Fa0/24
  Fa0/25, Fa0/26
  2950#show vtp st
  VTP Version : 2
  Configuration Revision : 0
  Maximum VLANs supported locally : 250
  Number of existing VLANs : 5
  VTP Operating Mode : Transparent
  VTP Domain Name : access
  VTP Pruning Mode : Disabled
  VTP V2 Mode : Disabled
  VTP Traps Generation : Disabled
  MD5 digest : 0xB6 0x18 0x3A 0xBA 0xC7 0x54 0x71 0x55
  Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

  Hi guys,
  Thanks for promptly replied. However I had tried to harded core on 2950 Vlan 210(every interfaces). No luck. The core switch still flooding the log. Correct If I am wrong. Since my 2950 is configured as transparent. It shouldn't broadcast the VLAN info. Am I right? This is not the switch connected to the VLAN 210. I have another switch 210 connected to Core. But it doesn't generate the log.
  Core(enable) show vlan
  VLAN Name Status IfIndex Mod/Ports, Vlans
  1 default active 5 2/23-24
  3/9,3/18,3/23-24
  4/28,4/38-40
  5/9-48
  5 ServerFarm active 112 4/1-9,4/11-27,4/29-30,4/
  33-37,4/43
  5/1-8
  20 External active 10 4/10,4/41,4/44-48
  30 External2 active 11
  80 DMZ active 114 4/42
  100 User1 active 12
  120 User2 active 13 2/1-21
  3/1-8,3/10-17,3/19-21
  210 VLAN0210 active 116 2/22
  3/22
  4/31-32
  Core# (enable) show vlan 210
  VLAN Name Status IfIndex Mod/Ports, Vlans
  210 VLAN0210 active 116 1/1-2
  2/22<<
  3/22<<
  4/31-32
  15/1
  Core> (enable) show port 2/22
  * = Configured MAC Address
  Port Name Status Vlan Duplex Speed Type
  2/22 SwitchA connected 210 full 100 100BaseFX MM

• SQL Issue with MS Access

  Hello;
  I have an SQL query:
  Select year, sum(group1) as A from table1 where name in ('test1', 'test2') group by year;
  When I run it through SQL editor in MS Access it returns the years and sum and a total of 5 rows.
  When I pass this command through Java: Connection.createStatement and executeQuery
  I can print the values and it prints 5 rows but after printing it hangs.
  When i get the size of result set :
  while(rs.next())
  resultSetSize ++;
  System.out.println(rs.getInt(1) + "\t" +resultSetSize);
  It shows the result set as size of 10, when i print the values it stops at 5. I am not sure where the issue is.
  I think since my where condition is have 2 values it might be causing problem.
  If I just put 1 value after my where condition, then the java code runs fine.
  Can anyone tell me what the issue is here or where am I going wrong?
  Thanks for your help.
  Edited by: yesmein on Apr 23, 2009 5:58 AM

  Thanks for the suggestion. I checked the code. Indeed I was not printing an exception. When I printed the exception this is what i get:
  Exception is: java.sql.SQLException: [Microsoft][ODBC Driver Manager] Invalid cursor state
  hope this helps to guide me on how to solve this issue.
  Below is the code:
  public static void TestQuery()
  String query="SELECT year, sum(group1) as A FROM table1 WHERE name in ('test1', 'test2') ";
  Connection conn = ConnectDB1.getDBConnection(); //this gets the database parameters from a properties file
  Statement stat = conn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,ResultSet.CONCUR_READ_ONLY);
  ResultSet rs = stat.executeQuery(query);
  int resultSetSize=0;
  while(rs.next())
  resultSetSize ++;
  System.out.println(rs.getInt(1) + "\t" +resultSetSize);
  rs.beforeFirst();
  System.out.println("Size of result set: " +resultSetSize);
  while(rs.next())
  System.out.println(rs.getInt(1) + "\t" + rs.getInt(2) );
  rs.close();
  stat.close();
  conn.close();
  System.out.println("End of program");
  catch (Exception e){System.out.println("Exception is: " +e);}
  }

• VLAN Map issue

  I have an issue with a VLAN map I am attempting to use to filter traffic. It is a flat Layer 2 LAN so all hosts are in VLAN 1. I have a number of test machines that I want to deny access to live database servers. To do this I tried the following:
  ip access-list extended testboxes
  permit ip host x.x.x.x host x.x.x.x
  vlan access-map denytest 10
  match ip address testboxes
  action drop
  vlan filter denytest vlan-list 1
  Once I apply the VLAN map I lose all connectivity to the switch. Is there something I am missing here?
  Thanks
  Ian

  Unlike regular IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN. If a VACL is configured for a certain traffic and that traffic does not match the VACL, the default action is deny. Additionally, VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type. Add an additional permit statement allowing telnet/ssh/or web traffic to the switch:
  permit tcp host X.X.X.X host X.X.X.X eq telnet
  Best Regards
  Francisco