VTP v2 Transparent mode forwarding

All,
As part of my recertification, I am studying VTP (again) and I ran into the following question:
I know VTP v1 switches in transparent mode only forward VTP advertisements if the domain name is the same and if the version is the same (so only v1 gets forwarded, and only if the domain name matches).
I know VTP v2 has a feature called version-independent forwarding: a VTP v2 transparent switch will forward VTP v2 packets as well as VTP v1 packets.
BUT what about the domain name? Does it still need to match?
Will a VTP v2 transparent switch in domain "Cisco" forward a VTP v1 or v2 advertisement of domain "TEST"?
regards,
Geert

Ok. Thx. Let us believe the documentation.
Although it is not really clear why this feature is called "version dependent transparent mode" and not "version independent transparent mode". To me it seems more logical, since it forwards v1 and v2, to call it version independent...
So in the following situation:
SW1 ---- trunk ---- SW2 ---- trunk ---- SW3
Server               Transparent         Client
VLANs 1,2,3
Domain TEST          Domain Cisco        Domain TEST
If SW2 is running VTP v1 --> SW3 does not know any VLANs
If SW2 is running VTP v2 --> SW3 does see VLANs 1,2,3
Geert
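An added example (not code from the original thread or from Cisco) that decodes VTP summary advertisements and models the two forwarding rules the thread arrives at: a v1 transparent switch forwards only when version and domain both match, a v2 transparent switch forwards v1 and v2 advertisements without inspecting the domain. It assumes the 72-byte summary-advertisement header layout (version, code, followers, domain length, 32-byte domain name, revision, updater identity, 12-byte timestamp, 16-byte MD5 digest); the frames it builds are constructed samples, and the audit helper is a defender-side check for foreign domains or revision jumps seen on a trunk.

```python
"""Decode VTP summary advertisements and model transparent-mode forwarding.

Added example, not code from the original post or from Cisco.  Assumption:
the 72-byte summary-advertisement header (version, code, followers, domain
length, 32-byte domain name, revision, updater identity, 12-byte timestamp,
16-byte MD5 digest).  Frames built here are constructed samples, not captures.
"""
import struct
from dataclasses import dataclass

VTP_SUMMARY_ADVERT = 0x01                    # message code: summary advertisement
HEADER = struct.Struct("!BBBB32sII12s16s")   # 72 bytes, network byte order


@dataclass(frozen=True)
class SummaryAdvert:
    version: int       # VTP protocol version carried in the message (1 or 2)
    domain: str        # management domain name
    revision: int      # configuration revision number
    updater: str       # updater identity (IP of the switch that last changed the DB)
    followers: int     # number of subset advertisements that follow


def build_summary(version: int, domain: str, revision: int,
                  updater: str = "10.0.0.1", followers: int = 0) -> bytes:
    """Construct a summary advertisement (sample data for this example)."""
    dom = domain.encode("ascii")
    if len(dom) > 32:
        raise ValueError("VTP domain names are at most 32 bytes")
    updater_u32 = struct.unpack("!I", bytes(int(o) for o in updater.split(".")))[0]
    return HEADER.pack(version, VTP_SUMMARY_ADVERT, followers, len(dom),
                       dom.ljust(32, b"\0"), revision, updater_u32,
                       b"\0" * 12, b"\0" * 16)      # timestamp and MD5 left zero


def parse_summary(frame: bytes) -> SummaryAdvert:
    """Decode a summary advertisement; reject anything malformed."""
    if len(frame) < HEADER.size:
        raise ValueError("truncated VTP summary advertisement")
    (ver, code, followers, dlen, dom_raw,
     revision, updater, _ts, _md5) = HEADER.unpack_from(frame)
    if code != VTP_SUMMARY_ADVERT:
        raise ValueError(f"not a summary advertisement (code {code:#04x})")
    if dlen > 32:
        raise ValueError("domain length exceeds the 32-byte field")
    domain = dom_raw[:dlen].decode("ascii")
    updater_ip = ".".join(str(b) for b in struct.pack("!I", updater))
    return SummaryAdvert(ver, domain, revision, updater_ip, followers)


def transparent_forwards(local_version: int, local_domain: str,
                         adv: SummaryAdvert) -> bool:
    """Forwarding decision of a transparent-mode switch as the thread reads it.

    VTP v1 transparent: forward only when version AND domain name match.
    VTP v2 transparent ("version-independent forwarding"): forward v1 and v2
    advertisements without inspecting the domain name.
    """
    if local_version == 1:
        return adv.version == 1 and adv.domain == local_domain
    return adv.version in (1, 2)


def client_accepts(local_domain: str, local_revision: int,
                   adv: SummaryAdvert) -> bool:
    """A server/client applies an advertisement only from its own domain and
    only when the revision is higher than the one it already holds."""
    return adv.domain == local_domain and adv.revision > local_revision


def sw3_learns_vlans(sw2_version: int) -> bool:
    """The thread's topology: SW1 (server, TEST) - SW2 (transparent, Cisco) -
    SW3 (client, TEST, revision 0).  SW1 advertises with VTP version 1."""
    adv = parse_summary(build_summary(version=1, domain="TEST", revision=3))
    if not transparent_forwards(sw2_version, "Cisco", adv):
        return False
    return client_accepts("TEST", 0, adv)


def audit(adv: SummaryAdvert, expected_domain: str,
          expected_revision: int) -> list[str]:
    """Defender's sanity check for advertisements seen on a trunk: flag a
    foreign domain or a revision beyond what change control expects."""
    findings = []
    if adv.domain != expected_domain:
        findings.append(f"unexpected VTP domain {adv.domain!r}")
    if adv.revision > expected_revision:
        findings.append(f"revision {adv.revision} exceeds expected "
                        f"{expected_revision} (updater {adv.updater})")
    return findings


if __name__ == "__main__":
    for v in (1, 2):
        print(f"SW2 running VTP v{v}: SW3 learns VLANs = {sw3_learns_vlans(v)}")
```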

Similar Messages

  • VTP transparent mode and using VTP domain

    Hi all,
    Need to ask a question: when using VTP transparent mode, is it a good idea to use a VTP domain name and password?
    I know switches in transparent mode act as independent of each other.
    So need to know why we should use a VTP domain and password with transparent mode?
    thanks
    mahesh

    Mahesh,
    I know this is 2 years later, but it will help others who come across this. If you have a Transparent switch mixed with Server and Client switches, this is your concern....... If you do not put the Transparent switch in the same domain, then it will not forward VLAN changes to other switches.
    So Sw1(Server-CCIE Domain) <-------> Sw2(Transparent-CCIE Domain) <-------> Sw3(Client-CCIE Domain)
    The above will work because the Transparent switch is in the same domain. This means that SW3 will get any VLAN changes that are done on SW1.
    Now let's look at it the other way.........
    Sw1(Server-CCIE Domain) <-------> Sw2(Transparent-Null Domain)  <-------> Sw3(Client-CCIE Domain)
    Two things are going to happen here
    1) The transparent switch is not in the same domain, so SW3 will never get any updates when changes to VLANs are done on SW1. So if I add one VLAN to SW1, and that makes the Configuration Revision increase to the value of 10, that means SW3's Revision will still be 9, and will remain that way until the issue is corrected.
    2) If you are dynamically negotiating trunks, this will never happen due to the mismatched domains. Meaning that your trunks will never come up because you did not put your Transparent switch in the same domain.
    Kiel Martin 

  • The difference between VTP server and transparent mode on Catalyst Switch.

    Hello 
    I have a question about the difference between VTP server mode and VTP transparent mode on general catalyst switch.
    Basically VTP server mode can create and modify VLAN configuration, but actually there is not any VLAN configuration in the running-config, is it true? When I checked it on a Cat3550, certainly there is no VLAN configuration in VTP server mode. But VTP transparent can create VLANs and configuration but does not synchronize with other switches' VLAN status. I appreciate any related information and the reason for the VTP server mode specification, thank you very much.
    [VTP Transparent mode]
    3550#sh vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 27
    VTP Operating Mode              : Transparent
    VTP Domain Name                 :
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    *omit
    3550#
    3550#sh run
    Building configuration...
    *omit
    vlan 99
     name TEST-VLAN
    [VTP Server mode]
    3550#sh vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 27
    VTP Operating Mode              : Server
    VTP Domain Name                 :
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    *omit
    3550#
    3550#sh run
    Building configuration...
    *no VLAN like above configuration on VTP transparent mode.
    Best Regards,
    Masanobu Hiyoshi

    Hi mhiyoshi,
    3550#sh vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 27
    VTP Operating Mode              : Transparent
    VTP Domain Name                 :
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    *omit
    3550#
    3550#sh run
    Building configuration...
    *omit
    vlan 99
     name TEST-VLAN
    The above output indicates that the VLAN was created and then the mode was changed to transparent, i.e. why the revision number is 0.
    3550#sh vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 27
    VTP Operating Mode              : Server
    VTP Domain Name                 :
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    *omit
    3550#
    3550#sh run
    Building configuration...
    *no VLAN like above configuration on VTP transparent mode.
    This indicates that the VLAN was never created in server mode nor learnt from another switch, as the revision number is 0.

  • VTP change from server mode to transparent mode

    Hi,
    We have a VTP domain in which all switches are in transparent mode. However, several have the wrong domain name or mode. As a result, some errors are being displayed in the log. I would like to change the VTP configuration in those switches. They are all in a production network. Which would be the best way to do it without causing problems to the network?
    Regarding the switches which are in mode server and have a wrong domain name, should I change firstly the mode to transparent and then the domain name? Is there any risk of losing the vlan configuration?
    Thanks in advance.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    You write that all switches are in transparent mode, but also ask regarding those in server mode - i.e. which is it?
    "Safest" would be to switch a server (or client) mode switch to transparent before changing the domain name. If you switch the domain name first, yes, you expose yourself to having shared VLAN information changed.

  • VTP Transparent Mode in 2924XL/3524XL

    I have a 2924XL ver 12.0(5)WC11 connected to two 3550 ver 12.1(22)EA5 via 802.1Q trunks. They are all in the same VTP domain. The 2924XL is in VTP Client mode & the two 3550s are in VTP Server mode. There are only 6 VLANs - 1, 223, 1002, 1003, 1004, & 1005. I am attempting to change all switches to VTP Transparent mode.
    Starting w/the 2924XL, when I change the mode from VTP Client mode to VTP Transparent mode, the interfaces w/the trunk links immediately bounce & when they come back up, communication is only established thru VLAN1 & I am no longer able to communicate with devices in VLAN223.
    Connection was restored when I reconfigured the 2924XL back to VTP Client mode.
    What is causing this problem & what is the proper way to convert to Transparent mode w/o interruption of service?
    Thanks!

    Humm ...
    well, please help me to understand the problem.
    The VTP Client saves the VLAN info in RAM, and not in NVRAM like a VTP Server ... when you change the VTP mode from Client to Transparent, why do you lose your VLAN info?
    If you do a "sh vlan" on one of your switches that is in client mode, then change it to be in transparent mode, none of them would disappear.
    It will simply stop listening to VTP messages regarding the creation and deletion of VLANs.
    Then, of course, you have to create the VLAN database in NVRAM ...
    Thanks for your support
    Regards
    Andrea

  • Move a switch from VTP client mode to VTP transparent mode

    Hi,
    Does anybody have an experience / knowledge if I move a switch from VTP client mode to VTP transparent mode, should I re-create all the VLANs on this switch?
    Thank you!

    Hi there,
    The VTP and the VLANs are separate beasts.
    The switch has a VLAN database which is held in a separate file to the config. If you type "sh flash" you'll see it in there.
    VTP passes around the VLAN information and the switch stores it in the VLAN database. If you remove the switch from the VTP domain, then VTP will not be able to update this file and it will remain exactly as it was.
    In short - if you've got 20 VLANs, when you go to VTP transparent, you'll still have 20 VLANs.
    Regards,
    LH
    Please rate all posts

  • ASR5k transparent mode

    Hi,
    in order to configure transparent mode in ASR5k to disable authentication and to allow everyone, what is the appropriate command so co
    in the SAMI module we used to configure 'access-mode non-transparent' under the APN
    what is the equivalent in ASR5k?
    we have configured the following 2 commands and we still have an authentication failure for the GTP user
    aaa authentication subscriber none
    apn {apn_name}
      authentication allow-noauth

  • Transparent Mode - running-config are not saved to Startup-config, Normal ?

    I configured a switch to be in Transparent Mode, then I issued the copy run start command, then I issued the show start-up command; however, the running-config is not copied to the start-up config.
    Is it normal for the switch?
    vtp mode transparent
    int fa0/1
    switchport mode access
    switchport access vlan 5
    int fa0/2
    switchport mode access
    switchport access vlan 6

    Hi,
    If you use transparent instead of server or client, there should be no problem with copy run start. (The difference is that in this case your switch doesn't participate in the VTP communication, only forwards the received messages and doesn't update its VTP db).
    During the copy running-config startup-config did you get some error message? (not enough space or something) Please first check the flash with the show flash command.
    Or try to save your running config to flash, not to startup config: copy running flash:test.cfg
    If you need more help please send me output of show flash at least...
    bye
    FCS
    Please rate me if I helped.

  • Cisco ASA 5512 Transparent mode

    Hi all - hope this is the right place to ask this question-
    I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
    I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM,Syslog, configure, etc.
    I have the interfaces set up thusly:
    interface GigabitEthernet0/0
    nameif UnTrustedNetwork
    security-level 0
    interface GigabitEthernet0/1
    nameif TrustedNetwork
    security-level 100
    interface Management0/0
    nameif ManagementAccess
    security-level 100
    ip address 192.168.X.Y 255.255.255.0
    management-only
    I cannot figure out how to install a default route so that interface Management0/0 with its IP of 192.168.X.Y can be reached from
    other networks, like 10.6.X.Y, etc.
    I thought the point of a Management interface was that you could set things up in such a way that the Management interface
    was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces,
    (at least not in transparent mode, for NAT you obviously would have to)
    I tried to add a static route entry to 10.6.X.Y , but
    when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork ??
    How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?

    A transparent firewall is configured differently from routed mode.
    Here's a basic config required:
    firewall transparent               (erases the current config; does not require a reboot)
    interface BVI1
    ip address 192.168.10.10 255.255.255.0
    interface GigabitEthernet0
    nameif outside
    bridge-group 1
    security-level 0
    interface GigabitEthernet1
    nameif inside
    bridge-group 1
    security-level 100
    route outside 0.0.0.0 0.0.0.0 192.168.10.254
    route inside 10.0.0.0 255.0.0.0 192.168.10.100
    I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic
    The old syntax (pre 8.3 or 8.2 not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
    Hope that helps,
    Patrick

  • Transparent Mode

    Rather unconventional design that I am trying to test with a transparent mode firewall.... attached diagram
    Clients [VLAN 100] connected on L3 Switch with SVI as default gateway
    Firewall using one physical port which is sub-interfaced with INSIDE-100 and OUTSIDE-200 interfaces
    What's working
    - ICMP when initiated from the L3 Switch SVI to Client VLAN 100 works fine, as I can see traffic through the firewall
    What's not working
    - Packet inspection when ICMP is initiated from Client 10.x.100.10 to Client 10.x.100.20 does not go through the firewall
    As the L3 Switch is holding ARP and MAC, client to client will work. This is where I would like the transparent firewall to be the bump and have all client to client traffic go through the firewall. Note the default gateway for the clients is on the L3 switch, which cannot be changed.
    Will appreciate your comments. I would rather not go the routed mode path and want to test to see if any solution with transparent mode works.

    Okay, so let's discuss the use of subinterfaces from the ASA point of view first.
    The subinterface with a VLAN in transparent mode is only used for carrying traffic from one interface and passing it on to the other interface. It doesn't exactly work like a switch where traffic received on one VLAN will only be passed in the same VLAN. To avoid the confusion Cisco now terms it a BVI, where you can keep two separate VLANs under the same BVI. What this does is, say I have the following configuration on the ASA
    interface gi0/1.100
       vlan 100
       nameif inside
      bridge-group 10
    interface gi0/1.200
      vlan 200
      bridge-group 10
      nameif outside
    So this BVI interface bridges between VLAN 100 and 200. It means if traffic is coming from VLAN 100, the ASA switches VLAN 100 with VLAN 200 and forwards the traffic.
    So three points to remember
    1) a transparent firewall is a switch with two interfaces with layer 2 capability.
    2) a transparent firewall cannot be used for routing
    3) a transparent firewall cannot do a U-TURN of traffic (if you do a "same-security-traffic permit intra-interface" it will give you an error)
    Now coming to the topic of discussion.
                                   vlan 200, vlan 100
    client 1 (vlan 100) ------ switch --------------------------- gi0/1 ASA
    (10.x.10.100/24)              |              trunk
                                  |
                                  |
                          client 2 (vlan 200)
                          10.x.10.200/24
    okay, now 10.x.10.100 has to ping 10.x.10.200
    1) The client finds the destination is on the same network. So no question of the default gateway coming into the picture. Client 1 will try to find the MAC address of client 2. Hence it will send an ARP broadcast.
    2) The switch receives the ARP broadcast on VLAN 100. The switch sends this broadcast to all interfaces which are in VLAN 100 (this is important). On the trunk link the switch will add VLAN tag 100 to the broadcast frame.
    3) The ASA will receive this broadcast and, since it is a frame with VLAN tag 100, it will mark it as received on the inside interface.
    here the ASA will have the information
    inside mac address of client
    4) Now since it is a BVI, the ASA will simply change the broadcast's VLAN tag to 200.
    5) When the switch gets this broadcast, since it has received it from VLAN 200, it will forward it out of all interfaces in VLAN 200. (This is where in Amar's case, since there is no interface in VLAN 200, the ARP dies here.)
    6) Client 2 will now receive the ARP broadcast, open it and find it is related to it.
    This procedure will be repeated since client 2 also needs client 1's MAC address.
    Any other questions?

  • Transparent Mode using WCCP v2

    Dear All,
    Greetings. Please correct me if I am wrong. Whether to use GRE or L2 redirection depends on the router/switch?
    What are the parameters to be configured in Transparent Redirection 'Load-Balancing Method' and 'Forwarding Method' when using GRE?
    Please help me to understand more about GRE and L2 redirection when in transparent mode, and the configuration in S-Series.
    Many Thanks,
    ezekiel

    Ezekiel,
    L2 is the preferred method when possible, since GRE adds an extra 28 bytes of overhead. For L2 to be possible, the WSA must be directly connected to the router / WCCP device.
    If the WSA is more than 1 hop away, GRE MUST be used.
    The major difference between Hashing and Masking is that if Masking is supported, the router / switch will consume less CPU building the load balancing tables.
    It's recommended that you set the WSA to use "Hashing or Masking". The WSA will then negotiate with the WCCP router which to use. If your router supports both, Masking is preferred.
    Hope this helps.
    Please help regarding WCCP v2.
    My company had 2 routers & 2 WSA. Each WSA is directly connected to the each router.
    Can I use both WCCP L2 & GRE? If possible, can give some examples?

  • Cisco 2960S Configured in Transparent mode

    I have a Cisco 2960S gig switch configured in transparent mode with multiple vlans configured. I have printers that I can ping, the ports shows up but on the printer it says offline. Any idea what could be causing this?

    If your printer and your PCs are all in the same subnet and only the printer is not working, then VTP mode Transparent has nothing to do with your issue.
    I'd be keen to know if you have a firewall blocking anything from the IP address of the printer? Maybe the IP subnet mask or default gateway of the printer is not working?
    What do you get when you do a "sh mac-address interface <PRINTER port>"?

  • CISCO SWITCH IN TRANSPARENT MODE

    hello everyone,
    I have a 2960 compact switch. I wanted to know whether it's possible to make this switch transparent. The requirement is that whenever the switch is connected to any LAN, it should be able to access the LAN without any configuration being made.

    No, it is not at all dumb.
    Transparent mode means the switch does not learn VLANs using VTP.
    It will just pass VLAN-tagged packets even for VLANs it does not "know".
    but then again, where must the switch send them to?
    your options are
    - trunk port with all VLANs allowed
    - access port with a configured access VLAN (but then the VLAN must be known)
    As John already pointed out, most attached devices need a connection to an access port
    or they must be able to process VLAN-tagged packets themselves and be attached to a trunk port
    a partial solution is
    - configure one port as a VLAN trunk (connected to another trunk port)
    - for every VLAN configure a number of ports as access ports
    if you have sufficient ports you may configure a number of ports in each of the VLANs (you mentioned 12?)
    Your limitations are the VLANs you configured and the number of access ports configured for each VLAN.
    eg a 48 (+1 uplink) port switch with 4 ports in each VLAN.

  • ASA Transparent Mode For Multiple Subnets

    I am looking to replace a FortiGate firewall which is currently working in transparent mode handling multiple subnets with an ASA 5515. Currently, I am testing the transparent mode configuration on an ASA 5505, and it will not forward any traffic that is not in the same subnet as the IP address assigned to the BV interface.
    For example, the following configuration works.
    10.0.0.3/24 (computer) ---> 10.0.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)
    However, the following does not work
    10.0.0.3/24 (computer) ---> 10.10.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)
    I thought that transparent mode is just a bump in the wire, so why does the IP address/subnet assigned to the BV interface affect the traffic? Is the ASA capable of handling other/multiple subnets in transparent mode other than the subnet assigned to the BV interface?
    By the way, I used to run a PIX 515E 7.2(2) in transparent mode filtering multiple subnets. The current ASA 5505 is on 9.0(1). Is it a limitation on the ASA 5505 model but not on the more powerful ASA models?
    Thank you

    Thank you @ttemirgaliyev, I tried, but multiple context is not supported by the ASA 5505.
    I have an example of a PIX configuration in transparent mode filtering multiple subnets. I was using this configuration in a production environment in the past. I am wondering if an ASA 5510 or higher can handle this setup.
    : Saved
    : Written by enable_15 at 10:57:25.766 UTC Wed Jul 16 xxxx
    PIX Version 7.2(2)
    firewall transparent
    hostname pixfirewall
    enable password xxxxxxxxxx encrypted
    names
    interface Ethernet0
    nameif outside
    security-level 0
    interface Ethernet0.1
    vlan 1
    no nameif
    no security-level
    interface Ethernet1
    nameif inside
    security-level 100
    interface Ethernet1.1
    no vlan
    no nameif
    no security-level
    passwd xxxxxxxxxx encrypted
    ftp mode passive
    access-list outside extended permit udp any host 10.0.0.210
    access-list outside extended permit udp any host 10.0.0.3
    access-list outside extended permit tcp any host 10.0.0.110 eq smtp
    access-list outside extended permit tcp any host 10.0.0.110 eq www
    access-list outside extended permit tcp any host 10.0.0.57 eq smtp
    access-list outside extended permit tcp any host 10.0.0.57 eq www
    access-list outside extended permit tcp any host 10.0.0.75 eq www
    access-list outside extended permit tcp any host 10.0.0.75 eq ftp
    access-list outside extended permit tcp any host 10.0.0.75 eq 5003
    access-list outside extended permit tcp any host 10.0.0.75 eq 403
    access-list outside extended permit tcp any host 10.0.0.75 eq 407
    access-list outside extended permit tcp any host 10.0.0.76 eq ftp
    access-list outside extended permit tcp any host 10.0.0.2 eq pcanywhere-data
    access-list outside extended permit udp any host 10.0.0.2 eq pcanywhere-status
    access-list outside extended permit tcp any host 10.0.10.61
    access-list outside extended permit tcp any host 10.0.10.62
    access-list outside extended permit tcp any host 10.0.10.63
    access-list outside extended permit tcp any host 10.0.10.64
    access-list outside extended permit tcp any host 10.0.13.225 eq ftp
    access-list outside extended permit tcp host 192.168.4.30 host 10.0.17.254 eq telnet
    access-list outside extended permit tcp any host 10.0.13.225 eq telnet
    access-list outside extended permit tcp any host 10.0.10.61 eq 50
    access-list outside extended permit udp any host 10.0.10.61 eq isakmp
    access-list outside extended permit tcp any host 10.0.10.62 eq 50
    access-list outside extended permit udp any host 10.0.10.62 eq isakmp
    access-list outside extended permit tcp any host 10.0.10.63 eq 50
    access-list outside extended permit udp any host 10.0.10.63 eq isakmp
    access-list outside extended permit tcp any host 10.0.10.64 eq 50
    access-list outside extended permit udp any host 10.0.10.64 eq isakmp
    access-list outside extended permit tcp any host 10.0.0.219
    access-list outside extended permit udp any host 10.0.0.219
    access-list outside extended permit udp any host 10.0.10.61
    access-list outside extended permit udp any host 10.0.10.62
    access-list outside extended permit udp any host 10.0.10.63
    access-list outside extended permit udp any host 10.0.10.64
    access-list outside extended permit icmp any host 10.0.10.29
    access-list outside extended permit tcp any host 10.0.10.29 eq ftp
    access-list outside extended permit tcp any gt 1023 host 10.0.10.29 eq ftp-data
    access-list outside extended permit tcp any host 10.0.0.110 eq pop3
    access-list outside extended permit tcp any host 10.0.0.57 eq pop3
    access-list outside extended permit tcp any host 10.0.10.27 eq pcanywhere-data
    access-list outside extended permit udp any host 10.0.10.27 eq pcanywhere-status
    access-list outside extended permit tcp any host 10.0.10.31 eq pcanywhere-data
    access-list outside extended permit udp any host 10.0.10.31 eq pcanywhere-status
    access-list outside extended permit tcp any host 10.0.0.222 eq pcanywhere-data
    access-list outside extended permit udp any host 10.0.0.222 eq pcanywhere-status
    access-list outside extended permit icmp any host 10.0.10.28
    access-list outside extended permit tcp any host 10.0.10.28 eq pptp
    access-list outside extended permit gre any host 10.0.10.28
    access-list outside extended permit ip any host 10.0.10.28
    access-list outside extended permit ip any host 10.0.10.29
    access-list outside extended permit tcp any host 10.0.10.25 eq 8234
    access-list outside extended permit tcp any host 10.0.17.217 eq 8234
    access-list outside extended permit tcp any host 10.0.17.217 eq 8235
    access-list outside extended permit tcp any host 10.0.17.217 eq www
    access-list outside extended permit ip any host 10.0.10.36
    access-list outside extended permit ip any host 10.0.10.37
    access-list outside extended permit ip any host 10.0.10.38
    access-list outside extended permit ip any host 10.0.10.39
    access-list outside extended permit ip any host 10.0.10.40
    access-list outside extended permit ip any host 10.0.10.41
    access-list outside extended permit tcp any host 10.0.0.235 eq www
    access-list outside extended permit tcp any host 10.0.10.2 eq www
    access-list outside extended permit tcp any host 10.0.10.2 eq 3389
    access-list outside extended permit tcp host 192.168.1.234 host 10.0.0.211 eq 4899
    access-list outside extended permit tcp any host 10.0.0.211 eq www
    access-list outside extended permit tcp any host 10.0.10.35 eq www
    access-list outside extended permit tcp any host 10.0.10.36 eq www
    access-list outside extended permit tcp any host 10.0.10.37 eq www
    access-list outside extended permit tcp any host 10.0.10.38 eq www
    access-list outside extended permit tcp any host 10.0.10.39 eq www
    access-list outside extended permit tcp any host 10.0.10.40 eq www
    access-list outside extended permit tcp any host 10.0.10.41 eq www
    access-list outside extended permit tcp any host 10.0.0.110 eq https
    access-list outside extended permit tcp any host 10.0.0.57 eq https
    access-list outside extended permit tcp any host 10.0.0.75 eq https
    access-list outside extended permit tcp any host 10.0.17.217 eq https
    access-list outside extended permit tcp any host 10.0.0.234 eq 220
    access-list outside extended permit tcp any host 10.0.0.235 eq https
    access-list outside extended permit tcp any host 10.0.10.2 eq https
    access-list outside extended permit tcp any host 10.0.0.211 eq https
    access-list outside extended permit tcp any host 10.0.10.35 eq https
    access-list outside extended permit tcp any host 10.0.10.36 eq https
    access-list outside extended permit tcp any host 10.0.10.37 eq https
    access-list outside extended permit tcp any host 10.0.10.38 eq https
    access-list outside extended permit tcp any host 10.0.10.39 eq https
    access-list outside extended permit tcp any host 10.0.10.40 eq https
    access-list outside extended permit tcp any host 10.0.10.41 eq https
    access-list outside extended permit tcp any host 10.0.10.35 eq 8234
    access-list outside extended permit tcp any host 10.0.10.36 eq 8234
    access-list outside extended permit tcp any host 10.0.10.37 eq 8234
    access-list outside extended permit tcp any host 10.0.10.38 eq 8234
    access-list outside extended permit tcp any host 10.0.10.39 eq 8234
    access-list outside extended permit tcp any host 10.0.10.40 eq 8234
    access-list outside extended permit tcp any host 10.0.10.41 eq 8234
    access-list outside extended permit tcp any host 10.0.10.35 eq 8235
    access-list outside extended permit tcp any host 10.0.10.36 eq 8235
    access-list outside extended permit tcp any host 10.0.10.37 eq 8235
    access-list outside extended permit tcp any host 10.0.10.38 eq 8235
    access-list outside extended permit tcp any host 10.0.10.39 eq 8235
    access-list outside extended permit tcp any host 10.0.10.40 eq 8235
    access-list outside extended permit tcp any host 10.0.10.41 eq 8235
    access-list outside extended permit udp any host 10.0.0.222
    access-list outside extended permit gre any any
    access-list outside extended permit ip host 10.0.10.28 any
    access-list outside extended permit ip host 10.0.0.211 any
    access-list outside extended permit ip host 10.0.10.35 any
    access-list outside extended permit ip host 10.0.10.36 any
    access-list outside extended permit ip host 10.0.10.37 any
    access-list outside extended permit ip host 10.0.10.38 any
    access-list outside extended permit ip host 10.0.10.39 any
    access-list outside extended permit ip host 10.0.10.40 any
    access-list outside extended permit ip host 10.0.10.41 any
    access-list outside extended permit ip host 10.0.0.222 any
    access-list outside extended permit ip host 10.0.0.234 any
    access-list outside extended permit icmp host 10.0.0.234 any
    access-list outside extended permit tcp any host 10.0.0.235 eq 3389
    access-list outside extended permit ip host 10.0.0.254 any
    access-list outside extended permit tcp any host 10.0.0.2 eq 3389
    access-list outside extended permit tcp any host 10.0.13.240 eq 5900
    access-list outside extended permit udp any host 10.0.13.240 eq 5900
    access-list outside extended permit tcp any host 10.0.13.240 eq 3283
    access-list outside extended permit udp any host 10.0.13.240 eq 3283
    access-list outside extended permit tcp any host 10.0.13.240 eq ssh
    access-list outside extended permit tcp any host 10.0.10.12 eq www
    access-list outside extended permit tcp any host 10.0.0.212 eq www
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address 10.0.0.230 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group outside in interface outside
    route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    snmp-server host inside 10.0.0.234 community xxxx
    no snmp-server location
    no snmp-server contact
    snmp-server community xxxx
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    prompt hostname context
    Cryptochecksum:c887f562a196123a335c5ebeba0ad482
    : end

  • ASA Transparent mode multicast traffic in 8.2 and 8.4

    Hi,
    When I configured 8.2 in transparent mode and deployed it in a network that was working on EIGRP, I found the neighborship stopped; when I allowed the multicast address and protocol on the outside interface it started working. But when I deployed an ASA with 8.4 and then allowed the multicast address and protocol on both interfaces (inside and outside), after that it started working.
    So I want to know the reason to allow the multicast address and protocol on 8.4 for both interfaces. I am not able to find any answer for this.

    Hi Mahesh,
    By default an ASA in transparent mode does not allow any packets not having a valid EtherType greater than or equal to 0x600. As per my knowledge this concept remains the same for all versions of ASA. Most control plane protocols are denied.
    An ASA in transparent mode only allows ARP, broadcast traffic, and TCP and UDP inspected unicast traffic.
    For EIGRP to work through a transparent firewall, we need to open ACLs in both directions for both the multicast and unicast types of EIGRP traffic on all versions of the ASA Firewall.
