CISCO 6509 VLANS

par13

I have created three vlans

VLAN 100

VLAN 200

VLAN 300

The Cisco 3550s are configured with their respective VLANs 100, 200 and 300.

As soon as I plug the switch into the fiber module, I notice the switch has been added to the proper VLAN. I have executed the command sh vlan 100, and it shows the switches configured for VLAN 100. The same for VLAN 200 and 300.

However, I notice some switches were added to the wrong VLANs. Is there a command or configuration I am doing that is causing this issue?

Thanks

97 Replies

I was trying the ping command not from the switches but from inside the router itself.

Hi Pedro,

I am trying to troubleshoot this in a systematic way, starting from OSI layer 1 and working up. When you tell me ping is not working, it doesn't really help me determine the root cause.

Regards,

jerry

Hi Jerry,

I got it, the VLAN was missing in the CatOS.

Now, I'm not sure if the WAP client VLANs need to be configured in just the switches, or in the APs and the switches too.

Hi Pedro,

I don't know the wireless piece of it. The wireless forum should be able to give you some direction.

Regards,

jerry

Hi Jerry,

Can you provide guidance on connecting a Cisco 6509 to a Sidewinder firewall?

The firewall is located in front of the Cisco 6509.

The firewall has two interfaces, each connected to the Cisco 6509. On the firewall ports I have configured an IP address. On the 6509, each port where the firewall is connected is in a different VLAN.

Can you provide a suggestion on how to make it work?

I read in Cisco documentation that I may need to use mac-address-table static.

Also, is the default route of the Cisco 6509 the Sidewinder firewall, or the default route of the firewall itself?

thanks

Hi Pedro,

I can't comment on the Sidewinder firewall, since I am not familiar with it.

About the static MAC entry: if the 6500 can associate the MAC and the port in the CAM table, I don't think there is a need for it. I also saw you opened another thread; maybe this question should stay in that thread instead.

Is this firewall connected to the Internet router? There is not enough information to make this suggestion.

Regards,

jerry

Jerry,

I got it to work.

The router default-network is 172.31.181.129

However, the firewall has two separate interfaces one for each internal subnet.

The static route on the firewall was pointing to two different VLANs. Apparently, the router can only communicate with a single default route.

At this time, I'm only concerned with security issues.

I need to make sure the VLANs do not cross over. I want to be able to manage subnet addresses and such from inside the firewall and not the router.

How can I deny a VLAN from talking to another VLAN inside the router?

Thanks

Hi Pedro,

You can do it with an ACL.

Regards,

jerry

Do you think this is going to work?

access-list 199 deny ip 146.186.50.0 0.0.0.255 146.186.27.0 0.0.0.255
access-list 199 permit ip any any

interface vlan 401 (note: this vlan holds 146.186.27.0)
 ip address 146.186.50.x 255.255.255.0
 ip access-group 199 in

Hi Pedro,

It should. You need to test it and make sure that is the result you want.

Regards,

jerry

Jerry,

What is the purpose of Loopback0?

Another thing... I tried using ip access-group (list number) to set permissions on the int vlan; however, it is not working. The VLANs still have access to each other.

Purpose of loopback0? It depends; different people use it for different things. For example, OSPF can use it as the router-id. Some people use loopback0 as the IP address for the device. The reason to use a loopback is that it will not go down.

So, let's do this as an example: VLAN100 should not talk to VLAN200, but VLAN100 can talk to the rest of the world:

int vlan 100
 ip address 10.10.100.1 255.255.255.0
 ip access-group 199 in

int vlan 200
 ip address 10.10.200.1 255.255.255.0
 ip access-group 188 in

access-list 199 deny ip 10.10.100.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 199 perm ip any any
access-list 188 deny ip 10.10.200.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 188 perm ip any any

Regards,

jerry

Jerry,

I tried the access-list and it works! Thanks

Now, this is what I'd like to do...

Let's pretend the following subnets:

146.186.27.0 should have access to every other network, with the exception of a subnet or host that I do not want to have access to the 146.186.27.0 subnet.

From 146.186.50.0, only one host should have access to 146.186.27.0.

And, let's say we have a group of VPN users coming in on subnet 172.28.3.0/24; they should have access to a couple of hosts in the 146.186.27.0/24 subnet.

How would you do this?

thanks

Ok, so let's say I have been using a static route between my firewall and the router.

The static route goes from an IP address on the firewall to an IP address in one of the VLANs on the router.

But, if I understood correctly, loopback0 can be used as the next hop between the firewall and the router.

If this is true, how is it configured:

IP address... etc.

Last question: I have seen some of my friends using MAC addresses on the VLAN interfaces.

How does this enhance security on the network?

Do I create my own MAC address between the Cisco 3550s and the VLANs at the router?

thanks

1) You are trying to create a complicated security policy with ACLs, and it is not very efficient to do it in the router. This kind of policy should be done with a firewall. Just a couple of points to remember: you should build it with the most specific match at the top and the least specific at the bottom.

2) Just point the next hop of the firewall to the loopback IP address. However, since the loopback is not a directly connected interface's IP address, you will need an additional ip route statement to make this work, like:

ip route x.x.loopback.1 255.255.255.0 x.x.x.2
ip route y.y.y.0 255.255.255.0 x.x.loopback.1

However, I don't really see any benefit to it.

3) I don't understand what you are trying to accomplish with what you are describing for the MAC address.

Regards,

jerry
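An added example, not part of the thread and not Cisco's code: a small Python model of how IOS evaluates a numbered extended ACL (top-down, first match wins, implicit deny ip any any at the end, inverted wildcard masks). It is used here to check jerry's VLAN100/VLAN200 example above and the 146.186.x policy Pedro asks about, and to show what point 1's ordering rule means in practice. Everything not given in the thread is an assumption: the one permitted host in 146.186.50.0/24 is taken as 146.186.50.10, the two VPN-reachable hosts as 146.186.27.5 and 146.186.27.6, and ACL numbers 150 and 160 are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Added example; hosts .10, .5 and .6 and ACL numbers 150/160 are assumptions.

@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    src: str        # base address
    src_wild: str   # wildcard mask: a set bit means "don't care"
    dst: str
    dst_wild: str

def _care_bits(wildcard: str) -> int:
    return ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit that is 0 in the wildcard."""
    care = _care_bits(wildcard)
    return (int(ipaddress.IPv4Address(addr)) & care
            == int(ipaddress.IPv4Address(base)) & care)

def _addr_spec(t: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse numbered 'access-list N permit|deny ip SRC DST' lines in order."""
    acl = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        action = {"permit": "permit", "perm": "permit", "deny": "deny"}[t[2]]
        src, sw, i = _addr_spec(t, 4)
        dst, dw, _ = _addr_spec(t, i)
        acl.append(Ace(action, src, sw, dst, dw))
    return acl

def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """Top-down first match; no match means IOS's implicit 'deny ip any any'."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wild) and \
           wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"

def _covers(base_i: str, wild_i: str, base_j: str, wild_j: str) -> bool:
    """Every address matched by (base_j, wild_j) also matches (base_i, wild_i)."""
    if int(ipaddress.IPv4Address(wild_j)) & _care_bits(wild_i):
        return False  # j leaves free a bit that i pins down
    return wildcard_match(base_j, base_i, wild_i)

def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indexes of ACEs wholly covered by one earlier ACE, so they never match:
    the result of putting a specific entry below a more general one."""
    return [j for j, later in enumerate(acl)
            if any(_covers(e.src, e.src_wild, later.src, later.src_wild) and
                   _covers(e.dst, e.dst_wild, later.dst, later.dst_wild)
                   for e in acl[:j])]

# jerry's example: ACL 199 inbound on int vlan 100 stops VLAN100 from reaching
# VLAN200 but lets it reach everything else (188 is the mirror image).
ACL_199 = parse_acl([
    "access-list 199 deny ip 10.10.100.0 0.0.0.255 10.10.200.0 0.0.0.255",
    "access-list 199 perm ip any any",
])

# Pedro's follow-up: one host (assumed .10) in 146.186.50.0/24 may reach
# 146.186.27.0/24, the rest of the subnet may not; inbound on the 50.0 SVI.
ACL_150_VLAN50_IN = parse_acl([
    "access-list 150 permit ip host 146.186.50.10 146.186.27.0 0.0.0.255",
    "access-list 150 deny ip 146.186.50.0 0.0.0.255 146.186.27.0 0.0.0.255",
    "access-list 150 permit ip any any",
])

# The same entries with the subnet deny on top: the host permit is shadowed.
ACL_150_MISORDERED = [ACL_150_VLAN50_IN[1], ACL_150_VLAN50_IN[0], ACL_150_VLAN50_IN[2]]

# VPN users on 172.28.3.0/24 reach two hosts (assumed .5 and .6) in
# 146.186.27.0/24 and nothing else there; inbound where the VPN pool enters.
ACL_160_VPN_IN = parse_acl([
    "access-list 160 permit ip 172.28.3.0 0.0.0.255 host 146.186.27.5",
    "access-list 160 permit ip 172.28.3.0 0.0.0.255 host 146.186.27.6",
    "access-list 160 deny ip 172.28.3.0 0.0.0.255 146.186.27.0 0.0.0.255",
    "access-list 160 permit ip any any",
])
```

Two things the model reflects that the thread does not spell out: an ACL applied with ip access-group ... in on an SVI only sees routed traffic entering the 6509 from that VLAN, so two hosts in the same VLAN are never filtered by it, and the implicit deny means a list made only of deny entries blocks everything, including the traffic you meant to keep. On the box, show access-lists prints a hit count per entry; a shadowed entry is the one whose counter never moves.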

From what I have read in Cisco literature, there is an option to add a MAC address at the interface which prevents any spoofing.
