Bridging multiple VLAN with sg 200-08 and wap321

Hi all
Equipment:
ASA 5505
2x gs 200-08
2x wap321
Is there a possibility to bridge 2 VLANs between one side and the other with two WAP321s, and also use the APs as a WDS bridge to extend the wireless network?
I need to extend the range of the WLAN but also want to use 2 different VLANs on both sides of the network. There is no possibility to establish a wired connection, so I try to use the APs in "workgroup bridge" mode, but I can always use only one VLAN on the other side.
Thanks for any help

Hi Luis
The Problem is, there is no wired connection between the WAP321.
The topology is like this:
VLAN1------ASA5505--  --SG200-08---------WAP321             WAP321--------SG200-8-------VLAN1
                                             I                                                                                                 I
VLAN2---------------------------                                                                                               -----------VLAN2
VLAN1 and VLAN2 are also available in the WLAN on 2 Different SSID's:
SSID: inside -> VLAN1
SSID: outside -> VLAN2
If I understand the cluster mode right, a wired connection is required between the WAP321s.
In the meantime I tried to connect the WAP321s over WDS, but always only VLAN1 is available on the "right" side of the network.
Is there a possibility to bridge multiple VLANs over a WDS connection?
Best Regards
Dominique

Similar Messages

  • AP1300 Bridging Multiple Vlans with Dot1q

    I have a pair of AIR-BR1310G-E-K9 to do ptp bridging. Topology is like this:
    host-switch-rootAP---nonRootAP-switch-host
    We have multiple vlans and have followed this doco:
    <http://www.cisco.com/en/US/docs/wireless/access_point/1300/12.3_7_JA/configuration/guide/b37vlan.html>
    The native vlan is all good and can ping across end-to-end. However, when I attach a host to the switch in another vlan, i.e. the user vlan, there is no connectivity. Essentially, we want to dot1q over the ptp bridge setup.
    running version:
    c1310-k9w7-mx.124-10b.JA1
    appreciate any input.
    Ajaz

    yes. standard trunk config on both switches:
    5SL_SWITCH#srif 0/24
    Building configuration...
    Current configuration : 186 bytes
    interface FastEthernet0/24
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,100
    switchport mode trunk
    switchport nonegotiate
    spanning-tree portfast trunk
    end
    5SL_SWITCH#show interfaces trunk
    Port Mode Encapsulation Status Native vlan
    Fa0/24 on 802.1q trunking 1
    Port Vlans allowed on trunk
    Fa0/24 1,100
    Port Vlans allowed and active in management domain
    Fa0/24 1,100
    Port Vlans in spanning tree forwarding state and not pruned
    Fa0/24 1,100
    5SL_SWITCH#
    11SL_SWITCH#srif 0/24
    Building configuration...
    Current configuration : 186 bytes
    interface FastEthernet0/24
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,100
    switchport mode trunk
    switchport nonegotiate
    spanning-tree portfast trunk
    end
    11SL_SWITCH#show interfaces trunk
    Port Mode Encapsulation Status Native vlan
    Fa0/24 on 802.1q trunking 1
    Port Vlans allowed on trunk
    Fa0/24 1,100
    Port Vlans allowed and active in management domain
    Fa0/24 1,100
    Port Vlans in spanning tree forwarding state and not pruned
    Fa0/24 1,100
    11SL_SWITCH#
    furthermore the vlans exist in the db and when i trunk between the switches - I can ping the SVI's.
    Do you want me to post the AP config?

  • Is it possible to search for multiple folders with the same name and...

    Is it possible to search for multiple folders with the same name and then select them all and change the permissions on just those folders .i.e. Search for the budget folders in all client folders and lock them down to just the project managers. Without having to go to each folder and apply the permissions.

    user11919409 wrote:
    Is it possible to create a Clone database with the same name of source db using RMAN ...
    yes
    >
    DB version is 11.2.0.2
    Is it possible to clone a 11.2.0.2 database to 11.2.0.3 home location directly on a new server . If it starts in a upgrade mode , it is ok ....yes
    Handle:     user11919409
    Status Level:     Newbie (10)
    Registered:     Dec 7, 2009
    Total Posts:     102
    Total Questions:     28 (22 unresolved)
    why do you waste time here when you rarely get any answers to your questions?

  • Guest VLAN with SG-200

    I'd like to use the SG-200 to create an isolated guest VLAN that cannot access the secure LAN, except of course for the router. This post discusses the necessary ACE's to use with an SG-300, but it's not clear that this level of access control exists on the SG-200. Is it possible to isolate a guest VLAN with the SG-200? My network is a roaming (bridged) network that looks like this:
    [Modem] — [AE Router] — [Switch] — [Roaming Wifi]

    Thank you very much for the pointers. I found a way to use the router as my VLAN, keeping the SG-200 as a simple switch. This turns out to be the best option because my router doesn't support ACL's or multiple VLANs that would be used for isolating VLANs on my level 2 switch.
    This router-based solution involved resolving a simple DNS issue. My router gets DNS from the server, which the router's VLAN guests cannot see. Configuring DNS by hand on guest clients (e.g. Google DNS 8.8.8.8, 4.4.4.4) provides guest internet access, isolated from the LAN, all with roaming. And I'm using one less piece of hardware by using the router's VLAN. Thanks again.

  • How do you use multiple displays with a MacBook Pro and iMac

    I have an iMac and a MacbookPro laptop both upgraded to OS X 10.9 (Mavericks).  I'd like to use multiple displays with them.  Can I do this without an Apple TV?  They are both on the same network.  If I can, can someone please give some instructions on how this can be done?
    Thanks!

    Both computers have ports for external monitors. Check your user manuals. Only one display can be added to the MBP, but newer iMacs have dual Thunderbolt ports.
    Do your own Google research to learn what to do, but reading your manuals should be all you really need. It's not rocket science yet.

  • Having multiple problems with script - NTFS Permissions and AD Groups

    Hi, all!  I'm having multiple problems with my first script I've written with Powershell.  The script below does the following:
    1. Prompts the user for a corporate division under which a shared folder will be created, and adjusts variables accordingly.
    2. Prompts if the folder will be a global folder or an office/location-specific folder, and makes appropriate adjustments to variables.
    3.  If a global folder, prompts for the name.  If an office/location-specific folder, prompts for each component of the street address, city and state and an optional modifier.  I've prompted for this information in this way because the information is used differently later on in the script.
    4.  Verifies the entered information and requests confirmation to proceed.
    5.  Creates the folder.
    6.  Creates an AD OU and/or security group(s).
    7.  Applies appropriate security groups to the new folder and removes undesired permissions.
    Import-Module ActiveDirectory
    $Division = ""
    $DivAbbr = ""
    $OU = ""
    $OUDrive = "AD:\"
    $FolderName = ""
    $OUName = ""
    $GroupName = ""
    $OURoot = "ou=DFS Restructure Testing OU,ou=Pennsylvania Camp Hill 4410 Industrial Park Rd,ou=Locations,ou=Camp Hill,dc=jacobsonco,DC=com"
    $FSRoot = "E:\"
    $FolderPath = ""
    $DefaultFolders = "Archive","Customer Service","Equipment","Inbounds","Management","Outbounds","Processes","Projects","Quality","Reports","Returns","Safety","Schedules","Time Keeping","Training"
    [bool]$Location = 0
    # Prompt for the division until a supported one is chosen
    do {
        $userInput = Read-Host "Enter CLS Division: (W)arehousing, (S)taffing, or (P)ackaging"
        Switch ($userInput)
        {
            W {$Division = "Warehousing"; $DivAbbr = "WHSE"; $OU = "ou=Warehousing,"; break}
            S {"Staffing is not yet implemented."; break}
            P {"Packaging is not yet implemented."; break}
            default {"Invalid choice. Please re-enter."; break}
        }
    } while ($DivAbbr -eq "")
    write-host ""
    write-host ($Division + " was selected.")
    $FolderPath = $Division + "\"
    write-host ""
    # Global folder or office/location-specific folder
    $choice = ""
    do {
        $choice = Read-Host "Will this be a (G)lobal folder or (L)ocation folder?"
        Switch ($choice)
        {
            G {$Location = $false; break}
            L {$Location = $true; $FolderPath = $FolderPath + "Locations\"; $OU = "ou=Locations," + $OU; break}
            default {"Invalid choice. Please re-enter."; $choice = ""; break}
        }
    } while ($choice -eq "")
    write-host ""
    write-host ("Location is set to: " + $Location)
    write-host ""
    # Build the folder, OU and group names
    if ($Location -eq $false) {
        $FolderName = Read-Host "Please enter folder name:"
        $GroupName = $DivAbbr + " " + $FolderName
    } else {
        $input = Read-Host "Please enter two-letter state abbreviation:"
        $FolderName = $FolderName + $input + " "
        $input = Read-Host "Please enter city:"
        $FolderName = $FolderName + $input + " "
        $input = Read-Host "Please enter street address number only:"
        $FolderName = $FolderName + $input
        $GroupName = $DivAbbr + " " + $FolderName
        $FolderName = $FolderName + " "
        $input = Read-Host "Please enter street name:"
        $FolderName = $FolderName + $input
        $input = Read-Host "Please enter any optional information to appear in folder name:"
        if ($input -ne "") {
            $FolderName = $FolderName + " " + $input
        }
        $OUName = $FolderName
    }
    # Show what will be created and ask for confirmation
    write-host
    write-host "Path for folder: "$FSRoot$FolderPath$FolderName
    write-host "AD Path: "$OUDrive$OU$OURoot
    write-host "New OU Name: "$OUName
    write-host -NoNewLine "New Security Group names: "$GroupName
    if ($Location -eq $true) { write-host " and "$GroupName" MGMT" }
    write-host
    $input = Read-Host "Please confirm creation of new site/folder: (Y/N) "
    if ($input -ne "Y") { Exit }
    write-host
    # Create the folder if it does not exist yet
    write-host -NoNewLine "Folder exists: "; Test-Path ($FSRoot + $FolderPath + $FolderName)
    if (Test-Path ($FSRoot + $FolderPath + $FolderName)) {
        Write-Host "Folder already exists! Skipping folder creation..."
    } else {
        write-host "Folder does not exist. Creating..."
        new-item -path ($FSRoot + $FolderPath) -name $FolderName -itemtype directory
    }
    Set-Location ($FSRoot + $FolderPath + $FolderName)
    if ($Location -eq $true) {
        # Location folder: create the OU and both security groups, then set the ACL
        $tempOUName = "ou=" + $OUName + ","
        write-host
        write-host $OUDrive$tempOUName$OU$OURoot
        write-host
        write-host -NoNewLine "OU exists: "; Test-Path ($OUDrive + $tempOUName + $OU + $OURoot)
        if (Test-Path ($OUDrive + $tempOUName + $OU + $OURoot)) {
            Write-Host "OU already exists! Skipping OU creation..."
        } else {
            write-host "OU does not exist. Creating..."
            New-ADOrganizationalUnit -Name $OUName -Path ($OU + $OURoot) -ProtectedFromAccidentalDeletion $false
        }
        $GroupNameMGMT = $GroupName + " MGMT"
        if (!(Test-Path ($OUDrive + "CN=" + $GroupName + "," + $tempOUName + $OU + $OURoot))) { write-host "Normal user group does not exist. Creating..."; New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global -Path ("OU=" + $OUName + "," + $OU + $OURoot)}
        if (!(Test-Path ($OUDrive + "CN=" + $GroupNameMGMT + "," + $tempOUName + $OU + $OURoot))) { write-host "Management user group does not exist. Creating..."; New-ADGroup -Name $GroupNameMGMT -GroupCategory Security -GroupScope Global -Path ("OU=" + $OUName + "," + $OU + $OURoot)}
        $FolderACL = get-acl ($FSRoot + $FolderPath + $FolderName)
        $FolderACL.SetAccessRuleProtection($True,$True)
        # $FolderACL.Access | where {$_.IdentityReference -eq "BUILTIN\Users"} | %{$FolderACL.RemoveAccessRuleAll($_)}
        $BIUsers = New-Object System.Security.Principal.NTAccount("BUILTIN\Users")
        $BIUsersSID = $BIUsers.Translate([System.Security.Principal.SecurityIdentifier])
        write-host $BIUsersSID.Value
        # out-string -inputObject $BIUsers
        $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($BIUsersSID.Value,"ReadAndExecute,AppendData,CreateFiles,Synchronize","ContainerInherit, ObjectInherit", "None", "Allow")
        $FolderACL.RemoveAccessRuleAll($Ar)
        Set-ACL ($FSRoot + $FolderPath + $FolderName) $FolderACL
        get-acl ($FSRoot + $FolderPath + $FolderName) | fl
        $FolderACL = get-acl ($FSRoot + $FolderPath + $FolderName)
        $ADGroupName = "JACOBSON\" + $GroupName
        $objUser = New-Object System.Security.Principal.NTAccount($ADGroupName)
        $objUser.Translate([System.Security.Principal.SecurityIdentifier]).Value
        write-host $ADGroupName
        write-host $objUser.Value
        $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($ADGroupName,"ReadAndExecute","ContainerInherit, ObjectInherit", "None", "Allow")
        Out-String -InputObject $ar
        $FolderACL.AddAccessRule($Ar)
        $ADGroupName = "JACOBSON\" + $GroupNameMGMT
        $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($ADGroupName, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
        Out-String -InputObject $ar
        $FolderACL.AddAccessRule($Ar)
        Set-ACL ($FSRoot + $FolderPath + $FolderName) $FolderACL
    } else {
        # Global folder: create a single security group, then set the ACL
        $tempOUName = "cn=" + $GroupName + ","
        write-host
        write-host $OUDrive$tempOUName$OU$OURoot
        write-host
        write-host -NoNewLine "Group exists: "; Test-Path ($OUDrive + $tempOUName + $OU + $OURoot)
        if (Test-Path ($OUDrive + $tempOUName + $OU + $OURoot)) {
            Write-Host "Security group already exists! Skipping new security group creation..."
        } else {
            write-host "Security group does not exist. Creating..."
            New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global -Path ($OU + $OURoot)
        }
        $FolderACL = get-acl ($FSRoot + $FolderPath + $FolderName)
        $ADGroupName = "JACOBSON\" + $GroupName
        $FolderACL.SetAccessRuleProtection($True,$True)
        $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($ADGroupName,"Modify","ContainerInherit, ObjectInherit", "None", "Allow")
        $FolderACL.AddAccessRule($Ar)
        $FolderACL.Access | where {$_.IdentityReference -eq "BUILTIN\Users"} | %{$FolderACL.RemoveAccessRuleAll($_)}
        Set-ACL ($FSRoot + $FolderPath + $FolderName) $FolderACL
    }
    My problems right now are in the assignment/removal of security groups on the newly-created folder, and the problems are two-fold.  Yes, I am running this script as an Administrator.
    First, I am unable to remove the BUILTIN\Users group from the folder when this is an office/location-specific folder.  I've tried to remove the group in several different ways, and none are having any effect.  Oddly, if I type in the lines directly into Powershell, they work as expected.  I've tried the following methods:
    $FolderACL = get-acl ($FSRoot + $FolderPath + $FolderName)
    $FolderACL.SetAccessRuleProtection($True,$True)
    $FolderACL.Access | where {$_.IdentityReference -eq "BUILTIN\Users"} | %{$FolderACL.RemoveAccessRuleAll($_)}
    Set-ACL ($FSRoot + $FolderPath + $FolderName) $FolderACL
    $FolderACL = get-acl ($FSRoot + $FolderPath + $FolderName)
    $FolderACL.SetAccessRuleProtection($True,$True)
    $BIUsers = New-Object System.Security.Principal.NTAccount("BUILTIN\Users")
    $BIUsersSID = $BIUsers.Translate([System.Security.Principal.SecurityIdentifier])
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($BIUsersSID.Value,"ReadAndExecute,AppendData,CreateFiles,Synchronize","ContainerInherit, ObjectInherit", "None", "Allow")
    $FolderACL.RemoveAccessRuleAll($Ar)
    Set-ACL ($FSRoot + $FolderPath + $FolderName) $FolderACL
    In the first case, the script goes through and has no apparent effect because afterwards, I do a get-acl and the BUILTIN\Users group is still there, although when looking through the GUI, inheritance appears to have been broken from the parent folder.
    In the second case, I get the following error message:
    Exception calling "RemoveAccessRuleAll" with "1" argument(s): "Some or all identity references could not be translated."
    At C:\Users\tesdallb\Documents\FileServerBuild.ps1:110 char:5
    +     $FolderACL.RemoveAccessRuleAll($Ar)
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : IdentityNotMappedException
    This seems strange that the local server is unable to translate the SID of a BUILTIN account.  I've also tried explicitly putting in the BUILTIN\Users SID in place of the variable in the New-Object line, but that gives me the same error.  I've also tried the solutions given in this thread:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/ad59dc58-1360-4652-ae09-2cd4273cbd4f/remove-acl-issue?forum=winserverpowershell and at this URL:
    http://technet.microsoft.com/en-us/library/ff730951.aspx but these solutions also failed to have any effect.
    My second problem is when I try to apply the newly-created security groups, I also will get the "Some or all identity references could not be translated."  I thought I had found a workaround to the problem by adding the -PassThru option to the New-ADGroup commands, because it would output the SID of the group after creation, however a few lines later, the server is unable to translate the account to apply the security groups to the folder.
    My first Powershell script has been working well up to this point and now I seem to have hit a showstopper.  Any help is appreciated.
    Thanks!

    I was hoping to stay with strictly Powershell, but unless I can find a Powershell solution, I may resort to ICACLS.
    As for the problems with my groups not being translatable right after creating them, I think I have solved this problem by using the -Server parameter on all my New-ADGroup commands and this example code seems to have gotten around the translation problem, again utilizing the -Server parameter on the Get-ADGroup command:
    get-acl ($FSRoot + $FolderPath + $FolderName) | fl
    $FolderACL = get-acl ($FSRoot + $FolderPath + $FolderName)
    # Add the new normal users group to the folder with Read and Execute permissions
    $GroupSID = Get-ADGroup -Identity $GroupName -Server chadc01.jacobsonco.com | Select-Object -ExpandProperty SID
    $SIDIdentity = New-Object System.Security.Principal.SecurityIdentifier($GroupSID)
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($SIDIdentity,"ReadAndExecute","ContainerInherit, ObjectInherit", "None", "Allow")
    $FolderACL.AddAccessRule($Ar)
    # Add the management users group to the folder with Modify permissions
    $GroupMGMTSID = Get-ADGroup -Identity $GroupNameMGMT -Server chadc01.jacobsonco.com | Select-Object -ExpandProperty SID
    $SIDIdentity = New-Object System.Security.Principal.SecurityIdentifier($GroupMGMTSID)
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($SIDIdentity, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
    $FolderACL.AddAccessRule($Ar)
    Set-ACL ($FSRoot + $FolderPath + $FolderName) $FolderACL
    Going this route seems to ensure that the Domain Controller I'm creating my groups on is the same one that I'm querying for the group's SID to use in the FileSystemAccessRule.  It's been working fairly consistently.
    Still having issues with the translation of the BUILTIN\Users group, though. 
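
The BUILTIN\Users removal discussed in this thread, as an added example that is not part of the original posts: access rules copied by SetAccessRuleProtection only become removable once that change has been committed with Set-Acl and the ACL re-read, and a SecurityIdentifier object needs no name translation (the FileSystemAccessRule constructor that takes a string treats it as an account name). The function name, its parameters and the sample path are hypothetical.

```powershell
# Added example, not from the thread. Function name, parameters and the
# sample path in the usage comment are hypothetical.
function Remove-IdentityFromFolderAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Defaults to the well-known SID of BUILTIN\Users
        [string]$Sid = 'S-1-5-32-545'
    )

    if (-not (Test-Path -Path $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    # Build the identity from the SID itself so no account-name lookup
    # (and no IdentityNotMappedException) is involved.
    $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)

    # Pass 1: stop inheriting from the parent but keep copies of the
    # inherited rules, then write that state to disk.
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($true, $true)
        if ($PSCmdlet.ShouldProcess($Path, 'Disable inheritance, keep copies')) {
            Set-Acl -Path $Path -AclObject $acl
        }
    }

    # Pass 2: re-read the ACL so the copied rules are explicit, then purge
    # every rule (allow and deny) that names the identity.
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules($identity)
    if ($PSCmdlet.ShouldProcess($Path, "Remove all access rules for $Sid")) {
        Set-Acl -Path $Path -AclObject $acl
    }

    # Verify against what is actually on disk, comparing by SID string.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $remaining = @((Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $Sid })
    return ($remaining.Count -eq 0)
}

# Usage (hypothetical path); returns $true when no rule for the SID is left:
# Remove-IdentityFromFolderAcl -Path 'E:\Warehousing\Locations\Example Site' -Verbose
```

Run with -WhatIf first to see which folders would be changed; in that mode nothing is written, so the function returns $false whenever rules for the SID are still present.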

  • How do I add a Subnet and vlan with a catalyst 3550 and RV120

    Hello Friends.
    I have a scenario that I'm hoping I can get some help with. I'll be as detailed and descriptive as I can.
    This is for a business with 100 employees nodes and 100 camera nodes all needing IP internet through private addressing and public gateway.
    I have a business class gateway with a private range of 12 public addresses. The modem does nothing but act as a gateway since I have disabled the firewall and DHCP.
    In place of the firewall and DHCP from the modem I have installed a RV120 Firewall with VPN. When installing I replicated the IP scheme of the modem so as not to disturb and disrupt the devices assigned addresses from that scheme from the modem. I did this because the owner could not have any down time or any disruption to the business operations.
    The RV120 now acts as firewall, DHCP, and VPN. I'll address the subnet first. It's using 10.0.0.0/24 subnet range.
    DHCP is assigning 10.1.10.50 - 10.1.10.100 the rest are static and i plan to use static DHCP with the IP and MAC assigned to each static DHCP address.
    There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.0.1.101 - 10.1.10.170.
    VPN uses PPTP assigned address 10.1.10.6 - 10.1.10.10.
    There are no layer 3 switches that I know of. Just a layer two that is the primary switch and ports have run out, and various out of the box switches and wireless access points connected to the primary switch.
    I want to implement subnets into the network and VLANs as well on a new Layer 3 switch from Cisco. Thinking 3550 from Cisco or one of the older layer 2 switches with layer three capabilities.
    I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.
    I want to replace the 10.0.0.0/24 DHCP alltogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes segmented.
    I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.
    I've thought of replacing all the wireless nodes with RV120's and use VLAN. Don't know if that strategy works. Need to think it through.
    I want the 192.168.0.0/24 IP range to communicate with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.
    Any advice on how to do this?
    As a side note the next step after this is to install a server domain controller as all the computers are all stand alones in their own workgroups. It's a simultaneous project that will introduce a DHCP, WINS, DNS server.

    Hi Omid, it sounds like you're proposing the 3550 switch but you're not decided yet. The 3550 switch is a pretty old device and needs enhanced multilayer image. It may be more prudent to use a more current switch such as small business SG300 or SG500 as the feature set is more rich and it supports around 480 LAN connections.
    To answer the inquiry, the RV120W, when you create a VLAN it will automatically create an IP interface. From this you may assign subnet as you like along with 'enable or disable' for inter vlan routing. Since the RV120W has this feature, a layer 3 switch is not required unless you are looking to keep the routing load smaller by routing locally with the switch.
    With Catalyst or a small business switch you would need to create a VLAN. After creating the VLAN, on a Catalyst you can simply issue "switchport trunk encapsulation dot1q" on the desired interface and all VLANs will pass without issue. For a port connecting a user: "switchport mode access" "native vlan xx". This will assign the port as untagged member of the desired VLAN.
    If using a small business switch, it is slightly different, you still create the VLAN but the command issue is a bit different  "switchport trunk allowed vlan add xx" for the link to the router, where xx = the VLAN ID to tag to the router. For access client it remains the same as Catalyst.

  • Multiple Vlans with multiple Internet connections using PBR

    Hello all,
    I'm trying to wrap my head around this configuration and not having a lot of success.  I have several Vlans 3,6,71,72,160, and 180.  I have two internet connections, Internet1 is connected to an ASA5510 and Internet2 is connected to a Meraki MX80.  I'm using two 4506 switches on my backbone trunked to 3750 switches that my clients connect to.  None of these switches have IP Services and my 4506 supervisor does not have an Enterprise license. However I do have one 3750 100Mbit switch with IP Services so I'm using that to do my PBR.  All my routing is currently being done on the 4506 switches and all Internet traffic is going to the ASA.  What I would like to do is force vlan160 and vlan180 through the Meraki as their Internet connection and the rest of the Vlans go through the ASA.  I'm thinking about trunking my vlans from the 4506 to the 3750 (the one with IP Services) and use policy based routing from there to force vlan160 and vlan180 to the Meraki.  But in order to do this I think I would have to move my routing onto the 3750 switch but since that is only 100Mbits I'm thinking this is going to choke my network down and defeat the purpose of the 4506 backbones.  Any suggestions or alternate ways to achieve my goal?
    Appreciate any help you guys can send my way.
    Matt

    Matthew
    What is the speed of the connection from the 4500 to the ASA and what is the combined speeds of the internet connections ?
    You definitely don't want to do all the inter vlan routing on the 3750. You could connect it up as shown in your diagram but leave all the routing between vlans on the 4500s. Then you -
    1) connect the 3750 to the 4500 using a L3 point to point link
    2) connect the 3750 to the ASA using a L3 point to point link
    3) do PBR on the 3750 interface connected to the 4500 for traffic coming from the 4500.
    If the 4500 supervisor/IOS version doesn't support routed links on that end just use an access port in a dedicated vlan ie. no other ports in the vlan and create a new SVI for it.
    You would need to update your routing to reflect the next hop on the ASA, Meraki, 3750 and the 4500.
    Disadvantages are -
    1) you only have fast ethernet ports on the 3750 so if the combined internet speed is greater than that then it will be a bottleneck.
    2) it is a single point of failure ie. if it is lost all internet via both connections is lost.
    The alternative would be to not have the 3750 in the path but connected to the 4500 via a trunk link and then route just vlan 160 and 180 on the 3750 ie. move their SVI(s) onto the 3750. Then the 3750 could have a direct connection to the Meraki device and point the default route that way (no PBR needed). The trunk would only allow those specific vlans on it.  This would mean a failure of the 3750 would not mean ASA internet lost but it would mean loss of connectivity for the two vlans routed on the 3750.
    You would need to add routes to the Meraki for return traffic plus routes on the 3750 and 4500 for inter vlan routing.
    The main disadvantages here are -
    1) inter vlan routing between the vlans routed on the 4500s and the vlans on the 3750 will be limited by the 100Mbps connection. However you could use an etherchannel trunk so you could get greater overall throughput and some redundancy
    2) more importantly though i suspect you are running HSRP between the 4500s for the client vlans and moving the SVIs onto the 3750 means a single point of failure for those vlans. 
    Personally I would tend towards option 1) because of the SVI HSRP issue and perhaps because there may be a lot of inter vlan traffic and even with an etherchannel it would be too much.
    But, single point of failure issues aside, a lot does depend on internet bandwidth in option 1) vs inter vlan traffic in option 2).
    So it's a tradeoff and personally i don't think either are ideal  so i'll have another think on this in the morning to see if there is anything more obvious that i have missed or maybe someone else will add to the post.
    Jon

  • Configure vlan with SG 300-10P and SA 520

    Hi All,
    Forgive my ignorance but i need some help for basic configuration.
    I bought for a little office a SA520 Security appliance (for future VPN with another distant office) and a SG 300-10P switch to connect 3 PC and 3 IP PHONE. The SA 520 is the router. I must configure 2 VLANs on the switch:
    VLAN2 : DATA (for PC)
    VLAN3 : VOICE (for IP PHONE)
    VLAN1 : DEFAULT.
    How can i simply configure all ports ?
    I would like to configure ports 1-4 on VLAN2 and ports 5-8 on VLAN3 and port G10 is reserved for the router SA520.
    I want to divide the network DATA/VOICE.
    I think I must create a trunk on G10 for SA520 ...
    Can anyone help me?

    Hi Julien,
    Ok sounds like you are using the default vlan for management on the network  and vlan 2 for data  and vlan3 for voice.
    I am using a simulator for this, my SA520 is loaned out at the moment.
    Step 1   On the SA520  add vlan 2 and vlan 3  and label them data and voice respectively. 
    Step 2. Let's use switch port 4 on the SA520 as a trunked port to the SG-300.
                (my intention is to use untagged vlan1, tagged vlan 2 and tagged vlan 3 on  the uplink from the switch and the SA500.)
              To do this I have to tell the SA520 that switch port 4 will be in trunking mode and not access mode.
    You will have to tick off the membership of vlan 2 and vlan 3 on switch port 4.
    Step 3.  Now add some IP addresses for VLAN2 and VLAN3
    Step 4.  Create some DHCP scopes if that is what is needed on the SA520
    So by now hopefully we have the SA520 with  IP addresses associated with VLAN1, VLAN2 and VLAN3
    We also have switch port 4 as a trunk interface
    We are propagating untagged vlan1 and tagged vlan2 and tagged vlan3 to the SG-300 switch.
    We have to do the opposite on the SG-300 switch.
    If you are using G10 as the uplink to the SA520 you will note by default  port 10 should already be in trunk mode.
    switch port G10 should be tagged for vlan 2 and tagged for vlan3.  By default Gi10  it will be untagged for vlan1.
    Make sure you set up the rest of the switch ports appropriately. 
    regards Dave

  • Multiple issues with iCloud calendar, notes, and iDevices

    So many issues... where to begin?
    Tonight I created a new note entry on my iPad. We had a birthday party for our twins yesterday, and as we opened the presents tonight, I logged who gave us what so my wife and I can write thank-you letters and credit the right people for the right gifts. I e-mailed the note (straight from the Notes app) to my wife to be sure she had a copy of it, and it sent me a CC: automatically per my e-mail setup.
    That was a few hours ago. as of now, I have 137 copies of that e-mail in my in-box and they're still coming.
    A few weeks ago, when I finally got my new iMac (previously I was on a G5 tower that was dying and, of course, unable to upgrade to an OS X capable of supporting iCloud... since I knew my me.com account would be closing soon, I bit the bullet and bought new hardware to support iCloud), I set up my iPad (first-gen model with latest supported iOS) and my wife's iPhone (iPhone 4 with latest supported iOS) to use iCloud with my account so we could continue to share calendars, etc. As much as I resented iCloud being forced on me just when I finally got me.com mostly working, I did like the idea of push-updates to calendars. With twin toddlers, my wife was regularly booking playdates and other activities which affected my schedule, so live syncing of our calendars sounded like a good idea at the time. Nevertheless, all I got was headaches from iCloud ever since setting it up:
    We each now have double and triple calendar entries.
    Some of her Notes disappear on her after a iPhone sync on the iMac.
    Push notifications and calendar updates have never once worked. In fact, when entering items on what should be our iCloud calendar on one device or another, many items NEVER synced, over the air OR in iCal.
    I can now no longer sync to my work calendar, which is in iCal on my work computer, a Mac Pro tower not yet on an OS X version capable of iCloud syncing (for what that's worth). I have no control over updates to my MacOS at work, and feel as though it wouldn't matter if I did because live updates don't work for me anyway. But now I have had to re-enter a year's worth of meetings, work holidays, paydays, and late-night bookings, previously only on my Work calendar but once syncable to home, on my home calendar. Manually.
    Oh, by the way, since I started typing this, my e-mailed Note from earlier tonight has continued to flood into my mailbox and now I'm up over 150 copies and they're STILL flooding in. I can see them piling up.
    Rhetorically, why does iCloud suck so much? Literally, seeking an answer: what, if anything, am I doing wrong... and what can I do to make it work properly?
    I feel like I did due diligence, reading up on how to set things up right. I'm no stranger to Apple's way of doing things - I've been a Mac user since the SE/30 days. But while MobileMe and me.com merely frazzled me, iCloud is seriously messing up my life. I hate it and I hate being forced to use it in order to take full advantage of my hardware. The concept is great but I find that, in practice, it's an awful system (at least so far - hopefully, it will improve).
    Any advice is welcome. Thanks in advance.
    - Mike

    By any chance, did you or your wife use any forwarding options under MobileMe?

  • Multiple vLans with Multiple Gateways

    HI.
    Got a SF500 in layer3 mode, operating 5 vlans all with their own subnet.
    Vlan 10 = 192.168.10.0/24
    Vlan 100 = 192.168.100.0/24
    Vlan 200 = 192.168.200.0/24
    Vlan 201 = 192.168.201.0/24
    Vlan 202 = 192.168.202.0/24
    We have a gateway on Vlan 10 (192.168.10.1), which all vlans can see & access (because of intervlan routing), and this at present allows vlan 10 to access the internet.
    I want vlan 100 to be able to access the internet through this gateway as well, although the other vlans (200,201,202), will use a different gateway located on vlan 200 subnet.
    Of course, the gateway has to exist in the subnet.  I cannot assign the default gateway of a machine on vlan 100, an ip address of the gateway on vlan 10.  
    If I point the default gateway to the virtual interface in its subnet (e.g. 192.168.100.254), it equally does not know how to get out to the internet, even though it can see the gateway (I can access a web page it hosts).
    So the question is this:
    Can vlan 100 traffic be routed on the SF500 to use the gateway on vlan 10? (outside of the default gateway of the switch).
    If this is not possible with the SF500, what would I need to make it work?
    Many thanks.

    Hi Andrew,
    I don't have more information about your network, so I will try to match your configuration from your post.
    Let's say we have this configuration:
    1. Create Vlan 10 and assign on SVI IP address 192.168.10.254 /24
    2. Create Vlan 100 and assign on SVI ip address 192.168.100.254/24
    3. Create Vlan 200 and assign on SVI ip address 192.168.200.254/24
    4. Create Vlan 201 and assign on SVI IP address 192.168.201.254/24
    5. Create Vlan 202 and assign on SVI IP address 192.168.202.254/24
    and the gateway (Router) is on Vlan 10 with IP address 192.168.10.1
    6. We assign at least one port to each VLAN, and the switch port that is connected to the router should be a trunk (10U,100T,200T,201T,202T); it means all the traffic from Vlan 100,200,201,202 is tagged and transmitted through untagged Vlan 10
    7. Under IP Configuration --> IPv4 Management and Interface --> IPv4 Route
    8. Add the default static route to the gateway:
    Destination  : 0.0.0.0
    SubnetMask   : 0.0.0.0
    Remote IP GW :192.168.10.1
    Now, what is expected from the router: the router needs to NAT all the source IP addresses (200.0/24, 100.0/24 ...)
    I don't know which router you have, but there are routers that NAT all the sources coming to them to go to the Internet, and there are other routers on which you need to configure NAT for the addresses unknown to the router --> this is up to the router
    After that, connect a PC to a port on Vlan 100 and set up a static IP, for example 192.168.100.100/24 with GW 192.168.100.254; it should access the internet via the trunk port on the switch, and the router should NAT this subnet to go outside
    Hope I was clear
    Please rate this post or mark it as answered to help other Cisco Routers
    Greetings 
    Mehdi
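The routing table that results from the steps in the reply above, as an added example (not code from the thread or from Cisco). It assumes the switch does an ordinary destination-based longest-prefix lookup; the internet destination, the VLAN 200 host and the `router_translates` helper are constructed for illustration.

```python
import ipaddress

# Routing table implied by the steps above: one connected route per SVI plus
# the single static default route. Prefixes and next hop are from the thread.
ROUTES = [
    ("192.168.10.0/24", "connected VLAN 10"),
    ("192.168.100.0/24", "connected VLAN 100"),
    ("192.168.200.0/24", "connected VLAN 200"),
    ("192.168.201.0/24", "connected VLAN 201"),
    ("192.168.202.0/24", "connected VLAN 202"),
    ("0.0.0.0/0", "via 192.168.10.1"),
]
TABLE = [(ipaddress.ip_network(prefix), hop) for prefix, hop in ROUTES]


def next_hop(src, dst):
    """Longest-prefix match on dst; src is deliberately never consulted."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in TABLE if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reachable_vlans(src):
    """Connected subnets a host can reach through inter-VLAN routing."""
    own = next(net for net, _ in TABLE
               if net.prefixlen > 0 and ipaddress.ip_address(src) in net)
    return sorted(hop for net, hop in TABLE if net.prefixlen > 0 and net != own)


def router_translates(src, nat_sources):
    """Hypothetical model of the router side: is src inside a NATed range?"""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in nat_sources)


if __name__ == "__main__":
    internet = "203.0.113.10"            # constructed destination (TEST-NET-3)
    for host in ("192.168.100.100", "192.168.200.50"):   # second host constructed
        print(host, "->", internet, next_hop(host, internet))
    print("VLAN 100 host also reaches:", reachable_vlans("192.168.100.100"))
    print("NAT only for VLAN 10:",
          router_translates("192.168.100.100", ["192.168.10.0/24"]))
```

Because the lookup never reads the source address, hosts in VLAN 100 and VLAN 200 resolve internet traffic to the same next hop, and every VLAN can reach every other one unless ACLs are added on the SVIs.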

  • BUGS: Multiple Undos with Single CMD-Z (and other buggy tales)

    BUG #1:
    In the SIDs thread (now locked) I said in response to Logic Pro Help, "Hey, after all, Logic ain't that bad". Today I've changed my mind.
    In full view of my writing partner, we witnessed numerous times that Logic would undo multiple edits after hitting CMD-Z just once. I've reported this in numerous other threads I've started here on the Apple Forum. I've posted Feedback about it. Naturally, there's been no response from the company.
    BUG#2a: we tried to troubleshoot why certain SMPTE-locked regions would unlock (using a key command) and other locked regions on the same MIDI track would unlock.
    BUG#2b: while checking to see whether my key command for Unlock SMPTE Position was still intact or not, I went to the key command window and hit cntrl-opt-cmd-U (custom assignment) expecting that the assigned command would scroll into view in the KC window. But I should have known better --- this is one of those key combinations which will NOT cause the assigned command to scroll into view. Sure enough, entering the word "SMPTE" in the search window caused the display to show the Unlock SMPTE Position command. So why does pressing some keys/key combinations in the KC window show the assigned command while some do not?
    And we're supposed to be OK with this kind of behavior?

    Hey Cozmicone,
    Yes I have done that - I mapped CMD + Z but that kind of gets in the way of years of habit and is a bit frustrating and confusing when you're working quick etc...
    It does work fine doing that (I have just uninstalled 3 versions of Photoshop and reinstalled CC 2014 and still no multiple undos on OPT + CMD + Z?!). It's like it won't accept the key combination because if you go into map back to OPT + CMD + Z after changing it to CMD + Z it won't let you. You have to revert to default to even get that option back. C'est bizarre...non?

  • Vlans with ESX 3.5 and Cat6509

    Have ESX 3.5 with 6 physical NICs. It connects to my Cat6509 running 12.x IOS code. Have downloaded the VMware/Cisco whitepaper and several VMware KB articles. Still have some confusion here.
    1) Plan to run ESX in VST (vlan Tagging) mode.
    2) What is the deal with Native Vlan ID in Esx VST can't be the same as the native VlanID of the physical switch? Huh? Is this a fancy way of saying change the native Vlan from 1 to "anything" when handing off trunks to ESX?
    The VMware KB article 1004048 outlines EtherChannel, but doesn't specify changing the native VLAN to something else.
    Is it possible to etherchannel and trunk over the same nics with ESX?

    In ESX Virtual Switch Tagging (VST Mode) mode, you provision one port group on a virtual switch for each VLAN, and then attach the virtual machine's virtual adapter to the port group instead of the virtual switch directly. The virtual switch port group tags all outbound frames and removes tags for all inbound frames. It also ensures that frames on one VLAN do not leak into a different VLAN.
    Native VLAN ID on ESX VST Mode is not supported. Do not assign a VLAN to a port group that is the same as the native VLAN ID of the physical switch. Native VLAN packets are not tagged with a VLAN ID on the outgoing traffic toward the ESX host. Therefore, if ESX is set to VST mode, it drops the packets that are lacking a VLAN tag.
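The tag handling described in the answer above, as an added example (not VMware or Cisco code). It models only the switch-to-host direction, and it goes one step beyond the answer by also reporting VLANs that are not carried on the trunk; the port groups, VLAN IDs and function names are constructed.

```python
UNTAGGED = "untagged"


def trunk_egress(vlan, native_vlan, allowed_vlans):
    """What the physical trunk port sends toward the ESX host for this VLAN."""
    if vlan not in allowed_vlans:
        return None                      # VLAN is not carried on the trunk
    return UNTAGGED if vlan == native_vlan else vlan


def vst_ingress(tag, port_groups):
    """VST vSwitch: deliver by 802.1Q tag, drop frames that carry no tag."""
    if tag is None or tag == UNTAGGED:
        return None
    return port_groups.get(tag)


def audit(native_vlan, allowed_vlans, port_groups):
    """Map each port group name to 'ok' or the reason its inbound traffic is lost."""
    report = {}
    for vlan, name in port_groups.items():
        tag = trunk_egress(vlan, native_vlan, allowed_vlans)
        if vst_ingress(tag, port_groups) == name:
            report[name] = "ok"
        elif tag == UNTAGGED:
            report[name] = "dropped: VLAN %d is the trunk's native VLAN" % vlan
        else:
            report[name] = "dropped: VLAN %d is not allowed on the trunk" % vlan
    return report


if __name__ == "__main__":
    # Constructed port groups and trunk settings, not taken from the thread.
    groups = {1: "Management", 20: "Servers", 30: "DMZ"}
    for native in (1, 999):
        print("native VLAN", native, audit(native, {1, 20, 999}, groups))
```

Moving the trunk's native VLAN to an ID that no port group uses (999 in the constructed data) is what turns the "Management" result from dropped to ok.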

  • Multiple vlan with multiple SSID

    I have a 1130 AP connected to a 500 series express catalyst switch. I want to have two vlans one for guest internet access only and the other that can have both internet and internal access. I want to have two SSID one for guest and the other for internal employee which should match the vlan. Can anyone guide me to a good doc that can help me implement this solution? And is the 500 series switch capable of doing this?
    Thanks.

    To answer your first question: yes, your 500 series switch is capable of doing vlans (See Link: "http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6545/product_data_sheet0900aecd80322aeb.html") (first time pasting a link, sorry if it doesn't work). Here is another link that you can utilize for config examples, and as for your access point you can do the same as well (http://cisco.com/en/US/products/ps6087/tsd_products_support_configure.html)

  • VLAN With secondary IP address and it's HSRP configuration.

    Switch-1
    interface Vlan200
    ip address 10.X.X.1 255.255.254.0 secondary
    ip address 192.X.X.1 255.255.255.0
    standby 200 ip 192.X.X.7
    standby 200 priority 110
    standby 200 preempt
    standby 66 ip 10.X.X.7
    standby 66 priority 95
    standby 66 preempt
    Switch-2
    interface Vlan200
    ip address 10.X.X.4 255.255.254.0 secondary
    ip address 192.X.X.2 255.255.255.0
    standby 200 ip 192.X.X.7
    standby 200 priority 95
    standby 200 preempt
    standby 66 ip 10.X.X.7
    standby 66 priority 110
    standby 66 preempt
    Is the above HSRP configuration correct?

    Hi Veera,
    I have not tried it before, but the configuration does not seem to work since the syntax seems to be wrong, as you cannot type an ip address after the secondary keyword. An example below.
    (config-if)#standby 85 ip 10.127.1.130 secondary ?
      <cr>
    But your idea seems to work with exception of the above syntax mistake. A useful post can be seen below.
    https://supportforums.cisco.com/discussion/9912176/hsrp-secondary-address
    Hope this helps. Please always remember to rate all useful posts.
    Thanks
    Madhu.
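A consistency check over the two-switch HSRP configuration posted above, as an added example (not code from the thread). The masked 10.X.X.* and 192.X.X.* addresses are replaced with constructed ones, and the checks (same virtual IP on both peers, virtual IP inside a subnet configured on the interface, virtual IP not equal to an interface address) are reviewer sanity checks rather than IOS parser rules.

```python
import ipaddress

# Constructed addresses stand in for the masked 10.X.X.* and 192.X.X.* values.
TEMPLATE = """interface Vlan200
 ip address 10.20.30.{a} 255.255.254.0 secondary
 ip address 192.168.50.{b} 255.255.255.0
 standby 200 ip 192.168.50.7
 standby 200 priority {p200}
 standby 200 preempt
 standby 66 ip 10.20.30.7
 standby 66 priority {p66}
 standby 66 preempt"""
CONFIGS = {"Switch-1": TEMPLATE.format(a=1, b=1, p200=110, p66=95),
           "Switch-2": TEMPLATE.format(a=4, b=2, p200=95, p66=110)}

def parse(text):
    """Return (interface addresses, {group: settings}) for one SVI."""
    addrs, groups = [], {}
    for words in (line.split() for line in text.splitlines()):
        if words[:2] == ["ip", "address"]:
            addrs.append(ipaddress.ip_interface(words[2] + "/" + words[3]))
        elif words[:1] == ["standby"]:
            grp = groups.setdefault(int(words[1]), {"vip": None, "priority": 100})
            if words[2] == "ip":
                grp["vip"] = ipaddress.ip_address(words[3])
            elif words[2] == "priority":
                grp["priority"] = int(words[3])
    return addrs, groups

def review(configs):
    """Return ({group: expected active switch}, [problems found])."""
    parsed = {name: parse(text) for name, text in configs.items()}
    active, problems = {}, []
    for gid in sorted({g for _, groups in parsed.values() for g in groups}):
        members = {n: grps[gid] for n, (_, grps) in parsed.items() if gid in grps}
        if len({m["vip"] for m in members.values()}) != 1:
            problems.append("group %d: virtual IP differs between peers" % gid)
        for name, m in members.items():
            addrs = parsed[name][0]
            if not any(m["vip"] in a.network for a in addrs):
                problems.append("group %d: %s virtual IP outside its subnets" % (gid, name))
            if any(m["vip"] == a.ip for a in addrs):
                problems.append("group %d: %s virtual IP equals an interface IP" % (gid, name))
        active[gid] = max(members, key=lambda n: members[n]["priority"])
    return active, problems

if __name__ == "__main__":
    print(review(CONFIGS))
```

With the posted priorities, Switch-1 is the expected active router for group 200 and Switch-2 for group 66. Equal priorities are not modelled; HSRP breaks such ties on the higher interface IP address.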

Maybe you are looking for