Thanks for the replies.
Great answers!!
I forgot the sw will take actions based on VLAN ID :-). I was thinking of
"mac address" all the time.
On Tue, Feb 8, 2011 at 3:10 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> On any decent(*) switch, CAM tables are per vlan.
> So no, it cannot pass the FW (or else, my first point
> would have worked, i.e., you would be able to talk between
> different VLANs).
>
> -Carlos
> P.S.
> AFAIK, all current Cisco switches are decent in this sense,
> but it was not always like that :) Old 1900s would have
> VLAN jumping because of a single CAM table.
>
> imran ali @ 08/02/2011 08:51 -0300 dixit:
>
>> Thanks Carlos
>>
>> Great answer.
>>
>> Can you kindly explain this?
>>
>> --> When PC B (VLAN 2) sends any traffic to PC A (VLAN 1), the switch
>> records the MAC address in its CAM table.
>>
>> When PC A sends any unicast traffic to PC B, it will be sent directly to
>> the port connected to PC B and not to the FW. The SW will end up sending
>> traffic to the port connected to PC B directly, as it has learned the MAC
>> address from that port.
>>
>> Thus bypassing the FW??
>>
>>
>> On Tue, Feb 8, 2011 at 2:19 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
>>
>> Picture this:
>>
>> 1) Have a switch with 2 vlans, some hosts connected at vlan A and some
>> at vlan B. This is all that there is.
>>
>> Q: Can a host from vlan A talk to a host from vlan B?
>> A: No!
>> (Do not follow if you do not agree)
>>
>> 2) Now get a cable (i.e. a cross patch), put one end on a vlan A port,
>> and the other at a vlan B port.
>>
>> Q: Can a host from vlan A talk to a host from vlan B?
>> A: Yes!
>> (Do not follow if you do not agree)
>>
>> 3) Now replace the cable with an intelligent switch, that decides
>> packet by packet if it will let it go from one port to the other.
>> (e.g. an ASA in transparent mode)
>>
>> You can call vlan A the "inside", vlan B the "outside" and the ASA
>> is "the only door" to go from one side to the other.
>>
>> -Carlos
>>
>> imran ali @ 08/02/2011 05:31 -0300 dixit:
>>
>> Hi group,
>>
>> Access PCs and servers are having IP addresses from the same
>> subnet, i.e. they
>> are sharing the same broadcast domain.
>>
>> Now I need to implement a transparent mode ASA firewall.
>>
>> But on the switch I need to define two different VLANs, one for
>> access PCs and
>> one for servers. Just want to know the logic behind this.
>>
>> Thanks
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>> --
>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
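To make the per-VLAN CAM point concrete, here is an added Python model of the switch's MAC learning (my own example, not code from the thread): a two-VLAN switch with PC A on port 1 (VLAN 1), PC B on port 2 (VLAN 2) and the transparent ASA on ports 3 (inside, VLAN 1) and 4 (outside, VLAN 2); port numbers and MAC addresses are constructed. With a per-VLAN table, PC A's unicast to PC B can only reach the ASA's inside port, while the single-table behaviour Carlos describes for old switches hands it straight to PC B's port.

```python
"""Model of MAC learning on a switch with two VLANs that are joined only
by a transparent firewall (constructed example, not from the thread)."""

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    def __init__(self, port_vlan, per_vlan_cam=True):
        self.port_vlan = port_vlan        # access port -> VLAN id
        self.per_vlan_cam = per_vlan_cam  # False models the old single-table behaviour
        self.cam = {}                     # (vlan, mac) or mac -> port

    def _key(self, vlan, mac):
        return (vlan, mac) if self.per_vlan_cam else mac

    def forward(self, in_port, src, dst):
        """Learn src on in_port, return the list of egress ports for dst."""
        vlan = self.port_vlan[in_port]
        self.cam[self._key(vlan, src)] = in_port
        out = None if dst == BROADCAST else self.cam.get(self._key(vlan, dst))
        if out is not None:
            return [out]
        # unknown unicast or broadcast: flood the ingress VLAN only
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)

# Constructed topology: PC A on port 1 (VLAN 1), PC B on port 2 (VLAN 2),
# ASA inside on port 3 (VLAN 1), ASA outside on port 4 (VLAN 2).
PORTS = {1: 1, 2: 2, 3: 1, 4: 2}
PC_A, PC_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed MACs

def reply_path(per_vlan_cam):
    sw = Switch(PORTS, per_vlan_cam)
    sw.forward(2, PC_B, BROADCAST)      # PC B sends e.g. an ARP request, learned on port 2
    return sw.forward(1, PC_A, PC_B)    # PC A then sends unicast to PC B

def reply_after_bridging(per_vlan_cam):
    sw = Switch(PORTS, per_vlan_cam)
    sw.forward(2, PC_B, PC_A)           # B -> A enters the switch on port 2 (VLAN 2)
    sw.forward(3, PC_B, PC_A)           # the ASA bridges it into VLAN 1 on port 3
    return sw.forward(1, PC_A, PC_B)    # A replies; in VLAN 1, B was learned on the ASA port

if __name__ == "__main__":
    print("per-VLAN CAM, A->B:", reply_path(True))        # [3]: flooded to the ASA inside port
    print("single CAM,   A->B:", reply_path(False))       # [2]: delivered straight to PC B
    print("per-VLAN CAM after bridging:", reply_after_bridging(True))  # [3]
```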
Received on Tue Feb 08 2011 - 15:13:41 ART
This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:49 ART