Help config vlan and inter routing vlan on SF-300

Similar Messages

• Help config vlan and inter routing vlan on 2 switches SF300-24 ???

  Dear Cisco!
  now we have 2 switches: SF300-24
  on one SF300-24 we config it at layer 3 mode with VLAN configuration same as following
  VLAN ID 2 (ports: 2 -6) have ip interface  192.168.2.254/24
  VLAN ID 3 (ports: 7 - 10) have ip interface  192.168.3.254/24
  VLAN ID 4 (ports 11- 15 ) have ip interface  192.168.4.254/24
  and VLAN 1 default have IP address: 192.168.1.200
  DHCP relay  - DHCP server 192.168.3.1
                     - DHCP relay: VLAN2; VLAN3; VLAN4
  ip route: 0.0.0.0   0.0.0.0  192.168.3.1
  all ports of VLAN2, VLAN3, VLAN4 set access mode.
  and another SF300-24
  was configed at layer 2. We config VLAN ID 2 ̣̣̣have ports  2 -6; VLAN ID 3 ports 7 -10; VLAN ID 4 port 11-15 ,too.
  And we use port 26 on 2 switches SF300-24 is trunk mode then we connect both SF300-24 switches.
  But on SF300-24 layer 2 cann't inderstand VLAN from Sf300-24 layer 3!!!
  Could you please help me check this situation?
  How to config VLAN on 2 switches SF300-24 Layer 3 and SF300-24 layer 2?
  Thanks!
  See you soon!

  Son Nquyen,
  First i would upgrade to 1.1.8 since the 1.0.0.27 was beta code.
  Next when when connecting both switches together each port will need set via Trunk mode with proper native vlan and tagged vlan traffic. What's the configuration of your trunk ports on each switch?
  Thanks,
  Jasbryan.

• Vlans and cisco router

  I have a netgear managed switch and a cisco 1750 router. I would like to set up 2 vlans. the first one is a wan, with a residential cable model connected to it. the other vlan is for my private lan. I will then have the cisco router connected to one port on the switch set up as a trunk. I'm no pro, but from what I've read so far, it should work that way, right? the part I need help with is setting up the cisco router as a gateway and dns proxy, accepting the dynamic ip, gateway, and dns addresses from the cable modem.
  I did see this http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Getting%20Started%20with%20LANs&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddcef50
  router in a stick *write that down* so my setup should work if I can figure out the router configuration. a good online tutorial or something would be helpful for this. I have plenty of cisco books, but maybe something for dummies would help me get started, before digging into the tough stuff.

  In order to set up inter vlan routing or a "router on a stick" with a netgear switch you will need a router that supports IEEE 802.1q VLAN Support.
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/8021q.htm#28767
  On the router interface that is "trunked" to the switch you will need to have a configuration that looks like the what I have below.
  Router(config)#interface FastEthernet0/1.1
  Router(config-subif)#encapsulation dot1Q 1 native
  Router(config-subif)#ip address 10.xx.xx.16 255.255.255.xxx
  Router(config-subif)#interface FastEthernet0/1.2
  Router(config-subif)#encapsulation dot1Q 2
  Router(config-subif)#ip address 10.xx.xx.130 255.255.255.xxx
  The sub-interface 1."2" corresponds to the vlan id on the trunk. In this case the .2 is vlan 2.
  I have attahced a link that exlains the intricate details on inter vlan routing below:
  http://www.cisco.com/warp/public/473/50.shtml
  Lastly you may want to check the Cisco IOS feature Navigator. I was looking at it and I did not see that the 1750 has IEEE 802.1q VLAN Support. It looks like the 1751 is the first platform in the 1700 series that does.

• Wireless VLANs and Layer2/3 VLANs

  Dear,
  The vlans created for the mapping of SSID in embedded AP on cisco 1941 can be connected/communicated to the VLAN created on Layer2/3 switch.
  Lets say i have created 3 vlans (say 200,201,202) for 3 ssid and the vlan created on switch (say 200,201,202) can be communicated?
  Or these wireless vlan are purely for the mapping of ssid?. Thanks

  yes that should be a trunk.. the below link is the configuration guide..
  https://www.cisco.com/en/US/docs/routers/access/1900/software/configuration/guide/Software_Configuration.html
  http://www.cisco.com/en/US/docs/routers/access/1900/software/configuration/guide/wlan.html
  Regards
  Surendra

• Help with Multiple VLANS and IP Phone Setup.

  Although i have a 3com, I have a cisco IP Phone. I have the IP Phone connected to the 3com swithport using a hybrid port. It's a tagged member of vlan3 (voice net) and an untagged member of vlan1(native data)
  The ip phone gets the right DHCP address for vlan3 ( 10.x.x.x ) but the laptop connected to the ip phone gets the IP for vlan 3 as well.
  I want the laptop to get the IP of the native vlan ( 192.168.x.x)
  what would the port setup need to be ? does it need to be a trunk ? i have the PVID of the port set to vlan3, this allows the IP phone to get its vlan3 DHCP address.
  any help would be greatly appreciated.
  The 3com OS is very similar to the latest of CISCO IOS'.
  so explain wtih syntax and i'm sure the 3com can relate.

  Based on your description of a 'Hybrid Port' this sounds like Cisco's 'Multi-VLAN Port' that was a feature of the 2900XL/3500XL series switches. This feature has however long since gone......
  With a Cisco switch an access port supporting an Access VLAN & a Voice VLAN is effectively a Trunk with only one Tagged VLAN and the Native VLAN:
  interface FastEthernet0/1
  switchport mode access
  switchport access vlan 10
  switchport voice vlan 100
  This results in the same configuration as:
  interface FastEthernet0/1
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 10
  switchport trunk allowed vlan 100
  With the exception of CDP packets being sent advertising the Voice VLAN.
  With regards to other IP Phone vendors and DHCP Vendor Options - the answer is it depends....
  Nortel use Vendor Option 144 to inform the IP Phone of the Voice VLAN and Option 128 for the Server (PBX) to use. Ericsson uses Vendor Option 43 that can be configured to tell the IP Phone the VLAN and the Web server to read the config file from.
  I don't think you will get this working automatically with your 3Com switches, you can however manually configure the VLAN on the Cisco IP Phones.
  HTH
  Andy

• Need help configuring multiple VLANs and SSIDs

  Hi,
  We bought a Cisco SGE2000P 24Port switch and 10 WAP4410N access points. Our intent is to provide a secure network to our LAN, and a guest network to the Internet.
  We are thinking 3 VLANs would be best for this: VLAN 100 connected to the LAN, VLAN 1000 for the Internet Router and Filter, and VLAN 1100 for the Guest Wireless access.
  We have the switch configured for all three of these, and 1 initial access point configured for the VLANS, too.
  We have not yet moved the current Internet connection to VLAN 1000 because we aren't sure how to setup routing between VLANS.
  Here are some specifics on how the traffic needs to route:
  1. We have the DHCP server, which is the PDC, handling both scopes for the LAN and Guest VLAN.
  2. The web filter in VLAN 1100 needs to authenticate with the DHCP server as there are different filter rules based on authenticated user. Any users coming from VLAN 1100 will have a default filter rule without requiring any authentication.
  3. Certain traffic coming in from the Internet needs to be able to get to VLAN 100. The router has a built-in firewall that handles NAT and port forwarding, so as long as traffic can be forwarded to VLAN 100 we should be good.
  4. Traffic on VLAN 1100 (guest Wireless network) should only be allowed to go to Internet (VLAN 1000).
  Right now I have the VLANs configured and the ports assigned to the Access Points are set for TAGGED and on VLAN 100 and VLAN 1100.
  The SGE2000P has the following IP addresses assigned to the VLANS:
  10.7.3.252 - VLAN 100
  10.7.40.254 - VLAN 1000
  192.168.254.254 - VLAN 1100
  Has anyone been able to setup a similar configuration? We have scoured the Internet for documentation but it seems to be very difficult to find!
  Thank you!
  Gary Smith

  Based on your description of a 'Hybrid Port' this sounds like Cisco's 'Multi-VLAN Port' that was a feature of the 2900XL/3500XL series switches. This feature has however long since gone......
  With a Cisco switch an access port supporting an Access VLAN & a Voice VLAN is effectively a Trunk with only one Tagged VLAN and the Native VLAN:
  interface FastEthernet0/1
  switchport mode access
  switchport access vlan 10
  switchport voice vlan 100
  This results in the same configuration as:
  interface FastEthernet0/1
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 10
  switchport trunk allowed vlan 100
  With the exception of CDP packets being sent advertising the Voice VLAN.
  With regards to other IP Phone vendors and DHCP Vendor Options - the answer is it depends....
  Nortel use Vendor Option 144 to inform the IP Phone of the Voice VLAN and Option 128 for the Server (PBX) to use. Ericsson uses Vendor Option 43 that can be configured to tell the IP Phone the VLAN and the Web server to read the config file from.
  I don't think you will get this working automatically with your 3Com switches, you can however manually configure the VLAN on the Cisco IP Phones.
  HTH
  Andy

• Wirless Vlans and DHCP

  I am trying to configure my Aironet 1121G acess points with several vlans, got the vlans all working fine with wired devices, but the wirless devices don't get DHCP.
  Basically, I have the BVI on my managment vlan and two other vlans that pass through, trying to have the public WiFi on 1 vlan and two corporate vlans with seperate wifi. can't get IPs on any of them though.
  Vlnas are routed by a catlayst 3550 with helper addresses configured on all the vlan interfaces.
  DHCP comes from 2 windows server 2003 boxes on a further vlan
  any Ideas?

  Vinod,
       Here is the AP config, I'm confused, so any help would be useful, got to get a wireless course under my belt.
  Cheers,
  Peter
  version 12.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname IT_AP1121G_01
  no logging console
  enable secret
  ip subnet-zero
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 vlan-name Corporate vlan 3
  dot11 vlan-name Default vlan 1
  dot11 vlan-name Managment vlan 2
  dot11 ssid stosWIFI
  vlan 1
  authentication open
  guest-mode
  mbssid guest-mode
  infrastructure-ssid optional
  mobility network-id 1
  dot11 ssid stoswaldsWIFI
  vlan 3
  authentication open eap eap_methods
  mobility network-id 3
  username admin privilege 15 secret 5 $1$.dBF$jstGCUjGPaD6OQ/JVmZEY1
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  shutdown
  encryption key 1 size 128bit 7 0D1A262E215F252C7E5A2D6A6498 transmit-key
  encryption mode wep mandatory
  encryption vlan 1 key 1 size 128bit 7 DA303E012047F6068707FC131B4A transmit-key
  encryption vlan 1 mode wep mandatory
  encryption vlan 3 mode wep mandatory
  ssid stosWIFI
  ssid stoswaldsWIFI
  mbssid
  speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
  channel 2412
  station-role root
  world-mode dot11d country GB both
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 254
  bridge-group 254 subscriber-loop-control
  bridge-group 254 block-unknown-source
  no bridge-group 254 source-learning
  no bridge-group 254 unicast-flooding
  bridge-group 254 spanning-disabled
  interface Dot11Radio0.3
  encapsulation dot1Q 3
  no ip route-cache
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  bridge-group 3 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  interface FastEthernet0.1
  encapsulation dot1Q 1
  no ip route-cache
  bridge-group 254
  no bridge-group 254 source-learning
  bridge-group 254 spanning-disabled
  interface FastEthernet0.3
  encapsulation dot1Q 3
  no ip route-cache
  bridge-group 3
  no bridge-group 3 source-learning
  bridge-group 3
  interface FastEthernet0.2
  encapsulation dot1Q 2 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 192.168.2.33 255.255.255.0
  no ip route-cache
  ip default-gateway 192.168.2.1
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  logging trap notifications
  logging
  radius-server attribute 32 include-in-access-req format %h
  radius-server vsa send accounting
  control-plane
  bridge 1 route ip
  line con 0
  password
  line vty 0 4
  password
  line vty 5 15
  end

• Native VLAN and the "Black Hole"

  While reviewing the configuration of a network that I'm supporting, it seems that the original design of the network has the black hole VLAN as the native VLAN.  At the least this seems incorrect, and possibly very dangerous, but I'm not exactly sure why or how to articulate that.  Can someone confirm or deny this suspicion?
  In addition, I had two further questions regarding the practice of using a black hole VLAN:
  1.  If you have any unused ports, it seems more practical to just admin down these ports instead of creating an unused VLAN.  Is there some added advantage to ALSO putting these ports in an unused VLAN (e.g. 999)?  If the port was needed, you can simply admin up the port, during which time you could also change any needed VLAN configurations.  In other words, you'd have to log into the device and make changes whether you went with the admin down method, the Black Hole VLAN method, or both.  So what's the point?
  2. Assuming you do use the Black Hole VLAN as an added security method, I feel that including that VLAN in the "switchport trunk allowed vlan" command is counterproductive, but I'm not fully able to articulate why.  Can someone help me with this?
  Thanks for any information or suggestions that you may have.

  Assuming you mean a vlan for unused ports when you refer to a black hole vlan. If so the key things are  -
  a) that vlan does not have a L3 vlan interface (SVI) for it as there is no need to route it
  b) any unused ports are shutdown
  if you follow the above then I can't see the danger in using the native vlan but I wouldn't do it regardless of that. I would have a dedicated native vlan and a separate vlan for unused ports.
  To  my mind there should be no ports allocated to the native vlan (other than trunk ports obviously).
  The benefit of using a dedicated vlan for unused ports is -
  a)  it provides an additional level of security. People make mistakes and having to do multiple things to enable a port requires more attention than simply doing a "no shut" on the interface.
  The more attention someone is paying the more likely they will get it right or at least the less likely they will make a mistake.
  b) if you don't use an unused vlan you are leaving all the ports in the default vlan which is vlan 1 and this should be avoided as this vlan is overused already eg. switch control plane traffic is sent on this vlan for example and often the switch management interfaces are in this vlan.
  As far as allowing the unused vlan on trunk links it is totally unnecessary and in fact you really don't want to do that. The idea of the unused vlan is for non communication so it would make no sense to allow it on trunk links.
  In my last place of work we used vlan 998 as the unused vlan and vlan 999 as the native vlan.
  Neither had an SVI for it.
  If by black hole vlan you meant something else then please clarify.
  Jon

• About the Native Vlan and Management Vlan.

  I wanted to know that Management vlan and Native vlan can be different vlan id or  both should be same vlan id. Why should not be native vlan 1.

  The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
  It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
  Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
  Example: In the below figure if a IP phone and system are connected toa switch port as below, the the Phones will  send its frames tagged with vlan 10 where as the frames sent by system will be untagged. So here the the corresponding switch port should be configured as native vlan 20. So that it can recognise and handle the frames from system and IP phone properly.
  a
  Management vlan is different, it means that this vlan will be used for management purposes like Logging into the switch for management, Monitoring the switch,collecting Syslog ans SNMP traps, etc will be done by management vlan IP. This also by default vlan 1 in cisco. So as Antony said the it is always a Best practice and security measure to not use the default vlan and use custom vlans.
  Hope this helps !

• Voice Vlan and Native Vlan

  Dear all,
  I am now reading some information regarding the setup of Voip Phone. It mentioned that the Phone is actually a 3-ports switch:
  Port 1: Connect to upstream switch
  Port 2: Transfer Phone traffic
  Port 3: Connect to a PC
  Actually, what should i configure on the upstream switch port? Should it be a trunk port containing both the voice traffic vlan and pc data vlan?
  Or something else?
  Also, there is a term called 'Voice Vlan', is there any different between 'Voice vlan' and ordinary Vlan ?
  Is there any special usage of 'Native' Vlan in implementing Voip?
  Thanks.
  Br,
  aslnet

  Thanks.
  How about if the PC data should be tagged as another vlan (e.g., Vlan 10)? Then I should change the native vlan to vlan 10?
  But from my understanding, Native Vlan should be the same in the whole network, then I need to change the whole network native vlan? If there are different vlans should be assigned to different PCs that behind different VoIP-phone, then how to do it?
  From my guessing, is it i can assign individual native vlan (vlan10) on that port (connect to voip-phone), and then keep the switch's uplink port as original native vlan (vlan1).
  Therefore, PC data traffic would be untagged when entering from voip to the switch, and then tagged as vlan10 when leaving the switch to other uplink switch, right?
  Thanks.

• Inter-VLAN routing, Auto-Voice VLAN and IP Address-Helper

  Hope that somebody can help me with the setup in the screenshot. 
  Planning to use Auto-Voice VLAN and Smartports to configure VOIP
  LLDP-MED will be enabled on the switch to detect the IP phones so they will be moved to the Voice VLAN (If not the first 6 signs will be added to the OID table). The Voice VLAN ID will be 2 >> Voice VLAN will be automatically enabled once a device is recognized as a IP phone right? 
  Workstations will be connected to the Cisco switch, VLAN data will be untagged and will remain on the native VLAN.
  Smartports will be used to configure the ports (Macro's) >> Should configure the ports as trunks as assigns the correct VLANs right?
  But how do i configure the IP Helper-Address? Do i have to create the Voice VLAN on both switches and then run the command "IP Helper Address" to specify a DHCP server? From what i've been reading it's required, when using Inter-VLAN routing, to configure the VLAN interface with an IP address. But it's going to give problems when both switches are connected to eachother and both have the same VLAN configured including the same IP address assigned to their VLAN interface?
  Normal data should pass  the ASA firewall, VOIP traffic should go through the Vigor modem to a hosted VOIP provider. The best way, i assume, is to configure 2 separate scopes on the DHCP server?
  Still confused on how to set it up, hope that someone can point me in the right direction

  If you're sending voice to only the Vigor modem then there is no need for a trunk between the SF-300 and the Vigor modem. You can just set that to an untag packet for the VLAN 2 between that switch and the Vigor modem.
  On the 'edge' SF300 where the IP phone/PC is it is obviously going to interoute there and of course the phone port is tagged and PC port is untagged.
  For the IP helper, it uses UDP-RELAY and it should be enabled on the port itself and enabled on the global configuration. You may also need option 82. Also keep in mind, depending how your DHCP server works, it may need option 82 configured as well or at least a route to understand the subnets in the layer 3 environment to get traffic across the VLANS.

• Need basic Help - SG300 with vlan and routing

  Hi,
  i need some basic help with configuring vlan/routing.
  Situation:
  DSL Router - Cisco 300 - XenServer
  192.168.1.253 - 192.168.1.19 - 192.168.1.10 (mgmt ip)
  goal is, to reach from inside xenserver vms the internet.
  vms = 192.168.2.x
  gateway ip = 192.168.2.1
  what i did:
  - configured vlan 102, tagged, with the xenserver port
  - configured on xenserver a network with vlan id 102, attached to the vm
  - this network is conntected to an external bond
  - configured ipva4 interface: vlan102 - Static - IP 192.168.2.1 (this is the gateway ip of the vms)
  - automatic configured IPv4 Route: 192.168.2.0/24 next hop 0.0.0.0, Directly connected
  So at the moment i cant ping from inside a vm to the DSL Router (192.168.2.2 to 192.168.1.253)
  any ideas what i misconfigured or whats wrong?
  cheers,
  -Marco

  Hi Tom,
  ok, that make sense. I can ping the router now inside vms from 192.168.2.x network.
  But i cant ping external adresses, error: Destination net unreachable.
  My other problem i have, i cant reach any server from outside over router portforwarding.
  How do i have to configure the upload port to the dsl router? Is it a access port or a trunk
  port with all vlans (tagged or untagged?) At the moment ive a tagged Trunkport with all vlans.
  IPv4 Interface Table
  Interface
  IP Address Type
  IP Address
  Mask
  Status
  VLAN 1
  Static
  192.168.1.19
  255.255.255.0
  Valid
  Should the VLAN1 ip adress not the router ip adress ? Do i need an additional vlan for
  the router ? At the end i like to change the switch ip from dhcp to static (change automaticly
  when switching to layer 3 mode), but ive to look for the ios commands first.
  What else do i missing ?
  Thanks a lot,
  Marcus

• Adding VLAN to Po-Group and OSPF routing what is the correct way?

  Hi Community,
  I recently had an issue that brought down the links between a couple of switches...luckily this was done after hours and I did not save the config so was able to revert back.
  The basic scope of my project is:
  We are running out of IP's on the 192.168.1.0/24 sunbnet so wanted to create a seperate VLAN/Subnet  for physical workstations.
  He is what I orginally did;
  1) On our core switch; (Switch1) 
       Create the VLAN,
       VLAN interface,
       DHCP pool,
       excluded address'
  2) On second  switch (Switch 2)
       Add VLAN name, no interface
  3) I then updated the PO-group on Switch1 with new VLAN  (this brought down the link before I was able to finish my config)
      Therefore I was not able to complete the following:
            add vlan to spanning-tree or updated OSPF routing
  Here is what I assume to be the correct order?
  1) On Core Switch (Switch 1)
       Create VLAN
       VLAN interface
       DHCP pool
       excluded address'
       add vlan to spanning-tree
       add vlan (passive interface) and sunbet to OSPF routing
  2) On Switch 2
       Add vlan name/interfaces with no ip
  3) Update PO groups after the above has been configured
       Add new VLAN to Po-Group on Switch 2
       Add new VLAN to Po-Group on Switch 1
  4) Last steps
       Updated specific access ports with new VLAN and test
       upon completion of testing, update all other access ports connected ot workstations with new VLAN
  Questions:
  Did my links go down because I added new VLAN to Po-group BEFORE  updating spanning-tree and OSPF routing?
  Can anyone verify the order as outlined in the section "Here is what I assume to be the correct order"

  So the order in which to apply TASKS is correct?
  also just to clarify the following TASK  based on your comments.
  Step 4- Add new VLANs to OSPF as passive interface
  On Switch 1 (core)
  We have this line of code
  router ospf 100
  router-id 192.168.1.10
  log-adjacency-changes
  passive-interface Vlan10
  passive-interface Vlan30
  passive-interface Vlan50
  passive-interface Vlan500
  network 192.168.0.2 0.0.0.0 area 0
  network 192.168.1.10 0.0.0.0 area 0
  network 192.168.30.254 0.0.0.0 area 0
  network 192.168.33.254 0.0.0.0 area 0
  network 192.168.51.254 0.0.0.0 area 0
  network 192.168.99.5 0.0.0.0 area 0
  network 192.168.200.254 0.0.0.0 area 0
  TASK: OSPF - Add new VLANs(40 & 41) to OSPF as Passive Interface
  ******* Begin Here  *********
  config t
  router ospf 100
  passive-interface vlan40
  passive-interface vlan41
  !WE SHOULD ADD THIS LINE OF CODE
  network 192.168.40.254 0.0.0.0 area 0
  network 192.168.41.254 0.0.0.0 area 0
  ******* End Here  *********
  RESULT:
  router ospf 100
  router-id 192.168.1.10
  log-adjacency-changes
  passive-interface Vlan10
  passive-interface Vlan30
  passive-interface Vlan40
  passive-interface Vlan41
  passive-interface Vlan50
  passive-interface Vlan500
  network 192.168.0.2 0.0.0.0 area 0
  network 192.168.1.10 0.0.0.0 area 0
  network 192.168.30.254 0.0.0.0 area 0
  network 192.168.33.254 0.0.0.0 area 0
  network 192.168.40.254 0.0.0.0 area 0
  network 192.168.41.254 0.0.0.0 area 0
  network 192.168.51.254 0.0.0.0 area 0
  network 192.168.99.5 0.0.0.0 area 0
  network 192.168.200.254 0.0.0.0 area 0
  Better??
  Again thanks...your feedback have been a tremendous help!

• NEED HELP PLEASE Setting up 2 VLANS and a redundant WAN connection

  I have a remote branch office which is actually a huge bar/lounge. The bar wants to enable patrons to access the Internet with their wireless laptops. I want to prevent those patrons from accessing our private network, and also prevent them from traversing our static VPN tunnel back to HQ.
  The bar processes all credit cards via the T1 connection, and this has caused us to lose money every time the T1 goes down while we're open, since there is no WAN redundancy right now.
  Here is my current hardware configuration:
  1) one PIX 501 50-user 3des.
  2.) two Dell 3024
  3.) one Aironet 1100(g) AP.
  Current LAN Network: 10.35.35.0
  (internal employees only, static VPN tunneled to remote HQ network)
  Current Wireless SSID's:
  SSID1=PRIVATESSID
  SSID2=PUBLICSSID (not currently in use, waiting to figure this out)
  Current WAN: one T1 connection.
  WHAT I WOULD LIKE TO DO AND NEED HELP FIGURING OUT:
  #1a) I want to create two separate VLAN's that are able to share the WAN connection, but not be able to "see" each other.
  #1b) These VLAN's would be mapped to their respective SSID's on the AP (PRIVATESSID>10.35.35.0 and PUBLICSSID>192.168.1.0).
  #1c) The 192.168.1.0 network should not be able to traverse the static tunnel between the branch site and HQ.
  #2) I would like to install a backup WAN connection such as a modem 56k dial-up to an ISP or a cable modem to an ISP. In case the primary T1 goes down, I would like the router to automatically dial out over the modem conection and route all Internet bound traffic over that backup WAN connection, until the primary comes back online.
  Question 1:
  I'm assuming I need a router to do the intervlan routing. Could this router also do the on-demand WAN backup dialing to an ISP via analog modem?
  What IOS version and flavor (IP base, IP+, etc.) would I need? What is the cheapest router I can do all that with (i.e. 2620/2621/1720/3600 series)? What WIC's or NM's would I need?
  Question Two:
  I would like to prioritize PRIVATESSID's traffic over PUBLICSSID's traffic, which I know I can do on the access point. Can I do this on the router so that any 10.35.35.0 traffic takes priority over any 192.168.1.0 traffic?
  Question Three
  If the primary T1 WAN connection goes down, I don't want the router to re-route the 192.168.1.0 traffic over the backup 56k dial-up WAN connection. That traffic can wait until the T1 comes back up.
  Any help you can provide would be very much appreciated.

  Assuming your access points can place SSID into separate vlans and support 802.1q trunks then I can attempt to answer your questions. There are seperate secuity issues with both SSID for protection and VLANs for seperation but in your case in may be minimal.
  q1
  Any cisco router that will run 802.1q trunking will work. Since you are looking at older routers you will need IP+ to get it. Even 2610's will support 802.1q on their 10m ethernet at the correct code level but 10m and 802.1q is sorta nonstandard. Since your backup is only 56k you can use the internal modem port as a dial backup. A wic-2a/s will also work if you prefer not to use the modem port. You will need some wic to run your t1 line. If you are planning to leave the t1 on another router it makes the next 2 questions much harder.
  q2
  This is fairly simple and depends on your ios level. "priority queing" is supported on even the older software. I assume you do not control the far end of the t1 line since it sounds as if this goes to a ISP.
  You will need to have them do the QoS since most issues with the internet are inbound and not outbound. You can only control outbound traffic.
  q3
  If the T1 is on the same router then this is fairly simple. You can just put a floating static default route in that will cause the dialer to come up if the the t1 goes down. There is no easy way to protect against the line being up but no traffic passing. This is also why it would be best to have the t1 on the same router. If its not you will need to get very creative to solve this. You could build a GRE tunnel to a remote location and montior the tunnel or run a routing protcol over the tunnel. In the newest software you could use SAA and policy routing to force the traffic over the dialer but the router must support ios 12.4.
  3a. You mentioned a cable modem as a backup. That can be much easier sometimes since it is all routing and no dialer interfaces with nasty modem issues. This does not make the issue of the t1 not on the same router easier.

• Help for IPsec with inter Vlan Source!

  Hi everyone,
  I have 6509 switch and 2800 router. Connectivity between them with satellite and run GRE tunnel over this media.
  **6509
  ip vrf VSAT
  rd x : x
  interface vlan 1
  ip add 1.1.1.1 /28
  ip vrf forwarding VSAT
  interface tunnel 1
  ip add 10.1.1.1 /24
  tunnel source 1.1.1.1
  tunnel des 2.2.2.2
  **2800
  interface vlan 1
  ip add 2.2.2.2 /28
  interface tunnel 1
  ip add 10.1.1.2 /24
  tunnel source  2.2.2.2
  tunnel des 1.1.1.1
  When I run IPsec over this tunnel, the tunnel does not work. ( going to down and never up until remove ipsec over tunnel!)
  I use crypto map and bind this to the interface vlan in both side.
  And when run " show crypto isakmp sa " I see this :    " MM_NO_STAT "
  All expert, what you thing?
  What configuration do I need to work properly?
  Please help me. This urgent.
  Thanks.

  Unlike a Router, an ASA appliance will try and NAT traffic going from one internal subnet to another.
  You need to add a static NAT per subnet, as below:
  static (inside,PHONE) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  static (PHONE,inside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0