Cisco 851W and VLANS

Hello,
I have a Cisco 851W router with this configuration:
All LAN ports and dot11Radio are bridged.
Now I'm trying to do this:
I'm trying to create a wireless guest net.
So I've created a bridging VLAN 1 native that is for my current trusted SSID and another routing VLAN and SSID that is for my guest net.
The problem is that when I create VLAN 1 it locks me out: I can connect to the wireless but I can't access anything on the router (FastEthernet 0-4).
Any solutions? Thanks

Thanks for the response. I will try, but now
I've discovered another problem that may cause this one.
Here is the link:
http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dde0f45
I will attach the running config, but I deleted any encrypted hashes and public IPs
(this is a public forum after all).

Similar Messages

  • Newbie: Cisco 851w and nat

    Hello,
    I am a network administrator and recently decided to upgrade my existing network infrastructure at my small office by purchasing a
    Cisco 851w router.
    I have 14 computers that need internet connection sharing and an Ubuntu 6.06 box running e-mail services, web and dns hosting for
    my domain (master zone, running bind9).
    Using SDM express I configured the network in 15 minutes, and also NAT for the Linux server. Everything is fine, except one
    thing: when I access my domain (let's say mydomain.ro) from my local network I don't get my webpage or a response from the mail
    server, but instead my SDM express login window. From an outside network I can access my mail and web page using mail.mydomain.ro
    and www.mydomain.ro. Internally I get a response from the router.
    This is how I configured the network with SDM express:
    192.168.0.1 as my router's ip address and network address, dhcp enabled, router's name is router and domain "domain.ro". At the
    dhcp section I typed my ISP's dns server. The linux box has the ip 192.168.0.10 and runs bind9 for the "domain.ro" as the master
    server. I added the following NAT with SDM: 53 tcp and udp from WAN ip (81.xxx.xxx.xxx) to 192.168.0.10, 22 tcp, 25 tcp, 80 tcp,
    etc. WAN IP is the ip from my ISP (81.xxx.xxx.xxx).
    Can I fix this using SDM, and how? It's not an option to type 192.168.0.10 as incoming mail server instead of mail.domain.ro. I don't know how to use CLI, I bought this router just to be able to run away from my old 486 iptables machine. :D
    Thanks for your time!

    You are absolutely right in that you are not the only one with this problem.
    Check this post and the link provided by Sundar out.
    http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=968333ACF23358AC6443CE3DC4C19CD9.SJ3B?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddccf83
    And hopefully you will find a working solution.

  • Cisco 851W - Internal WLAN and Guest WLAN

    I have a Cisco 851W Router, which has an IPSEC Tunnel back to my corporate office.
    I want to configure 2 WLANS, one for my internal network (vlan 1) which will have access to my corporate network, and one for guests which will just be for outbound internet access (http, https, ftp, sftp, etc ..).
    I have not been able to find any Cisco documentation on how to accomplish this. Can someone inform me where I can find this or supply me with some configuration examples?

    Create 2 IP DHCP pools on the router for the 2 types of clients.
    Create a WLAN for each type of client.
    I'm assuming a WLC is involved, then H-REAP and allow both VLANs; the procedure will be slightly different for standalone.
    ACL by address to ban traffic from the IPsec tunnel: easier on a WLC interface than on the router; if no WLC, then on the router.
    bob

  • VLAN and STP compatibility between Cisco 2950 and SRW2048

    How can Cisco 2950 and Linksys SRW2048 switches be combined to work fine with more than one VLAN and STP? I want both switches to support three VLANs and STP for a loop-free network. Can somebody help me out to combine Linksys and Cisco switches to interconnect to form my network?

    I believe that the SRW2048 is a 48 port managed switch. The easiest way to set the VLAN and STP configuration is to access the web utility of this switch via 192.168.1.254. You have to go to VLAN Management and create the VLANs. The default VLAN of the switch is VLAN 1. You need to create 2 more VLANs by choosing the VLAN IDs and the name you want for these VLANs.
     After creating the VLANs, you need to determine the LAN of the switch you want to assign to each VLAN and the Trunk port or the port where you need to connect the SRW2048 to the Cisco 2950 switch. Go to the port setting and make this port a “trunk”, and leave the other ports as “access”. Go to VLAN to ports and manually allocate each LAN port to the desired VLAN ID number. Take note that all ports that are members of VLAN1 should be “untagged” and the rest should be “tagged”. Save the settings you made.
     The STP configuration for the SRW2048 can be found also in the web utility. Just go to the Spanning Tree tab and setup your desired STP configuration.
     For the Cisco 2950, I am not quite sure on how to create these settings but I saw a useful link that might help you:
     http://www.petri.co.il/csc_setup_a_vlan_on_a_cisco_switch.htm

  • Vlan routing with cisco router and linksys switch

    I have a Linksys switch with VLANs configured, connected to a Cisco router (1841), but I can't route between VLANs.
    Please help me!!
    It works with a Cisco switch perfectly (with the same IP and VLAN).

    Yes, the Linksys switch (SRW2024 24-Port 10/100/1000 Gigabit Switch) supports trunking.
    If you want you can visit the link and see that the switch supports vlan, dot1q and trunking.
    http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=c%3DL_Product_C2%26cid%3D1123638180432&pagename=Linksys%2FCommon%2FVisitorWrapper

  • Communication problem between Cisco 3560 and Cisco SG300.

    Dear Support,
    I have a Cisco SG300 and Cisco 3560 switches.
    3560 is my Core Switch and SG300 is access switch.
    From 3560 VLAN information is not passed to SG300.
    3560 Configuration:
    interface GigabitEthernet0/23
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,2,10,11
    switchport mode trunk
    SG300 Configuration:
    interface gigabitethernet49
    spanning-tree link-type point-to-point
    switchport mode general
    switchport general allowed vlan add 2,10-11 tagged
    macro description switch
    Please suggest how this issue can be resolved.
    Regards,
    JItesh Mahajan.

    Dear Aleksandra,
    Is the configuration below right or wrong for the 3560 and SG300?
    3560 Configuration:
    interface GigabitEthernet0/23
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan remove VLAN 1
    switchport native vlan 1
    switchport trunk allowed vlan 1,2,10,11
    switchport mode trunk
    SG300 Configuration:
    interface gigabitethernet49
    spanning-tree link-type point-to-point
    switchport mode general
    switchport general allowed vlan add 2,10-11 tagged
    macro description switch
    Regards,
    JItesh Mahajan.

  • How do I add a Subnet and vlan with a catalyst 3550 and RV120

    Hello Friends.
    I have a scenario that i'm hoping i can get some help with. I'll be as detailed and descriptive as i can.
    This is for a business with 100 employees nodes and 100 camera nodes all needing IP internet through private addressing and public gateway.
    I have a business class gateway with a private range of 12 public addresses. The modem does nothing but act as a gateway since I have disabled the firewall and DHCP.
    In place of the firewall and DHCP from the modem I have installed an RV120 Firewall with VPN. When installing I replicated the IP scheme of the modem so as not to disturb and disrupt the devices assigned addresses from that scheme by the modem. I did this because the owner could not have any downtime or any disruption to the business operations.
    The RV120 now acts as firewall, DHCP, and VPN. I'll address the subnet first. I'm using the 10.0.0.0/24 subnet range.
    DHCP is assigning 10.1.10.50 - 10.1.10.100 the rest are static and i plan to use static DHCP with the IP and MAC assigned to each static DHCP address.
    There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.0.1.101 - 10.1.10.170.
    VPN uses PPTP assigned address 10.1.10.6 - 10.1.10.10.
    There are no layer 3 switches that I know of. Just a layer two that is the primary switch and ports have run out, and various out of the box switches and wireless access points connected to the primary switch.
    I want to implement subnets into the network and VLANs as well on a new Layer 3 switch from Cisco. Thinking 3550 from Cisco or one of the older layer 2 switches with layer three capabilities.
    I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.
    I want to replace the 10.0.0.0/24 DHCP altogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes, segmented.
    I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.
    I've thought of replacing all the wireless nodes with RV120s and using VLANs. Don't know if that strategy works. Need to think it through.
    I want the 192.168.0.0/24 IP range to communicate with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.
    Any advice on how to do this?
    As a side note the next step after this is to install a server domain controller as all the computers are stand-alones in their own workgroups. It's a simultaneous project that will introduce a DHCP, WINS, DNS server.

    Hi Omid, it sounds like you're proposing the 3550 switch but you're not decided yet. The 3550 switch is a pretty old device and needs enhanced multilayer image. It may be more prudent to use a more current switch such as small business SG300 or SG500 as the feature set is more rich and it supports around 480 LAN connections.
    To answer the inquiry, the RV120W, when you create a VLAN it will automatically create an IP interface. From this you may assign subnet as you like along with 'enable or disable' for inter vlan routing. Since the RV120W has this feature, a layer 3 switch is not required unless you are looking to keep the routing load smaller by routing locally with the switch.
    With Catalyst or a small business switch you would need to create a VLAN. After creating the VLAN, on a Catalyst you can simply issue "switchport trunk encapsulation dot1q" on the desired interface and all VLANs will pass without issue. For a port connecting a user: "switchport mode access", "native vlan xx". This will assign the port as an untagged member of the desired VLAN.
    If using a small business switch, it is slightly different: you still create the VLAN but the command issued is a bit different, "switchport trunk allowed vlan add xx" for the link to the router, where xx = the VLAN ID to tag to the router. For access clients it remains the same as Catalyst.

  • Cisco wireless and Apple Mac woes

    Hello all,
    I've been working with Cisco wireless and WLCs for a couple of years now but the recent onslaught of Apple Macs is giving me heartburn.  I've seen this at numerous sites now and need to throw it to the community for guidance.
    Basically we have had a number of instances where the Macs just fall off the wifi.  Sometimes it's when they wake from sleep and other times when roaming between APs (1131s with same SSIDs).  Our standard install is WPA2 and per-AP local authentication.  PCs work fine and never an issue.
    We have completed a survey with a spectrum analyser and no RF interference is present nor errors on the radio interface.
    Questions:
    - Is there a preferred Cisco config/setup for Macs to work reliably?  I've heard loads of rumors but nothing concrete, nor can I find anything specific.
    - Should I be setting up WDS in case there is an authentication issue?
    - For those who are Mac gurus and happen to be reading: what Mac options should we look at?
    This has all come to a head because the client's IT company who recommended the Macs (different from us doing the network infrastructure) are insisting that the problem is Cisco incompatibility and that we should rip out the Cisco kit and install Airports (what tha!!!).
    Thanks in advance for any pointers.
    For those who like a config here it is .... Vanilla stuff really
    Building configuration...
    Current configuration : 2236 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP4
    no logging console
    enable secret xxxxxxxxxxxxxxxxx
    no aaa new-model
    dot11 syslog
    dot11 ssid Home
       vlan 1
       authentication open
       authentication key-management wpa
       guest-mode
       mbssid guest-mode
       wpa-psk ascii xxxxxxxxxxxx
    dot11 ssid avnet
       vlan 2
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii xxxxxxxxxxxxxxxx
    username abcd password 1234
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 1 mode ciphers tkip
    encryption vlan 2 mode ciphers tkip
    ssid Home
    mbssid
    speed  basic-1.0 basic-2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
    channel 2412
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    bridge-group 2 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    hold-queue 80 in
    interface FastEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 2
    no bridge-group 2 source-learning
    bridge-group 2 spanning-disabled
    interface BVI1
    ip address 192.168.10.54 255.255.255.0
    no ip route-cache
    ip default-gateway 192.168.10.1
    no ip http server
    no ip http secure-server
    bridge 1 route ip
    line con 0
    line vty 0 4
    login local
    end

    Yeah!! Even I have come across multiple issues with MAC and Cisco. Below are the settings which I normally apply on the Cisco gear, and most of the time this solved the issue.
    On the IOS AP, disable Aironet Extensions and set the power local and ofdm to max:
    no dot11 extension aironet
    power local cck max
    power local ofdm max
    end
    On the WLC, disable Aironet IE.
    Let me know if this answered your question.
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or helpful

  • Urgent!!! Cisco ACE and asymmetric routing assistance needed

    I am wondering if someone can give me pointers on the Cisco ACE
    and asymmetric routes. I've attached the diagram:
    -Cisco IOS IP address is 192.168.15.4/24 and 4.1.1.4/24
    -Firewall External interface is 192.168.15.1/24,
    -Firewall Internal interface is 192.168.192.1/24,
    -F5_BigIP External interface is 192.168.192.4/24,
    -F5_BigIP Internal interface is 192.168.196.1/24 and 192.168.197.1/24,
    -host_y has IP addresses of 192.168.196.10/24 and 192.168.197.10/24,
    -Checkpoint has static route for 192.168.196.0/24 and 192.168.197.0/24
    pointing to the F5_BigIP,
    -host_y is dual-home to both VLAN_A and VLAN_B with the default
    gateway on host_y pointing to VLAN_A which is 192.168.196.1,
    -host_x CAN ssh/telnet/http/https to both of host_y IP addresses
    of 192.168.196.10 and 192.168.197.10.
    In other words, from host_x, when I try to connect to host_y
    via IP address of 192.168.197.10, the traffic will go through VLAN_B
    but the return traffic will go through VLAN_A. Everything
    is working perfectly for me so far.
    Now the customer has just replaced the F5_BigIP with Cisco ACE. Now,
    I cannot get it to work with asymmetric routes with Cisco ACE. In
    other words, from host_x, I can no longer ssh or telnet to host_y
    via IP address of 192.168.197.10.
    Does anyone know how to get asymmetric routes to work on Cisco ACE?
    Thanks in advance.

    That won't work because ACE uses the vlan id to distinguish between flows.
    So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.
    Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.
    You would need to force your host to respond on the same vlan the traffic came in.
    This could be done with client nat on ACE using different nat pool.
    Gilles.
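
The behaviour described in the reply above, as an added Python model that is not part of the original thread and is not Cisco's implementation: a flow table keyed on VLAN plus 5-tuple drops the asymmetric reply, and a per-VLAN source NAT pool brings the reply back on the VLAN it left on. The host_y addresses and default gateway come from the question; the VLAN ids, the host_x address, the ports and the NAT pool address are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# host_y addressing is taken from the question; everything else is assumed.
VLAN_A, VLAN_B = 196, 197                        # assumed VLAN ids
HOST_Y_IFACES = {
    VLAN_A: ipaddress.ip_interface("192.168.196.10/24"),
    VLAN_B: ipaddress.ip_interface("192.168.197.10/24"),
}
HOST_Y_DEFAULT_GW_VLAN = VLAN_A                  # default gateway 192.168.196.1
HOST_X = ipaddress.ip_address("192.168.15.50")   # assumed client address
NAT_POOL_VLAN_B = ipaddress.ip_address("192.168.197.200")  # assumed pool address


@dataclass(frozen=True)
class Packet:
    vlan: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int
    proto: str = "tcp"


def host_y_egress_vlan(dst):
    """host_y routing: a connected subnet wins, otherwise the default gateway."""
    for vlan, iface in HOST_Y_IFACES.items():
        if dst in iface.network:
            return vlan
    return HOST_Y_DEFAULT_GW_VLAN


def host_y_reply(request):
    """host_y answers from the contacted address, routed by its own table."""
    return Packet(host_y_egress_vlan(request.src), request.dst, request.src,
                  request.dport, request.sport)


class VlanKeyedFlowTable:
    """Simplified load balancer that matches replies on (vlan, 5-tuple)."""

    def __init__(self, snat_pool=None):
        self.snat_pool = snat_pool or {}   # server VLAN -> source NAT address
        self.expected = set()              # keys of replies we will accept
        self.dropped = []

    def forward_to_server(self, src, sport, dst, dport):
        """Client to server: choose the server VLAN, optionally rewrite source."""
        out_vlan = next(v for v, i in HOST_Y_IFACES.items() if dst in i.network)
        seen_src = self.snat_pool.get(out_vlan, src)
        # The reply must arrive on out_vlan, from the server, to seen_src.
        self.expected.add((out_vlan, dst, dport, seen_src, sport, "tcp"))
        return Packet(out_vlan, seen_src, dst, sport, dport)

    def accept_reply(self, pkt):
        key = (pkt.vlan, pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self.expected:
            return True
        self.dropped.append(pkt)           # no flow on this VLAN: drop
        return False


def connect(lb, dst):
    """Return (VLAN the reply came back on, whether the flow table accepted it)."""
    request = lb.forward_to_server(HOST_X, 40000, ipaddress.ip_address(dst), 22)
    reply = host_y_reply(request)
    return reply.vlan, lb.accept_reply(reply)


if __name__ == "__main__":
    cases = [
        ("no NAT, via VLAN_A address", VlanKeyedFlowTable(), "192.168.196.10"),
        ("no NAT, via VLAN_B address", VlanKeyedFlowTable(), "192.168.197.10"),
        ("source NAT pool on VLAN_B", VlanKeyedFlowTable({VLAN_B: NAT_POOL_VLAN_B}),
         "192.168.197.10"),
    ]
    for label, lb, dst in cases:
        vlan, ok = connect(lb, dst)
        print(f"{label}: reply on VLAN {vlan}, {'accepted' if ok else 'dropped'}")
```

With the source rewritten to an address inside 192.168.197.0/24, host_y treats the destination as directly connected and no longer uses its default gateway on VLAN_A for the reply.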

  • Cisco ISE and SecurID Integration Questions

    I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
    We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
    We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
    The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
    My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
    I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It appears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
    Thanks!

    The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
    Have you already gone through the below listed link?
    http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
    Regards,
    Jatin Katyal
    - Do rate helpful posts -

  • Strange behavior with Cisco AP and Intel 3945 wireless card

    Hi,
    I have an interesting problem with an Intel 3945 A/G card, and my cisco APs.
    1. Given:
    Cisco 1100 and 1200 AP running IOS 12.3.8-JEA
    Two laptop, one with Intel 2200 MPCI Card, the other with Intel 3945 MPCI Card
    Microsoft AD with IAS radius server
    a. 1 SSID with Simple EAP-TLS configuration Enterprise WPA/TKIP, no vlans, broadcast SSID. both card associate correctly and operate normally.
    b. 2 SSID, 1 with simple EAP-TLS configuration Enterprise WPA/TKIP (broadcast), and 2nd SSID Open/No encryption/No authentication (not broadcasted), both cards associate correctly and operate normally.
    c. 2 SSID, 1 with simple EAP-TLS configuration Enterprise WPA/TKIP (broadcast), and 2nd SSID WPS-PSK (not broadcasted), both cards operate normally.
    Now it gets interesting:
    c. 2 SSID, 1 with EAP-TLS/WPA Enterprise on its own VLAN 102, 2nd SSID Open/No Encryption/No authentication on a separate VLAN 105, VLAN 1 is used for admin and radius backhaul to IAS.
    If both SSID are broadcasted via mbssid guest-mode both Intel cards work as expected
    If neither SSID are broadcasted, both Intel cards work as expected
    If either SSID is broadcasted via normal guest-mode command, the Intel 2200 associates and works correctly, but the Intel 3945 refuses to associate to the AP.
    Has anyone heard of this side-effect?
    Alan

    I'm seeing a similar issue with the 3945 right now. However in my example the following is the case;
    APs are 1200 series IOS upgraded running 802.11b interfaces only. There are multiple SSIDs NONE of which are broadcasting.
    We've got a few different client types. The Cisco CB21ABG cards are fine, as are the Intel 2200 and 7920 phones. It's only the 3945 that has a problem and it's running Intel's 10.5.1.68 driver which is the latest. I'm considering downgrading it to an older driver.
    Anybody got a definite fix for this Intel card???

  • Cisco ISE and Catalyst 2950

    Hello!
    Please, could you help me? Is it possible to install ISE on Catalyst 2950? In Component Compatibility Guide
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html
    Catalyst 2950 only supports 802.1X and VLAN.
    At first I need to know about VLAN change (from restricted to corporate). Does Catalyst 2950 support it?
    Thanks for help!

    this would let both user and machine authenticate. For "5434 Endpoint conducted several failed authentications of the same scenario", check the Suppress Anomalous Clients option. This issue comes into the picture when an endpoint attempts a couple of failed authentications: if the Suppress Anomalous Clients option with Reject Requests After Detection is enabled, then ISE Policy nodes protect themselves from overwhelming numbers of authentication requests by sending an immediate reject for suppressed clients as opposed to processing all the steps in a normal authentication. So if that user had some authentication failures, he will be locked for 1 hour (by default).

  • 3750-x and vlan dot1q tag native command

    Hello,
    I have a 3750-X stack with the following HW & SW revisions:
    Cisco-3750-x-stack>show version
    Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9NPE-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    sCopyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Wed 26-Jun-13 01:47 by prod_rel_team
    ROM: Bootstrap program is C3750E boot loader
    BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
    Cisco-3750-x-stack uptime is 1 day, 6 hours, 56 minutes
    System returned to ROM by power-on
    System restarted at 20:27:32 UTC Tue Mar 29 2011
    System image file is "flash:/c3750e-universalk9npe-mz.150-2.SE4/c3750e-universalk9npe-mz.150-2.SE4.bin"
    License Level: lanbase
    License Type: Permanent
    Next reload license Level: lanbase
    cisco WS-C3750X-48P (PowerPC405) processor (revision A0) with 262144K bytes of memory.
    Processor board ID FDO1524K1J2
    Last reset from power-on
    2 Virtual Ethernet interfaces
    1 FastEthernet interface
    104 Gigabit Ethernet interfaces
    4 Ten Gigabit Ethernet interfaces
    The password-recovery mechanism is enabled.
    512K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address       :
    Motherboard assembly number     : 73-12553-05
    Motherboard serial number       : 
    Model revision number           : A0
    Motherboard revision number     : C0
    Model number                    : WS-C3750X-48P-L
    Daughterboard assembly number   : 800-32727-01
    Daughterboard serial number     : 
    System serial number            : 
    Top Assembly Part Number        : 800-31324-02
    Top Assembly Revision Number    : C0
    Version ID                      : V02
    CLEI Code Number                : 
    Hardware Board Revision Number  : 0x03
    Switch Ports Model              SW Version            SW Image
    *    1 54    WS-C3750X-48P      15.0(2)SE4            C3750E-UNIVERSALK9NPE-M
         2 54    WS-C3750X-48P      15.0(2)SE4            C3750E-UNIVERSALK9NPE-M
    Switch 02
    Switch Uptime                   : 1 day, 6 hours, 56 minutes
    Base ethernet MAC Address       : 
    Motherboard assembly number     : 73-12553-06
    Motherboard serial number       : 
    Model revision number           : A0
    Motherboard revision number     : A0
    Model number                    : WS-C3750X-48P-L
    Daughterboard assembly number   : 800-32727-03
    Daughterboard serial number     : 
    System serial number            : 
    Top assembly part number        : 800-31324-03
    Top assembly revision number    : B0
    Version ID                      : V03
    CLEI Code Number                : 
    License Level                   : lanbase
    License Type                    : Permanent
    Next reboot licensing Level     : lanbase
    Configuration register is 0xF
    I am trying to setup native vlan tagging using the command "vlan dot1q tag native".   I am entering this when I am in privileged exec mode, and then config mode.   When enter vlan ? it does not show dot1q as an option.   Any thoughts on what I might be missing?   What I am trying to achieve is all ingress untagged traffic (from my Meru controller) will be tagged with VLAN tag 101 as it progresses through my network, and any tagged traffic on vlan 101 which is destined for the port where my Meru controller is located will be delivered to the Meru controller untagged.   I can set this up in this manner on a SG300 Cisco switch, and I believe this is what "vlan dot1q tag native" will achieve if I am understanding correctly.
    I welcome suggestions on both why the "vlan dot1q tag native" won't work, and on what I am trying to accomplish.
    Thx
    Bryan

    Hi Aaron,
    Thank you for the quick reply.  
    The Meru controller uses untagged traffic to talk between the controller and the APs.   It also uses tagged traffic to talk between the controller and the VLANs which I have associated with each of the SSIDs.   I am trying to find a way to do what is normally done with an access port, but do that with an LACP group (802.1Q trunk).   Where the untagged traffic entering the network from the controller gets tagged as VLAN 101 as it transits the network, and then traffic which is delivered to that 802.1Q trunk on VLAN 101 has the tag removed, but all other traffic entering that port will be appropriately tagged, and the tagged traffic along with the tags will egress from that port to the Meru controller.    I have done this before on a Cisco SG300 switch, but not on the 3750-X core in my home.   If I can't make this work I can front end the Meru controller with an SG300 but now I will be introducing another potential point of failure.
    Also, do you have any idea why the "vlan dot1q tag native" would not be accepted by the IOS version on this switch stack?
    Thx
    Bryan

  • Cisco 871w and LAN (What did I get myself Into!)

    Hey all,
    Little background info:
    - Took the CCNA1-4 via college course about 3 years ago, haven't used the knowledge since
    - most of my experience in the real world has been non-managed networks, but taking care of Windows Terminal Servers.
    - basically I think I need to re-educate myself
    Current Network:
    Windows Domain
    45 workstations
    4 buildings
    Breakdown
    Head Office:
    - Main Distribution point
    - WAN: Cisco Router and DSL modem owned by provider
    - Firewall: WatchGuard Firewall (/w 5 VPN connections)
    - 1 x 48 port Managed Switch (acting as simple switch)
    - Windows SBS 2003 server with Exchange, SQL, and using VPN here as well
    - We have about 6 other switches that are not managed in the build
    - 1 cable run through building. At the end of this building is a fiber connection to the next building
    - 15 workstations
    Building 2:
    - Fiber connection from Head Office
    - 1 single CAT 5e from Fiber switch to Unmanaged Switch (Switch 1)
    - 1 single CAT 5e from unmanaged switch to half-way point of building where we have another unmanaged switch (Switch 2)
    - 1 single CAT 5e from Switch 1 to another small building (building 4) with a small unmanaged switch and 2 workstations
    - 1 single CAT 5e from Switch 2 - to end of building, underground to building 3
    - 1 Workstation attached to Switch 2
    Building 3:
    1 x 24 port Managed Switch with connection from Building 2 (this switch being used as a normal switch)
    25 workstations in here, various distances with small workstation switches throughout.
    Working with new equipment:
    - we upgraded DSL (cheaper) to a 5 Static IP package, this is a separate circuit for now - so I can configure everything and
    not disrupt current services.
    - using test PC and connection on this DSL to make sure most everything is working.
    - Purchased 871w to replace their router and to replace our Firewall which has a faulty nic and is limited in functionality.
    - 6 months from now, adding Fortigate 100A Appliance
    - over next 2 years - all switches will be managed
    First question: Anyone have a real good resource on how inside local, inside global, outside local, outside global works for ACLs? Isn't there something similar for NAT/PAT?
    Second Question: Just looking for some best practice solutions. Should I bother with VLANs at this time, just leave everything on VLAN since
    there can be no real separation throughout the company. Suggestions?
    Outside Services required:
    - Webmail - using OWA:
    - host header: webmail.companyname.com
    - can the router block all requests to this that are made via port 80 and allow the HTTPS ones through?
    - since i have 5 statics, using NAT can I have one of the external IP's used for webmail... this can be done using static NAT and firewall rules?
    - Exchange Server forwards all SMTP requests to ISP mail server.
    - No RDP directly to network resources without VPN activity - taken care of by implicit deny.
    - Will it be possible to use my other 4 static IPs, say I create a DNS entry for ftp.companyname.com. I assume a static entry in NAT will take care of sending all requests to another network box.
    VPN:
    Will require VPN connections, there seems to be a ton of different ones. What is the easiest to create for a few home systems
    that the VPN client can be installed and configured? Can this be managed with a push policy, can different user accounts be
    created with different policies:
    i.e: * Steve logs in via VPN, can RDP to a desktop to access server resources but I don't want him to be able to connect to \\serverip\share
    * Bob is a user, bob currently vpn's and obtains an IP 10.0.0.249, bob shares a printer that we use to print to. I don't want bob to be able to access any other resources on our network, but users can print to Bob's remote printer.
    I'm over thinking all this, and getting confused - a nice simple step approach required - I feel like I'm drowning -lol

    try the following links
    inter vlan
    http://www.cisco.com/en/US/products/hw/switches/ps672/products_configuration_example09186a00800941b4.shtml
    NAT
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080881718.shtml
    how NAT works
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
    VPN
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml
    useful vpn links
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_configuration_examples_list.html
    good luck
    Please, if helpful Rate

  • Cisco 851W Problems

    I am having problems connecting some HTC smartphone devices to a CISCO 851W router. The devices receive the SSID but when we try to connect to the router they can't. The router works well for other devices (laptops, PDAs) and the smartphones have worked well with a Linksys router, so the problem is specific to the connection between this router and these devices.
    Any help about this is welcomed.

    What parameters are you using? (WEP / WPA {TKIP | AES}) etc ...
    My 8525 didn't work well using AES. TKIP was OK.
    It hardly worked at all with the factory / MS mobile drivers. I added Odyssey (now from Juniper ~US$35.00)and it connected nearly every time, and even worked with EAP-FAST.
    Good Luck
    Scott
