Configuration of VLAN in PIX

Hello!

Three questions:

(1) Does someone have a link to some sample VLAN configurations?

(2) Does not having logical interfaces make the solution less secure than having physical interfaces?

(3) What is the difference between physical VLANs and logical VLANs?

Thank you and best regards,

ovieira

Ovieira:

Example of config:

PIX:

interface ethernet1 100full
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
!
nameif ethernet1 DMZ security10
nameif vlan20 MailSvrs security15
nameif vlan30 WWWsvrs security20
!
ip address DMZ 192.168.0.1 255.255.255.0
ip address MailSvrs 192.168.1.1 255.255.255.0
ip address WWWsvrs 192.168.2.1 255.255.255.0

Catalyst (the port the PIX ethernet1 is connected to; <mod/port> stands for that switch port, which the post does not give):

set vlan 1 <mod/port>
set trunk <mod/port> on dot1q
set spantree portfast <mod/port> enable
clear trunk <mod/port> 1-1005
set trunk <mod/port> 1,10,20,30
set port speed <mod/port> 100
set port duplex <mod/port> full

(2) From a security point of view, Cisco says that using VLANs is actually safer. With no VLANs configured, the PIX sends packets out untagged to whatever switch port it is connected to. If that switch port is trunking, the switch puts the packet on the native VLAN, vlan1, which is what makes the switch vulnerable to a hacker injecting packets into a VLAN other than the native one. As a rule, I never use the default vlan anyway. Assign physical interfaces on the PIX to some vlan other than vlan1. Actually, assign the physical interface to whatever vlan is NOT the native vlan of the switch port and you should be good.

(3) Physical and logical interfaces are both software objects, but the actual physical object is the network card. Physical interfaces operate at both layer 2 and layer 3; logical interfaces operate only at layer 3. With this in mind, you cannot configure "failover link" or "failover lan" on logical interfaces, because those features operate at layer 2.

Hope this helps,

Rich
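The native-VLAN point in the answer above, as an added example that is not part of the original thread: a small Python model of how a dot1q trunk port classifies untagged, tagged and double-tagged frames. It is not PIX or Catalyst code; the MAC addresses, the payload and VLAN 999 are made up for the example, and the trunk behaviour is the simplified classic one (native VLAN carried untagged, no `vlan dot1q tag native`).

```python
"""Model of 802.1Q trunk tagging (added example, not from the post).

Two simplified behaviours of a dot1q trunk whose native VLAN is sent untagged:
  * an untagged frame arriving on the trunk is placed in the native VLAN,
    which is where a PIX with no VLAN configured lands;
  * a frame leaving on the native VLAN goes out untagged, which is what lets
    a double-tagged frame hop into another VLAN on the next switch.
MAC addresses, payload and VLAN 999 below are constructed for the example.
"""
import struct
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100            # EtherType that marks an 802.1Q tag
ETH_IPV4 = 0x0800

DST_MAC = bytes.fromhex("ffffffffffff")          # constructed
SRC_MAC = bytes.fromhex("005054000001")          # constructed
PAYLOAD = bytes([0x45]) + bytes(19)              # looks like an IPv4 header start


def build_frame(ethertype: int, payload: bytes, vids: Tuple[int, ...] = (),
                dst: bytes = DST_MAC, src: bytes = SRC_MAC) -> bytes:
    """Ethernet frame with zero or more 802.1Q tags, outermost tag first."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> Tuple[List[int], int, bytes]:
    """Return (VIDs outermost first, inner EtherType, payload)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VID
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype, frame[off + 2:]


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def add_outer_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


class TrunkPort:
    """dot1q trunk: untagged ingress -> native VLAN; native VLAN egress -> untagged.
    `allowed` models `clear trunk ... 1-1005` followed by `set trunk ... <list>`."""

    def __init__(self, native_vlan: int, allowed_vlans) -> None:
        self.native = native_vlan
        self.allowed = set(allowed_vlans)

    def ingress(self, frame: bytes) -> Tuple[Optional[int], Optional[bytes]]:
        """VLAN the switch assigns and the frame minus that tag; (None, None) if dropped."""
        vids, _, _ = parse_tags(frame)
        if vids:
            vid, inner = vids[0], strip_outer_tag(frame)
        else:
            vid, inner = self.native, frame
        if vid not in self.allowed:
            return None, None
        return vid, inner

    def egress(self, inner: bytes, vid: int) -> bytes:
        """Frame as it appears on the wire when forwarded out this trunk in `vid`."""
        return inner if vid == self.native else add_outer_tag(inner, vid)


def trunk_hop(frame: bytes, native_vlan: int, allowed_vlans) -> Optional[int]:
    """Frame enters trunk A on switch 1, crosses to trunk B on switch 2 (same
    native/allowed settings on both); returns the VLAN switch 2 assigns."""
    a = TrunkPort(native_vlan, allowed_vlans)
    b = TrunkPort(native_vlan, allowed_vlans)
    vid, inner = a.ingress(frame)
    if vid is None:
        return None
    return b.ingress(a.egress(inner, vid))[0]


# Scenarios from the post: PIX with no VLAN (untagged) versus `vlan10 physical`,
# and an attacker frame with outer tag = native VLAN 1, inner tag = MailSvrs VLAN 20.
PIX_UNTAGGED = build_frame(ETH_IPV4, PAYLOAD)
PIX_VLAN10 = build_frame(ETH_IPV4, PAYLOAD, vids=(10,))
DOUBLE_TAGGED = build_frame(ETH_IPV4, PAYLOAD, vids=(1, 20))

if __name__ == "__main__":
    trunk = TrunkPort(native_vlan=1, allowed_vlans=[1, 10, 20, 30])
    print("untagged PIX frame lands in VLAN", trunk.ingress(PIX_UNTAGGED)[0])            # 1
    print("vlan10 physical frame lands in VLAN", trunk.ingress(PIX_VLAN10)[0])           # 10
    print("double tag, native 1:", trunk_hop(DOUBLE_TAGGED, 1, [1, 10, 20, 30]))          # 20 (hopped)
    print("double tag, native 999:", trunk_hop(DOUBLE_TAGGED, 999, [999, 1, 10, 20, 30]))  # 1 (stays)
    print("double tag, VLAN 1 pruned:", trunk_hop(DOUBLE_TAGGED, 999, [999, 10, 20, 30]))  # None (dropped)
```

Running it shows an untagged PIX frame landing in VLAN 1, the `vlan10 physical` frame in VLAN 10, a double-tagged frame hopping into VLAN 20 when the native VLAN is 1, and the same frame staying in VLAN 1 (or being dropped once VLAN 1 is pruned from the trunk) when the native VLAN is an unused one. That is the reason for the `clear trunk ... 1-1005` line in the Catalyst config and for keeping the PIX off the switch's native VLAN.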

Tags: Cisco Security

Similar Questions

  • Need help setting up a special VLAN configuration using WRVS4400N

    Hi guys,

    I need your help on how to implement a somewhat non-standard VLAN configuration.

    The situation is the following:

    The customer wants one WLAN set up for the company and another for guests. Now, that wouldn't be so difficult if we were using the internal internet connection. But the WRVS4400N will be used to implement the wireless LANs / VLANs only.

    The company uses DHCP on both of their subnets, provided by a Watchguard Firebox XTM510.

    Now, what we would do is set up port #1 for the connection to the client subnet and port #2 for the connection to the optional subnet for the guests. The first problem is that we were not able to configure DHCP forwarding to VLAN2. It works very well on the first, but the second doesn't allow it to be either enabled or disabled; DHCP is grayed out.

    To work around the problem we would be allowed to have the WRVS4400N itself provide DHCP for the guest subnet, but trying that didn't work at all.

    Is it possible? Thanks in advance!

    Best,

    Ralph.


  • RVS4000 VLAN configuration

    I am trying to set up a couple of VLANs on the RVS4000.  The router allows me to enter the VLAN ID without problem, but there doesn't seem to be a screen to set up the network and DHCP components for the new VLAN configuration.  I saved the router configuration and printed it.  There are several VLANs in the configuration with IP addresses starting at 192.168.2.0/24 and increasing by one (192.168.3.0, 192.168.4.0, etc.).   These VLAN networks contain the DHCP configuration as well.  How can I change these addresses?  Is it possible that you cannot change them and have to take what's there and use it?   When I configured a VLAN with ID 30, the nodes tied to it got an address in the 192.168.2.0 subnet, which is not what I wanted.  The manual is no help.  It says almost nothing about VLAN configuration.  Is there another source for more information on configuring the RVS4000 with VLANs?

    Also, I downloaded and installed the new firmware for the router.

    Any help is appreciated.

    Tony

    Forget it.  I figured it out.  It is on the configuration page and you need to use the drop-down list for the configured VLAN.

  • PC6224 VLAN configuration

    Hello

    I want to put my iSCSI data in two separate VLANs and think I understand what to do. I would just like someone to validate it before I go live and eventually get things horribly wrong.

    All i15-labelled ports must be configured as switchport access vlan 15
    All i16-labelled ports must be configured as switchport access vlan 16
    The four XG ports must be configured as switchport general allowed vlan add 15,16 tagged

    So far I think I have it, but I'm not sure about how to get untagged traffic crossing the XG ports.
    Will it do it automatically, or should I set switchport general pvid 1 for these ports, so all untagged traffic goes to the default VLAN?

    Do I need to set the VLAN on LAG3, or does it not matter because the ports are tagged? Or do I not have to tag the ports if the LAG is tagged? Or do I have to tag both?

    Thanks for the help,

    Jim.

    Putting a PVID on a LAG sets what VLAN untagged traffic goes to.

  • Cisco ASA: multiple active interfaces on a single switch without VLAN configuration on the switch.

    I was wondering if there is a workaround on the Cisco ASA to have 2 VLAN interfaces on one switch. The reason I ask is I have a Cisco ASA 5505 and a Dell switch that does not support VLAN configuration. I set up 2 VLAN interfaces on the Cisco ASA and when both interfaces are active my internet drops frequently. I was wondering if there is anything to configure on the Cisco ASA to make this work. Thanks in advance...

    Assuming that the Dell switch at least runs spanning tree, linking several interfaces of the ASA to the Dell should translate into a spanning-tree blocking state to avoid a spanning-tree loop.

    If the Dell does not support spanning tree then you would be in very bad shape, as each broadcast packet would loop indefinitely and cause what we call a "broadcast storm".

    One way is not good and the other is really harmful.

  • How to configure a VLAN access-map on Cisco 3650

    Hello

    I would like to configure a VLAN access-map to filter some of the VLAN traffic, but I am unable to run the vlan access-map command on the Cisco L3 3650 v03.06.00E

    Hello Ahmed,

    According to the Command Lookup Tool, 3650 v03.06.00E does not support the VLAN access-map.

    You will need Catalyst 3650 3SE to configure "vlan access-map".

    https://Tools.Cisco.com/support/CLILookup/cltSearchAction.do

    show vlan access-map (Catalyst 3650, 3SE)

    vlan access-map (Catalyst 3650, 3SE)

    I hope this helps.

    Please rate the useful messages.

    Thank you.

  • Configure 2 VLANs on SG-200-26P using WRVS4400N

    I would like to configure two VLANs on my SG-200-26P switch, using port 25 for VLAN 1 and port 26 for VLAN 2 from my WRVS4400N, then assign each port (1-24) to one or the other VLAN.

    My router has 2 VLANs: Private (1) and Public (2). Private is configured on wireless 1 and ports 1, 3 & 4. Public is configured on port 2 and public wireless.

    Each works fine with a different IP on each VLAN.

    Can I configure the switch as described above by using ports 25 and 26? Are there instructions somewhere?

    PEOPLEVISON,

    Under Port VLAN Membership, you may need to select a port before joining the VLAN...

    You can also use Port to VLAN if you wish. Just pick the VLAN at the top and click Go. Then check the Untagged radio button for the ports you want in this VLAN.

    I see no problem with what you're trying to do. Please keep us updated.

    -Marty

  • VLAN configuration on SG300-28P

    Hello

    I tried to set up VLANs on a SG300-28P, but they do not work.

    This is my setup:

    I want switch1 to have ports 1-10 access the DMZ and 11-24 the LAN.

    Then I want to add switch2-4 to expand access to the LAN.

    Is this possible?

    I tested with Cisco 2960 switches by just saying which ports have access to

    DMZ and LAN, but the small business switches are different...

    I really appreciate the help!

    Hi Francisco, assuming that the 2960 worked and there was no difference in configuration, then the problem would be that you have not added the VLAN to the trunk.  On a Catalyst you do not configure the VLANs on a trunk, since all VLANs pass through it. On SB switches you need to configure the VLANs on the trunk, otherwise only the native/default VLAN works.

    -Tom
    Please mark helpful replies.

  • VLAN configuration on SF302-08P switches

    I have the following setup using two SF302-08P PoE switches:

    1st floor

    =========

    Switch #1 <------->private network

    <------->public network

    2nd floor

    =========

    Switch #2 <------->private network

    ... public network (visible, but devices can't connect)

    I tried to make the config on switch #2 identical to switch #1, but something still does not work.

    This is probably a VLAN configuration issue, or what?

    Thank you.

    Ken Watkins

    Hi Ken, the interfaces between the switches must both have the VLANs on the port.

    Example:

    vlan 1
    vlan 2

    port 1 connects to port 1 of the second switch

    config t
    interface gi1
     switchport mode trunk
     switchport trunk allowed vlan add 2

    The ports between switches must have the native VLAN untagged and all other VLANs tagged. In my example, 1U, 2T.

    -Tom
    Please mark helpful replies.

  • Configure VLANs with SG300-10P and SA520

    Hi all

    Forgive my ignorance, but I need help with the basic configuration.

    For a small office I bought an SA520 security appliance (for a future VPN with another remote site) and an SG300-10P switch to connect 3 PCs and 3 IP phones. The SA520 is the router. I have to configure 2 VLANs on the switch:

    VLAN2: DATA (for PCs)

    VLAN3: VOICE (for IP phones)

    VLAN1: DEFAULT.

    How can I simply configure all the ports?

    I would like to configure ports 1-4 on VLAN2, ports 5-8 on VLAN3, and port G10 is reserved for the SA520 router.

    I want to split the VOICE and DATA networks.

    I think I need to create a trunk on G10 to the SA520...

    Can someone help me?

    Hi Julien,

    OK, sounds like you use the default vlan for network management and vlan 2 and vlan3 for voice and data.

    I'm using a unit here for this; my SA520 is ready at the moment.

    Step 1.  On the SA520 add vlan 2 and vlan 3 and label them voice and data respectively.

    Step 2.  Use switch port 4 on the SA520 as the trunk port to the SG-300.

    (My intent is to use vlan1 untagged, vlan 2 tagged and vlan 3 tagged on the uplink between the switch and the SA500.)

    To do this, I have to set SA520 switch port 4 to trunk mode and not access mode.

    You will need to check the membership of vlan 2 and vlan 3 on switch port 4.

    Step 3.  Now add some IPs to VLAN2 and VLAN3

    Step 4.  Create DHCP scopes on the SA520 if that is what is needed

    So now, hopefully, we have the SA520 with IPs associated to VLAN1, VLAN2 and VLAN3

    We also have switch port 4 as a trunk interface

    We are sending vlan1 untagged, vlan2 tagged and vlan3 tagged to the SG-300 switch.

    We do the opposite on the SG-300 switch.

    If you use G10 as the uplink to the SA520 you'll notice that by default port 10 must already be in trunk mode.

    Switch port G10 should be tagged for vlan 2 and tagged for vlan 3.  By default Gi10 will be untagged for vlan1.

    Make sure your switch ports are correctly set up.

    Best regards, Dave

  • 'Guest Wi-Fi' VLAN configuration on ASA 5512

    I'm trying to configure a new VLAN on my Cisco ASA 5512 running version 8.6(1)2.  This VLAN will give the wireless 'guest' APs access to my network.  I have the guest VLAN configured through my switches; I am able to dedicate a switch port to VLAN 40 and acquire an IP address in the 10.40.10.0/24 network.  Below is an extract of what I think is the relevant config information.  I am trying to carry the guest traffic out my 'outside' interface.

    Obviously I'm missing another command here.  Any help would be greatly appreciated. If more of the running-config is required please advise.  Thanks in advance!

    _________________________________________________________

    interface GigabitEthernet0/1.40
     description Guest Wireless Network
     vlan 40
     nameif guestwireless
     security-level 50
     ip address 10.40.10.5 255.255.255.0
    !
    route outside 0.0.0.0 0.0.0.0 X.X.X.X 1   (X.X.X.X is the public IP address)
    access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside
    mtu guestwireless 1500
    access-group guestwireless_access_in in interface guestwireless
    dhcpd address 10.40.10.50-10.40.10.250 guestwireless
    dhcpd dns 8.8.8.8 interface guestwireless
    dhcpd enable guestwireless

    ________________________________________________________

    Here is the killer part:

    interface GigabitEthernet0/0
     description ISP Interface
     nameif outside
     security-level 100

    Try

    interface GigabitEthernet0/0
     security-level 0

    You do not want the less secure interface with the higher security level, hehe.

    Looking for networking assistance?
    Contact me directly at [email protected]

    I will fix your problem as soon as POSSIBLE.

    See you soon,

    Julio Segura Carvajal
    http://laguiadelnetworking.com
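The security-level mistake pointed out in the reply above, together with the VLAN 1 advice from the first answer on this page, as an added example (not from the thread and not a Cisco tool): a small Python lint over ASA interface stanzas. The config text is rebuilt from the excerpt in the post (the public next hop stays X.X.X.X); the checks and their messages are this example's own.

```python
"""Lint for ASA interface stanzas (added example, not from the thread).

Parses `interface ...` blocks from an ASA running-config and flags:
  * an `outside` interface whose security-level is not 0;
  * a subinterface tagged with VLAN 1 (the default native VLAN);
  * two interfaces sharing a security level (needs same-security-traffic).
The sample config is constructed from the post's excerpt.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Iface:
    name: str
    nameif: Optional[str] = None
    security_level: Optional[int] = None
    vlan: Optional[int] = None


def parse_asa_interfaces(config: str) -> List[Iface]:
    """Collect interface stanzas; a non-indented line ends the current stanza."""
    ifaces: List[Iface] = []
    cur: Optional[Iface] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith("interface "):
            cur = Iface(name=raw.split(None, 1)[1].strip())
            ifaces.append(cur)
            continue
        if not raw.startswith(" "):        # top-level command such as `route`: stanza over
            cur = None
            continue
        if cur is None:
            continue
        line = raw.strip()
        if m := re.fullmatch(r"nameif (\S+)", line):
            cur.nameif = m.group(1)
        elif m := re.fullmatch(r"security-level (\d+)", line):
            cur.security_level = int(m.group(1))
        elif m := re.fullmatch(r"vlan (\d+)", line):
            cur.vlan = int(m.group(1))
    return ifaces


def audit_interfaces(ifaces: List[Iface]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for i in ifaces:
        if i.nameif == "outside" and i.security_level not in (None, 0):
            findings.append(f"{i.name} ({i.nameif}): security-level {i.security_level}, "
                            "the ISP-facing interface should be 0 (least trusted)")
        if i.vlan == 1:
            findings.append(f"{i.name}: subinterface on VLAN 1, the default native VLAN; "
                            "use a dedicated VLAN instead")
    by_level: Dict[int, List[str]] = {}
    for i in ifaces:
        if i.security_level is not None:
            by_level.setdefault(i.security_level, []).append(i.nameif or i.name)
    for level, names in by_level.items():
        if len(names) > 1:
            findings.append(f"security-level {level} shared by {', '.join(names)}: traffic "
                            "between them needs `same-security-traffic permit inter-interface`")
    return findings


# Constructed from the post's excerpt; X.X.X.X is left as in the post.
POSTED_CONFIG = """\
interface GigabitEthernet0/0
 description ISP Interface
 nameif outside
 security-level 100
!
interface GigabitEthernet0/1.40
 description Guest Wireless Network
 vlan 40
 nameif guestwireless
 security-level 50
 ip address 10.40.10.5 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
"""
FIXED_CONFIG = POSTED_CONFIG.replace(" security-level 100", " security-level 0")

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_interfaces(parse_asa_interfaces(cfg)) or ["no findings"])
```

On the posted excerpt the only finding is the outside interface at security-level 100; after changing it to 0 the lint is clean. The same-security-level check is there because two interfaces at the same level silently do not pass traffic between each other on an ASA without `same-security-traffic permit inter-interface`, which is the other common surprise when adding a guest subinterface.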

  • What VLAN configuration requires the switch connection to be defined as an access port?

    What VLAN configuration requires the switch connection to be defined as an access port?

    External switch tagging

  • A bet with the network team: configuring VLANs on ESX does not work against Cisco?

    Hello

    We have a large ESX site and I have a bet with one of the network admins.

    I configured a vSwitch to work with 1 NIC. On this vSwitch I configured 1 VLAN with VLAN ID 100.

    I told the network guy to set up the switch side there, and he said he has set it up as 'Access' and not trunk as I normally ask, because it's only 1 VLAN.

    I said ok and we tried and nothing works; when I configured VLAN 0 in ESX, it started working.

    Of course we cannot leave it like that and need to configure the VLAN on ESX.

    I told them that once I configured the VLAN on my side there is nothing more to do here, and they need to do their thing there.

    They say the same thing.

    Who is right? Is it something they need to configure on their side if it's 'access' and not 'trunk'?

    Or is it something on my side?

    This may help your network management team http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004074

    and

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalID=1003806

    Please don't forget to award points for "helpful" or "correct" answers

    Mauro Bonder - moderator

  • VLAN configuration on a host-only network interface.

    I'm running CentOS 2.6 and I'm trying to configure VLANs on a host-only interface.  I get an invalid argument error from vconfig.  Are VLANs not supported on host-only networking?  I have searched around for a while but have not found a clear answer.

    Interesting, because on my OpenSUSE 11.1 x64 host the same vconfig command works fine. I have not tested the VLAN further, but certainly no error:

    # vconfig add vmnet1 900
    Added VLAN with VID == 900 to IF -:vmnet1:-
    #

    Guy Leech

    VMware vExpert 2009

    ---

    If you have found this or any other answer useful please consider using the Helpful or Correct buttons to award points.

  • Changing VLAN configuration from the ESX console

    Guys,

    I just built 2 ESX 3.5 servers.  Unfortunately I forgot to configure the VLAN on the console NIC. Is there any way to do it through the ESX console? I don't want to do a reinstall.

    Thank you.

    > esxcfg-vswitch

    Here is a good link

    http://VMware-land.com/esxcfg-help.html
