Monday, 16 July 2012

Here we discuss the use of VLAN access-maps (VACLs). Suppose you are given the task of blocking communication between two hosts in the same VLAN. A router ACL on the VLAN interface will not help, because traffic between two hosts in the same VLAN is switched at layer 2 and never passes through the VLAN gateway (the SVI), so the ACL never sees it. A VLAN access-map is applied to every packet bridged within the VLAN, including host-to-host traffic, so it can do the job. The figure below shows the scenario.

Three hosts are connected to a 3560 switch, with IP addresses 10.10.10.100, 10.10.10.50 and 10.10.10.200. All three are members of VLAN 10, and the VLAN gateway is 10.10.10.1. We need to block communication between 10.10.10.100 and 10.10.10.200 while leaving everything else untouched. The configuration is below. After applying it, ping from 10.10.10.100 to 10.10.10.200 and vice versa: both fail silently (the switch drops the packets). Pinging 10.10.10.50 from either host still gets a reply. Two details matter. First, in a VLAN map the extended ACL only selects traffic (permit means "this clause matches"); the action comes from the map, and access-list 101 must list both directions, because the map matches the source and destination exactly as written in the ACL. Second, the sequence-30 clause with action forward is required: a VLAN map has an implicit deny at the end for every packet type it contains a match clause for, so without it every IP packet in VLAN 10 would be dropped. As written the map is IP-only; non-IP traffic such as ARP is still forwarded, so the two hosts can still learn each other's MAC addresses, and blocking that needs a MAC ACL (match mac address) or private VLANs. Verify with show vlan access-map and show vlan filter. The configuration is simple but the effect is very powerful.

! Extended ACL 101 selects the traffic to drop; permit here means "match".
! Both directions are listed so traffic from .200 back to .100 is dropped too.
access-list 101 permit ip host 10.10.10.100 host 10.10.10.200
access-list 101 permit ip host 10.10.10.200 host 10.10.10.100
!
vlan access-map deny-IP 20
 action drop
 match ip address 101
! Sequence 30 has no match clause, so it matches every other IP packet.
! Without it the implicit deny at the end of the map would drop all IP traffic in VLAN 10.
vlan access-map deny-IP 30
 action forward
!
vlan filter deny-IP vlan-list 10
!
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/8
 switchport access vlan 10
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
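The following is an added example, not code from the original post: a small Python model of how a Catalyst VLAN map evaluates an IP packet, so the two easy mistakes in the configuration above (an ACL that lists only one direction, and a map without the trailing forward clause) can be seen on sample traffic. The host addresses are the ones from the post; the contents of access-list 101 are what the text describes (block 10.10.10.100 and 10.10.10.200 from each other); the class and function names are my own and nothing here is an IOS API.

```python
"""Model of Catalyst VLAN access-map (VACL) evaluation (added example).

Semantics modelled: sequence clauses are tried in ascending order, the
first clause whose IP ACL *permits* the packet supplies the action, and a
packet that no clause matches hits the implicit deny at the end of the map.
Addresses are the post's; ACL 101 is what the post's text describes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Match = Tuple[str, str]             # (base address, Cisco wildcard mask)
ANY: Match = ("0.0.0.0", "255.255.255.255")


def host(ip: str) -> Match:
    """'host X' in ACL syntax: wildcard 0.0.0.0, every bit must match."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass(frozen=True)
class Ace:
    """One entry of an extended IP ACL (protocol 'ip' assumed)."""
    permit: bool
    src: Match
    dst: Match

    def matches(self, src: str, dst: str) -> bool:
        return wildcard_match(src, *self.src) and wildcard_match(dst, *self.dst)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry wins; implicit deny if nothing matches."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.permit
    return False


@dataclass(frozen=True)
class Clause:
    """One 'vlan access-map NAME SEQ' block."""
    seq: int
    action: str                  # "drop" or "forward"
    acl: Optional[List[Ace]]     # None: no match clause, matches every IP packet


def vacl_action(vlan_map: List[Clause], src: str, dst: str) -> str:
    """Action the VLAN map applies to an IP packet bridged inside the VLAN.

    The ACL only selects traffic: a 'permit' ACE means 'this clause
    matches'; the clause's action decides drop or forward.
    """
    for clause in sorted(vlan_map, key=lambda c: c.seq):
        if clause.acl is None or acl_permits(clause.acl, src, dst):
            return clause.action
    return "drop"    # implicit deny at the end of the map


# access-list 101 as the post describes it: both directions listed.
ACL_101 = [
    Ace(True, host("10.10.10.100"), host("10.10.10.200")),
    Ace(True, host("10.10.10.200"), host("10.10.10.100")),
]
ACL_101_ONE_WAY = ACL_101[:1]    # the same ACL with only one direction (a common slip)

DENY_IP = [Clause(20, "drop", ACL_101), Clause(30, "forward", None)]
DENY_IP_ONE_WAY = [Clause(20, "drop", ACL_101_ONE_WAY), Clause(30, "forward", None)]
DENY_IP_NO_FORWARD = [Clause(20, "drop", ACL_101)]      # sequence 30 forgotten

HOSTS = ["10.10.10.100", "10.10.10.50", "10.10.10.200"]   # constructed from the post


def ping_matrix(vlan_map: List[Clause], hosts: List[str]) -> Dict[Tuple[str, str], str]:
    """Action for every ordered (src, dst) pair of hosts in the VLAN."""
    return {(s, d): vacl_action(vlan_map, s, d) for s in hosts for d in hosts if s != d}


if __name__ == "__main__":
    for name, vmap in [("deny-IP", DENY_IP), ("one-way ACL", DENY_IP_ONE_WAY),
                       ("no forward clause", DENY_IP_NO_FORWARD)]:
        print(f"--- {name}")
        for (s, d), act in sorted(ping_matrix(vmap, HOSTS).items()):
            print(f"{s:>13} -> {d:<13} {act}")
```

Running it shows the correct map dropping exactly the two .100/.200 directions and forwarding everything involving .50. With the one-way ACL, packets from .200 to .100 are still forwarded; a ping from .200 still fails because the echo reply from .100 is dropped, but any one-way traffic from .200 to .100 (UDP, for example) would pass unnoticed. With the forward clause missing, every pair is dropped, which is what the implicit deny does to a map that has an IP match clause.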

Tuesday, 6 March 2012

Overlapping destination IP networks

Scenario: suppose your company acquires another company, and management wants you to connect the new company's network to the existing one. You then find a serious problem: one of your networks overlaps with a network at the new company. How do you go about it? The network diagram is below. SITEA is your company and is already connected to SITEB. The new company is SITEC. SITEB and SITEC use the same network, 10.10.10.0/24. The fix is NAT on the SITEC router: a static network translation presents SITEC's 10.10.10.0/24 to the rest of the network as 192.168.1.0/24, keeping the host part of every address, so SITEA routes 10.10.10.0/24 towards SITEB and 192.168.1.0/24 towards SITEC and the two no longer conflict. The router configurations are below; you can simulate the same scenario in GNS3 and check it yourself. Two caveats: the translation is only on the SITEC router, so SITEB and SITEC still cannot reach each other directly, because each sees 10.10.10.0/24 as its own connected subnet; covering that needs the other side translated as well (ip nat outside source static network) plus the matching routes. And the vty passwords in these lab configs (password cisco, with no service password-encryption) are for the lab only.


SITEA
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITEA
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
!
interface Loopback0
 ip address 172.29.55.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 3.3.3.2 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 3.3.3.1
ip route 192.168.1.0 255.255.255.0 2.2.2.1
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

SITEB

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITEB
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
!
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 3.3.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 172.29.55.0 255.255.255.0 3.3.3.2
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

SITEC
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITEC
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
!
interface Loopback0
 no ip address
 ip nat inside
!
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 172.29.55.0 255.255.255.0 2.2.2.2
!
no ip http server
no ip http secure-server
ip nat inside source static network 10.10.10.0 192.168.1.0 /24
!

access-list 50 permit 10.10.10.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

R5
!
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.20 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

On the SITEC router, verify by executing the following command. The last row is the network entry created by the static network statement; the per-host rows appear once those hosts have sent traffic, and each keeps its host part (10.10.10.20 becomes 192.168.1.20).

SITEC#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.1.1        10.10.10.1         ---                ---
--- 192.168.1.2        10.10.10.2         ---                ---
--- 192.168.1.20       10.10.10.20        ---                ---
--- 192.168.1.0        10.10.10.0         ---                ---
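As an added example (not the post's own code), the Python below reproduces what `ip nat inside source static network 10.10.10.0 192.168.1.0 /24` does on the SITEC router and checks the plan before it is configured: it finds the overlapping prefix between the sites, maps each inside-local host to the same offset in the inside-global prefix (so the mapping is one-to-one, stateless and reversible), and confirms that the chosen inside-global prefix does not itself collide with anything SITEA or SITEB already routes. The prefixes are taken from the configurations above; the class and function names are my own.

```python
"""Static network NAT for an overlapping subnet (added example).

Models 'ip nat inside source static network LOCAL GLOBAL /LEN': every
inside-local host keeps its host bits and is mapped to the same offset in
the inside-global prefix.  Prefixes are the post's; names are mine.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


def find_overlaps(sites: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """(site_a, site_b, prefix_a, prefix_b) for every pair of prefixes that overlap."""
    found = []
    names = sorted(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for pa in sites[a]:
                for pb in sites[b]:
                    if IPv4Network(pa).overlaps(IPv4Network(pb)):
                        found.append((a, b, pa, pb))
    return found


class StaticNetworkNat:
    """One 'ip nat inside source static network' statement."""

    def __init__(self, inside_local: str, inside_global: str, prefixlen: int):
        self.local = IPv4Network(f"{inside_local}/{prefixlen}")
        self.glob = IPv4Network(f"{inside_global}/{prefixlen}")

    @staticmethod
    def _shift(ip: str, src: IPv4Network, dst: IPv4Network) -> Optional[str]:
        addr = IPv4Address(ip)
        if addr not in src:
            return None              # not covered by this translation
        offset = int(addr) - int(src.network_address)   # host bits are preserved
        return str(IPv4Address(int(dst.network_address) + offset))

    def to_global(self, inside_local_ip: str) -> Optional[str]:
        """Source translation applied to an inside-to-outside packet."""
        return self._shift(inside_local_ip, self.local, self.glob)

    def to_local(self, inside_global_ip: str) -> Optional[str]:
        """Destination translation applied to an outside-to-inside packet."""
        return self._shift(inside_global_ip, self.glob, self.local)

    def translation_table(self, hosts: List[str]) -> List[Tuple[str, str]]:
        """Rows in the order 'show ip nat translations' prints them:
        (inside global, inside local), host entries then the network entry."""
        rows = [(g, h) for h in hosts for g in [self.to_global(h)] if g]
        rows.append((str(self.glob.network_address), str(self.local.network_address)))
        return rows


def global_prefix_is_free(nat: StaticNetworkNat, reachable: List[str]) -> bool:
    """The inside-global prefix must not overlap anything the far side already routes."""
    return not any(nat.glob.overlaps(IPv4Network(p)) for p in reachable)


# Prefixes constructed from the configs above.
SITES = {
    "SITEA": ["172.29.55.0/24", "2.2.2.0/24", "3.3.3.0/24"],
    "SITEB": ["10.10.10.0/24"],
    "SITEC": ["10.10.10.0/24"],
}
SITEC_NAT = StaticNetworkNat("10.10.10.0", "192.168.1.0", 24)

if __name__ == "__main__":
    print("overlaps:", find_overlaps(SITES))
    print("global prefix free:", global_prefix_is_free(SITEC_NAT, SITES["SITEA"] + SITES["SITEB"]))
    print("Inside global      Inside local")
    for g, l in SITEC_NAT.translation_table(["10.10.10.1", "10.10.10.2", "10.10.10.20"]):
        print(f"{g:<18} {l}")
```

The table it prints matches the show output above. The `global_prefix_is_free` check is the step worth keeping in a real migration: picking an inside-global prefix that overlaps a third network at SITEA simply moves the conflict rather than solving it.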

Cheers