.blocking host in same VLAN

Similar Messages

• Policy based routing to host in same vlan/subnet

  Hello i have nexus 7k that i have a policy based routing setup as follows for 2 vlans, 802 and 803, to set default route out to a host in vlan 802. i have applied my policy to the vlans and everything works fine for a host in vlan 803, it routes over and out properly. However when im in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1. I can see the pbr statistics incrementing indicating that i am initially hitting the policy but im not sure where my traffic goes after that. I can talk to .237 direct in the vlan but i would like this to work through pbr to utilize all of my other routes and default gateway.
  vlans 802
  172.21.1.1/24
  ip policy route-map West
  vlan 803
  172.21.17.1/24
  ip policy route-map West
  route-map West permit 10
    match vlan 802-803
    set ip default next-hop 172.21.1.237
  Im thinking there is some kind of hairpinning problem or maybe im creating some kind of blackhole.
  any help is appreciated.
  thanks, scott

  Scott
  If the destination IP is in the same subnet as source IP then it won't be routed it will be L2 switched so it would never use the default gateway ie.
  src IP 172.21.1.10 255.255.255.0
  dst IP 172.21.1.237 255.255.255.0
  src compares it's own IP with it's subnet mask and sees it is on the 172.21.1.x network. src then compares the destination IP with it's own subnet mask and sees it is also on the 172.21.1.x network so it simply arps out for that address and when it gets the mac address it sends it direct to the destination. It would only use the default gateway if the destination IP was on a different network.
  So i don't see how you will be able to do this and i'm not sure why you are seeing hits in your PBR acl for the host in the 172.21.1.x network.
  Edit - what exactly do you mean when you say -
  However when im in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1.
  How are you doing this ie. pointing it to the default gateway because as i say it should always be able to communicate with 172.21.1.237 as it is in the same subnet.
  Jon

• Nexus 1000v: Control VLAN must be same VLAN as ESX hosts?

  Hello,
  I'm trying to install nexus 1000v and came across the below prerequisite.
  The below release notes for Nexus 1000v states
  VMware and Host Prerequisites
  The VSM VM control interface must be on the same Layer 2 VLAN as the ESX 4.0 host that it manages. If you configure Layer 3, then you do not have this restriction. In each case however, the two VSMs must run in the same IP subnet.
  What I'm trying to do is to create 2 VLANs - one for management and the other for control & Data (as per latest deployment guide, we can put control & data in the same vlan).
  However, I wanted to have all ESX host management same VLAN as the VSM management as well as the vCenter Management. Essentially, creating a management network.
  However, from the above "VMWare and Host Prerequisites", does this means I cannot do this?
  I need to have the ESX host management same VLAN as the control VLAN?
  This means that my ESX host will reside in a different VLAN than my management subnet?
  Thanks...

  Control vlan is a totally seperate VLAN then your System Console. The VLAN just needs to be available to the ESX host through the upstream physical switch and then make sure the VLAN is passed on the uplink port-profile that you assign the ESX host to.
  We only need an interface on the ESX host if you decide to use L3 control. In that instance you would create or use an existing VMK interface on the ESX host.

• [ACE] Real servers and VIP in the same VLAN

  Hello.
  I´m facing an issue because the real servers and the VIP address are in the same VLAN, when a request comes from an external client to the VIP (crossing an ASA firewall) , the ACK gets back using the IP of one of the real servers instead of the VIP so this traffic is blocked by our WAN firewall probably due the inspection rules.
  My question is if there is some way make the VIP the address who ACK´s that requests? Creating a new VLAN would be complicated because there are other services already running on those real servers.
  Thanks a lot,
  Miquel

  Hi Miquel,
  Please do source nat on ACE so that return traffic gets sent to ACE and not FW. Pasting an example for you.
       ==========================================================================
       One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
       ==========================================================================
  login timeout 0
  access-list ANYONE line 10 extended permit ip any any
  rserver host SERVER_01
    ip address 192.168.1.11
    inservice
  rserver host SERVER_02
    ip address 192.168.1.12
    inservice
  rserver host SERVER_03
    ip address 192.168.1.13
    inservice
  serverfarm host REAL_SERVERS
    rserver SERVER_01
      inservice
    rserver SERVER_02
      inservice
    rserver SERVER_03
      inservice
  class-map match-all VIP-30
    2 match virtual-address 192.168.1.30 tcp eq www
  class-map type management match-any REMOTE_ACCESS
    description remote-access-traffic-match
    2 match protocol telnet any
    3 match protocol ssh any
    4 match protocol icmp any
  policy-map type management first-match REMOTE_MGT
    class REMOTE_ACCESS
      permit
  policy-map type loadbalance first-match SLB_LOGIC
    class class-default
      serverfarm REAL_SERVERS
  policy-map multi-match CLIENT_VIPS
    class VIP-30
      loadbalance vip inservice
      loadbalance policy SLB_LOGIC
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 451
  interface vlan 451
    description Servers vlan
    ip address 192.168.1.2 255.255.255.0
    access-group input ANYONE
    service-policy input CLIENT_VIPS
    nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
    no shutdown
  ip route 0.0.0.0 0.0.0.0 192.168.1.1
  Let me know if you have any question.
  Regards,
  Kanwal

• Block host to host traffic

  I need to block all traffic from host to host that are on the same VLAN. But continue to reach the outside world. I am using a 2921 router. What do I need to do to achieve this?

  Cisco ACLs won't help in this case. Traffic between hosts on the same VLAN is controlled entirely from the switches and APs. The routers don't ever see that, so they can't control it.
  The APs from just about any vendor will be able to do client isolation, so keeping the wireless clients from talking to each other shouldn't be difficult. Wired clients are another story and will depend on the capabilities provided by the switches. If they have an equivalent to Cisco's "switchport protected" functionality, you should be able to use that.

• Need to configure different SSIDs on same VLAN on 1142

  We're having a problem with interference in the B/G range due to the large number of access points owned by other companies in a fairly small area. The various laptops keep deauthenticating, which is causing problems with applications. I'd like to configure two SSIDs on the same VLAN but have them broadcasted on different frequencies. The AP complained about the configuration when I added the Company5.8 SSID below stating another SSID can't be added to a VLAN, but it shows in the configuration. Does any one have a suggestion as to what I can try? Thanks
  interface Dot11Radio0
   no ip address
   no ip route-cache
   encryption vlan 1 mode ciphers aes-ccm
   encryption vlan 3 mode ciphers aes-ccm
   ssid Moleculera Labs
   ssid Moleculera Labs-guest
   antenna gain 0
   mbssid
   channel least-congested 2412 2437 2462
   station-role root
  interface Dot11Radio0.1
   encapsulation dot1Q 1 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled
  interface Dot11Radio0.3
   encapsulation dot1Q 3
   no ip route-cache
   bridge-group 3
   bridge-group 3 subscriber-loop-control
   bridge-group 3 block-unknown-source
   no bridge-group 3 source-learning
   no bridge-group 3 unicast-flooding
   bridge-group 3 spanning-disabled
  interface Dot11Radio1
   no ip address
   no ip route-cache
   encryption mode ciphers aes-ccm
   encryption vlan 1 mode ciphers aes-ccm
   encryption vlan 3 mode ciphers aes-ccm
   ssid Moleculera Labs
   ssid Moleculera Labs-guest
   antenna gain 0
   dfs band 3 block
   mbssid
   channel dfs
   station-role root
  interface Dot11Radio1.1
   encapsulation dot1Q 1 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled
  interface Dot11Radio1.3
   encapsulation dot1Q 3
   no ip route-cache
   bridge-group 3
   bridge-group 3 subscriber-loop-control
   bridge-group 3 block-unknown-source
   no bridge-group 3 source-learning
   no bridge-group 3 unicast-flooding
   bridge-group 3 spanning-disabled

  Amjad, if I delete "encryption mode ciphers aes-ccm" what kind of encryption will the AP use?
  Mohanak, I'm using the same encryption settings with VLANs
  Here is the more complete configuration:
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname COMPANY-AP
  no logging console
  enable secret 5 *
  no aaa new-model
  no ip domain lookup
  ip domain name COMPANY.local
  dot11 syslog
  dot11 ssid COMPANY-2.4
     vlan 1
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 *
  dot11 ssid COMPANY-5.8
     vlan 1
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 *
  dot11 ssid COMPANY-guest
     vlan 3
     authentication open
     authentication key-management wpa
     guest-mode
     mbssid guest-mode
     wpa-psk ascii 7 *
  bridge irb
  interface Dot11Radio0
   no ip address
   no ip route-cache
   encryption vlan 1 mode ciphers aes-ccm
   encryption vlan 3 mode ciphers aes-ccm
   ssid COMPANY-2.4
   ssid COMPANY-guest
   antenna gain 0
   mbssid
   station-role root
  interface Dot11Radio0.1
   encapsulation dot1Q 1 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled
  interface Dot11Radio0.3
   encapsulation dot1Q 3
   no ip route-cache
   bridge-group 3
   bridge-group 3 subscriber-loop-control
   bridge-group 3 block-unknown-source
   no bridge-group 3 source-learning
   no bridge-group 3 unicast-flooding
   bridge-group 3 spanning-disabled
  interface Dot11Radio1
   no ip address
   no ip route-cache
   encryption mode ciphers aes-ccm
   encryption vlan 1 mode ciphers aes-ccm
   encryption vlan 3 mode ciphers aes-ccm
   ssid COMPANY-2.4  (Want this to be COMPANY-5.8)
   ssid COMPANY-guest
   antenna gain 0
   dfs band 3 block
   mbssid
   channel dfs
   station-role root
  interface Dot11Radio1.1
   encapsulation dot1Q 1 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled
  interface Dot11Radio1.3
   encapsulation dot1Q 3
   no ip route-cache
   bridge-group 3
   bridge-group 3 subscriber-loop-control
   bridge-group 3 block-unknown-source
   no bridge-group 3 source-learning
   no bridge-group 3 unicast-flooding
   bridge-group 3 spanning-disabled
  interface GigabitEthernet0
   no ip address
   no ip route-cache
   duplex auto
   speed auto
   no keepalive
  interface GigabitEthernet0.1
   encapsulation dot1Q 1 native
   no ip route-cache
   bridge-group 1
   no bridge-group 1 source-learning
   bridge-group 1 spanning-disabled
  interface GigabitEthernet0.3
   encapsulation dot1Q 3
   no ip route-cache
   bridge-group 3
   no bridge-group 3 source-learning
   bridge-group 3 spanning-disabled
  interface BVI1
   ip address 192.168.67.3 255.255.255.0
   no ip route-cache
  ip default-gateway 192.168.67.1
  ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  bridge 1 route ip
  line con 0
  line vty 0 4
   exec-timeout 30 0
   password 7 *
   login local
  end
  COMPANY-AP#

• ACE30-MOD-k9 in bridge mode. Individual server in the same vlan of Real Servers not reacheable.

  I configured ACE30-MOD-K9 in bridge mode and I configured a server farm with his real servers. The traffic passes and is balanced correctly between all RSERVER. But I can not contact a server that is on the same vlan of the serverpharm but doesn't belong at this serverfarm.
  I Thought that the traffic directed to this "spare" server shouldn't  be balanced but the bridge should permit traffic to pass. (trasperent mode) Is it correct ?
  What does ACE in bridge mode with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
  In rispect at the following configuration 10.10.10.168 isn't reacheable
  access-list INBOUND line 8 extended permit ip any any
  access-list INBOUND line 16 extended permit icmp any any
  probe http HTTP_PROBE1
    expect status 200 200
  rserver host RS_WEB1
    ip address 10.10.10.163
    inservice
  rserver host RS_WEB2
    ip address 10.10.10.164
    inservice
  rserver host RS_WEB3
    ip address 10.10.10.165
    inservice
  rserver host RS_WEB4
    ip address 10.10.10.167
    inservice
  serverfarm host SF_FIREGROUP
    rserver RS_WEB1
      inservice
    rserver RS_WEB2
      inservice
    rserver RS_WEB3
      inservice
    rserver RS_WEB4
      inservice
  sticky ip-netmask 255.255.255.255 address source sticky-ip
    replicate sticky
    serverfarm SF_FIREGROUP
  sticky http-cookie myCookie sticky-cookie
    cookie insert browser-expire
    serverfarm SF_FIREGROUP
  class-map match-any VS_FIREGROUP
    2 match virtual-address 10.10.10.169 tcp eq www
    4 match virtual-address 10.10.10.169 tcp eq 8081
    5 match virtual-address 10.10.10.169 tcp eq 8082
    6 match virtual-address 10.10.10.169 tcp eq 8083
    7 match virtual-address 10.10.10.169 tcp eq 8084
    8 match virtual-address 10.10.10.169 tcp eq 8085
    9 match virtual-address 10.10.10.169 tcp eq 8097
  class-map match-any VS_FIREGROUP_HTTPS
    2 match virtual-address 10.10.10.169 tcp eq https
  policy-map type loadbalance first-match HTTP
    class class-default
      sticky-serverfarm sticky-cookie
  policy-map type loadbalance first-match HTTPS
    class class-default
      sticky-serverfarm sticky-ip
  policy-map multi-match HTTP_HTTPS_MULTI_MATCH
    class VS_FIREGROUP
      loadbalance vip inservice
      loadbalance policy HTTP
      loadbalance vip advertise active
    class VS_FIREGROUP_HTTPS
      loadbalance vip inservice
      loadbalance policy HTTPS
      loadbalance vip advertise active
  interface vlan 4
    bridge-group 1
    access-group input INBOUND
    service-policy input HTTP_HTTPS_MULTI_MATCH
    no shutdown
  interface vlan 700
    bridge-group 1
    access-group input INBOUND
    no shutdown
  interface bvi 1
    ip address 10.10.10.150 255.255.255.0
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.10.10.1
  Thanks a lot
  Francesco

  Hi Francesco,
  Just to add more a bit, A bridge group is very similar to routed mode except ACE cannot NAT pass through traffic, vlan's cannot be shared and couple of other things but client's should be able to access the server as in before.
  But also whether in bridge or routed mode, ACE does create flows and applies other security parameters if configured to the traffic. This is for security. Also, ACE should know the MAC of the device to forward the traffic to. Can you check if ACE has the MAC of the destination? You can also put a route for testing purpose and see if that resolves the issue. That should probably be the quickest way to check if ACE is creating any issue here.
  Regards,
  Kanwal

• CSS SLB within same VLAN

  Hi -
  We have a need to load-balance requests within the same VLAN, but need to make sure it only happens then. We have multiple web servers all members of the same subnet, these servers are grouped differently in 5 different VIPS whose IPs are also part of the same subnet.
  Example: We need server A, who is a member of VIP Z, to talk to VIP Y and be load-balanced. These servers and VIPs are all part of the same subnet. however, when that same server A talks to host C somewhere else we don't want it to be translated.
  We'll obviously need to use groups and ACLs, but would we be using 'add service XX' in the group command or the 'add destination service XX' command? Should we NAT these connections as a new IP address, or just fake out the dest VIP so that it thinks the sender's MAC is the CSS?
  Anyone have a sample config from doing this before?
  Thanks!
  chad

  Thanks for the info, Steve. I have looked at a couple of online references including that one, but they all seem to be just a percentage of what I'm looking to do. It's probably a combination of them all put together, but because these VIPs are production websites I want to make sure I don't have to try this a second time. To make it make more sense I'll paste in what I'm trying to do below.
  First, I have these 2 content VIPs:
  content www-LT-80
  vip address 10.28.128.30
  protocol tcp
  port 80
  url "/*"
  advanced-balance arrowpoint-cookie
  arrowpoint-cookie browser-expire
  add service lt-bw02-80
  add service lt-bw04-80
  add service lt-bw06-80
  add service lt-bw08-80
  add service lt-bw10-80
  add service lt-bw12-80
  add service lt-bw14-80
  add service lt-bw16-80
  add service lt-bw18-80
  add service lt-bw20-80
  add service lt-bw22-80
  add service lt-bw24-80
  add service lt-bw26-80
  add service lt-bw28-80
  add service lt-bw30-80
  add service lt-bw32-80
  balance leastconn
  active
  content rc-LT-80
  vip address 10.28.128.38
  protocol tcp
  port 80
  url "/*"
  advanced-balance arrowpoint-cookie
  arrowpoint-cookie browser-expire
  balance leastconn
  add service rc-pub08-80
  add service rc-pub06-80
  add service rc-pub04-80
  add service rc-pub02-80
  active
  Second, these are the services in each VIP respectively. I'll only paste 1 service from each VIP, all the others are the same just with incrementing IPs:
  service lt-bw02-80
  ip address 10.28.128.51
  protocol tcp
  port 80
  string wwwltbw2
  keepalive type script ap-kal-httptag "10.28.128.51 /keepalive.asp www.lendingtree.com"
  keepalive frequency 15
  active
  service rc-pub02-80
  ip address 10.28.128.171
  protocol tcp
  port 80
  string rcpub02
  keepalive type script ap-kal-httptag "10.28.128.171 /keepalive.asp rc.lendingtree.com"
  keepalive frequency 15
  active
  Goal to achieve:
  I need the lt-bwXX-80 services that are members of the first VIP to be able to talk to the second (RC) VIP and be load-balanced. The caveat is that when these lt-bwXX-80 services talk to other hosts through the CSS I do not want them being NATted at all, for reporting reasons their IPs need to stay the same. To touch on your earlier comment, all of these VIPs are also load-balanced to the Internet for web browsing. Basically, I need some form of address translation, whether it be IP or MAC, but only on specific to/from relationships.
  Does that help make it more clear? Thanks in advance for any assistance.
  Chad

• ACE30_MOD-K9 in bridge mode. Individual servers in the same vlan of rserver not reach.

  I configured ACE30-MOD-K9 in bridge mode and I configured a server farm with his real servers. The traffic passes and is balanced correctly between all RSERVER. But I can not contact a server that is on the same vlan of the serverpharm but doesn't belong at this serverfarm.
  I Thought that the traffic directed to this "spare" server shouldn't  be balanced but the bridge should permit traffic to pass. (trasperent mode) Is it correct ?
  What does ACE in bridge mode with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
  In rispect at the following configuration 10.10.10.168 isn't reacheable
  access-list INBOUND line 8 extended permit ip any any
  access-list INBOUND line 16 extended permit icmp any any
  probe http HTTP_PROBE1
    expect status 200 200
  rserver host RS_WEB1
    ip address 10.10.10.163
    inservice
  rserver host RS_WEB2
    ip address 10.10.10.164
    inservice
  rserver host RS_WEB3
    ip address 10.10.10.165
    inservice
  rserver host RS_WEB4
    ip address 10.10.10.167
    inservice
  serverfarm host SF_FIREGROUP
    rserver RS_WEB1
      inservice
    rserver RS_WEB2
      inservice
    rserver RS_WEB3
      inservice
    rserver RS_WEB4
      inservice
  sticky ip-netmask 255.255.255.255 address source sticky-ip
    replicate sticky
    serverfarm SF_FIREGROUP
  sticky http-cookie myCookie sticky-cookie
    cookie insert browser-expire
    serverfarm SF_FIREGROUP
  class-map match-any VS_FIREGROUP
    2 match virtual-address 10.10.10.169 tcp eq www
    4 match virtual-address 10.10.10.169 tcp eq 8081
    5 match virtual-address 10.10.10.169 tcp eq 8082
    6 match virtual-address 10.10.10.169 tcp eq 8083
    7 match virtual-address 10.10.10.169 tcp eq 8084
    8 match virtual-address 10.10.10.169 tcp eq 8085
    9 match virtual-address 10.10.10.169 tcp eq 8097
  class-map match-any VS_FIREGROUP_HTTPS
    2 match virtual-address 10.10.10.169 tcp eq https
  policy-map type loadbalance first-match HTTP
    class class-default
      sticky-serverfarm sticky-cookie
  policy-map type loadbalance first-match HTTPS
    class class-default
      sticky-serverfarm sticky-ip
  policy-map multi-match HTTP_HTTPS_MULTI_MATCH
    class VS_FIREGROUP
      loadbalance vip inservice
      loadbalance policy HTTP
      loadbalance vip advertise active
    class VS_FIREGROUP_HTTPS
      loadbalance vip inservice
      loadbalance policy HTTPS
      loadbalance vip advertise active
  interface vlan 4
    bridge-group 1
    access-group input INBOUND
    service-policy input HTTP_HTTPS_MULTI_MATCH
    no shutdown
  interface vlan 700
    bridge-group 1
    access-group input INBOUND
    no shutdown
  interface bvi 1
    ip address 10.10.10.150 255.255.255.0
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.10.10.1
  Thanks a lot
  Francesco

  Hi Francesco,
  Just to add more a bit, A bridge group is very similar to routed mode except ACE cannot NAT pass through traffic, vlan's cannot be shared and couple of other things but client's should be able to access the server as in before.
  But also whether in bridge or routed mode, ACE does create flows and applies other security parameters if configured to the traffic. This is for security. Also, ACE should know the MAC of the device to forward the traffic to. Can you check if ACE has the MAC of the destination? You can also put a route for testing purpose and see if that resolves the issue. That should probably be the quickest way to check if ACE is creating any issue here.
  Regards,
  Kanwal

• Block Traffic under two VLAN's : Unidirectional OR Bidirectional ???

  I have a Ciso L3 switch with 4 VLANs and all host computer connected to rest of 8 cisco 2960 switch's:
  VLAN 1  : 192.168.1.0/24
  VLAN 10: 192.168.10.0/24
  VLAN 20: 192.168.20.0/24
  VLAN 50: 192.168.30.0/24
  There are list of my some Questions about Extended ACL serialwise :
  1. For Restrict traffic from VLAN 10 to VLAN 20, I am using  only one ACL is : Access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255.
      What will happen in this scenerio if we talk about traffic from VLAN 20 to VLAN 10. Will it communicate or not ???
  2.   How to Block the traffic from VLAN 10  to  VLAN 20 but allow the traffic from VLAN 20  to  VLAN 10 ? Plz tell access list command for this.
        Question # 2 Depends on Question# 1...................
  Plz find here My cisco 3560 switch configuration in Blog below :
  Regards
  Kuldeep

  Hi Richard,
                    See this cisco 3560 switch Configuration, and tell me answers accordingly:
  CORE_3560#sh run
  Building configuration...
  Current configuration : 5299 bytes
  version 12.2
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname CORE_3560
  enable secret 5 $1$d6GO$No/vGsChZP5O.5ANOYI2m/
  no aaa new-model
  ip subnet-zero
  ip routing
  no file verify auto
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  interface Port-channel1
  description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface Port-channel2
  description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface GigabitEthernet0/1
  description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-group 1 mode on
  interface GigabitEthernet0/2
  description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-group 1 mode on
  interface GigabitEthernet0/3
  description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-group 2 mode on
  interface GigabitEthernet0/4
  description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-group 2 mode on
  interface GigabitEthernet0/5
  description *** CONNECTING TO CISCO-2960 SWITCH-3 ***
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface GigabitEthernet0/6
  interface GigabitEthernet0/7
  description *** CONNECTING TO CISCO-2960 SWITCH-4 ***
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface GigabitEthernet0/8
  interface GigabitEthernet0/9
  description *** CONNECTING TO CISCO-2960 SWITCH-5 ***
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface GigabitEthernet0/10
  interface GigabitEthernet0/11
  description *** CONNECTING TO CISCO-2960 SWITCH-6 ***
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface GigabitEthernet0/12
  interface GigabitEthernet0/13
  description *** CONNECTING TO CISCO-2960 SWITCH-7 ***
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface GigabitEthernet0/14
  description *** CONNECTING TO CISCO-2960 SWITCH-8 ***
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface GigabitEthernet0/15
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface GigabitEthernet0/16
  interface GigabitEthernet0/17
  interface GigabitEthernet0/18
  interface GigabitEthernet0/19
  interface GigabitEthernet0/20
  interface GigabitEthernet0/21
  interface GigabitEthernet0/22
  interface GigabitEthernet0/23
  interface GigabitEthernet0/24                       
  description Connecting to Cisco-1800 Router             
  switchport access vlan 50
  switchport mode access
  interface GigabitEthernet0/25
  interface GigabitEthernet0/26
  interface GigabitEthernet0/27
  interface GigabitEthernet0/28
  interface Vlan1                                     ***** L2 switch's Vlans
  ip address 192.168.1.1 255.255.255.0      
  interface Vlan10
  ip address 192.168.10.1 255.255.255.0
  ip access-group 101 in
  interface Vlan20
  ip address 192.168.20.1 255.255.255.0
  ip access-group 101 in
  interface Vlan50
  ip address 192.168.30.1 255.255.255.0
  ip classless
  ip route 0.0.0.0 0.0.0.0 192.168.30.10
  ip http server
  access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
  access-list 101 permit ip any any
  access-list 101 permit icmp any any
  control-plane
  line con 0
  line vty 0 4
  password cisco
  no login
  line vty 5 15
  no login
  end

• How to make 2 clients on same VLAN communicate to each other when tunnel-loop-prevention is enabled?

  Requirement:
  How to make two clients on same VLAN communicate to each other when tunnel-loop-prevention is enabled on tunneled-node configuration at controller?
  Whenever we enable tunnel-loop-prevention on controller while we configure tunneled-node, the communication between two tunneled-node client on same VLAN is blocked or dropped.
  If the tunneled-node clients are of different VLANs then they can communicate between them even when the tunnel-loop-prevention is enabled on the controller.
  Solution:
  To make two tunneled-node client on same VLAN to communicate between them, we need to enable "local-proxy-arp" for the interface VLAN on the controller.
  Once it is enabled now the tunneled-node clients on same VLAN can communicate between each other. 
  Configuration:
  To enable "local-proxy-arp":
  Get to the interface of the VLAN on the controller
  Example :
  (config)#interface vlan 5
  (config)#ip local-proxy-arp
  To enable tunnel loop prevention on controller
  (config)# tunnel-loop-prevention
  Verification
  Show commands:
  To check if tunnel-loop-prevention is enabled or disabled
  #show tunneled-node config
  Tunnelded node Server: Enabled
  Tunnel Loop Prevention: Enabled
  To check if local-proxy-ap is enabled:
  #show interface vlan 5
  Look for in the output "ProxyARP enable"

  streetfi8er wrote:
  Server ready,waiting for client:
  Exception in thread "New THREAD" java.lang.NullPointerException
       at server4$server4Thread.run(server4.java:88)
  Failed to accept client
  when i run the second client programme on different a console in the same system i get the error that:
  Unknown HostOK, I'm no socket programming expert; but I can see a few potential problems with what you've written.
  1. First off, which line is line 88? Line numbers would be useful. Also, indenting your code properly would make it easier to read.
  2. Your 'while(!str.equalsIgnoreCase("close"))' will always fail with a NullPointerException because 'str' is initially set to null.
  3. Your 'while(true)' loop worries me. How does it exit? Relying on an exception is usually very bad practise.
  4. You are not handling SecurityExceptions. While it's unlikely to happen on your machine; it could easily happen on another.
  5. It might be worth indicating the actual exception thrown in your "Failed to accept client" message. accept() can throw three different types of IOException.
  6. All the threads you create will be called "New THREAD", which doesn't provide much value.
  HIH
  Winston

• Multiple data blocks on the same canvas

  Forms newbie question:
  Is it possible to have 2 data blocks with two different sets of transactional triggers (ON-UPDATE, ON-LOCK, etc.) on the same canvas?
  I've got an example where i've got two data blocks (one sourced from a view, and one that is a CTL block) on the same canvas. The block sourced from the view is working fine. When I make updates, they are reflected, etc. But, i've got one field in the control block that I need to update from as well, and I can't seem to get it (or any of the CTL block items) to show up as "updateable", regardless of the set_item_property....theyre always grayed out.
  Do i need to take the user to a new canvas to be able to utilize the update of the ctl field?

  A second canvas is not needed. Normally, control-block items are always updateable, so there is something going on in your form to prevent it.
  > I can't seem to get it (or any of the CTL block items) to show up as "updateable",
  regardless of the set_item_property....theyre always grayed out.
  What... Is there code someplace in the form that sets them to Enabled, false? If that is the case, then to get them working again, besides setting Enabled to true, you also must set Updateable and Navigable to Property_True. (This is documented at the end of the on-line help on Set_Item_Property.)

• AP groups with same vlans , same ssid but different subnet.

  Hi Members,
  I have a Cisco Flex 7500 in my datacenter and I need to connect 100 sites , each site with 2-3 APs , each side has its own network and is independent of other sites , the site only need to comunity locally and do not need to access any centralized applications.
  I am trying to achieve this by Creating 100  different AP groups and assiging 2-3 AP in each groups for each branch, I will achieve WAN failover resiliency by creating flexconnect groug , the issue I am facing are as below .
  1.Since all the sites has same setup , the AP and clients on all sites are in vlan 2 , so when I try to create 2 or more AP group with same vlan, it restricts me of doing so , I cannot create diffrent AP groups mapped to same Vlan .
  2.If I keep the APs and Clients in the same subnet , I dont think it should be a problem , but I need your second opinion.
  to give you an even better picture , look at the topology enclosed , and my question is if both STAFF and STUDENT APs are in same vlan but in 2 different broadcast domain , how would I create the AP groups.
  Thank you

  Thanks for the reply Jenn , here is my situation.
  I have 2 sites lets day , site A in virginia ,  site B in Maryland.
  SiteA - 10.1.1.0/24 - vlan 2
             10.1.2.0/24 - vlan 3
             10.1.3.0/30 - WAN to central site where controller sits.
  SiteB - 10.2.1.0/24 - vlan 2
             10.2.2.0/24 - vlan 3
             10.2.3.0/30 - WAN to central site where controller sits.
  both the sites will have a single ssid "XYZ" and will switch locally only.
  howin my understanding the way I will deploy this is as below
  1.I will create WLAN with ssid "XYZ".
  2.I will create 2 AP groups lets say "Site-A" and "Site-B"
  3.I will map the APs in site A to AP group "Site-A" and APs in Site B to "Site-B"
  4.I will create 2 dynamic interfaces one for each AP group , now this is where I am facing problem , when I am creating dynamin interfaces , I need to specify the subnet and vlans when creating dynamic interfaces , since the vlans used is same on both sites , its not letting me create 2 interfaces with same vlan id.
  in my understanding HREAP is only majorly used for WAN failover and local authentication so I am not concerned about that right not , my prime work is to udnerstand the AP group and working.
  if you still need print shot let me know I will have to go at site.
  also validate if my thinking is right on the 4 steps I have mentioned above , I am new to wireless and whatever I have learned I have learned in last 10 days .
  Appreciate your help.
  Thank you

• 2 SSIDs on the same Vlan?

  Hi all -
  Newbie question. When I am setting up wireless, will I be able to use 2 different SSIDs on the same vlan?
  Example:
  dot11 ssid Example1
  vlan 2
  authentication open eap eap_methods
  authentication network-eap eap_methods
  dot11 ssid Example2
  vlan 2
  authentication open eap_methods
  authentication network-eap eap_methods

  Hi James,
  Hopefully the attached docs will answer your question:
  Cisco Aironet 1100 Series
  Using VLANs with Cisco Aironet Wireless Equipment
  Deprecated versions of Cisco Aironet software permit binding multiple SSIDs to one VLAN. Current versions do not.
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#
  Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.2(15)JA
  Configuring Multiple SSIDs
  vlan vlan-id
  (Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. You can assign only one SSID to a VLAN.
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802085c4.html
  Hope this helps!
  Rob
  Please remember to rate helpful posts.......

• 3750 bandwidth limitation between the same vlan over the trunk

  Hi All,
  I have 2 3750G series switches on the trunk link. some machines are part of vlan1 on the switch 1 and some machines are the part of the same vlan1 on the other switch2. I need to limit the bandwidth between the switches for the vlan1. picture is attached.
  I tried to do through the modulare policy frame work (class-map/service-map and policy-map using the police command) but problems are
  1) 3750 does not support output service policy, so i cannot apply the policy on the output of the trunk link.
  2) I can apply the input policy but it will be only for one machine but not for the others on the same switch. if i apply the policy on per port basis then every port has separate bw limitation. I require to limit the bandwidth on per vlan basis on the trunk port. like vlan 1 takes 10 MB, VLAN2 takes 10 MB on the trunk link when communicating between the same vlans.
  Is there any solution for that scenario? your help in this case will be higly appriciated. As its the layer 2 communication, its hard for me to find the solution. if it was layer 3 then i can do it easily by using the rate-limit commmand on the interface.
  thanks

  On the 4500 series we use vlan-range for this,
  conf t
  qos aggregate-policer 10MB 10 mbps 1250000 byte conform-action transmit exceed-action drop
  policy-map 10MB
  class class-default
  police aggregate 10MB
  interface GigabitEthernet1/1
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,10,12,15
  switchport mode trunk
  switchport nonegotiate
  vlan-range 1
  service-policy input 10MB
  service-policy output 10MB
  end
  dunno if the 3750's have the same options