Configure VLANs across multiple switches

Hi.
I'm trying to configure a segregated network using a VLAN. There are 5 switches on the site (all SG200). A router with 2 interfaces - one for the normal network and one for the segregated network - is connected and located at switch 1. The network which needs to be segregated and the PCs on it are connected to a port on switch 5. Switch 1 is connected to switch 2, 2 to 3, 3 to 4 and 4 to 5.
I have created a VLAN but can't get the network to talk to the first switch over the link. I have created a VLAN ID 10 on each switch. Do the switches have to be linked together logically in some way to get this to work?
Thanks.

Hi,
Try to create the VLAN 5 in all switches. I have assumed that the management VLAN for all switches is VLAN 1. Kindly configure a trunk between switch 1 to S2, S2 to S3, S3 to S4, S4 to S5, S5 to S1. Allow the VLANs 1U,10T.
regards
Moorthy
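
Why creating VLAN 10 on every switch is not enough, shown as an added example (not from the thread or from Cisco): a small Python model of 802.1Q port membership on the S5-S4-S3-S2-S1 chain from the question, using the reply's 1U,10T membership. The `Port`, `build_chain` and `trace` names, and the assumption that ports drop tagged frames for VLANs they are not members of, belong to this model only.

```python
from dataclasses import dataclass

@dataclass
class Port:
    members: dict  # VLAN ID -> "U" (sent untagged) or "T" (sent tagged)

    def egress_tag(self, vlan):
        """Tag written on the wire for this VLAN; None means untagged."""
        return vlan if self.members[vlan] == "T" else None

    def ingress_vlan(self, tag):
        """VLAN a received frame is classified into, or None if dropped."""
        if tag is None:  # untagged frame joins the port's untagged VLAN
            return next((v for v, m in self.members.items() if m == "U"), None)
        return tag if tag in self.members else None  # assumed ingress filtering

# Inter-switch links in the order a frame travels from switch 5 to switch 1.
LINKS = ["S5-S4", "S4-S3", "S3-S2", "S2-S1"]
DEFAULT = {1: "U"}          # factory state: uplink carries only VLAN 1 untagged
TRUNK = {1: "U", 10: "T"}   # the reply's "1U,10T"

def build_chain(default, overrides=None):
    """Return [(link, sending_port, receiving_port)]; overrides maps a link
    name to (sending_members, receiving_members) for a misconfigured hop."""
    overrides = overrides or {}
    chain = []
    for name in LINKS:
        out_m, in_m = overrides.get(name, (default, default))
        chain.append((name, Port(dict(out_m)), Port(dict(in_m))))
    return chain

def trace(vlan, chain):
    """Follow a frame that starts in `vlan` on switch 5.
    Returns (VLAN it arrives in at switch 1, None) or (None, link where lost)."""
    for name, out_port, in_port in chain:
        if vlan not in out_port.members:   # uplink is not a member: not sent
            return None, name
        vlan = in_port.ingress_vlan(out_port.egress_tag(vlan))
        if vlan is None:                   # far end rejects the tag
            return None, name
    return vlan, None

def scenarios():
    return {
        # VLAN 10 exists in every VLAN database, uplinks untouched.
        "vlan_created_only": trace(10, build_chain(DEFAULT)),
        # Every uplink end set to 1U,10T.
        "all_links_1U_10T": trace(10, build_chain(TRUNK)),
        # One receiving end (on S2) left at the default.
        "one_end_missed": trace(10, build_chain(TRUNK, {"S3-S2": (TRUNK, DEFAULT)})),
        # S3 sends VLAN 10 untagged toward a default port on S2.
        "untagged_mismatch": trace(10, build_chain(TRUNK, {"S3-S2": ({10: "U"}, DEFAULT)})),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:20s} -> {result}")
```

The last scenario is the one to check for when the goal is segregation: the frame is not dropped, it arrives at switch 1 inside VLAN 1, so the two networks are silently merged.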

Similar Messages

  • Creating multiple vlans across multiple switches

    Hi All,
    How should I create multiple vlans across multiple switches?
    For instance, I have two (primary/redundant) layer 3 (core) switches and four layer 2 access switches (Cisco 2960) for the hosts, and given these are the vlans/subnets to be created. Should I do it in the core switches only and it would just propagate through the access via VTP?  Just trying to practice and learn.. Any help will be greatly appreciated:)
    VLAN 100: [DHCP-workstations]
    172.26.4.0/24
    172.26.5.0/24
    VLAN 200: [Servers]
    172.16.1.0/24
    172.16.2.0/24
    VLAN 300: [Printers]
    192.168.129.0/24
    192.168.130.0/24
    VLAN 800: [Management for switches/routers]
    10.160.1.0/24

    Hi
    You will have the SVI on the core. Set a VTP domain, make one of the cores as VTP server and rest of the switches as VTP clients. Once you do this, you won't have to login into each switch and create a vlan locally. The vlans will be automatically advertised from the VTP server to all the VTP clients.
    Thanks
    Ankur
    "Please rate the post if found useful"

  • Spanning vlans across access switches in distribution block.... please help

    Hi All
    Can someone please explain why Cisco states that in a Campus Hierarchical model, if VLANs are spanned across Access switches in a distribution block, then the Distribution to Distribution link should be Layer 2. Is this really necessary or just a recommendation, and if so why? Can't this link be a L3 link when spanning VLANs across Access switches in a distribution block, as I understand the benefit of having a L3 distribution to distribution link is that SPT is avoided.
    Please help

    Hello,
    The Cisco recommended design is L3 links, but this is only possible if you have no VLANs you need to span over the whole network.
    It depends on your topology or what you want to achieve.
    If you need one or more VLANs spanned across the LAN, you need to use a layer 2 connection between all switches and between distribution too.
    In my company we have, for example, a few VLANs for restricted areas, like device management or others, so we can't use L3 links in the distribution area because these VLANs are terminated at the firewall. I think this is a good thing.
    I would recommend, if you don't have to span one or more VLANs across the network, using L3 links, especially in the case of redundant paths. Then you need no spanning tree, but need to use other protocols like GLBP or others. They work faster and are not as confusing (for some people) as STP.
    best regards,
    Sebastian

  • Configuring VLANs on Cisco switches - help on basics please!

    Hi people.
    I'm buying Cisco switches to my home lab to practice VLAN and have some doubts, would someone kindly help me?
    I'm thinking of buying two 300 series switches for the servers (VMware boxes), configure two separate VLANs for VMs and two other VLANs for desktop computers, in order to simulate a small office with a datacenter and two floors (one VLAN for each floor).
    I presume that the connection between each floor switch and the 300 series core switch will be via trunk mode on both, not access port mode, is that correct?
    Another question: for the desktop switches, the ports that are going to connect to the desktops (which runs windows with non-vlan tagging aware nic), will be configured with the correct VLAN, and the operating system will just communicate normally as if there was no VLAN tag on the frames?
    Since I need inter-vlan routing only on the core switch (the 300 series), for the desktops switches I can purchase some 200 series, right?
    And the last question: presuming that I configure a third VLAN and add a third floor switch, but this time a 100 series switch that is not VLAN capable, so connecting this switch to the 300 switch, will it work, or not?
    Thank you!

    Hi! Thanks for the rapid answers!
    I have a couple more based on the same questions:
    I presume that the connection between each floor switch and the 300 series core switch will be via trunk mode on both, not access port mode, is that correct? - Yes, trunk links are required to carry multiple vlans.
    So, I could also use multiple links with LAG/LACP carrying all vlans between switches?
    And the last question: presuming that I configure a third VLAN and add a third floor switch, but this time a 100 series switch that is not VLAN capable, so connecting this switch to the 300 switch, will it work, or not? - Yes, but make sure that the link between these two switches is an access link, i.e. it must carry only the third vlan.
    So, If I understand correctly, if having one vlan per floor in an office building, for economical reasons you could deploy simple non-managed and non-vlan capable switches, and in the data center, a core switch with the vlans configured for each floor?
    And viewing from a technical perspective, what would be the advantages of deploying in each floor a vlan capable switch configured with the correct vlan?
    And which method mentioned above is more common deployed for endpoint floor switches?
    Thanks!

  • Passing vlan across unmanaged switch

    Hello CSC,
    I am trying to figure this out. I have two vlans I am trying to run to a trailer. One is for our wireless network (vlan2) and one for our wired (vlan3). Unfortunately I have only one physical link back to the main network, an unmanaged SR2024C, and a WAP4410N. So, I came up with this solution to keep my networks separate.
    I configured the port on my Cisco 3560 that runs out to the trailer as trunking with native vlan3. This connects to the unmanaged SR2024C switch in the trailer. All the wired devices that connect should be and are being put on vlan3. I then configured the WAP4410N to use a default vlan2, with the SSID of my wireless network on vlan2 as well. My wireless devices connect and are able to communicate back to the network, but are on vlan3. Also, I cannot connect to the WAP4410N from the main network, but if I configure my laptop with a static IP from vlan2, I can connect to the WAP while plugged into the SR2024C.
    Diagram below shows the config on the C3560G for int gi1/1 and the WAP4410N vlan info.
    Thank you in advance for any help!

    You are right in that an access port on the Cisco 3560 will drop tagged frames. But the port on the Cisco 3560 is a Trunk. The problem I suspect is on the middle-man, the Cisco SR2024C. I've done some research and think I found two possible answers. 
    1. The IEEE 802.3 Ethernet standard calls for a maximum limit of 1500 bytes to frames. The Dot1Q standard allows for 1522 byte frames. So when the vlan 4-byte tag is inserted into a 1500-byte frame, the Cisco SR2024C will drop the Jumbo frame.
    2. The IEEE 802.3 Ethernet standard calls for a EtherType/Length at the 21 and 22 byte. With Dot1Q encapsulation, four bytes are inserted into the 21-24 position and the EtherType/Len is now at the 25/26th byte. The frame is then dropped by the Cisco SR2024C due to an invalid EtherType/Len.
    Both may be true. If I had a dumber device that simply rebroadcasted the frames or a switch that is only concerned with the Destination (and maybe source) MAC address, this would work. Unfortunately, the SR2024C seems just smart enough to break this.

  • How to setup the trunk for private vlans across 2 switches (Both are SF300-24)

    Dear All,
    I have 2 switches which are SF300-24.
    Switch 1 is connected to the Internet Router for all clients on switch 1 and switch 2.
    The clients on switch 1 & switch 2 don’t communicate with each other.
    Port1~Port24 on switch 1 & switch 2 are isolated ports.
    Gigaport1 on switch1 is connected to gigaport1 on switch2.  
    Gigaport2 on switch2 is connected to Internet Router.
    The VLAN 100 is for isolated ports.
    The native VLAN is 1.
    Please help me how to configure the case. Thanks for your help.

    I think he's just looking for PVE.  You can enable 'protected port' on a port by port basis.
    Here's the excerpt from the admin guide.
    Protected Port—Select to make this a protected port. (A protected port is also referred as a Private VLAN Edge (PVE).) The features of a protected port are as follows:
    • Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and LAGs) that share the same VLAN.
    • Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications.
    • Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN.

  • Private vlan across switches in NX-OS

    Hi,
    I'm trying to make a scenario to span private vlan across multiple switches but I couldn't get this to work in NX-OS N7K.
    My topology is similar to the one in the picture attached.
    I tried to ping from isolated host vlan 201 in switch A to isolated host vlan 202 in switch B. Promiscuous trunk port has been configured to upstream router in Switch A. From switch a to switch b is a normal trunk port.
    But still, I can't establish any connectivity from host vlan 201 to host vlan 202.
    Any suggestion?
    thanks

    Jerry -
    Any idea why? This breaks the ability to use moderately complex ACLs. For example - how would you configure scavenger class traffic to ignore some traffic, and mark other?
    Carole

  • VLANs across switches without trunking

    Assuming that you only have one VLAN, is it possible to have that single VLAN reach across multiple switches without trunk ports? I've inherited a network of a handful of Cat 6506s and Cat 4006s, which have one big flat /22 in a single VLAN. I'd like to break it up into smaller chunks and separate VLANs, but I'm rather surprised that it appears to be working with one VLAN but without trunks.

    Actually you can run separate access port links per vlan, chewing up a separate physical port per vlan on each switch. There was a 2900 series switch I had a long time ago that supported vlans but not trunks.
    It had a feature called multi vlan that you could add to a port, but this was a way of letting one port talk to all vlans and was messy.
    But you could run a separate cable for each vlan. If you have 5 vlans then 5 cables between switch A and switch B, port 1 vlan 1, port 2 vlan 2, port 3 vlan 3, etc...

  • Span VLANs across switches

    VLANs are new to me so please forgive me -
    We have 5 Cisco sg500x switches. We need to create two vlans across some or all of the switches.
    I have been successful in creating vlan1 on one switch and excluding and including ports to segregate traffic. My problem is I can’t get the other switches to see vlan1 that was created on the original switch. I have enabled gvrp on all switches and ports assigned to the vlan but no luck in getting vlan1 devices to communicate across switches. How do I make this work? I think my main problem is creating uplink ports between the switches to carry the vlan across.
    How do I go about spanning vlans across the switches?
    Many thanks

    Thanks Robert I think that has got me a bit further in that I'm not getting VLAN MISMATCH error any more. I believe it was because the trunk ports were marked as untagged.  I still don't feel I understand the NATIVE VLAN concept or how to set it. If I have the default VLAN(1) and I have the VLAN I am trying to span across two switches (VLAN2) do I then need a 3rd VLAN to be the native for either end of the trunk between the two switches? Anyway this what I've done in more detail -
    On Switch 1
    Create VLAN 2: VLAN ID 2
    Set port 2 as follows: Default VLAN1 = forbidden, VLAN2 = trunk, tagged
    Set port 3 as follows: Default VLAN1 = forbidden, VLAN2 = access, untagged
    On Switch 2
    Create VLAN 2: VLAN ID 2
    Set port 2 as follows: Default VLAN1 = forbidden, VLAN2 = trunk, tagged
    Set port 3 as follows: Default VLAN1 = forbidden, VLAN2 = access, untagged
    With rj45 connect port 2 on both switches to each other. Clients connected to port 3 on both switches cannot ping each other across the trunk.
    Seeing this in the logs:
    Warning: %STP-W-PORTSTATUS:gi1/1/2: STP status Forwarding
    IP info:
    Default VLAN1 on 172.16.1.0/21
    VLAN2 on 172.16.40.0/21
    Any suggestions or areas to investigate would be helpful however obvious they may seem to anyone as this is my first effort with a Cisco. Thanks

  • Configure WAP4410N with Multiple SSIDS

    I need to configure a WAP4410N for use on a small, very simple business network.  There should be a corporate WLAN and a guest WLAN.  The corporate WLAN should allow anyone connected to it to access resources on the domain.
    In front of the WAP is a cable modem/router and a basic Level 2 (web managed) switch.  What do I have to do to segregate the corporate and guest networks?
    I thought I would add the corporate WLAN to VLAN1 (assuming the default VLAN in the switch is VLAN1).  Then I figured I could create the guest WLAN and assign it to VLAN2, which will be controlled entirely by the 4410N (DHCP, DNS, etc.)  Does this sound like the right way of going about things?
    If not, can you please point me in the right direction?
    Thank you,

    That's right. If you are going to create a guest wireless network, or any additional SSIDs for that matter, you'll also need to create an additional vlan for the guest network. I've pasted below the 4 steps from the WAP4410N manual, and then as a final step you'll also need to configure vlans on your switch so that traffic on the guest wlan will be allowed a path on your network.
    STEP 1
    Click Wireless > VLAN & QoS.
    STEP 2
    To configure VLAN settings:
    NOTE You can enable this feature only if the hubs/switches on your network
    support the VLAN standard.
    a. To enable VLAN, click Enabled.
    b. Provide the following information:
    • Default VLAN ID—Enter the default VLAN ID.
    • VLAN Tag—Select Tagged to determine the associated VLAN from the
    VLAN tag. The default is Untagged.
    • AP Management VLAN—Specify the VLAN ID used for management.
    • VLAN Tag over WDS—Select Enabled or Disabled as required.
    STEP 3
    To configure the QoS settings, enter the following information:
    • VLAN ID—Enter the ID to assign to the VLAN.
    • Priority—Select a priority from the list.
    • WMM—To enable WMM, check the corresponding check box.
    Wi-Fi Multimedia is a QoS feature defined by WiFi Alliance before IEEE
    802.11e was finalized. Now it is part of IEEE 802.11e. When it is enabled, it
    provides four priority queues for different types of traffic. It automatically
    maps the incoming packets to the appropriate queues based on QoS
    settings (in IP or layer 2 header). WMM provides the capability to prioritize
    traffic in your environment. The default is Enabled.
    STEP 4
    Click Save.
    STEP 5
    Configuration on a Switch running IOS
    apply the following to the interface that the WAP4410N is connected to:
    en
    conf t
    int
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1,
    end
    *you'll also need to configure any interfaces that packets from the guest wlan will traverse, if you intend to permit guest traffic over them.

  • Native vlan on 3750 switch

    Is it possible to configure AAA and EAPFAST on a 3750G switch to use a vlan other than vlan1 for management/native vlan?  We are working with RADIUS on Server 2008.

    Hi John,
    Yes, you can do that.
    On 3750 you can take a look at the feature called 802.1x Authentication with VLAN Assignment:
    http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1289244.
    Basically, you define on the RADIUS server what VLAN you want to assign to each User (or User Group), then when the user connects the PC to the port, it authenticates and the RADIUS server returns the required attributes for VLAN assignment to the switch. The switch interprets them and changes the switchport to the configured VLAN.
    The switch will be a simple man-in-the middle during authentication and only processes the RADIUS Reject (if authe fails) or RADIUS Accept (if authe passes).
    The authentication methods like EAP-FAST must be agreed between the RADIUS server (AAA Server) and the PC (AAA supplicant).
    If you want to authenticate users based on certificates you have to use either EAP-FAST, EAP-TLS or EAP-TTLS.
    The most widely spread (which comes by default on WinXP machines) authentication method is PEAP which uses MS-CHAP (username/password) to authenticate users.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Does CISCO C3560X VLAN support multiple Network segments which are further configured with HSRP function

    Hi Cisco experts,
        My name is Kumagai and I need your expert opinions below.
    I am trying to configure one VLAN1 support multiple network segments as below.
    (this should be a very straight forward configuration and should be OK, I think ? )
     interface Vlan1
     ip address 172.30.0.0 255.255.128.0
     ip address 172.30.31.253 255.255.254.0 secondary
     ip address 172.30.61.253 255.255.254.0 secondary
     ip address 172.30.71.253 255.255.254.0 secondary
     ip address 172.30.4.253 255.255.255.0 secondary
     The only issue that is eating me is the above network segments are using HSRP too
     and I am not sure is this possible with a combination of VLAN1 supporting multiples which are
     further supported with HSRP settings in Cisco environment.
    !example of HSRP:
    interface Vlan4
     ip address 172.30.4.253 255.255.255.0
     no ip redirects
     standby 4 ip 172.30.4.254
     standby 4 priority 105
     standby 4 preempt
    <<< what will happen if I add the HSRP configuration as below into the above VLAN1 with multiple Network segment ??)
     I would like to summarize my "Combined" configurations as below but I need your expert opinions on
     whether the configuration below is workable without any problem ??
     Or it is a total flop because Cisco does not support the configuration below !!!
     interface Vlan1
     ip address 172.30.0.0 255.255.128.0
     ip address 172.30.31.253 255.255.254.0 secondary
     ip address 172.30.61.253 255.255.254.0 secondary
     ip address 172.30.71.253 255.255.254.0 secondary
     ip address 172.30.4.253 255.255.255.0  secondary
     standby 30 ip 172.30.31.254
     standby 30 priority 105
     standby 30 preempt
     standby 60 ip 172.30.61.254
     standby 60 priority 105
     standby 60 preempt
     standby 70 ip 172.30.71.254
     standby 70 priority 105
     standby 70 preempt
     standby  4 ip 172.30.4.254
     standby  4 priority 105
     standby  4 preempt
    Thanking you in advance !!!!!

    Hi,
    As far as I know we don't set the ip helper address on the radio interface. It should be on the L3 interface of the corresponding VLANs, i.e.
    int vlan 20
    ip helper-address 192.168.33.xxx
    int vlan 60
    ip helper-address 130.20.1.xxx
    I'm assuming that you're using SVIs (int Vlan 20 and int Vlan 60) rather than physical interfaces. Also hope you have configured the switch port as trunk where this AP is connected.
    Modify the AP config as below since you are using data vlan as the native vlan
    interface Dot11Radio0.20
    encapsulation dot1Q 20 native
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    Ideally your AP fastethernet configuration should look like below, and I'm not sure how you missed this as this comes by default when you have multiple vlans for multiple ssids.
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface FastEthernet0.60
    encapsulation dot1Q 60
    no ip route-cache
    bridge-group 60
    no bridge-group 60 source-learning
    bridge-group 60 spanning-disabled
    Hope this helps.
    Regards
    Najaf

  • SUN NIS Broadcast across multiple vlans

    We're a big Sun servers and clients shop. The problem is that NIS is not able to go across multiple vlans on a layer 3 switch. I have enabled the forward-udp protocol sunrpc but it still doesn't work. Has anybody else ever run into this issue?

    This might help you. Use the ip-helper address along with the forward udp command. Look at this link under the IP-helper command. Should answer your question.
    http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a0080087387.html#wp1018606
    If this helps please rate.

  • How do you configure the DAM so it can be shared across multiple CQ instances?

    How do you configure the DAM so it can be shared across multiple CQ instances?

    You can use shared datastore http://dev.day.com/content/kb/home/Crx/CrxSystemAdministration/HowToCombineTheDatastoreToPreserveDiskSpace.html multiple CQ instance will use same file system to share asset
    clustering http://dev.day.com/docs/en/crx/current/administering/cluster.html multiple node will share repository.
    But you can not have something like one DAM and then have different CQ instance pointing to it (As not everything goes in to one location in file system)
    Yogesh

  • How do I configure my contacts to be shared across multiple emails?

    How do I configure my iPhone6 contacts to be shared across multiple email accounts?

    By interface I simply mean connected to the contacts.  I have two different gmail accounts, one that uses the apple mail app and the new one that launches from the gmail icon that I downloaded from the app store.  The new one doesn't recognize the contacts.
