VLAN ACL M4100

Dear Sir

We want to create an access list to isolate our guest Wi-Fi network from all the other VLANs.
When I do, the other SSIDs disappear from our laptops.

I applied the access list inbound on our guest SVI:

! System Description "M4100-24G-POE+ ProSafe 24-port Gigabit L2+ Managed Switch with PoE+, 10.0.2.13, B1.0.1.1"
! System Software Version "10.0.2.13"
! System Up Time "28 days 22 hours 39 minutes 58 seconds"
! Additional Packages QOS,IPv6,Routing
! Current SNTP Synchronized Time: SNTP Last Attempt Status Is Not Successful
!
vlan database
vlan 99,200-208,455-456,999
vlan name 99 "TEST"
vlan name 200 "Clients"
vlan name 201 "Telefonie"
vlan name 202 "guest"
vlan name 203 "fr"
vlan name 204 "TD"
vlan name 205 "DMZ"
vlan name 206 "printers"
vlan name 207 "media"
vlan name 208 "Wireless"
vlan name 999 "3com"
vlan routing 1 1
vlan routing 200 2
vlan routing 201 3
vlan routing 202 4
vlan routing 203 5
vlan routing 204 6
vlan routing 205 7
vlan routing 206 8
vlan routing 207 9
vlan routing 208 10
vlan routing 455 11
vlan routing 456 12
vlan routing 99 13
exit

network mgmt_vlan 203
ip http secure-server
configure
time range
ip default-gateway 10.253.255.1
username "admin" password 483f42190380e8780a9d32a3c63d31b86d6ad49b870db8306af86a9ce3e06cd9a39f66e666e86f0aaab777b0ab9fe571908247c31d904463d1a0767400f8e763 level 15 encrypted
username "secit" password 912ba98d721224814ea15db6dec1701819e75dfcafa635831e9eab148c105c20ba85dc61882dd47a65eb66dff6cf0005a1a2232b6957ec898cd6187c6bdbb510 level 15 encrypted
line console
exit

line telnet
exit

line ssh
exit

spanning-tree bpduguard

!

ip access-list ACL_Wizard_IPv4_0
exit

ip access-list Deny_Guest_Intervlan_Routing
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.1.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.3.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.4.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.5.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.6.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.7.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.8.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.9.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.11.0 0.0.0.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit

class-map match-all ClassVoiceVLAN ipv4
match vlan 201
exit

policy-map PolicyVoiceVLAN in
class ClassVoiceVLAN
assign-queue 3
exit

exit

interface 0/1
description "ACCESSPORTS"
vlan participation include 200-201
vlan tagging 201
exit

interface 0/2
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 1000000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/3
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201,204
vlan tagging 201
ip mtu 1500
exit

interface 0/4
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/5
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 1000000
vlan pvid 99
vlan participation include 99,200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/6
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/7
voice vlan 201
service-policy in PolicyVoiceVLAN
description "ACCESSPORTS"
vlan pvid 203
vlan participation include 200-201
vlan tagging 201
exit

interface 0/8
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/9
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/10
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/11
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/12
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/13
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation auto 1
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/14
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation auto 1
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/15
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation auto 1
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/16
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 202
vlan participation auto 1
vlan participation include 201-202
vlan tagging 201
ip mtu 1500
exit

interface 0/17
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit

interface 0/18
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 203
vlan participation include 200-201,203
vlan tagging 201
ip mtu 1500
exit

interface 0/19
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 206
vlan participation auto 1
vlan participation include 201,206
vlan tagging 201
ip mtu 1500
exit

interface 0/20
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 999
vlan participation include 200-201,204-207,455-456,999
vlan tagging 200-201,204-207,455-456
ip mtu 1500
exit

interface 0/21
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 455
vlan participation auto 1
vlan participation include 200-204,455-456
vlan tagging 200-204
ip mtu 1500
exit

interface 0/22
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
switchport mode trunk
switchport trunk native vlan 456
vlan pvid 456
vlan participation auto 1
vlan participation include 200-204,456
vlan tagging 200-204
ip mtu 1500
exit

interface 0/23
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
switchport mode trunk
switchport trunk native vlan 456
vlan pvid 456
vlan participation include 200-204,456
vlan tagging 200-204
ip mtu 1500
exit

interface 0/24
bandwidth 100000
switchport mode trunk
switchport trunk native vlan 999
vlan pvid 999
vlan participation include 200-208,455-456,999
vlan tagging 200-207,455-456
ip mtu 1500
exit

interface vlan 1
routing
ip address dhcp
exit

interface vlan 200
routing
ip address 10.253.0.1 255.255.255.0
exit

interface vlan 201
routing
ip address 10.253.1.1 255.255.255.0
exit

interface vlan 202
routing
ip address 10.253.2.1 255.255.255.0
ip access-group Deny_Guest_Intervlan_Routing vlan 202 in
exit

interface vlan 203
routing
ip address 10.253.3.1 255.255.255.0
exit

interface vlan 204
routing
ip address 10.253.4.1 255.255.255.0
exit

interface vlan 205
routing
ip address 10.253.5.1 255.255.255.0
exit

interface vlan 206
routing
ip address 10.253.6.1 255.255.255.0
exit

interface vlan 207
routing
ip address 10.253.7.1 255.255.255.0
exit

interface vlan 208
routing
ip address 10.253.8.1 255.255.255.0
exit

interface vlan 455
routing
ip address 10.253.255.2 255.255.255.0
exit

interface vlan 456
routing
ip address 10.253.11.1 255.255.255.0
exit

interface vlan 99
routing
ip address 10.253.9.1 255.255.255.0
exit

ip management vlan 203
service dhcp
ip dhcp pool "Telefonie"
lease 7 0 0
dns-server 8.8.8.8 8.8.4.4
default-router 10.253.1.1
network 10.253.1.0 255.255.255.0
domain-name secit.be
netbios-node-type b-node
exit

ip dhcp pool "guest"
lease 0 12 0
dns-server 8.8.8.8 8.8.4.4
default-router 10.253.2.1
network 10.253.2.0 255.255.255.0
domain-name secit-guest.be
netbios-node-type b-node
exit

ip dhcp pool "media"
lease 0 12 0
dns-server 10.253.3.2 8.8.4.4
default-router 10.253.7.1
network 10.253.7.0 255.255.255.0
domain-name secit-media.be
netbios-node-type b-node
exit

ip dhcp pool "TD"
lease 0 14 0
dns-server 10.253.3.2 8.8.4.4
default-router 10.253.4.1
network 10.253.4.0 255.255.255.0
domain-name secit-td.be
netbios-node-type b-node
exit

ip dhcp pool "internal"
lease 7 0 0
dns-server 10.253.3.2
default-router 10.253.0.1
network 10.253.0.0 255.255.255.0
domain-name fixitsolutions.local
netbios-node-type b-node
exit

exit

Maybe it's the DHCP packets being filtered.

To test this, try adding a rule that allows DHCP packets.

Example (this is obviously NOT the exact rule to filter only the DHCP packets, just a simple rule for the test):

ip access-list Deny_Guest_Intervlan_Routing
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit

If this ACL works (you can get a DHCP address), then you will need to write the ACL properly, something like (this is just an example):

ip access-list Deny_Guest_Intervlan_Routing
! DHCPDISCOVER
permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
! DHCPOFFER
0.0.0.0 eq 67 255.255.255.255 0.0.0.0 eq 68
! DHCPINFORM
permit udp 10.253.2.0 0.0.0.255 eq 68 255.255.255.255 0.0.0.0 eq 67
! DHCPACK
0.0.0.0 eq 68
permit udp 10.253.2.0 0.0.0.255 eq 67 255.255.255.255 0.0.0.0 eq 68
! Internal traffic
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
! Internet traffic
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
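The ordering logic the reply relies on (first match wins, implicit deny at the end, so a DHCPDISCOVER sent from 0.0.0.0 never matches a list whose entries only name guest addresses) can be checked offline. The Python below is an added example, not code from the post or from Netgear: it implements a small wildcard-mask ACL evaluator, runs constructed packets through a shortened copy of the original list and through the reply's quick test list, and writes the catch-all permit with the keyword `any` (an assumption) instead of the page's literal `0.0.0.0 0.0.0.0`. The last case shows the caveat the reply itself flags: a `permit udp any any eq 67` placed above the deny also lets a guest host reach port 67 on the internal LAN.

```python
"""First-match, wildcard-mask IP ACL evaluator (added example, not from the post).

Wildcard semantics: a 1 bit in the mask means 'don't care', so 0.0.0.255 matches a /24
and 255.255.255.255 matches every address; 'any' and 'host X' are accepted as shorthand.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # address 0 with an all-ones wildcard: matches every host


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Packet:
    proto: str  # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str  # 'permit' or 'deny'
    proto: str   # 'ip' matches every protocol
    src: Tuple[int, int]  # (address, wildcard mask)
    dst: Tuple[int, int]
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny <proto> <src> [eq N] <dst> [eq N]'."""
    tok = line.split()
    pos = 2

    def take_addr() -> Tuple[int, int]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ANY
        if tok[pos] == "host":
            pos += 2
            return (_ip(tok[pos - 1]), 0)
        pos += 2
        return (_ip(tok[pos - 2]), _ip(tok[pos - 1]))

    def take_port() -> Optional[int]:
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return int(tok[pos - 1])
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return Ace(tok[0], tok[1], src, dst, sport, dport)


def _addr_matches(addr: int, rule: Tuple[int, int]) -> bool:
    net, wild = rule
    care = ~wild & 0xFFFFFFFF  # bits that must be equal
    return (addr & care) == (net & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_matches(_ip(pkt.src), ace.src) or not _addr_matches(_ip(pkt.dst), ace.dst):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[str], pkt: Packet) -> str:
    """Walk the list top to bottom; no match means the implicit deny at the end."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Shortened copy of the original list: per-subnet denies, then the guest permit
ORIGINAL_ACL = [
    "deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.0.255",
    "deny ip 10.253.2.0 0.0.0.255 10.253.1.0 0.0.0.255",
    "deny ip 10.253.2.0 0.0.0.255 10.253.3.0 0.0.0.255",
    "permit ip 10.253.2.0 0.0.0.255 any",
]
# The reply's quick test list: DHCP ports opened before the aggregate deny
TEST_ACL = [
    "permit udp any any eq 67",
    "permit udp any any eq 68",
    "deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255",
    "permit ip 10.253.2.0 0.0.0.255 any",
]
# Constructed sample packets (not captured from the poster's network)
CASES = {
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "guest_to_lan": Packet("tcp", "10.253.2.10", "10.253.0.5", 51000, 445),
    "guest_to_internet": Packet("tcp", "10.253.2.10", "198.51.100.7", 51001, 443),
    "guest_to_lan_port67": Packet("udp", "10.253.2.10", "10.253.0.5", 40000, 67),
}


def compare() -> dict:
    """Return {case: (verdict under ORIGINAL_ACL, verdict under TEST_ACL)}."""
    return {n: (evaluate(ORIGINAL_ACL, p), evaluate(TEST_ACL, p)) for n, p in CASES.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:20s} original={before:7s} with-dhcp-permits={after}")
```

Running it prints `dhcp_discover original=deny with-dhcp-permits=permit`, which is the symptom in the question (no lease, so the laptops lose the SSID), while `guest_to_lan` stays denied under both lists and `guest_to_lan_port67` flips to permit, the hole the reply's final version closes by matching the broadcast destination instead of `any`.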

Tags: Netgear

Similar Questions

  • 2 VLANs with ACLs, what am I missing?

    Thanks for reading.
    
    This topology consists of one 6224 and two 2824 Powerconnect switches.
    
    Right now, we're looking to build two VLANs, routed, sharing a small range of IPs on VLAN 20.
    
    Also want to route out to the interwebz for both nets. Do I need a third vlan for that?
    
     Presumably one for each actual route out I would think.
    
    I've entered the following commands into the 6224.
    
    - -
    
    conf
    vlan database
    vlan 10
    vlan 20
    exit
    interface vlan 10
    ip address 192.168.1.1 /24
    ip access-group 'BUSINESS'
    name SALES
    routing
    exit
    interface vlan 20
    ip address 172.16.1.1 /24
    ip access-goup 'SALES'
    name BUSINESS
    routing
    exit
    ip access-list SALES permit ip 192.168.1.0 0.0.0.255 any
    ip access-list SALES permit ip 172.16.1.0 0.0.0.255 any
    ip access-list BUSINESS permit ip 172.16.1.204 0.0.0.7 any
    ip access-list BUSINESS permit ip 192.168.1.0 0.0.0.255 any
    interface range 1/g9-1/g16      ---these are untagged in both Vlan 1 and vlan 10
    switchport mode access          each has a PVID of 1 in both Vlans??
    switchport access vlan 10
    exit
    interface range 1/g17-1/g24     ---these are untagged in vlan 20
    switchport mode access          PVID of 1 or 20 neither changes anything
    switchport access vlan 20
    exit
    ip routing
    
    - -
    
    From VLAN 10 on the 6224 , all addresses in VLAN 10 and 20 can be pinged.
    
    From VLAN 20 on the 6224 all addresses in VLAN 10 and 20 can be pinged,
    
    2824-1 is connected via its port 24, (a member of vlan 20 in switchport mode access)
    
    to port 24 on the 6224.
    
    Port 1/g23 on 2824-1 is connected to a host at 172.16.1.240. That host can ping nothing
    
    beyond 172.16.1.1. But if I plug both the switch uplink and the host into a Cisco 3524xl in factory default
    
    I can ping everything on the 172.16.1.0/24 subnet right across the uplink. I'd like to at least
    
    get help on what the issue is with the pings from the 2824.
    
    The ACLs aren't actually in play but they are intended as part of the config.
    
    thanks in advance for your help.
    

    I think you're on the right track, leave the configuring ACLs for now. Once we have connectivity, then add them in.

    With the connections between the two switches, we use mode Trunk/general instead of the access mode.

    If the 6224 performs the routing and connects to your external connection, that connection should have its own dedicated VLAN. The 6224 would also have a static route in place to direct traffic onwards.

    Here's a post with some info to look over.

    en.Community.Dell.com/.../19506015.aspx

    Keep us updated.

    Thank you

  • Defining a VLAN ACL blocks all traffic inside the VLAN

    Hello

    I am testing a 7024 PowerConnect switch, set up some VLANs and want to test traffic between 2 PCs connected to the default VLAN. So I put one PC on port 1 and the other on port 2.

    I am applying only a permit ICMP any any rule on this VLAN. This implies an implicit deny-everything rule.

    But now I can't ssh from one PC to another?

    The ACL is an inbound IP ACL, but I thought that this does not affect traffic within the VLAN? Or am I wrong in thinking that?

    We tested this type of setup and got the same results as you. It seems to be normal behavior. If I get more specific information on this I will be sure to report back with it.

  • Interface VLAN ACL for inbound traffic?

    Hi, I may be overthinking this, but I have an ACL that is applied inbound on an interface vlan. I have a line to permit udp any any log, which is temporary. I see hits, but the source IP address is outside the network, going to the IP address of the destination interface vlan. I expected to see source IP addresses only in the range 192.168.1.128/25. What do you think? Thank you

    interface vlan 100

    ip address 192.168.1.132 255.255.255.128

    ip access-group ACL_IN in

    ACL hit:

    %SEC-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.6.100(137) -> 192.168.1.132(137), 1 packet

    Hello

    That looks to me like WINS browsing, a response packet.

    And as MS browsing works at layer 2, it sends a response to the IP of the router it sees the request coming from - maybe your clients have a WINS server address configured?

    Don't forget that
    permit udp any any log

    will match ANY IP source, not only your local subnet, which is why your log entries show the traffic in both directions.

    Rgds

    Ian

  • Inter-Vlan ACL

    Hi all

    I'm having some trouble getting the ACL to work the way I want. I have a lot of clients in different VLANs (VLAN 6-10) and my ASA (10.1.99.254) on VLAN 99 for internet access. I need VLAN 6-10 to have access to the ASA for internet, but VLAN 6-10 should not have access to each other. For the moment, I apply the access group in the outbound direction on the VLAN 6 SVI.

    VLAN 6 - 10.2.1.0/24

    VLAN 7 - 10.2.2.0/24

    VLAN 8 - 10.2.3.0/24

    VLAN 9 - 10.2.4.0/24

    I tried

    10 permit ip 10.1.99.254 0.0.0.255 10.2.0.0 0.0.255.255

    20 deny ip any any

    I could ping the ASA and was not able to access the other VLANs. However, I also didn't get any internet access. DNS responses were not passed, while ICMP traffic did pass the ASA.

    The switch is a 3560G

    Any help would be appreciated.

    Robert

    The ACL should not prevent the devices in the same VLAN from talking to each other; it will only stop devices outside of this VLAN, so what you see is not right.

    Regarding your general question, usually you use an inbound ACL on the source VLAN rather than an outbound ACL on the destination VLAN. You can use either, but blocking the packets at the source is the most common approach.

    So if I understand correctly, you need to block all traffic between any vlan 10.2.x.x/24 subnet?

    If so, and you are not bothered about specifying the source IP subnet in each ACL:

    ip access-list extended

    deny ip any 10.2.0.0 0.0.255.255

    permit ip any any

    int vlan 10

    ip access-group in

    So let's say VLAN 10 is 10.2.5.0/24. The above blocks any packet from clients in VLAN 10 with a destination IP address of 10.2.x.x. All other packets will be allowed. This same ACL could be applied to all the 10.2.x.x L3 VLAN interfaces.

    Note that in the ACL I used a source of 'any' rather than "10.2.5.0 0.0.0.255". This is because with 'any' the same ACL could be applied inbound on all the 10.2.x.x VLANs without any modification. You can, if you want to be more specific, have a specific ACL for each VLAN, that is, for the same example above:

    ip access-list extended

    deny ip 10.2.5.0 0.0.0.255 10.2.0.0 0.0.255.255

    permit ip 10.2.5.0 0.0.0.255 any

    It would be more specific and would stop any client not in 10.2.5.x on this VLAN from sending packets, but most communication would not work in any case, as the return packets would not be routed properly to the client. But like I said, this makes the ACL unique to the VLAN, so you would need different ACLs per VLAN.

    A few additional points-

    (1) if clients use DHCP and the DHCP server is a 10.2.x.x device, you need to allow that before the deny line

    (2) clients will not be able to ping their default gateway, that is, the L3 VLAN interface. This isn't usually a problem because the destination IP address is rarely the L3 VLAN interface, but if you want to be able to, you need a permit line before the deny line. Also note that this means your ACL would be different for each VLAN, because the L3 VLAN IP is different per VLAN

    (3) If you use the same actual ACL for each VLAN interface, all hits on the ACL will be for all the VLANs, so you will not be able to see hits per VLAN. This may or may not be important to you. Often this is why you see unique ACLs (in terms of number or name, but not necessarily entries) used. If you do want to see the hits per VLAN, then simply replicate the ACL but with a new name per ACL (assuming you go with using 'any' in your ACLs).

    Hope all that makes sense. If in doubt, please ask.

    Jon

  • PowerConnect 6200 ACL does not seem to work

    Hello

    I have a total of four 6248s, two groups at different locations, that are configured with VRRP + OSPF.  I tried to set up a simple ACL on one VLAN to allow a portion of the traffic and block everything else, but I can't make it work.  I have tried many combinations to get this working, but so far without success.  It's just a simple ACL, which should allow web/http traffic to the 10.1.30.100 server and block everything else.

    The only types of ACE that seem to work are either a "deny ip any any" or a "permit ip any any". If you try an ACE with a destination host and subnet mask 0.0.0.0 it just blocks everything.  Has anyone else had problems with the ACLs, or is it just my incompetence preventing me from getting the 6200 ACL to work properly?  I didn't have this problem getting ACLs to work on our Cisco 2811 routers, just when I tried it on the PC6248s.

    config
    int vlan 720
    no ip access-group vlan720-in in
    exit
    no access-list vlan720-in
    access-list vlan720-in permit tcp any 10.1.30.100 0.0.0.0 eq 80
    int vlan 720
    ip access-group vlan720-in in
    exit
    exit
    copy run start
    y

    Just an update on this issue.  I worked with Dell to determine why the ACL does not seem to work.  We discovered that the 6200 applies the ACL to traffic like a Cisco VLAN map, as opposed to a router ACL.  This causes the ACL to apply not only to routed or forwarded traffic but also to traffic switched within the same VLAN.

    This has been the source of my problems, as my traffic is not limited to a single 6200.  I built a simple lab to check that the 6200 applies the ACL to traffic switched within the same VLAN.

    First, the 6200 has one ACL applied to VLAN 5; both PC1 and PC2 are in VLAN 5.  They are both on the same subnet 192.168.5.0/24.  The ACL has a statement of "permit icmp any any" but nothing else.  PC1 and PC2 are running Windows XP Pro with IIS installed for the test.  The firewall on both is disabled.

    PC #1 IP: 192.168.5.2/24
    PC #2 IP: 192.168.5.3/24

    [6200]
    |    |
    |    |
    |   [2950T #2] <-->[PC #2]
    |
    |
    [2950T #1] <-->[PC #1]

    In this scenario PC1 and PC2 can ping each other without problem because of the permit icmp any any statement, but you cannot access the IIS site on the other computer.

    Dell said that this is normal and if you want VLAN-to-VLAN communication you need a 'permit ip' statement to make it work properly.  I also found that traffic back from other VLANs was also denied because of the ACL applied to all of the incoming traffic.  As a solution, the permit statement should be included for ALL traffic back to the limited subnet from other subnets.  So in this case "permit ip any ".

    I find it a bit annoying that the ACL is applied in the form of VLAN maps, not like a real inbound router ACL as on similar Cisco devices such as the 3750.  So there is a workaround.  I hope they can solve the problem in a future update, because I really think that the 6200 is a great device.

    Here you can see the difference between VLAN map ACLs and router ACLs in how they are applied to traffic local to the VLAN.
    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html#wp1572522

  • VLAN between two routers

    Hello. I am trying to solve a practice problem and I can't seem to get the VLANs working. The setup is as follows:

    You have two routers connected to each other. Each router has a switch and each switch has four generic PCs connected. Each PC on the switch belongs to its own VLAN. Thus:

    Switch 1:
    • PC A - VLAN 10
    • PC B - VLAN 20
    • PC C - VLAN 30
    • PC D - VLAN 40

    Switch 2:
    • PC E - VLAN 10
    • PC F - VLAN 20
    • PC G - VLAN 30
    • PC H - VLAN 40

    So PC A on router 1/switch 1 can ping PC E on router 2/switch 2 and cannot ping any of the others. And so on.

    So I tried setting PC C to VLAN 10 to check if my configuration works, and it does. But then I add my router sub-interfaces, set the fa0/1 interface on my switch as a trunk and permit VLANs 10, 20, 30 and 40. Now all PCs on the router can ping each other! That should not happen. Now I don't know what the problem is. Can someone help me?

    I have attached the docx and the Packet Tracer file.

    Sorry that I just realized you don't want connectivity between all computers.

    Which is a relief, because looking at your setup, I didn't see why they wouldn't be able to :-)

    You must use the ACLs on your subinterfaces to allow only the traffic you want.

    If you want to allow any PC to ping any other PC on the same site, but only the PC in the same VLAN on the other site, then use an outbound ACL on the router serial interfaces.

    If you only want to allow ping between the PCs in the same VLAN, use an ACL on traffic entering the subinterfaces.

    Jon

  • I have only a single IDS and would like to know if it's possible to monitor all the VLANs.

    With only one IDS I want to know if it is possible to monitor all my VLANs in the network. I use IDS version 4 and VMS IDS MC 1.1.

    If I have to set my internal addresses, and those which I define as internal are considered trusted, in the case where I configure a port in my core switch to monitor all the VLANs in my network and connect the IDS to the monitor destination port to sniff all the VLANs, which VLAN do I consider as internal?

    Also, I have Catalyst 6006 and 6509 switches with versions 5.1(3) and 12.1 respectively; can I apply shunning to take actions when an attack is detected?

    Is this configuration possible?

    Thanks for any help-

    I don't know if the IDS is able to detect the specific activity you mentioned. You would need to go through our list of signatures to see if it's possible. You can also submit a new case and ask this question again.

    As for the actions.

    CatOS 5.3 should allow you to inject TCP Reset packets through a span port (requires the enable inpackets parameter).

    In regards to blocking with CatOS 5.3, I don't think that this version supports VACLs. You may need to upgrade the CatOS version if you want to block with VACLs, and you also need a PFC and an MSFC on the supervisor.

    NOTE: If you have an MSFC doing the routing you may also block with a traditional router ACL on the MSFC.

    On a 6509 running native IOS (where IOS runs on the supervisor instead of the traditional CatOS), there may be a problem with TCP resets. I don't know if the monitor port (the native IOS equivalent of a span port) will allow the incoming TCP resets. You need to check the documentation.

    Some versions of native IOS (I think newer versions than what you have) will also allow you to monitor through the VLAN ACL capture feature. If the sensor is fed by a VACL capture port instead of a monitor port then I think the TCP reset works OK, but I have not tested it.

    With native IOS the sensor supports router blocking with traditional ACLs; it does not support blocking with VLAN ACLs in native IOS.

    NOTE: The difference between a router ACL and a VLAN ACL is that the VLAN ACL is applied to the VLAN and applies to all packets entering and leaving the VLAN, while the router ACL is applied to the VLAN INTERFACE where an IP address has been assigned and only applies to packets routed into or out of the VLAN.

    NOTE: Native IOS requires that the supervisor has an MSFC to even load the image.

  • Question about IDS blade blocking

    We currently have a Cisco 6509 with an IDS blade managed by Cisco Secure Policy Manager. I have three related questions. If I want to activate the blocking feature identified in CSPM, that is, be able to automatically block certain types of alerts for a defined period, can I perform this function by directing the internal MSFC routing module to manage the blocking feature, or do I have to run this function with an external router or firewall? Related question: if we can use the MSFC routing module, how does the fast switching (route first, switch the rest) type feature affect this ability? Are there performance benefits to choosing one method rather than the other?

    Thank you

    Mike

    The IDS blade can be configured in CSPM for blocking on the MSFC, which is similar to any other IOS router. It has been tested and is fully supported.

    Alternatively, you can also configure the IDS blade to perform the blocking directly on the supervisor using VLAN ACLs.

    Regarding:

    Related question: if we can use the MSFC routing module, how does the fast switching (route first, switch the rest) type feature affect this ability? Are there performance benefits to choosing one method rather than the other?

    Every time the ACLs on the MSFC are changed (by a user or by the IDS blade), the current flows are re-checked against the new ACL, so it works very well with the fast switching feature.

    However, I can't comment on performance when you use the MSFC or another device.

  • Material selection/setup help

    I am helping set up a network in their new premises and want to see if my choice of equipment is correct.  The products of the Small Business suite seemed to meet our needs best, as far as I could tell. There are a dizzying number of products to choose from. I did my best.

    Here are the requirements:

    1. need a wireless access point to serve an Internet-only connection and a connection used for corporate network services and Internet.

    2. they have two buildings with a fiber multimode link between them.

    3. each building will have security camera with PoE.

    4. remote access to all the VLANs in the buildings (except guests)

    a. PCAnywhere on VLAN30 security PC

    b. file services on VLAN20

    5. all the VLANS need to access to the internet.  I guess the Mgmt VLAN40 wouldn't need it.

    I had planned to purchase the following:

    WAP561 wireless - wanted both 2.4 GHz and 5 GHz of spectrum

    Switch SF300 - 24 p - 1 for each building w / a module 1000Base-SX MGBSX1 for fiber link

    RV320 Router/VPN

    My first attempt at a design was to create the following VLANs on all devices

    1 - default VLAN, VLAN native - nothing will use this

    10 - Guest, WAP only, NO cable connections

    20 - corp, WAP and wired

    30 - security, Wired only at this time

    40 - Mgmt, WAP and wired

    Trunks carrying all the VLANs will be used for the AP<->Switch1,

    Router<->Switch1 and Switch2<->Switch1 connections.

    I'm more concerned about the configuration of the router/VPN.

    Until we decided on adding VPN to the project, I thought it wouldn't be hard to do: disable inter-VLAN routing, configure a DHCP pool for each VLAN and everyone stays out of each other's way. But then I opened my big mouth and asked if they wanted remote access.

    So, what VPN configuration would allow us to reach all the VLANs? Would PPTP work better? Is there inter-VLAN routing? If I turn on inter-VLAN routing, would that mean guests could reach the other VLANs? Would an access list allow me to keep the guests from crossing over?

    Any glaring issues anyone sees?

    Thank you.

    Mark

    Hi Mark, admittedly I'm not familiar with the new RV320 router or the new WAP. However, I can say that the basic setup should work as expected, and you have correctly identified remote access as the hitch.

    On the previous RV routers PPTP would be the easier way to get onto the network. The real question is: what resources does the remote connection need access to? Certainly not the guest network. In the past, if you wanted PPTP to communicate across VLANs you needed to connect into one of the defined subnets and have inter-VLAN routing active for the PPTP protocol.

    This presents a different scenario, which means it would require access lists on the switch ports so that the incoming traffic is blocked from unwanted resources. I don't know if the RV320 supports inter-VLAN ACLs; I know it was introduced on the RV220W, but that may be another idea to tackle this.

    So I think the consideration for now is: who needs access to what as a remote connection?

    -Tom
    Please mark replied messages useful

  • ISE 1.3 and multiple licensing requirements

    I am building an ISE 1.3 box and I want to know if the following is feasible

    I have an AD forest which has several configured user groups

    1. Corporate
    2. BYOD
    3. demo

    What I want to do is use these groups to assign wireless users to the correct VLAN based on membership of these groups AND the type of device they are connecting from.

    for example User1 connects to the wireless network from a Mac, and they belong to the corporate users group. I would like them to be put on the corporate VLAN.

    However, if they connect from their iPhone and also belong to the BYOD group, they get put on the BYOD VLAN which has restricted access.

    I guess I should add User1 to both the corporate and the BYOD AD groups, then use conditions to determine what type of device they use and then create an authorization profile to manage which VLAN they are dropped in.  Then use Airespace ACLs to determine what resources they have access to.

    Unfortunately, the interface has changed a bit from 1.2 to 1.3, and I don't know if this is feasible.

    I advise to use the BYOD within the ISE feature that uses the device registration. All devices are on (default) RegisteredDevices group identity within the ISE, so that your authorization policy can look if EndPointIdentityGroup = ADGroup RegisteredDevices AND = BYOD then = BYOD VLAN + ACL.

    Put your saved rule BYOD above all others in the list for your rule of Group of companies don't replace the BYOD.

  • Is the WS-X6381-IDS compatible with the WS-C6500-SFM and native IOS?

    I found some puzzling info in the data sheet for the WS-X6381-IDS:

    Catalyst switch platform

    Requires Catalyst operating system version 6.1(1) or higher (not supported in native Cisco IOS® Software)

    Policy Feature Card (PFC) required for the VLAN ACL "capture" feature.

    Compatible with Supervisor Engine 1A and Supervisor Engine 2

    Not compatible with crossbar switch fabric!

    The data sheet was published in November 2002. But I can't configure them together using the "Cisco Configuration Tool", and I found that native IOS 12.1(8A)EX or later already supports this module.

    Another question: to manage the 6381, which is better, "Cisco Secure Policy Manager" or "Cisco Secure Intrusion Detection Director"?

    The data sheet you refer to is incorrect and should be updated.

    The WS-X6381-IDS is supported in native IOS version 12.1(8A)EX or later for Sup2/MSFC2 and 12.1(11)E for Sup1a/MSFC2, if I remember correctly.

    The word "compatible" when referenced with the SFM has created some confusion. When Cisco says a card is crossbar switch fabric "compatible", it means that the card has additional hardware to connect to the new crossbar fabric. The WS-X6381-IDS has no additional hardware to connect to the new crossbar fabric.

    There are several older Cisco cards which are not crossbar 'compatible'. Many of the 48-port 10/100 line cards that Cisco sells are not crossbar 'compatible'. All these older cards are called "classic" cards, which means they can only connect to the original 'classic' backplane.

    BUT these "classic" cards (the WS-X6381-IDS included) can work in a switch using the SFM and are fully supported by Cisco. That's why the WS-X6381-IDS is fully supported in a switch using the SFM.

    The SFM recognizes which cards are 'compatible' and which are 'classic'. If all cards are "compatible", it makes full use of the new crossbar fabric and can run the switch at the higher 256Gbps performance rates.

    BUT if the SFM detects both "compatible" and "classic" cards, then it runs the new crossbar fabric in what is called "truncated" mode. The SFM uses the new crossbar fabric as much as possible when sending packets to the "compatible" cards, but it is still able to send packets over the original backplane to the 'classic' cards if necessary (as for the WS-X6381-IDS).

    In this "truncated" mode the SFM cannot perform at the full 256Gbps switching rate, because it still has to use the original 32Gbps bus when sending packets to the "classic" cards.

    With regard to the management tools: the Cisco Secure Policy Manager and the Cisco Secure Intrusion Detection Director for Unix are replaced by the latest management tools in VMS 2.1.

    VMS 2.1 is the VPN and Security Management Solution version 2.1. VMS 2.1 is a suite of different security management products for Cisco security products (for example the PIX, VPN concentrator, and Cisco IDS sensors).

    VMS 2.1 contains the Management Center for IDS (IDS MC), which is used to configure the sensors, and the Security Monitoring Center (Sec Mon), which is used to view IDS alarms.

    IDS MC and Sec Mon are web-based management tools.

    The tools are installed on a Windows 2000 Server and can then be accessed by multiple users through a standard web browser on their desktop computers.

    VMS 2.1 is part of the CiscoWorks family of products.

    VMS 2.1 was announced about 2 months ago.

    The IDS MC and Sec Mon of VMS 2.1 are the recommended IDS management tools going forward.

    NOTE: The IDS MC and Sec Mon were originally designed for enterprise deployments. If you only have 3 sensors or fewer and do not want to spend the extra money on VMS 2.1, then you could use the IDM and IEV included with the sensor at no extra cost.

    IDM (Intrusion Detection Device Manager) is a basic web-browser-based configuration tool that is installed on the sensor itself and can be used to configure that single sensor.

    IEV (Intrusion Detection Event Viewer) is a Windows-based alarm display program that can receive alarms from a maximum of 3 sensors.

    IDM and IEV are not as feature-rich as the IDS MC and Sec Mon, but IDM and IEV are included with the sensor at no extra cost.

  • Multi-home or not multi-home; that is the question

    Hi all

    This isn't technically an ESX question, but it's a question that arises for us due to how easy it is to add additional network cards (and thus network connections) to virtual machines hosted on our ESX boxes. I'm curious to hear others' views on the issue.

    The core question: when you have a virtual machine that requires access to several VLANs, do you tend to add additional network cards to the virtual machine that connect it directly to these VLANs, or do you just use one network card and route traffic for the other VLANs via a router/firewall?

    A virtualized VirtualCenter server is a perfect example: at the very least this needs access to your LAN VLAN (for administrator access to VC, to speak with the domain controllers) and the management VLAN (to talk to the ESX hosts), etc. As a general rule, would people connect one network adapter in the VC virtual machine to one of these two VLANs and access the other VLAN via a router/firewall, or would you connect two network adapters to the VC virtual machine, one in each VLAN?

    Curious to know how others deal with it - thank you.

    See you soon,

    Matt Kilham

    Hello

    From a security point of view, you would not add additional network cards in different VLANs. If you do, you basically bypass the router/firewall. It is a security risk if the box "breaks" or routing is accidentally turned on. I always put VMs in the VLAN they belong to (DMZ, INSIDE, OUTSIDE, SERVERS, whatever) and use the VLAN ACL to determine what they can and cannot do to other VLANs and the internet. Sometimes I drill smaller holes, like when an application server is outside and SQL is inside. I then punch a hole from the application server to the SQL server (based on IP addresses), opening only 1433/tcp.

    Of course, there are a few exceptions. One is an ISA Server. This server generally uses two or three network cards in different segments, since it IS the router/firewall. I use an ISA Server, which has earned two VLANs of its own. So my router determines what goes in and out (port level), and ISA can do the rest (www splitting on headers, proxy, etc.).

    Another exception I have at home (sick, I know) is my download VM, which is in a different VLAN than the file server. So my VM downloads a big file, and then I move it to the file server. My router has limited performance, however (around 5-6 MB/s), so I gave the download VM a second network adapter in the same VLAN as the file server (shame on me); now it copies at +-30 MB/sec...

    Visit my blog at http://erikzandboer.wordpress.com

  • Port / VLAN without ACLs

    On a port or VLAN that has no need of ACL filtering, is it more efficient to have nothing or to only permit ip any any? I understand that there is a default implicit deny ip any any to block whatever is not allowed by a permit statement, but I guess that this applies only if an ACL is assigned. So I think that if you just permit ip any any in an ACL without any deny before it, it's better not to waste processor time running packets through an ACL filter, since there is nothing to reject anyway.

    Hello Vini, if I interpret correctly, there is no need for an access list, as it would just needlessly use system resources.

    -Tom
    Please mark replied messages as useful
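    As an added example (not code from any post in this thread), a constructed Python first-match evaluator for Cisco-style extended ACL entries: it shows the implicit "deny ip any any" that Vini asks about, which applies only once an ACL is actually assigned, and Erik's "punch one hole" pattern of permitting only tcp/1433 from the application server to the SQL server. The host addresses, the ACE syntax subset and the function names are assumptions for illustration.

```python
# Constructed example: first-match evaluation of Cisco-style extended ACL entries
# with wildcard (inverse) masks, showing the implicit deny and the "one hole" pattern.
import ipaddress

ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255 matches every address

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]' where an address is
    'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (subset of Cisco ACE syntax)."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    addrs = []
    for _ in range(2):  # source, then destination
        if rest[0] == "any":
            addrs.append(ANY); rest = rest[1:]
        elif rest[0] == "host":
            addrs.append((_ip(rest[1]), 0)); rest = rest[2:]
        else:
            addrs.append((_ip(rest[0]), _ip(rest[1]))); rest = rest[2:]
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": addrs[0], "dst": addrs[1], "dport": dport}

def _match(ip, rule):
    addr, wild = rule
    # A wildcard bit of 1 means "don't care"; only bits where the wildcard is 0 must agree.
    return ((_ip(ip) ^ addr) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins. An empty list means no ACL is applied, so nothing is
    filtered; a non-empty list always ends with the implicit 'deny ip any any'."""
    if not acl:
        return "permit"
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_match(src, ace["src"]) and _match(dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every assigned ACL

# Constructed hosts: OUTSIDE app server 192.0.2.10 may reach INSIDE SQL 198.51.100.20 on tcp/1433 only.
SQL_HOLE = [parse_ace("permit tcp host 192.0.2.10 host 198.51.100.20 eq 1433")]
# Constructed "nothing to reject" ACL: a single 'permit ip any any', equivalent to no ACL at all.
PERMIT_ALL = [parse_ace("permit ip any any")]
```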

  • VLAN compatibility with Cisco

    Hello

    We just bought 10 x new Netgear switches (all M4100) to add to an existing Cisco infrastructure.

    Simple configuration with only 6 VLANs.

    5: Admin, 30: VOIP, 101: Management, 100: first set of workstations, 102: second set of workstations, 200: IPTV, 400: Internet, 401: Wireless Management

    All I wanted to do was: the last 2 ports of each Netgear switch = T on all the VLANs. I have untagged all the ports I want to use into the appropriate VLAN.

    VLAN 101 is my management VLAN. (Need to configure inter-VLAN routing for this to work.)

    I have only turned on three switches so far and all three do not work. They work for a while, then they send packets but do not receive any.

    What am I doing wrong?

    Do I need to get rid of the original VLAN 1 on the Netgear?

    Is there something I need to configure in STP to make these compatible with Cisco (300 and 400 series) switches?

    I use an optical backbone on Cisco and Netgear switches.

    Sincere greetings,

    OLAF

    Hi Moussa,

    Thanks for reaching out.

    We got it working.

    Step 1: upgrade to the latest firmware.

    Step 2: Forget the GUI.

    We had a few issues with the old firmware, causing trunk links to have some incompatibility with their tagged and untagged frames between the Cisco and Netgear brands.

    After the firmware upgrade we had access to the "switchport mode access" and "switchport mode trunk" commands, fixing the access port and trunking issues.

    Thanks,

    OLAF
