Assigning multiple ports/interfaces to a VLAN-Switch-IOS
Hi,
I am trying to assign ports/interfaces to VLAN 2, but I need to assign the whole blade, or many ports on two or three blades, to VLAN 2. The switch is a CAT 4500 running Cisco IOS. I can only do one port/interface at a time:
Switch-4500(config)# interface fastEthernet 0/2
Switch-4500(config-if)# switchport access VLAN 2
vlan Set VLAN when interface is in access mode
So this way, as explained above, one port at a time gets assigned to a VLAN. I need to do multiple ports. How can I do this, if it is possible at all?
Thanks,
Masood
Thanks for getting back to me. You know, I have taken over this network just recently and have realized that the company that was taking care of this network had done it this way:
1 main subnet (Users, Servers, WS, etc.) - VLAN 2
1 Development subnet - VLAN 3 - still active but not in use
So all of my switches, i.e. two CAT 4006, two CAT 3560, and one new 4500 (just purchased), are all on VLAN 2. The main CAT switch has VLAN 3 information since the DEV subnet connects to it as well.
Now, I am trying to create 4 or 5 functional VLANs for my main network (which currently has all my switches and three routers in it, on VLAN 2):
2 CAT 4006 switch
1 CAT 4500 Switch
2 CAT 3560
1 CAT 3550
2 CAT 2948-G-TX
2 Border or Gateway Routers Cisco 2621
1 gateway router 2621 (connects this office to a remote extension of this office using a point-to-point T1; at the other end - private IP - it connects to the Internet via an ISP).
My two border routers - public IP - connect to two T1s, one primary and the other one shadow.
I guess my question is:
What would be the best way to create VLANs 2, 3, 4, 5 and 6 using the above switches and routers, and have inter-VLAN communication through trunking and management through VTP or something else?
I want to create the VLANs in such a way that if a user belonging to VLAN 2 sits on the 12th floor and another user belonging to this same VLAN 2 sits on the 14th floor, it makes no difference; so, independent of the user's location, how do I do the port assignment on the switches to achieve this? No resource or network file resource segmentation is needed since all users will access the same information.
I really appreciate your suggestions and help.
Regards,
Masood
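An added example of the bulk port assignment and the trunk/VTP layout asked about above; it is not from the thread, and the blade and port numbers, VLANs 4-6 and 999, the VLAN names and the VTP domain name are assumptions made for illustration.

```cisco
! Added example, not from the thread. Assumed: a Catalyst 4500 with a 48-port
! blade in slot 2 for users, a blade in slot 3 for servers and an uplink blade
! in slot 4; VLANs 4-6 and 999, the VLAN names and the VTP domain are made up.
!
! 1. VTP: keep the VLAN database local. In transparent mode this switch does
!    not accept a VLAN database pushed from another switch, so a device that
!    joins the domain with a higher revision number cannot wipe the VLANs.
vtp domain OFFICE-EXAMPLE
vtp mode transparent
!
! 2. Define the VLANs with names so "show vlan brief" is self-explanatory.
vlan 2
 name USERS
vlan 3
 name DEV
vlan 4
 name SERVERS
vlan 5
 name VOICE
vlan 6
 name MGMT
vlan 999
 name UNUSED-NATIVE
!
! 3. Assign a whole blade (or any list of ports) in one step. Every port in
!    the range gets the same access-port configuration; the user's floor does
!    not matter because VLAN 2 is carried to every closet over the trunks.
interface range fastEthernet 2/1 - 36
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Non-contiguous blocks, even on different blades, can be listed in one range.
interface range fastEthernet 3/1 - 8 , fastEthernet 3/25 - 32
 switchport mode access
 switchport access vlan 4
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 4. Trunk to the other floor's switch (or the core): carry only the VLANs
!    that exist and use an empty native VLAN so untagged frames never land
!    in a user VLAN. Omit the encapsulation line on platforms that only
!    support 802.1Q, where that command does not exist.
interface gigabitEthernet 4/1
 description Trunk to core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2-6
 switchport mode trunk
 switchport nonegotiate
!
! 5. Ports that are not patched: park them in the unused VLAN and shut down.
interface range fastEthernet 2/37 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Verification:
!   show vlan brief            -> ports per VLAN
!   show interfaces trunk      -> allowed and active VLANs on the trunk
!   show vtp status            -> "Transparent" operating mode
```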
Similar Messages
Assign Switch Port Descriptions based on CDP, LLDP, or some type of Hostname Information
Hey guys,
I was wondering, is there a way to automatically change/assign the port Descriptions on my Cisco switches based upon information pulled from CDP or LLDP, or some type of hostname, that will go out, pull what device is plugged into that port, and insert description information about that device into the Port Description for that particular port that the device is plugged into?
Thank you for your help!
Michael

Good question!
You can do this with an EEM applet policy.
Below is a link that discusses it.
https://supportforums.cisco.com/document/100791/automatically-set-port-descriptions
Hope this helps; if so, please rate.
Thanks
WLC2112-K9 802.1x dynamic VLANs on multiple ports
I have a WLC2112-K9. I have successfully set up a WLAN with 802.1x authentication and dynamic VLAN assignment. The issue I have (and maybe it isn't an issue and is just the way the controller works) is that if the VLAN interfaces I have defined are connected to different ports from the one the default interface for the WLAN is on, it doesn't work.
So for instance, I create my WLAN and set the interface to the management interface (which is connected to port 1). I then define all my other VLAN interfaces that could be returned by my RADIUS server.
e.g.: vlan_102 connected to port 2
vlan_104 connected to port 3
vlan_106 connected to port 4
And so forth.
Port 1 is configured on the switch on VLAN 21. If the RADIUS server returns a VLAN ID of 102, 104 or 106 my client successfully connects to the WLAN but it gets put on VLAN 21. However, if I move the VLAN interfaces above over to port 1 the client correctly gets put on the correct VLAN.
All ports on the switch are configured as trunks with the native VLAN set to the corresponding value that is set on the WLC.
Is this just the way the controller functions? That it can't assign a client to a different interface that is connected to a different port from the default one set up when the WLAN is created? I would have just thought that if the RADIUS server returned VLAN 102 it would find that interface and connect the user session via that interface regardless of the port it is configured on.
Thanks

Dynamic VLAN assignment should work with the controller by returning the standard IETF attributes 64, 65, and 81.
You said that you have configured the native VLAN on each trunk port to be exactly the same as the VLAN assigned to the dynamic interface on the neighbor controller port. Make sure to have the native VLAN be something else, especially since I guess that you have tagged the VLANs on those dynamic interfaces.
Please make sure to rate correct answers.
Hello, I recently purchased a 3560 switch and I am relatively new with VLANs.
What I need to do is quite simple:
I need multiple FastEthernet ports in multiple VLANs on a single switch. For that, I need to trunk these ports, but nothing seems to work properly.
I created multiple VLANs (VLANs 100, 200 and 300), but by default each VLAN can see the others (my allowed VLAN list is set to ALL on each port).
When I set up the restrictions on that allowed VLAN list, the problem is that each port still sees the others. Example: Port 0/22 is set to allowed VLANs 100,200, but that port can still see VLAN 300. I configured the native VLAN as VLAN 50 (an empty VLAN) for each port on the switch.
I tried on a 3560 and a 2950, but exactly the same problem occurs.
The problem is really basic but I have been on it for 1 week. Is there anyone who could help me please?

Check the link below for detailed configuration & information.
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84be.html
If you want to remove the VLAN from the trunk, you can simply use the command below:
switchport trunk allowed vlan remove 300
Hope this helps.
OTV site VLAN with multiple overlay interfaces
Hi,
I have OTV multihoming sites: 2 sites, 2 OTV edge devices at each site,
and with multiple overlay interfaces sharing 1 join interface.
The OTV edge device is connected to multiple VDCs.
Each internal/downlink interface will forward different VLANs for each VDC.
================================
example
int overlay 1
otv extend-vlan 10
int overlay 2
otv extend-vlan 20
int eth 2/1
description trunk to VDC1
switchport trunk allowed vlan 10,100
int eth 2/2
description trunk to VDC2
switchport trunk allowed vlan 20,100
otv site-vlan 100
================================
I understand that I can only use 1 site VLAN.
So in order for the failover to happen, both eth 2/1 and eth 2/2 must fail?
What if only int eth 2/1 fails? Will int overlay 1 fail over to the secondary OTV device?
Thanks,
Ivan

"So when querying the adjacency server the ED then knows which other ED is within the same site?"
Yes for the first part of the question, using the site VLAN unique to each site.
Why do you need a routed link between EDs at the local site? You don't need to connect those back-to-back over L3. Moreover, if you want to use it for L3 adjacency over the peer-link, you need to make sure that the VLAN you are using is not allowed on the vPC member ports, just on the peer-link, else the vPC loop algorithm will break your traffic.
Are you planning to use a multicast or a unicast deployment? I remember I tried testing the topology in a POC for one of my customers; things did not work as expected in multicast deployment mode and worked fine in unicast adjacency server mode. I need to go back and check my notes on this.
I would rather have the join-interface go back to a routed core at the site rather than back-to-back connectivity, as it opens up the tested multicast deployment mode.
Cheers,
-Amit Singh
Assigning multiple interfaces for Oracle API Gateway (OAG)
We are deploying Oracle API Gateway to throttle our incoming API requests. We would like to keep the incoming external API requests separate from the internal configuration management so that they go through different interfaces when accessing the OAG server. This is mainly for security reasons so that the external people won’t have access to the interface used by internal operations team to manage OAG. Based on your experience, is there any standard best practice to accomplish this? We were thinking to perhaps use two of the server’s network interfaces with different IPs, one for the incoming API requests and the other for the internal admin management of OAG. But not sure if this is the best way to do what we need. We are aware of OAG's capability to support two separate ports to handle this situation, but would like a more secure set-up that could completely eliminate external access to the OAG management done by the IT team.
Would appreciate any thoughts on best practices used regarding multiple interfaces for OAG set-up. Thank you. Oracle Marketing Cloud.

You are on the right track.
Here is how you can achieve this:
You can use multiple network interfaces on the UNIX machine and set up networking/routing in such a way that all external traffic comes in on one card and is routed internally via a different card.
Segregate different types of services (i.e. those to be used by external clients vs internal apps) into different "Service Groups". Have each of these service groups listen on a different port + NIC card (under Listeners, you can define a listener on a specific network address and port instead of *).
Set up additional protection for services that will be accessed by external clients. Use the "Threatening Content" filter to protect your services.
Set up 2-way SSL for the interface that will be called by external clients. Set up a DN-based authorization check if you want to have both authentication and authorization.
Hope this helps.
Thanks,
Ankit Kumar
Assigning multiple IP addresses to the same interface in rc.conf
Hi,
Is there any way to assign multiple IP addresses to the same interface in rc.conf?
Or else how is it done?
Thanks
--Siju

Like oh so many things, IP aliasing is covered in the wiki.
Or you can just add the commands to /etc/rc.local if you need to do it some other way.
Good morning everybody,
I am writing because I am not able to implement a desired outcome in our company network. In fact the situation is as follows:
What I want to do is to be able to authenticate users (802.1x authentication) against our company RADIUS server and authorize them access by having dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization have been working completely smoothly (there are no problems with that itself). The concept involves the configuration of both DATA and VOICE VLANs as there is also phone authentication implemented. In order to simulate this environment I introduced a dumb switch connected to my Cisco 2960 Catalyst.
What I have successfully managed to get to work so far is this:
1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation into two domains – DATA and VOICE. Below is the output from show authentication sessions for this scenario.
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
show authentication sessions:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
However, I cannot succeed in authenticating many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain mode.
What I want to get is an output like this:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
I want the switch to authenticate the users any time they connect to it and for them to have instant access to the network. (I say this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked, but two users never had access to the “Internet” simultaneously!!!)
The configuration of the interface connected to the Dumb switch is as follows.
interface FastEthernet0/x
description Connection to DUMBswitch
switchport mode access
switchport voice vlan XXX
switchport port-security maximum 10
switchport port-security
switchport port-security violation protect
authentication host-mode multi-auth
authentication priority dot1x
authentication port-control auto
authentication timer reauthenticate 4000
authentication violation replace
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
The way I see it is explained in the following steps:
- PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
- When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
Has anybody ever succeeded with such a configuration example? If yes, I would love to get some help in doing so.
Thank you
Stoimen Hristov

Hi Stoimen,
I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it made things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
From what I can see, you have 2 options available to you:
1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
Hopefully someone else will chime in with another option.
Xavier
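As an added illustration of Xavier's first option (IOS configuration written for this page, not taken from the thread or from the Cisco guide he mentions), a low-impact-mode port where the RADIUS server returns a per-session ACL instead of a VLAN; the VLAN numbers, the ACL name, the interface, the server address and the AV-pair values in the comment are assumptions.

```cisco
! Added example, not the thread's own configuration. Assumed: a Catalyst 2960
! with a 12.2(50)SE or later image, data VLAN 10, voice VLAN 20, Fa0/23 facing
! the unmanaged switch, RADIUS server 192.0.2.10 (documentation address) and
! a placeholder shared secret.
!
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
aaa group server radius DOT1X-SERVERS
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication dot1x default group DOT1X-SERVERS
! Without network authorization the switch accepts the Access-Accept but
! ignores every attribute in it (dACL and VLAN alike).
aaa authorization network default group DOT1X-SERVERS
aaa accounting dot1x default start-stop group DOT1X-SERVERS
! The downloaded ACL's "any" source is rewritten to the client's IP, which
! the switch learns through device tracking.
ip device tracking
! Allow the Cisco vendor-specific attribute that carries the ACL.
radius-server vsa send authentication
dot1x system-auth-control
!
! Pre-authentication ACL (low-impact mode): enough for a host to get an
! address and resolve names; everything else waits for the session's ACL.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
!
interface FastEthernet0/23
 description Port facing unmanaged switch
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip access-group PRE-AUTH in
 ! "open" lets traffic matching PRE-AUTH flow before authentication succeeds
 authentication open
 ! one session per MAC, all in VLAN 10; access differs per session by ACL,
 ! which is why the single-VLAN limit of an access port no longer matters
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! RADIUS side (assumed FreeRADIUS-style syntax, not on the page): each user's
! Access-Accept carries the per-session ACL as Cisco AV pairs, for example
!   Cisco-AVPair = "ip:inacl#1=permit ip any 10.10.0.0 0.0.255.255",
!   Cisco-AVPair = "ip:inacl#2=deny ip any any"
! The switch applies those entries to that MAC's session only, so user1 and
! user2 behind the unmanaged switch can get different policies on one port.
!
! Verification:
!   show authentication sessions interface FastEthernet0/23
!   show ip access-lists interface FastEthernet0/23
```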
Solaris 8: Multiple primary interfaces connected to the same network
I have a machine with Solaris 8, and it has multiple interfaces that are connected to the same network which means they all have metric 0 (1 hop) to the default gateway.
assume:
e1000g0: 192.168.30.70
e1000g2: 192.168.30.72
e1000g4: 192.168.30.74
e1000g5: 192.168.30.76
gateway: 192.168.30.65 (Cisco Router)
However, it seems like despite the fact that they have a direct connection, they seem to be using e1000g0 to access the 192.168.30.0 network to get to the default gateway and then to anywhere else.
When I send a ping to, say, 192.168.30.74 (IP of e1000g4) and capture packets on e1000g0, I see the "echo reply" messages going out of it as opposed to e1000g4, even though e1000g4 is the one receiving the "echo request". This should not happen and these should be completely independent, as they should all be advertising 1 hop to that network.
The outputs from netstat -rn and ifconfig -a are shown in the picture on the link below
[http://img836.imageshack.us/img836/7308/ifconfignetstathiddenip.jpg]
This gets even more confusing when I go into the Cisco router and run the command: "show mac address-table" where only the MAC address of e1000g0 is shown for the switch port it's connected to, but not for the other interfaces which are connected to the switch. Yes, all ports are active (no shut) and are pingable.
Also, the odd thing is that ALL of these individual MACs show up in the router ARP table when the machine comes up; however, after sending a ping to one of them, after a certain expiry or whatever period, the MACs disappear from the router ARP table and only the MAC for e1000g0 shows up. The ARP table of the Solaris machine, however, shows all the relevant MACs of each port of the router that it's physically connected to (this is actually a Cisco switch with the Advanced IP Services image and L3 routing turned on).
Before anyone asks: the local-mac-address? setting does NOT exist on my machine and it never has, but it used to work fine. Also, from the ifconfig command, one can tell that all the MAC addresses are fine.
I need to somehow assign all these interfaces equal priority and make them understand that they're physically connected to the 192.168.30.0 network and there's no need to go through e1000g0 to get to it.
This is causing a lot of problems as eventually all traffic will end up going through the e1000g0 interface and that will become a bottleneck.
Please help. Thanks in advance

Ok thanks. That was a useful response.
I did think about the trunking software that is claimed to be available for Solaris 8, but it's only available if you've got paid support contract. Oracle came and ruined everything re: Sun support which is so expensive now.
The other confusion is, we never had that OR needed to configure trunking/link aggregation on this machine, so why now?
Lastly, by your explanation, this should be expected and is "normal" behaviour, which would mean that this machine was always doing this and I only just noticed it this time? I thought if you turn off ipv4 forwarding and router function in the machine, it's every interface for itself. But it's not doing that :(
So then the question is, can I force it? I've tried a bunch of things by manipulating the tables and it seems to mess things up, where nothing is getting through, or it now shifts all the traffic to some other port, making the problem no different.
Is there a way to give equal weight to all interfaces so that the traffic originating at those ports goes directly through them?
Static unicast MAC entry in multiple ports Cat6500VSS
Hello, I'm trying to configure a static mapping of a MAC address in two different ports on a Catalyst 6500 switch.
My situation is: I've configured a cluster of firewalls which exposes a unicast MAC address for the cluster virtual interface. The situation is that the MAC address is a unicast one, and when the switch sees the MAC from multiple ports, it gets confused and starts flooding the whole VLAN.
The configuration I'm trying to do is for a McAfee Firewall connected to 2 Catalyst 6500 in VSS mode. Here is the article of the firewall vendor with the recommended configuration: https://kc.mcafee.com/corporate/index?page=content&id=KB61307&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=es_ES
What I want to do is to configure unicast mirrored mode, and in that mode, I have to run this command on the Catalyst 6500 and I can't:
mac-address-table static 000e.a210.440a GigabitEthernet 1/1/3 GigabitEthernet 2/1/3
Note that the mac address is a unicast one
How can I do that? Any help will be appreciated

Hello,
There is a fundamental architecture difference between the 2 platforms regarding the internal forwarding of frames. With the 3550 the notification packet is sent after a lookup and the results index can contain more than one entry, whereas with other architectures the results are limited to a single entry. Basically that is why you can configure an ARP entry to point to different ports on the 3550 versus other platforms.
Hope that helps.
Regards,
James
ERROR OWS-04045 during accessing multiple ports based web service
I use WSA to publish a web service which has multiple ports.
The Ant build script:
<oracle:assemble appName="${app.name}" ear="${app.name}.ear"
targetNamespace="http://www.xxx.com" classpath="${domestic.class.path}"
input="${web.home.path}/WEB-INF/classes" output="${archive.output.path}"
style="rpc" mappingFileName="type-mapping.xml" appendToExistingDDs="true"
serviceName="${app.name}">
<oracle:porttype interfaceName="com.xxx.service.ICompanyDefinerWebService"
className="com.xxx.CompanyWebServiceImpl">
<oracle:port name="company" uri="company" />
</oracle:porttype>
<oracle:porttype interfaceName="com.xxx.IUserDefinerWebService"
className="com.xxx.UserProfileWebServiceImpl">
<oracle:port name="userprofile" uri="userprofile" />
</oracle:porttype>
</oracle:assemble>
There is a class named UserDTO which extends another class AbstractDTO, which is located in another package. I used a type-mapping file to give them different namespaces.
After deployment, I can use the url http://localhost:8888/xxx/userprofile to access the web service. OC4J provided a javascript based stub for testing.
But I met some problems. When I use the web stub to access it, an error occurs.
ERROR OWS-04045 Malformed Request Message:Caught exception while handling request: unexpected element name: expected={http://www.xxx.com/framework/bean}operationRecord, actual={http://www.xxx.com/user/dto}operationRecord
I switched the form to display in XML before invoking, and I found there are different and correct namespaces on these 2 elements (UserDTO and OperationLog). So, I find it very strange that the server responds with such fault information.
In addition, if I use the default style (just document-wrapped) to publish the web service, almost all methods cannot be accessed on the web stub which is provided by Oracle.
Surely, the problem is caused by the multiple ports. The SOAP specification is 1.2 and the JDK is SUN 1.5.0-b6, OC4J is 10.1.3.3.
I just want to know whether Oracle has some better practices or suggestions for publishing a web service which will have multiple ports.
The other problem is we cannot use abstract classes (only interfaces are supported) when we want to use WSA to assemble a web service based EAR.

Is it possible to use several "class L4VIPCLASS" inside the "policy-map multi-match VIPs" in order to have several VIPs to load-balance services for several serverfarms?
Something like this:
class-map match-all L4VIPCLASS-1
2 match virtual-address 172.16.1.1 tcp eq www
class-map match-all L4VIPCLASS-2
2 match virtual-address 172.16.1.2 tcp eq www
class-map match-all L4VIPCLASS-3
2 match virtual-address 172.16.1.3 tcp eq 8081
policy-map type loadbalance http first-match WEB_POLICY-1
class class-default
serverfarm-1
policy-map type loadbalance http first-match WEB_POLICY-2
class class-default
serverfarm-2
policy-map type loadbalance http first-match WEB_POLICY-3
class class-default
serverfarm-3
policy-map multi-match VIPs
class L4VIPCLASS-1
loadbalance vip inservice
loadbalance policy WEB_POLICY-1
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 1 vlan 11
class L4VIPCLASS-2
loadbalance vip inservice
loadbalance policy WEB_POLICY-2
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 2 vlan 22
class L4VIPCLASS-3
loadbalance vip inservice
loadbalance policy WEB_POLICY-3
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 3 vlan 33
interface vlan XX
service-policy input VIPs
Many thanks for your support.
Int VLAN up while no port connected on the VLAN
Hello,
Having a Cat3750 stack (Layer 2-Layer 3, release 12.2.25SEB4), I would like to have an interface VLAN up for administration reasons with no port connected on this VLAN.
Do you know a way to get it, without using a loopback interface, i.e. having a switch port state up while not being connected? (Neither no keepalive nor an L3 interface with no keepalive helps me.)
sh run int fas 3/0/24
Building configuration...
Current configuration : 170 bytes
interface FastEthernet3/0/24
no switchport
no ip address
no logging event link-status
no keepalive
no snmp trap link-status
power inline never
no mdix auto
end
sh run int vlan 1
Building configuration...
Current configuration : 96 bytes
interface Vlan1
description *** Management ***
ip address a.b.c.d 255.255.255.248
end
sh int vlan 1
Vlan1 is up, line protocol is down
sh int fast 3/0/24
FastEthernet3/0/24 is down, line protocol is down (notconnect)
Regards,

Hello Glen,
Thank you for replying so fast.
Here is some more information:
The switch is used as a router too.
It is reachable by a WAN router connected to this switch on another VLAN (VLAN 9). The SVI for the management of this switch is on a dedicated VLAN (VLAN 1), but this is the only switch of this site.
The management of this switch isn't in the same vlan as the router.
And I wonder if there is a way to have a SVI up just for the management process of this switch, without using a loopback interface.
The WAN router is on VLAN 9 and I would like to have the switch management IP address on VLAN 1.
Vlan 1 IP network is a subnet of the network routed by the WAN router (managed by an operator).
Regards,
WLC is ARPing but will not receive answer from vlan-switch
Hi - this is my first posting in these forums - hope I get it right.
Setup: a procurve-vlan-switch (2915) is connected directly to a cisco-wlc (2504) on two ports.
Port 1 on the WLC has the management and AP-manager interfaces, untagged, connected to an untagged port on the ProCurve switch.
Port 2 on the wlc has a dynamic interface (vlan 100) connected to tagged (vlan100) port on the switch.
Port 1 I can ping, and everything works as it should, LAP connects and so on.
Port 2 I can't ping, and it will not let clients get an IP address in the VLAN 100 segment.
Wireshark tells me that the WLC sends ARP requests to the VLAN gateway on the ProCurve switch, and also that the switch replies in the same VLAN (with tagged packets). But the WLC will not pick these answers up and keeps ARPing for the gateway. The result is no DHCP answer to the clients.
Workaround: If I first ping from the wlc to the gateway, everything works for 5 minutes, i.e. I can ping the dynamic interface on the wlc and clients get ip-addresses, but when the arp-cache times out, everything goes black again.
BIG question: Can anyone help me with this? Why will the WLC not pick up the ARP answer from the switch? The WLC asks with tagged packets and gets tagged replies immediately but will not listen.
Sincerely
Nicholas Wolf Haamann

Is there a reason you are using two separate ports on the WLC?
Generally you would just create a Trunk port to the WLC and all traffic would pass over it.
The fact it works for 5 minutes makes me wonder if the WLC is somehow using the same MAC for both ports. What MAC addresses does the MAC address table on the HP switch show for both ports?
802.1x Dynamic VLAN Switching Question
Trying to set up 802.1x dynamic VLAN switching, and have a question. I think I've gotten it working except for one part. The VLAN on a protected interface is never getting switched. I can see an entry in the ACS stating that it applied the appropriate VLAN via RADIUS response, but it never changes on the switch.
Environment:
ACS Express 5.0.1
C3550 running c3550-ipbasek9-mz.122-44.SE6.bin
Switch config:
aaa new-model
aaa group server radius dot1x
server-private 10.10.1.4 auth-port 1645 acct-port 1646 key 7 071C244F5C0C0D544541
aaa authentication dot1x default group dot1x
dot1x system-auth-control
dot1x guest-vlan supplicant
interface FastEthernet0/3
switchport access vlan 3
switchport mode access
speed 100
duplex full
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
spanning-tree portfast
ip radius source-interface FastEthernet0/1 vrf default
!
radius-server host 10.10.1.4 auth-port 1645 acct-port 1646 key 7 01000307490E125E731F
Am I missing something easy?

It looks like "aaa authorization network default group dot1x" was the missing command I needed to get this working.
The only issue I'm having now is that if the client fails to meet the authentication requirements, the line status gets set as "down".
Service port interface Question
I have a customer that wants to use the service port interface as a backup entry door to its WLCs in the event of a network failure or misconfiguration. I have configured the WLC's management and AP-manager interfaces in a 10.50.x.x network and the service interface in a 10.103.x.x network, which are 2 completely separate networks. Cisco's documentation is unclear as to how to configure the service interface. Should I have the service interface completely separate from the 10.x.x.x network class (e.g. 172.16.x.x or 192.168.x.x) or am I okay in using the 10.103.x.x network?
The WLC can be configured with static routes. Are those, when configured, reserved for the service interface? Should I configure the WLC with a static route? And if yes what should it be?
Your help would be greatly appreciated
Thanks

You can use the service port, but make sure you configure it correctly. Here is from a Cisco doc:
By default, the physical service port interface has a DHCP client installed and looks for an address via DHCP. The WLC attempts to request a DHCP address for the service port. If no DHCP server is available, then a DHCP request for the service port fails. Therefore, this generates the error messages.
The workaround is to configure a static IP address to the service port (even if the service port is disconnected) or have a DHCP server available to assign an IP address to the service port. Then, reload the controller, if needed.
The service port is actually reserved for out-of-band management of the controller and system recovery, and maintenance in the event of a network failure. It is also the only port that is active when the controller is in boot mode. The service port cannot carry 802.1Q tags. Therefore, it must be connected to an access port on the neighbor switch. Use of the service port is optional.
The service port interface controls communications through and is statically mapped by the system to the service port. It must have an IP address on a different subnet from the management, AP-manager, and any dynamic interfaces. Also, it cannot be mapped to a backup port. The service port can use DHCP in order to obtain an IP address, or it can be assigned a static IP address, but a default gateway cannot be assigned to the service port interface. Static routes can be defined through the controller for remote network access to the service port.
Hope this helps.