Hyper-V VLAN changes

Similar Messages

• IP address in ISE live authentication after vlan change

  Hi all,
  on ISE live authentication dashboard we can see IP address of the client (known from FRAMED-IP-ADDRESS).
  But what about vlan change and the situation when client gets new IP address after relocation to different vlan.
  Live logs shows only the first IP address - client mapping (from the guest vlan), after authorization new vlan and dACL is assigned but logs don't include new IP address.
  session ID is the same all the time.
  so maybe ip helper or other trick?
  regards

  thx for reply.
  I added "aaa accounting update newinfo" and I'll see tommorow how it works with anyconnect and 802.1x.
  Meanwhile I think I must clarify what I meant
  Not all logs have IP address present in live authentication (this is MAB for test only)
  the situation with 802.1x and anyconnect is a bit better cause there are IP addresses but only from the first dhcp address assignment (authentication open with default ACL). Then if the policy changes vlan and the client gets new IP address from different scope we have wrong information in this log.
  but getting back to our MAB...
  details of this entry looks like:
  so this is probably the reason that no IP address is visible it was too soon for MAB to get this info and send it as framed IP address (according to this config command "radius-server attribute 8 include-in-access-req")
  nevertheless clicking the accounting details (from the 2nd screenshot)
  we see that this information is present
  so my first question is on which stage this column is fulfilled? only when "FRAMED-IP-ADDRESS" is send in radius-request? or from accounting?
  maybe ISE should dynamically modify this record after each accounting newinfo message?
  regards

• VLAN Change by IP

  Hello,
  I was hoping someone could please help me with an automated script. The logic seems not so difficult although, I do not have much TCL experience...
  I need a way to load a list of IPs (probably 50 at a time), find their associated MAC address, then find the port its on (excluding trunks), and then change its vlan.
  Does anyone have any experience with this?
  Thank you in advance for any help!

  If you place the attached file on the flash drive of your switch and run this command it should produce the vlan change only on access ports for the list of provided ip addresses.
  tclsh flash:resolve_changevlan.tcl <list of ip addresses>
  Ex:
  Switch_1#tclsh flash:resolve_changevlan.tcl 192.168.0.125 192.168.0.1
  192.168.0.252 192.168.0.251 192.168.0.141 192.168.0.142
  *** 192.168.0.125 Fa0/12 is not currently an access port ***
  *** 192.168.0.1 Fa0/12 is not currently an access port ***
  ***192.168.0.252 verify vlan change****
  Building configuration...
  Current configuration : 62 bytes
  interface FastEthernet0/14
   switchport access vlan 174
  end
  *** 192.168.0.251 not in MAC table***
  ***192.168.0.141 verify vlan change****
  Building configuration...
  Current configuration : 78 bytes
  interface FastEthernet0/2
   description SUN
   switchport access vlan 174
  end
  *** 192.168.0.142 Fa0/19 is not currently an access port ***

• ISE policy, DACLs and VLAN changes together

  So I have been having a hard time finding consistency in a policy that both changes the VLAN and applies a DACL. Originally, I found out that remarks were causing it to mess up. But I can't find any consistency. I can use the vanilla 'oermit all' DACL in ISE, along with a VLAN change, and it just doesn't work. My AuthZ is very simple...If you are wired_MAB and your endpoint is in a particular group, then apply a policy that changes the VLAN and applies a DACL. This seems like it's at the root of what ISE is supposed to do, but it seems so buggy. Weird thing is, that if I do the VLAN change by itself, it works. But when I add the DACL neither work. Anyone have any ideas as to why this is?

  So it worked this time. The machine has been sitting in sleep mode for a while now. This is so inconsistent. Could it have something to do with me using the same machine to test a few different policies? I'm just switching the machine's MAC between different groups in order to test different policies. Thats really when it stops working.
  - Do you have a pre-auth acl configured already on the port ? Yes, one that says permit any any
  - Is the port running open mode ? Yes
  - What does the "show auth sess int x/x" tell you once the ise has sent the authorization result to the switch ?
  SJ5051IDF1#show authentication sess int g1/5 d
              Interface:  GigabitEthernet1/5
            MAC Address:  d4be.d905.3973
           IPv6 Address:  Unknown
           IPv4 Address:  10.42.163.59
              User-Name:  D4-BE-D9-05-39-73
                 Status:  Authorized
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
        Session timeout:  N/A
      Common Session ID:  0A0600210000007B24636E88
        Acct Session ID:  0x00000086
                 Handle:  0x4A000055
         Current Policy:  POLICY_Gi1/5
  Local Policies:
  Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
        Security Policy:  Should Secure
        Security Status:  Link Unsecure
  Server Policies:
             Vlan Group:  Vlan: 1620
                ACS ACL:  xACSACLx-IP-BLDG-AUTOMATION-DACL-52fa7487
  Method status list:
         Method           State
         mab              Authc Success
  interface GigabitEthernet1/5
  switchport access vlan 32
  switchport mode access
  switchport voice vlan 64
  ip access-group ACL-ALLOW in
  logging event link-status
  authentication event fail action next-method
  authentication event server dead action authorize vlan 2700
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication open
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  service-policy input QoS-Input-Policy
  service-policy output QoS-Host-Port-Output-Policy
  end

• EAP-Chaning vlan change with roaming profiles

  Hi
  While doing eap-chaining i change vlan, when user is posture compliant, works great...
  But i also use roaming-profiles.
  So when i log off, the vlan changes back to default immediately, and syncronization off roaming-profile fails, because of the vlan change.
  I tryied th set the" vlan detect interva"l in the Nag-agent to 10sec, but it didn´t change anything.
  Is it possible to have the switch or Anyconnect NAM client to delay the vlan change ??
  Regards Henrik

  I just redid the install and used the "migrate to 5.2" and everything came over again and looks alittle better. But when I try to use LDAP for roaming (Netscape 4.7ish) it says that it can't connect to the 'Roaming Server".
  -Mark

• Windows 8.1 Pro, failed to install Hyper-V, reverting changes

  Hi,
  I'm trying to install Hyper-V, but I'm unable to do it. After rebooting my PC after adding the feature, update goes to 95% and shows the message that changes are being reverted.
  Can someone help me?
  I attach my CBS.log:
  http://www.speedyshare.com/7YWvk/CBS.log

  Please verify that your machine supports SLAT, virtualization (VT/V), and Data Execution Prevention.
  Virtualization and DEP can usually be enabled in the BIOS and then the machine needs to be cold booted (pull the battery if it is a laptop).
  SLAT is a dependency of your processor.
  http://blogs.technet.com/b/brad_rutkowski/archive/2008/01/26/does-my-cpu-support-hardware-virtualization-hyper-v.aspx
  Brian Ehlert
  http://ITProctology.blogspot.com
  Learn. Apply. Repeat.

• ISE Wired Guest + user without supplicant and dynamic vlan change

  Hi All,
  I have two issues:
  Is it still an issue when a wired user who is directed to the ISE CWA, is able to stay authenticated as a guest for as long as they stay connected?
  This is happening on our test pilot - a guest with 2 hour access on a wired connection can maintain the guest access for as long as they desire.
  I hear that this isnt an issue for wireless, but yet to try this out. Is there a workaround for this?
  Secondly my testing confirms that only users with a supplicant eg anyconnect NAM can be dynamically changed into a vlan (only tested on wired).
  What I'd hope to do, is create a policy that when wired guest connect in, to dynamically change their vlan to the guest vlan (same one guest WLAN users will use).
  Is this possible if the guest doesnt have a supplicant?

  One of my tasks was to rebuild the multiportal config, and looks like there was an option there to do a VLAN dhcp release and renew. I wont know if this will work until next week but it sounds promising. It was tucked down on the screen so I had to scroll down to find it...
  Still dont have an answer about the guest able being able stay authenticated, or does this feature solve this issue as well? Only time will tell..

• Using ISE to dynamically VLAN change

  Hello all,
  I need some help to dynamically change VLAN on each port of my Catalyst 3560, to do this, I don't want to use the MAC address filtering but I want to use conditions already in place in my ISE to switch port between two VLAN (Guest and Corporate) where one give access to the corporate LAN and the other to Internet without LAN access.
  Maybe someone of you had could have some ideas to do this with the use, or maybe without VLAN?
  PS : Sorry for my bad English, i'm not a native English speaker ;)
  Thank you in advance.

   I do not get exactly what are you looking for.. But still
  The  two kind of access you are anticipating can be achived by either way
  Chage of VLAN : as explained by you... you need to create two differnent authorization policies as per  users belongs  to (AD )group <e.g. employee or guest..> ..
  dACL : You can push downloadable Acl to switch as per user membership to AD.
  Let me know if you need help from design or configuration  point of view...

• 1410 native vlan Change

  I need to use vlans in a 1410 bridge environment an i need to change the default native vlan too. The question is: what happens to the BVI1 interface, since this one is associated with the native vlan?; is it automatically associated with the new native vlan?, will i need to create a new interface?, what about the connectivity? (this radio does not have a console port). I wolud like to make all changes via CLI.

  You can configure multiple VLANs on the Wireless bridge using the GUI, you do not need CLI or console access to configure VLANs. Here is a good document which explains how to configure VLANs on Bridges.
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#vlanbr

• Hyper V Vlan

  Hyper V 2012 R2 Vlan
  Hi
  I have a host with VM's on them
  I have one physical adapter
  I have created internal switch
  Vm's are DHCP,AD DNS ETC
  Can I have one vm on a different vlan and then use rras to route between them all
  This doesn't seem to work
  I don't have a managed switch around
  Please help

  Hi shirazgaff,
  Please configure second address range on your DHCP server .
  RRAS works between two different subnets.
  In RRAS configure relay agent on the interface that connected to second subnet , please refer to following link:
  http://technet.microsoft.com/en-us//library/dd469685.aspx
  Also :
  http://www.sqa.org.uk/e-learning/NetInf101CD/page_76.htm
  (I would suggest to re-build the RRAS then configure relay agent again )Best Regards
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Hyper-V Vlan tagging. Question

  Hi everyone,
  The question is simple. My NIC is a Realtek PCI GBe familly controller, Priority and VLAN are enabled. I havent any physical switch and when i create an external virtual switch on hyper-v if I add a VM on VLAN 2 why it doesnt have Internet access or can
  pingn the router ?
  The virtual external switch has no default vlan on it, so it supoosed to be on TRUNK mode. I also have a static route on my router 192.168.2.0/24 -> 192.168.1.254.
  If I add a VM with no VLAN tag and manually assign the IP adress it can communicate with the router but if I add a VLAN tag it doesnt.
  What you think ?
  Thanks

  Hi Sir,
  >>If I add a VM with no VLAN tag and manually assign the IP adress it can communicate with the router but if I add a VLAN tag it doesnt.
  The simple answer is that gateway interface are not in same Vlan as the VM's .
  As you know , different vlan can not access each other without route for Vlan .
   >>The virtual external switch has no default vlan on it, so it supoosed to be on TRUNK mode.
  I assume that you mean the vlan setting when you created external virtual switch :
  (Actually , this Vlan setting applies to the virtual NIC for hyper-v host , if you uncheck "Allow management operating system to ..." the vlan setting will unavailable )
  Based on my understanding of your case (One NIC connecting to router ), you may need to config "single arm route " on that router (it is a network question not hyper-v ).
  Best Regards,
  Elton Ji
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] .

• Can i undo Hyper-V revert changes

  There is not a way to revert the snapshot that I am aware of. Snapshotting is not a backup method, nor should it be used as one. You really need another backup tool to handle this (there are a few free ones), and then using snapshots for testing configuration changes and updates.

  over the weekend I did revert changes on a windows 2003 SMB server which is running as a virtual machine. After reverting changes the computer only sees information up till April 2015, which is when we took a snapshot. I want to know all the records and data after stored is it still saved some where or we've lost it. Is there anyway to undo the revert changes option
  This topic first appeared in the Spiceworks Community

• Hyper-V VM not talking to Physical Switch on Tagged VLANs

  Hello!
  I'm having a problem where a VM is not communicating with its trunked VLANs.
  My configuration:
  Windows Server 2012 R2 configured with Hyper-V
  VM 1 has 4 Virtual NICS. One of the NIC2 is connected to vSwitch 1. vSwitch 1 is using an external network - a Windows NIC Team consisting of 4 Ethernet ports.
  All 4 ports are connected to a physical Cisco switch in a link aggregation group with LACP. The LAG is configured on the switch as follows:
  Trunk
  VLAN 1 Tagged
  VLAN 2 Untagged & PVID
  VLAN 3 Tagged
  VLAN 4 Tagged
  VLAN 5 Tagged
  VLAN 6 Tagged
  VLAN 7 Tagged
  No VLANs are configured in Hyper-V itself.
  VM1 runs an OS other than Windows, and several  interfaces are configured using NIC2. One interface per VLAN.
  Interface 1 VLAN 1 10.10.1.254/24
  Interface 3 VLAN 3 10.10.3.254/24
  Interface 4 VLAN 4 10.10.4.254/24
  Interface 5 VLAN 5 10.10.5.254/24
  Interface 6 VLAN 6 10.10.6.254/24
  Interface 7 VLAN 7 10.10.7.254/24
  Each interface should be able to talk to the switch though its VLAN and allow traffic to pass though. But it does not.
  Can anyone please suggest a way to get this working?
  Thank you in advance

  Hi ,
  I am afraid  the command "Get-VMNetworkAdapter " could not help you out .
  " Hyper-V leverages 802.1q VLAN trunking to achieve this objective. To utilize this functionality, a virtual network switch must be created on the host and bound to a physical network adapter that supports 802.1q VLAN tagging. "
  http://blogs.msdn.com/b/adamfazio/archive/2008/11/14/understanding-hyper-v-vlans.aspx
  Regarding to the Vlan and  NIC teaming , please refer to following links ：
  http://blogs.technet.com/b/keithmayer/archive/2012/10/16/nic-teaming-in-windows-server-2012-do-i-need-to-configure-my-switch.aspx
  http://blogs.technet.com/b/keithmayer/archive/2012/11/20/vlan-tricks-with-nic-teaming-in-windows-server-2012.aspx
  Hope this helps
  Best Regards
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• VLAN Tags and Hyper-V Switches

  Does the Hyper-V 2012 Virtual Switch support forwarding VLAN-tagged packets to a guest OS with the VLAN tags intact?  In other words, can I have a single virtual NIC handle multiple VLANs by doing the VLAN filtering inside the guest OS?
  I would like to run a guest OS that sits on multiple VLANs, and while I could create and delete virtual NICs which are assigned to a single VLAN, it would be much more flexible in my environment to have Hyper-V simply forward frames with the VLAN (802.1q)
  tags intact so that the guest OS can see the tags and deal with them appropriately.  (looking at running a virtual router that sits across multiple VLANs).
  I can't see any obvious way to do this.  I thought that leaving the VLAN tag for the guest off would cause packets to be forwarded unfiltered, but that appears to not be the case.  Does anyone know how to enable forwarding tagged frames through
  a virtual switch/NIC to a guest OS?
  Thanks!

  Hi,
  >  Does it depend on any particular settings on the physical NIC?
  No special settings on the physical NIC, but not every NIC support VLAN tagging. You should generally not set the VLAN ID at the physical NIC, it should be set on either the Virtual Switch or the individual Virtual Machine’s configuration. The VLAN ID on
  the Virtual Switch is what the Host or Parent Partition uses. The VLAN ID setting on the individual Virtual Machine’s settings is what each VM will use.
  For more information please refer to following MS articles:
  Understanding Hyper-V VLANs
  http://blogs.msdn.com/b/adamfazio/archive/2008/11/14/understanding-hyper-v-vlans.aspx
  VLAN Tricks with NICs - Teaming & Hyper-V in Windows Server 2012
  http://blogs.technet.com/b/keithmayer/archive/2012/11/20/vlan-tricks-with-nic-teaming-in-windows-server-2012.aspx#.UWznBmawrX0
  Set-VMNetworkAdapterVlan
  http://technet.microsoft.com/en-us/library/hh848475(v=wps.620).aspx
  Hope this helps!
  TechNet Subscriber Support
  If you are
  TechNet Subscription user and have any feedback on our support quality, please send your feedback
  here.
  Lawrence
  TechNet Community Support

• Vbscript - detect config changes

  not sure if this is the right community to post this kind of question but i am after some example of vbscripts to detect routing change for example like to know when someone add a new route entry, advertised in to our campus networks, would like to know the no of routing entries being added, now of routes in the routing table /etc including vlan changes, RPF failures within the environment and number of entries in our multicast table including new additions.
  any example you can provide will be useful. thanks in advance.

  Config Changes are Changes to Customizing Objects (e.g. through IMG). Config changes are usually settings that a functional user would do in comparison to technical changes that involve ABAP which would require a developer.
  In general you could say that config changes are usually done by functional consultants whereas anything that involves ABAP coding is not config related.
  E.g. You set up order types in IMG and transport those settings. If you would now make changes to your DEV config but didn't transport this you will have config differences between DEV and Q.
  Hope that helps,
  Michael