Cisco :: How To Secure Vlan Server
Jan 21, 2011
due to goverment regs i need to secure the server vlan at work. i was using a acl applied to the vlan, but thought adding an ASA would provide better security. I had done some brief review of my design and options. I was thinking of using vrf and connect to exsisting ASA 5520. i would need to add the server subnet vrf to the global routing table. seems to get tricky. I am currently testing just adding the firewall to a vlan with a client. No vrf. This seems to working ok but the inbound and outbound rules have to be adjusted more than i realized. I was expecting traffic inaitiated outbound to flow unrestircted and filter on the inbound.
View 7 Replies
ADVERTISEMENT
Jan 10, 2013
i've been using a VPN to connect to my home network from elsewhere for a few months. It's set up as follows:
PPTP
Maximum Strength Encryption
EAP-MSCHAP-v2 Authentication
Now I find out that MSCHAPv2 authentication has been broken and is no longer considered secure (even by Microsoft), so I want to change the protocol I'm using to make it secure.
However, I've spent 3 hours now researching this and I cannot for the life of me figure out how to use a better protocol on my Windows Server 2012 home server. I've tried setting up PEAP authentication (still PPTP) a la Microsoft's recommendation document, but it requires a certificate. I've created a self-signed certificate but it seems I can't issue certificates (via this method) without being a member of a domain, so I'm stuck. I can't even get started with L2TP since I can't find the option for it.
My question is this: Is there a way to setup a secure VPN server using Windows Server 2012 without a domain? If so, how do I do this?
View 1 Replies
View Related
Feb 20, 2012
i have a catalyst 3750, in this switch i have 3 vlan, i need to secure trafic between vlans but im confused ,should i use ACL or VACL to secure ?which is the best ?if i use ACL to secure and limit ports between vlan, which is the best practice to apply the acl ( on th inside or outside of interface)
View 2 Replies
View Related
Sep 16, 2012
I using IOS c2950-i6k2l2q4-mz.121-22.EA14.bin but no support command "ip http secure-server" and I not connect switch by CNA. How I fix ? Or IOS C2950 support ip http secure-server and ssh ver2 ?
View 1 Replies
View Related
Sep 5, 2012
i now learning about SSLVPN, and i already install license in 1941 with SSL and security9 License, i learning how to make a gateway for SSLVPN full tunnel, but i meet an obstacles, when i go to my wan ip address https://wan ip address, the browser give this
SSL connection error Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error
[code]...
View 1 Replies
View Related
Nov 13, 2008
I have SSH and SCP enabled on the ASA 5510. I can SSH fine into the device. However, I cannot copy files to the device usng WinSCP. Used all options but nothign seems to work. I see the log authentication successful, but then WinSCP reports no response from ASA.
View 5 Replies
View Related
Feb 3, 2007
We have several ASA 5510 firewalls which are being used as VPN gateways.RSA SecurID is the authentication mechanism using native SDI connectivity. No ACS server is being used.Is it possible to assign user Group and other attributes (such as ACL), using the SecurID RADIUS server? I know this is what the Cisco ACS is for, but is it possible using the RSA RADIUS server itself?
View 11 Replies
View Related
May 7, 2013
I am trying to configure interface vlan1 to get an ip address from dhcp by entering the commnad ip address dhcp ios rejects the dhcp portion of my command as not recognised although it is referred to in Cisco manuals.my IOS version is c2950-i6k2l2q4-mz.121-22.EA14.bin.I get the same problem when I try to configure ip http secure-server on the switch. Is this a known bug or whether I have the correct IOS version for these commands?
View 6 Replies
View Related
Jul 12, 2011
When setting up my e1000 router for a secure domain it automatically opened a non secure one that my neighbors are using. How can I cancel it?
View 2 Replies
View Related
Sep 5, 2012
I have built two servers,a cacti server and a syslog server.They are both in vlan 30.Both servers can ping each other and can ping the gateway.Now the problem is the cacti server can ping hosts in vlan 100 but the syslog server cant.I am using a subnet mask of 255.255.255.248.
View 1 Replies
View Related
Aug 2, 2012
I am an intern and do not want to compromise the network. I was asked to prepare a step by step guide to connecting to a server from 2 different VLAN's. I am using a Trendnet TEG-2248WS B1.0R switch. that is all of the information that I was given.
View 1 Replies
View Related
Jan 17, 2013
I'm looking to implement a single proxy server for two different VLANs. Both VLAN have outgoing traffic configured through different ISP i.e. traffic for users on VLAN1 is routed through ISP1 and traffic for users on VLAN2 is routed through ISP2. Inter-VLAN communication is enabled. The proxy server should route internet traffic for users in VLAN1 through ISP1 and for users in VLAN2 traffic should be routed through ISP2.
View 6 Replies
View Related
Oct 6, 2011
I have a sg300-52 in layer 3 mode. I have 2 Dell access switches that connect to the sg300 in 4 port LAGs each. Connectivity works as expected.Servers are on their own VLAN, and plugged directly into the sg300. When somebody starts a file copy from their client workstation off a file server, the server VLAN drops everything except for the file copy. Even drops packets on its own vlan, (server to server communication) until the file copy is complete. Seems like the VLAN is rate limited somehow.
View 3 Replies
View Related
Jan 5, 2011
I have a question regarding CSS loadbalancer. Let's say there are 2 vlans in CSS:
1. Vlan 10: 10.1.1.0/24 as external interface, interface where most of the clients are coming from.
2. Vlan 20: 10.1.2.0/24 for real server vlan.
Virtual IP 10.1.1.10 is created in CSS on behalf of two real servers (10.1.2.11 & .12) in Vlan 20. Client from Vlan 10 can http access to 10.1.1.10 successfully.
In Vlan 20 there's also few clients which need to access servers via virtual IP. Vlan 20 Client PC (10.1.2.101) can ping 10.1.1.10, but can't access 10.1.1.10 http service.
Is there any way for CSS to forward service request coming from Server vlan to be send back to the same segment?
View 9 Replies
View Related
May 5, 2012
I possess a RV220W (firmware 1.0.3.5) but I can't seem to work with the PPTP server on one VLAN only.
My default VLAN is in 192.168.1.1/24. I created a VLAN ID 10 in 192.168.50.1/24 inter-vlan routing : disabled and Device Management : disabled. (Menu Networking > LAN > VLAN Membership and Multiple VLAN Subnets).
Then I configured a PPTP server on the IP range 192.168.50.200 to 192.168.50.210.
To finish I created my user. (Menu VPN > IPSEC > VPN Users).
The PPTP tunnel is working, but on all my local network and not only the VLAN ID 10.
View 3 Replies
View Related
Apr 6, 2012
I have a Nexus 5548 installed (layer 2 device only) with several 10G ports supporting IBM P770 systems and a TSM (Tivoli Storage Manager) system on a single VLAN. All of the Nexus 5548 ports are configured for jumbo frames. I was ask to install a new server on the same VLAN as the others but as 1G port without jumbo frames to allow communications with the TSM server. I'm assuming that the 1G port for this new server without jumbo frames configured on the Nexus 5548 will not be unable to communicate with the TSM server that is on the same VLAN with it's Nexus 5548 10G port configure using jumbo frames.
View 5 Replies
View Related
Mar 24, 2011
I have a PIX-515E that I'm trying to configure for what I thought would be a simple task. I've been playing with VMWare ESXi on a Dell PowerEdge 1850 in a lab environment. The server's IPMI is bound to one of its two physical interfaces, which I've connected to Ethernet 1 on the firewall. The interface has the following configuration:
PIX Version 7.2(4)!interface Ethernet1 nameif FrontEnd security-level 40 no ip address!interface Ethernet1.2 vlan 2 nameif IPMI security-level 90 ip address 172.16.0.161 255.255.255.224
The server's baseboard manager has been configured to tag its traffic on VLAN 2, priority left at 0 (default), and its IP address appears in the firewall's ARP cache; however, here's what I get for a ping response: Sending 5, 100-byte ICMP Echos to 172.16.0.164, timeout is 2 seconds:?????Success rate is 0 percent (0/5)
View 1 Replies
View Related
Oct 29, 2011
I'm trying to set up VLANs in my network.So the first device after the internet cloud is my ISP modem/router. I don't really use the router part. The second device is my Linksys WRT54G router with DD-WRT firmware on it.Between the two, there is a subnet just for them. After the DD-WRT router, there is a subnet for my LAN.The third device is my netgear GS108T switch (with vlan support) to which almost all my computers are hooked up. One of those computers is my server that is domain controller and has the roles as shown in the image. What I would like to do is to create several virtual machines in Hyper-V. The trick is that I want to isolate them from the rest of my network. They should be able to access (and be accessed) from the internet but not the rest of my network. So my whole network should be in the same VLAN but each VM should be individually in separate VLANs.
1) I've allready created the VLANs on my Netgear Switch. I know my DD-WRT also has VLAN support. Do I need to create the same VLANs on that also?
2) How to configure the VLAN part of the Hyper-V server? (by the way, my server OS is Windows Server 2008 R2 with the hyper-v role, it's not the bare-metal hyper-v)Should my Virtual Switch be in VLAN 10 and my VMs in the other VLANs?Should the port (on the netgear switch) in which my server is connected, be in VLAN 10 (so that my server is accessible from every other computer in the network)?
View 6 Replies
View Related
Jan 28, 2013
I am going to creat VLANs very 1st time therefore for test purpose I have following simple scnerio.I have created 2 VLANs , VLAN2 and VLAN3 on Cisco Catalyst 2960 series switch. Ports 1-12 is assigned to VLAN2 and Ports 13-24 are assiged to VLAN3. Now I have configured DHCP on Microsoft Server 2003 defining 2 scopes with following configurations.
Scope 1 for VLAN 2--- Range is 172.16.0.17 to 172.16.0.30 with subnet mask=255.255.255.240 . Server IP address 172.16.0.17
( Note: Address 172.16.0.17 is excluded from dhcp server Scope 1 and give to the MS server itself)
Scope 2 for VLAN 3----Range is 172.16.0.33 to 172.16.0.46 with subnet mask=255.255.255.240 .
Now in Cisco 2960 series switches, under Vlan 2 and Vlan 3, I have following configurations...
interface Vlan2
ip address 172.16.0.30 255.255.255.240
ip helper-address 172.16.0.17
interface Vlan3
ip address 172.16.0.46 255.255.255.240
ip helper-address 172.16.0.17
Now the problem is when i connect a client computer to any port from 1-12, It gets correct IP address from Scope 1 but when I connect a computer to any port from 13-24, it does not get the ip address.
Further I want to do inter VLAN comunication as well for that purpose i Have an ISR 2900 series router. What further configuration i will have to do on router for inter vlan communication.
View 3 Replies
View Related
Apr 24, 2013
I have a Cisco ASA 5505 with the base License. I want to split my network and add a new Internet Access, the first network in Orange works fine. My question is how can i access the file server from the second network (192.168.X.0 /24) ? The 3 switches are Cisco SF300-24P.
View 7 Replies
View Related
Jun 2, 2012
I was searching a lot , but I couldn't find any good example, how to configure DHCP server for our wireless clients on Cisco Autonomous AP. I'm looking for example how to configure Dot 11 radios and BVI interfaces.
I have no problem to configure DHCP server on BVI 1 and VLAN 1 ( native VLAN ) interfaces, but there is a problem with other BVI's and VLANs. Maybe this feature isn't supported? Maybe DHCP server feature is supported to work just with default BVI and native VLAN?
View 4 Replies
View Related
Nov 14, 2012
We have configured following commands on switch to fallback to local Vlan if both radius server (policy persona's) is found dead. For test purpose we shutdown both servers (policy persona's) but fallback didn't work. We have 3750 switch running image 12.2(55)SE6 having following configuration.We do not know whether we configured switch in proper way or do we need to modify it. [code]
View 5 Replies
View Related
May 12, 2011
We are trying to config vlan 10 for data and vlan 20 for voice on the same port - port 1 of swtich SF300-24P to run both data and voice on different vlans.Do I have to add vlan 10 as an untagged vlan to port 1 and add vlan 20 as an tagged vlan to port 1?If I do not want to assign the native vlan 1 to port 1, how can I remove it ? The GUI page - assign VLAN to port does not allow to remove it.Aslo, what mode shall I set up on port 1? General, trunk or access ?
View 18 Replies
View Related
Jan 12, 2013
How do I submit an RFE (Request For Enhancement) to the Cisco SBR team to encourage them to implement the missing support for VLAN to VLAN firewall rules that was available in the RVS4000 (See [URL]) and that was supposedly added to a beta release of the RV220W firmware (See [URL])?
View 1 Replies
View Related
Jan 10, 2012
Between our hosting and a customer we have an extended vlan, traveling on a fiber, between two cisco 3560 switches.The thing is, that we want to create one or more vlans inside that extended vlan, in some way if possible?
View 3 Replies
View Related
Jan 10, 2013
I have two networks at two sites with a dot1q trunk between the two L3 switches at both sites (no routers involved)
SITE A - Cisco 3750 L3 - VLAN ID 50
10.10.50.0/24
SITE B - Cisco 3750 L3 - VLAN ID 50
10.20.50.0/24
I would like to extend the SITE A VLAN to SITE B so that I can move hosts from SITE A to SITE B without needing to change their IP address but the vlan ID is already in use. Obviously the easy solution is to change the VLAN ID for one or other of the sites but both sites contain hosts that run 24/7. Is there a way to join two VLANs with different IDs together.So for example I create a new VLAN 60 at SITE B and associate it with VLAN 50 at SITE A.
View 4 Replies
View Related
Aug 12, 2012
We have 6509 VSS with FWSM Module and we have created two context on it, one is INTERNALL CONTEXT othe is EXTERNALL Context? We have spanned various VLANS in switches and FWSM context level. All VLAN Gateways are configured in context level.
Activity description : We had planned migration of these devices into a new Datacenter, it was a planned activity. During migration of devices from one Dc to a new DC we broke the VSS and kept the primary running and removed the secondary switch and migrated this secondary to new DC and powered this device ON in the new DC and checked all the config was very much fine but this device was OFF network as secondary was brought to new DC just to limit the downtime during the primary switch movement.
During the activity ( Primary switch movement )We powered off the Primary switch and mean time before shifting into new Data center We had brought up secondary switch which was already existing in the DC was put live in the network and it was working fine without any issues.
Later we had moved Primary into new data center and tried to put into VSS with the secondary , during this period the secondary device into went into RECOVERY MODE and primary device was not responding and devices went off network and immediatly we removed the VSL link and brought up primary into production network without secondary online in the network ( Without VSS just stand alone switch ) network started working, but bringing up the primary we found that some of the VLANS in the FWSM was deleted and some VLAN had misconfiguration ( example : say original VLAN ip 10.200.112.1 has become 10.300.13.1 ) also some of the access list as well as SVI was deleted making configuration mismatch.
Wanted to know while syncronization b/n primary and secondary switch in VSS if we pull out VSL link would create this type of issues.
View 1 Replies
View Related
Feb 2, 2011
I have set up 2 DHCP pools and 2 VLANs (1 *the native* for data / 1 VLAN for voice). When I use the command "switchport voice vlan 20" the port disapear from the show vlan brief list. When I use the "switchport access vlan 20" it shows up in the show vlan brief in the correct VLAN and gives the phone an IP. I assume that using the access instead of the voice is wrong and the phones would not configure correctly. But when I use the access the phone goes to the next step and tells me the TFTP files are not found. Why does the port disapear from the VLAN list?
View 8 Replies
View Related
Mar 31, 2013
i need to solves this little problem on 2960S lan BASE but i dont know if it is possible.
Uplink port config for gi 1/0/28 is:
switchport mode trunk
switchport trunk alloved vlan 10,11
but on interface gi 1/0/1 i want to have data from vlan 10 tagged as VLAN 20.
At this time i have solved this issue very primitively
I have set up gi 1/0/2 as int mode acces, acces vlan 20 and i have connected gi 1/0/2 with gi 1/0/3 with eth cable. int gi 1/0/3 is switchpor mode acces, switchport acces vlan 10
View 4 Replies
View Related
Sep 16, 2012
I have a 3750G switch in my production network that only has VLAN 1 on it. All ports are in a default state and VLAN 1 is disabled. The switch is passing traffic but shouldn't having the default VLAN shut down cause the ports not to pass traffic? If I start to create VLANs will that cause the switch to stop passing traffic?
View 4 Replies
View Related
Oct 12, 2011
I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.Idea is if the users takes the router home and someone, either accidentally or on pupose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.I found this link on Cisco's site: [URL]That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I dont have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
EZVPN_Remote(config-if)#int fa1
EZVPN_Remote(config-if)#dot
EZVPN_Remote(config-if)#dot1?
dot1q
EZVPN_Remote(config-if)#dot1
[code]....
View 1 Replies
View Related
Jun 13, 2011
I am trying to setup a L2tpv3 VLAN-to-VLAN tunnel.My setup has two Cisco 890 router with Cisco IOS Software version 15.0(1) M4. These routers are connected directly on FastEthernet port 8.
One linux machine is connected on FastEthernet port 0 on each router. The two linux machines are on same vlan. I am trying to establish a vlan-to-vlan tunnel between the routers and send traffic between the linux machines.
I followed the case study 11.4 from [URL] and configured the l2tp-class and pseudowire-class. However, the vlan interface configuration is different on 890 router.
I configured a vlan interface as follows.
(config)#vlan 200
(config)# interface FastEthernet 0
#shutdown
#switchport access vlan 200
(config)# interface vlan 200
I don't see the 'xconnect' command in this context. What's wrong with my configuration?
View 3 Replies
View Related
Nov 20, 2012
We have a low bandwith (15-20 Mbit/s) to the ASA from our Client vlan. If i connect the Client to the same vlan as the ASA is, the bandwith (90 Mbit/s) is good.
Here are the Layer 3 Design:
Client -> vlan 2 - Switch - vlan 7 -> vlan 1 - ASA 5505 -> ISP
The Layer 2 Design:
Client -> Gig2/0/13 - Switch - Gig4/0/43 -> Eth0/1 ASA5505 -> ISP
IP Address:
Client: 172.16.2.10Vlan2: 172.16.2.1Vlan7: 172.16.7.1ASA: 172.16.7.2
I assuming the switch has a problem with routing ?It is a stacked Switch with following members:
switch 1 provision ws-c3750g-12sswitch 2 provision ws-c3750g-24tsswitch 3 provision ws-c3750g-24tsswitch 4 provision ws-c3750x-48
And we have following error message in the log from the switch:
%PLATFORM_UCAST-4-PREFIX:
One or more specific prefixes could not be programmed into TCAM and are being covered by a less specific prefix, and the packets may be software forwarded I first get the idea that the switch is overloaded with router traffic. Thats why i assuming i have to check the sdm templates, but i'm not sure if this resolves the issue.
Here are the relevant config:
ASA Interface on the Switch:
interface GigabitEthernet4/0/43description ASA-inside LANswitchport access vlan 7switchport mode accessspanning-tree portfast
Client Interface on the Switch:
interface GigabitEthernet3/0/1switchport access vlan 2switchport mode accessswitchport port-securityswitchport port-security aging time 2switchport port-security violation restrictswitchport port-security aging type inactivitymacro description cisco-desktopspanning-tree portfastspanning-tree bpduguard enable
[code]...
View 2 Replies
View Related
