AP point native vlan issue
Hi Guys
Lil help is appreciated as iam very new to wireles......we got ap that i configure and prob is on switch side i have native vlan as 12 which is managment vlan and BVI1 has ip from vlan 12 ....i have vlan 112 and has ssid for it and 103 and ssid which is for staff ....when i make radio 103 native and physical inetrface fa 0.1 native then staff can access internet and everything but when i make vlan 12 mangment one native it cant access anything...shouldnt native vlan has to be same....also vlan 112 host cannot connect at all.... vlan 103 radius server is 10.201.9.92 and configured correctly but staff in vlan 103 connect only when i make its radio interface to native not physicall fa 0 and starnge things is once i make vlan 103 native it works but ip address is assigned from vlan 12 which is native on switch end....vlan 112 user are not getting ip address when i i do debug dhcp detail can see users from 112 try but dont get ip address...please see my configs. Pure switching enviroment so dont need ip helpeer address. many thanks
Hi Mohammad,
Try modifying the configuration as below.
interface Dot11Radio0.12
encapsulation dot1Q 12 native
no ip route-cache
bridge-group 1
interface Dot11Radio0.103
encapsulation dot1Q 103
no ip route-cache
bridge-group 103
interface Dot11Radio0.112
encapsulation dot1Q 112
no ip route-cache
bridge-group 112
interface Dot11Radio0.204
encapsulation dot1Q 204
no ip route-cache
bridge-group 204
interface Dot11Radio1.12
encapsulation dot1Q 12 native
no ip route-cache
bridge-group 1
interface Dot11Radio1.103
encapsulation dot1Q 103
no ip route-cache
bridge-group 103
interface Dot11Radio1.112
encapsulation dot1Q 112
no ip route-cache
bridge-group 112
interface Dot11Radio1.204
encapsulation dot1Q 204
no ip route-cache
bridge-group 204
interface FastEthernet0.12
encapsulation dot1Q 12 native
bridge-group 1
interface FastEthernet0.103
encapsulation dot1Q 103
bridge-group 103
interface FastEthernet0.112
encapsulation dot1Q 112
bridge-group 112
interface FastEthernet0.204
encapsulation dot1Q 204
bridge-group 204
Regards
Najaf
Please rate when applicable or helpful !!!
Similar Messages
-
QoS / Native VLAN Issue - Please HELP! :)
I've purchased 10 Cisco Aironet 2600 AP’s (AIR-SAP2602I-E-K9 standalone rather than controller based).
I’ve configured the WAP’s (or the first WAP I’m going to configure and then pull the configuration from and push to the others) with 2 SSID’s. One providing access to our DATA VLAN (1000 – which I’ve set as native on the WAP) and one providing access to guest VLAN (1234). I’ve configured the connecting DELL switchport as a trunk and set the native VLAN to 1000 (DATA) and allowed trunk traffic for VLAN’s 1000 and 1234. Everything works fine, when connecting to the DATA SSID you get a DATA IP and when you connect to the GUEST SSID you lease a GUEST IP.
The problem starts when I create a QoS policy on the WAP (for Lync traffic DSCP 40 / CS5) and try to attach it to my VLAN’s. It won’t let me attach the policy to VLAN 1000 as it’s the native VLAN. If I change VLAN 1000 on the WAP to NOT be the native VLAN I can attach the policies however wireless clients can no longer attach to either SSID properly as they fail to lease an IP address and instead get a 169.x.x.x address.
I'm sure I'm missing something basic here so please forgive my ignorance.
This is driving me insane!
Thanks to anyone that provides assistance. Running config below and example of the error...
User Access Verification
Username: admin
Password:
LATHQWAP01#show run
Building configuration...
Current configuration : 3621 bytes
! Last configuration change at 02:37:59 UTC Mon Mar 1 1993 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname LATHQWAP01
logging rate-limit console 9
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
no ip routing
dot11 syslog
dot11 vlan-name Data vlan 1000
dot11 vlan-name Guest vlan 1234
dot11 ssid LatitudeCorp
vlan 1000
authentication open
authentication key-management wpa version 2
wpa-psk ascii
dot11 ssid LatitudeGuest
vlan 1234
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii
crypto pki token default removal timeout 0
username admin privilege 15 password!
class-map match-all _class_Lync0
match ip dscp cs5
policy-map Lync
class _class_Lync0
set cos 6
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 1234 mode ciphers aes-ccm
encryption vlan 1000 mode ciphers aes-ccm
ssid LatitudeCorp
ssid LatitudeGuest
antenna gain 0
stbc
station-role root
interface Dot11Radio0.1000
encapsulation dot1Q 1000 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.1234
encapsulation dot1Q 1234
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 spanning-disabled
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
service-policy input Lync
service-policy output Lync
interface Dot11Radio1
no ip address
no ip route-cache
encryption vlan 1234 mode ciphers aes-ccm
encryption vlan 1000 mode ciphers aes-ccm
ssid LatitudeCorp
ssid LatitudeGuest
antenna gain 0
no dfs band block
stbc
channel dfs
station-role root
interface Dot11Radio1.1000
encapsulation dot1Q 1000 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.1234
encapsulation dot1Q 1234
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 spanning-disabled
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
service-policy input Lync
service-policy output Lync
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface GigabitEthernet0.1000
encapsulation dot1Q 1000 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.1234
encapsulation dot1Q 1234
no ip route-cache
bridge-group 255
bridge-group 255 spanning-disabled
no bridge-group 255 source-learning
service-policy input Lync
service-policy output Lync
interface BVI1
ip address 10.10.1.190 255.255.254.0
no ip route-cache
ip default-gateway 10.10.1.202
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
transport input all
end
LATHQWAP01#conf
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line. End with CNTL/Z.
LATHQWAP01(config)#int dot11radio1.1000
LATHQWAP01(config-subif)#ser
LATHQWAP01(config-subif)#service-policy in
LATHQWAP01(config-subif)#service-policy input Lync
set cos is not supported on native vlan interface
LATHQWAP01(config-subif)#Hey Scott,
Thank you (again) for your assistance.
So I' ve done as instructed and reconfigured the WAP. I've added an additional VLAN (1200 our VOIP VLAN) and made this the native VLAN - so 1000 and 1234 are now tagged. I've configure the BVI interface with a VOIP IP address for management and can connect quite happily. I've configured the connecting Dell switchport as a trunk and to allow trunk vlans 1000 (my DATA SSID), 1200(native) and 1234 (MY GUEST SSID). I'm now back to the issue where when a wireless client attempts to connect to either of my SSID's (Guest or DATA) they are not getting a IP address / cannot connect.
Any ideas guys? Forgive my ignorance - this is a learning curve and one i'm enjoying.
LATHQWAP01#show run
Building configuration...
Current configuration : 4426 bytes
! Last configuration change at 20:33:19 UTC Mon Mar 1 1993 by Cisco
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname LATHQWAP01
logging rate-limit console 9
enable secret 5
no aaa new-model
no ip source-route
no ip cef
dot11 syslog
dot11 vlan-name DATA vlan 1000
dot11 vlan-name GUEST vlan 1234
dot11 vlan-name VOICE vlan 1200
dot11 ssid LatitudeCorp
vlan 1000
authentication open
authentication key-management wpa version 2
mobility network-id 1000
wpa-psk ascii
dot11 ssid LatitudeGuest
vlan 1234
authentication open
authentication key-management wpa version 2
mbssid guest-mode
mobility network-id 1234
wpa-psk ascii
no ids mfp client
dot11 phone
username CISCO password
class-map match-all _class_Lync0
match ip dscp cs5
policy-map Lync
class _class_Lync0
set cos 6
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 1000 mode ciphers aes-ccm
encryption vlan 1234 mode ciphers aes-ccm
ssid LatitudeCorp
ssid LatitudeGuest
antenna gain 0
stbc
mbssid
station-role root
interface Dot11Radio0.1000
encapsulation dot1Q 1000
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 spanning-disabled
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
service-policy input Lync
service-policy output Lync
interface Dot11Radio0.1200
encapsulation dot1Q 1200 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.1234
encapsulation dot1Q 1234
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 spanning-disabled
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
service-policy input Lync
service-policy output Lync
interface Dot11Radio1
no ip address
encryption vlan 1000 mode ciphers aes-ccm
encryption vlan 1234 mode ciphers aes-ccm
ssid LatitudeCorp
ssid LatitudeGuest
antenna gain 0
peakdetect
no dfs band block
stbc
mbssid
channel dfs
station-role root
interface Dot11Radio1.1000
encapsulation dot1Q 1000
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 spanning-disabled
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
service-policy input Lync
service-policy output Lync
interface Dot11Radio1.1200
encapsulation dot1Q 1200 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.1234
encapsulation dot1Q 1234
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 spanning-disabled
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
service-policy input Lync
service-policy output Lync
interface GigabitEthernet0
no ip address
duplex full
speed auto
interface GigabitEthernet0.1000
encapsulation dot1Q 1000
bridge-group 255
bridge-group 255 spanning-disabled
no bridge-group 255 source-learning
service-policy input Lync
service-policy output Lync
interface GigabitEthernet0.1200
encapsulation dot1Q 1200 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.1234
encapsulation dot1Q 1234
bridge-group 254
bridge-group 254 spanning-disabled
no bridge-group 254 source-learning
service-policy input Lync
service-policy output Lync
interface BVI1
mac-address 881d.fc46.c865
ip address 10.10. 255.255.254.0
ip default-gateway 10.10.
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
login local
transport input all
sntp server ntp2c.mcc.ac.uk
sntp broadcast client
end
LATHQWAP01# -
Native VLAN issue on 2900XL/3500XL
I currently have TAC case open on this but I thought I would go ahead and start a thread here and see what others think...
We currently have over 200 2900/3500XL's left in our production environment. We recently finished our yearly IOS upgrade and moved all these series switches to the latest IOS (WC13), most of them had WC10.
After the upgrade (reload of the switches) we noticed many of the switches lost their CDP neighbor info. The switches are otherwise working fine, trunks are still up and users are having no issue. However this is wreaking havco on Cisco works "Topology Services". The CDP neighbor info is simply gone. Also when you do a debug CDP packet on the switches you never see any of the switches "receive" CDP packets back only send them.
Our standard config is to use a native VLAN of 999 and not include it on the trunks (per Cisco best practice). Basically what we have noticed is the only way to get CDP to work with any WC IOS past 10 is to include the native VLAN on the trunk.
My question is why would Cisco revert back to this as a default (non best practice)?
One more interesting thing is when a 2900/3500XL running WC13 is trunked (connected) to anything else (2950, 3750, 4506, etc) the CDP info works and shows up fine.We have seen some of this also , just on nontrunked links back to routers or mls's . A lot of the time i have been to get them to work by doing a "clear interface F0/X on both sides . I don't know if this would be disruptive on a trunk link or not as we don't trunk these old boxes . You have to do the clear command on both sides of the link if one side does not work , you may have to wait for the cdp timers after the clear command to see if it worked or not . May not work at all on a trunk link I don't know but it's something to try to if it will kick start the cdp process. Personally I think it is a bug but they probably won't fix it because these are EOL and EOS .
-
1240AG Access Point/Native VLAN/VLAN Problem
Need to setup several SSID's with different Encryption levels. The access point connects to a plain D-link switch, not able to define a truck on the switch which is causing problems when only one of the SSID's is set for Native VLAN (DHCP server cannot be contacted with the other SSID's).
Anyway to get around this problem !!!!Nope.... you need to be able to define the vlans on the switch. You need a switch where you can configure a dot1q trunck and then you can make this work. Right now, you can only have one.
-
Strange VLAN issue on aironet access points
I'm setting up some access points for WPA. I've ran into a strange issue. The client VLAN (VLAN that the users will be put into) is 1, and the native VLAN is 10. The RADIUS server is in VLAN 1 (but I have a test RADIUS server in VLAN 10 as well). I can connect from the access point to a RADIUS server in either VLAN, and from the RADIUS servers to the access point as well. When I point to a RADIUS server in VLAN10 authentication works fine. If I point to a RADIUS server that is located in VLAN1, and I put the wireless clients in VLAN10 it works fine. But for some reason when I have the RADIUS server and the clients in VLAN (1) and the native (BVI1) interface in VLAN 10 the authentication packets never seem to get to the RADIUS server. It is as if the authentication is being sources out of the wrong VLAN. I can?t find any docs to say that this isn?t a supported configuration.
Hi Shannon,
have a look here:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#apconfig
- - - Snipp - - -
Significance of Native VLAN
When you use an IEEE 802.1Q trunk port, all frames are tagged except those on the VLAN configured as the "native VLAN" for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged. Therefore, when an AP is connected to the switchport, the native VLAN configured on the AP must match the native VLAN configured on the switchport.
Note: If there is a mismatch in the native VLANs, the frames are dropped.
This scenario is better explained with an example. If the native VLAN on the switchport is configured as VLAN 12 and on the AP, the native VLAN is configured as VLAN 1, then when the AP sends a frame on its native VLAN to the switch, the switch considers the frame as belonging to VLAN 12 since the frames from the native VLAN of the AP are untagged. This causes confusion in the network and results in connectivity problems. The same happens when the switchport forwards a frame from its native VLAN to the AP.
- - - Snapp - - -
Best regards,
Frank -
Requirement for Native VLAN on Flexconnect Access Point
Hi All,
Just looking at AP configuration using 5508 WLC.
We have APs deployed at all branch sites connected over a corporate L3 WAN to a Data Centre which houses the WLC(s)
When setting the AP for Flexconnect mode there is a requirement that one native VLAN must be configured for each FlexConnect AP. If the AP is attached to a L2 switch and I want to enable multiple VLAN Mappings then I would need to add these VLANs to the allowed VLAN list on a trunk link between the AP and the switch (802.1Q) on the branch site.
Normally if I configured a trunk link I would never add the Native VLAN to the trunk and never use it for any traffic. In this case it would appear that I MUST use the native VLAN (which seems to go against my better judgement). So my question (after all this) is: What must the AP use the Native VLAN?
Thanks All.This has always been a standard practice for access points that has to connect to a trunk port. This goes back to the autonomous access points and also with FlexConnect and Mesh if your setting up Ethernet bridging. Wired side is different from the wireless side as you have noticed.
Please rate helpful post and Cisco Support Community will donate to Kiva
Scotty -
H-REAP Issues: Clients get dropped onto Native VLAN on one AP
Hi,
I have a wireless deployment consisting of 2 WLC's centrally located in two data centres, with WCS managing the WLC's. There are currently two sites with wireless. Each site is it's own AP Group with different SSIDs at both sites.
The site where I am having an issue with H-REAP has 48 AP's installed across a number of floors.
The problem I am experiencing is that when clients get associated to one specific AP, they will successfully connect to the SSID, but are getting dropped into the native VLAN (VLAN 23) instead of the VLAN (VLAN 22) that is mapped to the SSID. The clients get an IP address from the native VLAN and can access the corporate network, but due to firewall rules they cannot get access to some key corporate assets, as the native VLAN (VLAN 23) is not included in a specific firewall group for wireless clients. Clients connected to the same SSID but on a different AP are getting dropped into the correct VLAN (VLAN 22).
The switchport configuration for the one AP that is having issues is specifically below:
interface GigabitEthernet5/47
description *** Wireless AP ***
switchport access vlan 23
switchport trunk native vlan 23
switchport trunk allowed vlan 22,23
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
spanning-tree guard root
However, this configuration is the same across all AP connected switchports. The switchport is trunking correctly:
show int gi5/47 trunk
Port Mode Encapsulation Status Native vlan
Gi5/47 on 802.1q trunking 23
Port Vlans allowed on trunk
Gi5/47 22-23
Port Vlans allowed and active in management domain
Gi5/47 22-23
Port Vlans in spanning tree forwarding state and not pruned
Gi5/47 22-23
I have attached a screenshot of the AP configuration from WCS. As can be seen, the AP is configured for H-REAP, with the Native VLAN set, and the SSID-to-VLAN mappings also set.
I have tried doing a configuration reset on this AP and re-configuring it from scratch, but it still exhibits the same behaviour.
Does anyone have any ideas on what I can do to resolve this problem?
Thanks in advance.I have built an interface of the 2106 for VLAN5 and the interfaces for the 2106 and the bridges are built as trunks and all vlans are allowed. If I plug in a laptop on the 3560 in the new building, and the port is assigned to VLAN5, I get an address and can surf out just fine. I will scrub the 2106 & 3750 configs and try and upload them. To further test I moved the DHCP scope onto the 2106 and my wireless client is able to get an address from the 2106, I can ping the interface on the 2106 (192.168.5.2) I just cant connect to the 3750 switch.
-
1532 Autonomous Outdoor link DFS and vlans issue
Hi all,
I have a fresh installation of a Point to Point (1km distance) link using autonomous Aps 1532 and directional antennas 14dbi.
The regulatory domain is Europe and the only usable channels are 100 104 108 112 116 132 136 140 (DFS channels).
The link is near military area and DFS is triggered very often which causes frequent disconnections near every minute.
From the logs i see that there is no available channel:
%DOT11-6-DFS_TRIGGERED: DFS: triggered on frequency 5540 MHz
%DOT11-2-NO_CHAN_AVAIL_NON_OCCP: Interface Dot11Radio1, no channel available.
So if all channels are occupied by the radars why carrier busy test does show anything?
ROOT#dot11 dot11Radio 1 carr bu
Frequency Carrier Busy %
5500 0
5520 0
5540 0
5560 0
5580 0
5660 0
5680 0
5700 0
The second issue is regarding vlans.
3 Vlans: Data vlan 1 ,Voice vlan 2 , Management vlan 100 (native vlan for bridging).
After rebooting the non-root bridge data vlan 1 doesn't works even though management and voice are ok.
The workaround i found is to manually change the bridge group to different number.
After the change connectivity is comes back... (maybe bug???)
interface Dot11Radio1.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
interface Dot11Radio1.4
encapsulation dot1Q 1
bridge-group 4
bridge-group 4 spanning-disabled
interface Dot11Radio1.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 spanning-disabled
Any thoughts?
Best regards,
Christos.Below is the output from one of my APs in the -E regulatory domain:
Carrier Set: ETSI (OFDM) (EU) (-E)
Uniform Spreading Required: Yes
Configured Frequency: 0 MHz Channel 0
Allowed Frequencies: 5180(36) 5200(40) 5220(44) 5240(48) 5260(52) 5280(56) 5300(60) 5320(64) 5500(100) 5520(104) 5540(108) 5560(112) 5580(116) 5660(132) 5680(136) 5700(140)
Listen Frequencies: 5180(36) 5200(40) 5220(44) 5240(48) 5260(52) 5280(56) 5300(60) 5320(64) 5500(100) 5520(104) 5540(108) 5560(112) 5580(116) 5660(132) 5680(136) 5700(140) 5745(149) 5765(153) 5785(157) 5805(161) 5825(165)
It seems to be a limitation of the 1530 series:
http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1530-series/data_sheet_c78-728356.html
Frequency Band and 20-MHz Operating Channels
-E Domain:
● 2.401 to 2.4835 GHz; 13 channels
● 5.470 to 5.725 GHz; 8 channels
Regarding your issue with vlan 1, I can't see anything wrong in your configuration. This could indeed be a bug. I made a little research in the bug tool, but couldn't find anything related.
However, you should check the following before opening a case with the TAC:
check the logs from the AP immediately after a reboot
check your switch port status on each side
Is the bridge setting a loop in your network? I have worked on architectures with redundant wireless bridge uplinks using STP. A STP blocked port for vlan 1 could be a lead in that case.
Moreover, in your configuration, I can't see the usual bridge-group configuration under your subinterfaces. Not sure if this is of any use here as you have a 1532 AP, but I would try to add it for each subinterface:
interface GigabitEthernet0.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface Dot11Radio0.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled -
Hi!
I have a particular installation on a customer site.
The management vlan is the number 1 (which is the native vlan) for the whole network and all the switches tag the native vlan.
So when I plug my AP on a port of a switch configured in trunk mode, it doesn't work.
How can I resolve this issue?
ThanksYes, you can specify the native VLAN, though I am not sure if that will enable tagging of that VLAN or not. You might have to try it yourself to see. See the following link for pictures of the pages in question.
http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#t12
Because I think it will require a reboot after enabling HREAP but before setting up VLAN support, you might need to set it as an access port while making the changes.
1. Do not use VLANs for your H-REAP deployment and set the access point switch ports as Access ports in the VLAN you want your users to be in. The AP will need an IP in the user VLAN, but that is not usually a problem. If you do not need multiple user VLANs from different SSIDs, this will be the easiest option.
2. Disable native VLAN tagging for the ports with APs with the command I listed above. -
The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?
Hello
I think the following topologies are supported for Cisco Routers
And the Physical interface also can be using as Native VLAN interface right?
Topology 1.
R1 Gi0.1 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
R1 - configuration
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
ip address 10.0.0.1 255.255.255.0
Topology 2.
R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
interface GigabitEthernet0
ip address 10.0.0.1 255.255.255.0
And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3
Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4 (same VLAN-ID)
R1 - configuration
interface GigabitEthernet0
ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet8.20
encapsulation dot1Q 20
ip address 20.0.0.1 255.255.255.0
Any information is very appreciated. but if there is any CCO document please let me know.
Thank you very much and regards,
Masanobu HiyoshiHello,
The diagram is helpful.
If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
Best regards,
Peter -
Does the dot1q native VLAN need to be defined on the switch?
I understand the issues with using VLAN 1 as the native VLAN on a dot1q trunk. I follow best practices and change the native VLAN to a VLAN that does not carry any other traffic (switchport trunk native vlan x). I usually go a step further and do not define the VLAN in the switch configuration. This way if traffic bleeds into the native VLAN because it is untagged then it cannot go anywhere. So if I use VLAN 999 as the native VLAN, I do not create VLAN 999 on the switch. I’m curious if anyone else does this or if there are any thoughts on whether this is a good or bad practice?
If you are tagging your native VLAN but do not have that VLAN in the vlan database - it makes no difference if the VLAN exists or not in my opinion. All the vlans on your trunks would be tagged anyway.
It seems like a clever idea, but not sure if it provides any benefit. -
Wireless AP native vlan and switch trunk
Hi,
I am unable to ping my ap, i think it is due to the multiple vlan issues, can provide some advise, my config for the ap and switch is as below
AP Config
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hostname
logging rate-limit console 9
enable secret 5 $1$ZxN/$eYOf/ngj7vVixlj.wjG2G0
no aaa new-model
ip cef
dot11 syslog
dot11 ssid Personal
vlan 2
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 070E26451F5A17113741595D
crypto pki token default removal timeout 0
username Cisco password 7 1531021F0725
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
stbc
beamform ofdm
station-role root
no dot11 extension aironet
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
no dfs band block
stbc
beamform ofdm
channel dfs
station-role root
interface Dot11Radio1.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio1.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.1.100 255.255.255.0
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
password 7 01181101521F
login
transport input all
end
Switch Port config
interface FastEthernet1/0/10
switchport trunk native vlan 100
switchport mode trunkI will re-check the routing again but could it be some bridging issues ?
interface GigabitEthernet0
no ip address
duplex auto
speed auto
**** unable to put up this command on the giga port
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
I try to put this command on the gigaethernet port but it does not allow me, could this be the bridging issue ? -
Nexus 1010 + 1000v control vlan issue
Hi,
I have Nexus 1000v installed on nexus 1010. The nexus 1010 is in cluster and working fine. I have made network uplink option 3.
My VSM is configured to be on L3 mode. Hence I set control and packet vlan to 1 (on vsm). while creating the VSB too I have choosen control and packet vlan to be 1 (keeping in mind my mode will be L3).
Now The vsm is not coming up in HA. The redandancy log says degraded mode is true.
Is it because, the control packet coming from VSM after reaching the N1010, the packets are getting tagged with vlan 1. Since I have not set any native vlan on 1010, might be control vlan 1 is also tagged one. Is it this the case ?
help needed on this issue.
regards
Prasad KControl vlan is a totally seperate VLAN then your System Console. The VLAN just needs to be available to the ESX host through the upstream physical switch and then make sure the VLAN is passed on the uplink port-profile that you assign the ESX host to.
We only need an interface on the ESX host if you decide to use L3 control. In that instance you would create or use an existing VMK interface on the ESX host. -
Option "Native VLAN ID" doesn't show up
Hi all:
I'm configuring several AP in a WLC 5508. All of them are in FlexConnect with VLAN Mapping and the most are 1131 and I can configure Native VLAN and VLAN mapping option. However, I just added a 2702 AP to the WLC and I found out the "Native VLAN ID" option under FlexConnect tab is missing (attach screenshoot). Is it because of the model of the AP or config issue?.
As you can see in the screenshoot, AP is in a FlexConnect Group. In it I can't configure Native VLAN for the APs.
Thanks all
FranciscoThis issue is bug# CSCus64073 - 1700/2700 APs native vlan
field missing in Flex tab
• The workaround is to “untick vlan support (in the Advanced tab) and tick it back,
then field will show again”
• If this is unsuccessful, configure the native vlan through the cli with the
following commands:
- config ap disable ap <AP_Name>
- config ap flexconnect vlan native 8 <AP_Name>
- config ap enable ap <AP_Name>
- show ap config general <AP_Name> should show correct native vlan -
Quesiton about PVID , SA520, Native VLAN
Is PVID the same thing as "native vlan"? Can the native VLAN be changed on a SA520? Currently I believe it to be 1, I'd like to change the native VLAN to 10.
I have a scenario where I have a prexisting production LAN of 192.168.1.0/24 . It's a small organization (a church), but they purchased 3 Aironet 1130ag units. They want to have a "private" WLAN that is part of 192.168.1.0/24 , and a guest WLAN of a different subnet (I chose 192.168.20.0/24) . The two should never meet. There will likely never be a guest computer connected via ethernet. Guest computers would always have to connect wirelessly.
I accomplished this to a point.
I left VLAN 1 on the SA520 192.168.75.0/24 subnet as default.I created a VLAN 10 , 192.168.1.0/24 subnet, and I created a VLAN 20, 192.168.20.0/24 subnet.
VLAN Recap:
VLAN 1 , 192.168.75.0/24
VLAN 10, 192.168.1.0/24
VLLAN 20, 192.168.20.0/34
Ports 1-3 of the SA520 are members of VLAN 1, 10, and 20 (cannot remove membership of VLAN1, which is pretty annoying).
The Aironets have been configured correctly.
SSID: Priv is part of VLAN 10
SSID: Pub is part of VLAN 20
Both are secured by WPA, and when I connect, the proper DHCP subnet passes from the firewall through to the wireless client, for each respective SSID.
Ultimately, I'd like the SBS 2003 server to handle DHCP for VLAN 10, and have the SA520 handle DHCP for VLAN 20, but i'll take what I can get.
Here's my challenge:
The original production LAN is connected via an unmanged switch.
I'd like to trunk the unmanaged switch to Port 4 on the SA520. However, since the PVID (native vlan?) of SA520 is 1, and I cannot make Port 4 on the SA520 ony a member of VLAN 10, then anything traffic coming from the unanaged switch will automatically be tagged with VLAN1, correct? Thus causing the already existing production network to start receiving DHCP from the firewall in the 192.168.75.0/24 range.
Any ideas or help on the above?
What I would do if I had a managed switch on the production LAN:
If I had a managed switch on the production LAN, what I think I would do is make one port a trunk port, connect that port to Port 4 on the SA520, then make all the rest of the ports on the managed switch access ports, and members of VLAN 10. Am I on the right track there?
Hiccups when setting up the WAP:
I would have changed the VLAN 1 on SA520 to 192.168.1.0/24 subnet, and only created a second subnet, but there was a challenge with that and the WAP's.
Cannot change the VLAN the dot11radio0 is a part of. There's not encapsulation command.
Could not broadcast the SSID's successfully and secure via WPA unless the SSID's were on VLAN's other than 1. The dot11radio0 would go into a "reset" state.
Could change the VLAN subinterfaces of dot11radio0 were on, for example dot11radio0.10 is a member of VLAN 10. Dot11radio0.20 is a member of VLAN2.
In any event, it's working, but the rest of the infrastructure is the challenge.
Here's one of my WAP configs as an example:
Building configuration...
Current configuration : 2737 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname WAP2
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
no aaa new-model
no ip domain lookup
dot11 syslog
dot11 ssid CASPRIV
vlan 10
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 107E1B101345425A5D4769
dot11 ssid CASPUB
vlan 20
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 132616013B19066968
username Cisco password 7 0802455D0A16
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 20 mode ciphers aes-ccm
encryption vlan 10 mode ciphers aes-ccm
ssid CASPRIV
ssid CASPUB
mbssid
channel 6
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.10
encapsulation dot1Q 10
ip address 192.168.1.5 255.255.255.0
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface Dot11Radio0.20
encapsulation dot1Q 20
ip address 192.168.20.3 255.255.255.0
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption mode ciphers aes-ccm
ssid CASPRIV
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
interface BVI1
no ip address
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
login localHello Paul,
You have a lot going on here so forgive me if I miss something.
PVID is for Primary/Port Vlan ID. It is used to identify the vlan on a port and can be used to change the native vlan of a port. You can change the PVID on port 4 of the SA520 to be vlan 10 if you need to.
The simplest setup would be for you to have your private network all be on the native vlan 1 and set your guest to be on another vlan. All of this would be possible without any problem on the SA520. Unfortunately I do not have much experience with the Aironet APs but they should allow you to continue this configuration onto the wireless network. For assistance with the Aironet APs I would have to refer you to someone more familiar.
I do hope this helps with setting your network.
Maybe you are looking for
-
I purchased a movie from the itunes store, it had errors (25) in the down load, and it does not allow me to down load again. I just get directed to the Store, and Check for available downloads, which when selected again informes me that 25 errors occ
-
Hi all. I've been registered to the forum for a couple of years, but this my first post. I'll try to give as much info as I can. NIPXIe-1082 chassis slot 1: PXIe-8133 Embedded Controller slot 2-3: PXIe-6363 X-Series Multifunction DAQ slot 4: TB-435
-
Hi guys, Does anyone have any good material / suggestions on the following points concerning XI and it's ability to support an ESA: 1) BPM/BPEL modelling 2) integration with adapaters and routings 3) integration for business activity monitoring 4) cr
-
How to run applets on the internet?
I want my applet class run on the Internet but not in the Internet browser but instead maybe in appletviewer or something else...For example in java.sun.com the chatroom is an applet and it doesn't run in browser as I understand.because when I clicke
-
Forms 10g BI Graph Bean - Is there way of printing the graph ?
Hi All, A simple "nice to have" requirement : after producing a graph on the Form using the BI Graph Bean, is there a way of printing it ? Regards, Steve