8831 Vlan/IP issue

I installed a few 8831s last week for my customer. These phones had no issue on the initial day we set them up.
However the next week we moved them to a different location and they were pulling the DHCP IP address of my Access VLAN, however it showed the VLAN tag on the phone of my Voice VLAN.
I defaulted and reconfigured the port, tried different switches with different VLANs, and had the same result every time.
I was just wondering if anyone else had run into this issue.

Hello!
Have you tried to reset Network settings? All settings?
Apps > Admin Settings > Reset Settings > All
Can you post the show run from the switches and the box where the DHCP server is started?
Regards,
Kirill

Similar Messages

  • Vlan tag issue with Nexus 4001 in IBM Blade Centre

    Hi
    I have a DC architecture with a pair of Nexus 7010's running 3 VDC's (Core/Aggregation/Enterprise). I have at the edge Nexus 5548's which connect to back to the Aggregation VDC. Also connecting back to the Aggregation VDC is an IBM Blade Chassis which has a Nexus 4001i in slots 7 and slot 9. These blade servers are running ESXi 4.0 and are mapped to the Nexus 4001 blade switch.
    I had set up the Native VLAN as VLAN 999 which connects up to the ESXi host and I am trunking up multiple VLANS for the Virtual Machines.
    The problem I have is that VM's in all VLANS except the ESXi host VLAN (VLAN 10) cannot see their default gateway, and I suspect that there is an issue with the VLAN tag going up to the ESXi host. I have read enough documentation to suggest that this is where the issue is.
    My Nexus 4001 interface configuration is below
    interface Ethernet1/1
      switchport mode trunk
      switchport trunk native vlan 999
      switchport trunk allowed vlan 10,30,40-41,60-62,90,96,999
      spanning-tree port type edge trunk
      speed auto
    The Aggregation VDC on the Nexus 7010 is the default gateway for all these VLANS.
    I also noted that the Nexus 5000 and Nexus 7000 support the vlan dot1q tag native command, yet the Nexus 4000 doesn't seem to support it. Any assistance would be useful.
    Thanks
    Greg

    Your configuration on the N4K looks correct. You shouldn't use vlan dot1q tag native commands on your N7Ks and N5Ks. Native VLAN tagging is really for QinQ (dot1q tunneling).
    My only suggestion is check your configuration of the vSwitch in the ESXi host and the host network profile.
    Regards,
    jerry

  • VLAN Map issue

    I have an issue with a VLAN map I am attempting to use to filter traffic. It is a flat Layer 2 LAN so all hosts are in VLAN 1. I have a number of test machines that I want to deny access to live database servers. To do this I tried the following:
    ip access-list extended testboxes
    permit ip host x.x.x.x host x.x.x.x
    vlan access-map denytest 10
    match ip address testboxes
    action drop
    vlan filter denytest vlan-list 1
    Once I apply the VLAN map I lose all connectivity to the switch. Is there something I am missing here?
    Thanks
    Ian

    Unlike regular IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN. If a VACL is configured for a certain traffic and that traffic does not match the VACL, the default action is deny. Additionally, VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type. Add an additional permit statement allowing telnet/ssh/or web traffic to the switch:
    permit tcp host X.X.X.X host X.X.X.X eq telnet
    Best Regards
    Francisco
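The VACL behaviour described in this thread, as an added example that is not part of the original posts: a simplified Python model of IPv4 VLAN access-map evaluation, run against the posted `denytest` map and against a variant with a trailing forward-all sequence. The addresses are constructed placeholders for the masked x.x.x.x values, and sequence 20 is an assumption, not something either poster configured.

```python
"""Simplified model of Catalyst VLAN access-map (VACL) evaluation for IPv4.

Added illustration only. It models three rules:
  * inside an ACL the first matching ACE decides, with an implicit deny;
  * a map sequence applies its action only if its ACL *permits* the packet;
  * an IP packet that matches no sequence is dropped (implicit deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # CIDR string or "any"
    dst: str     # CIDR string or "any"


@dataclass
class MapEntry:
    seq: int
    acl: Optional[List[Ace]]  # None = no match clause, matches every packet
    action: str               # "drop" or "forward"


def _covers(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """True if the first matching ACE is a permit; no match means deny."""
    for ace in acl:
        if _covers(ace.src, src) and _covers(ace.dst, dst):
            return ace.action == "permit"
    return False


def vacl_verdict(entries: List[MapEntry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, sequence); sequence is None for the implicit drop."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.acl is None or acl_permits(entry.acl, src, dst):
            return entry.action, entry.seq
    return "drop", None


# Constructed addresses standing in for the masked hosts in the thread.
TEST_BOX = "192.0.2.50"
DB_SERVER = "192.0.2.10"
ADMIN_PC = "192.0.2.20"
SWITCH_MGMT = "192.0.2.2"

# ip access-list extended testboxes / permit ip host <test box> host <db>
TESTBOXES = [Ace("permit", TEST_BOX + "/32", DB_SERVER + "/32")]

# vlan access-map denytest 10: match ip address testboxes, action drop
ORIGINAL_MAP = [MapEntry(10, TESTBOXES, "drop")]

# Assumed variant: same sequence 10 plus "vlan access-map denytest 20"
# with no match clause and "action forward" as the catch-all.
FIXED_MAP = ORIGINAL_MAP + [MapEntry(20, None, "forward")]


if __name__ == "__main__":
    flows = [("test box -> db", TEST_BOX, DB_SERVER),
             ("admin -> switch", ADMIN_PC, SWITCH_MGMT)]
    for name, vmap in (("original", ORIGINAL_MAP), ("fixed", FIXED_MAP)):
        for label, src, dst in flows:
            print(name, label, vacl_verdict(vmap, src, dst))
```

With the original map, management traffic to the switch falls through to the implicit drop, which is the loss of connectivity reported in the question; the catch-all sequence forwards it while the test-box flow is still dropped at sequence 10.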

  • Ip phone and pc VLAN security issue - ISE 1.0

    Hello there.
    We are about to implement IP phones to our current network and during testing I have found 2 issues.
    1- ip phone connects to a protected port using ISE mab authentication for the data network.
    The voice VLAN is set up static on the port. The pc VLAN is given by ISE profiling.
    Then the issue is that once the pc connects to the VLAN it belongs to from the ip phone it leaves open that vlan on that port which means that if I connect another pc it will get the original VLAN the port had open up the connection with. This is a big security issue as computers that should not be allowed on specific VLAN can access them this way.
    2- once the connection is up and running on the port for both the phone and the pc, there is re-authentication Happening every minute to ISE. The Authentication logs are getting so many messages for just one port. So once we convert from 2 ip phones to 500, that is definitely going to generate a lot of unnecessary traffic.
    Let me know your thoughts...thanks
    Port config info....below
    interface GigabitEthernet0/2
    description Extra port by Camilos Desk
    switchport mode access
    switchport voice vlan 220
    srr-queue bandwidth share 1 30 35 5
    priority-queue out
    authentication event fail action next-method
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    mls qos trust cos
    snmp trap mac-notification change added
    auto qos trust
    spanning-tree portfast
    end

    On # 1
    You have to make sure that the
    "authentication host-mode multi-domain" command is under each port.
    This will allow one voice VLAN and only one PC VLAN at any given time. If you disconnect a PC and connect another PC MAC address to it, the phone will reinitialize to accept or reject the new MAC based on its profile.
    On #2
    I have not found a solution. But what I have found after deployment is that it has happened on only 2 VoIP phones, out of the 70 that we have as of now. So it might be related to ISE.
    On the other hand, we are not using Cisco phones but Mitel. So this might be a whole issue on its own.
    Hope this helps.

  • Cisco 877W Dual SSID/VLAN Security Issue

    Hi All
    I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE), and one for guests (GUEST). The PRIVATE network is secured from the GUEST network by zone-based firewall. Everything works fine, guest devices cannot access private devices, except for one thing - the BVI interface on the PRIVATE network is always accessible to guest devices, and all services are open to attack, e.g. telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on physical, BVI and VLAN interfaces.
    Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help appreciated!
    P.S config has been pared down to basics below
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ROUTER
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0
    no aaa new-model
    dot11 syslog
    dot11 ssid PRIVATE@123
     vlan 100
     authentication open
     authentication key-management wpa
     wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F
    dot11 ssid VISITOR@123
     vlan 200
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 03374C0A08392040420C00
    ip source-route
    no ip dhcp conflict logging
    ip dhcp excluded-address 172.16.1.1 172.16.1.10
    ip dhcp excluded-address 192.168.0.1 192.168.0.10
    ip dhcp pool GUEST
     utilization mark low 70 log
     network 172.16.1.0 255.255.255.0
     dns-server 192.168.0.1 61.9.242.33 61.9.226.33
     default-router 172.16.1.1
    ip dhcp pool PRIVATE
     utilization mark low 70 log
     network 192.168.0.0 255.255.255.0
     dns-server 192.168.0.1 61.9.242.33 61.9.226.33
     default-router 192.168.0.1
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 password 7 073F205F5D1E491713
    policy-map type inspect PM-DENYGUEST
     class class-default
      drop
    zone security GUEST
    zone security PRIVATE
    zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
     service-policy type inspect PM-DENYGUEST
    bridge irb
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     switchport access vlan 100
     no ip address
    interface FastEthernet2
     switchport access vlan 100
     no ip address
    interface FastEthernet3
     no ip address
    interface Dot11Radio0
     no ip address
     encryption vlan 100 mode ciphers aes-ccm
     encryption vlan 200 mode ciphers aes-ccm
     broadcast-key vlan 100 change 30
     broadcast-key vlan 200 change 30
     ssid PRIVATE@123
     ssid VISITOR@123
     mbssid
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    interface Dot11Radio0.100
     encapsulation dot1Q 100 native
     zone-member security PRIVATE
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.200
     encapsulation dot1Q 200
     zone-member security GUEST
     bridge-group 2
     bridge-group 2 subscriber-loop-control
     bridge-group 2 spanning-disabled
     bridge-group 2 block-unknown-source
     no bridge-group 2 source-learning
     no bridge-group 2 unicast-flooding
    interface Vlan1
     no ip address
    interface Vlan100
     no ip address
     bridge-group 1
    interface Vlan200
     no ip address
     bridge-group 2
    interface Dialer0
     ip address negotiated
     ip access-group 101 out
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 10580A4F1C4005005B
    interface BVI1
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security PRIVATE
    interface BVI2
     ip address 172.16.1.1 255.255.0.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security GUEST
    ip forward-protocol nd
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    logging trap debugging
    logging 192.168.0.11
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    line con 0
     exec-timeout 5 0
     no modem enable
     transport output all
    line aux 0
     exec-timeout 0 1
     no exec
     transport output none
    line vty 0 4
     exec-timeout 5 0
     login local
     transport input telnet ssh
     transport output none
    end

    Ignore that. self zone got me. Argh! phew!
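The self-zone behaviour behind this thread, as an added example that is not part of the original post: with the IOS zone-based firewall, traffic addressed to the router's own IP addresses belongs to the built-in `self` zone and is allowed by default until a zone-pair naming `self` is configured. The audit below parses a config and lists zones that have member interfaces but no policy toward `self`; both sample configs are constructed from the zone lines of the post, and the `GUEST-TO-SELF` zone-pair is a hypothetical name.

```python
"""Audit an IOS config for zones with no zone-pair toward the self zone.

Added illustration only; sample configs are constructed, trimmed from the
zone-related lines of the posted 877W configuration.
"""
import re

SAMPLE_CONFIG = """\
zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
 service-policy type inspect PM-DENYGUEST
interface BVI1
 ip address 192.168.0.1 255.255.255.0
 zone-member security PRIVATE
interface BVI2
 ip address 172.16.1.1 255.255.0.0
 zone-member security GUEST
"""

# Hypothetical hardened variant: GUEST-TO-SELF is an assumed name.
HARDENED_CONFIG = SAMPLE_CONFIG + """\
zone-pair security GUEST-TO-SELF source GUEST destination self
 service-policy type inspect PM-DENYGUEST
"""

ZONE_RE = re.compile(r"^zone security (\S+)\s*$")
PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)\s*$")
POLICY_RE = re.compile(r"^\s+service-policy type inspect (\S+)\s*$")
IFACE_RE = re.compile(r"^interface (\S+)")
MEMBER_RE = re.compile(r"^\s+zone-member security (\S+)")


def parse_zbf(config):
    """Return (zones, zone_pairs, members) where members maps zone -> interfaces."""
    zones, pairs, members = set(), [], {}
    current_pair = current_if = None
    for line in config.splitlines():
        if not line.startswith(" "):
            # A top-level line ends the previous zone-pair/interface block.
            current_pair = current_if = None
        if m := ZONE_RE.match(line):
            zones.add(m.group(1))
        elif m := PAIR_RE.match(line):
            current_pair = {"name": m.group(1), "src": m.group(2),
                            "dst": m.group(3), "policy": None}
            pairs.append(current_pair)
        elif (m := POLICY_RE.match(line)) and current_pair is not None:
            current_pair["policy"] = m.group(1)
        elif m := IFACE_RE.match(line):
            current_if = m.group(1)
        elif (m := MEMBER_RE.match(line)) and current_if is not None:
            members.setdefault(m.group(1), []).append(current_if)
    return zones, pairs, members


def zones_without_self_policy(config):
    """Zones with member interfaces whose traffic to the router is unfiltered."""
    zones, pairs, members = parse_zbf(config)
    covered = {p["src"] for p in pairs if p["dst"] == "self" and p["policy"]}
    return sorted(z for z in zones if members.get(z) and z not in covered)


if __name__ == "__main__":
    print("posted config  :", zones_without_self_policy(SAMPLE_CONFIG))
    print("hardened config:", zones_without_self_policy(HARDENED_CONFIG))
```

A policy toward `self` also applies to the DHCP and DNS requests that guests send to the router in this config, so a production policy would pass those explicitly before dropping the rest.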

  • Dynamic VLAN assignment issue with ACS & WLC

    I have configured an ACS (v4.2) & a WLC 4402 (5.2.193.0) according to the document listed at: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    When I attempt to authenticate a user in the ACS local user database, I receive an auth failure.  I have enabled debugging in the WLC's CLI and I see that I get an authentication failure from the ACS.  Upon reviewing the ACS's 'failed attempts' log, I see the username I attempt to authenticate with, but it reports 'CN user unknown' even though this user is in the local database.
    During troubleshooting, I discovered that if I modify the AAA client for the WLC and change it to 'Cisco Aironet' rather than 'Cisco Airespace', authentication works perfectly, the proper user is authenticated to the local database and I am able to connect to the SSID.  The only issue is that because I'm now using Aironet instead of Airespace, the IETF attributes 064, 065, and 081 (VLAN, 802, and the VLAN ID respectively) do not properly assign the VLAN that the user needs to be on.
    Am I missing something?

    I determined that a NAP was blocking my authentication using Airespace and can successfully authenticate with both Aironet and Airespace now.  I also reviewed the debug output of both types of connections and I can see the proper attributes coming through, but the wireless clients just won't assign to the right VLAN interface.
    I've reviewed all of the configuration settings per the document about 40 or 50 times now and I am certain I'm not missing anything.  I do indeed have override enabled but the configured interface 'management' is still the one the user is assigned to every time, even in the client connection details under the monitor tab.  ARGH!!

  • Mesh Ethernet Bridging with VLAN Tagging Issue

    Hi all.
    I'm a little stuck with a 4400 7.0.220.0 + RAP 1550 + MAP 1260 Ethernet bridging issue. I'm using the VLAN tagging functionality and I'm finding that periodically a VLAN that I've tagged on the MAP will deregister from the backhaul and stop passing traffic. If I go into the Mesh tab on the MAP, select the wired interface, remove the VLAN from the list of tagged VLAN IDs and then add it right back to the list, its starts passing traffic again.
    Has anyone else seen this? I can't find any relevant bugs.
    Justin

    Hi Saravanan,
    It is one RAP and three MAPs. After a TAC call and 30 hours of monitoring, my VLANs have remained registered. I think the issue was mismatched VLANs to bridge groups and it looks like the mesh bridge may be stable for now. Here is what I was seeing on the RAP and MAPs when the VLANs were deregistering unexpectedly. Notice how VLANs 2 and 10 are mapped to opposite bridge groups on the RAP and MAP:
    After I removed all the VLAN IDs from the Trunk configuration on the MAPs (through each AP's Mesh tab -- Ethernet Bridging config) and then rebuilt the VLAN IDs, I ran the same commands and now see this:
    My very unscientific theory here is that the mismatching was causing consistency checks to fail, so the RAP was just tearing down the registrations after getting bogus or non- responses from the MAPs during the periodic VLAN registration maintenance checks (debug mesh ethernet registration).
    If I have continued issues, I'll post back with updates.
    Thanks for the response!
    Justin

  • Dot1X guest vlan authentication issue..Real Challenge!!

    Hi Guys!
    I would really appreciate if some one could help me find lead on this issue...
    My corporate and Quarantine users don't get the correct VLAN as soon as I enable the Guest VLAN feature... all of them go to the guest VLAN...
    Scenario 1
    interface GigabitEthernet3/0/42
    switchport mode access
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout tx-period 5
    spanning-tree portfast
    Test Workstation behavior
    802.1X (Corporate) = VLAN 1
    802.1X (Quarantine)= VLAN 20
    Non-802.1X (Guest) = Unauthorized
    Conclusion
    802.1x authentication is working without the guest VLAN feature
    Scenario 2
    interface GigabitEthernet3/0/42
    switchport mode access
    authentication event no-response action authorize vlan 30
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout tx-period 5
    spanning-tree portfast
    Test Workstation behavior
    802.1X (Corporate) = VLAN 30 GuestVlan
    802.1X (Quarantine)= VLAN 30 GuestVlan
    Non-802.1X = VLAN 30 GuestVlan
    Conclusion
    802.1X doesn't work after enabling Guest VLAN feature (no-response)
    Some important notes...
    1) IOS version = c3750-ipbase-mz.122-50.SE.bin, the only IOS which supports 10gig modules...
    so I cannot test with any other IOS
    2) We had older 3750 100Mbps switches with the same config (we copied the config from the old switch to the new switch) and the only command which got changed automatically due to the IOS change is....
    dot1x guest-vlan 30 (Old IOS syntax) = authentication event no-response action authorize vlan 30 (New IOS syntax)
    so even if you put in the old command syntax it will get changed to the new one...
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1176660
    Guys please help me.........

    Just to update you here... after running some debugs on the switch I found that... (Scenario-2)
    When we connect 802.1X-enabled PCs (corporate users) and boot them... they initially behave like non-802.1X clients while booting, and during that time the switch puts them in the guest VLAN, but when the workstation comes to a state (login prompt) where it starts communicating like an 802.1X client... the switch just fails to put it in the appropriate VLAN... maybe due to some timeout issues... I feel like I am very close to getting the solution but am just wondering which timers need to change, or maybe I am wrong and there is something else that needs to be put in... anyway, I just shared my findings with you...
    The same workstations are working fine with the old switches without any problem... it is Windows XP SP3

  • Exalogic  VLAN bond issue

    Hi,
    vlan module: 8021q used
    For example
    ref link; http://docs.oracle.com/cd/E18476_01/doc.220/e18478/commproc.htm#BEIHAIDA --- here they used multiple physical hosts not single ethernet port
    Here 
    in bracket oracle details and other is my details
    1)  eth0 (1A-ETH-3) - ethernet port
    2)  vlan121 (eth4, vlan 10 ) -     vlan 121
    3)  vlan122 (eth5, vlan 11 ) -      vlan 122
    I have a exalogic machine which has Oracle Linux 5.6- x64 bit
    Created 2 VLANs with IP and bond interface if i start network service [service network restart], I
    get hardware address conflicts error message on vlan 121, 122
    i have 1 physical lan cord, creating eth0, multiple vlans, bond1, bond0 interfaces
    i could see eth0 192.168.1.12, bond1 192.168.48.128 but vlan121, vlan122 no static ips displayed
    Question : How can i build vlan121, vlan122 ip address should set as static ips (or) based on hardware address
    when i run #ifconfig -a ==> default HwAddr displays common for all the vlans, bond1, eth0
    # vim /etc/sysconfig/network-scripts/ifcfg-vlan121
    DEVICE=vlan121
    BOOTPROTO=none
    ONBOOT=yes
    IPADDR=192.168.48.129
    #HWADDR=a2:c0:a0:a8:01:01
    VLAN=yes
    PHYSDEV=eth0
    VLAN_NAME_TYPE=VLAN_PLUS_VID_NO_PAD
    MASTER=bond1
    SLAVE=yes
    # vim /etc/sysconfig/network-scripts/ifcfg-vlan122
    DEVICE=vlan122
    BOOTPROTO=none
    ONBOOT=yes
    IPADDR=192.168.48.130
    #HWADDR=a2:c0:a0:a8:01:01
    VLAN=yes
    PHYSDEV=eth0
    VLAN_NAME_TYPE=VLAN_PLUS_VID_NO_PAD
    MASTER=bond1
    SLAVE=yes
    # vim /etc/sysconfig/network-scripts/ifcfg-bond1
    DEVICE=bond1
    IPADDR=192.168.48.128
    NETMASK=255.255.255.0
    BOOTPROTO=none
    USERCTL=no
    TYPE=Ethernet
    ONBOOT=yes
    IPV6INIT=no
    BONDING_OPTS="mode=active-backup miimon=100 downdelay=5000 updelay=5000"
    GATEWAY=192.168.48.1

    I'm not really sure I understand your question. If you want any or all network interface cards in a computer to be used for communication, then any or all need to be connected to a switch or network router using a cable. Every real and virtual NIC has a physical address (MAC), which the device broadcasts when initialized to tell other devices that it's there. The MAC address is a unique number. The mapping of an IP address to a MAC address is maintained by an ARP table.
    Network redundancy typically shifts an IP address among available devices. If a device fails, a standby is activated, which updates the ARP table to inform other devices of the change, and IP communication can continue. I have also seen non-Linux systems which actually modify the physical MAC address of a device. If you want to use multiple NICs to work in a team for performance, the system network stack needs to support inverse multiplexing and you need to connect each device to a managed network switch that supports Link Aggregation Control Protocol (802.3ad).
    Your ping issue might be due to TCP/IP routing. Devices by default see each other only if they are physically connected through a switch and share the same network or subnet. If you have devices with different subnets you need to configure a TCP/IP gateway or bridge. This is basic TCP/IP routing knowledge, which is explained by many free sources available on the Internet. Just search Google for TCP/IP routing basics.
    Update:
    Looking at your TCP/IP configuration from the information you provided, your VLAN interface is not within the network (netmask) of your gateway, hence the VLAN interface has no knowledge of your other networks. So perhaps if you change your VLAN to 255.255.0.0 it will work.

  • Vlan Trunking issue

    Hi,
    I need some help setting up an L3 Cisco 3560 for my VM lab. I have set up a few VLANs and at this point I am trying to test out routing and connectivity. I came across two issues and I am trying to get good advice from the experts since I am not
    The Cisco 3560 is directly connected to my home router gi0/4 192.168.10.0/24 which would be my internet connection. The home router default gateway is 192.168.10.1.
    I created Vlan192 on the 3560 to interact with the home router and get me to the outside world from the core. Obviously I'm doing something wrong here and came across 2 issues.
    1- I tried setting Fas0/2 as a trunk port and using vlan226 on my PC, but it won't work when I set this on my computer. It won't route to all VLANs and I am not able to ping this 10.23.226.9 address from the 3560. The only way this works for me is if I set the IP to the 192 range, which is my native VLAN, but anything other than 192 won't route.
    PC IP address
    10.23.226.9
    255.255.255.0
    10.23.226.254
    Fas0/2 configuration
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 192,224-229
    switchport mode trunk
    Please see my entire config below and maybe you can help since I am not an expert on this.
    zeus-sw1#sh run
    Building configuration...
    Current configuration : 5364 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname zeus-sw1
    boot-start-marker
    boot-end-marker
    no logging console
    enable secret 5 $1$E9/L$UAOdxa6S.6QT52G2Lgcll0
    enable
    username admin1 privilege 15 secret 5 $1$hlCW$laTgSRIXF2LnZO.wyd0k0/
    aaa new-model
    aaa session-id common
    system mtu routing 1500
    vtp mode transparent
    ip routing
    crypto pki trustpoint TP-self-signed-13407744
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-13407744
    revocation-check none
    rsakeypair TP-self-signed-13407744
    crypto pki certificate chain TP-self-signed-13407744
    certificate self-signed 01
      quit
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 192
    name NativeVlan
    vlan 224
    name iSCSI
    vlan 225
    name ESX_MGMT
    vlan 226
    name VM_SERVERS
    vlan 227
    name VMOTION
    vlan 228
    name VIEWDESKTOPS
    vlan 229
    name VCLOUD
    lldp run
    interface FastEthernet0/1
    interface FastEthernet0/2
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 192
    switchport trunk allowed vlan 192,224-229
    switchport mode trunk
    interface FastEthernet0/3
    interface FastEthernet0/4
    interface FastEthernet0/5
    interface FastEthernet0/6
    interface FastEthernet0/7
    interface FastEthernet0/8
    interface FastEthernet0/9
    interface FastEthernet0/10
    interface FastEthernet0/11
    interface FastEthernet0/12
    interface FastEthernet0/13
    interface FastEthernet0/14
    interface FastEthernet0/15
    interface FastEthernet0/16
    interface FastEthernet0/17
    interface FastEthernet0/18
    interface FastEthernet0/19
    interface FastEthernet0/20
    interface FastEthernet0/21
    interface FastEthernet0/22
    interface FastEthernet0/23
    interface FastEthernet0/24
    interface FastEthernet0/25
    interface FastEthernet0/26
    interface FastEthernet0/27
    interface FastEthernet0/28
    interface FastEthernet0/29
    interface FastEthernet0/30
    interface FastEthernet0/31
    interface FastEthernet0/32
    interface FastEthernet0/33
    interface FastEthernet0/34
    interface FastEthernet0/35
    interface FastEthernet0/36
    interface FastEthernet0/37
    interface FastEthernet0/38
    interface FastEthernet0/39
    interface FastEthernet0/40
    interface FastEthernet0/41
    interface FastEthernet0/42
    interface FastEthernet0/43
    interface FastEthernet0/44
    interface FastEthernet0/45
    interface FastEthernet0/46
    interface FastEthernet0/47
    interface FastEthernet0/48
    interface GigabitEthernet0/1
    interface GigabitEthernet0/2
    switchport trunk allowed vlan 192,224-229
    interface GigabitEthernet0/3
    interface GigabitEthernet0/4
    description LINK SG200 UNTAGGED
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 192
    switchport trunk allowed vlan 192,224-229
    switchport mode trunk
    interface Vlan1
    no ip address
    interface Vlan192
    ip address 192.168.10.254 255.255.255.0
    interface Vlan224
    description iSCSI
    ip address 10.23.224.254 255.255.255.0
    interface Vlan225
    description ESX
    ip address 10.23.225.254 255.255.255.0
    interface Vlan226
    description VM_SERVERS
    ip address 10.23.226.254 255.255.255.0
    ip helper-address 10.23.226.2
    interface Vlan227
    description VIEWDESKTOPS
    ip address 10.23.227.254 255.255.255.0
    interface Vlan228
    description vCloudDir
    ip address 10.23.228.254 255.255.255.0
    interface Vlan229
    description SERVERS
    ip address 10.23.229.254 255.255.255.0
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.10.1
    ip http server
    ip http authentication local
    no ip http secure-server
    end

    Glen,
    Thanks for your advice. After changing the port to an access port I am able to ping all VLANs and my gateway from my home router 192.168.10.1. However, a new issue came up. I am not able to get to the internet.
    It seems it works from the 3560:
    zeus-sw1#ping yahoo.com
    Translating "yahoo.com"...domain server (255.255.255.255) [OK]
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 206.190.36.45, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 76/94/134 ms
    zeus-sw1#
    It wont work from my pc:
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::3d53:efc0:ea00:9bd2%3
       IPv4 Address. . . . . . . . . . . : 10.23.226.9
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.23.226.254
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    Tunnel adapter isatap.{461494F6-EA41-42CC-8B0A-B5BD2D8097DA}:
      Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    C:\Users\user1>ping google.com
    Ping request could not find host google.com. Please check the name and try again.
    C:\Users\user1>ping 14.2.2.2
    Pinging 14.2.2.2 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 14.2.2.2:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

  • VLAN config issue

    I am configuring VLANs on 2960X switches by building.  We have about 15 buildings and would like to have each building be in its own VLAN.  The issue I am having is that we have some devices that have static IPs, and when those devices are plugged in, they do not work.  I cannot ping them.  For example, our maintenance department has some energy management devices that are addressed 10.20.1.x and printers that are addressed 10.10.101.x.  So when I configure vlan 55, ip address 10.55.1.2, set the switch ports to switchport access vlan 55 and plug any device with a static IP into that switch, it doesn't work.  Is it possible to have these devices on the same VLAN as everything else in their building without changing their IP address?

    The 2960  is set up with all ports in vlan 55 and the link back to the 4506 is a trunk port.  The 4506 port is set up the same.
    4506
    interface Vlan55
    ip address 10.55.1.1 255.255.255.0
    Port to 2960
    interface GigabitEthernet2/10
    switchport access vlan 55
    switchport mode trunk
    2960
    interface Vlan55
    ip address 10.55.1.3 255.255.255.0
    ip helper-address 10.10.1.41  -- DHCP server
    ip helper-address 10.10.11.2 -- wireless controller
    port to 4506
    interface GigabitEthernet1/0/52
    switchport access vlan 55
    switchport mode trunk
    ip route 0.0.0.0 0.0.0.0 10.55.1.1
    When I plug in a device with a static IP, for example, 10.20.1.250, SM 255.255.0.0, DG 10.20.1.1, it does not work.  These are not PCs.  They are Allen Bradley controllers that are installed on equipment like air compressors and heaters so our maintenance department can monitor everything.  These devices will not be on every switch and were installed way before I started working here.  I set up a PC using an address in the 10.20 range and can't even ping the switch that it is plugged into.

  • VLAN's on 3524 VLAN enable issue (I don't want to route between them)

    I have segmented a 3524 switch into three different VLANs. One is the managment VLAN 1 and the other two are for my Test Lab and Production network. I don't want either VLAN to see the other (router between them). My problem is my VLAN10 and VLAN12 will not come out of a shutdown state. They stay administratively down even after I issue the no shut command from within the VLAN Interface. What am I doing wrong here?

    My guess is that you created 3 SVIs instead of creating the layer 2 VLANs that you need. Do a "show vlan"; do all 3 of your VLANs show up? If you created 3 different layer 3 SVIs (conf t, interface vlan 10 and/or 12), then the switch will only enable 1, because this is strictly used to manage the switch. To create your VLANs, I believe on this switch you need to use the vlan database. At the switch prompt type vlan database, enter. Then type vlan 10, hit enter, then type vlan 12 and hit enter. This activates the layer 2 VLANs. Exit out to the command line and do a show vlan and see if all 3 show up now. Apply the VLANs to the ports as needed. These should now show up when you do a "show vlan". I think you are getting confused between the layer 3 SVIs and the layer 2 VLANs.

  • Inter-vlan routing issues (one device isn't pingable from one VLAN, is pingable from others).

    Greetings network wizards, 
    I'm facing an interesting issue in our enterprise network.
    There is management VLAN. There are various devices in management VLAN (e.g. WLC controllers, SVIs for management on our catalysts, interfaces for management of servers, ...). 
    There are also other VLANs (office100, office101, printers, technology, ...). I'm unable to ping one device on our management VLAN from office VLAN. From all other VLANs, the ping works fine.
    In terms of CLI (where a.b.c.d is the problematic destination address in the management VLAN):
    ping a.b.c.d source vlan 20 = success
    ping a.b.c.d source vlan 50 = success
    ping a.b.c.d source vlan 90 = success
    ping a.b.c.d source vlan 101 = failure
    The ping is launched from either of our two L3 switches and the a.b.c.d address belongs to the computer shown at the bottom of the picture.
    An excerpt of our physical topology can be seen below.
    The L3 switches depicted above are our two 4506 Catalyst switches with SVIs for our multiple VLANs. There is also an HSRP group for each VLAN on our L3 switches.
    I checked all the relevant data structures (ARP, MAC, FIB, adjacency tables) and everything seems OK. What is also worth mentioning is the fact that the IP address of the switch shown at the bottom of the picture is in the same VLAN as the device represented by the PC attached to the switch at the bottom. That management SVI of the switch is pingable and working regardless of the source VLAN.
    Any help would be appreciated. 
    Best regards, 
    SZ

    Hi, 
    I'm afraid that the configuration you posted above won't solve my issues. That is because of the following packet flow:
    A ping from VLAN 101 (office) to VLAN 900 (management) flows to either of my L3 switches. The L3 switch takes a look at the destination IP address and assumes it should use VLAN900. Thus, it uses the VLAN900 SVI, encapsulates the frame into a VLAN900 802.1q frame and sends it out of the appropriate trunk (the appropriate trunk is identified by the destination IP address and corresponding MAC address).
    Please keep in mind that the topology is only an excerpt and other switches are physically present, too (but not shown here). These other switches have clients from VLAN101 attached and these clients can easily ping the access switch (VLAN900) shown in the picture, but they're unable to ping the PC (VLAN900) attached to the same access switch. The PC's switchport is assigned to the correct VLAN. The frame coming from VLAN101 from another switch (not shown in the picture) is rerouted at the L3 switch and is put on the trunk as a VLAN900 frame. Then it flows down to the access switch. STP and trunks are fine ... because:
    If I had STP issue or trunk misconfiguration in place, I wouldn't be able to reach the access switch (from whatever VLAN). In my current situation, I'm able to reach it easily. 
    Best regards, 
    SZ

  • Vlan config issues

    I have a 6509 with a vlan 105 configured. I have also added a vlan 100. Vlan 100 and 105 work for internal routing. A vlan 105 workstation can get to the internet. However, any vlan 100 workstation cannot access the internet. A tracert from a workstation on vlan 100 stops at the 6509. Attached is the 6509 config, I have included IP just because they already have changed.
    Any ideas? Does the port connecting to my firewall have to allow all vlan traffic? If so, how do I do this?
    thanks,

    Hi,
    Please provide more information on the setup (other devices, connectivity diagram) to have a clear idea, so that we can help you.
    From the config provided, I could see the following default route
    ip route 0.0.0.0 0.0.0.0 10.175.105.3
    What is 10.175.105.3? Is this your firewall / WAN router?
    Also, what is the need for this static route?
    ip route 10.175.100.0 255.255.255.0 10.175.105.3
    10.175.100.0/24 is the subnet for vlan 100, which is a directly connected network on this switch. Hence you don't need that route. Remove that route.
    Finally, whatever device is 10.175.105.3, please add a route in that device for vlan 100 so that traffic can reach vlan 100.
    The route that you should add in 10.175.105.3 is
    ip route 10.175.100.0 255.255.255.0 10.175.105.1
    Hope this helps.
    -VJ
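The two checks in the reply above (a static route that duplicates a directly connected subnet, and a missing return route on the upstream device) can be automated. This is an added example, not code from the thread; the function names are hypothetical, the vlan 100 SVI host address and the upstream device's initial route table are assumptions, and the other addresses are the ones quoted in the reply.

```python
import ipaddress

def parse_routes(config):
    """Extract (destination network, next hop) from 'ip route' lines."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "route"] and len(parts) >= 5:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}")
            routes.append((net, ipaddress.ip_address(parts[4])))
    return routes

def redundant_routes(connected, routes):
    """Static routes whose destination is already a directly connected subnet."""
    nets = {iface.network for iface in connected}
    return [(net, hop) for net, hop in routes if net in nets]

def missing_return_routes(connected, upstream_link, upstream_routes):
    """Connected subnets the upstream device has no specific route back to."""
    missing = []
    for iface in connected:
        if iface.network == upstream_link:
            continue  # the upstream device sits in this subnet itself
        covered = any(net.prefixlen > 0 and iface.network.subnet_of(net)
                      and hop in upstream_link
                      for net, hop in upstream_routes)
        if not covered:
            missing.append(iface.network)
    return missing

# Constructed sample data built from the addresses quoted in the reply.
SWITCH_SVIS = [
    ipaddress.ip_interface("10.175.105.1/24"),  # vlan 105 (next hop named in the reply)
    ipaddress.ip_interface("10.175.100.1/24"),  # vlan 100 (host address assumed)
]
UPSTREAM_LINK = ipaddress.ip_network("10.175.105.0/24")
SWITCH_ROUTES = parse_routes("""\
ip route 0.0.0.0 0.0.0.0 10.175.105.3
ip route 10.175.100.0 255.255.255.0 10.175.105.3
""")
UPSTREAM_BEFORE = parse_routes("")  # assumed: no route for vlan 100 yet
UPSTREAM_AFTER = parse_routes("ip route 10.175.100.0 255.255.255.0 10.175.105.1")

if __name__ == "__main__":
    for net, hop in redundant_routes(SWITCH_SVIS, SWITCH_ROUTES):
        print(f"remove: ip route {net.network_address} {net.netmask} {hop}")
    print("missing before:", missing_return_routes(SWITCH_SVIS, UPSTREAM_LINK, UPSTREAM_BEFORE))
    print("missing after: ", missing_return_routes(SWITCH_SVIS, UPSTREAM_LINK, UPSTREAM_AFTER))
```

Default routes on the upstream device are deliberately not counted as return routes, since on a firewall or WAN router they normally point away from the internal VLANs.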

  • Multiple vlans configuration issue with RV016 router and SG 300-10MP switch

    Hi,
    I have to configure multiple VLANs served by a single DHCP server. As a first step, I just want the DHCP server to serve 2 VLANs. The following is the hardware and configuration that I implemented:
    Router (RV016 10/100 16-Port VPN Router) as gateway mode:
    IP : 172.16.0.1/24
    DHCP Server :
    IP : 172.16.0.2/24 GW: 172.16.0.1
    2 subnets :
    172.16.1.0/24 GW: 172.16.1.1 to serve vlan 1
    172.16.2.0/24 GW:172.16.2.1 to serve vlan 2
    Switch (SG 300-10MP 10-Port Gigabit PoE Managed Switch) as layer 3 mode:
    IP 172.16.0.254 (vlan 8 default)
    Vlan 1 : 172.16.1.1
    Vlan 2 : 172.16.2.1
    1 device connected on each vlan
    a workstation on the vlan 1
    a laptop on the vlan 2
    In this scenario (see the attached pdf file) the DHCP server is connected to a router, and hosts on the VLANs don't receive any IP address.
    But if I connect the DHCP server to a trunked switch port and change the DHCP server gateway from 172.16.0.1 to 172.16.0.254, hosts receive IP addresses properly.
    I have to connect the DHCP server directly to the router. How can I do that, and what is wrong in the configuration?
    I hope the explanations are clear enough, and my English too.
    Any help will be highly appreciated,
    Zoubeir

    Hi Eric, the small business group doesn't support the ASA config, but  I can help with the switch.
    A couple things I notice in your description-
    48 port (192.168.1.254) and the other 24P (192.168.1.253) we have a second vlan 20 set up on the 24P switch (192.168.2.253) we have ports 1-12 set for vlan20 (untagged and trunk), the remaining ports on the default vlan 1.
    The connection between the switches, is it 1u, 2t?
    The link between the switches should be 1u, 2t, the switches support the trunking and vlan tagging, meaning all communication will work fine.
    We have the 24p and 48p switches connect using GE1 and GE1.  We are unable to ping a device on vlan 20 ( on the 24p switch
    The 24p switch should be in layer 2 mode, if you have the 48 port l3 switch upstream. Additionally, you need to have the default gateway set on the 24p switch.
    We have a static route set on the 24p switch (0.0.0.0 192.168.1.0). 
    Between the switches, it shouldn't require any static routes, assuming you correctly trunk / tag your ge1 ports, with both switches operating in l3, the ip route table dynamically builds the connected routes, therefore a static route is redundant.
    -Tom
    Please rate helpful posts
