Access VLAN on 3650 Stack

I've added a stack of two 3650's to my existing network as follows:
Watchguard XTM 510 managing 3 VLANs (1,25,50) with trunked connection to the 3650 stack (switchport mode trunk) on Gi1/0/1-2 and also have DHCP services enabled for each VLAN segment
ESXi server(s) with trunked connection(s) to the 3650 stack (switchport mode trunk, switchport nonegotiate, channel-group # on) on Gi1/0/3-8
Each ESXi server has three vSwitch with appropriate VLAN ID tagging and VMs work as expected (IP address assigned, traffic reaching the firewall, etc.)
However, if I assign Gi1/0/9 to VLAN 25 or VLAN 50 (switchport mode access, switchport access vlan 25/50), an end device (laptop, etc.) is unable to obtain an IP address for the appropriate VLAN segment, nor does traffic seem to pass even if an IP address is manually configured for either VLAN segment.
Any idea what I'm missing in my configuration?
TIA

Excerpts from my config:
interface Port-channel1
 description Watchguard
 switchport mode trunk
interface Port-channel3
 description ESXi-01
 switchport mode trunk
interface GigabitEthernet1/0/1
 description Watchguard
 switchport mode trunk
 channel-group 1 mode active
interface GigabitEthernet1/0/2
 description Watchguard
 switchport mode trunk
 channel-group 1 mode active
interface GigabitEthernet1/0/3
 description ESXi-01
 switchport mode trunk
 channel-group 3 mode on
interface GigabitEthernet1/0/4
 description ESXi-01
 switchport mode trunk
 channel-group 3 mode on
interface GigabitEthernet1/0/9
 description Laptop
 switchport access vlan 25
 switchport mode access
c3650#show vlan id 25 
VLAN Name                             Status    Ports
25   VDI-25                           active    Gi1/0/9, Po1, Po2, Po3, Po4, Po5, Po6, Po7
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
25   enet  100025     1500  -      -      -        -    -        0      0   
Remote SPAN VLAN
Enabled
Primary Secondary Type              Ports
c3650#show int gi1/0/9 switchport
Name: Gi1/0/9
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 25 (VDI-25)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Similar Messages

  • VLAN on 3750 Stack

    I am in the process of getting a 3750 switch stack installed. The stack will use layer 3 and will replace a 5505 layer 2 switch. The 5505 has all Ethernet ports set to VLAN 110.
    My 3750 stack will also have all FastEthernet ports in VLAN 110.
    I wanted to do as much of the up-front installation as possible prior to cutover, but did not want to cause any problems in my VTP domain, so for the moment I have shut down VLAN 110 on the 3750 stack.
    I noticed that as soon as I did, it took the following off of every FastEthernet interface in the stack:
    switchport access vlan 110
    switchport mode access
    While I sort of understand why, it has caused a little trouble because I have recently added another 3750 to the stack and was planning on configuring the rest of my interfaces using a port range.
    I assume the commands will be added back as soon as the interface VLAN 110 is taken out of shutdown.
    I was just taken by surprise that it modified the configuration like that, and it has made it hard to configure the other FastEthernet ports I have added.
    Hope this is clear. Can anyone explain this a little more for me? Thanks

    I want to try and add some clarification.
    I have two 3750-48POEs in a stack, so I had 96 ports.
    Each FastEthernet interface on both 48-port switches was configured like this:
    interface FastEthernet1/0/1
    switchport access vlan 110
    switchport mode access
    switchport access vlan 410
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    priority-queue out
    mls qos trust cos
    no mdix auto
    spanning-tree portfast
    spanning-tree bpdufilter enable
    spanning-tree bpduguard enable
    After shutting down the VLAN 110 interface, here's the config currently:
    JDC-3750S-12#sh run int vlan110
    Building configuration...
    Current configuration : 199 bytes
    interface Vlan110
    description 10th, 11th, 12th Fl - Data
    ip address 10.4.110.1 255.255.255.0
    ip helper-address 10.4.1.100
    ip helper-address 10.25.192.7
    ip pim sparse-dense-mode
    shutdown
    After shutting down the interface for vlan 110, each fastethernet interface became
    JDC-3750S-12#sh run int fa1/0/1
    Building configuration...
    Current configuration : 388 bytes
    interface FastEthernet1/0/1
    switchport access vlan 410
    switchport mode access
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    priority-queue out
    mls qos trust cos
    no mdix auto
    spanning-tree portfast
    spanning-tree bpdufilter enable
    spanning-tree bpduguard enable
    1. So you see that the switchport commands for VLAN 110 got removed.
    2. I have added another 3750-24 POE switch since doing this and wanted to use a port range to make my additional set of ports like the ones in the original config.
    I can't do that now because the VLAN 110 info on the interfaces is gone.
    I'm just trying to understand what this thing is doing to me. Hope this helps.

  • CISCO 3650 Stacking

    Hi all,
    Can anyone please tell me about StackWise-160 in the Cisco 3650: is it used to merge two switches, or is one active and the second a backup?
    I mean, if I have two Cisco 3650s and use StackWise-160 between the switches, with all the servers connected to the first 3650 and the edge switches connected to the second 3650, is StackWise-160 used to transfer data between the two 3650 switches?
    Thanks

    Hi Reza,
    Thanks for your answer.
    I know that, but my question is about the data transfer. I will tell you my scenario:
    I have 8 edge switches connected to two 3650s by SFP interfaces (each 3650 connected to 4 edge switches), and the two 3650s are stacked. Some servers are connected to the first 3650 and some servers are connected to the second 3650. Can the 8 switches access all the servers and transfer data over the StackWise cable?
    I hope you understand what I mean; if you want, I will draw my scenario.
    Thanks

  • Tcl script to change access vlan based on MAC address

    Hello all. I'm looking for some input on how best to handle this situation. I have a large network with a lot of remote offices where we have limited control over users moving around patch cables. We're using VLAN-based QoS in these offices to mark voice, video, data, etc. The problem I'm having is that our users are moving video conferencing equipment to different interfaces on our switches, which puts the VTC unit in a different VLAN, fouling our QoS policy. They then call and complain about poor video quality.
    I'm trying to come up with a way to automate putting the interface in the video VLAN if a VTC unit is connected. All of our video conferencing units are from the same vendor, so they have the same OUI in the MAC address. The script I've been working on looks for a line protocol up event, then checks to see what access VLAN is configured on the interface. If the interface is already in the video VLAN, the script exits. If the interface is not in the video VLAN, the script looks at the MAC address table for the interface and, if the OUI matches a VTC unit, the script changes the interface configuration. My question is, is there a better event to trigger script execution? Maybe a MAC notification trap, or something else? Line protocol transitions when the access VLAN is changed, so the current script runs twice: once when the interface first comes up with a new connection, and again when the VLAN is changed.
    Script is attached. Any help or advice is appreciated!

    Does your video equipment use CDP?  If so, then you can use the neighbor-discovery event detector to only react when you see a media endpoint being connected to a port.  Yes, MAC address notifications (the mat ED) can also work if you know the MACs of your media endpoints.

  • NAC L2 OOB Auth and Access VLAN

    I'm new to the Cisco NAC appliance.
    I want to deploy L2 OOB VGM for my wired users.
    I want to check whether I can have multiple Authentication VLAN to Access VLAN mappings.
    For example:
    Authentication VLAN 111 maps to Trusted VLAN 311
    and
    Authentication VLAN 112 maps to Trusted VLAN 312
    Then, in the port profile on the switch, I can allocate which ports should be using Authentication VLAN 111 and which VLAN 112.
    The reason I want to do this is that I need the users to obtain IP addresses that are associated with the trusted segment, so that I do not have to bounce the switch port or use DHCP release/renew from the CCA or web client.

    Role-based access VLAN mapping for Windows single sign-on (SSO) users can be achieved with this procedure:
    Choose Management > Auth Servers and select Auth Type to Active Directory SSO.
    Select Default Role for the role that you want Windows SSO users to be in after they are logged in. For example, in this case it should be vencorp.
    Choose User Management > User Roles, select the role (vencorp) and click Edit.
    Define the Out of Band User Role VLAN to 5 (or any VLAN that you want the users of this role to be).
    Save the role.
    Choose Switch Management > Profiles > Port > List and click Edit for the control profile.
    Change the Access VLAN to User Role VLAN and click Update.
    Log in through the PC with SSO. You are now logged in to the domain and have role-based VLAN mapping.

  • Layer 2 Loop-Free U Access - VLAN Extension possible

    Cisco says in its 642-874 study guides that the L2 Loop-Free U design in the access layer has these characteristics:
    The following are characteristics of loop-free U access:
    ■ VLANs are contained in switch pairs (no extension outside of switch pairs).
    ■ No STP blocking; all uplinks are active.
    ■ Layer 2 service modules black hole traffic on uplink failure.
    Why would VLAN extension be not supported in this topology? See attached picture where it seems it could be working.
    Thanks.

    Hi Todd,
    You may be right to some extent; it does work in the case where all the uplinks are up and the access switches are daisy-chained.
    However, it is not an optimal design in terms of layer 2 extension and redundancy in case of a device or link failure.
    If you have the inter-switch link configured in layer 2 then this could be better, but you need to remove the inter-switch link between the access switches.
    HTH

  • NAC OOB VGW Auth/Access VLAN

    Hi,
    Does anyone know, when you're setting up this topology and configuring VLAN mapping, whether you need unique Auth VLANs for every Access VLAN? Or can you use one Auth VLAN and map it to multiple Access VLANs? I assume you need unique Auth VLANs.
    Thanks

    Aaron,
    You can have one auth going to different access vlans based on conditions. Look at User-Role VLANs closely to accomplish that.
    HTH,
    Faisal

  • Auth VLAN and Access vlan

    When the interface comes up, the CAM puts the user in the AUTH vlan as expected via the set command (vlan 210)
    03:09:09: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
    03:09:09: SNMP: Set request, reqid 2144479366, errstat 0, erridx 0
    vmVlan.1 = 210
    that works OK
    Fa0/21, Fa0/22, Fa0/23
    210 VLAN0210 active Fa0/1
    211 VLAN0211 active
    So SNMP RW works OK,
    After the user logs in to the network, the user should be put back into VLAN 220 (according to the port profile settings), but nothing happens: no set command is sent, no SNMP traffic at all. The user remains in the AUTH VLAN and the agent loops.
    I have tried all the settings, role based, initial VLAN as well, to no avail.
    Any ideas? What to check for?
    Rafal

    Have you double checked your settings for mapping ports with the VG setup guide?
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_addSrvr.html#wp1089247
    Also make sure your OOB port profile is correct and that it switches from auth to access vlan after authentication
    http://www.exio.com/en/US/docs/security/nac/appliance/configuration_guide/411/cam/m_oob.html#wp1083087

  • VoIP query - Access VLAN shutdown

    We share meeting rooms with another company, and we require the Access VLAN to be disabled when the room is not being used by a member of our firm. How do I go about doing this?
    We still need the Voice VLAN to be active.
    Any solutions would be great.
    We are using 3560s.

    Hi there,
    There are a few ways you could do this. The first and most painful way would be to take the MAC addresses of the PCs that will use the switch port and only allow them to connect using port-security. You could also use dot1x authentication on the port. Or you could change the access VLAN to one that nothing is on when the room is not in use. That way, the phone will still work, but the data will be in a VLAN that goes nowhere.
    Hope that helps,
    LH
    Please rate all posts

  • Switchport comparision, "trunk native vlan" versus "access vlan"

    I want to understand the logic when I install an IP phone with a PC attached. Is there any difference between the two configurations, for example, with regard to handling QoS?
    switchport access vlan 100
    switchport voice vlan 200
    versus
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100
    switchport voice vlan 200
    switchport mode trunk
    Thanks in advance,

    The difference is that these apply to two different sets of switches.
    The first set of configuration applies to the newer series switches: Cisco 3550, 3560, 3750 series.
    The second set applies to the older series, Cisco 2900, Cisco 3500XL, etc. In these switches, you need to configure the port as a trunk before the port can take both the voice and data VLAN.
    In the newer series, the port can take both the voice and data VLAN and still not run in trunk mode.
    Regards,
    Anup

  • Access vlan vs $native Vlan

    SG300-28. If I configure int gi20 as switchport mode access and then set the access VLAN to 100, but I then set the smartport role to desktop, it sets the $native_vlan to 1. So are incoming untagged headers tagged as 100 or 1? I figure I need to either edit the smartport parameters or just leave it as auto smartport.
    interface gigabitethernet20
    storm-control broadcast enable
    storm-control broadcast level 10
    storm-control include-multicast
    port security max 10
    port security mode max-addresses
    port security discard trap 60
    spanning-tree portfast
    switchport mode access
    switchport access vlan 100
    macro description desktop
    switchport forbidden default-vlan
    macro auto smartport type desktop $max_hosts 10 $native_vlan 1

    Dear Partner,
    Thank you for reaching the Small Business Support Community.
    I would think incoming headers will be tagged as 1, but as for the "switchport forbidden default-vlan" command I am not that sure about it. It's been several days with no comment on this post, so I suggest you open a service request to figure this out:
    https://supportforums.cisco.com/community/netpro/small-business/sbcountrysupport
    Note that you may also use the "Partner Helpline" for this matter:
    http://www.cisco.com/web/partners/tools/ph.html
    http://www.cisco.com/web/partners/tools/helponline/index.html#~1
    Please do not hesitate to reach me back if there is any further assistance I may help you with in the meantime.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the Post so other will know when an answer has been found.

  • Switchport trunk native vlan & switchport access vlan dual configuration

    I've discovered this dual configuration on a 3500xl switch while troubleshooting an incrementing runts issue. Could the config of this port be related to the issue at hand?
    port configuration:
    interface FastEthernet0/3
    duplex full
    speed 100
    switchport access vlan 203
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 203
    switchport trunk allowed vlan 1,203,204,220,1002-1005
    switchport mode trunk
    spanning-tree portfast

    Hi,
    The 'switchport access vlan' command will have no effect on the configuration you have on this port. The port will operate as a trunk and will disregard any config that pertains to an access port.
    Hope that helps ...
    Paresh

  • Switchport access vlan Vs encapsulation dot1Q ?

    Hi All,
    Could someone explain the difference between encapsulation dot1Q and switchport access vlan?

    The command "switchport access vlan" is a command to specify the one-and-only-one VLAN you want the switch port to carry. By default, an access port will always carry VLAN 1. This is the reason why you will never see the command "switchport access vlan 1". You cannot have an access port carry more than one VLAN (except when you allow a voice VLAN).
    If you want to have two or more VLANs on a single switchport, then you need to enable trunking. The command "encapsulation dot1q" is one of the commands to enable trunking. This command specifies which of the two trunking protocols to use: IEEE's 802.1q or Cisco's ISL.
    Take note that without the command "switchport mode trunk" the interface is still an access port. Not all Catalyst switches will accept the command "switchport trunk encapsulation dot1q". This is because the switch will ONLY accept 802.1q encapsulation, so there's no need for this command. All Catalyst 2K (except 2924XL) and some legacy 4000/4500 line cards support only 802.1q encapsulation. All others will support either 802.1q or ISL. You will never find a Catalyst switch that can support BOTH 802.1q and ISL.
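    As an added illustration that is not part of any post in this thread, the Python below builds untagged and 802.1Q-tagged Ethernet frames and shows how an access port (with or without a voice VLAN) and a trunk port with a native VLAN and an allowed-VLAN list each decide which VLAN an arriving frame belongs to. The port settings are constructed from the 'show interfaces switchport' fields and the 'switchport trunk allowed vlan' syntax quoted in this thread; the classification rules are a simplified model written here, not Cisco's implementation.

```python
import struct

TPID_DOT1Q = 0x8100        # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, payload, vlan=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; when vlan is given, a 4-byte 802.1Q tag is inserted
    between the source MAC and the EtherType (TPID, then PCP|DEI|VID)."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)   # DEI bit left at 0
        hdr += struct.pack("!HH", TPID_DOT1Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (vid, pcp) if the frame carries an 802.1Q tag, else None."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_DOT1Q:
        return None
    tci = struct.unpack_from("!H", frame, 14)[0]
    return tci & 0x0FFF, tci >> 13


def parse_vlan_list(spec):
    """Expand 'switchport trunk allowed vlan' syntax, e.g. '1,203,204,220,1002-1005'
    or 'ALL' (shown as 'Trunking VLANs Enabled: ALL'), into a set of VLAN IDs."""
    if spec.strip().upper() == "ALL":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def classify_ingress(frame, port):
    """VLAN the switch assigns to a frame arriving on `port`, or None if dropped.
    `port` is a dict with 'mode' plus access_vlan/voice_vlan or native_vlan/allowed.
    Simplified model (hypothetical): not taken from any vendor documentation."""
    tag = parse_tag(frame)
    if port["mode"] == "access":
        # untagged or priority-tagged (VID 0) frames, or frames already tagged
        # with the access VLAN, land in the access VLAN
        if tag is None or tag[0] in (0, port["access_vlan"]):
            return port["access_vlan"]
        if tag[0] == port.get("voice_vlan"):
            return port["voice_vlan"]     # phone traffic tagged with the voice VLAN
        return None                       # any other tagged VLAN is discarded
    # trunk: untagged (or VID 0) frames belong to the native VLAN, tagged frames
    # to their VID, and both are subject to the allowed-VLAN list
    vid = port["native_vlan"] if tag is None or tag[0] == 0 else tag[0]
    return vid if vid in port["allowed"] else None


if __name__ == "__main__":
    # constructed sample ports mirroring configs quoted in this thread
    gi9 = {"mode": "access", "access_vlan": 25}
    fa3 = {"mode": "trunk", "native_vlan": 203,
           "allowed": parse_vlan_list("1,203,204,220,1002-1005")}
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", b"\x00" * 4)
    tagged25 = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", b"\x00" * 4, vlan=25)
    print("Gi1/0/9 untagged ->", classify_ingress(untagged, gi9))   # 25
    print("Fa0/3   untagged ->", classify_ingress(untagged, fa3))   # 203 (native)
    print("Fa0/3   tag 25   ->", classify_ingress(tagged25, fa3))   # None (not allowed)
```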

  • NAC manager doesn't change auth vlan to access vlan

    Hi,
    I am trying to install L2 out-of-band NAC in my LAN, but I have a problem for which I don't seem to find any solution.
    The problem is that the NAC manager simply doesn't change the switchport from the authentication to the access VLAN, although the user is authenticated and all CAA requirements have been met.
    I connect my laptop to the switch, the NAM changes the VLAN to the auth VLAN, and the laptop gets an IP address from the access VLAN (VLAN mapping configured on the NAM). Then the CCA login pops up and I enter my username and password. After that the CAA says "Successfully logged in to network", but the laptop stays in the auth VLAN. I can see my user in the "out of band" users list (on the NAM), but the laptop (its MAC address) is not in the certified devices list, and the Manager keeps it in the auth VLAN. So when I click OK in the CAA, the login window pops up again because I'm still in the authentication VLAN.
    What could be the problem? I really tried everything and I don't know why the manager doesn't put the laptop in the certified devices list (I repeat, the user is in the out-of-band users list), the CCA says successfully logged in to network, and all requirements are met too.

    Faisal,
    Thank you very much, yes, that was the problem. I didn't have a managed subnet entry. Now it works fine, but I have another problem. When I added the managed subnet, I cannot connect to the NAC server from my PC, which has an IP address from that subnet range. I can neither ping nor connect via https; it is totally inaccessible.
    What can I do to keep that managed subnet entry and still be able to connect to the server from that subnet (VLAN)?
    I tried adding the managed subnet entry with the auth VLAN (400), then with the access VLAN (110) and no-VLAN (-1), but the situation is the same: clean access works fine, but I cannot reach the server from my PC.

  • Access to the JAVA Stack of PI system

    Hi,
    A user wants access to the JAVA stack in the PI system.
    Below is the message when the user tries to log on to the Integration Builder in SAP NetWeaver for the PI Portal:
    "No authorization for this action".
    Kindly let us know how access to the JAVA stack is possible.
    Thanks and Regards,
    Sachin.

    Hi,
    At present I would like to go for Alert configuration as Raja Sekhar suggested. I referred to a number of blogs that explain how to get an alert mail (through ALRTCATDEF and SCOT), but I need to know how to get the alert as an SMS: where can I specify the mobile numbers and how do I do it? Please do the needful.
    Regards,
    srihari.
