8831 Vlan/IP issue
I installed a few 8831s last week for my customer. These phones had no issue on the initial day we set them up.
However the next week we moved them to a different location and they were pulling the DHCP IP address of my Access VLAN, however it showed the VLAN tag on the phone of my Voice VLAN.
I defaulted and reconfigured the port, tried different switches with different VLANs, and had the same result every time.
I was just wondering if anyone else had run into this issue.
Hello!
Have you tried to reset Network settings? All settings?
Apps > Admin Settings > Reset Settings>All
Can you post show run from the switches and the box where the DHCP server is started?
Regards,
Kirill
Similar Messages
-
Vlan tag issue with Nexus 4001 in IBM Blade Centre
Hi
I have a DC architecture with a pair of Nexus 7010's running 3 VDC's (Core/Aggregation/Enterprise). I have at the edge Nexus 5548's which connect to back to the Aggregation VDC. Also connecting back to the Aggregation VDC is an IBM Blade Chassis which has a Nexus 4001i in slots 7 and slot 9. These blade servers are running ESXi 4.0 and are mapped to the Nexus 4001 blade switch.
I had set up the Native VLAN as VLAN 999 which connects up to the ESXi host and I am trunking up multiple VLANS for the Virtual Machines.
The problem I have is that VM's in all VLANS except the ESXi host VLAN (VLAN 10) cannot see their default gateway, and I suspect that there is an issue with the VLAN tag going up to the ESXi host. I have read enough documentation to suggest that this is where the issue is.
My Nexus 4001 interface configuration is below
interface Ethernet1/1
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 10,30,40-41,60-62,90,96,999
spanning-tree port type edge trunk
speed auto
The Aggregation VDC on the Nexus 7010 is the default gateway for all these VLANS.
I also noted that the Nexus 5000 and Nexus 7000 support the vlan dot1q tag native command, yet the Nexus 4000 doesn't seem to support this. Any assistance would be useful.
Thanks
Greg
Your configuration on the N4K looks correct. You shouldn't use vlan dot1q tag native commands on your N7Ks and N5Ks. Native VLAN tagging is really for QinQ (dot1q tunneling).
My only suggestion is check your configuration of the vSwitch in the ESXi host and the host network profile.
Regards,
jerry -
I have an issue with a VLAN map I am attempting to use to filter traffic. It is a flat Layer 2 LAN so all hosts are in VLAN 1. I have a number of test machines that I want to deny access to live database servers. To do this I tried the following:
ip access-list extended testboxes
permit ip host x.x.x.x host x.x.x.x
vlan access-map denytest 10
match ip address testboxes
action drop
vlan filter denytest vlan-list 1
Once I apply the VLAN map I lose all connectivity to the switch. Is there something I am missing here?
Thanks
Ian
Unlike regular IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN. If a VACL is configured for a certain traffic and that traffic does not match the VACL, the default action is deny. Additionally, VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type. Add an additional permit statement allowing telnet/ssh/or web traffic to the switch:
permit tcp host X.X.X.X host X.X.X.X eq telnet
Best Regards
Francisco -
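For the VLAN map thread above, a simplified Python model of the evaluation order the reply describes, as an added example that is not part of the original posts. The host addresses are constructed stand-ins for the x.x.x.x values, and the second map, with a trailing match-all `action forward` sequence, is an addition for comparison rather than something proposed in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "tcp", "udp", "icmp", or "arp" for a non-IP frame
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches any IP protocol
    src: str            # CIDR notation
    dst: str
    dport: int = 0      # 0 means any port

    def matches(self, pkt):
        return (self.proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport in (0, pkt.dport))


def vacl_verdict(vlan_map, acls, pkt):
    """Return "forward" or "drop" for one packet bridged inside the VLAN."""
    if pkt.proto == "arp":
        # Only IP ACLs are configured in this model, so non-IP frames
        # are not subject to the map's implicit deny.
        return "forward"
    for _seq, acl_name, action in sorted(vlan_map, key=lambda e: e[0]):
        if acl_name is None:
            return action            # sequence without a match clause
        for ace in acls[acl_name]:
            if ace.matches(pkt):
                if ace.action == "permit":
                    return action    # ACL permit = matched, apply the action
                break                # ACL deny = not matched, try next sequence
    return "drop"                    # implicit deny at the end of the map


# Constructed addresses standing in for the thread's x.x.x.x hosts.
ACLS = {"testboxes": [Ace("permit", "ip", "10.0.0.50/32", "10.0.0.10/32")]}

# The map as posted: one sequence, action drop.
POSTED_MAP = [(10, "testboxes", "drop")]
# Comparison map (not from the thread): same drop rule, then forward the rest.
MAP_WITH_FORWARD = [(10, "testboxes", "drop"), (20, None, "forward")]

SAMPLE_PACKETS = {
    "testbox_to_db": Packet("10.0.0.50", "10.0.0.10", "tcp", 1433),
    "admin_ssh_to_switch": Packet("10.0.0.20", "10.0.0.2", "tcp", 22),
    "admin_arp": Packet("10.0.0.20", "10.0.0.2", "arp"),
}


def verdicts(vlan_map):
    """Evaluate every sample packet against one VLAN map."""
    return {name: vacl_verdict(vlan_map, ACLS, pkt)
            for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, vmap in (("posted", POSTED_MAP), ("with forward", MAP_WITH_FORWARD)):
        print(label, verdicts(vmap))
```

With the posted map, the administrator's own SSH session falls through to the implicit deny, which matches the loss of connectivity reported in the question.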
Ip phone and pc VLAN security issue - ISE 1.0
Hello there.
We are about to implement IP phones to our current network and during testing I have found 2 issues.
1- ip phone connects to a protected port using ISE mab authentication for the data network.
The voice VLAN is set up static on the port. The pc VLAN is given by ISE profiling.
Then the issue is that once the pc connects to the VLAN it belongs to from the ip phone it leaves open that vlan on that port which means that if I connect another pc it will get the original VLAN the port had open up the connection with. This is a big security issue as computers that should not be allowed on specific VLAN can access them this way.
2- once the connection is up and running on the port for both the phone and the pc, there is re-authentication happening every minute to ISE. The Authentication logs are getting so many messages for just one port. So once we convert from 2 ip phones to 500, that is definitely going to generate a lot of unnecessary traffic.
Let me know your thoughts...thanks
Port config info....below
interface GigabitEthernet0/2
description Extra port by Camilos Desk
switchport mode access
switchport voice vlan 220
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust cos
snmp trap mac-notification change added
auto qos trust
spanning-tree portfast
end
On #1
You have to make sure that
"authentication host-mode multi-domain" command is under each port
This will allow one voice VLAN and only one PC VLAN at any given time. If you disconnect a PC and connect another PC MAC address to it, the phone will reinitialize to accept or reject the new MAC based on its profile.
On #2
I have not found a solution. But what I have found after deployment is that it has happened only on 2 VoIP phones, out of 70 that we have as of now. So it might to be related to ISE.
On the other hand we are not using Cisco phones but Mitel. So this might be a whole issue on itself.
Hope this helps. -
Cisco 877W Dual SSID/VLAN Security Issue
Hi All
I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE), and one for guests (GUEST). The PRIVATE network is secured from the GUEST network by zone based firewall. Everything works fine, guest devices cannot access private devices, except for one thing - the BVI interface on the PRIVATE network is always accessible to guest devices, and all services open to attack eg telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on physical, BVI and VLAN interfaces
Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help appreciated!
P.S config has been pared down to basics below
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ROUTER
boot-start-marker
boot-end-marker
logging buffered 4096
enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0
no aaa new-model
dot11 syslog
dot11 ssid PRIVATE@123
vlan 100
authentication open
authentication key-management wpa
wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F
dot11 ssid VISITOR@123
vlan 200
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 03374C0A08392040420C00
ip source-route
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool GUEST
utilization mark low 70 log
network 172.16.1.0 255.255.255.0
dns-server 192.168.0.1 61.9.242.33 61.9.226.33
default-router 172.16.1.1
ip dhcp pool PRIVATE
utilization mark low 70 log
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.1 61.9.242.33 61.9.226.33
default-router 192.168.0.1
ip cef
no ipv6 cef
multilink bundle-name authenticated
username cisco privilege 15 password 7 073F205F5D1E491713
policy-map type inspect PM-DENYGUEST
class class-default
drop
zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
service-policy type inspect PM-DENYGUEST
bridge irb
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
interface FastEthernet0
no ip address
interface FastEthernet1
switchport access vlan 100
no ip address
interface FastEthernet2
switchport access vlan 100
no ip address
interface FastEthernet3
no ip address
interface Dot11Radio0
no ip address
encryption vlan 100 mode ciphers aes-ccm
encryption vlan 200 mode ciphers aes-ccm
broadcast-key vlan 100 change 30
broadcast-key vlan 200 change 30
ssid PRIVATE@123
ssid VISITOR@123
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.100
encapsulation dot1Q 100 native
zone-member security PRIVATE
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.200
encapsulation dot1Q 200
zone-member security GUEST
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Vlan1
no ip address
interface Vlan100
no ip address
bridge-group 1
interface Vlan200
no ip address
bridge-group 2
interface Dialer0
ip address negotiated
ip access-group 101 out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 7 10580A4F1C4005005B
interface BVI1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE
interface BVI2
ip address 172.16.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security GUEST
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
logging trap debugging
logging 192.168.0.11
control-plane
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
line con 0
exec-timeout 5 0
no modem enable
transport output all
line aux 0
exec-timeout 0 1
no exec
transport output none
line vty 0 4
exec-timeout 5 0
login local
transport input telnet ssh
transport output none
end
Ignore that. self zone got me. Argh! phew!
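The follow-up above points at the `self` zone: traffic addressed to any of the router's own IP addresses belongs to `self`, not to the zone of the interface that owns the address, and IOS permits it by default until a zone-pair involving `self` exists. A small Python audit for that gap, as an added example that is not part of the original post; the config strings are constructed from the zone-related lines of the posted configuration, and `GUEST-TO-SELF` / `PM-GUEST-TO-SELF` are hypothetical names.

```python
import re

# Constructed sample: only the zone-related lines of the configuration above.
POSTED = """\
zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
 service-policy type inspect PM-DENYGUEST
interface Dialer0
 ip address negotiated
interface BVI1
 ip address 192.168.0.1 255.255.255.0
 zone-member security PRIVATE
interface BVI2
 ip address 172.16.1.1 255.255.0.0
 zone-member security GUEST
"""

# Same lines plus a zone-pair towards self. PM-GUEST-TO-SELF is a hypothetical
# policy; its classes would still have to pass the DHCP and DNS that the
# router itself serves to guests in the posted config.
WITH_SELF_PAIR = POSTED + """\
zone-pair security GUEST-TO-SELF source GUEST destination self
 service-policy type inspect PM-GUEST-TO-SELF
"""

PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")


def parse_zbf(config):
    """Collect zones, zone-pairs and interface zone membership.

    Context is tracked by keyword rather than indentation, so a config
    whose indentation was lost in copy and paste still parses.
    """
    zones, pairs, interfaces = set(), {}, {}
    kind, name = None, None
    for raw in config.splitlines():
        line = raw.strip()
        pair = PAIR_RE.match(line)
        if pair:
            kind, name = "pair", pair.group(1)
            pairs[name] = {"src": pair.group(2), "dst": pair.group(3), "policy": None}
        elif line.startswith("zone security "):
            zones.add(line.split()[2])
            kind = None
        elif line.startswith("interface "):
            kind, name = "intf", line.split()[1]
            interfaces[name] = {"zone": None, "ip": None}
        elif kind == "pair" and line.startswith("service-policy type inspect "):
            pairs[name]["policy"] = line.split()[3]
        elif kind == "intf" and line.startswith("zone-member security "):
            interfaces[name]["zone"] = line.split()[2]
        elif kind == "intf" and line.startswith("ip address "):
            parts = line.split()
            if len(parts) >= 4 and parts[2][0].isdigit():  # skip "negotiated"
                interfaces[name]["ip"] = parts[2]
    return zones, pairs, interfaces


def self_zone_exposure(config):
    """Map each zone lacking a policed zone-pair to self onto the router
    addresses its hosts can still reach."""
    zones, pairs, interfaces = parse_zbf(config)
    router_ips = sorted(i["ip"] for i in interfaces.values() if i["ip"])
    covered = {p["src"] for p in pairs.values()
               if p["dst"] == "self" and p["policy"]}
    return {zone: router_ips for zone in sorted(zones) if zone not in covered}


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("with self pair", WITH_SELF_PAIR)):
        print(label, self_zone_exposure(cfg))
```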
-
Dynamic VLAN assignment issue with ACS & WLC
I have configured an ACS (v4.2) & a WLC 4402 (5.2.193.0) according to the document listed at: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
When I attempt to authenticate a user in the ACS local user database, I receive an auth failure. I have enabled debugging in the WLC's CLI and I see that I get an authentication failure from the ACS. Upon reviewing the ACS's 'failed attempts' log, I see the username I attempt to authenticate with but it reports 'CN user unknown' even though this user is in the local database.
During troubleshooting, I discovered that if I modify the AAA client for the WLC and change it to 'Cisco Aironet' rather than 'Cisco Airespace', authentication works perfectly, the proper user is authenticated to the local database and I am able to connect to the SSID. The only issue is that because I'm now using Aironet instead of Airespace, the IETF attributes 064, 065, and 081 (VLAN, 802, and the VLAN ID respectively) do not properly assign the VLAN that the user needs to be on.
Am I missing something?
I determined that a NAP was blocking my authentication using Airespace and can successfully authenticate with both Aironet and Airespace now. I also reviewed the debug output of both types of connections and I can see the proper attributes coming through, but the wireless clients just won't assign to the right VLAN interface.
I've reviewed all of the configuration settings per the document about 40 or 50 times now and I am certain I'm not missing anything. I do indeed have override enabled but the configured interface 'management' is still the one the user is assigned to every time, even in the client connection details under the monitor tab. ARGH!! -
Mesh Ethernet Bridging with VLAN Tagging Issue
Hi all.
I'm a little stuck with a 4400 7.0.220.0 + RAP 1550 + MAP 1260 Ethernet bridging issue. I'm using the VLAN tagging functionality and I'm finding that periodically a VLAN that I've tagged on the MAP will deregister from the backhaul and stop passing traffic. If I go into the Mesh tab on the MAP, select the wired interface, remove the VLAN from the list of tagged VLAN IDs and then add it right back to the list, its starts passing traffic again.
Has anyone else seen this? I can't find any relevant bugs.
Justin
Hi Saravanan,
It is one RAP and three MAPs. After a TAC call and 30 hours of monitoring, my VLANs have remained registered. I think the issue was mismatched VLANs to bridge groups and it looks like the mesh bridge may be stable for now. Here is what I was seeing on the RAP and MAPs when the VLANs were deregistering unexpectedly. Notice how VLANs 2 and 10 are mapped to opposite bridge groups on the RAP and MAP:
After I removed all the VLAN IDs from the Trunk configuration on the MAPs (through each AP's Mesh tab -- Ethernet Bridging config) and then rebuilt the VLAN IDs, I ran the same commands and now see this:
My very unscientific theory here is that the mismatching was causing consistency checks to fail, so the RAP was just tearing down the registrations after getting bogus or non- responses from the MAPs during the periodic VLAN registration maintenance checks (debug mesh ethernet registration).
If I have continued issues, I'll post back with updates.
Thanks for the response!
Justin -
Dot1X guest vlan authentication issue..Real Challenge!!
Hi Guys!
I would really appreciate if some one could help me find lead on this issue...
My corporate and Quarantine users don't get the correct VLAN as soon as I enable the Guest VLAN feature..all of them go to guest VLAN...
Scenario 1
interface GigabitEthernet3/0/42
switchport mode access
authentication port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
spanning-tree portfast
Test Workstation behavior
802.1X (Corporate) = VLAN 1
802.1X (Quarantine)= VLAN 20
Non-802.1X (Guest) = Unauthorized
Conclusion
802.1x authentication is working without the guest VLAN feature
Scenario 2
interface GigabitEthernet3/0/42
switchport mode access
authentication event no-response action authorize vlan 30
authentication port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
spanning-tree portfast
Test Workstation behavior
802.1X (Corporate) = VLAN 30 GuestVlan
802.1X (Quarantine)= VLAN 30 GuestVlan
Non-802.1X = VLAN 30 GuestVlan
Conclusion
802.1X doesn't work after enabling Guest VLAN feature (no-response)
Some important notes...
1) IOS version = c3750-ipbase-mz.122-50.SE.bin the only IOS which supports 10gig modules...
so i can not test with any other IOS
2) We had older 3750 100Mbps switches with same config (we copied the config from old switch to new Switch) and the only command which got changed automatically due to IOS change is....
dot1x guest-vlan 30 (Old IOS syntax) = authentication event no-response action authorize vlan 30 (New IOS syntax)
so even if you put old command syntax it will get change to new one...
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1176660
Guys please help me.........
Just to update you here.......after running some debugs on the Switch I found that....(Scenario-2)
When we connect 8021X enabled PCs (Corporate users) and Boot them...they initially behave like Non-8021X client while booting and during that time switch puts them in guest vlan but when workstation comes to a state (login prompt) where they start communicating like 8021X client.....switch just fails to put them in appropriate VLANs.. may be due to some time out issues.........I feel like I am very close to getting the solution but just wondering which timers need to change or may be I am wrong if there is something else that needs to be put in...........any way I just shared my things with you....
Same Workstations are working fine with old switches without any problem...it is windows XP SP3 -
Hi,
vlan module: 8021q used
For example
ref link; http://docs.oracle.com/cd/E18476_01/doc.220/e18478/commproc.htm#BEIHAIDA --- here they used multiple physical hosts not single ethernet port
Here
in bracket oracle details and other is my details
1) eth0 (1A-ETH-3) - ethernet port
2) vlan121 (eth4, vlan 10 ) - vlan 121
3) vlan122 (eth5, vlan 11 ) - vlan 122
I have a exalogic machine which has Oracle Linux 5.6- x64 bit
Created 2 VLANs with IP and bond interface if i start network service [service network restart], I
get hardware address conflicts error message on vlan 121, 122
i have 1 physical lan cord, creating eth0, multiple vlans, bond1, bond0 interfaces
i could see eth0 192.168.1.12, bond1 192.168.48.128 but vlan121, vlan122 no static ips displayed
Question : How can i build vlan121, vlan122 ip address should set as static ips (or) based on hardware address
when i run #ifconfig -a ==> default HwAddr displays common for all the vlans, bond1, eth0
# vim /etc/sysconfig/network-scripts/ifcfg-vlan121
DEVICE=vlan121
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.48.129
#HWADDR=a2:c0:a0:a8:01:01
VLAN=yes
PHYSDEV=eth0
VLAN_NAME_TYPE=VLAN_PLUS_VID_NO_PAD
MASTER=bond1
SLAVE=yes
# vim /etc/sysconfig/network-scripts/ifcfg-vlan122
DEVICE=vlan122
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.48.130
#HWADDR=a2:c0:a0:a8:01:01
VLAN=yes
PHYSDEV=eth0
VLAN_NAME_TYPE=VLAN_PLUS_VID_NO_PAD
MASTER=bond1
SLAVE=yes
# vim /etc/sysconfig/network-scripts/ifcfg-bond1
DEVICE=bond1
IPADDR=192.168.48.128
NETMASK=255.255.255.0
BOOTPROTO=none
USERCTL=no
TYPE=Ethernet
ONBOOT=yes
IPV6INIT=no
BONDING_OPTS="mode=active-backup miimon=100 downdelay=5000 updelay=5000"
GATEWAY=192.168.48.1
I'm not really sure I understand your question. If you want any or all network interface cards in a computer to be used for communication, then any or all need to be connected to a switch or network router using a cable. Every real and virtual NIC has a physical address (MAC), which the device broadcasts when initialized to tell other devices that it's there. The MAC address is a unique number. The mapping of an IP address to a MAC address is maintained by an ARP table.
Network redundancy typically shifts an IP address among available devices. If a device fails, a standby is activated, which updates the ARP table to inform other devices of the change and IP communication can continue. I have also seen non Linux systems, which actually modify the physical MAC address of a device. If you want to use multiple NICs to work in a team for performance, the system network stack needs to support inverse multiplexing and you need to connect each device to a managed network switch that supports Link Aggregation Control Protocol (802.3ad).
Your ping issue might be due to TCP/IP routing. Devices by default see each other only if they are physically connected through a switch and share the same network or subnet. If you have devices with different subnets you need to configure a TCP/IP gateway or bridge. This is basic TCP/IP routing and knowledge, which is explained by many free sources available on the Internet. Just search Google for TCP/IP routing basics.
Update:
Looking at your TCP/IP configuration from the information you provided, your VLAN interface is not within the network (netmask) of your gateway, hence the VLAN interface has no knowledge of your other networks. So perhaps if you change your VLAN to 255.255.0.0 it will work. -
Hi,
I need some help setting up L3 Cisco 3560 for my VM lab. I have set up a few VLANs and at this point I am trying to test out routing and connectivity. I came across two issues and I am trying to get good advice from the experts since I am not
The Cisco 3560 is directly connected to my home router gi0/4 192.168.10.0/24 which would be my internet connection. The home router default gateway is 192.168.10.1.
I created Vlan192 on the 3560 to interact with the home router and get me to the outside world from the core. Obviously I'm doing something wrong here and came across 2 issues.
1- I tried setting Fas0/2 as trunk port and using the vlan226 on my pc but it won't work when I set this to my computer. It won't route to all vlans and I am not able to ping this 10.23.226.9 address from the 3560. The only way this works for me is if I set the IP to the 192 range which is my native Vlan, but anything other than 192 won't route.
PC IP address
10.23.226.9
255.255.255.0
10.23.226.254
Fas0/2 configuration
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 192,224-229
switchport mode trunk
Please see my entire config below and maybe you can help since I am not an expert on this.
zeus-sw1#sh run
Building configuration...
Current configuration : 5364 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname zeus-sw1
boot-start-marker
boot-end-marker
no logging console
enable secret 5 $1$E9/L$UAOdxa6S.6QT52G2Lgcll0
enable
username admin1 privilege 15 secret 5 $1$hlCW$laTgSRIXF2LnZO.wyd0k0/
aaa new-model
aaa session-id common
system mtu routing 1500
vtp mode transparent
ip routing
crypto pki trustpoint TP-self-signed-13407744
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-13407744
revocation-check none
rsakeypair TP-self-signed-13407744
crypto pki certificate chain TP-self-signed-13407744
certificate self-signed 01
quit
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 192
name NativeVlan
vlan 224
name iSCSI
vlan 225
name ESX_MGMT
vlan 226
name VM_SERVERS
vlan 227
name VMOTION
vlan 228
name VIEWDESKTOPS
vlan 229
name VCLOUD
lldp run
interface FastEthernet0/1
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 192
switchport trunk allowed vlan 192,224-229
switchport mode trunk
interface FastEthernet0/3
interface FastEthernet0/4
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface FastEthernet0/25
interface FastEthernet0/26
interface FastEthernet0/27
interface FastEthernet0/28
interface FastEthernet0/29
interface FastEthernet0/30
interface FastEthernet0/31
interface FastEthernet0/32
interface FastEthernet0/33
interface FastEthernet0/34
interface FastEthernet0/35
interface FastEthernet0/36
interface FastEthernet0/37
interface FastEthernet0/38
interface FastEthernet0/39
interface FastEthernet0/40
interface FastEthernet0/41
interface FastEthernet0/42
interface FastEthernet0/43
interface FastEthernet0/44
interface FastEthernet0/45
interface FastEthernet0/46
interface FastEthernet0/47
interface FastEthernet0/48
interface GigabitEthernet0/1
interface GigabitEthernet0/2
switchport trunk allowed vlan 192,224-229
interface GigabitEthernet0/3
interface GigabitEthernet0/4
description LINK SG200 UNTAGGED
switchport trunk encapsulation dot1q
switchport trunk native vlan 192
switchport trunk allowed vlan 192,224-229
switchport mode trunk
interface Vlan1
no ip address
interface Vlan192
ip address 192.168.10.254 255.255.255.0
interface Vlan224
description iSCSI
ip address 10.23.224.254 255.255.255.0
interface Vlan225
description ESX
ip address 10.23.225.254 255.255.255.0
interface Vlan226
description VM_SERVERS
ip address 10.23.226.254 255.255.255.0
ip helper-address 10.23.226.2
interface Vlan227
description VIEWDESKTOPS
ip address 10.23.227.254 255.255.255.0
interface Vlan228
description vCloudDir
ip address 10.23.228.254 255.255.255.0
interface Vlan229
description SERVERS
ip address 10.23.229.254 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip http server
ip http authentication local
no ip http secure-server
end
Glen,
Thanks for your advice. After changing the port to an access port I am able to ping all VLANs and my gateway from my home router 192.168.10.1. However, a new issue came up. I am not able to get to the internet.
It seems it works from the 3560:
zeus-sw1#ping yahoo.com
Translating "yahoo.com"...domain server (255.255.255.255) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 206.190.36.45, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/94/134 ms
zeus-sw1#
It won't work from my pc:
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::3d53:efc0:ea00:9bd2%3
IPv4 Address. . . . . . . . . . . : 10.23.226.9
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.23.226.254
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter isatap.{461494F6-EA41-42CC-8B0A-B5BD2D8097DA}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\user1>ping google.com
Ping request could not find host google.com. Please check the name and try again.
C:\Users\user1>ping 14.2.2.2
Pinging 14.2.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 14.2.2.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), -
I am configuring VLANs on 2960x switches by building. We have about 15 buildings and would like to have each building be in its own VLAN. The issue I am having is that we have some devices that have static IPs and when those devices are plugged in, they do not work. Cannot ping them. For example, our maintenance department has some energy management devices that are addressed 10.20.1.x and printers are addressed 10.10.101.x. So when I configure vlan 55, ip address 10.55.1.2, set the switch ports to switchport access vlan 55 and plug any device with a static IP into that switch, it doesn't work. Is it possible to have these devices on the same VLAN as everything else in their building without changing their IP address?
The 2960 is set up with all ports in vlan 55 and the link back to the 4506 is a trunk port. The 4506 port is set up the same.
4506
interface Vlan55
ip address 10.55.1.1 255.255.255.0
Port to 2960
interface GigabitEthernet2/10
switchport access vlan 55
switchport mode trunk
2960
interface Vlan55
ip address 10.55.1.3 255.255.255.0
ip helper-address 10.10.1.41 -- DHCP server
ip helper-address 10.10.11.2 -- wireless controller
port to 4506
interface GigabitEthernet1/0/52
switchport access vlan 55
switchport mode trunk
ip route 0.0.0.0 0.0.0.0 10.55.1.1
When I plug in a device with a static IP, for example, 10.20.1.250, SM 255.255.0.0, DG 10.20.1.1 it does not work. These are not PCs. They are Allen-Bradley controllers that are installed on equipment like air compressors and heaters so our maintenance department can monitor everything. These devices will not be in every switch and have been installed way before I started working here. I set up a PC using an address in the 10.20 range and can't even ping the switch that it is plugged into. -
VLAN's on 3524 VLAN enable issue (I don't want to route between them)
I have segmented a 3524 switch into three different VLANs. One is the managment VLAN 1 and the other two are for my Test Lab and Production network. I don't want either VLAN to see the other (router between them). My problem is my VLAN10 and VLAN12 will not come out of a shutdown state. They stay administratively down even after I issue the no shut command from within the VLAN Interface. What am I doing wrong here?
My guess is that you created 3 SVIs instead of creating the layer 2 VLANs that you need. Do a "show vlan"; do all 3 of your VLANs show up? If you created 3 different layer 3 SVIs (conf t, interface vlan 10 and/or 12), then the switch will only enable 1 because this is strictly used to manage the switch. To create your VLANs I believe on this switch you need to use the vlan database. At the switch prompt type vlan database, enter. Then type vlan 10, hit enter, then type vlan 12 and hit enter. This activates the layer 2 VLANs. Exit out to the command line and do a show vlan and see if all 3 show up now. Apply the VLANs to the ports as needed. These should now show up when you do a "show vlan". I think you are getting confused between the layer 3 SVIs and the layer 2 VLANs.
-
Greetings network wizards,
I'm facing an interesting issue in our enterprise network.
There is management VLAN. There are various devices in management VLAN (e.g. WLC controllers, SVIs for management on our catalysts, interfaces for management of servers, ...).
There are also other VLANs (office100, office101, printers, technology, ...). I'm unable to ping one device on our management VLAN from office VLAN. From all other VLANs, the ping works fine.
In terms of CLI (where a.b.c.d is the problematic destination address in management VLAN):
ping a.b.c.d. source vlan 20 = success
ping a.b.c.d source vlan 50 = success
ping a.b.c.d source vlan 90 = success
ping a.b.c.d source vlan 101 = failure
The ping is launched from either of our two L3 switches and the a.b.c.d address belongs to computer shown in the bottom of the picture.
The excerpt of our physical topology can be seen below.
The L3 switches depicted above are our two 4506 catalyst switches with SVIs for our multiple VLANs. There is also HSRP group for each VLAN on our L3 switches.
I checked all the relevant data structures (arp, mac, fib, adjacency tables) and everything seems OK. What is also worth to mention, is the fact, that the IP address of the switch shown in the bottom of the picture is in same VLAN as the device represented by PC attached to the switch in the bottom. That management SVI of the switch is pingable and working regardless of the source VLAN.
Any help would be appreciated.
Best regards,
SZ
Hi,
I'm afraid that the configuration you posted above won't solve my issues. It is so because of the following packet flow:
Ping from VLAN 101 (office) to VLAN 900 (management) flows to either of my L3 switches. L3 switch takes a look at the destination IP address and assumes, he should use VLAN900. Thus, he uses VLAN900 SVI, encapsulates the frame to VLAN900 802.1q frame and sends it out of the appropriate trunk (the appropriate trunk is identified by destination IP address and corresponding MAC address).
Please, keep in mind that the topology is only excerpt and other switches are physically present, too (but not shown here). These other switches have clients from VLAN101 attached and these clients can easily ping the access switch (VLAN900) shown in the picture, but they're unable to ping the PC (VLAN900) attached to the same access switch. PC's switchport is assigned to correct VLAN. The frame coming from VLAN101 from another switch (not shown in picture) is rerouted at L3 switch and is put on trunk as VLAN900 frame. Then it flows down to the access switch. STP and trunks are fine ... because:
If I had STP issue or trunk misconfiguration in place, I wouldn't be able to reach the access switch (from whatever VLAN). In my current situation, I'm able to reach it easily.
Best regards,
SZ
-
I have a 6509 with a vlan 105 configured. I have also added a vlan 100. Vlan 100 and 105 work for internal routing. Vlan 105 workstations can get to the internet. However, any vlan 100 workstation cannot access the internet. A tracert from a workstation on vlan 100 stops at the 6509. Attached is the 6509 config, I have included IP just because they already have changed.
Any ideas? Does the port connecting to my firewall have to allow all vlan traffic? If so, how do I do this?
thanks,
Hi,
Please provide more information on the setup (other devices, connectivity diagram) to have a clear idea, so that we can help you.
From the config provided, I could see the following default route
ip route 0.0.0.0 0.0.0.0 10.175.105.3
What is 10.175.105.3? Is this your firewall / WAN router?
Also, what is the need for this static route?
ip route 10.175.100.0 255.255.255.0 10.175.105.3
10.175.100.0/24 is the subnet for vlan 100, which is a directly connected network on this switch. Hence you don't need that route. Remove that route.
Finally, whatever device is 10.175.105.3, please add a route in that device for vlan 100 so that traffic can reach vlan 100.
The route that you should add in 10.175.105.3 is
ip route 10.175.100.0 255.255.255.0 10.175.105.1
Hope this helps.
-VJ -
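The routing behaviour VJ's reply relies on, as an added example that is not part of the original thread: a longest-prefix-match lookup in which the connected route beats the redundant static on the 6509, and the firewall's reply to a vlan 100 host only heads back to 10.175.105.1 once the suggested route exists. The firewall table contents, the host addresses and the internet destination are constructed assumptions.

```python
import ipaddress

# Administrative distance as on Cisco IOS: connected 0, static 1.
AD = {"connected": 0, "static": 1}

def best_route(table, dst):
    """Longest-prefix match; equal prefix lengths go to the lower AD."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen,
                                    -AD[r[1]]))

def next_hop(table, dst):
    route = best_route(table, dst)
    return None if route is None else route[2]

# 6509 view: (prefix, source, next hop or exit interface).
SWITCH = [
    ("10.175.100.0/24", "connected", "Vlan100"),
    ("10.175.105.0/24", "connected", "Vlan105"),
    ("10.175.100.0/24", "static", "10.175.105.3"),  # the redundant static
    ("0.0.0.0/0", "static", "10.175.105.3"),
]

# Constructed firewall table: inside subnet plus a default out the WAN side.
FIREWALL_BEFORE = [
    ("10.175.105.0/24", "connected", "inside"),
    ("0.0.0.0/0", "static", "WAN"),
]
# Same table with the route suggested in the reply added.
FIREWALL_AFTER = FIREWALL_BEFORE + [
    ("10.175.100.0/24", "static", "10.175.105.1"),
]

HOST_VLAN100 = "10.175.100.50"   # constructed host addresses
HOST_VLAN105 = "10.175.105.50"
INTERNET = "198.51.100.10"       # documentation range, stands in for any site

def report():
    return {
        "switch_to_internet": next_hop(SWITCH, INTERNET),
        "switch_to_vlan100": next_hop(SWITCH, HOST_VLAN100),
        "reply_to_vlan105": next_hop(FIREWALL_BEFORE, HOST_VLAN105),
        "reply_to_vlan100_before": next_hop(FIREWALL_BEFORE, HOST_VLAN100),
        "reply_to_vlan100_after": next_hop(FIREWALL_AFTER, HOST_VLAN100),
    }

if __name__ == "__main__":
    for name, hop in report().items():
        print(f"{name:26} -> {hop}")
```

Before the route is added, replies to vlan 100 hosts match only the firewall's default and leave on the WAN side, while vlan 105 replies are delivered on the connected inside subnet.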
Multiple vlans configuration issue with RV016 router and SG 300-10MP switch
Hi,
I have to configure multiple vlans served with a unique DHCP server. As a first step, I just want the DHCP server to serve 2 vlans. The following is the hardware and configuration that I implemented:
Router (RV016 10/100 16-Port VPN Router) as gateway mode:
IP : 172.16.0.1/24
DHCP Server :
IP : 172.16.0.2/24 GW: 172.16.0.1
2 subnets :
172.16.1.0/24 GW: 172.16.1.1 to serve vlan 1
172.16.2.0/24 GW:172.16.2.1 to serve vlan 2
Switch (SG 300-10MP 10-Port Gigabit PoE Managed Switch) as layer 3 mode:
IP 172.16.0.254 (vlan 8 default)
Vlan 1 : 172.16.1.1
Vlan 2 : 172.16.2.1
1 device connected on each vlan
a workstation on the vlan 1
a laptop on the vlan 2
In this scenario (see the attached pdf file) the DHCP server is connected on a router, hosts on vlans don't receive any IP address.
But If I connect the DHCP server on a trunked switch port and adapt the DHCP server gateway 172.16.0.1 to 172.16.0.254, hosts receive ip address properly.
I have to connect the DHCP server directly to the router. How can I do that, what is wrong in the configuration ?
I hope the explanations are clear enough and my English too
Any help will be highly appreciated,
Zoubeir
Hi Eric, the small business group doesn't support the ASA config, but I can help with the switch.
A couple things I notice in your description-
48 port (192.168.1.254) and the other 24P (192.168.1.253) we have a second vlan 20 set up on the 24P switch (192.168.2.253) we have ports 1-12 set for vlan20 (untagged and trunk), the remaining ports on the default vlan 1.
The connection between the switches, is it 1u, 2t?
The link between the switches should be 1u, 2t, the switches support the trunking and vlan tagging, meaning all communication will work fine.
We have the 24p and 48p switches connect using GE1 and GE1. We are unable to ping a device on vlan 20 ( on the 24p switch
The 24p switch should be in layer 2 mode, if you have the 48 port l3 switch upstream. Additionally, you need to have the default gateway set on the 24p switch.
We have a static route set on the 24p switch (0.0.0.0 192.168.1.0).
Between the switches, it shouldn't require any static routes, assuming you correctly trunk / tag your ge1 ports, with both switches operating in l3, the ip route table dynamically builds the connected routes, therefore a static route is redundant.
-Tom
Please rate helpful posts