VLAN Basics

Discussion in 'Cisco' started by Mark St Laurent, Oct 6, 2005.

  1. I am new to VLAN concepts. I would like to configure my 8 2950 series
    switches, with the latest IOS version installed, to incorporate multiple
    VLANs to isolate different departments. I am coming to the conclusion that
    internet traffic generated from each VLAN will require separate trunk ports
    connected to !!their own interface on the router!!. Is there a way around
    this using only C2950C24 series switches and a C2811 series router? I've seen
    posts referring to PBR but don't believe this is supported on the C2950, being a
    layer 2 device. How is this typically configured? Currently running 130+ on
    Native VLAN1.

    Thanks
    Mark St Laurent, Oct 6, 2005
    #1

  2. In article <sIf1f.9443$>,
    Mark St Laurent <stormrunner'_removethis'@comcast.net> wrote:
    :I am new to VLAN concepts. I would like to configure my 8 2950 series
    :switches with the latest IOS version installed, to incorporate multiple
    :VLANs to isolate different departments.

    OK.

    :I am coming to the conclusion that
    :internet traffic generated from each VLAN will require separate trunk ports
    :connected to !!their own interface on the router!!.

    No, that's not the case at all. When you designate a port as a trunk
    port, you can add multiple VLANs to it, and all the VLAN traffic will
    be multiplexed over the one interface. The method for adding multiple
    VLANs to a port varies a bit, but typically in IOS it involves
    creating "subinterfaces" and telling the subinterface that it is part
    of the VLAN.

    --
    These .signatures are sold by volume, and not by weight.
    Walter Roberson, Oct 6, 2005
    #2

  3. You could home 7 of the 2950s to a "master" 2950 and then connect the
    master 2950 to the 2811 router. To have more than one VLAN on a
    particular 2950, you would need to enable trunking between the 2950 and
    the master 2950. The master 2950 would also have trunking enabled
    between it and the 2811 router. Do not use VLAN 1 when and if you
    move to multiple VLANs.
    Merv, Oct 6, 2005
    #3
  4. I have created, for instance, on a C2950C24 running 12.1(22)EA4 a VLAN 5 and
    enabled 802.1q trunking on fa 0/1, which is the port for the 2811 router. On the
    same switch, fa 0/17 is configured for VLAN 5; when I plug my laptop
    into this port and manually configure the IP address to 192.168.1.212 I cannot
    ping the gateway at 192.168.1.253. I realize that once working I should
    configure VLAN5 to 192.168.2.xxx then create another NAT overload on the
    external router interface, but I can't get anything from VLAN 5 FA 0/17 to
    forward to the router. Note: if I do "no shut" on INT VLAN5 I can then at least
    access the switch (telnet).

    Any help greatly appreciated

    C2811 (192.168.1.253)
        |
    FA 0/1 (trunk, VLAN ALL) ----- C2950 ----- FA 0/17 (VLAN 5) ----- FA 0/26 (trunk)
                                                     |                        |
                                          Laptop (192.168.1.212)          Next Switch


    spanning-tree mode rapid-pvst
    spanning-tree loopguard default
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    !
    macro global description cisco-global
    !
    interface FastEthernet0/1
    description C2811
    switchport trunk pruning vlan none
    switchport mode trunk
    switchport nonegotiate
    mls qos trust dscp
    auto qos voip trust
    macro description cisco-router
    spanning-tree portfast
    spanning-tree bpduguard enable

    interface FastEthernet0/17
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/26
    switchport mode trunk
    switchport nonegotiate
    mls qos trust cos
    auto qos voip trust
    macro description cisco-switch
    spanning-tree link-type point-to-point

    !
    interface Vlan1
    ip address 192.168.1.249 255.255.255.0
    no ip route-cache
    !
    interface Vlan5
    no ip address
    no ip route-cache
    shutdown
    !
    ip default-gateway 192.168.1.253

    C2950Cs1#sh vtp status
    VTP Version : 2
    Configuration Revision : 2
    Maximum VLANs supported locally : 250
    Number of existing VLANs : 6
    VTP Operating Mode : Server
    VTP Domain Name :
    VTP Pruning Mode : Disabled
    VTP V2 Mode : Disabled
    VTP Traps Generation : Enabled
    MD5 digest : 0x0C 0x12 0xEB 0x17 0xC7 0xF6 0x63 0x87
    Configuration last modified by 192.224.60.249 at 10-6-05 20:53:29
    Local updater ID is 192.168.1.249 on interface Vl1 (lowest numbered VLAN interface found)

    C2950Cs1#sh vlan

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                    Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                    Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                    Fa0/14, Fa0/15, Fa0/16, Fa0/18
                                                    Fa0/19, Fa0/20, Fa0/21
    5    VLAN0005                         active    Fa0/17
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1    enet  100001     1500  -      -      -        -    -        0      0
    5    enet  100005     1500  -      -      -        -    -        0      0
    1002 fddi  101002     1500  -      -      -        -    -        0      0
    1003 tr    101003     1500  -      -      -        -    -        0      0
    1004 fdnet 101004     1500  -      -      -        ieee -        0      0
    1005 trnet 101005     1500  -      -      -        ibm  -        0      0

    Remote SPAN VLANs
    ------------------------------------------------------------------------------

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:di41ml$i1$...
    > In article <sIf1f.9443$>,
    > Mark St Laurent <stormrunner'_removethis'@comcast.net> wrote:
    > :I am new to VLAN concepts. I would like to configure my 8 2950 series
    > :switches with the latest IOS version installed, to incorporate multiple
    > :VLANs to isolate different departments.
    >
    > OK.
    >
    > :I am coming to the conclusion that
    > :internet traffic generated from each VLAN will require separate trunk ports
    > :connected to !!their own interface on the router!!.
    >
    > No, that's not the case at all. When you designate a port as a trunk
    > port, you can add multiple VLANs to it, and all the VLAN traffic will
    > be multiplexed over the one interface. The method for adding multiple
    > VLANs to a port varies a bit, but typically in IOS it involves
    > creating "subinterfaces" and telling the subinterface that it is part
    > of the VLAN.
    >
    > --
    > These .signatures are sold by volume, and not by weight.
    Mark St Laurent, Oct 6, 2005
    #4
  5. As you can see from the above (re: Walter), I believe I have done this, but it does
    not work. Maybe I am missing something quite simple? I don't know; please
    advise.

    Thanks


    "Merv" <> wrote in message
    news:...
    > You could home 7 of the 2950 to a "master" 2950 and then connect the
    > master 2950 to the 2811 router. To have more than one VLAN on a
    > particular 2950, you would need to enable trunking between the 2950 and
    > the master 2950. The master 2950 would also have trunking enabled
    > between it and the 2811 router. Do not use VLAN 1 when and if you
    > move to multiple VLANs.
    >
    Mark St Laurent, Oct 6, 2005
    #5
  6. Post your router config also.
    Merv, Oct 6, 2005
    #6
  7. In article <EFg1f.1555$>,
    Mark St Laurent <stormrunner'_removethis'@comcast.net> wrote:
    >I have created for instance on C2950C24 running 12.1(22)EA4 a VLAN 5 and
    >enabled 802.1q trunking on fa 0/1 which is the port for 2811 router. On the
    >same switch in fa 0/17 which is configured for VLAN 5


    >C2950Cs1#sh vlan


    >5 VLAN0005 active Fa0/17


    You want to trunk VLAN 5 over fa 0/1 but you haven't enabled vlan 5 on
    fa 0/1.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
    Walter Roberson, Oct 7, 2005
    #7
  8. My Router Config


    Current configuration : 12404 bytes
    !

    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname *************
    !
    boot-start-marker
    boot system flash c2800nm-advsecurityk9-mz.124-3.bin
    boot system flash c2800nm-advsecurityk9-mz.123-8.T6.bin
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 4096 debugging
    logging console critical
    enable secret 5 ***************************
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 20
    clock timezone Pacific -8
    clock summer-time Pacific date Apr 6 2003 2:00 Oct 26 2003 2:00
    ip subnet-zero
    no ip source-route
    ip tcp synwait-time 10
    !
    !
    ip cef
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    !
    !
    ip ips sdf location flash://256MB.sdf
    ip ips notify SDEE
    ip ips name sdm_ips_rule_102 list 102
    no ip bootp server
    ip domain name ***************.COM
    ip name-server 206.13.29.12
    ip name-server 206.13.30.12
    ip sla monitor 1
    type echo protocol ipIcmpEcho ***.***.***.***
    ip sla monitor schedule 1 life forever start-time now
    !
    !
    !

    !
    !
    track 123 rtr 1 reachability
    !
    class-map match-any p2p
    match protocol fasttrack
    match protocol gnutella
    match protocol napster
    match protocol http url "\.hash=*"
    match protocol http url "/.hash=*"
    match protocol kazaa2
    !
    !
    policy-map p2p
    class p2p
    police cir 8000 bc 1500 be 1500
    conform-action drop
    exceed-action drop
    !
    !
    !
    bridge irb
    !
    !
    interface Null0
    no ip unreachables
    !
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$FW_INSIDE$
    ip address 192.168.1.251 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip policy route-map FAILOVER
    duplex auto
    speed auto
    vrrp 1 ip 192.168.1.253
    vrrp 1 priority 254
    vrrp 1 authentication md5 key-string 7 ***************** timeout 30
    no mop enabled
    service-policy input p2p
    service-policy output p2p
    !
    interface FastEthernet0/1
    description $FW_INSIDE$
    ip address 172.18.0.1 255.255.255.252
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no mop enabled
    !
    interface Serial0/0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    !
    interface ATM0/2/0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0/2/0.1 point-to-point
    bridge-group 1
    pvc 0/35
    encapsulation aal5snap
    !
    !
    interface BVI1
    description $FW_OUTSIDE$
    mac-address 0000.****.****
    ip address ***.***.***.177 255.255.255.248
    ip access-group 102 in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect DEFAULT100 out
    ip ips sdm_ips_rule_102 in
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 ***.***.***.182
    ip route 0.0.0.0 0.0.0.0 192.168.1.252 20
    ip route ***.***.***.125 255.255.255.255 192.168.1.252 permanent
    ip flow-export version 5
    ip flow-export destination 192.168.1.14 2055
    ip flow-top-talkers
    top 10
    sort-by bytes
    cache-timeout 2000
    !
    no ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list 1 interface BVI1 overload
    ip nat inside source static 172.18.0.2 ***.***.***.178
    !
    logging trap debugging
    logging 192.168.1.7
    access-list 1 remark INSIDE_IF=FastEthernet0/0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 permit 192.168.1.14 log
    access-list 2 remark SDM_ACL Category=1
    access-list 2 remark HTTP Access-class list
    access-list 2 permit 192.168.1.6 log
    access-list 2 remark HTTP Access-class list
    access-list 2 permit 192.168.1.7 log
    access-list 2 deny any
    access-list 10 permit 192.168.1.14
    access-list 10 permit 192.168.1.6
    access-list 10 permit 192.168.1.7
    access-list 10 deny any
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 remark ISPrime (Porn)
    access-list 100 deny ip any 66.230.128.0 0.0.63.255
    access-list 100 deny ip ***.***.***.176 0.0.0.7 any
    access-list 100 deny ip 172.18.0.0 0.0.0.3 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 deny ip ***.***.***.176 0.0.0.7 any
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 permit ip any any
    access-list 102 remark auto generated by SDM firewall configuration
    access-list 102 remark SDM_ACL Category=1
    access-list 102 permit icmp any host ***.***.***.177 echo
    access-list 102 remark Auto generated by SDM for NTP (123) time-a.timefreq.bldrdoc.gov
    access-list 102 permit udp host 132.163.4.101 eq ntp host ***.***.***.177 eq ntp
    access-list 102 remark SBCGlobal DNS
    access-list 102 permit udp host 206.13.30.12 eq domain host ***.***.***.177
    access-list 102 permit udp host 206.13.29.12 eq domain host ***.***.***.177
    access-list 102 deny ip 172.18.0.0 0.0.0.3 any
    access-list 102 deny ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit icmp any host ***.***.***.177 time-exceeded
    access-list 102 permit icmp any host ***.***.***.177 unreachable
    access-list 102 deny ip 10.0.0.0 0.255.255.255 any
    access-list 102 deny ip 172.16.0.0 0.15.255.255 any
    access-list 102 deny ip 127.0.0.0 0.255.255.255 any
    access-list 102 deny ip host 255.255.255.255 any
    access-list 102 deny ip host 0.0.0.0 any
    access-list 102 deny ip any any log
    access-list 103 remark VTY Access-class list
    access-list 103 remark SDM_ACL Category=1
    access-list 103 remark VTY Access-class list
    access-list 103 permit tcp host 192.168.1.6 any eq 22 log
    access-list 103 remark VTY Access-class list
    access-list 103 permit tcp host 192.168.1.6 any eq 22 log
    access-list 103 remark VTY Access-class list
    access-list 103 permit tcp host 192.168.1.14 any range 22 telnet log
    access-list 103 deny ip any any log
    access-list 199 permit ip 192.168.1.0 0.0.0.255 host 206.13.29.12
    access-list 199 permit ip 192.168.1.0 0.0.0.255 host 206.13.30.12
    access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
    access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
    access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
    access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
    access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.255.255
    access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.31.255
    access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
    access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.15
    access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.31
    access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.15
    access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.15.255
    access-list 199 permit ip host 192.168.1.1 any
    access-list 199 permit ip host 192.168.1.2 any
    access-list 199 permit ip host 192.168.1.145 any
    access-list 199 permit ip host 192.168.1.146 any
    access-list compiled
    snmp-server community ******** RO 10
    snmp-server enable traps tty
    snmp-server host 192.168.1.7 *******
    route-map FAILOVER permit 10
    match ip address 199
    set ip next-hop verify-availability 192.168.1.252 10 track 123
    !
    route-map FAILOVER permit 20
    match ip address 199
    set ip next-hop ***.***.***.182
    !
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    banner exec ^C
    -----------------------------------------------------------------------
    UNAUTHORIZED access is a Federal Offense Punishable by fines and/or
    imprisonment. UNAUTHORIZED users must disconnect immediately. Network
    traffic may be logged or monitored without further notice, the
    resulting logs may be used as evidence in court.
    -----------------------------------------------------------------------

    -----------------------------------------------------------------------
    || ||
    || ||
    |||| ||||
    ..:||||||:..:||||||:..
    c i s c o S y s t e m s

    -----------------------------------------------------------------------
    ^C
    banner login ^C
    Property of **************** Authorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    access-class 103 in
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    access-class 103 in
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler allocate 20000 1000
    ntp clock-period 17179685
    ntp update-calendar
    ntp server 192.168.1.252 source FastEthernet0/0
    ntp server 132.163.4.101 source BVI1 prefer
    !
    end



    "Merv" <> wrote in message
    news:...
    > post your router config also
    >
    Mark St Laurent, Oct 7, 2005
    #8
  9. You would need to enable trunking on the router fast ethernet interface
    that faces the 2950. Given this router is in production you would want
    to save the current config and do this out of hours.


    int fa 0/0.1
    description trunk VLAN 1
    encap dot1q 1 native
    ip address 192.168.1.251 255.255.255.0
    exit

    int fa 0/0.5
    description trunk VLAN 5
    encap dot1q 5
    ip address 192.168.5.251 255.255.255.0
    exit


    You might also want to renumber the BVI interface from 1 to something
    else (i.e. not any of the VLAN numbers you plan to use, including VLAN 1).
    Merv, Oct 7, 2005
    #9
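The mismatch Walter and Merv are pointing at (a VLAN on the switch trunk with nothing terminating it on the router, plus a bridge-group number that reuses a VLAN id) can be checked mechanically. The following Python audit is an added example, not code from the thread: it parses constructed, trimmed copies of the two configs posted here (the masked public address replaced with 203.0.113.177) and reports what is missing before and after Merv's fix.

```python
import re

# Constructed sample reduced from the 2950 config posted in this thread.
SWITCH_CFG = """\
interface FastEthernet0/1
 switchport mode trunk
interface FastEthernet0/17
 switchport access vlan 5
 switchport mode access
"""
# Router as first posted: VLAN 1 on the physical port only, BVI1 for the ADSL side.
ROUTER_BEFORE = """\
interface FastEthernet0/0
 ip address 192.168.1.251 255.255.255.0
interface ATM0/2/0.1 point-to-point
 bridge-group 1
interface BVI1
 ip address 203.0.113.177 255.255.255.248
"""
# After Merv's fix: dot1Q subinterfaces for VLAN 1 (native) and 5, bridge moved to 9.
ROUTER_AFTER = """\
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.251 255.255.255.0
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.251 255.255.255.0
interface BVI9
 ip address 203.0.113.177 255.255.255.248
"""

def interfaces(cfg):
    """Map each 'interface X' block to its list of stripped sub-commands."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return blocks

def switch_trunk_vlans(switch_cfg, native=1):
    """VLANs sent up the trunk: every access VLAN plus the (default) native VLAN."""
    vlans = {native}
    for cmds in interfaces(switch_cfg).values():
        for cmd in cmds:
            if m := re.match(r"switchport access vlan (\d+)", cmd):
                vlans.add(int(m.group(1)))
    return vlans, native

def router_vlans(router_cfg):
    """({tagged VLAN: subinterface}, interface taking untagged frames, or None)."""
    tagged, untagged = {}, None
    for name, cmds in interfaces(router_cfg).items():
        # Untagged frames land on a 'native' subinterface, else on a physical
        # Ethernet port that still carries an IP address.
        physical = name.startswith(("FastEthernet", "GigabitEthernet")) and "." not in name
        for cmd in cmds:
            if m := re.match(r"encapsulation dot1[qQ] (\d+)( native)?", cmd):
                tagged[int(m.group(1))] = name
                if m.group(2):
                    untagged = name
            elif physical and cmd.startswith("ip address"):
                untagged = untagged or name
    return tagged, untagged

def audit(switch_cfg, router_cfg):
    """Mismatches that would leave a VLAN without a working gateway."""
    vlans, native = switch_trunk_vlans(switch_cfg)
    tagged, untagged = router_vlans(router_cfg)
    findings = []
    for v in sorted(vlans):
        if v == native and untagged is None and v not in tagged:
            findings.append(f"native VLAN {v}: nothing on the router handles untagged frames")
        elif v != native and v not in tagged:
            findings.append(f"VLAN {v}: no 'encapsulation dot1Q {v}' subinterface on the router")
    # Merv's last point: the IRB bridge-group/BVI number must not reuse a VLAN id.
    bridges = {int(n) for n in re.findall(r"(?:bridge-group |interface BVI)(\d+)", router_cfg)}
    for bg in sorted(bridges & vlans):
        findings.append(f"bridge-group/BVI {bg} collides with VLAN {bg} carried on the trunk")
    return findings
```

Running `audit(SWITCH_CFG, ROUTER_BEFORE)` reports the missing VLAN 5 subinterface and the bridge-group 1 collision; the same call against `ROUTER_AFTER` returns an empty list.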
  10. When I go into CNA (Cisco Network Assistant) it says that FA0/1 is configured
    for ALL VLAN access. I also found the sh vlan output strange.

    CNA Interface List

    FA0/1 802.1Q Trunk - Nonnegotiate VLAN ALL

    If there is a way via CLI to add VLAN 5 implicitly to FA0/1, what is the
    syntax, and is this not redundant? The literature implies that creating an 802.1Q
    trunk allows ALL by definition; you can, however, exclude VLANs via CLI entries.

    Does this apply to what I am doing? It wouldn't be the first time I found
    info that looked right but wasn't applicable to my case.
    FYI, the enhanced image is installed.

    Defining the Allowed VLANs on a Trunk
    By default, a trunk port sends traffic to and receives traffic from all
    VLANs. All VLAN IDs, 1 to 4094 when the EI is installed, and 1 to 1005 when
    the SI is installed, are allowed on each trunk. However, you can remove
    VLANs from the allowed list, preventing traffic from those VLANs from
    passing over the trunk. To restrict the traffic a trunk carries, use the
    switchport trunk allowed vlan remove vlan-list interface configuration
    command to remove specific VLANs from the allowed list.





    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:di4adt$boh$...
    > In article <EFg1f.1555$>,
    > Mark St Laurent <stormrunner'_removethis'@comcast.net> wrote:
    >>I have created for instance on C2950C24 running 12.1(22)EA4 a VLAN 5 and
    >>enabled 802.1q trunking on fa 0/1 which is the port for 2811 router. On the
    >>same switch in fa 0/17 which is configured for VLAN 5

    >
    >>C2950Cs1#sh vlan

    >
    >>5 VLAN0005 active Fa0/17

    >
    > You want to trunk VLAN 5 over fa 0/1 but you haven't enabled vlan 5 on
    > fa 0/1 .
    > --
    > "No one has the right to destroy another person's belief by
    > demanding empirical evidence." -- Ann Landers
    Mark St Laurent, Oct 7, 2005
    #10
  11. I only use CLI so could not comment on any GUI configuration tool.
    Merv, Oct 7, 2005
    #11
  12. Thank you. I was wondering why a link in the literature did not point to the
    corresponding config on the router if there was one, as obviously there is.
    I searched for 2 days for something like this; will try this tomorrow.

    I am seeing this kind of hardware available for VLAN configs:

    VLAN Interface Support · Support for VLAN interface configuration for
    Cisco EtherSwitch® ports

    Is the above method superior to creating subinterfaces on one interface as
    below, and if not, would it be safe to create 6 or more subinterfaces as
    detailed below?




    "Merv" <> wrote in message
    news:...
    >
    > You would need to enable trunking on the router fast ethernet interface
    > that faces the 2950. Given this router is in production you would want
    > to save the current config and do this out of hours.
    >
    >
    > int fa 0/0.1
    > description trunk VLAN 1
    > encap dot1q 1 native
    > ip address 192.168.1.251 255.255.255.0
    > exit
    >
    > int fa 0/0.5
    > description trunk VLAN 5
    > encap dot1q 5
    > ip address 192.168.5.251 255.255.255.0
    > exit
    >
    >
    > You might also want to renumber the BVI interface from 1 to something
    > else (i.e. not any of the VLAN numbers you plan to use, including VLAN 1).
    >
    Mark St Laurent, Oct 7, 2005
    #12
  13. Thanks Merv, this was precisely the problem. Modified the BVI bridge group to
    9, then created subinterfaces for fa0/0 and moved route-maps and other config
    lines accordingly; worked like a charm. Ethereal packet scans (VLAN5) showed
    CDP (easily remedied), STP and LOOP replies; I'm not certain if the latter 2
    are a problem or not. An Angry PingScan hit the entire LAN; remedied with an ACL
    denying the VLAN5 network to the LAN network. I remember in an earlier post you
    spoke of PBR to Internet only (not this topic, in WEP Best Practices); that is
    what I am using port 17 VLAN5 for.
    Hung a wireless "router" off it, WAN to int fa0/17, also PAT'd to a different
    wireless client range. Ethereal scan from the wireless adapter: no Corp LAN traffic.
    Still would like your thoughts on the advantages of PBR vs ACL to prevent
    wireless access to the Corp LAN.

    Once again, thanks for your help.

    "Merv" <> wrote in message
    news:...
    >
    > You would need to enable trunking on the router fast ethernet interface
    > that faces the 2950. Given this router is in production you would want
    > to save the current config and do this out of hours.
    >
    >
    > int fa 0/0.1
    > description trunk VLAN 1
    > encap dot1q 1 native
    > ip address 192.168.1.251 255.255.255.0
    > exit
    >
    > int fa 0/0.5
    > description trunk VLAN 5
    > encap dot1q 5
    > ip address 192.168.5.251 255.255.255.0
    > exit
    >
    >
    > You might also want to renumber the BVI interface from 1 to something
    > else (i.e. not any of the VLAN numbers you plan to use, including VLAN 1).
    >
    stormrunner, Oct 8, 2005
    #13
  14. If you can accomplish what you want with ACLs, that is fine; otherwise
    use PBR.
    Merv, Oct 8, 2005
    #14
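To check that an ACL of the kind Mark describes in #13 really cuts VLAN 5 off from the corporate LAN while leaving its default route to the Internet intact, here is an added Python evaluator (not from the thread) that applies IOS wildcard-mask matching and first-match semantics to sample flows and flags entries that an earlier "any any" line makes unreachable. The ACL number 105, the 192.168.5.0/24 guest subnet (following Merv's subinterface numbering) and its placement inbound on the VLAN 5 subinterface are assumptions.

```python
import ipaddress

# Constructed: the intended inbound ACL for the VLAN 5 subinterface. The deny comes
# first so guests lose the corporate LAN but keep the default route to the Internet.
GUEST_ACL = """
access-list 105 remark isolate wireless VLAN 5 from the corporate LAN
access-list 105 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.168.5.0 0.0.0.255 any
"""
# Constructed: the same intent with the lines in the wrong order; the deny is dead.
BROKEN_ACL = """
access-list 105 permit ip any any
access-list 105 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def _addr(text):
    return int(ipaddress.IPv4Address(text))

def parse_match(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') from tokens.
    Returns (predicate on an int IPv4, is_any, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), True, tokens[1:]
    if tokens[0] == "host":
        target = _addr(tokens[1])
        return (lambda ip: ip == target), False, tokens[2:]
    base, wild = _addr(tokens[0]), _addr(tokens[1])
    care = 0xFFFFFFFF ^ wild  # IOS wildcard: a 1 bit means "don't care"
    return (lambda ip: ip & care == base & care), wild == 0xFFFFFFFF, tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines; remarks are skipped.
    Each entry is (action, src_pred, dst_pred, catch_all, original line)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        if tokens[3] != "ip":
            raise ValueError("only plain 'ip' entries are handled: " + line)
        src, src_any, rest = parse_match(tokens[4:])
        dst, dst_any, rest = parse_match(rest)
        entries.append((tokens[2], src, dst, src_any and dst_any, line))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First match wins, as on the router; every IOS ACL ends with an implicit deny."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for action, src, dst, _, line in entries:
        if src(s) and dst(d):
            return action, line
    return "deny", "implicit deny"

def shadowed(entries):
    """Lines that can never match because an earlier 'any any' entry precedes them."""
    dead, seen_catch_all = [], False
    for *_, catch_all, line in entries:
        if seen_catch_all:
            dead.append(line)
        seen_catch_all = seen_catch_all or catch_all
    return dead
```

With `GUEST_ACL`, a VLAN 5 host reaching 192.168.1.14 is denied and the same host reaching an Internet address is permitted; with `BROKEN_ACL` the LAN flow is permitted and `shadowed()` reports the dead deny line.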