VLAN Traffic restriction

Hi,
I want to block extra ports or traffic between VLANs. We have installed Cisco 4500 series core switches (root switches) and 3750 access switches.
Can anybody help me with how I can block extra ports like ICMP and remote access? One more thing: these ports should be allowed only from specific IPs in the other VLAN.
Two VLANs are running in our network.
Regards,
Faisal

You can do an access-list like this:
ip access-list extended ters_in
 remark inbound from the VLAN 43 hosts (10.1.3.32/27): only TCP/2100 to the server
 permit tcp 10.1.3.32 0.0.0.31 host 192.168.2.9 eq 2100
 deny   ip any any
ip access-list extended ters_out
 remark outbound towards the VLAN 43 hosts: only the server's replies from TCP/2100
 permit tcp host 192.168.2.9 eq 2100 10.1.3.32 0.0.0.31
 deny   ip any any
interface Vlan43
 description ters
 ip address 10.1.3.33 255.255.255.224
 ip access-group ters_in in
 ip access-group ters_out out
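An ACL like the one above is applied blind unless you test what it actually matches. The following is an added example, not part of the original answer: a small Python evaluator for the subset of the IOS extended-ACL grammar used in ters_in (permit/deny, protocol, any / host / address-plus-wildcard, optional eq port), with first-match semantics and the implicit deny at the end. The policy it loads is the thread's ters_in plus one hypothetical entry (an assumed admin host 10.1.3.34) that permits SSH from a single workstation, which is the "remote access only from specific IPs" part of Faisal's question; the test flows are constructed.

```python
"""First-match evaluator for Cisco IOS extended ACL entries.

Added example, not code from the original thread. It understands the
subset of the ACL grammar used above:
    permit|deny <proto> <src-spec> [eq <port>] <dst-spec> [eq <port>]
where a spec is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'. The policy
text below is the thread's ters_in plus one hypothetical line that lets a
single admin host (10.1.3.34, an assumption) reach the server over SSH.
"""
import ipaddress

# Constructed policy text (the thread's ters_in plus a hypothetical SSH entry).
ACL_TEXT = """
remark VLAN 43 hosts may only reach the server on TCP/2100
permit tcp 10.1.3.32 0.0.0.31 host 192.168.2.9 eq 2100
remark hypothetical: one admin workstation may also SSH to it
permit tcp host 10.1.3.34 host 192.168.2.9 eq 22
deny   ip any any
"""


def _parse_spec(tokens, i):
    """Consume an address spec at tokens[i]; return ((base, mask), next_index).

    Addresses are kept as integers so non-contiguous wildcard masks work too.
    A Cisco wildcard is the inverse of a netmask: 0 bits must match, 1 bits
    are ignored.
    """
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(tok)) & mask, mask), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>'; return (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Return the ACL as a list of (action, proto, src, sport, dst, dport)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_spec(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_spec(tokens, i)
        dport, _ = _parse_port(tokens, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def _matches(addr, spec):
    base, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == base


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """Return 'permit' or 'deny' for one packet.

    The first matching entry wins, and an entry with protocol 'ip' matches
    every IP protocol. Anything that matches no entry hits the implicit
    'deny ip any any' that IOS appends to every ACL.
    """
    for action, eproto, esrc, esport, edst, edport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if not (_matches(src, esrc) and _matches(dst, edst)):
            continue
        if esport is not None and esport != sport:
            continue
        if edport is not None and edport != dport:
            continue
        return action
    return "deny"


ENTRIES = parse_acl(ACL_TEXT)

# Constructed test flows: (label, proto, src, dst, sport, dport).
FLOWS = [
    ("app traffic from a VLAN 43 host", "tcp", "10.1.3.40", "192.168.2.9", 51000, 2100),
    ("ping from a VLAN 43 host", "icmp", "10.1.3.40", "192.168.2.9", None, None),
    ("SSH from an ordinary VLAN 43 host", "tcp", "10.1.3.40", "192.168.2.9", 51001, 22),
    ("SSH from the admin host", "tcp", "10.1.3.34", "192.168.2.9", 51002, 22),
    ("app traffic from outside the /27", "tcp", "10.1.3.70", "192.168.2.9", 51003, 2100),
]


def verdicts():
    """Map each constructed flow label to the ACL verdict."""
    return {label: evaluate(ENTRIES, *flow) for label, *flow in FLOWS}


if __name__ == "__main__":
    for label, verdict in verdicts().items():
        print(f"{verdict:6s} {label}")
```

Running it shows TCP/2100 from any host in 10.1.3.32/27 permitted, ICMP and SSH from an ordinary host denied, SSH from the assumed admin host permitted, and TCP/2100 from 10.1.3.70 denied because it falls outside the range the 0.0.0.31 wildcard covers. The same check for ters_out is run with the server as source and the VLAN 43 hosts as destination. What no evaluator can tell you is which protocols you forgot to list: with an explicit deny at the end, DHCP, DNS and anything else the VLAN 43 hosts need from beyond the server is dropped as well, so enumerate the required flows before applying the lists.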

Similar Messages

  • Wireshark capture on access port displays different vlan traffic

Hi Guys,
I have a Nexus 4001i Blade Center switch where I have a server connected in access mode to a particular VLAN.
When I use Wireshark on this port, I see traffic conversations of different servers in different VLANs, which seems strange to me.
Does anybody have an idea why a server on an access port is able to see other VLANs' traffic with Wireshark? I also see non-multicast and non-broadcast conversations.
The port the server is connected to is not a monitor port; it is only in switchport mode access.
Thanks in advance for your feedback

    Hi,
    So it looks like you're getting unicast traffic flooded to all ports. There are a couple of reasons I've come across that can cause this.
    Asymmetric routing: See Unicast Flooding in Switched Campus Networks and/or Case Study #8: Asymmetric Routing and HSRP (Excessive Flooding of Unicast Traffic in Network with Routers That Run HSRP) for details of why it happens and how to prevent it.
    Microsoft Network Load Balancing. As per the Microsoft Troubleshooting NLB:
    In unicast mode (the default Forefront TMG cluster operation mode) NLB induces switch flooding, by design, relaying packets sent to the VIP addresses to all cluster hosts. Switch flooding is part of the NLB strategy for obtaining the best throughput for any specific load of client requests. However, if the NLB interfaces share the switch with other (non-cluster) computers, switch flooding can add to the other computers' network overhead by including them in the flooding and consequently have a detrimental effect on network and/or server performance.
    Regards

  • Vlan traffic is not passing through Wireless Bridge

Hi,
Recently we have placed a wireless bridge in our network (Cisco AIR-BR1410A-E-K9 model). After installing the bridge we are facing an issue: only the management interface traffic is reachable through the bridge, but we are not able to reach other VLAN traffic.
The management range is in VLAN 1 (which includes the APs, switch and router) and the bridge IPs are also in VLAN 1.
The switch port is kept in trunk mode at both ends of the bridge. Still, other VLAN traffic is not reachable. Do we have to add any special configuration for this?
All the business users are in VLAN 3.
All the sales team users are in VLAN 123.
The problem is that the other-end switches, which are in VLAN 1, are reachable for me through the bridge, but VLAN 3 and VLAN 123 are not reachable for me. Users are not getting IPs; when we assigned static IP addresses and tested, it still did not work.
I am attaching my wireless bridge configuration to the discussion; please help with this issue.
Root Bridge ---- Non-Root Bridge --- Cisco Switch -- Cisco Switch..
I am able to reach those two switches as well, but not the VLAN 3 users who are connected to those switches.

    Hi,
infrastructure-ssid has been set at both ends; still not able to get IPs on the devices.
I am not able to attach txt files in the reply. Could you please let me know your email ID so that I can send the config files to you?

  • Monitoring VLAN traffic

    I moved from 2500 series routers to a switched network using a Catalyst 3750 and 3560 switches over the course of the last year. In my routed network I used MRTG to monitor traffic on my interfaces. In my switched network environment I have not been able to find a free or low cost tool that will monitor VLAN traffic. Any suggestions?

I have the same problem and found these links that provided answers:
http://forums.cacti.net/about29656.html&highlight=
http://www.experts-exchange.com/Hardware/Networking_Hardware/Switches/Q_23738165.html
VLANs on 3560s, 3750s and 3550s do not show stats. The packets are forwarded by the ASICs and do not cross the CPU for actual processing. To actually see the traffic you will need to turn off CEF, which decreases performance significantly (not recommended; see the links above).

  • VLAN Traffic Monitoring

Hi all
I have 2900XL core switches which in turn are connected to several 2950 switches. All are in VLAN 1.
I have a few questions:
When people say broadcast traffic should not be more than 20% of the VLAN traffic:
1. Does it mean the broadcasts on a single port of the 2950 switch, or on the core switch?
2. How do I know the VLAN traffic?
Any tools etc., and how is the setup?
Hope someone can help. :)
Thanks in Advance.
Alan


  • Routing VLAN traffic

    Is it possible to route VLAN traffic?
    We have two buildings, each with several Catalyst 2950s and a 2651 router hosting several VLANS.
    Can we connect the 2651s together and expand the VLANs into the other building?

Hi
Can you give info about how these two buildings are connected to each other? As far as routing is concerned, you can configure sub-interfaces under the physical interface on your router. Are these 2950s connected to the 2651? If they are, how are your VLANs spread? Are you using any sort of VTP? If your 2950s are connected to the 2651 then you can go for a sub-interface per VLAN.
For example, if you have 3 VLANs you can configure the physical interface on your router as
interface f0/0.1
 encapsulation dot1q 1
 ip address 192.168.1.1 255.255.255.0
and so on
Thanks
Mahmood

  • SFE2000 & ACL to stop VLAN traffic

    Hi All,
I have set up a new SFE2000 switch to work in Layer 3 mode using the IP address 192.168.100.254 on VLAN 1.
Additional VLANs are:
VLAN2     192.168.102.x     To be used for guest wireless access
VLAN3     192.168.103.x
VLAN4     192.168.104.x
I would like VLAN1, 3 and 4 to be able to communicate with each other, while VLAN2 (Guest) needs to be restricted from everything except web access and DHCP assignment from our server.
I have been playing with various ACLs in an effort to accomplish this but so far I have drawn a blank in getting this working.
Can anyone shed any light for a managed-switch newbie?
Thanks in advance
James

I was able to get this working with ACLs and by setting a static route from the router (in my case a Sonicwall TZ 180) back to the SG300 network. I have enclosed screen shots of the config from the GUI. You need to bind the ACL to whatever ports you want to filter the guest traffic on, either where they would connect a hard-wired connection or where you would connect your wireless AP. The ACL I have created allows VLAN 13 to get a DHCP address and communicate through DNS but nothing else. 192.168.9.254 is the Sonicwall router, which I wanted on a different VLAN.
Hope this helps others with their setup.

  • How much VLAN traffic on .1Q trunk

Hi guys, we have two 6509s connecting to each other with eight L2 links which are .1q trunks. There are VLAN interfaces on both 6509s for vlan10 and vlan20. My question is how to find out how much vlan10 and vlan20 traffic is going through link1? I know we can get the stats on the VLAN interface, but are there any other ways to check it on the trunk interface?
6509 - eight .1Q trunks - 6509
Thanks. Leo


  • Per VLAN traffic shaping on ME3400

Customer-side Metro 3400 switch:
Port is 100Mb, VLAN 80 is 80Mb CIR, VLAN 81 is 10Mb CIR.
I want to shape each VLAN down to its CIR.
What is the best configuration to do this? Here is what I tried...
    class-map match-all vlan81
    match vlan 81
    class-map match-all vlan80
    match vlan 80
    policy-map ATTCIR
    class vlan80
    bandwidth 80000
    class vlan81
    bandwidth 10000
    policy-map out-policy
    class class-default
    shape average 90000000
    service-policy ATTCIR
    IMC-OPTEMAN(config)#int gig0/1
    IMC-OPTEMAN(config-if)#service-policy out
    IMC-OPTEMAN(config-if)#service-policy output out-policy
QoS: Configuration failed. Match VLAN filter is not allowed in classmap of output policymap
    IMC-OPTEMAN(config-if)#
    I also try using access-lists and get the following:
    access-list 180 permit ip any 192.168.128.0 0.0.0.255
    access-list 181 permit ip any 192.168.100.0 0.0.0.255
    class-map match-all vlan81
    match access-group 181
    class-map match-all vlan80
    match access-group 180
    policy-map ATTCIR
    class vlan80
    bandwidth 80000
    class vlan81
    bandwidth 10000
    policy-map out-policy
    class class-default
    shape average 90000000
    service-policy ATTCIR
    IMC-OPTEMAN(config-if)#service-policy output out-policy
Configuration Failed. Can not have ACL based classification in a class-map within an output policy-map

Thank you!
Your advice worked perfectly for marking the input traffic. Now I am unable to shape the output traffic the way I want. Since this is a 100Mb FastEthernet interface, the error message is that I can only shape to 50000000.
Here is the config I want; the 10000000 shaping works, but the ME3400 will not accept 80000000 class-based shaping on a FastEthernet interface.
    class-map match-all vlan81class
    match vlan 81
    class-map match-all vlan81out
    match qos-group 81
    class-map match-all vlan80class
    match vlan 80
    class-map match-all vlan80out
    match qos-group 80
    policy-map vlan80group
    class class-default
    set qos-group 80
    policy-map vlan81group
    class class-default
    set qos-group 81
    policy-map inputgroup
    class vlan80class
    service-policy vlan80group
    class vlan81class
    service-policy vlan81group
    policy-map ATTOPT
    class vlan81out
    shape average 10000000
    class vlan80out
    shape average 80000000

  • 1200 Series - Tagged Management VLAN Traffic

    Hi,
As per my understanding, the 1200 Series access points running IOS (12.2(15)XR) send the management traffic (RADIUS, Accounting, NTP etc.) untagged, i.e. using VLAN 1.
As per our current setup, we assign this untagged traffic to a different VLAN (by changing the native VLAN to x for the trunk port) on the Cisco switch.
Is it possible to configure the access point to send management traffic tagged with a particular VLAN ID? (Similar to what it does for wireless traffic, when SSIDs are associated with specific VLANs.)
We are trying to set this up with a 3Com 4400 series switch, and I have been unable to configure the 3Com switch so that it assigns the untagged traffic to a different VLAN instead of VLAN 1.
    Regards \\ Naman

Changing the native VLAN doesn't make a difference. I can create any VLAN and make it native, but management traffic is still being sent untagged.
Below is the setup I tested:
AP--->Trunk Link<->Switch Port (Native VLAN=15)
Switch Port --->Trunk Link<->Router with VLAN 15
I can make any VLAN the native VLAN on the AP and it doesn't affect the functionality, as long as the switch's native VLAN matches the corresponding VLAN on the router.

  • How to isolate vlan traffic

I want to create two VLANs, VLAN 1 and VLAN 2. The setup is that VLAN 1 can communicate with VLAN 2, but VLAN 2 may not have any permission to communicate with VLAN 1. My switch is a Cisco 3750X. How can I configure this?

Hi,
Don't forget that IP communication is bidirectional and that ACLs are stateless. Unless you use a stateful feature like reflexive ACLs or a firewall feature, you can't permit all communication from VLAN 1 to VLAN 2 and at the same time block VLAN 2 to VLAN 1, because then you'll block the reply traffic sent in response to the permitted traffic from VLAN 1 to VLAN 2.
On access/distribution switches like the 29xx/35xx there is no such feature, so your only solution is to do the inter-VLAN routing on a router or firewall and apply the filtering policy on that device.
Regards
Alain
Don't forget to rate helpful posts.
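Alain's point can be made concrete with a short simulation. The following is an added example, not from the thread, using two hypothetical subnets (VLAN 1 = 10.1.1.0/24, VLAN 2 = 10.1.2.0/24) and a filter modelled as the ACL applied in on the VLAN 2 SVI, where every packet a VLAN 2 host sends, including its replies to VLAN 1, is seen. It compares three ways of treating VLAN 2 to VLAN 1 traffic: a plain stateless deny, the IOS established keyword (which matches TCP segments with the ACK or RST bit set, a flag test rather than a connection test), and a reflexive entry learnt from the flow VLAN 1 was permitted to open. Hosts, ports and packets are constructed.

```python
"""Why a one-way inter-VLAN ACL breaks TCP, and what a stateful filter changes.

Added example, not code from the original thread. Two hypothetical VLANs:
VLAN 1 (10.1.1.0/24) may open connections into VLAN 2 (10.1.2.0/24), but
VLAN 2 must not open connections into VLAN 1. The filter is modelled as the
ACL applied 'in' on the VLAN 2 SVI, i.e. it sees every packet that VLAN 2
hosts send, including their replies to VLAN 1.
"""
import ipaddress
from collections import namedtuple

VLAN1 = ipaddress.ip_network("10.1.1.0/24")  # constructed
VLAN2 = ipaddress.ip_network("10.1.2.0/24")  # constructed

# flags is a set of TCP flag names, e.g. {"SYN", "ACK"}
Packet = namedtuple("Packet", "src sport dst dport flags")


def _vlan2_to_vlan1(pkt):
    return (ipaddress.ip_address(pkt.src) in VLAN2
            and ipaddress.ip_address(pkt.dst) in VLAN1)


class Filter:
    """Inter-VLAN policy in one of three modes.

    stateless   plain ACL: deny everything from VLAN 2 to VLAN 1
    established IOS 'established' keyword: permit VLAN 2 -> VLAN 1 only when
                the ACK or RST bit is set (a flag check, not a state check)
    reflexive   reflexive ACL / firewall: permit VLAN 2 -> VLAN 1 only if it
                is the reverse of a flow VLAN 1 was allowed to start
    """

    def __init__(self, mode):
        if mode not in ("stateless", "established", "reflexive"):
            raise ValueError(mode)
        self.mode = mode
        self.expected_replies = set()  # reverse 4-tuples learnt from VLAN 1

    def vlan1_in(self, pkt):
        """ACL 'in' on the VLAN 1 SVI: VLAN 1 may start anything."""
        if self.mode == "reflexive":
            self.expected_replies.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "permit"

    def vlan2_in(self, pkt):
        """ACL 'in' on the VLAN 2 SVI: this is where the policy bites."""
        if not _vlan2_to_vlan1(pkt):
            return "permit"  # not covered by the policy (e.g. VLAN 2 -> Internet)
        if self.mode == "stateless":
            return "deny"
        if self.mode == "established":
            return "permit" if pkt.flags & {"ACK", "RST"} else "deny"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return "permit" if key in self.expected_replies else "deny"


def handshake_reply(mode):
    """VLAN 1 host opens TCP/80 to a VLAN 2 host; verdict on the SYN/ACK."""
    f = Filter(mode)
    syn = Packet("10.1.1.10", 50000, "10.1.2.20", 80, {"SYN"})
    f.vlan1_in(syn)
    synack = Packet("10.1.2.20", 80, "10.1.1.10", 50000, {"SYN", "ACK"})
    return f.vlan2_in(synack)


def unsolicited_ack(mode):
    """VLAN 2 host sends an ACK-flagged segment nobody asked for (ACK scan)."""
    f = Filter(mode)
    probe = Packet("10.1.2.20", 40000, "10.1.1.10", 22, {"ACK"})
    return f.vlan2_in(probe)


def new_connection(mode):
    """VLAN 2 host tries to open SSH into VLAN 1; must fail in every mode."""
    f = Filter(mode)
    syn = Packet("10.1.2.20", 40001, "10.1.1.10", 22, {"SYN"})
    return f.vlan2_in(syn)


def summary():
    """Verdict table: mode -> (reply, unsolicited ACK, new connection)."""
    return {m: (handshake_reply(m), unsolicited_ack(m), new_connection(m))
            for m in ("stateless", "established", "reflexive")}


if __name__ == "__main__":
    for mode, (reply, probe, conn) in summary().items():
        print(f"{mode:12s} reply={reply:6s} ack-probe={probe:6s} new-conn={conn}")
```

The stateless filter drops the SYN/ACK, so no connection from VLAN 1 into VLAN 2 ever completes, which is exactly the trap Alain describes. established lets the reply through but also lets through an unsolicited ACK-flagged probe from VLAN 2 (the classic ACK-scan gap), because it checks bits in the segment rather than whether anyone asked for it. Only the reflexive table permits the reply and nothing else; where the switch cannot do that, as Alain says for these access platforms, the stateful half of the policy belongs on the router or firewall that does the inter-VLAN routing.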

  • Dropping vlan traffic to an IDS device

    We have a very busy vlan that we're capturing traffic from and sending it to a Gig port connected to an IDS device. Approximately 20% of the traffic is either being dropped by the switch capture port or the IDS device. We've been told 3% dropped traffic is acceptable and we're trying to figure out how to limit the dropped traffic for that vlan. Any ideas? Thanks,
    Dave Magorty
    Network Infrastructure

    Here's a pretty good description that includes an example of what you're trying to do:
    http://www.flukenetworks.com/fnet/en-us/supportAndDownloads/KB/IT+Networking/SuperAgent/How_do_I_limit_traffic_spanned_to_SuperAgent_on_a_Cisco_6500.htm
    note the "layered" application of ACL's and the use of "action forward" and "action forward capture"

  • RV220W - VLAN traffic filtering

    Hi all,
Can I please ask if anyone knows how to filter traffic between VLANs on the RV220W? I cannot seem to see a way.
I only have two VLANs: the main VLAN and a separate VLAN for guest WiFi access. I have inter-VLAN routing disabled on the guest VLAN, but I do want guests to have access to a couple of devices on the main VLAN, printers etc. Also, using a PPTP connection remotely, I would like to be able to access the guest VLAN.
    Thanks in advance.
    Damien

    Hi Tom,
    I was under the impression that the RV220W does support full tunnel but then again I might be mistaken.  I have not used the SSL VPN yet but I will give it a try.
    Thanks,
    Jose

  • Routing vlan traffic out from SGE2000P

    We have one SGE2000P switch that we are testing in Layer 3. We have a very simple configuration with some vlans that we want to route to our corporate network, but I want to test if there is actually traffic coming out from the up-link port first.
    1- Created the vlans:
    VLAN1:     10.10.1.12 /16 (native)
    VLAN10: 172.16.10.1 /24
    VLAN20:  192.168.0.1 /24
    2- Assigned ports to VLans:
    Port g3 is in Vlan 10
    Port g22 is in Vlan 20
    Port g1 is by default on Vlan 1 (native)
    3 - Connected PCs to Vlans:
    PC connected at g3 has Vlan 10 IP as gateway (172.16.10.1)
    PC connected at g22 has Vlan 20 IP as gateway (192.168.0.1)
4 - It looks like inter-VLAN routing is working, because both PCs can ping each other.
5 - I added a default route to another testing machine's IP, i.e. 0.0.0.0/0 via 10.10.0.1, connected to port g1, but the ping doesn't work.
    Now the questions:
    1 - How can I test if there is traffic being routed to port g1 from the vlans ???
    2 - What else do I need to add in the switch config to take traffic out from the vlans to Port g1 ???
    For reference, the sw's running-config:
    console# show running-config
    vlan database
    vlan 10,20
    exit
    interface ethernet g3
    switchport access vlan 10
    exit
    interface ethernet g22
    switchport access vlan 20
    exit
    interface vlan 1
    ip address 10.10.1.12 255.255.0.0          
    exit
    interface vlan 10
    ip address 172.16.10.1 255.255.255.0
    exit
    interface vlan 20
    ip address 192.168.0.1 255.255.255.0
    exit
    ip route 0.0.0.0 0.0.0.0 10.10.0.1 
    console#
    Any help / comment is much appreciated.
    Thanks in advance,
    jose

    Hello Jose,
    In order for a vlan to be active, you will have to have something connected to a port on that vlan. In this case you should be able to add a PC to port g1 and set it to be 10.10.1.1 with gateway of 10.10.1.12.
    If you are looking to add a router in place as the main way out to the internet, you will:
    have to have the router IP be 10.10.1.1
    add a static route in the router for each subnet pointing back to 10.10.1.12
    With the ip route already in there for 0.0.0.0 to 10.10.1.1, you should be able to get online.

  • How to enable VLAN traffic in Mac book Pro

    Hi
I am running Yosemite on a MacBook Pro 13", and also Windows 8.1 in Parallels v10 (the latest one).
In my line of work we use custom tools to communicate with our products; all the tools are Windows-based and work at layer 2.
Some of the tools transmit with a VLAN ID. I can see that the packets are sent with the VLAN tag, but nothing is returned. On deeper inspection I found that the returned packet, which is also VLAN-tagged, is simply dropped and doesn't reach Windows.
On a regular Windows machine I can control the VLAN setting in the NIC configuration, and typically what the NIC does is decapsulate the VLAN tag.
How do I do the same on a Mac?
    Please help.
    thanks

