This output makes it clear:
Sw#show mac-address-table
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
c202.0928.0000          Self          1     Vlan1
c200.0928.0000          Dynamic      10     FastEthernet1/1
c201.0928.0000          Dynamic      20     FastEthernet1/2
c201.0928.0000          Dynamic      10     FastEthernet1/3
c200.0928.0000          Dynamic      20     FastEthernet1/4
As you can see, the same MAC address is present in both VLANs.
On Tue, Feb 8, 2011 at 3:13 PM, imran ali <immrccie_at_gmail.com> wrote:
> Thanks for the replies.
> Great answers!!
> I forgot the switch will take actions based on VLAN ID :-). I was thinking of
> "MAC address" all the time.
>
>
> On Tue, Feb 8, 2011 at 3:10 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
>
>> On any decent(*) switch, CAM tables are per vlan.
>> So no, it cannot pass the FW (or else my first point
>> would have worked, i.e., you would be able to talk between
>> different VLANs).
>>
>> -Carlos
>> P.S.
>> AFAIK, all current Cisco switches are decent in this sense,
>> but it was not always like that :) Old 1900s would have
>> VLAN jumping because of a single CAM table.
>>
>> imran ali @ 08/02/2011 08:51 -0300 dixit:
>>
>>> Thanks Carlos
>>>
>>> Great answer.
>>>
>>> Can you kindly explain this?
>>>
>>> --> When PC B (VLAN 2) sends any traffic to PC A (VLAN 1), the switch
>>> records the MAC address in its CAM table.
>>>
>>> When PC A sends any unicast traffic to PC B, it will be sent directly to
>>> the port connected to PC B and not to the FW. The SW will end up sending traffic
>>> to the port connected to PC B directly, as it has learned the MAC address from
>>> that port.
>>>
>>> Thus bypassing the FW??
>>>
>>>
>>> On Tue, Feb 8, 2011 at 2:19 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
>>>
>>>    Picture this:
>>>
>>>    1) Have a switch with 2 vlans, some hosts connected at vlan A and some
>>>    at vlan B. This is all that there is.
>>>
>>>    Q: Can a host from vlan A talk to a host from vlan B ?
>>>    A: No!
>>>    (Do not follow if you do not agree)
>>>
>>>    2) Now get a cable (i.e. a cross patch), put one end on a vlan A port,
>>>    and the other at a vlan B port.
>>>
>>>    Q: Can a host from vlan A talk to a host from vlan B ?
>>>    A: Yes!
>>>    (Do not follow if you do not agree)
>>>
>>>    3) Now replace the cable with an intelligent switch, that decides
>>>    packet by packet if it will let it go from one port to the other.
>>>    (e.g. an ASA in transparent mode)
>>>
>>>    You can call vlan A the "inside", vlan B the "outside" and the ASA
>>>    is "the only door" to go from one side to the other.
>>>
>>>    -Carlos
>>>
>>>    imran ali @ 08/02/2011 05:31 -0300 dixit:
>>>
>>>        Hi group,
>>>
>>>        Access PCs and servers have IP addresses from the same
>>>        subnet, i.e. they are sharing the same broadcast domain.
>>>
>>>        Now I need to implement a transparent mode ASA firewall.
>>>
>>>        But on the switch I need to define two different VLANs, one for
>>>        access PCs and one for servers. I just want to know the logic
>>>        behind this.
>>>
>>>        Thanks
>>>
>>>
>>>        Blogs and organic groups at http://www.ccie.net
>>>
>>>
>>>  _______________________________________________________________________
>>>        Subscription information may be found at:
>>>        http://www.groupstudy.com/list/CCIELab.html
>>>
>>>    --
>>>    Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
>>>
>>>
>>>
>> --
>> Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
Received on Tue Feb 08 2011 - 15:23:04 ART
This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:49 ART
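
The per-VLAN CAM behaviour discussed in this thread, as an added example that is not part of the original messages: a toy Python model of a switch whose table is keyed by (VLAN, MAC), with a transparent firewall bridging FastEthernet1/3 and FastEthernet1/4. The MACs, VLANs and ports mirror the output quoted at the top; the port roles, the permit-all firewall and all function names are assumptions.

```python
# Added example: toy switch whose CAM table is keyed by (VLAN, MAC).
# MACs, VLANs and ports mirror the quoted output; port roles, the
# permit-all firewall and every name below are assumptions.
FA = "FastEthernet1/"
PORT_VLAN = {FA + "1": 10, FA + "2": 20, FA + "3": 10, FA + "4": 20}
FW_BRIDGE = {FA + "3": FA + "4", FA + "4": FA + "3"}  # transparent firewall legs
PC_A = ("c200.0928.0000", FA + "1")  # host in VLAN 10
PC_B = ("c201.0928.0000", FA + "2")  # host in VLAN 20


def send(cam, src, dst, in_port, path=None):
    """Switch one frame and return the egress ports it takes, in order."""
    path = [] if path is None else path
    vlan = PORT_VLAN[in_port]
    cam[(vlan, src)] = in_port            # learning is per (VLAN, MAC)
    out = cam.get((vlan, dst))            # lookup is confined to the ingress VLAN
    if out is None:                       # unknown unicast: flood inside the VLAN
        egress = [p for p, v in PORT_VLAN.items() if v == vlan and p != in_port]
    else:                                 # known: one port, never the ingress port
        egress = [out] if out != in_port else []
    for port in egress:
        path.append(port)
        if port in FW_BRIDGE:             # firewall permits, re-injects on other leg
            send(cam, src, dst, FW_BRIDGE[port], path)
    return path


def demo():
    """A -> B, B -> A, then A -> B again once every entry is learned."""
    cam = {}
    first = send(cam, PC_A[0], PC_B[0], PC_A[1])
    reply = send(cam, PC_B[0], PC_A[0], PC_B[1])
    later = send(cam, PC_A[0], PC_B[0], PC_A[1])
    return cam, first, reply, later


if __name__ == "__main__":
    cam, first, reply, later = demo()
    for (vlan, mac), port in sorted(cam.items()):
        print(f"{mac}  Dynamic  {vlan:>4}  {port}")
    print("A->B (learned):", " -> ".join(later))
```

Because the VLAN 10 lookup for PC B's MAC can only return a VLAN 10 port, the learned path from PC A always leaves through the firewall leg first and never goes straight to PC B's port.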