From: Biggs, Jeff (M/CIO/BIE) (JBiggs@usaid.gov)
Date: Fri Nov 16 2007 - 13:57:03 ART
That is the point, the interfaces are both set up as access mode
interfaces:
interface FastEthernet0/0/1
description <<FW01>>
switchport access vlan 48
!
interface FastEthernet0/0/2
description <<FW02>>
switchport access vlan 48
interface Vlan48
ip address 192.168.48.1 255.255.255.0
So there is no trunking going on. There should be no vlan tagging, but
for some reason, with these etherswitch modules we are seeing vlans
getting "tagged".
13:54:41.822389 IP 11.1.11.1.www > 192.168.46.2.53081: . ack 295 win 432
13:54:41.822838 IP 11.1.11.1.www > 192.168.46.2.53081: P 1:545(544) ack 295 win 432
13:54:41.822842 IP 11.1.11.1.www > 192.168.46.2.53081: F 545:545(0) ack 295 win 432
13:54:41.829957 vlan 48, p 0, IP 192.168.46.2.53081 > 11.1.11.1.www: . ack 546 win 16378
13:54:41.830001 vlan 48, p 0, IP 192.168.46.2.53081 > 11.1.11.1.www: F 295:295(0) ack 546 win 16378
13:54:41.831561 vlan 48, p 0, IP 192.168.46.2.53082 > 11.1.11.1.www: S 417069398
Jeffrey Biggs
Sr. Network Engineer
USAID
M/CIO/BIE
240-646-5003
jbiggs@usaid.gov
From: Tarun Pahuja [mailto:pahujat@gmail.com]
Sent: Friday, November 16, 2007 11:52 AM
To: Biggs, Jeff (M/CIO/BIE)
Subject: Re: HELP on 4 port etherswitch module.
Jeff,
You want to send traffic with a Vlan tag? If that is the case,
just bundle the interfaces together and send the traffic as the native vlan.
If the interfaces are access ports then the security person should not
see any vlan tags on the traffic anyways.
HTH,
Tarun
On Nov 16, 2007 7:43 AM, Biggs, Jeff (M/CIO/BIE) <JBiggs@usaid.gov>
wrote:
But the interfaces are not trunking; they are in access mode, so why
would dot1q come into play here?
Jeffrey Biggs
Sr. Network Engineer
USAID
M/CIO/BIE
240-646-5003
jbiggs@usaid.gov
From: Tarun Pahuja [mailto:pahujat@gmail.com]
Sent: Friday, November 16, 2007 2:10 AM
To: Biggs, Jeff (M/CIO/BIE)
Cc: ccielab@groupstudy.com
Subject: Re: HELP on 4 port etherswitch module.
Ask him if the software supports dot1q trunking. If yes, send the
interesting traffic in the Native Vlan. The concept of Native vlan was
included with dot1q in the initial draft to accommodate backward
compatibility with devices that did not understand or support tagging,
hence native vlan.
HTH,
Tarun
On Nov 15, 2007 8:10 PM, Biggs, Jeff (M/CIO/BIE) <JBiggs@usaid.gov>
wrote:
I have a security person that has a tap on one of our connections that
is hanging off of one of our 4 port Etherswitch modules on a 2811. The
source side from our router is the 192.168 side of the connection. The
complaint from the security person is that they would like the "vlan
tag" removed so their tap software can group the traffic better (go
figure). I believe this is the nature of this card and that there is
nothing we can do about it, but would like to verify this with
documentation if it is out there. Anyone have any ideas?
Router config:
interface FastEthernet0/0/1
description <<FW01>>
switchport access vlan 48
!
interface FastEthernet0/0/2
description <<FW02>>
switchport access vlan 48
!
interface FastEthernet0/0/3
shutdown
!
interface Vlan1
no ip address
!
interface Vlan48
ip address 192.168.48.1 255.255.255.0
This is what the TAP is seeing:
13:54:41.822389 IP 11.1.11.1.www > 192.168.46.2.53081: . ack 295 win 432
13:54:41.822838 IP 11.1.11.1.www > 192.168.46.2.53081: P 1:545(544) ack 295 win 432
13:54:41.822842 IP 11.1.11.1.www > 192.168.46.2.53081: F 545:545(0) ack 295 win 432
13:54:41.829957 vlan 48, p 0, IP 192.168.46.2.53081 > 11.1.11.1.www: . ack 546 win 16378
13:54:41.830001 vlan 48, p 0, IP 192.168.46.2.53081 > 11.1.11.1.www: F 295:295(0) ack 546 win 16378
13:54:41.831561 vlan 48, p 0, IP 192.168.46.2.53082 > 11.1.11.1.www: S 417069398
Jeffrey Biggs
Sr. Network Engineer
USAID
M/CIO/BIE
240-646-5003
jbiggs@usaid.gov
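The tap in the message above sees one direction of the conversation carrying an 802.1Q tag ("vlan 48, p 0") and the other direction untagged, which is exactly what confuses flow grouping on the monitoring side. The following is an added example, not code from the thread or from any tap product: it decodes the 802.1Q tag (TPID 0x8100, then a 16-bit TCI holding the 3-bit priority and 12-bit VLAN ID), returns the frame with the tag cut out, and derives a tag-independent IPv4 flow key so both directions group together. The MAC addresses, IPv4 header and frames are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value announcing an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame. If it carries an 802.1Q tag, report the
    VLAN ID / priority and return a copy with the 4-byte tag removed."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"vlan": None, "pcp": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13            # 3-bit priority: tcpdump's "p 0"
        info["vlan"] = tci & 0x0FFF        # 12-bit VLAN ID: tcpdump's "vlan 48"
        info["ethertype"] = inner_type
        # Untagged copy: both MACs, inner EtherType, original payload.
        info["untagged"] = frame[:12] + frame[16:]
    else:
        info["ethertype"] = ethertype
        info["untagged"] = frame
    return info


def ipv4_flow_key(frame: bytes) -> tuple:
    """Return (src_ip, dst_ip) from the IPv4 header regardless of tagging, so
    a tagged and an untagged frame of the same connection group together."""
    untagged = parse_frame(frame)["untagged"]
    if struct.unpack("!H", untagged[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = untagged[14:34]                   # minimal 20-byte IPv4 header
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst


# Constructed sample frames (not taken from the tap output in the thread).
MACS = bytes.fromhex("001122334455" "66778899aabb")            # dst, src
IPV4_HDR = (bytes.fromhex("45000028000040004006") + b"\x00\x00"  # ..., TTL 64, TCP, csum
            + bytes([192, 168, 46, 2]) + bytes([11, 1, 11, 1]))
TAGGED = MACS + struct.pack("!HHH", TPID_8021Q, 0x0030, ETHERTYPE_IPV4) + IPV4_HDR
UNTAGGED = MACS + struct.pack("!H", ETHERTYPE_IPV4) + IPV4_HDR

if __name__ == "__main__":
    print(parse_frame(TAGGED)["vlan"], ipv4_flow_key(TAGGED))
```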
This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:30 ART