2 5508's connecting to 2 6500 switches

Looking to design for redundancy and mobility. My initial plan was to use LAG on both but I am confused on the setup because typically all interfaces on these two switches are set up with HSRP. Does anybody have a matching configuration example they can share? Also looking to map multiple VLANs to one SSID and use AD groups. Additional info is that this is for a large campus with multiple distribution areas but looking to just have consolidated WLC infrastructure at one location. Multiple GIG connections exist to all distribution points. Last note: the plan is to just use two of the 8 ports on each 5508.
All the guides aren't quite bringing together for me the best practice for this setup.
Thanks,
Andrew

Well you must understand that if WLC1 fails, there will be a temporary loss of service until the APs on WLC1 fail over to WLC2. This is for local mode APs, and this means that all traffic will be tunneled back to the WLCs and the layer 3 subnet needs to reside on the 6500s. If you have remote sites where you want APs and maybe don't have over 50, you can set up the APs in H-REAP mode (FlexConnect) and the subnets the users get placed on are the local subnets at the remote site. So in this scenario, if WLC1 goes down and remote site 1 has APs on WLC1, the APs stay up and traffic still flows normally. You have two options in H-REAP mode: centrally switched, which means tunnel traffic back to the WLC, or locally switched, where traffic is switched locally at that site. When APs are in local mode, the hard failure of the WLC will always disrupt the client devices just for a little (a minute or less) until the APs move to the other WLC. When WLC1 comes back online, the APs will move back with little to no disruption.
You will configure mobility between the two WLC's so that each WLC will know of clients that might roam to an AP on the other WLC.  This also is required for the AP's to know about the other WLC.

Similar Messages

  • Asymmetric routing seen in WAE when using 6500 switch

    Hi all,
When we do the self diagnostic test for the WAE connected to the 6500 switch I get a warning as below. Due to this alert there are no major acceleration benefits from the WAAS.
    Test WARN  [tfo]
         WARN  ASYMMETRIC       Asymmetric routing is seen in the device
         Action:
         Check router's network configuration and WCCP redirection on the router.
    usevwa1#
    6509 switches have only L2 capability and do not do WCCP redirection. The WCCP redirection is done by 2821 routers.
    Is there any command which needs to be given on the 6500 switch to solve the issue?

    Hi Dhanasekaran,
Unfortunately you have to check the redirection policies and the routing table of the devices and force both directions to pass through the same WAE.
    If you have a topology diagram please send it to me also the configuration of the devices that do WCCP redirection.
    Thanks,
    Alessandro

  • Assigning multiple areas to SVI's created on 6500 Switch

Hey, we are having a Cisco 6500 switch at the aggregation layer where all our SVIs are created and we need to advertise them in OSPF for reachability purposes. Now we are using the L2 campus model so the access layer is not running any routing protocol, but we need to segregate our SVI traffic based on different buildings. We are doing this by assigning unique areas to a group of SVIs while advertising in OSPF. My question is, is this a recommended way? Or do we have to advertise all the SVIs in Area 0? Because we don't have multiple areas but still we are adding them while advertising at the 6500 switch. Thanks.

Having said that, I am still confused whether it is a good approach or we should advertise all our SVIs directly into OSPF Area 0.
    Using an area per building seems unnecessary because all the L3 routing is done on the aggregation layer so it doesn't really make a lot of sense, at least to me.
I think using one area for all SVIs may be a good idea because then you can simply advertise one summary for all the SVI subnets into area 0 towards the core.
    This is assuming you can summarise all the aggregation IP subnets with one summary address.
    Even that may not be necessary as it depends on the rest of your topology.
    For example if your core connected multiple buildings as in a campus and each building had a distribution pair of switches connected back to the core then yes it would make sense to use an area per building/site and only advertise a summary to the core.
    Up to you really.
    Jon

  • Who is anybody using a WISM with FWSM on a CAT 6500 Switch?

    Hi
    Who is anybody using a WiSM with FWSM on a CAT 6500 switch?
    Are there any problems if used?
    And how can I set them up to connect to each other?
    I have found a document related to it on the Cisco website named Integrating Cisco WiSM and Firewall Service Module.
    I have a question concerning it.
    Why do I have to make a VRF for them to communicate with each other?
    Please let me know.

    As far as the FWSM is concerned you can have each of the wireless vlans come in to the same context of the FWSM and then just add those vlans to the FWSM as separate vlans.

  • Replacement catalyst 6500 switches under redundancy environment

    Hi everyone,
    I plan to replace old core catalyst 6500 switches with new ones for the purpose of reinforcement.
    Now two core catalyst 6500 switches are working under redundancy environment.
    There are many catalyst 6500 switches as distribution switches connected to each core catalyst 6500 switch, as attached.
    I think there are two ways to replace core catalyst 6500 switches.
    [One]
    Replacing one core catalyst 6500 switch first, then one week later, replacing the other core catalyst 6500 switch. All traffic will be handled by the other core catalyst 6500 switch automatically by EIGRP routing during the replacement.
    Advantage:
The other core catalyst 6500 switch continues operating even if the replacement fails.
    Disadvantage:
    Two core catalyst 6500 switches will operate in a different version (CatOS, MSFC IOS) for one week.
Any problem might happen due to this issue.
    [Two]
    Replacing both core catalyst 6500 switches at the same time.
    Advantage:
    Replacement will be finished at one time
    Disadvantage:
    If the replacement fails, the whole network goes down and it causes a critical situation.
    I have to replace them successfully, so I would like to know good information about this, such as best practice, case studies and so on.
    Your information would be greatly appreciated.
    Best regards,

    Hi,
    If I were you, I would go for option 1.
    This option will give us the time to observe the traffic pattern, time to get the network and EIGRP to stabilize and even to check for any issues on the IOS part.
    This will give you a time frame to work out any issue if it happens within the week's time. This will give you the time to see any incompatibility issues as such.
    HTH, Please rate if it does.
    -amit singh

  • Cannot Telnet to 6500 switch

    Telnet has been working forever on our 6500 switches and today it stopped. We use tacacs. Here's the message we receive when trying to login
    % Authorization failed.
    here's the tacacs config  and aaa
    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    tacacs-server host 192.168.100.253
    tacacs-server timeout 10
    tacacs-server directed-request
    tacacs-server key 7 ..................................
    Other switches are still authenticating properly using the same tacacs.
    What could have happened to it? We received a lot of messages saying it could not reach 192.168.100.254 from the management Vlan but the TACACS server is actually 254. Can you help please. Tried to create a local username but that didn't work either for a temporary fix.
    Thanks.

    line vty 0 4
    exec-timeout 60 0
    password 7 ......................
    line vty 5 15
    exec-timeout 60 0
    password 7 ..........................
    .Sep 26 16:54:33.538 EDT: TPLUS: Queuing AAA Accounting request 5531 for processing
    .Sep 26 16:54:33.538 EDT: TPLUS: processing accounting request id 5531
    .Sep 26 16:54:33.538 EDT: TPLUS: Sending AV task_id=7744
    .Sep 26 16:54:33.538 EDT: TPLUS: Sending AV timezone=EDT
    .Sep 26 16:54:33.538 EDT: TPLUS: Sending AV service=shell
    .Sep 26 16:54:33.538 EDT: TPLUS: Sending AV start_time=1380228873
    .Sep 26 16:54:33.538 EDT: TPLUS: Sending AV priv-lvl=15
    .Sep 26 16:54:33.538 EDT: TPLUS: Sending AV cmd=debug aaa authentication
    .Sep 26 16:54:33.538 EDT: TPLUS: Accounting request created for 5531(ssaab)
    .Sep 26 16:54:33.538 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
    .Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/NB_WAIT/52AC5CD4: Started 10 sec timeout
    .Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/NB_WAIT: socket event 2
    .Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/NB_WAIT: wrote entire 143 bytes request
    .Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/READ: socket event 1
    .Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/READ: Would block while reading
    .Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: socket event 1
    .Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: read entire 12 header bytes (expect 5 bytes data)
    .Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: socket event 1
    .Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: read entire 17 bytes response
    .Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/52AC5CD4: Processing the reply packet
    .Sep 26 16:54:33.546 EDT: TPLUS: Received accounting response with status PASS
    .Sep 26 16:54:42.450 EDT: TPLUS: Queuing AAA Accounting request 5531 for processing
    .Sep 26 16:54:42.450 EDT: TPLUS: processing accounting request id 5531
    .Sep 26 16:54:42.450 EDT: TPLUS: Sending AV task_id=7745
    .Sep 26 16:54:42.450 EDT: TPLUS: Sending AV timezone=EDT
    .Sep 26 16:54:42.450 EDT: TPLUS: Sending AV service=shell
    .Sep 26 16:54:42.450 EDT: TPLUS: Sending AV start_time=1380228882
    .Sep 26 16:54:42.450 EDT: TPLUS: Sending AV priv-lvl=15
    .Sep 26 16:54:42.450 EDT: TPLUS: Sending AV cmd=debug aaa authorization
    .Sep 26 16:54:42.450 EDT: TPLUS: Accounting request created for 5531(ssaab)
    .Sep 26 16:54:42.450 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
    .Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/NB_WAIT/52AC5CD4: Started 10 sec timeout
    .Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/NB_WAIT: socket event 2
    .Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/NB_WAIT: wrote entire 142 bytes request
    .Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/READ: socket event 1
    .Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/READ: Would block while reading
    .Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: socket event 1
    .Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: read entire 12 header bytes (expect 5 bytes data)
    .Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: socket event 1
    .Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: read entire 17 bytes response
    .Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/52AC5CD4: Processing the reply packet
    .Sep 26 16:54:42.458 EDT: TPLUS: Received accounting response with status PASS
    .Sep 26 16:55:02.830 EDT: AAA/BIND(0000159F): Bind i/f 
    .Sep 26 16:55:02.830 EDT: AAA/AUTHEN/LOGIN (0000159F): Pick method list 'default'
    .Sep 26 16:55:02.830 EDT: TPLUS: Queuing AAA Authentication request 5535 for processing
    .Sep 26 16:55:02.834 EDT: TPLUS: processing authentication start request id 5535
    .Sep 26 16:55:02.834 EDT: TPLUS: Authentication start packet created for 5535(ssaab)
    .Sep 26 16:55:02.834 EDT: TPLUS: Using server 192.168.100.253
    .Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/NB_WAIT/528154D8: Started 10 sec timeout
    .Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/NB_WAIT: socket event 2
    .Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/NB_WAIT: wrote entire 42 bytes request
    .Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/READ: socket event 1
    .Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/READ: Would block while reading
    .Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: socket event 1
    .Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: read entire 12 header bytes (expect 16 bytes data)
    .Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: socket event 1
    .Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: read entire 28 bytes response
    .Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/528154D8: Processing the reply packet
    .Sep 26 16:55:02.838 EDT: TPLUS: Received authen response status GET_PASSWORD (8)
    .Sep 26 16:55:06.407 EDT: TPLUS: Queuing AAA Authentication request 5535 for processing
    .Sep 26 16:55:06.407 EDT: TPLUS: processing authentication continue request id 5535
    .Sep 26 16:55:06.407 EDT: TPLUS: Authentication continue packet generated for 5535
    .Sep 26 16:55:06.407 EDT: TPLUS(0000159F)/0/WRITE/52A57824: Started 10 sec timeout
    .Sep 26 16:55:06.407 EDT: TPLUS(0000159F)/0/WRITE: wrote entire 25 bytes request
    .Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: socket event 1
    .Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: read entire 12 header bytes (expect 6 bytes data)
    .Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: socket event 1
    .Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: read entire 18 bytes response
    .Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/52A57824: Processing the reply packet
    .Sep 26 16:55:06.419 EDT: TPLUS: Received authen response status PASS (2)
    .Sep 26 16:55:06.427 EDT: AAA/AUTHOR (0x159F): Pick method list 'default'
    .Sep 26 16:55:06.427 EDT: TPLUS: Queuing AAA Authorization request 5535 for processing
    .Sep 26 16:55:06.427 EDT: TPLUS: processing authorization request id 5535
    .Sep 26 16:55:06.427 EDT: TPLUS: Protocol set to None .....Skipping
    .Sep 26 16:55:06.427 EDT: TPLUS: Sending AV service=shell
    .Sep 26 16:55:06.427 EDT: TPLUS: Sending AV cmd*
    .Sep 26 16:55:06.427 EDT: TPLUS: Authorization request created for 5535(ssaab)
    .Sep 26 16:55:06.427 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
    .Sep 26 16:55:06.427 EDT: TPLUS(0000159F)/0/NB_WAIT/47A1ECA0: Started 10 sec timeout
    .Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/NB_WAIT: socket event 2
    .Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/NB_WAIT: wrote entire 61 bytes request
    .Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/READ: socket event 1
    .Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/READ: Would block while reading
    .Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: socket event 1
    .Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: read entire 12 header bytes (expect 6 bytes data)
    .Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: socket event 1
    .Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: read entire 18 bytes response
    .Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/47A1ECA0: Processing the reply packet
    .Sep 26 16:55:06.435 EDT: TPLUS: received authorization response for 5535: FAIL
    .Sep 26 16:55:06.435 EDT: AAA/AUTHOR/EXEC(0000159F): Authorization FAILED
    .Sep 26 16:55:14.751 EDT: TPLUS: Queuing AAA Accounting request 5531 for processing
    .Sep 26 16:55:14.755 EDT: TPLUS: processing accounting request id 5531
    .Sep 26 16:55:14.755 EDT: TPLUS: Sending AV task_id=7746
    .Sep 26 16:55:14.755 EDT: TPLUS: Sending AV timezone=EDT
    .Sep 26 16:55:14.755 EDT: TPLUS: Sending AV service=shell
    .Sep 26 16:55:14.755 EDT: TPLUS: Sending AV start_time=1380228914
    .Sep 26 16:55:14.755 EDT: TPLUS: Sending AV priv-lvl=15
    .Sep 26 16:55:14.755 EDT: TPLUS: Sending AV cmd=show logging
    .Sep 26 16:55:14.755 EDT: TPLUS: Accounting request created for 5531(ssaab)
    .Sep 26 16:55:14.755 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
    .Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/NB_WAIT/52A4402C: Started 10 sec timeout
    .Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/NB_WAIT: socket event 2
    .Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/NB_WAIT: wrote entire 131 bytes request
    .Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/READ: socket event 1
    .Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/READ: Would block while reading
    .Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: socket event 1
    .Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: read entire 12 header bytes (expect 5 bytes data)
    .Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: socket event 1
    .Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: read entire 17 bytes response

  • Server loses internet connection after creating virtual switch in hyper-v

On a fresh Server 2012R2 Essentials install, I set up Hyper-V and created an external virtual switch. Connection to the VM is good but Health Report now shows loss of internet connectivity and that the router is incorrectly set up.
    However, I still have a working internet connection? I worry that the server may not update or allow Anywhere Access at some time. Any suggestions? Thanks

    If the Hyper-V virtual switch behaves strangely and the server is destined for testing, then it's correct and I recommend deleting this virtual switch and creating it again.
    Here are some issues with internet connection and the Hyper-V switch; none of them matches your problem, but they can be inspiring for troubleshooting:
    Windows 8 Hyper-V - how to give VM internet access?
    Hyper-V kills internet connection when bridging
    Configuring Hyper-V for multiple subnets with only one NIC (Server 2008 R2 Edition)
    How does basic networking work in Hyper-V?
    Best Regards,
    thennet

  • I'm currently running ios 5 beta on my iphone 4 and when i woke up this morning my phone had decided to automatically update the software OTA. After connecting to wifi and switching on location i proceeded to follow the instructions 'slide to setup'. I wa

I'm currently running iOS 5 beta on my iPhone 4 and when I woke up this morning my phone had decided to automatically update the software OTA. After connecting to wifi and switching on location I proceeded to follow the instructions 'slide to setup'. I was informed that it may take 3 minutes to activate the phone but was then presented with the screen 'Could not Activate iPhone'; this is because the activation server is unavailable. Can anybody shed some light on this for me?
    Many thanks

    Can anybody shed some light on this for me?
    Not here. iOS5 beta is only available to registered developers, and discussing it publicly outside of the private developer forums is a violation of the non-disclosure agreement you signed to access the beta.

  • How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

    Good morning everybody,
    I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
What I want to do is to be able to authenticate users (802.1x authentication) against our company RADIUS server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with that itself). The concept involves the configuration of both DATA and VOICE VLANs as there is also phone authentication implemented. In order to simulate this environment I introduce a dumb switch connected to my Cisco 2960 Catalyst.
    What I have successfully managed to get to work so far is this:
1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Below is an output from show authentication sessions for this scenario.
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
    show authentication sessions:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
However, I cannot succeed in authenticating many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain mode.
    What I want to get is an output like this:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
I want the switch to authenticate the users anytime they connect to it and for them to have instant access to the network. (I say this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked, but two users never had access to the “Internet” simultaneously!!!)
    The configuration of the interface connected to the Dumb switch is as follows.
    interface FastEthernet0/x
     description Connection to DUMBswitch
     switchport mode access
     switchport voice vlan XXX
     switchport port-security maximum 10
     switchport port-security
     switchport port-security violation protect
     authentication host-mode multi-auth
     authentication priority dot1x
     authentication port-control auto
     authentication timer reauthenticate 4000
     authentication violation replace
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    The way I see it is explained in the following steps:
    - PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
    - When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
    Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
Has anybody ever succeeded with such a configuration, and if yes, I would love to get some help in doing so?
    Thank you
    Stoimen Hristov

    Hi Stoimen,
    I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
    From what I can see, you have 2 options available to you:
    1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
    2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
    Hopefully someone else will chime in with another option.
    Xavier

  • Configuring the Catalyst 6500 Switch for IPS Inline Operation of the IDSM

    I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLAN's for inline operation.
    However, I don't see any documentation that describes how the desired VLAN traffic gets forced through the IPS.
    In promiscuous mode, you can use VACL's to copy/capture and forward the desired traffic to the IDSM for analysis. I'm not seeing how to get the desired traffic through the IPS.
    Note that the host 6500 is running native IOS 12.2(18)SXE.
    Thanks for any assistance.

A transparent firewall is a fairly good comparison.
    Let's say you have vlan 10 with 100 PCs and 1 Router for the network.
    If you want to apply a transparent firewall on that vlan you can not simply put one interface of the firewall on vlan 10. Nothing would go through the firewall.
    Instead you have to create a new vlan, let's say 1010. Now you place one interface of the firewall on vlan 10 and the other on vlan 1010. Still nothing is going through the firewall. So now you move that Router from vlan 10 to vlan 1010. All you do is change the vlan, the IP Address and netmask of the router stay the same.
    The transparent firewall bridges vlan 10 and vlan 1010. The PCs on vlan 10 are still able to communicate to and through the router, but must go through the transparent firewall to do so.
    The firewall is transparent because it does not IP route between 2 vlans; instead the same IP subnet exists on both vlans and the firewall transparently bridges traffic between the 2 vlans.
    The transparent firewall can do firewalling between the PCs on vlan 10 and the Router on vlan 1010. But if PC A on vlan 10 talks to PC B on vlan 10, then the transparent firewall does not see and can not block that traffic.
    An InLine sensor is very similar to the transparent firewall and will bridge between the 2 vlans. And similarly an InLine sensor is able to InLine monitor traffic between PCs on vlan 10 and the Router on vlan 1010, but will not be able to monitor traffic between 2 PCs on vlan 10.
    Now the router on one vlan and the PCs on the other vlan is a typical deployment for inline sensors, but your vlans do not Have to be divided that way. You could choose to place some servers in one vlan, and desktop PCs in the other vlan. You subdivide the vlans in what ever method makes sense for your deployment.
    Now for monitoring multiple vlans the same principle still applies. You can't monitor traffic between machines on the same vlan. So for each of the vlans you want to monitor you will need to create a new vlan and split the machines between the 2 vlans.
    In your case with Native IOS you are limited to only 1 pair of vlans for InLine monitoring, but your desired deployment would require 20 vlan pairs.
    The 5.1 IPS software has now the capability to handle the 20 pairs, but the Native IOS software does not have the capability to send the 40 vlans (20 pairs) to the IDSM-2.
    The Native IOS changes are in testing right now, but I have not heard a release date for those changes.
    Now Cat OS has already made these changes. So here is a basic breakdown of what you could do in Cat OS and you can use in preparation for a Native IOS deployment when it gets released.
    For vlans 10-20, and 300-310 that you want monitored you will need to break each of those vlans in to 2 vlans.
    Let's say we make it simple and add 500 to each vlan in order to create the new vlan for each pair.
    So you have the following pairs:
    10/510, 11/511, 12/512, etc...
    300/800, 301/801, 302/802, etc....
    You set up the sensor port to trunk all 40 vlans:
    set trunk 5/7 10-20,300-310,510-520,800-810
    (Then clear all other vlans off that trunk to keep things clean)
    In the IDSM-2 configuration create the 20 inline vlan pairs on interface GigabitEthernet0/7
Now on each of the 20 original vlans move the default router for each vlan from the original vlan to the 500+ vlan.
    At this point you should ordinarily be good to go. The IDSM-2 won't be monitoring traffic that stays within each of the original 20 vlans, but Would monitor traffic getting routed in and out of each of the 20 vlans.
    Because of a switch bug you may have to have an additional PC moved to the same vlan as the router if the switch/MSFC is being used as the router and you are deploying with an IDSM-2.
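    The pairing scheme in the reply above (add a fixed offset to each monitored VLAN, then trunk both halves of every pair to the sensor port) is mechanical enough to script, and the one thing worth checking before typing the `set trunk` line is that no partner VLAN id lands on a VLAN that is already monitored, already a partner, or already in use elsewhere. The helper below is an added example, not from the reply; `plan_inline_pairs`, `trunk_command` and the `in_use` list are assumptions for illustration.

```python
"""Plan IDSM-2 inline VLAN pairs from a list of monitored VLANs and an offset."""
from typing import Dict, Iterable, List


def compress_ranges(vlans: Iterable[int]) -> str:
    """Render VLAN ids in the compact 'a-b,c,d-e' form used on trunk commands."""
    ids = sorted(set(vlans))
    parts: List[str] = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def plan_inline_pairs(monitored: Iterable[int], offset: int,
                      in_use: Iterable[int] = ()) -> Dict[int, int]:
    """Map each monitored VLAN to its partner VLAN (monitored + offset).

    Raises ValueError when a partner id falls outside 1-4094 or collides with
    a monitored VLAN, another partner, or a VLAN listed as already in use.
    """
    monitored_ids = sorted(set(monitored))
    taken = set(in_use)
    pairs: Dict[int, int] = {}
    for vlan in monitored_ids:
        partner = vlan + offset
        if not 1 <= partner <= 4094:
            raise ValueError(f"partner {partner} for VLAN {vlan} is outside 1-4094")
        if partner in monitored_ids or partner in pairs.values() or partner in taken:
            raise ValueError(f"partner {partner} for VLAN {vlan} collides with an existing VLAN")
        pairs[vlan] = partner
    return pairs


def trunk_command(port: str, pairs: Dict[int, int]) -> str:
    """CatOS 'set trunk' line carrying both halves of every pair."""
    return f"set trunk {port} {compress_ranges(list(pairs) + list(pairs.values()))}"


if __name__ == "__main__":
    # The reply's own example: VLANs 10-20 and 300-310, partner = VLAN + 500.
    plan = plan_inline_pairs(list(range(10, 21)) + list(range(300, 311)), 500)
    print(trunk_command("5/7", plan))
```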

  • AP, WiSM module and 6500 switch

    Hi guys,
    1.How many WiSM modules can be installed in a 6500 switch?
    2.A module can support 300 APs. How many APs a 6500 switch with WiSM modules can support?
    3.How many APs in a cluster that some 6500 switches with WiSM modules can support?
    Thanks,
    yytellmey

    1. I believe a 6509 can handle 5 WiSMs, though I've found 4 more realistic when considering the need for uplinks and service modules.
    2. Based on 5 WiSMs, you can have 1500 per chassis. Again, I tend to stick with 4, or 1200 APs per chassis.
    3. There is no hard limit that I am aware of. WCS on a VERY high-end server can handle ~2500 APs when running Linux WCS. As with the above, this works well with 1 WCS per 2 chassis if each has 4 WiSMs.

  • How can I connect the polaroid 6500 ultrasonic sensor ranging module to DaNI 2.0 robot (which is using sbRIO 9631)?

    How can I connect the polaroid 6500 ultrasonic sensor ranging module to DaNI 2.0 robot (which is using sbRIO 9631)?

    check this post
    http://forums.ni.com/t5/Real-Time-Measurement-and/sensor-on-sbrio/m-p/2030424#M11812

  • Aironet 1140 series units won't connect to a gigabit switch

    I just installed 2 new units and neither will connect to a new HP gigabit switch - no link light, other devices can connect to the switch OK.  Their gigabit ethernet settings are set to auto for duplex and speed.  I also tried forcing one of them to full duplex and 1000 Mbps which didn't work either.  They're both powered by POE injectors.  If I connect them to a 10/100 switch they work fine.
    Am I missing something?                  

    Leo,
    Thanks for the reply, sorry I'm late getting back to this, I was lucky enough to have a long weekend off.
    I'm no cabling expert, that's why I hired somebody else to do it.  But I have a question: should standard cat 5 cable work?
If so, I disconnected the WAP from the cabling that was installed and hooked it up with cat 5 patch cables that I confirmed to work OK by using them to connect the gigabit switch to a laptop. When I used the same patch cables on the WAP I still got a failure to connect to the same switch. So unless it's not standard cat 5 that I should be using, it doesn't appear that cabling is my problem.

  • Intervlan Routing with 6500 switch

    I am designing an upgrade to our current network that will contain a 6500 switch and I wanted to set up VLANs with the switch. I know that this switch has the ability to perform routing on its own, so I do not need an external router to route between the VLANs, but if that is the case what default gateway do I give each VLAN? Do I give the VLAN IP address as the default gateway for the end devices, or do I use an IP address in the switch somehow as the default gateway?
    Thanks.
    Pete

    Hi,
    Think of the MSFC as a router with many different interfaces. Your router itself would only have one default gateway for all those interfaces. For the clients, they will sit in each VLAN that you create. The clients' default gateway will be the VLAN IP address (or HSRP address) on the 6500 where they sit. So, if you create vlan100 and put an IP address of 10.10.10.1 on the vlan100 interface, the 10.10.10.1 address would be the gateway for the clients in vlan 100. If you create a vlan200 and put an IP address of 10.11.11.1 on that interface, all the clients that are in vlan200 would have the gateway address of 10.11.11.1.
    Hope that helps.
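As an added example (not from the original thread), the IOS configuration behind the answer above: the SVI on the 6500's MSFC is the clients' gateway, shown here in the HSRP form the answer mentions so that it matches the pair of 6500s described at the top of the page. Switch names, VLAN number, addresses, priorities and the key string are assumed for illustration.

```ios
! Added example, not from the original thread. Switch names, addresses,
! priorities and the key string are assumed for illustration.
!
! --- Switch A (preferred active gateway for VLAN 100) ---
ip routing
!
vlan 100
 name clients-100
!
interface Vlan100
 description Clients in VLAN 100; 10.10.10.1 is their default gateway
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 standby 100 ip 10.10.10.1
 standby 100 priority 110
 standby 100 preempt
 standby 100 authentication md5 key-string ExampleKey123
 no shutdown
!
! --- Switch B (standby gateway for VLAN 100) ---
ip routing
!
vlan 100
 name clients-100
!
interface Vlan100
 description Clients in VLAN 100; 10.10.10.1 is their default gateway
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 100 ip 10.10.10.1
 standby 100 priority 100
 standby 100 preempt
 standby 100 authentication md5 key-string ExampleKey123
 no shutdown
!
! With a single 6500, drop the standby lines and give the SVI the gateway
! address itself (ip address 10.10.10.1 255.255.255.0).
```

Clients in VLAN 100 receive 10.10.10.1 as their gateway (via DHCP or static assignment); `show standby brief` shows which switch is active and `show ip interface brief` confirms the SVI is up. The `authentication md5` line is the part a security engineer will want: without it, any host on VLAN 100 can send HSRP hellos with a higher priority, take over the virtual address and sit in the path of every client in that VLAN, so pair it with a key that is not shared with end users and consider restricting who can reach the HSRP multicast group at the access layer.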

  • Connecting two linksys gigabit switches

    Hi,
    I just bought a slm2024 (24 port managed Gigabit switch) to replace an older 100Mbit switch. The old switch had PCs and other switches connected to it. The other switches are EG005W ver. 3. (linksys workgroup 5 port gigabit switches)
    With the new slm2024 switch, the PCs have no problems connecting. The problem is the EG005W switches. The port on the slm2024 which connects both switches is dark (the LED is dark - no lights at all). Any thoughts on what is the problem? Do I need to configure something special on the slm2024?
    I do have an older 100Mbit switch and if I connect it to the new slm2024 switch, the lights are on and traffic is flowing. It is just the EG005W that does not seem to like being plugged in the gigabit switch. It used to work when plugged in the older 100Mbit switch.
    Oh and if I try to plug in two EG005W together, I get the same problem. PCs connected to the 2nd switch cannot communicate out either.
    I understand that in the past cross-over cables were needed to connect switches but I thought that new switches no longer require this (even my old 100Mbit switch did not require this for the EG005W to work through it).
    Any thoughts on how to fix or debug this?
    Thanks for any suggestions.

    There shouldn't be any configuration needed on the ports of the SLM2024 because they are already "smart ports".
    This could be a possible problem between these 2 devices. I have heard of a similar problem before between a switch and a hub, but I have forgotten their model numbers. You would think that since they came from the same manufacturer you would have an easier set-up, but sometimes that's just not the case.
