3750 - QinQ Multiple VLANS - Vlan mapping

Hi All,
I have a client that uses vlans that already exist on our network (vlan 1,2,3,99,100,200,250...); neither of us is in a position to change the numbering at this stage.
3750 stacks are on the client side and on my side.
What is the best way to configure QinQ or vlan mapping to connect their network to ours without a major outage?
Hypothetically, is there a way to have an EtherChannel and trunk all the client vlans to our VMware infrastructure:
* map vlan 99 on the client side to vlan 299 on my side
* map vlan 100 on the client side to vlan 298 on my side
* map vlan 200 on the client side to vlan 297 on my side
Thank you in advance
I have googled etc. and found a lot of info on QinQ for access ports / single vlans but not for multiple vlans / trunks.

Janene
The vlan numbering may be the same, but what about the IP subnets used per vlan?
If the IP subnets are different, why not just route between the two switch stacks? Then the vlans are not visible to each other.
If you need the throughput you could always use L3 etherchannel for additional links.
You could use static routes between each stack or run a dynamic routing protocol to exchange the routes (dependent on the feature sets on your stacks).
Further advantages would be that with L3 each site contains its own broadcasts and there would be no outage for this.
Obviously if the IP subnets are the same then please ignore the above.
Jon

Similar Messages

  • Flexconnect - local-switching - Interface Groups - multiple subnets/vlans

    So I'm trying to set up an "interface-group-like" configuration on some Flexconnect APs with local switching enabled in order to support multiple subnets/VLANs linked to a single SSID.
    Does anyone know if this is possible or have any suggestions?
    I've tried:
    AP Groups - One SSID which would require central switching for it to be of use (I think).
    AP Groups - Creating an additional SSID and then placing the APs in a group per site. This works but is going to be difficult to manage if I have 400+ sites running this sort of setup.
    For reference, my end goal is to have multiple (400+) branch sites with the same WLAN mapped to 3 or 4 different VLANs in order to split the subnets up into smaller chunks (/23s or /24s). These VLANs are all switched locally and are uniform in numbering across all the sites from a layer 2 perspective.
    Thanks,
    Ric

    Interface groups is not an available feature on FlexConnect. FlexConnect doesn't support layer 3 roaming if devices roam from one FlexConnect ap to another and the wlan to vlan mappings are different. This is a limitation to FlexConnect along with a few others listed in the FlexConnect deployment guide.
    -Scott

  • Management VLAN - SSID mapping

    I'm implementing a large WLAN for a hospital. They will be using Cisco VPN and RSA OTP to provide authentication and data confidentiality/integrity. They also desire a Wireless LAN Solution Engine.
    I wish to create a "user" VLAN-SSID mapping, and a "wireless network management" VLAN-SSID mapping, so I can require users to use VPN to get off their local segment, but also use WLSE & HPOV to manage the WAPs via a management interface.
    To trunk the mgmt vlan, I think I need to map it to an SSID on the WAP. However, I do not want the mgmt vlan/SSID to accept client associations. I basically only want the mgmt vlan to exist on the wire and at the AP, not on the RF.
    How would I accomplish this?

    It is a little bit of a kludge to do this, but:
    On the vlan SSID page set the max allowed associations to 1 (0 will mean the max number of associations will be 2047). This will allow only one client to associate. Now you can block this one by creating a MAC address filter on that VLAN that has no MAC address in it and whose default action for both multicast and unicast is discard.
    You could do just the filter, but if the filter is ever turned off then you have the added bonus of only one client getting through.
    David

  • Multiple ports vlan trunking

    Hello, I recently purchased a 3560 switch and I am relatively new with VLANs.
    What I need to do is quite simple:
    I need multiple fastethernet ports into multiple VLANs on a single switch. For that, I need to trunk these ports but nothing seems to work properly.
    I created multiple VLANs (vlan 100, 200 and 300), but by default each VLAN can see each other (my allowed vlan list is set to ALL on each port).
    When I setup the restrictions of that allowed vlan list, the problem is each port see each other. Example: Port 0/22 is set allowed vlan 100,200 .. but that port still can see vlan 300. I configured Native VLAN on VLAN50 (empty VLAN) for each port on the switch.
    I tried on a 3560 and a 2950, but exactly the same problem occurs.
    The problem is really basic but I've been on it for 1 week. Is there anyone who could help me please?

    Check below link for detail configuration & information.
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84be.html
    If you want to remove the vlan from the trunk, you can simply use below command :
    switchport trunk allowed vlan remove 300
    Hope this helps.

  • Dynamic vlans with multiple fallback-vlans?

    I've got a problem with dynamic vlans. Trying to figure out configuration for the topology similar to the one in the picture.
    I’ve got four vlans for PCs, one vlan per department. I have to add a fifth vlan (50) for devices that can be connected to any of the three switches: A, B, C. These devices need to be on their own vlan, no matter which switch they are connected to. On the other hand, PCs connected to any port on those switches should be assigned to the appropriate vlan (10, 20, 30 or 40).
    I was thinking about using dynamic vlans with list of mac addresses of devices that need to be on vlan 50 but not sure what to do with PCs. I don’t think I can use fallback vlan as I can set up only one fallback vlan for whole network and not per switch or port.
    I cannot use list of mac addresses of all pcs as there’s simply too many of them (my network is way bigger than in the picture, I simplified it only to present the idea). I imagine I would need multiple fallback vlans for different switches.
    Has anyone got any idea that could help me please? Maybe there’s some other and easier way?

    In new software (for Cisco switches) we provide multiple fallbacks for MAC authentication (MAB):
    1. 802.1x
    2. web authentication
    3. guest vlan (if no supplicant on the PC)
    4. auth fail vlan (if radius denies you access)
    So you could keep a list of MAC addresses for vlan 50 and do MAB for these devices; if MAB fails you can use 802.1x for your PCs.
    This will require configuring 802.1x supplicants on all PCs (Windows comes preloaded with one) and maintaining a radius of users who are able to log into the network. A lot of people use their pre-existing Active Directory database as a backend to store their usernames and passwords for user authentication with dot1x.
    With using both dot1x and MAB you can now distinguish easily between two different processes and use your radius server to assign vlans based upon almost anything you can think of.
    -Elly

  • Catalyst 3850, VLAN access map example (VACL, layer 2)

    Hello there:
    Trying to get a simple VLAN access map example working (VACL, layer 2).  Want to allow hosts 10.0.0.2 to SSH to 10.0.0.3 (both in vlan 10), but deny all other connectivity from 10.0.0.2 to 10.0.0.3.
    access-list test permit tcp host 10.0.0.2 host 10.0.0.3 eq 22
    vlan access-map test
       match ip address test
       action forward
    vlan filter test vlan-list 10
    However, 10.0.0.2 cannot see 10.0.0.3 whatsoever, w/ this VACL enabled (connectivity works w/ VACL disabled).
    From what I've read, there is an implicit deny all at the end, if I understand correctly.
    I've played with other variations as well, but without any luck.
    What am I missing here?
    Also, is there a way to debug this using logs or debug statements? Nothing shows up in the logs.
    Thank you.

    Hi,
    You have a problem in that your ACL currently allows the SSH traffic from 10.0.0.2 to 10.0.0.3 but the responses are not allowed to flow back from 10.0.0.3 to 10.0.0.2. That is the most probable reason your VACL does not work as expected.
    This modification should correct the behavior:
    ip access-list extended TestACL
    permit tcp host 10.0.0.2 host 10.0.0.3 eq 22
    permit tcp host 10.0.0.3 eq 22 host 10.0.0.2
    deny ip host 10.0.0.2 host 10.0.0.3
    deny ip host 10.0.0.3 host 10.0.0.2
    permit ip any any
    vlan access-map TestVACL
    match ip address TestACL
    action forward
    vlan filter TestVACL vlan-list 10
    Here, I've made sure that SSH traffic between 10.0.0.2 as a client and 10.0.0.3 as a server is allowed, any other traffic between these two is denied, and every other communication is allowed. Would you mind testing out this modification?
    "is there a way to debug this using logs or debug statements? Nothing shows up in the logs."
    None that I know of. This filtering is done in hardware, independently from CPU, so the CPU has no insight into what's going on in the TCAM during packet filtering.
    Best regards,
    Peter
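The stateless, first-match evaluation behind the answer above can be modelled in a few lines. This is an added example, not code from the thread or from Cisco: it only models IP packets against a single access-map sequence with `action forward`, the hosts 10.0.0.4 and 10.0.0.5 and the port numbers other than 22 are constructed sample traffic, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None     # None for protocols without ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every IP protocol
    src: str                        # host address or "any"
    dst: str
    sport: Optional[int] = None     # None means "any port"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def vacl_forwards(acl, pkt):
    """Forward only if the first matching entry is a permit.

    A packet that matches no entry hits the implicit deny and is dropped.
    No connection state is kept: each direction is judged on its own.
    """
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


# The single-entry ACL from the question.
ORIGINAL = [Ace("permit", "tcp", "10.0.0.2", "10.0.0.3", dport=22)]

# The five-entry ACL from the answer.
FIXED = [
    Ace("permit", "tcp", "10.0.0.2", "10.0.0.3", dport=22),
    Ace("permit", "tcp", "10.0.0.3", "10.0.0.2", sport=22),
    Ace("deny", "ip", "10.0.0.2", "10.0.0.3"),
    Ace("deny", "ip", "10.0.0.3", "10.0.0.2"),
    Ace("permit", "ip", "any", "any"),
]

# Constructed sample traffic inside VLAN 10.
TRAFFIC = {
    "ssh_syn": Packet("tcp", "10.0.0.2", "10.0.0.3", 50000, 22),
    "ssh_reply": Packet("tcp", "10.0.0.3", "10.0.0.2", 22, 50000),
    "ping": Packet("icmp", "10.0.0.2", "10.0.0.3"),
    "other_hosts": Packet("tcp", "10.0.0.4", "10.0.0.5", 40000, 80),
    # Stateless caveat: anything sourced from port 22 passes, reply or not.
    "src22_to_any_port": Packet("tcp", "10.0.0.3", "10.0.0.2", 22, 445),
}


def evaluate(acl):
    """Return {traffic name: forwarded?} for the sample traffic."""
    return {name: vacl_forwards(acl, pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, evaluate(acl))
```

With the single-entry ACL the SSH reply and all traffic between other hosts in the VLAN fall to the implicit deny; with the five-entry ACL the reply passes, but so does any TCP segment from 10.0.0.3 with source port 22, because the filter keeps no state.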

  • Multiple RSPAN Vlan on cat 6500

    Hi,
    Can we create multiple RSPAN Vlans on one switch and span across the same VTP domain ?
    I am using Cat 6500 switch.
    Is it possible to have multiple RSPAN sessions simultaneously?
    Require valuable inputs for the same.

    Hi
    24 max RSPAN sessions

  • Vlan XLT Mapping

    Hello,
    While checking the VPC consistency for layer 1 on a port-channel interface, the output shows that "Vlan xlt mapping" is enabled in the peer and not locally.
    However my vPC is up and this mismatch is not being treated as an inconsistency.
    Since we are going to migrate a service to this new C7010 pair, I just want to confirm what this feature really means and whether it is going to have an effect when traffic goes live.
    BIOS:      version 2.12.0
    kickstart: version 6.2(6)
    system:    version 6.2(6)
    Mod  Ports  Module-Type                      Model            Status
    1    24     10 Gbps Ethernet Module          N7K-M224XP-23L   ok
    5    0      Supervisor Module-2              N7K-SUP2E        active *
    10   48     1/10 Gbps Ethernet Module        N7K-F248XP-25E   ok
    sh vpc consistency-parameters vpc 527
        Legend:
            Type 1 : vPC will be suspended in case of mismatch
    Name                        Type  Local Value            Peer Value
    STP Port Type               1     Default                Default
    STP Port Guard              1     Default                Default
    STP MST Simulate PVST       1     Default                Default
    lag-id                      1     [(1, 0-23-4-ee-be-66,  [(1, 0-23-4-ee-be-66,
                                      820f, 0, 0), (fa0,     820f, 0, 0), (fa0,
                                      0-23-4-ee-be-1, 820f,  0-23-4-ee-be-1, 820f,
                                      0, 0)]                 0, 0)]
    mode                        1     active                 active
    Speed                       1     10 Gb/s                10 Gb/s
    Duplex                      1     full                   full
    Port Mode                   1     trunk                  trunk
    Native Vlan                 1     1                      1
    MTU                         1     1500                   1500
    LACP Mode                   1     on                     on
    Interface type              1     port-channel           port-channel
    Admin port mode             1     trunk                  trunk
    Vlan xlt mapping            1     Enabled                -
    vPC+ Switch-id              1     1001                   1001
    vPC card type               1     Clipper                Clipper
    Allowed VLANs               -
    Local error VLANs           -     -                      -

    Can anyone please guide on what vlan-xlt-mapping means on a vpc peer adjacency?
     

  • Is Multiple Compliant VLAN Possible with NAP 802.1x Enforcement?

    Multiple Compliant VLANs for 802.1x NAP Enforcement
    Hello Dear,
    I am implementing NAP with 802.1x enforcement type, but it is an existing network where the organisation already has the network segmented into about 7 VLANs based on the departments in the organisation and the VLANs equally have IP interfaces on them (meaning they are subnets).
    By design NAP with 802.1x enforcement supports 2 VLANs: Compliant and Non-Compliant VLANs apart from the GuestVlan which the switch uses for 802.1x pre-authentication.
    In my test lab, authenticated clients are pushed to Compliant VLAN if they meet SHV set. Also,if they don’t meet the SHV they are moved to Non-Compliant VLAN.
    How do I apply this type of enforcement for multiple VLANs belonging to the organisation’s different Departments? Assuming I decide to create a single Non-Compliant VLAN this may cater for non-compliant clients but what VLAN among the 7 existing VLAN will compliant clients be pushed into?
    How will the switch know the VLAN a member of a particular department should be moved to since there are more than one Compliant VLAN assuming I configured “NPS Network Policy” for more than one compliant VLAN?
    Please your help is very important.
    Thanks.
    Alex.

    Thanks Greg.
    That works. But I have two other big challenges:
    1st Challenge:
    I have close to 50 VoIP devices as well as printers that must be exempted from NAP and the position of the 802.1x enabled switch is such that it is the Distribution switch to which Access Switches tied to each VLANs are connected (each access switch connect to an authenticating port on the Distribution Switch) and IP Phones, data points and printers are then connecting to the Access Switches.
    There is the limitation of how many MAC addresses can be exempted even when pattern matching is used in NPS (256 characters maximum) and this cannot cater for over 50 non-NAP-capable devices in this network. Should I create several exemption policies using the pattern matching to accommodate the 50+ non-NAP-capable devices? Please advise.
    2nd Challenge:
    In this existing Network, there are branch offices that communicate with this HQ over a dedicated WAN connection (NOT VPN over internet). Please how do I ensure routing communication between HQ and branches is not hampered at the introduction of 802.1x NAP enforcement at this HQ network? Your prompt response will be highly appreciated...
    Thanks a great deal.
    Alex.

  • Import Server - Multiple Qualified Table - Map Crash

    Hello,
    Requirement: I need to update multiple qualified table using single source file.
    Preparation: I have created a map where mapping to multiple qualified table fields is done manually.
                       Have created an Inbound Port using the above map.
    Problem: Import server throws an exception; while opening the Import Manager using the Port Option and corresponding Exception; Lot of fields were un-mapped. Looks like Import map crashed.
    Please feel free to throw some light reg the same!
    Thanks
    Alexander

    Hi Alexander,
    If you are performing multiple qualifier table mapping and importing then you will have to create a different map for each table importing. In that case you will require multiple inbound ports and in each port's details you will give the map name pertaining to which qualified lookup table you wish to import.
    Actually using automatic importing for lookups is not desirable as the lookups always need to be prepopulated before your main table importing.
    The exception that you are receiving could be due to the reason that the map you are saving is using only one table mapping and so most of the fields are left unmapped.
    Try not to use automatic importing for Lookup qualifier tables and use manual importing and see if the exception still comes.
    Hope it helps
    Kindly reward points if found useful
    Thanks
    Simona

  • Create 2 VLAN (VLAN 1 & VLAN 2)

    Hello all,
    I need help and advice with my new Cisco SF300-48. I want to create 2 vlans (vlan 1 & vlan 2). The switch is set at layer 2.
    example :
    vlan 1 (port 1, 2, 3) , vlan 2 (port 4, 5, 6)
    vlan 1 can communicate each other (port 1, 2, 3) and vlan 2 can communicate each other (port 4, 5, 6)
    But vlan 1 cannot communicate with vlan 2.
    Any help would be appreciated
    Thanks,
    Johan

    Hi Johan,  in a layer 2 environment VLANs are designed to not be able to communicate to each other. For intervlan communication, it requires a layer 3 device.
    If you have the switch with 2 computers connecting on the different VLAN with no other devices connected, vlan 1 talks to vlan 1, vlan 2 talks to vlan 2. A router would have to be able to route between the VLANs. However, the router would have to support 802.1q and either trunk or sub interfaces to make it possible for the VLANs to communicate.
    -Tom
    Please mark answered for helpful posts

  • QinQ vs. Vlan mapping

    Hi guys, this is new for me, so I would like to ask what the difference is between QinQ and vlan mapping. I hope you guys could explain it to me. Thanks

    To my knowledge vlan-mapping is another word for vlan translation, meaning you translate (modify) the vlan ID in the frame when entering / exiting a specific interface.
    QinQ is sometimes also called vlan stacking, meaning a frame is altered with an outer vlan tag (ID) while keeping the inner tag of the original frame. This technique is mostly used by service providers to designate a vlan ID per customer in a VPLS network.
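The difference described in the answer above is visible at the byte level. This is an added example, not code from the thread: it builds a constructed 802.1Q frame, then applies VLAN mapping (rewrite the VID in place) and QinQ (push an outer tag), using the 99→299, 100→298, 200→297 mapping from the question at the top of this page. The MAC addresses, the outer VLAN 500, the 0x88A8 outer TPID and all function names are assumptions made for the example.

```python
import struct

TPID_CTAG = 0x8100   # 802.1Q tag
TPID_STAG = 0x88A8   # 802.1ad outer tag (assumption: some switches send 0x8100 here)
VLAN_MAP = {99: 299, 100: 298, 200: 297}   # client VID -> local VID, from the question
OUTER_VID = 500      # hypothetical per-customer outer VLAN


def build_frame(vid, pcp=0, payload=b"\x08\x00" + bytes(46)):
    """Constructed sample frame: dst MAC, src MAC, one 802.1Q tag, payload."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    return dst + src + struct.pack("!HH", TPID_CTAG, (pcp << 13) | vid) + payload


def tag_stack(frame):
    """Return [(tpid, pcp, vid), ...] for the tags that follow the MAC addresses."""
    stack, off = [], 12
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in (TPID_CTAG, TPID_STAG):
            break
        stack.append((tpid, tci >> 13, tci & 0x0FFF))
        off += 4
    return stack


def translate(frame, vlan_map=VLAN_MAP):
    """VLAN mapping: rewrite the VID of the existing tag; frame length is unchanged.

    Returns None for an untagged frame or an unmapped VID. Refusing unmapped
    VIDs is this example's choice, so overlapping IDs such as 1, 2 and 3 are
    never carried across with their original number.
    """
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    vid = tci & 0x0FFF
    if tpid != TPID_CTAG or vid not in vlan_map:
        return None
    new_tci = (tci & 0xF000) | vlan_map[vid]      # keep priority bits
    return frame[:12] + struct.pack("!HH", tpid, new_tci) + frame[16:]


def push_outer(frame, outer_vid=OUTER_VID, tpid=TPID_STAG):
    """QinQ: insert an outer tag after the MACs; the inner tag is untouched
    and the frame grows by 4 bytes."""
    return frame[:12] + struct.pack("!HH", tpid, outer_vid) + frame[12:]


def pop_outer(frame):
    """Remove the outermost tag at the far edge of the tunnel."""
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    original = build_frame(99, pcp=5)
    print("original  ", tag_stack(original), len(original))
    mapped = translate(original)
    print("mapped    ", tag_stack(mapped), len(mapped))
    stacked = push_outer(original)
    print("QinQ      ", tag_stack(stacked), len(stacked))
    print("unmapped 1", translate(build_frame(1)))
```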

  • Problem in 3750 with multiple IP segment in same VLAN

    Hi,
    I've problems in 3750 and would like to ask for help.
    I've 3750 switch with standard image. Because of lacking IP addresses, I'm going to redesign the IP scheme. Before complete migrate to new IP range, I've to let new IP segment co-exist with old IP segment for a while (I've 3 VLANs that have same situation). For example, 10.10.13.0/24 (old) will co-exist with 10.10.32.0/21 (new) in same VLAN (let say VLAN 32).
    Below is the partial configuration in 3750:
    interface VLAN 32
    ip address 10.10.13.2 255.255.255.0 secondary
    ip address 10.10.32.2 255.255.248.0
    standby 14 ip 10.10.13.3
    standby 40 ip 10.10.32.3
    I've two PCs. PC-A is 10.10.13.250 and PC-B is 10.10.33.250, both are using HSRP IP as default gateway (the subnet mask are correct).
    My problem is:
    The two PCs cannot ping each other. I cannot ping both PCs from the 3750. But if I'm using the physical IP as their gateway (such as 10.2.13.2 for PC-A and 10.2.32.2 for PC-B), then both PCs can ping each other.
    How can I solve the problems if I've to use HSRP IP as default gateway?

    I don't get it. What is the significance of standby 1 and 2 vs. standby 14 and 40? The only difference I noticed is the lower standby group number goes with primary and the higher goes with secondary.
    If possible, can you also try the same config you used before except swapping the group number?
    e.g.
    interface VLAN 32
    ip address 10.10.13.2 255.255.255.0 secondary
    ip address 10.10.32.2 255.255.248.0
    standby 40 ip 10.10.13.3
    standby 14 ip 10.10.32.3

  • Multiple SSIDs/VLAN - NPS Authentication

    I have recently set up a similar network using Ruckus equipment; however, need to do it now with Cisco...
    I have multiple SSIDs associated to different VLANs broadcasting.  I would like to configure a single Radius server pointed to my NPS server and allow for authentication by group to each SSID.
    With Ruckus I had to put in a vendor specific custom attribute and then use Roles to allow access by AD Security Group.
    Does anyone know how to set up something similar with Cisco?  I just need a single group to be able to authenticate to each SSID.
    Josh Price

    This is pretty straightforward.
    Just create a NPS policy for each SSID.
    A simple policy could check 3 conditions.
    Windows Groups = DOMAIN\GroupABC
    Called Station ID = .*:SSIDNAME$
    NAS Port ID = Wireless IEEE or Wireless Other
    Just change SSIDNAME to whatever the specific SSID is, and obviously the group that you want mapped.  The SSID condition uses regex. 
    Cheers
    Peter
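The per-SSID policy selection from the answer above, with the anchoring details of the `.*:SSIDNAME$` condition made visible. This is an added example, not NPS itself and not code from the thread: Python's `re` stands in for NPS pattern matching, and the policy names, group names, SSIDs and the `AP-MAC:SSID` Called-Station-ID values are constructed.

```python
import re


def naive_condition(ssid):
    """The condition exactly as written in the answer: .*:SSIDNAME$"""
    return ".*:" + ssid + "$"


def ssid_condition(ssid):
    """Same condition with the SSID escaped, so characters such as '.'
    in the SSID are matched literally instead of as regex operators."""
    return ".*:" + re.escape(ssid) + "$"


def matches(pattern, called_station_id):
    """True if the Called-Station-ID satisfies the pattern."""
    return re.search(pattern, called_station_id) is not None


# Hypothetical policies: (policy name, required Windows group, SSID condition).
POLICIES = [
    ("Wifi-Staff", r"DOMAIN\GroupStaff", ssid_condition("Staff")),
    ("Wifi-Lab", r"DOMAIN\GroupLab", ssid_condition("Lab.Net")),
]


def select_policy(user_groups, called_station_id, policies=POLICIES):
    """Return the first policy whose group AND SSID conditions both match.

    None means no policy matched, i.e. the request is rejected.
    """
    for name, group, pattern in policies:
        if group in user_groups and matches(pattern, called_station_id):
            return name
    return None


AP_MAC = "00-1A-2B-3C-4D-5E"   # constructed AP MAC address

if __name__ == "__main__":
    staff = {r"DOMAIN\GroupStaff"}
    lab = {r"DOMAIN\GroupLab"}
    for groups, ssid in ((staff, "Staff"), (staff, "Staff-Guest"),
                         (staff, "NotStaff"), (staff, "Lab.Net"),
                         (lab, "Lab.Net"), (lab, "LabXNet")):
        csid = AP_MAC + ":" + ssid
        print(sorted(groups), csid, "->", select_policy(groups, csid))
    # Without the trailing '$' a longer SSID with the same prefix also matches.
    print(matches(".*:Staff", AP_MAC + ":Staff-Guest"))
    # Without escaping, '.' in the SSID matches any character.
    print(matches(naive_condition("Lab.Net"), AP_MAC + ":LabXNet"))
```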

  • AP 1131 Multiple SSID VLANS

    Hi, I have a problem with the AP 1131. My company needs to create 2 vlans, one for admin and the other for visitor, and each one should be in a vlan. I have configured the router and switch for this, and if the connection is through wired cables it works great (it gives each an IP from a different range). Now I want the wireless clients to work with this configuration and to have multiple SSIDs. I can see the 2 SSIDs (Admin and Visitor), but whenever I try to connect to one of them it does not associate to either one.
    It is an autonomous AP; I have no controllers, and this will apply to 4 APs.
    the configuration is:
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    ip subnet-zero
    no aaa new-model
    dot11 vlan-name Admin vlan 20
    dot11 vlan-name visitor vlan 30
    dot11 ssid Admin
       vlan 20
       max-associations 50
       mbssid guest-mode
    dot11 ssid Visitor
       vlan 30
       max-associations 50
       mbssid guest-mode
    dot11 network-map
    power inline negotiation prestandard source
    username Cisco password 7 14341B180F0B
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid Admin
    ssid Visitor
    mbssid
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio0.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    bridge-group 30 subscriber-loop-control
    bridge-group 30 block-unknown-source
    no bridge-group 30 source-learning
    no bridge-group 30 unicast-flooding
    bridge-group 30 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    ssid Admin
    ssid Visitor
    mbssid
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio1.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    bridge-group 30 subscriber-loop-control
    bridge-group 30 block-unknown-source
    no bridge-group 30 source-learning
    no bridge-group 30 unicast-flooding
    bridge-group 30 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    hold-queue 160 in
    interface FastEthernet0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface FastEthernet0.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    no bridge-group 30 source-learning
    bridge-group 30 spanning-disabled
    interface BVI1
    ip address 10.1.1.1 255.255.255.0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    control-plane
    bridge 1 route ip
    line con 0
    line vty 0 4
    login local
    end
    thanks for your help

    Hi alkabeer,
    Configure the following:
    (config)#dot11 ssid Admin
    (config-ssid)#authentication open
    (config)#dot11 ssid Visitor
    (config-ssid)#authentication open
