On any decent(*) switch, CAM tables are per VLAN.
So no, it cannot pass the FW (or else my first point
would have worked, i.e., you would be able to talk between
different VLANs).
-Carlos
P.S.
AFAIK, all current Cisco switches are decent in this sense,
but it was not always like that :) Old 1900s would have
VLAN jumping because of a single CAM table.
imran ali @ 08/02/2011 08:51 -0300 dixit:
> Thanks Carlos
>
> Great answer.
>
> Can you kindly explain this?
>
> --> When PC B (VLAN 2) sends any traffic to PC A (VLAN 1), the switch
> records the MAC address in its CAM table.
>
> When PC A sends any unicast traffic to PC B, it will be sent directly to
> the port connected to PC B and not to the FW. The SW will end up sending
> traffic to the port connected to PC B directly, as it has learned the MAC
> address from that port.
>
> Thus bypassing the FW??
>
>
> On Tue, Feb 8, 2011 at 2:19 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar>
> wrote:
>
> Picture this:
>
> 1) Have a switch with 2 vlans, some hosts connected at vlan A and some
> at vlan B. This is all that there is.
>
> Q: Can a host from VLAN A talk to a host from VLAN B?
> A: No!
> (Do not follow if you do not agree)
>
> 2) Now get a cable (i.e. a cross patch), put one end on a vlan A port,
> and the other at a vlan B port.
>
> Q: Can a host from VLAN A talk to a host from VLAN B?
> A: Yes!
> (Do not follow if you do not agree)
>
> 3) Now replace the cable with an intelligent switch, that decides
> packet by packet if it will let it go from one port to the other.
> (e.g. an ASA in transparent mode)
>
> You can call vlan A the "inside", vlan B the "outside" and the ASA
> is "the only door" to go from one side to the other.
>
> -Carlos
>
> imran ali @ 08/02/2011 05:31 -0300 dixit:
>
> Hi group,
>
> Access PCs and servers have IP addresses from the same subnet, i.e. they
> share the same broadcast domain.
>
> Now I need to implement a transparent-mode ASA firewall.
>
> But on the switch I need to define two different VLANs, one for access
> PCs and one for servers. I just want to know the logic behind this.
>
> Thanks
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar>
> LW7 EQI Argentina
>
>
--
Carlos G Mendioroz <tron_at_huapi.ba.ar>
LW7 EQI Argentina

Received on Tue Feb 08 2011 - 09:10:49 ART
This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:49 ART
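Carlos's point about per-VLAN CAM tables, as an added simulation that is not part of the original thread: a toy learning switch with four ports, PC A and the ASA's inside interface in VLAN 1, PC B and the ASA's outside interface in VLAN 2. The MAC addresses, port numbers and VLAN IDs are constructed for this example. Run with a single MAC-keyed table (the old 1900-style behaviour described in the P.S.), the switch sends PC A's unicast reply straight to PC B's port and the firewall is bypassed, which is exactly the case Imran asked about. Keyed by (VLAN, MAC), the lookup for PC B's MAC misses in VLAN 1, the frame floods only within VLAN 1 and so reaches the firewall's inside interface, the only door across. Once the transparent firewall has relayed a frame from PC B into VLAN 1, the switch learns PC B's MAC on the firewall's inside port for VLAN 1 and later replies go there by a learned entry rather than by flooding.

```python
"""
Learning switch with a single CAM table versus per-VLAN CAM tables.

Constructed topology (not from the original thread):
  port 1  PC A                 VLAN 1 (inside)
  port 2  PC B                 VLAN 2 (outside)
  port 3  ASA inside interface VLAN 1
  port 4  ASA outside iface    VLAN 2
"""

# Constructed MAC addresses for the two hosts.
MAC_A = "00:00:00:00:00:0a"
MAC_B = "00:00:00:00:00:0b"

# Switch port numbers and their access VLAN (constructed).
PC_A, PC_B, FW_IN, FW_OUT = 1, 2, 3, 4
PORT_VLAN = {PC_A: 1, PC_B: 2, FW_IN: 1, FW_OUT: 2}


class Switch:
    """Minimal MAC-learning switch.

    per_vlan_cam=True keys the CAM table by (vlan, mac), as a decent switch
    does.  per_vlan_cam=False keys it by mac alone, modelling the old
    single-table behaviour the thread attributes to the Catalyst 1900.
    """

    def __init__(self, port_vlan, per_vlan_cam=True):
        self.port_vlan = dict(port_vlan)
        self.per_vlan_cam = per_vlan_cam
        self.cam = {}  # key -> port

    def _key(self, vlan, mac):
        return (vlan, mac) if self.per_vlan_cam else mac

    def forward(self, in_port, src, dst):
        """Learn src on in_port, then return the egress ports for dst."""
        vlan = self.port_vlan[in_port]
        self.cam[self._key(vlan, src)] = in_port
        out = self.cam.get(self._key(vlan, dst))
        if out is None:
            # Unknown destination: flood, but only to ports in the ingress VLAN.
            return sorted(p for p, v in self.port_vlan.items()
                          if v == vlan and p != in_port)
        if out == in_port:
            # Destination lives behind the ingress port: filter the frame.
            return []
        # Known destination: unicast straight to the learned port.  With a
        # single table that port may sit in another VLAN; that is the jump.
        return [out]


def first_frame_path(per_vlan_cam):
    """Where PC B's first frame to PC A goes (flooded within VLAN 2 only)."""
    sw = Switch(PORT_VLAN, per_vlan_cam)
    return sw.forward(PC_B, MAC_B, MAC_A)


def reply_path(per_vlan_cam, fw_relayed=False):
    """PC B sends to PC A, then PC A unicasts back to PC B.

    Returns the ports the switch sends PC A's reply to.  fw_relayed=True
    models the transparent firewall having passed PC B's frame, so it
    re-enters the switch on the firewall's inside port in VLAN 1.
    """
    sw = Switch(PORT_VLAN, per_vlan_cam)
    sw.forward(PC_B, MAC_B, MAC_A)
    if fw_relayed:
        sw.forward(FW_IN, MAC_B, MAC_A)
    return sw.forward(PC_A, MAC_A, MAC_B)


if __name__ == "__main__":
    for per_vlan in (False, True):
        label = "per-VLAN CAM" if per_vlan else "single CAM  "
        print(f"{label}: B->A floods to {first_frame_path(per_vlan)}; "
              f"A->B before FW relay goes to {reply_path(per_vlan)}; "
              f"after FW relay goes to {reply_path(per_vlan, True)}")
```

Port 3 in the output is the firewall's inside interface, so a reply landing there is the path Carlos describes; port 2 is PC B's own port, the bypass Imran worried about, and it only appears with the single-table switch.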