Cisco :: Filter Unnecessary Vlans Going Through Trunk Between N5K And N7K
Jul 27, 2012
We have our aggregation layer here composed of two N7K with vPC between them. Every access switch is a N5K. Security policies state that we have to filter unnecessary vlans going through the trunk between N5K and N7K. So we use the 'switchport trunk allowed vlan 10,20,30' command. My question is: Do I have to include the native vlan id on this command?
I have a test switch (Cisco 3550) that I want to set up with 6 VLANs and 2 trunk ports. I want to be able to access a virtual server connected to the trunk ports from the switch ports. Ports Fa0/1 to 8 are in one VLAN, ports Fa0/9 to 16 in another VLAN, etc. Ports Fa0/47 and 48 are the trunk ports. This is a lab environment, so the switch is the only device being used.
I have an ASA 5585 and a Nexus 5596, and I need a suggestion to configure this scenario:
My users in VLAN 10 need access to the network in VLAN 20, but this traffic must be filtered by the firewall. On the firewall I receive a trunk port from the Nexus 5596, and I created subinterfaces to receive the VLANs from this trunk.
The gateway for my users is the address of the ASA subinterfaces.
What do I do to filter the traffic between the VLANs?
So what we do when we get new laptops is "prime" them by connecting to the LAN via a cable, naming the machine and joining the domain. This way it automatically gets the certificate and is a domain member. After logging on at least once via a cable, we can then disconnect it and join the wireless network.
During a routine audit, they suggest also using MAC address filtering. I think this is overkill and an administrative nightmare. To manage MAC address filtering on the 5508 and then also manage the domain accounts is unnecessary. Also down the road we want to offer a segregated public hotspot (webauth), and I'm not sure if MAC address filtering would affect that or not.
I've read that MAC address filtering is pretty much useless, because it's so easy to change your MAC address even in Windows Device Manager. I know I was able to do it as a test.
Is MAC address filtering worth the hassle to implement and manage? Or is our current layered security approach enough?
Is there really any reason why you wouldn't use spanning-tree portfast on a trunk port, other than a trunk between two switches? We have it enabled on all ports except for the fiber trunk between two non-stacked switches and the trunk ports connected to our Astaro firewall. I'd like to enable it on the ports to the firewall unless that would cause issues.
We recently acquired a managed services job and have to do an overhaul of the VLAN configs. We have a whole dozen WC2948G's that trunk between a set of ports as well as trunk out a LAG channel set up to non-Cisco equipment. The deal is the LACP channel works properly on both ends, but no routing of VLANs between ports and between the LAG trunk is working.
There are a lot of settings in the config and I'm planning on clearing it and starting from scratch, but before I do I want to know where my problem lies.
I've been having this issue for quite some time on my Windows 7 SP3 x64 machine. It's a desktop, connected via Ethernet to a TP-Link WR740N router, which also provides wireless coverage. My ISP is a local one (the country is Latvia), and it offers a decent 100 MBps up/down optical fiber internet service. Now for the problem: there is only one home network on my computer that seems to work, and that is 'Network 2'. Whenever I have to reboot the router for whatever reason, it attempts to reconnect, but sometimes reconnects to a 'Network 3' and once even to a 'Network 4' and 'Network 5'. None of these other networks have internet access. I tried to run the diagnostics tool on the issue, and usually it told me that there's a problem with the default gateway. Additionally, twice I've had the issue of the computer completely freezing when connected to one of the internet-less networks (e.g. 'Network 3') and trying to disable the network adapter, forcing a restart that consequently caused a failed boot; from there on I had to use System Restore to actually get my PC to function.
The way I've been fixing it, apart from random rebooting, reconnecting, and hoping for the best (that it decides it wants 'Network 2'), is by putting in the Resource Mini CD that came with my router and running the Wizard for the WR740N router. It has 4 steps, the 2nd of which is 'Installing the router' (configuring the network adapter), at which point my internet starts to work (it always connects to 'Network 2'). If, however, I decide to continue this process to the step 'Configure router' and attempt to set up my wireless connection, it will begin to reset itself and once again connect to 'Network 3', leaving me without internet access.
We have to deploy an ASA5585 in between user VLANs and server VLANs. We have to find all the ports that need to be opened on the firewall. Any tools to do the same?
Using ACS 5.2, under Network Resources > Network Devices and AAA Clients, I can only filter by:
Name, NDG:Location, NDG:Device Type, Description
How can I find a device by its IP address? Or how can I enable this option?
On this link:[URL] I read the following: ''Network Device Filters—Based on the AAA client that processes the request. A network device can be identified by its IP address, by the device name that is defined in the network device repository, or by the NDG'.....
How does the ESW 500 or SF300 line guarantee QoS of voice traffic when trunking switch to switch? I have (2) ESW 500 series switches in series. The phones on switch 1 have no audio issues, but the phones on switch 2 (the last in the series) have intermittent voice quality issues when dialing across a WAN circuit to another office. The phones on switch 1 do not have that issue, though they traverse the same circuit. They are all using the same VLAN 100.
We installed a stack of C3750x switches recently. An HP C7000 blade server uplinks to the C3750x using EtherChannel and 802.1Q. If the trunk includes an RSPAN VLAN on it by the 802.1Q default configuration, the VM on the HP blade cannot ping the same-VLAN server on the C3750x. If the trunk is configured with "allowed vlan" and excludes the RSPAN VLAN, then the connection is OK.
Telco provided a BGP connection on an MPLS network. When I connect the router directly to the Telco switch I can see the BGP neighbor, so my router BGP config is OK. However, I need to put this router in a different building and want to bring the connection over on a "trunk"; now I lose the BGP neighbor. I'm sure I did this before and it worked OK. I'm trunking between 2 x 2950 switches using this config on each switch. [code]
I also configured the trunk as vlan 1214, which is the encapsulation provided by the Telco (dot1Q 1214).
I have a plan to deploy a Cisco WAP321 at my customer, and after reading the document about the WAP321, it said the WAP321 supports the VLAN ID feature, but I can't find whether it supports a trunk port, because I would like to connect the WAP321 LAN port to a Cisco SMB switch SG300/SG200. Is the trunk port already enabled on the WAP321 LAN port so I don't need to configure it, or not?
I would like to set up a L2 VLAN trunk connection over a VPN. I hear this can be done with a GRE tunnel. I currently have Cisco MWR2941's that I would like to configure the trunks on, then push them over a 5520 VPN (IPsec tunnel) to a 5510. On the other side of the 5510 I will have another MWR2941 to receive the trunk.
How do I configure this trunk, or are there some configuration ideas?
Am I wrong, or is the only way to filter external routes (type 5) with a stub area, and area 0 can't be a stub? As far as I know OSPF can't filter on the route tag, so should I be filtering with a route-map?
My main goal is to filter certain sites, including Facebook, so they are not accessible within the network, and to block all torrents, including malicious sites. I was advised to get a Cisco ASA 5505, which I already got a quote for. But now I want to know if the ASA 5505 is good enough for this purpose, and whether anything additional is required to successfully achieve my main goal.
Most of our VPN connections are done with our Cisco 3030 and the internet goes out the ASA. We are able to filter all web traffic by doing a SPAN port for web traffic.
When we move VPN connections to the ASA we will lose the ability to SPAN web traffic because it's coming in and going out the same interface on the ASA. We will lose the ability to filter web traffic when this happens.
How can we filter web traffic on VPN connections on the ASA? We are using Websense. I know there is some integration that can be done with the ASA and Websense, but it doesn't have all the capabilities of doing a SPAN port for Websense to monitor.
Is there any way to apply a hostname or object network in the syntax? The command gives the option to use a hostname or A.B.C.D but doesn't accept the hostname:
PIX1(config)# filter url except 0.0.0.0 0.0.0.0 ?
configure mode commands/options:
  Hostname or A.B.C.D  The address of foreign/external host which is destination for connections requiring filtering
Can an FQDN be used as a foreign/external host?
I've got a PIX running 7.2(4) with its outside interface on the Internet. The only thing this PIX is doing is acting as the endpoint for an IPSEC LAN-to-LAN tunnel with an Internet-connected ASA on another network.
I'd like to filter inbound Internet traffic to this PIX so that only the designated ASA can attempt to establish an IPSEC connection -- in other words, I want to prevent any other device on the Internet from even being able to attempt to establish an IPSEC connection to the PIX. As far as I know (and have seen), this can't be done with an access-list on the outside interface, since that access-list doesn't apply to traffic to the PIX itself.
I am working on a Perl script to be run on our different subnets to see what hosts are down (and make the assumption that if the host is down, the IP address is free to be used). This is not being run on a Linux system, so I can't use grep to filter out everything except down hosts. I know there are modules for Nmap that would make this task easier, but my plan is to install Nmap on our network monitoring server, compile the script for Windows, and have it create the report for what addresses are down. I don't want each person running the script to have to have all the modules installed, etc. Or can you compile the script with the modules in it?
I work at a boarding high school at night and as such I have a lot of free time. However, the internet here is very restricted due to obvious concerns about children and unrestricted access. I have private internet in my room on campus, but it's too far away to connect to. I was wondering if it would be possible to set up my laptop/tablet to connect to my home computer and access the internet through it without restriction. And if so, how would I go about doing that?
I've been studying my inter-VLAN routing, mainly in this case router on a stick. I noticed through Packet Tracer that the 2960 switch doesn't allow the '(config-if)#switchport trunk encapsulation' command, but the L3 3560 switch will. I am very concerned about this since VLANs are a main topic. What perspective will Cisco be seeing this from for the CCNA exam? I test in 12 days. I have embedded a Packet Tracer screenshot for more information in case I didn't word this right (which happens all the time to everyone, it seems, in NW'ing now and then, if not a lot).
I'm trying to configure a 2940 switch to trunk. I just can't get it to work. On the interface I have added: switchport mode trunk. The default encap for this switch is dot1q, so there is no need, or ability, to add/change the encap mode. Also, all VLANs are being allowed by default. I still can't get any port to trunk. I need to get G0/1 to trunk, and have also tried to trunk f0/6 to the switch in my office. Also, I can't find the command to change the management VLAN. I do not use VLAN 1 for management. Can I change the management VLAN on this switch?
I'm working with an established network, which has 2 Allied Telesis switches (1) & (2). I must add another Allied Telesis (3) and a Cisco switch. If I connect just the Cisco switch and the AT(3), it works OK; I mean it trunks. It also works OK if I connect the AT(3) with AT(1) and AT(2). But if I want to connect the Cisco SW with AT(1) and AT(2), or AT(1), AT(2) and AT(3), it doesn't trunk, even if I set the Cisco switch port I use as a trunk port. I think I have a problem with the VLANs already created on AT1 and AT2. But the problem is that I cannot access the AT console mode.
I have a Cisco SW (3560) with one trunk link to my router (7606). The trunk link is fully utilized, so I need to add a 2nd trunk. Shall I move some customers from the old trunk to the 2nd one and create a new subinterface for them? I am thinking, can I create a bundle and add subinterfaces under this bundle? Add two GE ports to be members of this bundle?
2 router to connect my phone system to a SIP trunk provider router and to extend my LAN segments so the phone system has internet access. I need it this way because I can't put 2 default gateways in my phone system, so the Cisco RV042 is the default gateway of the phone system, and I use port forwarding of the UDP ports 5060 to point to the system, and I also use protocol binding of these ports to WAN 1.
The phone system connects to a switchport.
The SIP trunk router connects to WAN 1.
My LAN is connected to WAN 2.
Everything is working fine except this intermittent issue: each hour or so my SIP trunk stops working. To make it start working I need to unplug my WAN 2 connection and wait for 1 minute.
I have a customer with two ASA 5510s. All four ports are used by the following interfaces: inside, outside, dmz, and failover. This customer is looking at getting redundant internet connections, but we don't have any ports for the redundant connection. What I'd like to know is if it's possible to configure subinterfaces on one of the currently occupied ports (I'm thinking inside) and use one for inside and one for failover. This way I could have the other port free for the redundant internet connection.