Cisco ASASM Bridge-group support
How many bridge groups total are supported. If I have 100 contexts, can each context run 8 bridge groups each for a total of 800 bridge groups? What is the max?
Similar Messages
-
Hi,
I have another problem - after upgrading IOS the wireless connection does not work.
After reload I have:
Configuration of subinterfaces and main interface
within the same bridge group is not permitted
STP: Unable to get the port parameters.
Please configure the bridge group on this interface first.
Please configure the bridge group on this interface first.
Please configure the bridge group on this interface first.
SETUP: new interface NVI0 placed in "shutdown" state
My old configuration worked properly in the old software, but after the update I have this notification.
Old thread:
https://supportforums.cisco.com/discussion/12379491/cisco-877w-no-wireless-connection
my current sh run:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname cisco
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T6.bin
boot-end-marker
logging message-counter syslog
logging buffered 4096 informational
enable secret 5 $1$eCNp$rWuBfZ/cexnwnkm7L447s.
aaa new-model
aaa session-id common
dot11 syslog
dot11 ssid ciscowifi
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 050D031D26595D0617
dot11 wpa handshake timeout 500
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.56.1
ip dhcp pool CLIENT
import all
network 192.168.56.0 255.255.255.0
default-router 192.168.56.1
dns-server 8.8.8.8 194.204.159.1 194.204.152.34
lease 0 2
ip cef
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
username marek password 7 00121A0908500A
archive
log config
hidekeys
ip tcp path-mtu-discovery
bridge irb
interface ATM0
description Polaczenie ADSL do ISP$ES_WAN$
no ip address
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
hold-queue 224 in
interface FastEthernet0
description Edzia
interface FastEthernet1
description dom
interface FastEthernet2
description Dziadek
interface FastEthernet3
interface Dot11Radio0
no ip address
no ip redirects
ip local-proxy-arp
ip nat inside
ip virtual-reassembly
no dot11 extension aironet
encryption vlan 1 mode ciphers tkip
encryption mode ciphers aes-ccm tkip
broadcast-key change 3600
ssid ciscowifi
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
world-mode dot11d country AU indoor
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.1
description ciscowifi
encapsulation dot1Q 1 native
no cdp enable
interface Vlan1
no ip address
bridge-group 1
interface Dialer0
description Interfejs dzwoniacy
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname [email protected]
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx
interface BVI1
description Polaczenie dla sieci LAN
ip address 192.168.56.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.56.10 80 interface Dialer0 80
ip nat inside source static tcp 192.168.56.10 22 interface Dialer0 22
logging trap debugging
logging 192.168.56.10
access-list 100 permit ip 192.168.56.0 0.0.0.255 any
access-list 100 deny ip any any
no cdp run
snmp-server community ciskacz RO
snmp-server chassis-id ciskacz
control-plane
bridge 1 protocol ieee
bridge 1 route ip
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport preferred ssh
transport input ssh
scheduler max-task-time 5000
end
please help - thanks!
Hello Marek,
I suppose you are not planning to do any kinds of advanced config using several VLANs and multiple SSIDs so let's just make your configuration simple and working.
In short, you need to remove all references to VLAN 1 and to any subinterfaces possibly related to the VLAN 1. This means in particular (follow these steps in sequence):
Remove the Dot11Radio0.1 subinterface entirely
In the Dot11Radio0 section, remove the encryption vlan 1 mode ciphers tkip command
In the dot11 ssid ciscowifi section, remove the vlan 1 command
After performing these steps, make sure that the ssid ciscowifi and encryption mode commands are still present in the Dot11Radio0 configuration, and if not, reenter them.
Best regards,
Peter -
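The three removal steps and the final check from the reply to Marek above, as an added Python example that is not part of the original thread: it reads a saved `sh run`, lists what the steps would remove, and confirms the radio still has its `ssid` and `encryption mode` lines. The function names are made up here, the sample is a constructed excerpt of the poster's configuration, and on unindented text a stanza is assumed to run to the next `interface` or `dot11 ssid` line.

```python
import re

# Constructed excerpt of the poster's flattened "sh run" (indentation already lost).
SAMPLE = """\
dot11 ssid ciscowifi
vlan 1
authentication open
interface Dot11Radio0
no ip address
encryption vlan 1 mode ciphers tkip
encryption mode ciphers aes-ccm tkip
ssid ciscowifi
bridge-group 1
interface Dot11Radio0.1
encapsulation dot1Q 1 native
interface Vlan1
bridge-group 1
"""

HEADER = re.compile(r"^(interface|dot11 ssid) \S+$")

def stanzas(config):
    """Split a config into [header, body] pairs; text before any header gets header None."""
    out = [[None, []]]
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if HEADER.match(line):
            out.append([line, []])
        else:
            out[-1][1].append(line)
    return out

def apply_steps(config, radio="Dot11Radio0"):
    """Return (kept stanzas, removed items) after the reply's three removal steps."""
    kept, removed = [], []
    for header, body in stanzas(config):
        if header and header.startswith(f"interface {radio}."):
            removed.append(header)  # step 1: the whole subinterface
            continue
        drop = []
        if header == f"interface {radio}":  # step 2
            drop = [l for l in body if re.match(r"encryption vlan \d+ ", l)]
        elif header and header.startswith("dot11 ssid "):  # step 3
            drop = [l for l in body if re.fullmatch(r"vlan \d+", l)]
        removed += [f"{header}: {l}" for l in drop]
        kept.append((header, [l for l in body if l not in drop]))
    return kept, removed

def missing_on_radio(kept, radio="Dot11Radio0"):
    """Final check from the reply: which required commands are gone from the radio."""
    body = next((b for h, b in kept if h == f"interface {radio}"), [])
    need = {"ssid": r"ssid \S+", "encryption mode": r"encryption mode ciphers "}
    return [k for k, pat in need.items() if not any(re.match(pat, l) for l in body)]

if __name__ == "__main__":
    kept, removed = apply_steps(SAMPLE)
    print(removed, missing_on_radio(kept))
```

The output is a report for review before touching the device; it does not generate commands or a new configuration.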
Which cisco wireless bridges support point to multipoint
hi all i am really new to wireless. i am looking for information as which cisco wireless bridges support point to multipoint configuration.
i have a cisco 1230G access-point will it support the same .
any help would be great.
regards
sushil
The Cisco 1300's and 1400's support point-to-point and point-to-multipoint. The 1230G can only support point-to-point (I think)
http://www.cisco.com/en/US/products/hw/wireless/ps441/products_qanda_item09186a0080094644.shtml#q20 -
Creating new Bridge Group names in Cisco 5508 WLC??
How do we Create new Bridge Group names on Cisco 5508 WLC, with 1552E Access Point??
You create it on the 1552 once the AP joins. Once it joins, you will have to choose that AP and then set the AP mode to Bridge and then apply. This will reboot the AP. Once the AP comes back, you will have a MESH tab on that specific AP or any AP that you have set to Bridge mode. You then set the AP role and the bridge group name there. Here is an older MESH deployment guide to follow.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70mesh.html
Scott -
Support for Cisco VPN "mutual group authentication"
Hi,
Does anyone know of support plans for Cisco VPN mutual group authentication in the built-in VPN client on MacOSX?
Thanks,
John
I would like to know the answer to this as well.
Thanks,
Josh -
Does anyone know how the internal DHCP server in these access points connects to virtual interfaces and bridges in the unit?
Is there some sort of default connection that connects the DHCP server to the native bridge group or VLAN?
In a test case, with an SSID in the native VLAN and bridge group, the 1702i serves an IP address to a wireless client no problem. But with a second SSID in a non native VLAN and bridge group, no IP gets served. My only guess is that since the bvi1 defaults to the native bridge group and VLAN, sub-interfaces also in this group are assumed to be in the same subnet as bvi1, or in this case:
interface bvi1
ip address 192.168.1.205 255.255.255.0
no ip route-cache
exit
It would be the ..1. subnet.
Since the dhcp pool is set as:
ip dhcp pool GeneralWiFi
network 192.168.1.0 255.255.255.0
lease 1
default-router 192.168.1.1
dns-server 8.8.8.8
exit
There may be an assumption that anything bvi1 can talk to is in the ..1. subnet, so the above pool gets activated on a request coming through bvi1.
Is the DHCP server just hanging out waiting for a request from an "area" that is assumed to be on the same subnet as the given pool?
Do I need to somehow show the device what subnet the 2nd SSID/ subinterfaces are in so the internal DHCP server can decide it needs to go to work, or is there some sort of bridging between the DHCP server and the interfaces that needs to be done? I am trying to use the same DHCP pool for the second subnet at this point, since I assume I will need another router to service an additional subnet and DHCP pool.
Keep in mind that DHCP is a broadcast packet to start. So the AP can only listen in the subnet that it has an IP address for.
Now, for any other subnet you can use the AP for DHCP but you have to have an IP helper address on your L3 pointing back to the AP.
That being said, I wouldn't use the DHCP server on the AP as it is limited. You'd be better off using a Microsoft server or some other device that is designed for DHCP.
HTH,
Steve -
Why Bridge group on cisco routers
Can anybody tell me why do we use bridge group on routers. I have read from many different sites, there is no clarity on that.
Can we enable ip routing and access-list if we implement bridge group
If you have protocols that cannot be routed you can use a bridge group.
If you want to extend a LAN over a point-to-point WAN link (without routing, which requires different IP Subnet) you can use a bridge group to "bridge" the traffic over the link to the remote location.
IP access-lists do not have effect on bridged traffic. In that case you need to use mac access-lists to prevent traffic from being forwarded. It is possible to both bridge and route traffic; to do this I recommend you read the documentation on transparent bridging, Integrated Routing and Bridging (IRB) and Concurrent Routing and Bridging (CRB).
HTH
--Leon -
L2vpn xconnect/bridge group
Hi
I just want to get confirmation on this:
that the syntax "l2vpn xconnect group" or "l2vpn bridge group" is just a container for the subsequent xconnects or bridge-domains.
That the group is only a container and doesn't have any operational impact on the contained xconnects or bridge-domains?
unless you of course delete the group!
example of thinkings is when a customer has contracted multiple bridge-domains, the group would be the customer ID and their services are contained within?
Correct, the group definition is nothing more than a config container.
The p2p or bridge-domain CFO is what actually instantiates the resources
Xander
-
Can single interface accommodate multiple bridge groups
Hi,
I am working on building FW configuration to serve multiple tier environment. The FW is in Transparent Mode, Sw Ver 8.4 which supports Bridge-group.
My question is, whether FW supports having multiple Bridge-groups under single interface. If not, what are the alternatives.
firewall transparent
interface gi0/0
nameif outside
security-level 0
bridge-group-1
bridge-group-2
interface gi0/1
nameif WebServers
security-level 50
bridge-group-1
interface e0/2
nameif AppServers
security-level 100
bridge-group-2
Thanks
Hello,
That is not possible. Each interface will need to be assigned to a specific bridge group.
Alternative would be to use a dedicated pair of interfaces for each bridge group
Regards,
Julio -
Bridge Groups, are they required?
Hi All
I'm currently a tad confused about Bridge Groups and ASA/FWSM in transparent mode. Are they really required or not?
Here one sample: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html
It's written:
At least one bridge group is required per context or in single mode.
So that really sounds like yes you need one.
Where as this config sample here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml or many others I found online, never have a bridge group configured.
Could somebody please enlighten me about what is correct?
And does it matter if it's an active/standby configuration?
Thanks a lot
pato
Pato,
It depends. On the newer ASA and FWSM you need the BVI. It is just to configure the management IP. This is required.
The old link (the second one that you listed) has the management IP (not under the int BVI) but on the newer ASA code you can see it is configured under the int BVI as you can see here:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html#wp1382356
-Kureli -
Hi experts!
I have to interconnect 2 DMZs switches to the core switch and an internet access switch with a ASA 5520 in transparent mode. Is it possible to do bridge groups with subinterfaces, using VLANs on ASA5520 in transparent mode?
Thanks
Wesley
The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
If you place the ASA in transparent mode on a trunk link, you will need to configure a security context for each vlan in the trunk.
Try these links:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b68.html
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b7d.html#wp1044006
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b90.html -
Hello All,
I have a question about Bridge Groups if someone can help me. So, I have two bridge groups on one FWSM obviously using two different IP Scopes. However I can only have one default route so for instance.
BVI 1 - 192.168.1.4 (outside1)
BVI 2 - 192.168.2.4 (outside2)
ip route outside1 0.0.0.0 0.0.0.0 192.168.1.1
I now obviously cannot put another default route statement in so how does the FWSM route traffic it doesn't know the destination to when the source is from 192.168.2.x. Does it send it out 192.168.1.1? If so does this become a suboptimal routing issue, and is there possibly a better solution than this? Or is this normal and everything is ok? Thanks in advance to all who reply!
Hi John,
When the FWSM uses bridge-groups, it is configured in transparent (layer 2) mode. Because of this, the FWSM won't be responsible for routing traffic. It will use a MAC address lookup instead:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/fwmode_f.html#wp1232185
One exception to this is management traffic to/from the FWSM. For this, you'll need to specify separate static routes:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/fwmode_f.html#wp1202704
"The default route for the transparent firewall, which is required to provide a return path for management traffic, is only applied to management traffic from one bridge group network. This is because the default route specifies an interface in the bridge group as well as the router IP address on the bridge group network, and you can only define one default route. If you have management traffic from more than one bridge group network, you need to specify a static route that identifies the network from which you expect management traffic."
-Mike -
Hi Team
Can anybody tell me if a 1522 (or, I guess 1510) Mesh bridge can support VLAN tagged packets? ie Multiple VLANs on either side of the bridge. Is anybody using this in production?
Also is anybody using this with wireless clients on the MAP also?
My aim is to get wireless clients onto one VLAN, some remote wired workstations onto either the wireless client VLAN or a separate VLAN, plus a VLAN for the AP IP address (AP-Manager).
Thanks
LP
It allows the LWAPP access points to communicate with the controller via a Layer 2 (L2) or Layer 3 (L3) network. For the further description of the Cisco Aironet 1522 Lightweight Outdoor Mesh Access Point follow the URL :
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns107/c649/ccmigration_09186a0080775ae7.pdf -
Cisco 7606 stacked VLAN support
Hi All,
Does Cisco 7606 GigabitEthernet modules support stacked VLAN (two VLAN tags)?
If yes, how do I configure it?
Thanks in advance.
Regards,
Sarah
Hi Sean,
Yes, it is QinQ tunneling. I am using Cat6k-Sup720.
Cisco7606(config-vlan)#?
VLAN configuration commands:
are Maximum number of All Route Explorer hops for this VLAN (or
zero if none specified)
backupcrf Backup CRF mode of the VLAN
bridge Bridging characteristics of the VLAN
exit Apply changes, bump revision number, and exit mode
media Media type of the VLAN
mtu VLAN Maximum Transmission Unit
name Ascii name of the VLAN
no Negate a command or set its defaults
parent ID number of the Parent VLAN of FDDI or Token Ring type VLANs
private-vlan Configure a private VLAN
remote-span Configure as Remote SPAN VLAN
ring Ring number of FDDI or Token Ring type VLANs
said IEEE 802.10 SAID
shutdown Shutdown VLAN switching
state Operational state of the VLAN
ste Maximum number of Spanning Tree Explorer hops for this VLAN (or
zero if none specified)
stp Spanning tree characteristics of the VLAN
tb-vlan1 ID number of the first translational VLAN for this VLAN (or
zero if none)
tb-vlan2 ID number of the second translational VLAN for this VLAN (or
zero if none)
Regards,
Sarah -
Hi Members,
Any news on a Cisco 5GHz Bridge (such as Aironet 1400 or equivalent) that is certified for use in the UK (IR 2007).
Apparently we can go up to 4W EIRP with IR2007 on 5GHz bridging, much better than 2.4GHz allowed power.
I don't think I can use the North American model as it doesn't have DFS & TPC, and uses different channels.
Thanks in advance,
MARTIN.
Isn't the 1400 series certified in Ireland? Wonder why it's not certified in ETSI area as you state we can now use 4W from 5,725-5,850MHz so the 1400 could be useful here also.
Another alternative is the 1500 LWAP mesh series that I believe could be used since it supports bridging as well. Currently our business uses the 1242AG to do 5GHz bridging, but this currently doesn't go higher than 5,725MHz so we are stuck to 1W EIRP.
Hope Cisco could be so kind to enable functionality for 5,725 and above soon!