Re: VLAN question [7:32626]

2002-01-20 Thread George Murphy CCNP/DP

Nabil, in my opinion it would not be to any advantage. Seems like more 
administrative overhead to keep up with.

[EMAIL PROTECTED] wrote:

Greetings all,

Just for clarification purposes, are there any advantages/disadvantages
or a specific purpose to change the mtu size for a vlan(Ethernet Vlans)?
I looked everywhere on Cisco's page, no luck.

Thanks..Nabil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=32631t=32626
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: VLAN question [7:32626]

2002-01-20 Thread smittyme

Unless you have a very specific need for it, I would not waste the time


 wrote in message news:[EMAIL PROTECTED]...
 Greetings all,

 Just for clarification purposes, are there any advantages/disadvantages
 or a specific purpose to change the mtu size for a vlan(Ethernet Vlans)?
 I looked everywhere on Cisco's page, no luck.

 Thanks..Nabil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=32643t=32626



Re: Vlan Question [7:4038]

2001-05-10 Thread simonis

Brad Shifflett wrote:
 
 The user is a very high political figure who is real cautious about security
 and paranoid. I like the idea of a separate nic in the server and two
 subnets. The cost of switches could be a deciding factor. Thanks for the
 input guys!



I hope he doesn't figure out that if the server gets compromised, 
he may be compromised along with it...  =)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=4038t=4038



Re: Vlan Question [7:4038]

2001-05-10 Thread Howard C. Berkowitz

Brad Shifflett wrote:

  The user is a very high political figure who is real cautious about security
  and paranoid. I like the idea of a separate nic in the server and two
  subnets. The cost of switches could be a deciding factor. Thanks for the
  input guys!



I hope he doesn't figure out that if the server gets compromised,
he may be compromised along with it...  =)



It rather puzzles me how much emphasis the paranoid put on physical 
protection, yet don't seem to consider end-to-end encryption.

Some of the military security guidelines do insist on physically 
separate switches, patch panels, etc.  Remember, though, that they 
may have defined their environments for situations where the 
operators may have the minor distractions of being shot at.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=4050t=4038



Re: Vlan Question

2001-03-23 Thread The.Rock

LOL... can you say obsessive compulsive

Maybe he was into security but not a DRA plan one without the other
doesn't do much good.

"Howard C. Berkowitz" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 At 03:01 PM 3/22/2001 -0800, you wrote:
 The user is a very high political figure who is real cautious about security
 and paranoid. I like the idea of a separate nic in the server and two
 subnets. The cost of switches could be a deciding factor. Thanks for the
 input guys!
 
 Brad

 It's scary to find someone that's paranoid and demanding about security,
 yet doesn't want to pay for it.  I'd like to assume that such a person, of
 course, has done everything they should about making their host secure, including
 encrypting the sensitive files, rather than just obsessing about the network.

 Of course, I've also had a customer that insisted on being BGP multihomed
 to two providers, connected to one provider at two sites and having
 redundant SONET local loops at one of the sites, yet only had one physical
 server. Yes, they had a tape backup on the server.  No, they had no spare
 machine to which they could restore the tape.





RE: Vlan Question

2001-03-22 Thread Leigh Anne Chisholm

Why wouldn't you just put the one person on a different subnet and then use
ACL's to control traffic flow?  What will deploying VLANs get you that
subnetting wouldn't?

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Brad Shifflett
 Sent: March 22, 2001 9:27 AM
 To: Groupstudy (E-mail)
 Subject: Vlan Question


 Scenario:
   Got a client who has a person on the network that does not want to
 be on the network but wants access to the server. My thought was to install
 a switch, setup two Vlans, one for all the users (10 or so) and the second
 Vlan for the 1 user by himself. This way no one can get to his machine, then
 setup an access list to permit his Vlan to access the first Vlan and deny
 all the other users to his Vlan. Does this sound right? Anything I am
 missing? Seeing if I understand Vlans correctly or not.

 Brad Shifflett
 [EMAIL PROTECTED]
 Micromenders, Inc.





Re: Vlan Question

2001-03-22 Thread ciscosis

Brad

I expect you know - but you must have a layer3 device (router) between the
two Vlans; you can then apply access lists to the vlan interfaces on the router.
What about dual NIC's in the server, one connected to the Lan the other to
the single user? It would be a lot cheaper; just don't allow the cards on
the same network and don't let them forward (route) between each other.

hope that's of some help


- Original Message -
From: "Brad Shifflett" [EMAIL PROTECTED]
To: "Groupstudy (E-mail)" [EMAIL PROTECTED]
Sent: Thursday, March 22, 2001 4:26 PM
Subject: Vlan Question


 Scenario:
 Got a client who has a person on the network that does not want to
 be on the network but wants access to the server. My thought was to install
 a switch, setup two Vlans, one for all the users (10 or so) and the second
 Vlan for the 1 user by himself. This way no one can get to his machine, then
 setup an access list to permit his Vlan to access the first Vlan and deny
 all the other users to his Vlan. Does this sound right? Anything I am
 missing? Seeing if I understand Vlans correctly or not.

 Brad Shifflett
 [EMAIL PROTECTED]
 Micromenders, Inc.
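
The design discussed in this message (a layer 3 device between the two VLANs, with access lists on its VLAN interfaces), sketched as a Cisco IOS router-on-a-stick configuration. This is an added example, not part of any poster's message; the interface name, VLAN IDs, subnets and ACL name are assumptions.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   VLAN 10 = general users and the server, 192.168.10.0/24
!   VLAN 20 = the single isolated user,     192.168.20.0/24
! The router is trunked to the switch on FastEthernet0/0.
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 description General users and server (VLAN 10)
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 description Isolated user (VLAN 20)
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group TO-VLAN20 out
!
! The ACL is applied outbound on the VLAN 20 subinterface, so it filters
! everything the router would forward toward the isolated user.
! IOS ACLs are stateless: a plain "deny VLAN 10" entry would also drop the
! server's replies to sessions the isolated user opened himself.
! "established" matches only TCP segments with ACK or RST set, which admits
! those replies but not new connections initiated from VLAN 10.
!
ip access-list extended TO-VLAN20
 remark Replies to TCP sessions opened from VLAN 20
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 established
 remark ICMP needed for ping replies and path MTU discovery
 permit icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 echo-reply
 permit icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 unreachable
 remark Everything else toward VLAN 20 is dropped and logged
 deny ip any any log
```

The `established` keyword only inspects TCP flags, so UDP-based services get no return path through this list. The filter also does nothing for data once it sits on the shared server, which is the host-level security point raised elsewhere in the thread.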





Re: Vlan Question

2001-03-22 Thread Howard C. Berkowitz

At 08:26 AM 3/22/2001 -0800, you wrote:
Scenario:
 Got a client who has a person on the network that does not want to
be on the network but wants access to the server.

I'm somewhat confused. First, if he is somehow hidden, how does the server
send back to the client?

Second, if he is on one VLAN/subnet and the server is on another,
sounds like a fairly basic routing application.  Another would be to
have a VLAN-aware NIC on the server.

Without further information, this sounds like a user whim rather than
a real requirement.  There's a flavor of the user wanting security
by obscurity.

My thought was to install
a switch, setup two Vlans, one for all the users (10 or so) and the second
Vlan for the 1 user by himself. This way no one can get to his machine, then
setup an access list to permit his Vlan to access the first Vlan and deny
all the other users to his Vlan. Does this sound right? Anything I am
missing? Seeing if I understand Vlans correctly or not.

Brad Shifflett
[EMAIL PROTECTED]
Micromenders, Inc.





Re: Vlan Question

2001-03-22 Thread The.Rock

Well, he could be wanting to isolate consultants to their own VLAN but have
a need to update files on the server. In our case we have auditors come in
from time to time and so we don't want them in with the rest of the world so
we isolate them in their own VLAN and then setup an access list. They are
only here temporary. So I could see how this is a legit question.

"Howard C. Berkowitz" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 At 08:26 AM 3/22/2001 -0800, you wrote:
 Scenario:
  Got a client who has a person on the network that does not want to
 be on the network but wants access to the server.

 I'm somewhat confused. First, if he is somehow hidden, how does the server
 send back to the client?

 Second, if he is on one VLAN/subnet and the server is on another,
 sounds like a fairly basic routing application.  Another would be to
 have a VLAN-aware NIC on the server.

 Without further information, this sounds like a user whim rather than
 a real requirement.  There's a flavor of the user wanting security
 by obscurity.

 My thought was to install
 a switch, setup two Vlans, one for all the users (10 or so) and the second
 Vlan for the 1 user by himself. This way no one can get to his machine, then
 setup an access list to permit his Vlan to access the first Vlan and deny
 all the other users to his Vlan. Does this sound right? Anything I am
 missing? Seeing if I understand Vlans correctly or not.
 
 Brad Shifflett
 [EMAIL PROTECTED]
 Micromenders, Inc.
 
 



Re: Vlan Question

2001-03-22 Thread Howard C. Berkowitz

At 02:01 PM 3/22/2001 -0600, you wrote:
Well, he could be wanting to isolate consultants to their own VLAN but have
a need to update files on the server. In our case we have auditors come in
from time to time and so we don't want them in with the rest of the world so
we isolate them in their own VLAN and then setup an access list. They are
only here temporary. So I could see how this is a legit question.

but if the server isn't on the same VLAN, how do they get to it?  How does
it get to them?

Routing between VLANs, and VLAN-aware NICs, are pretty much the
only alternatives.  VLANs were introduced to isolate groups, but there's
nothing magical about them.

If there is sensitive data around, you also want host-level security.







RE: Vlan Question

2001-03-22 Thread Brad Shifflett

The user is a very high political figure who is real cautious about security
and paranoid. I like the idea of a separate nic in the server and two
subnets. The cost of switches could be a deciding factor. Thanks for the
input guys!

Brad


-Original Message-
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 22, 2001 12:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Vlan Question


At 02:01 PM 3/22/2001 -0600, you wrote:
Well, he could be wanting to isolate consultants to their own VLAN but have
a need to update files on the server. In our case we have auditors come in
from time to time and so we don't want them in with the rest of the world so
we isolate them in their own VLAN and then setup an access list. They are
only here temporary. So I could see how this is a legit question.

but if the server isn't on the same VLAN, how do they get to it?  How does
it get to them?

Routing between VLANs, and VLAN-aware NICs, are pretty much the
only alternatives.  VLANs were introduced to isolate groups, but there's
nothing magical about them.

If there is sensitive data around, you also want host-level security.







RE: Vlan Question

2001-03-22 Thread Howard C. Berkowitz

At 03:01 PM 3/22/2001 -0800, you wrote:
The user is a very high political figure who is real cautious about security
and paranoid. I like the idea of a separate nic in the server and two
subnets. The cost of switches could be a deciding factor. Thanks for the
input guys!

Brad

It's scary to find someone that's paranoid and demanding about security,
yet doesn't want to pay for it.  I'd like to assume that such a person, of
course, has done everything they should about making their host secure, including
encrypting the sensitive files, rather than just obsessing about the network.

Of course, I've also had a customer that insisted on being BGP multihomed
to two providers, connected to one provider at two sites and having
redundant SONET local loops at one of the sites, yet only had one physical
server. Yes, they had a tape backup on the server.  No, they had no spare
machine to which they could restore the tape.





Re: VLAN question

2001-02-22 Thread Bradley J. Wilson

The only solution that jumps to my mind is remote bridging - the following
links will give you some basic info about it:

http://www.cisco.com/warp/public/701/37.html
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/bridging.htm

There's no mention of how VLANs work over a WAN link, though.

Good luck -

Bradley J. Wilson
CCNP, CCDA, MCSE, CNX, NNCSS, MCT, CTT


- Original Message -
From: Shane Stockman
To: [EMAIL PROTECTED]
Sent: Thursday, February 22, 2001 12:22 PM
Subject: VLAN question


I will just like to enquire whether it is possible to have a VLAN split over
2 lans divided by a point-to-point Frame-relay wan.

VLAN 50    4MEG WAN    VLAN 50

At both LANs there is Vlan50


Is this possible ?
Any suggestions on implementations would be appreciated and possible
problems to avoid

Thanks



RE: VLAN question

2001-02-22 Thread Brant Stevens

Yes, you could do this with IRB, but why would you want to?  This seems like
it would be more trouble than it's worth...  Is there a specific application
that you are using that requires one broadcast domain?  If so, you need to
get rid of it!  :)


Brant I. Stevens
Internetwork Solutions Engineer
Thrupoint, Inc.
545 Fifth Avenue, 14th Floor
New York, NY. 10017
646-562-6540

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Shane Stockman
Sent: Thursday, February 22, 2001 7:23 AM
To: [EMAIL PROTECTED]
Subject: VLAN question


I will just like to enquire whether it is possible to have a VLAN split over
2 lans divided by a point-to-point Frame-relay wan.

VLAN 50    4MEG WAN    VLAN 50

At both LANs there is Vlan50


Is this possible ?
Any suggestions on implementations would be appreciated and possible
problems to avoid

Thanks