Dynamic VLAN, should or should not?

Hi everyone, 
My company has one Core Switch 6509, and this core switch aggregates all access switches.
On the core switch I have configured static IPs such as:    # arp IP_address MAC_address rarp
However, when a client moves from one access switch to another access switch, I must change the VLAN on the access port.
It is very manual.
To improve management, I am thinking of Dynamic VLAN.
But this solution requires all access switches to support VMPS, and the access switches in the network do not support it.
Implementing this solution would require a large investment to purchase new devices.
Can anyone advise me of a suitable solution?
Thanks in advance!
HoiVN

Kindly check the following links for reference.
Sample configuration links:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
Troubleshooting link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html

Similar Messages

  • Dynamic vlan assignment does not work

    Hello,
    I have been trying to configure dynamic VLAN assignment for the employee WLAN, trying to put the employees on VLAN 20.
    Here are the components used:
    WLC: 2100, software version: 7.0.240.0
    AP: 3502I, IOS version: 12.4, Mini IOS version: 7.0
    RADIUS server: tried multiple RADIUS servers (RSA RADIUS, FreeRADIUS)
    On the WLC:
    1. Created an AAA server.
    2. Along with the management interface (VLAN 10), configured dynamic interfaces (VLAN 20, VLAN 30)
    3. AP manager interface is on VLAN 40
    4. Created a WLAN assigned to the management interface -- WPA2 (AES), 802.1X
    5. On the AAA servers tab, checked authentication servers and assigned the AAA server. Authentication priority order is set to only RADIUS.
    Here I have 2 options for RADIUS override:
    one on the AAA servers tab,
    the second on the Advanced tab.
    I have selected both, or one at a time.
    The port between WLC and switch is a trunk.
    On the AP:
    1. Local mode
    2. Port between AP and switch: switchport access - VLAN 40
    On the RADIUS server:
    configured the WLC's management interface as a client
    and assigned the following attributes:
    tunnel-type := vlan
    tunnel-medium-type = ieee-802
    tunnel-private-group-id = 20
    When I try to authenticate with an iPhone it is successful, but it puts me on the same interface as the management interface (VLAN 10). When I do a packet capture I do see the Access-Accept, but I don't see the attributes.
    When I use a RADIUS test utility against the RADIUS server I do receive all the attributes.
    I'm a newbie on this. Am I missing something here? Any help will be much appreciated.


  • Dynamic vlan assignment with 1242AG and IAS not working

    I'm having trouble getting dynamic VLAN assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine. I've tried everything I can think of. Any suggestions?
    IAS and AD are running on Windows Server 2003.
    Everything works fine except the VLAN assignment. Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate VLAN the client stays in whichever VLAN/SSID it originally connected to.
    PEAP is the authentication method, using MS-CHAP v2. Naturally I have the attributes in the policy set appropriately, i.e.:
    Tunnel-Medium-Type > 802
    Tunnel-Pvt-Group-ID > vlanid
    Tunnel-Type > VLAN
    On the AP:
    Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
    I've attached the config for the AP, which shows that I have two VLANs/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the Tunnel-Pvt-Group-ID attribute is set to a VLAN ID that doesn't exist on the AP, then the AP makes an event log entry saying so.

    Good! Well, to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
    I did view the debug from an AP which showed the Tunnel attributes being received from the RADIUS server (I'll have to wait until Monday to get a copy though).
    I see I don't have that line "aaa authorization network default group rad_eap",
    so I'll give it a try (maybe I can remote in so I don't have to wait until Monday).
    Thanks,
    Jason

  • SG300-28 Firmware 1.1.2.0 and 1.2.7.76 - Dynamic VLAN+freeRADIUS - Client get rejected

    Hello ladies and gentlemen,
    I am using several SG300-28 switches with firmware version 1.1.2.0.
    I have dynamic VLAN enabled. As RADIUS server I am using freeradius 2.1.12.
    Authentication is only based on the MAC address (I configured that on the switches).
    On the switches I created three VLANs: VLAN100 for the authenticated clients, VLAN200 for the management interface and VLAN300 as guest VLAN. After a failed authentication the clients should be put into this guest VLAN immediately (I configured this on the switches).
    I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just want to use the MAC address.
    In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and I can see the same in the freeradius log. But in some (rare) cases the client is rejected. The Cisco log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17", but when I look at the freeradius log this MAC address was successfully authorized.
    The problem is that the client gets an IP address based on the guest VLAN300, but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN, but the client does not request a new IP on the new VLAN.
    If I unplug and re-plug the LAN cable, in most cases the client gets the correct VLAN and the correct IP.
    This is happening randomly on nearly all my PCs.
    I would really appreciate your help. Do I have to set some timers higher? I don't think it is a problem between switch and RADIUS, but a problem in the communication between the host and the switch.
    Thank you very much for your help!
    Regards
    Alexander Wilke

    This is from my Cisco log. The computer is always online but there are repeated rejects and then, with a delay of some minutes, an accept.
    2147483395  2012-Aug-09 21:40:05  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483396  2012-Aug-09 21:38:23  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483397  2012-Aug-09 21:38:23  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483398  2012-Aug-09 21:16:05  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483399  2012-Aug-09 21:13:42  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483400  2012-Aug-09 21:13:42  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483401  2012-Aug-09 21:04:04  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483402  2012-Aug-09 21:03:50  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483403  2012-Aug-09 21:03:50  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483404  2012-Aug-09 20:52:02  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483405  2012-Aug-09 20:49:02  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483406  2012-Aug-09 20:49:02  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483407  2012-Aug-09 20:40:04  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483408  2012-Aug-09 20:39:10  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483409  2012-Aug-09 20:39:10  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483410  2012-Aug-09 20:16:06  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483411  2012-Aug-09 20:14:29  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483412  2012-Aug-09 20:14:29  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483413  2012-Aug-09 19:28:01  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483414  2012-Aug-09 19:25:08  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483415  2012-Aug-09 19:25:08  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483416  2012-Aug-09 19:15:59  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483417  2012-Aug-09 19:15:16  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483418  2012-Aug-09 19:15:16  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483419  2012-Aug-09 19:04:00  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483420  2012-Aug-09 19:00:27  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483421  2012-Aug-09 19:00:27  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483422  2012-Aug-09 18:27:59  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483423  2012-Aug-09 18:25:55  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483424  2012-Aug-09 18:25:55  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    Any ideas ?
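As an added example (not from the thread), a small Python analyzer for the SG300 log format above: it pairs each %SEC-W-SUPPLICANTUNAUTHORIZED reject with the next %SEC-I-PORTAUTHORIZED on the same port and reports the delay, which is the window in which the client may already hold a guest-VLAN lease it will not renew. The sample lines are constructed from entries in the post, one entry per line.

```python
"""Find reject-then-authorize cycles in SG300 port-security log lines."""
import re
from datetime import datetime

# Constructed sample, one entry per line, newest first as the switch shows it.
# Values are copied from the log in the post above.
SAMPLE_LOG = """\
2147483416 2012-Aug-09 19:15:59 Informational %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483417 2012-Aug-09 19:15:16 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483418 2012-Aug-09 19:15:16 Warning %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483419 2012-Aug-09 19:04:00 Informational %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483420 2012-Aug-09 19:00:27 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483421 2012-Aug-09 19:00:27 Warning %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483422 2012-Aug-09 18:27:59 Informational %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483423 2012-Aug-09 18:25:55 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483424 2012-Aug-09 18:25:55 Warning %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
"""

# entry id, timestamp, severity, message (the format assumed for the sample above)
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<ts>\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<sev>\w+)\s+(?P<msg>.*)$"
)
REJECT_RE = re.compile(
    r"%SEC-W-SUPPLICANTUNAUTHORIZED: MAC (?P<mac>[0-9a-fA-F:]{17}) was rejected on port (?P<port>\S+)"
)
AUTH_RE = re.compile(r"%SEC-I-PORTAUTHORIZED: Port (?P<port>\S+) is Authorized")


def parse_log(text):
    """Return [(timestamp, message)] in chronological order; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        stamp = datetime.strptime(match["ts"], "%Y-%b-%d %H:%M:%S")
        events.append((stamp, match["msg"]))
    events.sort(key=lambda event: event[0])
    return events


def reject_recover_cycles(text):
    """Pair each reject on a port with the next authorization on that port.

    Returns {port: [{"mac", "rejected", "authorized", "delay_s"}, ...]}.
    The delay is how long the port sat in the unauthorized (guest) state
    before the supplicant was finally accepted.
    """
    pending = {}   # port -> (mac, time of the latest unresolved reject)
    cycles = {}
    for stamp, message in parse_log(text):
        reject = REJECT_RE.search(message)
        if reject:
            pending[reject["port"]] = (reject["mac"], stamp)
            continue
        auth = AUTH_RE.search(message)
        if auth and auth["port"] in pending:
            mac, rejected_at = pending.pop(auth["port"])
            cycles.setdefault(auth["port"], []).append({
                "mac": mac,
                "rejected": rejected_at,
                "authorized": stamp,
                "delay_s": int((stamp - rejected_at).total_seconds()),
            })
    return cycles


def flapping_ports(text, min_cycles=3):
    """Ports whose supplicant was rejected and re-accepted at least min_cycles times."""
    return sorted(port for port, seen in reject_recover_cycles(text).items()
                  if len(seen) >= min_cycles)


if __name__ == "__main__":
    for port, seen in reject_recover_cycles(SAMPLE_LOG).items():
        for cycle in seen:
            print(port, cycle["mac"], cycle["rejected"].time(),
                  "->", cycle["authorized"].time(), f"{cycle['delay_s']}s")
    print("flapping:", flapping_ports(SAMPLE_LOG))
```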

  • WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment

    WLC 5508: software version 7.0.98.0
    Windows 7 client
    RADIUS server: Fedora Core 13 / FreeRADIUS with LDAP storage backend
    I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respect to building the LDAP and FreeRADIUS server. 802.1X authorization and authentication work correctly. The session keys are returned from the RADIUS server and the WLC sends the appropriate information for the client to generate the WEP key.
    However, the WLC does not override the VLAN assignment, even though I believe I set everything up correctly. From the packet capture, you can see that the verification that the client is authorized to use the WLAN returns the needed attributes:
    AVP: l=4  t=Tunnel-Private-Group-Id(81): 10
    AVP: l=6  t=Tunnel-Medium-Type(65): IEEE-802(6)
    AVP: l=6  t=Tunnel-Type(64): VLAN(13)
    I attached a packet capture and WLC config; any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.

    Yes, good catch, so I had one setting left off in freeradius that allows the inner reply attributes back into the outer tunneled accept. I wrote up a medium-high-level config for any future viewers of this thread:
    The following was tested and verified on a Fedora 13 installation. This is a minimal setup, not meant for a "live" network (security issues with cleartext passwords, LDAP not indexed properly for performance).
    Install Packages
    1.  Install needed packages.
    yum install openldap*
    yum install freeradius*
    2.  Set the services to automatically start at system startup
    chkconfig --level 2345 slapd on
    chkconfig --level 2345 radiusd on
    Configure and start LDAP
    1.  Copy the needed LDAP schema for radius. Your path may vary a bit
    cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
    2.  Create an admin password for slapd. Record this password for later use when configuring the slapd.conf file
    slappasswd
    3.  Add the ldap user and group if they don't exist. Depending on the install rpm, they may have been created already
    useradd ldap
    groupadd ldap
    4.  Create the directory and assign permissions for the database files
    mkdir /var/lib/ldap
    chmod 700 /var/lib/ldap
    chown ldap:ldap /var/lib/ldap
    5.  Edit the slapd.conf file.
    cd /etc/openldap
    vi slapd.conf
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #Default needed schemas
    include        /etc/openldap/schema/corba.schema
    include        /etc/openldap/schema/core.schema
    include        /etc/openldap/schema/cosine.schema
    include        /etc/openldap/schema/duaconf.schema
    include        /etc/openldap/schema/dyngroup.schema
    include        /etc/openldap/schema/inetorgperson.schema
    include        /etc/openldap/schema/java.schema
    include        /etc/openldap/schema/misc.schema
    include        /etc/openldap/schema/nis.schema
    include        /etc/openldap/schema/openldap.schema
    include        /etc/openldap/schema/ppolicy.schema
    include        /etc/openldap/schema/collective.schema
    #Radius include
    include        /etc/openldap/schema/radius.schema
    #Samba include
    #include        /etc/openldap/schema/samba.schema
    # Allow LDAPv2 client connections.  This is NOT the default.
    allow bind_v2
    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral    ldap://root.openldap.org
    pidfile        /var/run/openldap/slapd.pid
    argsfile    /var/run/openldap/slapd.args
    # ldbm and/or bdb database definitions
    #Use the Berkeley database
    database    bdb
    #dn suffix, domain components read in order
    suffix        "dc=cisco,dc=com"
    checkpoint    1024 15
    #root container node defined
    rootdn        "cn=Manager,dc=cisco,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    # rootpw        secret
    rootpw      {SSHA}cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools. (chown ldap:ldap)
    # Mode 700 recommended.
    directory    /var/lib/ldap
    # Indices to maintain for this database
    index objectClass                       eq,pres
    index uid,memberUid                     eq,pres,sub
    # enable monitoring
    database monitor
    # allow only rootdn to read the monitor
    access to *
             by dn.exact="cn=Manager,dc=cisco,dc=com" read
             by * none
    6.  Remove the slapd.d directory
    cd /etc/openldap
    rm -rf slapd.d
    7.  Hopefully, if everything is correct, you should be able to start up slapd with no problem
    service slapd start
    8.  Create the initial database in a text file called /tmp/initial.ldif
    dn: dc=cisco,dc=com
    objectClass: dcobject
    objectClass: organization
    o: cisco
    dc: cisco

    dn: ou=people,dc=cisco,dc=com
    objectClass: organizationalunit
    ou: people
    description: people

    dn: uid=jonatstr,ou=people,dc=cisco,dc=com
    objectClass: top
    objectClass: radiusprofile
    objectClass: inetOrgPerson
    cn: jonatstr
    sn: jonatstr
    uid: jonatstr
    description: user Jonathan Strickland
    radiusTunnelType: VLAN
    radiusTunnelMediumType: 802
    radiusTunnelPrivateGroupId: 10
    userPassword: ggsg
    9.  Add the file to the database
    ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
    10.  Issue a basic query to the ldap db, makes sure that we can request and receive results back
    ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
    Configure and Start FreeRadius
    1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenticator (dynamic VLAN assignments as an example). Below is an example for dynamic VLAN addresses
    cd /etc/raddb
    vi ldap.attrmap
    For dynamic VLAN assignments, verify the following lines exist:
    replyItem    Tunnel-Type                 radiusTunnelType
    replyItem    Tunnel-Medium-Type          radiusTunnelMediumType
    replyItem    Tunnel-Private-Group-Id     radiusTunnelPrivateGroupId
    Since we are planning to use the userPassword, we will let the mschap module perform the NT translations for us. Add the following line to check the ldap object for userPassword and store it as Cleartext-Password:
    checkItem    Cleartext-Password          userPassword
    2.  Configure eap.conf. The following sections and attributes should be verified. You may change other attributes as needed; they are just not covered in this document.
    eap {
        default_eap_type = peap
        .....
        tls {
            # I will not go into details here as this is beyond the scope of setting up freeradius.
            # The defaults will work, as freeradius comes with generated self-signed certificates.
            .....
        }
        peap {
            default_eap_type = mschapv2
            # you will have to set this to allow the inner TLS tunnel attributes into the final accept message
            use_tunneled_reply = yes
            .....
        }
    }
    3.  Change the authentication and authorization modules and order.
    cd /etc/raddb/sites-enabled
    vi default
    For the authorize section, uncomment the ldap module.
    For the authenticate section, uncomment the ldap module.
    vi inner-tunnel
    Very important: for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
    authorize {
        ldap
        mschap
        ......
    }
    4.  Configure the ldap module
    cd /etc/raddb/modules
    ldap {
        server = localhost
        identity = "cn=Manager,dc=cisco,dc=com"
        password = admin
        basedn = "dc=cisco,dc=com"
        base_filter = "(objectclass=radiusprofile)"
        access_attr = "uid"
        ............
    }
    5.  Start up radius in debug mode on another console
    radiusd -X
    6.  radtest localhost 12 testing123
    You should get an Access-Accept back
    7.  Now to perform an EAP-PEAP test. This will require a wpa_supplicant test library called eapol_test
    First install the openssl support libraries, required to compile
    yum install openssl*
    yum install gcc
    wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz 
    tar xvf wpa_supplicant-0.6.10.tar.gz
    cd wpa_supplicant-0.6.10/wpa_supplicant
    vi defconfig
    Uncomment CONFIG_EAPOL_TEST = y and save/exit
    cp defconfig .config
    make eapol_test
    cp eapol_test /usr/local/bin
    chmod 755 /usr/local/bin/eapol_test
    8.  Create a test config file named eapol_test.conf.peap
    network={
        eap=PEAP
        eapol_flags=0
        key_mgmt=IEEE8021X
        identity="jonatstr"
        password="ggsg"
        # If you want to verify the server certificate the line below would be needed
        #ca_cert="/root/ca.pem"
        phase2="auth=MSCHAPV2"
    }
    9.  Run the test
    eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

  • Vlans dhcp status are not received

    Hello,
    I am configuring VLANs on an SG300-20 in DHCP mode.
    One VLAN that is directly connected to the ADSL router gets an IP address, and when I connect hosts to the ports in this VLAN they also receive IP addresses and can go on the internet.
    The other four VLANs' DHCP status is "Not received".
    Kindly help me check this. Thanks
    Below is the config log:
    switch4ba497#sh running-config
    config-file-header
    switch4ba497
    v1.2.9.44 / R750_NIK_1_2_584_002
    CLI v1.0
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    vlan database
    vlan 5,10,20,30,40
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    ip dhcp relay address 192.168.3.1
    ip dhcp information option
    no boot host auto-config
    bonjour interface range vlan 1
    hostname switch4ba497
    line telnet
    exec-timeout 0
    exit
    no passwords complexity enable
    username cisco password encrypted 7af78c911d5b48bea1dc2449d9d89513abeb4be5 privilege
    15
    ip http timeout-policy 0 http-only
    ip name-server  192.168.1.1 192.168.3.1
    ip telnet server
    interface vlan 1
    ip address 192.168.2.254 255.255.255.0
    no ip address dhcp
    interface vlan 5
    name WAN
    ip address dhcp
    interface vlan 10
    name Studio
    ip address dhcp
    interface vlan 20
    name Service
    ip address dhcp
    interface vlan 30
    name Admin
    ip address dhcp
    interface vlan 40
    name Data
    ip address dhcp
    interface gigabitethernet1
    switchport mode access
    interface gigabitethernet2
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet3
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet4
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet5
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet6
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet7
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet8
    switchport mode access
    interface gigabitethernet9
    switchport mode access
    switchport access vlan 20
    interface gigabitethernet10
    switchport mode access
    switchport access vlan 20
    interface gigabitethernet11
    switchport mode access
    switchport access vlan 20
    interface gigabitethernet12
    switchport mode access
    switchport access vlan 20
    interface gigabitethernet13
    switchport mode access
    switchport access vlan 30
    interface gigabitethernet14
    switchport mode access
    switchport access vlan 30
    interface gigabitethernet15
    switchport mode access
    switchport access vlan 30
    interface gigabitethernet16
    switchport mode access
    switchport access vlan 30
    interface gigabitethernet17
    switchport mode access
    interface gigabitethernet18
    switchport trunk native vlan 40
    interface gigabitethernet19
    switchport mode access
    switchport access vlan 5
    interface gigabitethernet20
    switchport trunk native vlan 5
    switch4ba497#sh ip int
    IP Address          I/F       Type     Directed Broadcast   Precedence   Status
    0.0.0.0/32          vlan 10   DHCP     disable              No           Not received
    0.0.0.0/32          vlan 20   DHCP     disable              No           Not received
    0.0.0.0/32          vlan 30   DHCP     disable              No           Not received
    0.0.0.0/32          vlan 40   DHCP     disable              No           Not received
    192.168.2.254/24    vlan 1    Static   disable              No           Valid
    192.168.3.102/24    vlan 5    DHCP     disable              No           Valid
    switch4ba497#
    Also, I do not understand why the IP address is 0.0.0.0/32, because the DHCP server IP address is 192.168.3.1

    Dear Customer,
    Thank you for reaching the Small Business Support Community.
    In Layer 2 system mode, only the management VLAN can be configured with a static or dynamic IP address. In Layer 3 system mode, all the interface types (ports, LAGs, and/or VLANs) on the device can be configured with a static or dynamic IP. Configuring the device to work in either mode is performed in the Administration > System Settings page.
    When a DHCP client starts a discovery process, it assigns a dummy IP address 0.0.0.0 before the real address is obtained. This dummy address has the status "Not Received".
    Pretty much your problem should be solved by changing to Layer 3 system mode. Please let me know if anything comes up and/or if there is any further assistance I may help you with.
    Kind regards,
    Jeffrey Rodriguez S.
    Cisco Customer Support Engineer
    *Please rate the post so others will know when an answer has been found.

  • Dynamic VLAN assignment on SG300

    Cisco documentation states that dynamic vlan assignment via RADIUS should provide the following IETF values:
    The RADIUS user attributes used for the VLAN ID assignment are:
    IETF 64 (Tunnel Type)—Set this to VLAN.
    IETF 65 (Tunnel Medium Type)—Set this to 802
    IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID
    I have done so with an Aruba Clearpass RADIUS server - but the Access-Accept message being sent below:
    Radius:IETF:Tunnel-Medium-Type     6
    Radius:IETF:Tunnel-Private-Group-Id     4
    Radius:IETF:Tunnel-Type     13
    is being received by the SG300 in some way that's not being interpreted correctly. Log files indicate that the IETF values are not what is expected:
    07-Aug-2014 18:58:41 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID
    07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0
    07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0
    Is there something I'm missing here? These same values sent by the Clearpass RADIUS server are working for other switches such as Extreme and Brocade.
    Thanks,
    Aaron

    Hi Aleksandra,
    Here are the values from a packet capture of the Access-Accept message:
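As an added example, not from any of the posts above: a Python encoder and checker for the three RFC 2868 attributes (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-Id 81) that carry a VLAN assignment. The checker applies the tag-must-be-zero rule the SG300 log reports, so a server's reply can be compared against what the switch accepts; the attribute lengths it produces match the l=6/l=6/l=4 AVPs in the WLC 5508 capture earlier on the page.

```python
"""Encode and check the RFC 2868 tunnel attributes that carry a VLAN assignment."""

# Attribute numbers and enumerated values quoted in the posts above (RFC 2868).
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # string carrying the VLAN ID
VLAN = 13
IEEE_802 = 6
MAX_TAG = 0x1F                 # RFC 2868: tags 0x01-0x1F group attributes; 0x00 = unused


def _avp(attr_type, body):
    """Wrap a value in the RADIUS Type/Length/Value envelope."""
    if not 0 < len(body) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([attr_type, len(body) + 2]) + body


def encode_vlan_attrs(vlan_id, tag=0):
    """Return the three Access-Accept attributes for a VLAN assignment.

    Integer attributes 64 and 65 always carry a tag octet plus 3 value octets.
    Tunnel-Private-Group-Id only carries a tag octet when a tag is in use, which
    is why the WLC capture shows it with l=4 for the two-character "10".
    """
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00-0x1F")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")

    def tagged_int(value):
        return bytes([tag]) + value.to_bytes(3, "big")

    group_id = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return (_avp(TUNNEL_TYPE, tagged_int(VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, tagged_int(IEEE_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, group_id))


def iter_attrs(buf):
    """Yield (type, value) pairs, rejecting truncated or overlong TLVs."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        yield attr_type, buf[pos + 2:pos + length]
        pos += length


def decode_tagged_int(value):
    """Return (tag, integer) for a 4-octet RFC 2868 tagged integer."""
    if len(value) != 4 or value[0] > MAX_TAG:
        raise ValueError("malformed tagged integer")
    return value[0], int.from_bytes(value[1:], "big")


def decode_tagged_string(value):
    """Return (tag, text); a first octet above 0x1F is data, not a tag."""
    if not value:
        raise ValueError("empty tagged string")
    if value[0] <= MAX_TAG:
        return value[0], value[1:].decode("ascii", "replace")
    return 0, value.decode("ascii", "replace")


def vlan_from_access_accept(buf):
    """Evaluate an attribute list the way the SG300 log above describes.

    Returns (vlan_id or None, warnings).  Attributes whose tag is not zero are
    ignored with the switch's own wording, and the assignment fails when any
    of the three attributes is then missing or carries the wrong value.
    """
    warnings, seen = [], {}
    for attr_type, value in iter_attrs(buf):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, parsed = decode_tagged_int(value)
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, parsed = decode_tagged_string(value)
        else:
            continue  # unrelated attribute (Class, MS-MPPE keys, ...)
        if tag != 0:
            warnings.append(f"Invalid attribute {attr_type} ignored - tag should be 0")
            continue
        seen[attr_type] = parsed
    group_id = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if (seen.get(TUNNEL_TYPE) != VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802
            or not group_id.isdigit()):
        warnings.append("Radius accept message does not contain VLAN ID")
        return None, warnings
    return int(group_id), warnings


if __name__ == "__main__":
    good = encode_vlan_attrs(10)           # same values as the WLC 5508 capture
    print(good.hex(), vlan_from_access_accept(good))
    tagged = encode_vlan_attrs(4, tag=1)   # tag in use: ignored like in the SG300 log
    print(tagged.hex(), vlan_from_access_accept(tagged))
```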

  • Dynamic VLAN assignment and DHCP

    Hello
    I have just upgraded our WLC from 4.0 to 7.0 (via 4.2).
    Before the upgrade we had our ACS returning a VLAN based on user group. This seemed to be working without an issue. Now that the WLC is on version 7 this is no longer working correctly. The ACS is returning a VLAN and passing the user, but the client cannot get an IP from the DHCP server configured.
    Example configuration:
    SSID-----VLAN
    PN-CSC-----CSCVlan: Works
    PN-Others------OthersVlan: Works
    PN-Others-----CSCVlan: No DHCP
    When users are being allocated to a VLAN that is different from the native one, the DHCP fails; however, both WLANs are configured to point to the management interface, so they don't have any real connection to the VLAN other than by name.
    Have there been any changes I haven't seen in the way the dynamic VLAN allocation works in version 7?

    Yes, DHCP proxy could be the culprit here. In 4.0 it was only a CLI command to enable/disable the proxy feature. In 5.2, I think, and later it is in the GUI as well.
    There is a defect filed against the behavior of the WLC DHCP function out there currently. If all of your DHCP is coming from external resources then you can disable proxy. If, however, you are using the WLC as DHCP server for guest access, then proxy must be enabled. If the latter is true, you should contact TAC, as there is an engineering special available that has the defect resolution.
    Sorry I can't provide the defect ID, my CCO account is acting up.
    Cheers,
    Steve
    If  this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Flexconnect dynamic VLAN assignment doubt

    Hi, all,
    I am trying to understand how FlexConnect with dynamic VLAN assignment works. We have the need to dynamically put people in different VLANs based on their AD groups (all employees use the same SSID). I can understand that in traditional CAPWAP mode the AP just tunnels all traffic to the WLC; the WLC is the authenticator, knows what the users' identities are, and can encapsulate user traffic into different VLANs before sending the traffic to the switch it connects to. Here is the part I don't understand:
    1) If APs are operating in FlexConnect mode (APs are trunking to switches), how does each AP know what VLAN tag to put a specific user's traffic on? The AP is not the authenticator; it knows nothing about the associated client's AD identity. How does the WLC convey the dynamic VLAN information to the APs?
    2) I want to eliminate WLCs in remote offices by letting all remote office APs join the HQ WLC in FlexConnect mode. I can keep the same VLAN mapping scheme in the remote office switching environment. In some offices I want to do local authentication (domain controller + RADIUS server); it looks like I can specify a RADIUS server in the FlexConnect group. In this case will the APs become the authenticator? Since RADIUS clients have to be explicitly configured on the NPS/RADIUS server side, does this mean I have to statically configure each AP's IP?
    3) I have over a dozen APs in HQ which are operating in FlexConnect mode, but the SSID's "local central authentication" checkbox is not checked. If I want to have local authentication in the remote office, it seems that I have to turn on "local authentication" on this SSID. Does that mean I have to add each and every one of those HQ APs to the RADIUS/NPS server client list?
    Thanks,

    Hi ,
    1) APs know about VLANs as we can define them inside the FlexConnect groups. This is the same way we define FlexConnect ACLs, which are pushed to the Flex APs and are returned by the RADIUS server later on.
    2) If you are going for central authentication + local switching, WLCs will always act as the central authenticator and would talk to the RADIUS server. If you have some RADIUS servers at the local site and you want to use them without going through the central authentication, you can do that using local authentication + local switching. Yes, in this case the AP will be the authenticator and would be the AAA client to be added in the RADIUS server.
    3) Yes, you are correct. If you want your AP to do authentication and talk to the local RADIUS server at the site, it has to be added in the RADIUS server.
    Regards
    Dhiresh
    **Please rate helpful posts**
