CLEANACCESS Archives

August 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
"Nagle, Benjamin D" <[log in to unmask]>
Reply To:
Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date:
Mon, 21 Aug 2006 08:19:30 -0400
Content-Type:
text/plain
Did you check to make sure that the user role UNAUTHENTICATED doesn't
have an ALLOW IP ANY/ANY in it?  I made that mistake once!

Ben
 

> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List 
> [mailto:[log in to unmask]] On Behalf Of Don Click
> Sent: Monday, August 21, 2006 7:47 AM
> To: [log in to unmask]
> Subject: Re: OOB VG problem
> 
> While my NICs share the same IP, they are using different
> native VLANs.  I also find it as you describe..
> 
> ________________________________
> 
> From: Perfigo SecureSmart and CleanMachines Discussion List 
> on behalf of Ken Nelson
> Sent: Sat 8/19/2006 10:36 AM
> To: [log in to unmask]
> Subject: Re: OOB VG problem
> 
> 
> 
> When I talked to TAC on my OOB VGW problem way back, one of
> the things they had me do was change the trusted and
> untrusted interfaces on the CAS to be on different unused
> VLANs.  Either they have to be different or TAC just wanted
> to make sure.  I know the VGW setup shows them the same, but
> I rarely find Cisco docs to be 100% accurate.  They always
> leave out some little detail or show a picture of one thing
> but the explanation shows another.
> 
> Ken Nelson
> Network Manager
> Marietta College
> 
> 
> Don Click wrote:
> > Yes, in a VG, you can have the same IP on both network cards.
> >
> >
> > -----Original Message-----
> > From: Perfigo SecureSmart and CleanMachines Discussion List 
> > [mailto:[log in to unmask]] On Behalf Of Simon Bell
> > Sent: Friday, August 18, 2006 3:46 PM
> > To: [log in to unmask]
> > Subject: Re: OOB VG problem
> >
> > I'm not sure if that's a typo or my unfamiliarity with VG, but is your
> > trusted and untrusted supposed to have the same IP?
> >
> >  
> > From:         Don Click <[log in to unmask]>
> > To:   <[log in to unmask]>
> > Date:         8/18/2006 3:56 PM
> > Subject:      Re: OOB VG problem
> >
> > Hmm, this is getting me thinking.. I'm *STILL* not working in an OOB,
> > VGW setup.  I'll try to describe my setup for you guys to pick over:
> >
> > CAM:
> > 10.223.4.246 (Vlan 4)
> >
> >
> > CAS: 10.223.250.100 (VLAN 250)
> > NETWORK TAB:
> > Out of Band Virtual Gateway
> > Trusted:
> > IP:  10.223.250.100
> > Sub: 255.255.255.0
> > Gate: 10.223.250.100
> > Set Management VLAN ID = <none aka UNCHECKED>
> > 
> > Untrusted:
> > IP:  10.223.250.100
> > Sub: 255.255.255.0
> > Gate: 10.223.250.100
> > DHCP Passthrough
> > 
> > ADVANCED TAB:
> > MANAGED SUBNETS:
> > 10.223.250.100/255.255.255.0  Main Subnet  Vlan -1
> > 10.223.5.249/255.255.255.0    DIS Subnet   Vlan 510
> >
> > 
> > VLAN MAPPING:
> > 510/5
> >
> >
> > 6509 CONFIG:  (CatOS)
> > CLEAN INTERFACE:
> >  description CAServer2-ETHO
> >  clear trunk 8/8  1-4,6-249,251-1025
> >  set trunk 8/8  on dot1q 5,250,1026-4094
> > 
> > DIRTY INTERFACE:
> >  description CAServer2-ETH1
> >  clear trunk 8/10 1-509,511-4094
> >  set trunk 8/10 on dot1q 510
> >
> > Now - I *ALSO* have a MSFC in this 6509 that is the location of the 
> > default gateway (10.223.5.252).
> >
> >
> > My issue - ALL traffic passes - nothing is blocked if you are not
> > logged in or authenticated.. (Unauthenticated users have full access.)
> >
> > -----Original Message-----
> > From: Perfigo SecureSmart and CleanMachines Discussion List 
> > [mailto:[log in to unmask]] On Behalf Of Nagle, Benjamin D
> > Sent: Friday, August 18, 2006 2:13 PM
> > To: [log in to unmask]
> > Subject: Re: OOB VG problem
> >
> > Changing the managed subnets didn't work, but what it appears to have
> > been was that the spanning-tree priority on my dirty VLAN was not set
> > properly.  After it was set to the correct priority everything started
> > working again.
> >
> > Thanks for the reply though Alok!
> >
> > Ben
> > 
> >
> >  
> >> -----Original Message-----
> >> From: Perfigo SecureSmart and CleanMachines Discussion List 
> >> [mailto:[log in to unmask]] On Behalf Of Alok Agrawal
> >> (alagrawa)
> >> Sent: Wednesday, August 16, 2006 10:30 AM
> >> To: [log in to unmask]
> >> Subject: Re: OOB VG problem
> >>
> >> Hi Ben,
> >> From your config below, it looks like VLANs 71,83 are the clean VLANs
> >> and VLANs 171,183 are the untrusted/dirty VLANs.
> >>
> >> In your Managed subnet, we have the VLANs configured as the clean
> >> VLANs.
> >> Managed subnet is for the VLANs that exist on the dirty side, hence
> >> delete the configured managed subnet and configure new managed subnets
> >> with the VLAN as vlan171 and vlan183 instead and see if that helps.
> >>
> >> Currently configured MANAGED SUBNETS:
> >>> 172.16.246.127/255.255.254.0 - Main Subnet (-1)
> >>> 10.1.8.10/255.255.255.0 TEST 1 (Vlan 71)
> >>> 10.1.10.10/255.255.255.0 TEST 2 (VLAN 83)
> >>
> >> Change this to
> >> 172.16.246.127/255.255.254.0 - Main Subnet (-1)
> >> 10.1.8.10/255.255.255.0 TEST 1 (Vlan 171)
> >> 10.1.10.10/255.255.255.0 TEST 2 (VLAN 183)
> >>
> >> regards
> >> -Alok
> >>
> 
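A check along the lines of this thread, added here as an example and not from any of the posters or from Cisco: it replays the CatOS `clear trunk` / `set trunk` lines Don posted to compute the VLANs each CAS trunk port ends up carrying, then checks that result against the 510/5 VLAN mapping and the VLAN 250 management VLAN from his CAS setup. It assumes a freshly trunked CatOS port starts with all VLANs 1-4094 allowed before the first `clear trunk`; the switch lines are copied from the thread as constructed input, and the function and variable names are the example's own.

```python
import re

# Assumption: a trunk port starts with every VLAN allowed before any `clear trunk`.
ALL_VLANS = frozenset(range(1, 4095))

# The CatOS lines posted in the thread (constructed input for this example).
SWITCH_CONFIG = """
 description CAServer2-ETHO
 clear trunk 8/8  1-4,6-249,251-1025
 set trunk 8/8  on dot1q 5,250,1026-4094
 description CAServer2-ETH1
 clear trunk 8/10 1-509,511-4094
 set trunk 8/10 on dot1q 510
"""

CLEAR_RE = re.compile(r"^\s*clear\s+trunk\s+(\S+)\s+([\d,\-]+)")
SET_RE = re.compile(
    r"^\s*set\s+trunk\s+(\S+)"
    r"(?:\s+(?:on|off|desirable|auto|nonegotiate))?"
    r"(?:\s+(?:dot1q|isl|negotiate))?"
    r"\s+([\d,\-]+)"
)


def parse_vlan_list(spec):
    """Expand a CatOS VLAN list such as '5,250,1026-4094' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def allowed_vlans(config_text):
    """Replay clear/set trunk lines in order; return {port: set of allowed VLANs}."""
    ports = {}
    for line in config_text.splitlines():
        m = CLEAR_RE.match(line)
        if m:
            # `clear trunk` removes the listed VLANs from the allowed list
            ports.setdefault(m.group(1), set(ALL_VLANS)).difference_update(
                parse_vlan_list(m.group(2)))
            continue
        m = SET_RE.match(line)
        if m:
            # `set trunk ... <vlans>` adds the listed VLANs to the allowed list
            ports.setdefault(m.group(1), set(ALL_VLANS)).update(
                parse_vlan_list(m.group(2)))
    return ports


def check_oob_vgw(ports, clean_port, dirty_port, vlan_mapping, mgmt_vlan):
    """Return a list of problems; an empty list means the trunks match the mapping.

    vlan_mapping is {dirty_vlan: clean_vlan}, e.g. {510: 5} for the thread's 510/5.
    """
    clean = ports.get(clean_port, set())
    dirty = ports.get(dirty_port, set())
    problems = []
    for d, c in vlan_mapping.items():
        if c not in clean:
            problems.append(f"clean VLAN {c} is not allowed on clean trunk {clean_port}")
        if d not in dirty:
            problems.append(f"dirty VLAN {d} is not allowed on dirty trunk {dirty_port}")
    if mgmt_vlan not in clean:
        problems.append(f"CAS management VLAN {mgmt_vlan} is not on clean trunk {clean_port}")
    overlap = clean & dirty
    if overlap:
        # the trusted and untrusted sides are meant to be distinct VLANs
        problems.append(f"VLANs {sorted(overlap)} are trunked to both CAS interfaces")
    unmapped = dirty - set(vlan_mapping)
    if unmapped:
        problems.append(f"dirty trunk {dirty_port} carries VLANs with no mapping: {sorted(unmapped)}")
    return problems


def run_thread_checks():
    """Apply the checks to the configuration posted in the thread."""
    ports = allowed_vlans(SWITCH_CONFIG)
    return check_oob_vgw(ports, "8/8", "8/10", {510: 5}, 250)


if __name__ == "__main__":
    for port, vlans in sorted(allowed_vlans(SWITCH_CONFIG).items()):
        print(port, "allows", len(vlans), "VLANs")
    print("problems:", run_thread_checks() or "none")
```

For the trunk lines as posted the check comes back clean: 8/8 ends up carrying 5, 250 and 1026-4094, and 8/10 carries only 510, which is what the 510/5 mapping expects. The CAS-side causes raised in the thread (an ALLOW IP ANY/ANY policy in the UNAUTHENTICATED role, the spanning-tree priority on the dirty VLAN) are not visible in the switch trunk lines and are not covered by this check.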
