1200: Native VLAN & Management VLAN
I want to keep the management VLAN and native VLAN separate. Is this the correct setup when using VLAN 999 as the native VLAN and VLAN 100 for the management VLAN?
Management VLAN 100 (10.100.0.0/24)
### Trunk SW ###
description "AP"
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
### AP ###
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 99 key 1 size 128bit 7 3831CB248113D952741376BEC352 transmit-key
encryption vlan 99 mode wep mandatory
encryption vlan 11 mode ciphers tkip
ssid xoxoxo
vlan 11
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
ssid xxx
vlan 99
authentication network-eap eap_methods
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
station-role root
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
interface Dot11Radio0.99
encapsulation dot1Q 99
no ip route-cache
bridge-group 99
bridge-group 99 subscriber-loop-control
bridge-group 99 block-unknown-source
no bridge-group 99 source-learning
no bridge-group 99 unicast-flooding
bridge-group 99 spanning-disabled
interface dot11radio 0.999
encapsulation dot1q 999 native
interface dot11radio 0.100
encapsulation dot1q 100
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
ntp broadcast client
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled
interface FastEthernet0.99
encapsulation dot1Q 99
no ip route-cache
bridge-group 99
no bridge-group 99 source-learning
bridge-group 99 spanning-disabled
interface fastethernet 0.999
encapsulation dot1q 999 native
interface fastethernet 0.100
encapsulation dot1q 100
interface BVI100
ip address 10.100.0.110 255.255.255.0
no ip route-cache
ip default-gateway 10.100.0.1
This looks correct to me. Do you have a non-root bridge on the other side?
Are you able to trunk all 4 VLANS with this config?
Similar Messages
-
1200 Series - Tagged Management VLAN Traffic
Hi,
As per my understanding, the 1200 Series Access points running IOS (12.2(15)XR) send the management traffic (RADIUS, Accounting, NTP, etc.) un-tagged, i.e. using VLAN 1.
As per our current setup, we assign this un-tagged traffic to a different VLAN (by changing native vlan to x for the Trunk Port) on the cisco switch.
Is it possible to configure the Access Point to send Management Traffic as tagged with a particular VLAN id ? (Similar to what it does for Wireless Traffic, when SSID are associated to specific VLANs)
We are trying to set this up with a 3Com 4400 series switch. I have been unable to configure the 3Com switch so that it can assign the untagged traffic to a different VLAN instead of VLAN 1.
Regards \\ Naman
Changing the Native VLAN doesn't make a difference. I can create any VLAN and make it native but management traffic is still being sent un-tagged.
Below was the setup I tested:
AP--->Trunk Link<->Switch Port(Native VLAN=15)
Switch Port --->Trunk Link<->Router with VLAN15
I can make any VLAN the native VLAN on the AP and it doesn't affect the functionality as long as the switch native VLAN matches the corresponding VLAN on the router. -
Native VLAN, Management VLAN
Is the Native VLAN only used to communicate 802.1q information? Does CDP go over the Native VLAN? Is there a breakdown of what traverses the Native VLAN and the Management VLAN? I have a customer that has their management vlan different than the native vlan.
I think it does more than what you say:
802.1Q standard is more than just a tagging mechanism. It also defines a unique spanning tree instance running on the native VLAN for all the VLANs in the network.
Here is the link:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008012ecf3.shtml#basic_char
I just suspect there is more to the Native VLAN and I want a document that will provide more information on Cisco's Website. -
1300 bridge with native and management vlan in different vlans
Hello,
We are going to set up a wireless bridge between two 1300 access points. In our network the native VLAN and the management VLAN are different VLANs. Will we be able to manage the AP and switch at the "remote" site? Do we have to set up two SSIDs, one for native and one for management?
regards,
Rutger
To answer my own question:
I don't think it is possible. Things work fine by making our management VLAN the native VLAN on the switches and APs involved. Management IP address on the BVI1 interface and everything works!
Rutger -
WPA321 VLAN / Management VLAN
Hey all,
I have a network with multiple VLANs; VLANs 19-23 are for the WLAN (one per floor) because of security reasons. All switches have 192.168.1.xx IP addresses. The VLANs have 192.168.19.xx to 192.168.23.xx, so my WPA321 for example has the IP 192.168.19.2 (with VLAN 19 for WLAN traffic). How can I set it up so that the clients get 192.168.19.xx IPs but the router itself lies on the 192.168.1.xx network?
Thanks in advance!
You are talking about an autonomous AP, right?
With regards to your case, you need to configure using the MBSSID setup,
ASSUME: VLAN20 MGMT VLAN
dot11 ssid VLAN19
vlan 19
authentication open
! just a sample, configure as you desire
mbssid guest-mode
interface dot11radio 0
ssid VLAN19
mbssid
bridge-group 1
! already default, but just in case
interface dot11radio 0.19
encapsulation dot1q 19
bridge-group 2
interface gigabitethernet 0.19
! dot1q encapsulation goes on a subinterface, not on the physical port
encapsulation dot1q 19
bridge-group 2
interface bvi 1
ip address 10.10.19.10 255.255.255.0
! ip mgmt of AP
AT SWITCH
interface f0/1
switchport mode trunk
switchport trunk native vlan 20
Pretty much self-explanatory: your WLAN traffic gets tagged with VLAN 19 and, since the native VLAN is 20,
well, you guessed it, you can manage your AP. -
VLANs - Default, Native and Management
Okay, please help in understanding the concept of VLANs by confirming whether the following is true or not, and based on that please help me to clear my doubts.
Default vlan - Always VLAN 1 on a switch and cannot be changed. Its purpose is to account for the interfaces/ports which are not assigned a VLAN explicitly.
Native vlan - By default, it is also VLAN 1 on a switch, but can be changed. Frames belonging to the native VLAN are sent across the trunk link untagged. Its sole purpose is to provide backward compatibility to devices that don't understand frame tagging, as per 802.1Q.
Management vlan - for managing switches.
Now my doubts ::
1. Can anyone please draw and explain a scenario in which the native VLAN comes into use, so that I can understand its purpose completely.
2. Management vlan - how are they created/assigned and used?
Hello
From a security perspective it's best practice to not use VLAN 1 whatsoever, as it is well documented that all Cisco switches default to this VLAN.
Also it is best to define a native VLAN that will not be used.
This is due to something I think is called (double tagging or VLAN hopping): when a hacker, knowing that VLAN 1 is untagged and the default VLAN, applies an outer tag to an encapsulated packet and sends this into your network, then when this outer tag is stripped away the native VLAN 1 is seen by the switch, which accepts it into your network and sends it on its merry way toward its destination.
So to negate this threat it is best to either tag ALL VLANs or define an unused native VLAN and a tagged management VLAN and not allow the native VLAN to cross any trunks.
example:
vlan 1 = shutdown
vlan 10 = management
vlan 11-49 = user vlans
vlan 50 = native
conf t
vlan 2-50
exit
int vlan 1
shut
int vlan 10
ip address x.x.x.x y.y.y.y
interface gig x/x
switchport trunk encapsulation dot1q
switchport trunk native vlan 50
switchport trunk allowed vlan 2-49
res
Paul -
VLAN trunking, native vlan and management vlan
Hello all,
In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
We have an uplink which is trunked using .1Q. Our access ports have the data VLAN as the native. Based on our design, what should be the native VLAN for this uplink trunk? Should it be the management VLAN or the data VLAN? Thanks for your help.
To answer this question you must remember what the native VLAN is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function, while normal traffic is not tagged and is sent to the VLAN that is configured for the port. Traffic for the voice VLAN is an exception to this general rule.
Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
Regards,
Leo -
About the Native Vlan and Management Vlan.
I wanted to know whether the management VLAN and native VLAN can be different VLAN IDs or whether both should be the same VLAN ID. Why should the native VLAN not be VLAN 1?
The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
Native VLAN is the VLAN which will be sent untagged even on trunk links. Consider a trunk link configured between two switches SWA and SWB: if a system in VLAN 1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, and switch B decides that the untagged frame is from native VLAN 1 and handles it accordingly. By default the native VLAN is 1; this can also be changed as per requirement.
Example: In the figure below, if an IP phone and a system are connected to a switch port as shown, then the phone will send its frames tagged with VLAN 10 whereas the frames sent by the system will be untagged. So here the corresponding switch port should be configured as native VLAN 20, so that it can recognise and handle the frames from the system and IP phone properly.
Management VLAN is different; it means that this VLAN will be used for management purposes like logging into the switch for management, monitoring the switch, collecting syslog and SNMP traps, etc., which will be done via the management VLAN IP. This is also by default VLAN 1 in Cisco. So as Antony said, it is always a best practice and security measure to not use the default VLAN and use custom VLANs.
Hope this helps ! -
VWLC clients getting DHCP address from management VLAN
Hi,
We have a strange scenario whereby some wireless employees are obtaining addresses from the management VLAN.
Some details:
DHCP managed by MS DHCP 2008 R2 (in remote data centre)
Cisco vWLC AIR-CTVM-K9 running v7.6.110.0
APs are a mix of 2602 and 3702 (46 and 2 of each respectively)
SSIDs are employee, guest, and production devices (all mapped to their own interface with relevant VLAN tag as per normal)
APs all in FlexConnect mode as per vWLC caveats
Some employees are receiving addresses in the wireless management VLAN. This network only has six DHCP addresses available as it is solely for APs, WLC and HSRP gateway. Obviously this gets exhausted very quickly, leaving us with a scenario where clients are not obtaining DHCP addresses.
I understand that with FlexConnect mode, it will assign IPs from the native VLAN. What I don't understand is why most clients receive addresses in the correct VLAN, but a handful do not, and then cannot get an address from DHCP. Obviously the ideal scenario would be to put the APs into local mode but unless this has changed in a SW release then I don't believe it's possible...
My question is: How do I get ALL the employees to obtain addresses from their interface and not the management VLAN?
Thanks in advance.
Hi,
I think we need a closer look at your configuration to eliminate some possibilities:
- What is the WLAN security you choose?
- What is the interface that is configured under the WLAN?
- Does your WLAN have local switching enabled?
- If your security is using RADIUS server, do you have AAA override enabled under the WLAN config?
- If your security is using RADIUS server, do you send any attributes to the users?
- Have you checked whether the clients that got management VLAN IPs are always on the same AP, or whether they can be on any AP?
HTH
Amjad -
Wireless AP Management VLAN and BVIs
Hi All,
I've been looking around and I can't find a solution to what I am trying to achieve and I was hoping the community may have had more luck than I have.
I'm looking to have my management VLAN for my AP setup as a tagged BVI but I'm struggling to get it setup. I can set it up fine using BVI1 and having it just accessed on the native VLAN but I see this as a security flaw, I don't really want direct access into my management network on the switch.
Now there may be a better way of preventing this but I am, at least compared to many, still fairly new to Cisco and this seems to be the best approach. Please see below for my current config, hopefully you can let me know where I am going wrong.
Also, as a note, at the moment I am mainly focusing on the management security of the AP before I check the wifi config, hence the radios still being shutdown so there may also be small errors in this. I have also removed some elements which are not relevant.
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP01
no ip source-route
no ip cef
dot11 syslog
dot11 ssid <Guest secure network SSID>
vlan 30
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii <key>
dot11 ssid <Internal Secure SSID>
vlan 10
authentication open
authentication key-management wpa version 2
wpa-psk ascii <key>
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
encryption vlan 10 mode ciphers aes-ccm tkip
encryption vlan 30 mode ciphers aes-ccm tkip
ssid <Guest secure network SSID>
ssid <Internal Secure SSID>
antenna gain 0
packet retries 64 drop-packet
channel 2437
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption vlan 10 mode ciphers aes-ccm tkip
encryption vlan 30 mode ciphers aes-ccm tkip
ssid <Guest secure network SSID>
ssid <Internal Secure SSID>
antenna gain 0
peakdetect
no dfs band block
packet retries 64 drop-packet
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio1.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
interface GigabitEthernet0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 spanning-disabled
no bridge-group 30 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 spanning-disabled
no bridge-group 100 source-learning
interface GigabitEthernet0.101
encapsulation dot1Q 999 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
no ip address
no ip route-cache
shutdown
interface BVI100
mac-address <Actual ethernet address>
ip address 10.33.100.101 255.255.255.0
no ip route-cache
ip default-gateway 10.33.100.254
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
bridge 100 protocol ieee
bridge 100 route ip
line con 0
logging synchronous
line vty 0 4
transport input ssh
end
As you can see I am using BVI100 as the management VLAN for the device and BVI1 is shutdown with vlan 999/int gi0/101 holding bridge group 1.
With this setup I can't get any IP communication, send or receive, but I can see the MAC address on the switch in the MAC address table on VLAN 100. There are also no entries in the ARP table of the AP.
The switch is setup with vlan 999 untagged and vlans 10,30,100 as tagged.
Hope you can help! Thanks for any advice in advance.
Many thanks,
Martin.
Yea, that would work and I have set it up like this without issue, but I'm trying to limit access to the management VLAN; I don't want someone to be able to plug directly into the switch and be on the same broadcast domain as all of the other equipment.
There are other ways of achieving this but I felt like I was so close with the above config, I was just missing something. -
Why does management VLAN ID matter in Cisco AP541n configuration?
I am working on configuring an AP541n AP and am able to connect to the AP wired and assign the AP a static IP with the proper subnet mask & default gateway.
When it's done, everything looks perfect, but since I changed the management VLAN ID from 1 to 2, I can't even connect to the AP wired from the PC. Why does the change matter?
Thanks.
Hi,
When working with access points in IOS mode, also known as autonomous, the access point requires that you configure an IP address on the BVI1, which is linked to bridge group 1 and set as untagged.
Now when working with VLANs, if the access point has an IP address on VLAN x then you will need to configure this as the native VLAN and with bridge group 1.
If you do not do this then you will see the issue you are reporting.
In other words, if the access point will have an IP address for VLAN 30 then the native VLAN on the AP will need to be VLAN 30, and the VLAN or the subnet for VLAN one linked to bridge group 1.
Sent from Cisco Technical Support iPhone App -
Autonomous AP1121 - Management Vlan and SSID Vlan
Hello,
We are using an ACS server to authenticate wireless users to Active Directory; this works fine. The issue occurs when we try to pull an IP and we can't from DHCP. The VLAN we have the SSID on is VLAN 10 and the management VLAN of the AP is VLAN 500. The ip-helper info is correct because wired users on VLAN 10 get an IP immediately. We just can't pull one with the AP. Does anyone know the config for this? Here is my current config; the clients authenticate through the ACS 4.2 but pull no IP, and the only way for me to manage the AP is to have the native vlan command on there; once I remove it I can't telnet. What is the fix for this? Thanks
current switch port config ap is plugged into.
interface FastEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 500
switchport mode trunk
Do you have sub-interfaces for VLAN 10 being bridged through the radio interface?
Example config below...
interface Dot11Radio0.10
description Secure Wireless access
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
Also verify that vlan 10 is allowed on the trunk interface of the switch by typing "show int trunk" -
Hi, I want to use the management VLAN 254 for my 4 WAP321s, but after changing the management VLAN in the unit from 20 to 254 I lost contact with the unit.
The switch I use is a Cisco 2960. Here's the config of the port :
interface FastEthernet0/23
switchport trunk native vlan 254
switchport trunk allowed vlan 5,20,254,1002-1005
switchport mode trunk
spanning-tree portfast
Vlan 5 and 20 are my two SSID Vlan
I was able to connect to the unit when the management VLAN was set to 20 with an IP of 192.168.254.51, but since I changed the VLAN in the unit I can't connect to it; I can't even ping it from the switch ...
Any ideas?
Hi Tom,
Got it back to work by setting the native Vlan in my 2960 to vlan 20
I also have an issue with my 2nd wireless network, vlan 20 if I don't set the untagged vlan to 20 I can't reach that network. but no problem with my wireless network with vlan 5 which is the first one. It looks like the vlan tagging only work for the first network. Is this a normal behaviour of that AP ?
Ben -
Users VLAN and Management VLAN
Is it possible to separate two VLANs:
one is running for the users VLAN connects to the clients
one is for management purpose.
Is there a sample code available for access points, bridges, and switches?
I really appreciate that.
Hi,
You can configure VLANs on enterprise access points.
What you need to do is configure the access point with its management IP address, set this as the native VLAN and then add the other VLAN or VLANs.
Then on the switch that the access point is connected to you need to configure a trunk port and make sure that the native VLAN is the same VLAN you set as native on the access point.
As an example, if the access point has an IP address for management VLAN 20, we set this VLAN as native and then we add the other VLAN or VLANs, and on the switch you configure the port as a trunk port with the same native VLAN 20.
Note, native VLAN is the same as untagged VLAN. When we configure a trunk port this will tag all VLANs except the native VLAN or untagged VLAN, which needs to be the same between directly connected devices. -
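Two rules run through these threads: Paul's switch-side hardening (native VLAN unused and pruned from the trunk, management VLAN tagged, never VLAN 1) and the autonomous-AP constraint the IOS-mode answers describe (management IP on BVI1 / bridge-group 1, so the AP's management VLAN has to be the trunk's native VLAN). The following is an added example, not code from any post here: a small audit that parses IOS trunk-port stanzas and reports which of those rules a port breaks. The config excerpts are constructed and only modelled on the posts above; the interface names and the `autonomous_ap` flag are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class TrunkPort:
    name: str
    native_vlan: int = 1   # IOS default when no native VLAN is configured
    allowed: set = None    # None means "all VLANs" (IOS default)
    mode_trunk: bool = False

def expand_vlan_list(spec):
    """'2-49,100' -> {2..49, 100}; 'all' or an empty list -> None (all VLANs)."""
    spec = spec.strip().lower()
    if spec in ("", "all"):
        return None
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def parse_trunks(config):
    """Return every 'switchport mode trunk' interface in an IOS config excerpt."""
    ports, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(.+)$", line, re.I)
        if m:
            cur = TrunkPort(m.group(1))
            ports.append(cur)
        elif cur is None:
            continue
        elif re.match(r"switchport mode trunk$", line, re.I):
            cur.mode_trunk = True
        elif re.match(r"switchport trunk native vlan (\d+)$", line, re.I):
            cur.native_vlan = int(line.split()[-1])
        elif line.lower().startswith("switchport trunk allowed vlan"):
            cur.allowed = expand_vlan_list(line[len("switchport trunk allowed vlan"):])
    return [p for p in ports if p.mode_trunk]

def audit(port, mgmt_vlan, autonomous_ap=False):
    """Findings for one trunk. autonomous_ap=True models the IOS-mode AP case:
    management sits on BVI1 / bridge-group 1 (untagged), so it must be native."""
    findings = []
    if port.native_vlan == 1:
        findings.append("native VLAN is the default (1); move it to an unused VLAN")
    if autonomous_ap:
        if port.native_vlan != mgmt_vlan:
            findings.append("autonomous AP: management VLAN must be the native VLAN")
        if port.allowed is not None and port.native_vlan not in port.allowed:
            findings.append("native VLAN pruned; untagged AP management cannot pass")
    else:
        if port.native_vlan == mgmt_vlan:
            findings.append("management VLAN is carried untagged as the native VLAN")
        if port.allowed is None or port.native_vlan in port.allowed:
            findings.append("native VLAN is allowed on the trunk; prune it")
        if port.allowed is not None and mgmt_vlan not in port.allowed:
            findings.append("management VLAN is not allowed on the trunk")
    return findings

# Constructed excerpts modelled on Paul's hardened port and Ben's 2960 port
# above; not copied from any real device.
HARDENED = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport trunk allowed vlan 2-49
 switchport mode trunk
"""
AP_PORT = """\
interface FastEthernet0/23
 switchport trunk native vlan 254
 switchport trunk allowed vlan 5,20,254,1002-1005
 switchport mode trunk
"""
```

Run `audit(parse_trunks(AP_PORT)[0], 254)` with and without `autonomous_ap=True` to see why the same port is a finding for a switch-to-switch trunk but the required layout for an IOS-mode AP.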
Cisco Access point management vlan
Hi All,
I have all my switches configured to run on native vlan 500 and management on vlan 10
With the Cisco access point, if I make 500 native, or in other words the trunk untagged VLAN, then I can't access the router using the BVI interface, which is meant to have an IP from VLAN 10.
vlan 10 is the management network across our business and all management ips are on that range.
What are the possible solutions?
When you connect the access point to the wired LAN, the access point links to the network using a bridge virtual interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the access point's Ethernet and radio ports, the network uses the BVI.
When you assign an IP address to the access point using the CLI, you must assign the address to the BVI. Beginning in privileged EXEC mode, follow these steps to assign an IP address to the access point's BVI:
Step 1: configure terminal
Enter global configuration mode.
Step 2: interface bvi1
Enter interface configuration mode for the BVI.
Step 3: ip address address mask
Assign an IP address and address mask to the BVI. Note: If you are connected to the access point using a Telnet session, you lose your connection to the access point when you assign a new IP address to the BVI. If you need to continue configuring the access point using Telnet, use the new IP address to open another Telnet session to the access point.