QinQ - injection of VLAN

Hello

We need to inject part of our own traffic into a QinQ tunnel that carries customer traffic. I have not found any document describing this situation, so I was thinking about how to do it:

- The client has VLAN ID 100, with dot1q encapsulation in the SP backbone.

- When I set up a port in VLAN 100, it will be a member of the customers' native VLAN.

- When I connect a "loopback cable" between two interfaces of the SP box like this, I will be able to inject VLANs 200 and 300 into the customers' QinQ tunnel:

interface FastEthernet0/23
 switchport access vlan 100
 switchport mode dot1q-tunnel
 switchport nonegotiate
 no cdp enable
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200,300
 switchport mode trunk
 switchport nonegotiate
 no cdp enable

I have doubts about the correctness of this approach. Is there any other way to do it?

Thanks for any comments.

Honza

I think this document explains the feature you're looking for.

http://www.Cisco.com/en/us/products/HW/optical/ps2006/products_module_configuration_guide_chapter09186a00801f0305.html
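The double tagging this thread relies on, as an added example (my code, not from the original post or Cisco): a dot1q-tunnel port pushes S-VLAN 100 in front of whatever arrives on it, so frames fed in from the Fa0/24 trunk with VLANs 200 and 300 become inner tags, and the last function is the check a provider would run to spot inner VIDs it never agreed to carry. The MAC addresses and payloads are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100      # Catalyst dot1q-tunnel ports push 0x8100 as the outer TPID too
ETH_IPV4 = 0x0800

# Constructed sample MACs (locally administered); any unicast addresses would do.
SP_MAC = bytes.fromhex("020000000001")
CUST_MAC = bytes.fromhex("020000000002")


def tag(vid, tpid=TPID_8021Q, pcp=0):
    """One 4-byte 802.1Q tag: TPID, then PCP(3) | DEI(1) | VID(12)."""
    if not 0 <= vid <= 4094:
        raise ValueError("VLAN id out of range")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def customer_frame(payload, c_vid=None):
    """Frame as the customer (or the Fa0/24 trunk in the thread) sends it:
    one C-tag, or untagged when c_vid is None."""
    hdr = CUST_MAC + SP_MAC
    if c_vid is not None:
        hdr += tag(c_vid)
    return hdr + struct.pack("!H", ETH_IPV4) + payload


def tunnel_ingress(frame, s_vid):
    """What the dot1q-tunnel port (access VLAN s_vid) does on ingress: push an
    S-tag right after the MAC addresses, without inspecting any tag already present."""
    return frame[:12] + tag(s_vid) + frame[12:]


def parse_tags(frame):
    """Walk every stacked 0x8100 tag; return (vids outer->inner, ethertype, payload)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype, frame[off + 2:]


def unexpected_inner_vlans(frames, s_vid, allowed_c_vids):
    """Provider-side check: with the loopback trick, anything the trunk side
    emits lands inside S-VLAN s_vid as an inner VID. Report inner VIDs that
    are not on the list agreed with the customer (untagged frames carry none)."""
    seen = set()
    for frame in frames:
        vids, _, _ = parse_tags(frame)
        if len(vids) >= 2 and vids[0] == s_vid and vids[1] not in allowed_c_vids:
            seen.add(vids[1])
    return sorted(seen)
```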


Similar Questions

  • 6500 QinQ vlan native risks

    I have two questions:

    (1) The 6500 (regardless of the SUP) does not support the 802.1ad standard, correct? Its "QinQ" features are not standards-based?

    (2) Can someone help me understand why native VLAN tagging is listed as a required step when configuring switchport dot1q-tunnel mode?

    (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2S...)

    I understand VLAN hopping etc., but I do not understand how this relates to the creation of a tunnel port. As I see it, a tunnel port puts all the data into the provider/S-VLAN defined on the tunnel port with "switchport mode access vlan x". This includes tagged and untagged traffic coming from the CE onto the tunnel port. I understand the best practices for native VLAN tagging on switches in general, but why do tunnel ports require it?

    I'm missing something basic here :)

    Thank you!

    Hello

    Ad 2) here is an explanation, I think:

    http://www.Cisco.com/c/en/us/TD/docs/switches/Datacenter/SW/5_x/NX-OS/in...

    Best regards

    Milan

  • 4235 IDS Sensor monitoring several VLANS & TCP Reset (packet Injection)

    I understand that the 4235 sensor can receive traffic spanned from several VLANs when 802.1q tags have been placed on it by the switches (3750s in this case).

    I have two questions (assuming the statement above is correct).

    1. Is it possible to inject traffic (e.g. reset TCP sessions) into each monitored VLAN (i.e. the 4235 would mark the injected packet with the right destination VLAN for the response), or only into the native/actual VLAN of the SPAN destination?

    2. Is the traffic seen by the 4235 as coming from multiple virtual interfaces (e.g. for the purpose of spoof detection within each VLAN)?

    Thanks much for reading this. Any input greatly appreciated.

    On your second question, no. Monitored traffic is considered as coming from a single virtual interface. The sensor reads the VLAN header on the encapsulated packets, includes it with the alarm, and also uses it for TCP resets. But you can apply signatures to VLAN-specific traffic the sensor is monitoring.

  • I have only a single IDS and would like to know if it's possible to monitor all the VLANs.

    With only one IDS I want to know if it is possible to monitor all my VLANs in the network. I use IDS version 4 and VMS IDS MC 1.1.

    If I have to set my internal addresses, and those which I define as internal are considered trusted, in the case that I configure a port on my core switch to monitor all the VLANs in my network and connect the IDS to the monitor destination port to sniff all the VLANs, which VLAN do I consider as internal?

    Also, I have Catalyst 6006 and 6509 switches with versions 5.1(3) and 12.1 respectively; can I apply shunning to take actions when an attack is detected?

    Is this configuration possible?

    Thanks for any help-

    I don't know if the IDS is able to detect the specific activity you mentioned. You would need to go through our list of signatures to see if it's possible. You could also submit a new post and ask this question again.

    As for the actions:

    CatOS 5.3 should allow you to inject TCP Reset packets through a span port (requires the inpackets enable parameter).

    In regards to blocking with CatOS 5.3, I don't think that this version supports VACLs. You may need to upgrade the CatOS version if you want to block with VACLs, and you also need a PFC and an MSFC on the supervisor.

    NOTE: If you have an MSFC doing the routing you may also block with the traditional router ACL on the MSFC.

    On the 6509 running native IOS (where IOS instead of the traditional CatOS runs on the supervisor), there may be a problem with TCP resets. I don't know if the monitor port (native IOS equivalent of a span port) will allow the incoming TCP resets. You need to check the documentation.

    Some versions of native IOS (I think the newer versions you have) will also allow you to monitor through the VLAN ACL capture feature. If the sensor is monitoring a VACL Capture port instead of a monitor port then I think that the TCP reset works OK, but I have not tested it.

    With native IOS the sensor supports router blocking with the traditional ACL; it does not support blocking with VLAN ACLs in native IOS.

    NOTE: The difference between a router ACL and a VLAN ACL is that the VLAN ACL is applied to the VLAN and applies to all packets coming into and going out of the VLAN, while the router ACL is actually applied to the VLAN INTERFACE where an IP address has been assigned and only applies to packets routed into or out of the VLAN.

    NOTE: Native IOS requires that the supervisor has an MSFC even to load the image.

  • Configuration of VLAN in PIX

    Hello!

    These 3 questions:

    (1) Does someone have a link to some VLAN configuration samples?

    (2) Does not having logical interfaces make the solution less secure than having physical interfaces?

    (3) What is the difference between physical VLANs and logical VLANs?

    Thank you and best regards,

    ovieira

    Ovieira:

    Example config:

    PIX:

    interface ethernet1 100full
    interface ethernet1 vlan10 physical
    interface ethernet1 vlan20 logical
    interface ethernet1 vlan30 logical
    !
    nameif ethernet1 DMZ security10
    nameif vlan20 MailSvrs security15
    nameif vlan30 WWWsvrs security20
    !
    ip address DMZ 192.168.0.1 255.255.255.0
    ip address MailSvrs 192.168.1.1 255.255.255.0
    ip address WWWsvrs 192.168.2.1 255.255.255.0

    Catalyst (the port the PIX ethernet1 is connected to; <mod/port> stands for the port number, which the post does not give):

    set vlan 1 <mod/port>
    set trunk <mod/port> on
    set spantree portfast <mod/port> enable
    clear trunk <mod/port> 1-1005
    set trunk <mod/port> dot1q 1,10,20,30
    set port speed <mod/port> 100
    set port duplex <mod/port> full

    (2) From a security point of view, Cisco says that the use of VLANs is actually safer. Without any VLANs configured, the PIX sends out untagged packets to whatever switch port it is connected to. If the switch port is trunking, the switch sends the packet on the native VLAN - vlan1 - which makes the switch vulnerable to a hacker injecting packets into a different VLAN via the native VLAN. As a rule, I never use the default VLAN anyway. Assign the physical interfaces on the PIX to any VLAN other than vlan1. Actually, assign the physical interface to any VLAN that is NOT the native VLAN of the switch port and you should be good.

    (3) The physical and logical interfaces are both software objects - but the actual physical object is the network card. The physical interfaces operate at both layer 2 and layer 3; logical interfaces only operate at layer 3. With this in mind, you cannot configure "failover link" or "failover lan" on logical interfaces, because those features operate at layer 2.

    Hope this helps,

    Rich

  • IPSec on vlan

    Hello

    I have two routers (C887VAG2 & ASR1006) connected point to point. I am trying to configure IPsec, but my phase 2 fails and the GRE tunnel protocol remains down. I tried VTI tunnel protection and applying the crypto map on the tunnel interface; when I apply the crypto map on the tunnel interface, I get the error message below:

    % NOTE: crypto map is configured on tunnel interface.
            Currently only GDOI crypto map is supported on tunnel interface.
    % NOTE: crypto map is configured on tunnel interface.
            Currently only GDOI crypto map is supported on tunnel interface.

    I have attached the configs for the two routers; there are no intermediate devices.

    - Is it possible to get a document that explains what headers are added to the packet when VLANs and IPsec are used?

    - An explanation of the difference between gre-over-ipsec vs ipsec-over-gre, and of how the packet gets encrypted between the routers and then decrypted at the remote site.

    Thanks and greetings

    Mpho

    % NOTE: crypto map is configured on tunnel interface.
            Currently only GDOI crypto map is supported on tunnel interface.
    % NOTE: crypto map is configured on tunnel interface.
            Currently only GDOI crypto map is supported on tunnel interface.

    I have attached the configs for both routers, there's no intermediate device.

    Since CSCtj63943 we have disabled that possibility, in order to avoid setting up something that is not supported.

    On your 2 questions:

    Transport mode

    http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html#wp56035

    Tunnel mode

    http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html#wp58618

    Of course GRE over IPsec must be configured in transport mode to avoid:

    • Wasted overhead [saves 20 bytes]
    • NAT incompatibility [without going into too much detail - tunnel mode may not work behind NAT]

    Essentially:

    GRE over IPSEC

    ---------------------------------------------------------------
    | IP header | IPSEC header | Encrypted PAYLOAD | ESP trailer |
    ---------------------------------------------------------------

    where the encrypted payload contains:

    --------------------------
    | GRE header | IP packet |
    --------------------------

    IPSEC over GRE [supported with GETVPN only]

    ---------------------------------------------------------------------
    | IP header | GRE | IPSEC header | Encrypted PAYLOAD | ESP trailer |
    ---------------------------------------------------------------------

    where the encrypted payload contains:

    -------------
    | IP packet |
    -------------

    With IPsec over GRE you 'leak' information [an attacker sees that it is GRE traffic and could start trying to blindly inject some packets simply by sending stuff encapsulated in GRE].

    Let me know if that answers your question.

  • Scan for SQL Injection

    Hello

    My site has been pulled down by the host. They sent me the following message:

    "We got information that there is SQL injection on our server and when we traced the injection point it is on your domain.
    This is the type of attack:
    SQL generic sql update injection attempt - GET parameter, SQL union select - possible sql injection attempt - GET parameter

    That's why we need to disable your Web site temporarily.
    Please scan your PC and the Web site's local files and make sure that the local files from your PC and the Web site are virus-free.
    Once you have analyzed the local files on your PC and the Web site and made sure that there is no virus, please update this ticket again
    so we can reactivate your website."

    Does anyone know what I should use to scan for this, please?

    Thank you

    Apple hosts your Web site?

  • Server App 5.1 does not work across different VLANs

    Hello

    I just installed a new server and I use the Server application. Everything seemed to work fine until I moved my iMac to a different VLAN. Profiles and settings updates do not push to the iMac and sit in a waiting state. Also, when enrolling new iMacs on the server, I get to the server login window and it crashes and does not authenticate. A screen opens saying that I can open a second window and enroll. When I try to enroll, I get an unknown error and it fails. It seems to time out. I tried changing a lot of settings suggested by other users, but nothing helped. Does anyone have advice on what could be the problem?

    See you soon

    Sean

    Hello

    I took the easy way out on this and added a USB Ethernet adapter to my Mac so that I have two physical interfaces, one in each VLAN.

    There are other ways to do this, and this is a good article:

    https://blog.Pivotal.IO/Labs/Labs/using-deploystudio-across-Subnets-a-Path-Not-Taken

    Kind regards

    Erik

  • JavaScript injection spamming after update

    Firefox auto-updated yesterday for me and immediately thereafter I have been getting JavaScript injection spam which slows my computer down significantly. In addition, I can no longer use Firebug or Inspect Element due to the spamming.

    I ran every virus scan that I have and nothing was found, so the Firefox update is the only thing I can think of as the cause.

    This is the spam that keeps coming in; how can I fix it?

    "<script id="dnt-inject-js" src="https://sc1.checkpoint.com/dev/abine/scripts/inject.js" type="application/x-javascript">"

    That seems related to the Abine 'DoNotTrackMe' product, possibly provided through its partnership with ZoneAlarm (Check Point). Could you check that you have the latest version? To update extensions, you can try this:

    Open the Add-ons page using either:

    • Ctrl+Shift+A
    • "3-bar" menu button (or Tools) > Add-ons

    In the left column, click Extensions. Then find the "gear" button above the list and choose 'Check for Updates'.

    If it continues to behave strangely, you may have to disable the extension and seek assistance from the publisher (whichever one you have a relationship with).

  • Library injected on iOS

    I trust all the apps from the App Store

    but my last app (syssecinfo)

    after checking my phone says my phone has some library injected (as in the picture)

    If someone can help me remove this file, then I would know which app made this file

    If your phone is not jailbroken then you have nothing to fear. This app is creating this kind of worry for many people, and in reality there is nothing that needs to be done. Ignore the results.

  • Satellite Pro U400: How to configure VLANs for the Marvell Yukon LAN controller

    Hi all
    I need to access 2 VLANs with the Marvell Yukon 88E8072 LAN controller on my Satellite Pro U400. I installed the necessary Marvell Network Configuration utility, which tells me after installation that the VLAN settings must be set up in Device Manager (Windows 7: right click on Computer, Properties, Device Manager, Network adapters, double click on Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Controller), but I can't find anything to configure here except wake-on-LAN.

    Any suggestion? Thank you!

    Michael

    Hello

    I think that in this case, you can use a network switch.

  • 2910al - 48G Switch: problem with the VLAN

    Hi all,

    I am writing a new message because I don't know what is happening on my 2910al-48G and v1910-48G switches.

    I configured VLAN 610 on the main core switch and gave this VLAN the IP address 100.110.10.1/24 etc., and it worked fine until yesterday. I changed only one thing: I enabled STP loop protect for the ports in the range 1-52 (I have now rolled these settings back to what they were before).

    STP configuration

    Now every PC that has had an IP in the 100.110.10.1/24 range for a long time works fine, but new PCs have a problem getting a new IP address. I tested adding a static address and the same address does not work either.

    I introduced VLAN 610 on the second v1910-48G switch as below.

    I connect this switch like this: SW 2910-48G port 46 (VLAN 610 tagged) <-> v1910-48G SW port 50 (VLAN 610 tagged); the other ports on this switch I set untagged.

    The configuration file for the v1910-48G switch looks as below:

    #
    domain default enable system
    #
    lldp enable
    #
    domain system
     access-limit disable
     state active
     idle-cut disable
     self-service-url disable
    #
    stp mode rstp
    stp enable
    #
    interface NULL0
    #
    interface GigabitEthernet1/0/1
     port link-type hybrid
     port hybrid vlan 610 620 tagged
     port hybrid vlan 1 untagged
    #
    interface GigabitEthernet1/0/2
     port access vlan 610
    #
    interface GigabitEthernet1/0/3
     port access vlan 610
    #
    interface GigabitEthernet1/0/4
     port access vlan 610
    #
    interface GigabitEthernet1/0/5
     port access vlan 610
    #
    interface GigabitEthernet1/0/6
     port access vlan 610
    #
    interface GigabitEthernet1/0/7
     port access vlan 610
    #
    interface GigabitEthernet1/0/8
     port access vlan 610
    #
    interface GigabitEthernet1/0/9
     port access vlan 610
    #
    interface GigabitEthernet1/0/10
     port access vlan 610
    #
    interface GigabitEthernet1/0/49
     port link-type hybrid
     port hybrid vlan 610 620 tagged
     port hybrid vlan 1 10 untagged
    #
    interface GigabitEthernet1/0/50
     port link-type hybrid
     port hybrid vlan 610 620 tagged
     port hybrid vlan 1 10 untagged
    #
    interface GigabitEthernet1/0/51
     port link-type hybrid
     port hybrid vlan 610 620 tagged
     port hybrid vlan 1 untagged
    #
    interface GigabitEthernet1/0/52
     port link-type hybrid
     port hybrid vlan 610 620 tagged
     port hybrid vlan 1 untagged

    etc...

    Could you help me find where I made a mistake?

    THX

    The problem is solved.

    I had blocked all the ports. That was the problem. I changed several settings and now everything works well.

  • Problem VLAN HP Mini 110-4101er

    Hello. We have a layer 2+ switch with VLANs. This netbook is unable to obtain an IP address from the DHCP server. Default network settings have been applied. The same thing happens with another HP laptop with the same Realtek NIC. But another Acer netbook works fine on the same switch port. We do not know why.

    Any help would be appreciated.

    The problem is resolved. I had to download the new drivers and the diagnostic utility from the Realtek site. With the help of the utility I set VLAN ID 0. Everything works fine.

  • GS752TP can't ping VLAN IP

    I have a switch that is not currently connected to the network, which will replace an aging switch. It has the static IP address 10.100.6.225, and I created VLAN 50 for the ShoreTel devices, set up a VLAN interface with the IP address 10.100.50.227, and enabled IP routing.

    The new switch has a GBIC for the current media converter, which will go away, but currently I have left all ports in vlan1 and made ports 1-46 untagged in VLAN 50. If I connect a PC to any port 1-46 I can ping 10.100.6.227 but not 50.227. What am I missing? And how do I configure port 48, which will have a ShoreTel switch connected to it on VLAN 50?

    Thank you

    Hi Dakota68,

    Sorry for the late reply,

    Please check whether VLAN ID 50 is defined as the PVID for ports 1-46 by going to

    Switch > VLAN > Advanced > Port PVID Configuration.

    The PVID column for ports 1-46 should say '50' (the VLAN ID for VLAN 50).

    Please see more on PVID on page 113 here:

    http://www.downloads.NETGEAR.com/files/GDC/GS728TPS/GS7xxTS_GS7xxTPS-SWA_1Mar12.PDF?CID=wmt_netgear _...

    And Yes, I recommend that you create another virtual local network for servers.

    Try and let us know if it works

  • Compatibility of VLAN with Cisco

    Hello

    We just bought 10 x new Netgear switches (all M4100) to add to an existing Cisco infrastructure.

    Simple configuration with only 6 VLANs.

    5: Admin, 30: VoIP, 101: Management, 100: first set of workstations, 102: second set of workstations, 200: IPTV, 400: Internet, 401: Wireless Management

    All I wanted to do was: the last 2 ports of each Netgear switch = T(agged) on all the VLANs. I have untagged all the other ports I want to use in the appropriate VLAN.

    VLAN 101 is my management VLAN. (Need to configure inter-VLAN routing for this to work)

    I have only turned on three switches so far and all three do not work. They work for a while and send packets, but do not receive all of them.

    What am I doing wrong?

    Do I need to get rid of the original vlan1 on the Netgear?

    Is there something I need to configure in STP to make these compatible with the Cisco (300 and 400 series) switches?

    I use an optical backbone on Cisco and Netgear switches.

    Sincere greetings,

    OLAF

    Hi Moussa,

    Thanks for reaching out.

    We got it working.

    Step 1: upgrade to the latest firmware.

    Step 2: Forget the GUI.

    We had a few issues with the old firmware causing trunk links to have some incompatibility with their tagging, and frames were dropped between the Cisco and Netgear brands.

    After the firmware upgrade we had access to the "switchport mode access" and "switchport mode trunk" commands, which fixed the access port and trunking issues.

    Thank you,

    OLAF
