Changing Management Vlan

Hi I need to change the vlan of my management network and had a few questions. I have two cores (4507's) that i created the new vlan on and started to add the vlan to the access switches (2960's) throughout the campus. is it ok to setup the new vlan and give it an Ip address while still leaving the old one in? will this cause any issues? i will eventually take the old one out once im confident everything is stable. Also, Is there anything else i might have missed in creatin the new vlan? i pretty much just copied anything that was in the config for the old one.
thanks
Mike

Mike
If the config at the top is from your 4500s then it looks like you are setting the STP priority for all vlans on those switches so nothing to worry about.
So assuming you have setup the vlan 4 interfaces on the 4500 with HSRP etc. then -
1) login to the 4500. If you work from the 4500 then the default gateway etc. on the access switch doesn't matter because you are in the same vlan ie. vlan 4
2) make sure that vlan 4 is allowed on the trunk link. You need to make sure it is allowed on both ends
3) Currently you have a vlan 241 SVI on each access switch. So you need to -
a) create a vlan 4 SVI and give it an IP. ie. -
int vlan 4
shut <-- just to make sure it is not brought up yet
ip address x.x.x.x <subnet mask>
At this stage that SVI should be down and the vlan 241 up. To see this do a "sh ip int brief" and it should show you the status of the vlan interfaces.
b) do a "no shut" on the vlan 4 ie.
int vlan 4
no shut
one of two things will happen -
i) either both SVIs will still be up in which case you can then log out of the switch, log back in using the vlan 4 SVI IP and then shutdown the 241 SVI
or
ii) because the 241 SVI is up the vlan 4 SVI won't come up. If this is the case you will then need to shutdown the 241 SVI. When you do this you will automatically be logged out of the switch.
You should however then be able to log back in using the vlan 4 IP address because that SVI should have come up. You must make sure you did the "no shut" under vlan 4 in the previous step.
If that all works and you are now logged in using the vlan 4 SVI IP then you can add -
"ip default-gateway x.x.x.x" <-- where x.x.x.x is the HSRP VIP for vlan 4 on the 4500s.
Once you have done that you should be able to connect to the switch from a remote subnet eg. your PC for example.
Like i say, even if you do get locked out of the switch end user traffic will not be affected but you would then need to login locally to the switch to setup the new management vlan.
Let me know how it goes.
Jon

Similar Messages

Cisco 3560 cg (change management vlan)

Good Day guys ,
i've purchased some of the new 3560 cg catalyst switches. Am looking for some guidance/assistance into the procedure to change the default (vlan 1) to my management vlan (x). I have been successful in the addition of all my vlans inclusive of the management to the switch using the following command "switchport access vlan x" via the command line.
Currently I have CE 500's in my environment which allows you to change the management vlan from the GUI. Any recommendations/ assistance as to how this is now done on the newer model switches via command line or GUI would be greatly appreciated.
Regards,
Christian.

conf t
vlan <BLAH>
name Management
exit
default interface vlan 1
interface vlan 1
shutdown
interface vlan <BLAH>
description YIPEE
ip address 1.2.3.4 255.255.255.0
no shutdown

Clustering 3500 and changing management VLAN

I have a cluster of 3 3500XL switches. All have the latest rev of IOS. The cluster is fine when on default vlan. When I change the managment VLAN to VLAN 9 using "cluster management vlan 9" the 2 member switches fail to change to vlan 9 and the cluster breaks. THANKS

Changing the Management VLAN
Access to all switch management facilities is through the switch IP address, and the switch IP address always belongs to the management VLAN, VLAN 1, by default. This section describes how to configure a cluster to support management connectivity when the management VLAN is other than the default.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35xu/scg/kiclust.htm#34921

3702i AP's not Joining WLC - Layer 3 discovery request not received on management VLAN

Hi Guys,
This is a follow up post to this thread: https://supportforums.cisco.com/discussion/12400481/3702i-not-joint-2504
Have been playing around with my AP's and made sure the time is correct on all the devices ( WLC and Switch). I have also moved the AP's to the same Vlan as the management IP of the WLC.
if I move the AP's to the same Vlan as the WLC they join and are happy, as soon as I move them to a different Vlan they cant join and there time goes back to the default plus they do not seem to save the WLC details to flash but still remember the test names I give them.
it appears that option 43 is working fine as I can see it look for the WLC IP and I have done some trouble shooting on the WLC and it looks like it see's the AP but doesn't except it.
please see below for the boot up of the AP and the WLC logs:
AP
IIOS Bootloader - Starting system.
*** deleted for breverity *****
Loading "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-mx.153-3.JA1"...#########################
File "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-mx.153-3.JA1" uncompressed and installed, entry point: 0x2003000
executing...
Secondary Bootloader - Starting system.
Montserrat Board
*** deleted for breverity *****
Boot CMD: 'boot flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1;flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1'
Loading "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1"...###############################################
File "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1" uncompressed and installed, entry point: 0x1003000
executing...
*** deleted for breverity *****
cisco AIR-CAP3702I-Z-K9 (PowerPC) processor (revision A0) with 376810K/134656K bytes of memory.
Processor board ID FGL1838X4T1
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 8.0.110.0
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: F4:4E:05:B7:1E:84
Part Number : 73-15243-01
PCA Assembly Number : 000-00000-00
PCA Revision Number :
PCB Serial Number : FOC18343WPR
Top Assembly Part Number : 068-05054-03
Top Assembly Serial Number : FGL1838X4T1
Top Revision Number : A0
Product/Model Number : AIR-CAP3702I-Z-K9
% Please define a domain-name first.
Press RETURN to get started!
*Mar 1 00:00:19.295: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
*Mar 1 00:00:19.755: Registering HW DTLS
*Mar 1 00:00:19.763: APAVC: Initial WLAN Buffers Given to System is 2500
*Mar 1 00:00:19.815: APAVC: WlanPAKs 42878 RadioPaks 42270
*Mar 1 00:00:22.127: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:26.055: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar 1 00:00:26.167: Loading Power Tables from ram:/Q2.bin. Class = A
*Mar 1 00:00:26.167: record size of 3ss: 1168 read_ptr: 4F9698E
*Mar 1 00:00:31.207: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar 1 00:00:31.251: Loading Power Tables from ram:/Q5.bin. Class = Z
*Mar 1 00:00:31.251: record size of vht: 2904 read_ptr: 4F9698E
*Mar 1 00:00:31.407: Wait until the stile protocol list is initialized.
*Mar 1 00:00:32.651: Start STILE Activation
*Mar 1 00:00:34.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Mar 1 00:00:35.447: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 19-Dec-14 11:20 by prod_rel_team
*Mar 1 00:00:35.447: %SNMP-5-COLDSTART: SNMP agent on host Test_1 is undergoing a cold start
*Mar 1 00:00:36.563: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:37.787: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully
*Mar 1 00:00:37.939: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar 1 00:00:37.939: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:00:38.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:00:38.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:00:47.567: %LINK-6-UPDOWN: Interface BVI1, changed state to down
*Mar 1 00:00:48.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
*Mar 1 00:00:50.431: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (2-16)
*Mar 1 00:00:50.431: DPAA Initialization Complete
*Mar 1 00:00:50.431: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Mar 1 00:00:51.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:53.435: %LINK-6-UPDOWN: Interface BVI1, changed state to up
*Mar 1 00:00:53.867: Currently running a Release Image
*Mar 1 00:00:54.287: Incorrect certificate in SHA2 PB !
*Mar 1 00:00:54.287: Using SHA-1 signed certificate for image signing validation.
*Mar 1 00:00:54.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:59.787: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.2, mask 255.255.255.0, hostname Test_1
*Mar 1 00:01:02.707: APAVC: Succeeded to activate all the STILE protocols.
*Mar 1 00:01:02.707: APAVC: Registering with CFT
*Mar 1 00:01:02.707: APAVC: CFT registration of delete callback succeeded
*Mar 1 00:01:02.707: APAVC: Reattaching Original Buffer pool for system use
*Mar 1 00:01:02.707: Pool-ReAtach: paks 42878 radio42270
%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar 1 00:01:10.103: AP image integrity check PASSED
*Mar 1 00:01:10.187: Incorrect certificate in SHA2 PB !
*Mar 1 00:01:10.203: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:01:10.203: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:01:11.591: %CDP_PD-4-POWER_OK: 15.4 W power - NEGOTIATED inline power source
*Mar 1 00:01:12.691: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:01:13.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:01:13.947: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:01:14.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar 1 00:01:20.211: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 514 CLI Request Triggered
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:01:31.215: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
*Mar 1 00:02:11.599: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar 1 00:02:11.603: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Mar 1 00:02:11.611: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:02:12.603: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:02:12.639: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:02:12.647: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Mar 1 00:02:12.655: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:02:13.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:02:13.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:02:13.699: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:02:14.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Not in Bound state.
*Mar 1 00:02:44.719: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
*Mar 1 00:02:49.839: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.3, mask 255.255.255.0, hostname Test_1
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:02:55.719: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
Not in Bound state.
*Mar 1 00:03:59.219: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
*Mar 1 00:04:04.343: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.4, mask 255.255.255.0, hostname Test_1
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:04:10.223: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
WLC:
isco Controller) >show time
Time............................................. Tue Jan 27 17:44:47 2015
Timezone delta................................... 0:0
Timezone location................................ (GMT +8:00) HongKong, Bejing, Chongquing
NTP Servers
NTP Polling Interval......................... 3600
   Index NTP Key Index NTP Server NTP Msg Auth Status
   1 0 150.101.176.226 AUTH DISABLED
(Cisco Controller) >show ap join stats summary
Incorrect input! Use 'show ap join stats summary [all/<ap-mac>]'
(Cisco Controller) >show ap join stats summary all
Number of APs.............................................. 2
Base Mac AP EthernetMac AP Name IP Address Status
f4:4e:05:aa:a6:a0 f4:4e:05:94:c3:98 APf44e.0594.c398 10.1.1.22 Joined
f4:4e:05:b6:ce:f0 N A Test_1 10.1.20.7 Not Joined
(Cisco Controller) >show ap join stats detailed f4:4e:05:b6:ce:f0
Sync phase statistics
- Time at sync request received............................ Not applicable
- Time at sync completed................................... Not applicable
Discovery phase statistics
- Discovery requests received.............................. 45
- Successful discovery responses sent...................... 21
- Unsuccessful discovery request processing................ 24
- Reason for last unsuccessful discovery attempt........... Layer 3 discovery request not received on management VLAN
- Time at last successful discovery attempt................ Jan 27 17:45:49.705
- Time at last unsuccessful discovery attempt.............. Jan 27 17:45:49.705
Join phase statistics
- Join requests received................................... 0
- Successful join responses sent........................... 0
- Unsuccessful join request processing..................... 0
- Reason for last unsuccessful join attempt................ Not applicable
- Time at last successful join attempt..................... Not applicable
- Time at last unsuccessful join attempt................... Not applicable
Configuration phase statistics
--More-- or (q)uit
- Configuration requests received.......................... 0
- Successful configuration responses sent.................. 0
- Unsuccessful configuration request processing............ 0
- Reason for last unsuccessful configuration attempt....... Not applicable
- Time at last successful configuration attempt............ Not applicable
- Time at last unsuccessful configuration attempt.......... Not applicable
Last AP message decryption failure details
- Reason for last message decryption failure............... Not applicable
Last AP disconnect details
- Reason for last AP connection failure.................... Not applicable
- Last AP disconnect reason................................ Not applicable
Last join error summary
- Type of error that occurred last......................... Lwapp discovery request rejected
- Reason for error that occurred last...................... Layer 3 discovery request not received on management VLAN
- Time at which the last join error occurred............... Jan 27 17:45:49.705
AP disconnect details
- Reason for last AP connection failure.................... Not applicable
   Ethernet Mac : 00:00:00:00:00:00 Ip Address : 10.1.20.7
(Cisco Controller) >show interface summary
Number of Interfaces.......................... 4
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
ap LAG 20 10.1.20.231 Dynamic No No
guest LAG 30 10.1.30.231 Dynamic No No
management LAG 10 10.1.1.231 Static Yes No
virtual N/A N/A 1.1.1.1 Static No No
SWITCH
witch#show run
Building configuration...
*** deleted for breverity *****
no aaa new-model
clock timezone AWST 8
system mtu routing 1500
ip routing
ip dhcp pool WAP_Pool
   network 10.1.20.0 255.255.255.0
   default-router 10.1.20.1
   option 43 hex f104.0a01.01e7
ip dhcp pool Clients
   network 10.1.30.0 255.255.255.0
   default-router 10.1.30.1
   dns-server 203.0.178.191
ip dhcp pool test
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
crypto pki trustpoint TP-self-signed-4082587776
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4082587776
revocation-check none
rsakeypair TP-self-signed-4082587776
*** deleted for breverity *****
*** deleted for breverity ***** !
interface FastEthernet0/3
description *** WLC ****
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/4
description **** AP *****
switchport access vlan 20
switchport mode access
spanning-tree portfast
interface FastEthernet0/5
description **** AP ****
switchport access vlan 20
switchport mode access
spanning-tree portfast
interface FastEthernet0/6
i*** deleted for breverity ***** !
interface Vlan10
description *** Managment ***
ip address 10.1.1.230 255.255.255.0
interface Vlan20
description *** WIRELESS APS ***
ip address 10.1.20.1 255.255.255.0
interface Vlan30
ip address 10.1.30.1 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip http server
ip http secure-server
ip sla enable reaction-alerts
l*** deleted for breverity *****
ntp clock-period 36028827
ntp source FastEthernet0/1
ntp server 121.0.0.42
ntp server 202.127.210.37
end
I have also placed a Device in Vlan 20 and it is able to ping the WLC and the WLC can ping it s routing is working.
Thanks

Hey Scott,
I gave that a shot and still no luck, log's from AP boot up:
IIOS Bootloader - Starting system.
flash is writable
Tide XL MB - 40MB of flash
Xmodem file system is available.
flashfs[0]: 67 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 41158656
flashfs[0]: Bytes used: 20894208
flashfs[0]: Bytes available: 20264448
flashfs[0]: flashfs fsck took 20 seconds.
Base Ethernet MAC address: f4:4e:05:b7:1e:84
Ethernet speed is 100 Mb - FULL Duplex
Loading "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-mx.153-3.JA1"...#########################
File "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-mx.153-3.JA1" uncompressed and installed, entry point: 0x2003000
executing...
Secondary Bootloader - Starting system.
Montserrat Board
40MB format
Tide XL MB - 40MB of flash
Xmodem file system is available.
flashfs[0]: 67 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 41158656
flashfs[0]: Bytes used: 20894208
flashfs[0]: Bytes available: 20264448
flashfs[0]: flashfs fsck took 21 seconds.
flashfs[1]: 0 files, 1 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 12257280
flashfs[1]: Bytes used: 1024
flashfs[1]: Bytes available: 12256256
flashfs[1]: flashfs fsck took 1 seconds.
Base Ethernet MAC address: f4:4e:05:b7:1e:84
Boot CMD: 'boot flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1;flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1'
Loading "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1"...###############################################
File "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1" uncompressed and installed, entry point: 0x1003000
executing...
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
   cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, California 95134-1706
Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 19-Dec-14 11:20 by prod_rel_team
Montserrat Board
40MB format
Tide XL MB - 40MB of flash
Initializing flashfs...
flashfs[2]: 67 files, 9 directories
flashfs[2]: 0 orphaned files, 0 orphaned directories
flashfs[2]: Total bytes: 40900608
flashfs[2]: Bytes used: 20894208
flashfs[2]: Bytes available: 20006400
flashfs[2]: flashfs fsck took 14 seconds.
flashfs[2]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 11999232
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 11998208
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete.
Copying radio files from flash: to ram:
Copy in progress...CCCCC
Copy in progress...CCC
Copy in progress...CCCC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...CCCCC
Copy in progress...CCCC
Copy in progress...CC
Uncompressing radio files...
...done Initializing flashfs.
Radio0 present 8764 8000 0 A8000000 A8010000 0
Rate table has 650 entries (20 legacy/224 11n/406 11ac)
POWER TABLE FILENAME = ram:/Q2.bin
Radio1 present 8864 8000 0 80000000 80100000 4
POWER TABLE FILENAME = ram:/Q5.bin
Radio2 not present 0 0 0 0 0 8
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-CAP3702I-Z-K9 (PowerPC) processor (revision A0) with 376810K/134656K bytes of memory.
Processor board ID FGL1838X4T1
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 8.0.110.0
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: F4:4E:05:B7:1E:84
Part Number : 73-15243-01
PCA Assembly Number : 000-00000-00
PCA Revision Number :
PCB Serial Number : FOC18343WPR
Top Assembly Part Number : 068-05054-03
Top Assembly Serial Number : FGL1838X4T1
Top Revision Number : A0
Product/Model Number : AIR-CAP3702I-Z-K9
% Please define a domain-name first.
Press RETURN to get started!
*Mar 1 00:00:19.295: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
*Mar 1 00:00:19.755: Registering HW DTLS
*Mar 1 00:00:19.763: APAVC: Initial WLAN Buffers Given to System is 2500
*Mar 1 00:00:19.815: APAVC: WlanPAKs 42878 RadioPaks 42270
*Mar 1 00:00:22.127: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:26.055: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar 1 00:00:26.167: Loading Power Tables from ram:/Q2.bin. Class = A
*Mar 1 00:00:26.167: record size of 3ss: 1168 read_ptr: 4F9698E
*Mar 1 00:00:31.207: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar 1 00:00:31.251: Loading Power Tables from ram:/Q5.bin. Class = Z
*Mar 1 00:00:31.251: record size of vht: 2904 read_ptr: 4F9698E
*Mar 1 00:00:31.407: Wait until the stile protocol list is initialized.
*Mar 1 00:00:32.651: Start STILE Activation
*Mar 1 00:00:34.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Mar 1 00:00:35.447: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 19-Dec-14 11:20 by prod_rel_team
*Mar 1 00:00:35.447: %SNMP-5-COLDSTART: SNMP agent on host Test_1 is undergoing a cold start
*Mar 1 00:00:36.563: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:37.787: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully
*Mar 1 00:00:37.939: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar 1 00:00:37.939: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:00:38.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:00:38.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:00:47.567: %LINK-6-UPDOWN: Interface BVI1, changed state to down
*Mar 1 00:00:48.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
*Mar 1 00:00:50.431: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (2-16)
*Mar 1 00:00:50.431: DPAA Initialization Complete
*Mar 1 00:00:50.431: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Mar 1 00:00:51.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:53.435: %LINK-6-UPDOWN: Interface BVI1, changed state to up
*Mar 1 00:00:53.867: Currently running a Release Image
*Mar 1 00:00:54.287: Incorrect certificate in SHA2 PB !
*Mar 1 00:00:54.287: Using SHA-1 signed certificate for image signing validation.
*Mar 1 00:00:54.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:59.787: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.2, mask 255.255.255.0, hostname Test_1
*Mar 1 00:01:02.707: APAVC: Succeeded to activate all the STILE protocols.
*Mar 1 00:01:02.707: APAVC: Registering with CFT
*Mar 1 00:01:02.707: APAVC: CFT registration of delete callback succeeded
*Mar 1 00:01:02.707: APAVC: Reattaching Original Buffer pool for system use
*Mar 1 00:01:02.707: Pool-ReAtach: paks 42878 radio42270
%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar 1 00:01:10.103: AP image integrity check PASSED
*Mar 1 00:01:10.187: Incorrect certificate in SHA2 PB !
*Mar 1 00:01:10.203: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:01:10.203: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:01:11.591: %CDP_PD-4-POWER_OK: 15.4 W power - NEGOTIATED inline power source
*Mar 1 00:01:12.691: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:01:13.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:01:13.947: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:01:14.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar 1 00:01:20.211: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 514 CLI Request Triggered
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:01:31.215: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
*Mar 1 00:02:11.599: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar 1 00:02:11.603: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Mar 1 00:02:11.611: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:02:12.603: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:02:12.639: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:02:12.647: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Mar 1 00:02:12.655: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:02:13.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:02:13.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:02:13.699: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:02:14.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Not in Bound state.
*Mar 1 00:02:44.719: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
*Mar 1 00:02:49.839: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.3, mask 255.255.255.0, hostname Test_1
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:02:55.719: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
Not in Bound state.
*Mar 1 00:03:59.219: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
*Mar 1 00:04:04.343: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.4, mask 255.255.255.0, hostname Test_1
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:04:10.223: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP

VWLC clients getting DHCP address from management VLAN

Hi,
We have a strange scenario whereby some wireless employees are obtaining addresses from the management VLAN.
Some details:
DHCP managed by MS DHCP 2008 R2 (in remote data centre)
Cisco vWLC AIR-CTVM-K9 running v7.6.110.0
AP's are a mix of 2602 and 3702 (46 and 2 of each respectively)
SSID's are employee, guest, and production devices (all mapped to their own interface with relevant VLAN tag as per normal)
AP's all in FlexConnect mode as per vWLC caveats
Some employees are receiving addresses in the wireless management VLAN. This network only has six DHCP addresses available as it is solely for AP's, WLC and HSRP gateway. Obviously this gets exhausted very quickly leaving us with a scenario where clients are not obtaining DHCP addresses.
I understand that with FlexConnect mode, it will assign IP's from the native VLAN. What I don't understand is why most clients receive addresses in the correct VLAN, but a handful do not, and then cannot get an address from DHCP. Obviously the ideal scenario would be to put the AP's into local mode but unless this has changed in a SW release then I don't believe it's possible...
My question is: How do I get ALL the employees to obtain addresses from their interface and not the management VLAN?
Thanks in advance.

Hi,
I think we need a closer look to your configurarion to eliminate some possibilities:
- What is the WLAN security you choose?
- What is the interface that is configured under the WLAN?
- Does your WLAN have local switching enabled?
- If your security is using RADIUS server, do you have AAA override enabled under the WLAN config?
- If your security is using RADIUS server, do you send any attributes to the users?
- You have eliminate that clients that got management vlan IPs are always on same AP or they can be on any AP.
HTH
Amjad

Why does management VLAN ID matter in Cisco AP541n configuration?

is working on configure AP541n AP, is able to connect to the AP wired, assign AP static IP with proper subnet mask & default gateway,
when it's done, everything looks perfectly, but since I changed the management VLAN ID from 1 to 2, I can't even connect to the AP wired from the PC, why does the change matter?
thanks.

Hi,
When working with access points in IOS mode also known as autonomous the access point requiers that you configure an Ip address on the BVI1 which is linked to the bridge group 1 and set us untagged.
Now when working with VLANS if the access point has an ip address on vlan x then you will need to confiugre this as the native vlan and with the bridgroup 1.
If you do not do this then you will see the issue you are reporting.
In other words if the access point will have an ip address for vlan 30 the the native vlan on the ap will need to be vlan 30 and vlan or the subnet for vlan one linked to the bridge group 1
Sent from Cisco Technical Support iPhone App

SF300-24p Q-in-Q - Changing from vlan 4095

I have a Cisco SF300-24P deployed at a customer prem running only a couple VLAN's - 1 customer related and 1 for management. Recently the customer inquired about changing his connection to Q-in-Q. I have changed the interface type to customer but then it selects vlan 4095 as the vlan associated to that port. How do I change that vlan or by default is that the only vlan I can use? Currently the customer is using vlan 904 and would like to continue to use that vlan in the Q-in-Q config.

Hi Christopher, I didn't run in to this problem at all. Please reference the 2 screen shots below. 4095 is a reserved PVID when a native vlan is not associated to the port.
-Tom
Please rate helpful posts

Question in regard to management VLAN for each Context in ACE module

Dear Pros,
I know this will be a simple questions to answer, and I have searched the forum, but I am not able to find the answer I need.
1) Does the ACE module require an Management IP address for each Context? Should the same VLAN be applied to each context, with larger size subnet to supply host address?
2) If it does require that, what IP address should I used for default route in each context.
I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
Each ACE module will have 3 seperate Context, for a total of 4 including the Admin.
Any suggestions or if you can point me to location as always will be greatly apprecaited.
Thanks and best regards.
Raman Azizian

Hi,
you have several options to choose from.
1. Use Admin context for management
You can use the Admin context for management. Give it an IP address in your managment VLAN, default route to upstream router, and login and change to contexts from there.
+ Easy and straightforward
- snmp and syslog are using the ip from each individual context and not the management IP
2. Use a Large subnet and assign an IP address in each context for management.
You can configure 1 managment VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
+ each context has its own managment address
- static routes need to be added
3. Use your client-side ip address (or BVI) as management address.
You management traffic will be inline and use the same path as your data. Default route is already configured and also valid for the management.
+ no static routes needed
- inline management
Personally, I choose option 1. That is, if the people that need to manage the ACE is the same team.
If other teams (serverteam for context 1, other serverteam for context 2) need to manage the ACE, than I would choose option 3.
HTH,
Dario

1200 Series - Tagged Management VLAN Traffic

Hi,
As per my understanding the 1200 Series Access points running IOS (12.2(15)XR) send the management traffic (RADIUS,Accouting NTP etc) un-tagged i.e. using VLAN 1.
As per our current setup, we assign this un-tagged traffic to a different VLAN (by changing native vlan to x for the Trunk Port) on the cisco switch.
Is it possible to configure the Access Point to send Management Traffic as tagged with a particular VLAN id ? (Similar to what it does for Wireless Traffic, when SSID are associated to specific VLANs)
We are trying to set this up with a 3-Com 4400 series switch i have been unable to configure the 3-Com switch, so that it can assign the untagged traffic to different VLAN instead of VLAN 1.
Regards \\ Naman

Changing the Native VLAN doesn't make a difference. I can create any VLAN and make it native but management traffic is still being sent un-tagged.
Below was the setup i tested
AP--->Trunk Link<->Switch Port(Native VLAN=15)
Switch Port --->Trunk Link<->Router with VLAN15
I can make any VLAN as native VLAN on the AP and it doesn't effect the functionality as long as the Switch Native VLAN matches to the corresponding VLAN on the router.

Changing native VLAN 100 on SFE2000P to VLAN 1?

The "SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide" says on page 124 "The Management VLAN is set to VLAN 100 by default, but can be modified." (highlighting is mine).   I'm still searching for how. Anyone know the trick? I always end up blocking myself out of the switch and having to reset it.
My basic problem is trying to connect two SRW224P's with one SFE2000P (in Layer 3 mode).   They need to have the same default or native VLAN for the trunking to work properly.   The SFE2000P has VLAN 100 as default, while the SRW 224P has VLAN 1 as default.
The documentation says I should be able to change it, but never says how.   I haven't found any way to change the VLAN 1 on the SRW224P's to VLAN 100....but I would be willing to that as well. I have attachment to VLAN 1 or VLAN 100....I just want them to be the same.
Thanks....gerry

Correct. As soon as you change it to 100, you will lose access to the devices since vlan 1 is used for management. To shorten the down time, you can create vlan 100 and all the SVIs on all switches ahead of time and than change it form 1 to 100 in a maintenance window.
HTH

DHCP on management VLAN

In the documentation for the 2900XL switch, in the section about the management VLAN, it says:
"Before changing the management VLAN on your switch network [ ... ] the new management VLAN should not have an Hot Standby Router Protocol (HSRP) standby group configured on it."
Can anyone explain why there is this restriction? I can see certain advantages in running HSRP on the management VLAN.
Kevin Dorrell
Luxembourg

Ankur,
I am not really trying to use HSRP on the 2900XL switch itself. I am just trying to move the management to a VLAN that happens to be served by a pair of routers (well, actually 4500 switches) that are doing HSRP between themselves. The management interface of the 2900XL is just another host on the management VLAN. But the documentation seems to imply that I shouldn't be doing that, and I was curious to know why not.
Kevin Dorrell
Luxembourg

WAP 321 Management VLAN

HI, I want to use the management VLAN254 for my 4 WAP321. but after changing the management vlan in the unit from 20 th 254 I lost contact with the unit.
The switch I use is a Cisco 2960. Here's the config of the port :
interface FastEthernet0/23
switchport trunk native vlan 254
switchport trunk allowed vlan 5,20,254,1002-1005
switchport mode trunk
spanning-tree portfast
Vlan 5 and 20 are my two SSID Vlan
I was able to connect to the unit when the management vlan was set to 20 with an IP of 192.168.254.51 but since I chaged the vlan in the unit can't connect to it, I can't even ping it from the switch ...
Any ideas ?

Hi Tom,
Got it back to work by setting the native Vlan in my 2960 to vlan 20
I also have an issue with my 2nd wireless network, vlan 20 if I don't set the untagged vlan to 20 I can't reach that network. but no problem with my wireless network with vlan 5 which is the first one. It looks like the vlan tagging only work for the first network. Is this a normal behaviour of that AP ?
Ben

Management VLAN for Catalyst 3524

Hi,
I'm currently using VLAN30 as my management VLAN (172.16.xxx.xxx) and would like to use VLAN20 for the management VLAN. After configuring VLAN20 as my management VLAN, the changes didn't get updated in the running-config. The IOS commands used are:
config t
int vlan 20
ip address 149.199.xxx.xxx 255.255.252.0
no shutdown

Hi Ankur,
This switch is in VTP client mode. When I did a show vlan, the output is as follows. VLAN 20 is already active.
VLAN Name Status
1 default active
20 core-network active
When I did a sh ip int brief, the output is as follows:
VLAN1 unassigned YES manual up
VLAN20 149.xx.xx.xx YES manual deleted
VLAN30 172.xx.xx.xx YES manual up
The VLAN 20 showed as deleted. I think this was because I issued the no int vlan 20 command as shown below:
config t
int vlan 20
ip address 149.xx.xx.xx.255.255.255.0 (For setting it as the management VLAN)
no int vlan 20
How do I set VLAN20 as the Management VLAN again?
What is the difference between the following:
i) int vlan 20
shutdown
ii) no int vlan 20

Managment VLAN 1

Hi Everyone,
I m working with a leading ISP in India.The issue is that our engineering team has come up with the plan of migrating all management vlans for metro and other switches to vlan1.Presently we are using spearate vlans for management.Somethig like below.
Aggregation router#show runn inter gi0/2.137
Building configuration...
Current configuration : 250 bytes
interface GigabitEthernet0/2.137
description Connectivity for ABC
encapsulation dot1Q 137
ip address 203.154.26.97 255.255.255.240
ip policy route-map ABC
no cdp enable
end
Switch 1 end:(2950)
interface Vlan137
ip address 203.154.26.101 255.255.255.240
no ip route-cache
ip default-gateway 203.154.26.97
switch 2:(2950)
interface Vlan137
ip address 203.154.26.103 255.255.255.240
no ip route-cache
ip default-gateway 203.154.26.97
The router inter gi0/3 is connected to the trunk port on summit switch and a wireless device provides connectivity to the switch 1 and further another oen to switch 2.
The entire pasth is on layer 2.
Please suggest as to how can i migrate to mgmt vlan 1.
Can it be something like
inter gi0/2.1
encapsulation dot1q 1
ip addres
since 2950s dont support more thane one active mgmt vlan wat can be the best way of migration???

This is a tricky proposition. Best way you mean without getting disconnected, right? Cause when you start to change the mgmt interface via telnet, you are risking of getting disconnected once the mgmt inteface is change. for example, you know that there can only be one active interface vlan on 2950 for mgmt purpose. If you are changing the interface vlan from vlan 237 to vlan 1, if they will have the same ip address, you'll have to shut down one of them. Let's say you are able to do that, then how will you bring up the other interface with getting disconnected? remember you are telneted in. the best way will be to console in when you make changes on the mgmt vlan. You'll probably have to walk to the switch anyway if you made the change via telnet. changing the mgmt vlan will not affect the switch's ability to switch packets.

Change Default VLAN on SRW2008P

I have an SRW2008P switch I am trying to connect to my Layer3 network, which is all CIsco 3560 IOS. i think the default vlan for cisco is 100 but the default vlan for linksys is 1. I have port 8 on the SRW2008P connected to my cisco network and have it set as trunk on both sides. I have the vlan 100 set as untagged on the SRW2008P. Also, I have my user/mgt vlan 19 set as a tagged interface on the SRW2008P. Now, when I set the Management VLAN on the SRW2008P to 19, I am not able to communicate with the switch at all from my 3560, no ping, http, etc. My only idea is that the default vlan on the SRW2008P needs to be 100, not 1, is there a way to change that? Am I missing some other step?

As per Linksys documentation, the default or native VLAN cannot be changed.
I would prefer setting up one of the ports on the SRW2008P as TRUNK. Create VLAN 100, member ports to VLAN100 including the TRUNK port and check if that would work.
Hope this helps!

Changing Management Vlan

Similar Messages

Maybe you are looking for