ACS 5.x Multiple Vlans

Similar Messages

• Multiple Vlans Per SSID

  Hi
  We are just putting in a new Controller - 5500 type
  We are using a WCS .
  Someone has raised the issue of whether we can have multiple vlans
  per SSID - as otherwise we may have very large broadcast domains
  due to the overall design being to have  Maybe 3 SSIDs
  Guest
  Staff
  Engineering
  I think in SWAN we could get away with dynamic vlans.
  We would like to have multiple vlans in each SSID to avoid the above.
  Can we do this in the new setup.
  Kind Regards
  Steve

  Hi Steve,
  yes it works just the same.
  Enable AAA override on the controller and have interfaces configured for each vlan. Then the ACS can simply push the vlan depending on the user authentication. Users are then split in separate vlans.
  Another way of doing is to group APs. You can have a group of APs serving SSID Guest in vlan 1, Employee in vlan 2 and another group of APs serving the same SSIDs but in vlan 3 and 4. It's "per-user" vlan load balancing or "geographic" vlan load balancing.
  However, broadcast domains should not be a major concern in wireless as broadcasts are blocked by default. The WLC will proxy for ARP and DHCP.
  Regards,
  Nicolas

• Multiple Vlans on a single port.

  hi,
  Can i configure single port with multiple vlans on L2 2950 switch, if yes then what are the commands.
  Thanks,
  Vishal D.

  Paresh,
  i think i have not quoted the question properly.
  see by doing 'switchport mode trunk' it will flow the traffic of all vlan right.
  but if i want to give access of selected vlans then what to do,
  i have tried the command 'switchport trunk allowed vlan 1,2,3'
  do i have to give encapsulation on that port, but on 2950 encap cannot be configured.
  now can u tell me wht is possible to do.
  Thanks for ur reply.
  Vishal.

• DHCP Setup across multiple VLANs on RV325 - DHCP Server only working on VLAN 1

  I have multiple VLAN subnets defined on my RV325 - when I try and utilize a DHCP Server on each VLAN, it only seems to be issuing IP Addresses to clients on VLAN ID 1.  When I first set this up months ago, I thought I had tested it providing IP Addresses via the other subnets.  Now that I am trying to do so, it isn't working "as expected".  Example - I am using VLAN 25 as the GuestWireless subnet utilizing a separate 802.11n WAP that is set to Bridge connections to the IP Address of the VLAN interface.  Devices are able to connect to the WAP, but end up with a self-assigned IP Address 169.x.x.x address.  There has to be an easy fix to this, but I seem to be "stuck" figuring out what it is…pointers/redirects appreciated.  Thanks!

  Thanks - I've already reviewed that information before I posted.  I've been working with DHCP since the mid-90's, so I'm comfortable with the settings/configuration I need to leverage to make this work via other means using various Network-based OSes.
  I'm wondering if there are other options in configuring this device that can impact the ability to dynamically serve IP addresses on a VLAN/subnet-by-VLAN/subnet basis.
  As I did more testing, I discovered when I reserved an IP Address via the IP & MAC Binding option within the DHCP Settings, those devices would receive their static reservations and work as expected, so the problem seems to be leveraging the DHCP Pool for devices connecting to VLANs other that VLAN 1.
  Any ideas as to why the DHCP Pool's are "non-functioning" for the other VLANs is greatly appreciated...
  Each VLAN is setup with a separate DHCP Server configuration as shown below:
  VLAN ID = 1 (Default, Inter VLAN Routing = Enabled, LAN1-6 = Untagged, LAN7=Tagged, LAN8=Excluded, LAN9-14 Untagged)
  Device IP Address = 172.16.xxx.1
  Subnet Mask = 255.255.255.0
  DHCP Mode = DHCP Server
  Remote DHCP Server = 0.0.0.0
  Client Lease Time = 1440 min
  Range Start = 172.16.xxx.100
  Range End = 172.16.xxx.199
  DNS Server = Use DNS as Below
  Static DNS 1 = 208.67.222.222
  Static DNS 2 = 208.67.220.220
  WINS Server = 0.0.0.0
  Correctly serving IP Addresses via DHCP (both static and dynamic) to Wired devices & Wireless devices connecting through WAP (set to Bridge)
  VLAN ID = 25 (GuestWireless, Inter VLAN Routing = Disabled, LAN1-LAN7 = Excluded, LAN8 = Untagged, LAN9-14 = Excluded)
  Device IP Address = 172.16.yyy.1
  Subnet Mask = 255.255.255.0
  DHCP Mode = DHCP Server
  Remote DHCP Server = 0.0.0.0
  Client Lease Time = 1440 min
  Range Start = 172.16.yyy.100
  Range End = 172.16.yyy.199
  DNS Server = Use DNS as Below
  Static DNS 1 = 208.67.222.222
  Static DNS 2 = 208.67.220.220
  WINS Server = 0.0.0.0
  NOT serving dynamic IP Addresses via DHCP to Wired devices & Wireless devices connecting through WAP (set to Bridge)
  Static DHCP Reservations setup via IP & MAC Binding settings DO WORK in terms of providing the assigned static IP Address to the client.  Inbound/Outbound traffic to Internet works for devices with Static DHCP Reservations.
  VLAN ID = 100 (Voice, Inter VLAN Routing = Disabled, LAN1-6 Excluded, LAN7 = Untagged, LAN8-14 = Excluded)
  Device IP Address = 192.168.zzz.1
  Subnet Mask = 255.255.255.0
  DHCP Mode = DHCP Server
  Remote DHCP Server = 0.0.0.0
  Client Lease Time = 1440 min
  Range Start = 192.168.zzz.100
  Range End = 192.168.zzz.199
  DNS Server = Use DNS as Below
  Static DNS 1 = 208.67.222.222
  Static DNS 2 = 208.67.220.220
  WINS Server = 0.0.0.0
  NOT serving dynamic IP Addresses via DHCP to Wired devices & Wireless devices connecting through WAP set to Bridge
  Static DHCP Reservations setup via IP & MAC Binding settings DO WORK in terms of providing the assigned static IP Address to the client.  Inbound/Outbound traffic to Internet works for devices with Static DHCP Reservations.

• Multiple vlans configuration issue with RV016 router and SG 300-10MP witch

  Hi,
  I have to configure multiple vlans served with a unique DCHP server . As first step, I just will The DHCP server to serve 2 vlans. The following is the hardware and configuration that I implemented :
  Router (RV016 10/100 16-Port VPN Router) as gateway mode:
  IP : 172.16.0.1/24
  DHCP Server :
  IP : 172.16.0.2/24 GW: 172.16.0.1
  2 subnets :
  172.16.1.0/24 GW: 172.16.1.1 to serve vlan 1
  172.16.2.0/24 GW:172.16.2.1 to serve vlan 2
  Switch (SG 300-10MP 10-Port Gigabit PoE Managed Switch) as layer 3 mode:
  IP 172.16.0.254 (vlan 8 default)
  Vlan 1 : 172.16.1.1
  Vlan 2 : 172.16.2.1
  1 device connected on each vlan
  a workstation on the vlan 1
  a laptop on the vlan 2
  In this scenario (see the attached pdf file) the DHCP server is connected on a router, hosts on vlans dont receive any IP address.
  But If I connect the DHCP server on a trunked switch port and adapt the DHCP server gateway 172.16.0.1 to 172.16.0.254, hosts receive ip address properly.
  I have to connect the DHCP server directly to the router. How can I do that, what is wrong in the configuration ?
  I hope the explanations are clear enough and my English too
  Any help will be highly appreciated,
  Zoubeir

  Hi Eric, the small business group doesn't support the ASA config, but  I can help with the switch.
  A couple things I notice in your description-
  48 port (192.168.1.254) and the other 24P (192.168.1.253)  we have a  second vlan 20 set up on the 24P switch (192.168.2.253)  we have ports  1-12 set for vlan20 (untagged and trunk), the remaining ports on on the  default vlan 1.
  The connection between the switches, is it 1u, 2t?
  The link between the switches should be 1u, 2t, the switches support the trunking and vlan tagging, meaning all communication will work fine.
  We have the 24p and 48p switches connect using GE1 and GE1.  We are unable to ping a device on vlan 20 ( on the 24p switch
  The 24p switch should be in layer 2 mode, if you have the 48 port l3 switch upstream. Additionally, you need to have the default gateway set on the 24p switch.
  We have a static route set on the 24p switch (0.0.0.0 192.168.1.0). 
  Between the switches, it shouldn't require any static routes, assuming you correctly trunk / tag your ge1 ports, with both switches operating in l3, the ip route table dynamically builds the connected routes, therefore a static route is redundant.
  -Tom
  Please rate helpful posts

• Encrypting Aironet 1410 bridge link using multiple VLANs

  I've looked at the documentation available for Aironet 1400 series, and still would like to see a single document showing an example of
  the best encryption/authentication available for bridge links using multiple VLANs.
  As I understand it, 1400 series can support WPA-PSK using AES, which would work for me.  I just can't picture how to integrate chapters 9 and 10 for the 'WEP and WEP Features' + 'Configuring Authentication Types' instructions.
  I'm looking either for an example config, or a step-by-step that did all steps consecutively.
  Thanks

  What doc are you refering to?  If you want to encrypt the link from root bridge to non-root bridge, then WPA/TKIP-PSK is what you should use.  Here is a link to how to setup your link ssid to WPA: http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.2_15_JA/configuration/guide/p15auth.html#wp1044935
  Don't worry about the example they show on the WEP, just use the configuration from the above link for your encryption.
  Configuring a VLAN
  Configuring your bridge to support VLANs is a five-step process:
  1. Create subinterfaces on the radio and Ethernet interfaces.
  2. Enable 802.1q encapsulation on the subinterfaces and assign one subinterface as the native VLAN.
  3. Assign a bridge group to each VLAN.
  4. (Optional) Enable WEP on the native VLAN. <-- Use WPA-PSK
  5. Assign the bridge's SSID to the native VLAN.
  http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.2_15_JA/configuration/guide/p15vlan.html
  Here is an example of vlan 1 (native) will be your management and your wireless link.  vlan 10 & 20 will pass through the link.
  BR# configure terminal
  BR(config)# interface dot11radio0.1
  BR(config-subif)# encapsulation dot1q 1 native
  BR(config-subif)# bridge group 1
  BR(config-subif)# exit
  BR(config)# interface fastEthernet0.1
  BR(config-subif)# encapsulation dot1q 1 native
  BR(config-subif)# bridge group 1
  BR(config)# interface fastEthernet0.10
  BR(config-subif)# encapsulation dot1q 10
  BR(config-subif)# bridge group 10
  BR(config)# interface fastEthernet0.20
  BR(config-subif)# encapsulation dot1q 20
  BR(config-subif)# bridge group 20
  BR(config-subif)# exit
  BR(config)# interface dot11radio0
  BR(config-if)# ssid batman
  BR(config-ssid)# vlan 1
  BR(config-ssid)# infrastructure-ssid
  BR(config-ssid)# end

• ACS 5.4 multiple network interfaces support

  In ACS 5.4 release note, it says:
  Multiple network interface connector support
  ACS  5.4 supports up to four network interfaces: Ethernet 0, Ethernet 1,  Ethernet 2, and Ethernet 3. ACS management functions use only the  Ethernet 0 interface, but AAA protocols use all configured network  interfaces. You must connect the ACS nodes in the distributed deployment  only to the Ethernet 0 interface. Therefore, the syslog messages are  sent and received at the log collector's Ethernet 0 interface. Data  forwarding from one interface to another interface is prohibited to  prevent potential security issues. The external identity stores are  supported only on the Ethernet 0 interface. In ACS 5.4, multiple network  interface connectors are also supported for proxies.
  But in the CSACS 1121 Series Appliance Rear View section, it still says on Ethernet 0 is usable. All other  interfaces are blocked.
  I am confused. Can anyone clarify for me if we can use multiple network interface in ACS 5.4? What about management interface?
  Thanks!

  We configured 2 interfaces in past within testing enviornment and it worked. ACS 5.4 supports multiple network interfaces on the UCS platform, on a virtual machine and on the legacy ACS 5.x IBM/CAM hardware. The ACS management functions use the interface eth0 only and the AAA protocols use all available network interfaces.
  Jatin Katyal
  - Do rate helpful posts -

• Windows Load Balancing on Multiple VLAN?

  Hi all.  Just wondering if any of you having this same issue as I did.  I've got NLB configured on 2 VM running on Hyper-V.  Each of the VM equiped with 2 NIC.  The NIC for heart beat purpose is configured
  with Static MAC and with the option "Enable Spoofing for MAC Address" enabled.  Another NIC is for LAN communication purose.  Each of the NIC is reside on a different VLAN (VLANx and VLANy).  After I've got the NLB configured,
  with "unicast" mode.  I've noticed I am not able to ping the NLB virtual IP address from any of the clients.  Ping works between the NLB hosts, and is accessible.  Once I've put all the NIC into the same VLAN, NLB works
  fine; I can ping the NLB virtual IP, and test on IIS works good.  My question, does NLB requires all the host to reside in the same VLAN?  If NLB support mulitple VLAN, then how can I configure it to support multiple VLAN (eg: production LAN
  NIC on VLANx, and heart beat NIC on VLANy)?  Thank you.

  Hi,
  It seems that we need to use Multicast mode.
  Configure Network Load Balancing Cluster Operation Mode
  http://technet.microsoft.com/en-us/library/cc731616.aspx
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Multiple VLANs over 1300 series bridges

  Hi
  I am looking to connect a small external building to a main campus building by wireless bridge. The building i want to connect currently has two vlans, can the 1300 series bridges carry multiple vlans over the wireless bridge link? If so can anyone point me towards s document that explains it?
  Many thanks
  Simon

  Hi Simon,
  Yes they can, here is a link, i hope it helps you, look at the "Bridge configuration" title.
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
  Regards,
  Milton Tizoc.

• AP1300 Bridging Multiple Vlans with Dot1q

  I have a pair of AIR-BR1310G-E-K9 to do ptp bridging. Topology is like this:
  host-switch-rootAP---nonRootAP-switch-host
  We have multiple vlans and have followed this doco:
  <http://www.cisco.com/en/US/docs/wireless/access_point/1300/12.3_7_JA/configuration/guide/b37vlan.html>
  The native vlan is all good and can ping across end-to-end. However, the when I attach a host to the switch in another vlan i.e. user vlan - there is no connectivity. Essentially, we want to dot1q over the ptp bridge setup.
  running version:
  c1310-k9w7-mx.124-10b.JA1
  appreciate any input.
  Ajaz

  yes. standard trunk config on both switches:
  5SL_SWITCH#srif 0/24
  Building configuration...
  Current configuration : 186 bytes
  interface FastEthernet0/24
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,100
  switchport mode trunk
  switchport nonegotiate
  spanning-tree portfast trunk
  end
  5SL_SWITCH#show interfaces trunk
  Port Mode Encapsulation Status Native vlan
  Fa0/24 on 802.1q trunking 1
  Port Vlans allowed on trunk
  Fa0/24 1,100
  Port Vlans allowed and active in management domain
  Fa0/24 1,100
  Port Vlans in spanning tree forwarding state and not pruned
  Fa0/24 1,100
  5SL_SWITCH#
  11SL_SWITCH#srif 0/24
  Building configuration...
  Current configuration : 186 bytes
  interface FastEthernet0/24
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,100
  switchport mode trunk
  switchport nonegotiate
  spanning-tree portfast trunk
  end
  11SL_SWITCH#show interfaces trunk
  Port Mode Encapsulation Status Native vlan
  Fa0/24 on 802.1q trunking 1
  Port Vlans allowed on trunk
  Fa0/24 1,100
  Port Vlans allowed and active in management domain
  Fa0/24 1,100
  Port Vlans in spanning tree forwarding state and not pruned
  Fa0/24 1,100
  11SL_SWITCH#
  furthermore the vlans exist in the db and when i trunk between the switches - I can ping the SVI's.
  Do you want me to post the AP config?

• Multiple VLANs per SSID with local switch

  Is it possible to use an 'AP Group' or 'Interface group' to assign multiple VLANs to a WLAN when remote, h-reap APs are in local switch mode? 
  If not, is there a way to overcome 500 maximum host per VLAN when APs are local switching?
  Thanks!

  dont think its possible...
  I donno if the following config will even work but u can have the hreap APs connected at the remote site to map to different vlans...
  Example:
  AP1 -- ssid 1 --- vlan 10
  AP2 -- said 1 --- vlan 11 and so forth..
  Sounds crazy but i ll have to ponder on this a bit more.. Need a pen and paper to draw a quick topology :)...
  Sent from Cisco Technical Support iPhone App

• Creating multiple vlans across multiple switches

  Hi All,
  How should I create multiple vlans across multiple switches?
  For instance, I have two (primary/redudant) layer 3 (core) switches and four layer 2 access switches (Cisco 2960) for the hosts, and given these are the vlans/subnets to be created. Should I do it in the core switches only and it would just propagate through the access via VTP?  Just trying to practice and learn.. Any help will be greatly appreciated:)
  VLAN 100: [DHCP-workstations]
  172.26.4.0/24
  172.26.5.0/24
  VLAN 200: [Servers]
  172.16.1.0/24
  172.16.2.0/24
  VLAN 300: [Printers]
  192.168.129.0/24
  192.168.130.0/24
  VLAN 800: [Management for switches/routers]
  10.160.1.0/24

  Hi
  You will have the SVI on the core. Set a VTP domain, make one of the cores as VTP server and rest of the switches as VTP clients. Once you do this, you won't have to login into each switch and create a vlan locally. The vlans will be automatically advertised from the VTP server to all the VTP clients.
  Thanks
  Ankur
  "Please rate the post if found useful"

• DLSW ethernet redundancy for multiple vlans

  Can dlsw ethernet redundancy support mutliple vlans with the following configuration?
  host dlsw router1 host dlsw router2
  | |
  local dlsw router 1 local dlsw router2
  | |
  ethernet switch1-------ethernet switch2
  Ethernet switch1 and 2 are supporting multiple vlans and connected to local dlsw router1 and 2 through 802.1Q. SNA support is required for the vlans of ethernet switch1 and 2 .
  We found that configuration of dlsw ethernet redundancy is not allowed on the 802.1Q sub-interface of the local dlsw router1 and 2. In this case, how can dlsw ethernet redundancy can be supported for SNA server attached to multiple vlans? Can you provide us some reference / sample for dlsw ethernet redundancy to support SNA servers attached to different vlans in a switch environment.
  Thanks.

  I think that I understand the problem. I am thinking the following:
  dlsw local-peer peer-id 2.2.2.2 promiscuous
  dlsw transparent switch-support
  interface Ethernet0
  mac-address 0000.3333.3333
  dlsw transparent redundancy-enable 9999.9999.9999 master-priority 10
  dlsw transparent map local-mac 0000.6666.0000 remote-mac 0200.eca2.0000 neighbor 0000.5555.5555
  interface Ethernet1
  mac-address 0000.4444.4444
  dlsw transparent redundancy-enable 9999.9999.0001 master-priority 10
  dlsw transparent map local-mac 0000.6666.0001 remote-mac 0200.eca2.0000 neighbor 0000.7777.7777
  Of course, you need an ethernet interface per VLAN. If you need DLSw ER over dot1q interface, please contact the local Cisco Sales Rep or partner. You are not the first one to ask for it. Hope that there is a strong business case to initiate the new feature.

• How to create multiple Vlan in Controller 4402

  Please let me know step-by-step procedure to create multiple vlan in conroller 4402, In my topology we have vlan -1 for date and vlan - 11 for voice both are in different network, please light me detail config on controller and switch

  Hi Balamurugan,
  I don't want to sound rude, but, you have posted your issue three times.  Each one, I recommended that you go through the WLC Configuration Guide.  I recommended this because you are new to WLC and it's the best way for you to learn.
  However, you recent post has led me to believe that you are reluctant to peruse the document and I am puzzled.  Is there any reason of your reluctance and hesitance?
  Cisco Wireless LAN Controller Configuration Guide, Release 6.0
  http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/Controller60CG.html

• Bridge with clients & multiple VLANs on 1242 AP

  Hi,
  I am trying to set up a test as per the attached diagram. I am looking to use 2x 1242 access points to bridge to a remote part of the network.
  I currently have 2 VLANs on the network, all network devices are on VLAN 1 for management and client access is on VLAN 2.
  What I am trying to achieve is to bridge between the two access points and also have clients connect to VLAN 2 on each access point.
  Firstly, are the 1242's capable of this or would I need to look at a 1300 Bridge?
  I have attached a copy of the base config I have on both AP's, the only difference between them is the root or non-root role.
  My bridge link currently works and I can ping across it on VLAN 1 but I cannot get a client to connect to the SSID on VLAN2. Although the SSID is set to guest mode I cannot see it being broadcast and if I manually try and connect nothing happens.
  Is there anything basic I am missing here or can anyone offer advice on bridging multiple VLANs with 1242 AP's?
  Thanks,
  Paul

  Ooops....forgot to add the attachments first time.
  Thanks,
  Paul.