Layer 2 Loop-Free U Access - VLAN Extension possible

Cisco says in its 642-874 study guides that the L2 Loop-Free U design in the access layer has these characteristics:
The following are characteristics of loop-free U access:
■ VLANs are contained in switch pairs (no extension outside of switch pairs).
■ No STP blocking; all uplinks are active.
■ Layer 2 service modules black hole traffic on uplink failure.
Why would VLAN extension be not supported in this topology? See attached picture where it seems it could be working.
Thanks.

Hi Todd,
You may be right to some extent; it does work in the case where all the uplinks are up and the access switches are daisy chained.
However, it is not an optimal design in terms of Layer 2 extension and redundancy in case of a device or link failure.
If you have the inter-switch link configured in Layer 2 then this could be better, but you need to remove the inter-switch link between the access switches.
HTH

Similar Messages

  • Auth VLAN and Access vlan

    When the interface comes up, the CAM puts the user in the AUTH vlan as expected via the set command (vlan 210)
    03:09:09: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
    03:09:09: SNMP: Set request, reqid 2144479366, errstat 0, erridx 0
    vmVlan.1 = 210
    that works OK
    Fa0/21, Fa0/22, Fa0/23
    210 VLAN0210 active Fa0/1
    211 VLAN0211 active
    So SNMP RW works OK,
    After the user logs in to the network the user should be put back into vlan 220 (according to the port profile settings) but nothing happens, no set command sent, no SNMP traffic at all. The user remains in AUTH vlan and the agent loops.
    I have tried all the settings, role based, initial VLAN as well, to no avail.
    Any ideas? What to check for?
    Rafal

    Have you double checked your settings for mapping ports with the VG setup guide?
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_addSrvr.html#wp1089247
    Also make sure your OOB port profile is correct and that it switches from auth to access vlan after authentication
    http://www.exio.com/en/US/docs/security/nac/appliance/configuration_guide/411/cam/m_oob.html#wp1083087

  • Tcl script to change access vlan based on MAC address

    Hello all.  I'm looking for some input on how best to handle this situation. I have a large network with a lot of remote offices where we have limited control over users moving around patch cables. We're using vlan-based QoS in these offices to mark voice, video, data, etc. The problem I'm having is that our users are moving video conferencing equipment to different interfaces on our switches, which puts the VTC unit in a different vlan, fouling our QoS policy.  They then call and complain about poor video quality.
    I'm trying to come up with a way to automate putting the interface in the video vlan if a VTC unit is connected. All of our video conferencing units are from the same vendor, so they have the same OUI in the MAC address. The script I've been working on looks for a line protocol up event, then checks to see what access vlan is configured on the interface. If the interface is already in the video vlan, the script exits.  If the interface is not in the video vlan, the script looks at the MAC address table for the interface and if the OUI matches a VTC unit, the script changes the interface configuration. My question is, is there a better event to trigger script execution? Maybe a MAC notification trap, or something else? Line protocol transitions when the access vlan is changed, so the current script runs twice: once when the interface first comes up with a new connection, and again when the vlan is changed.
    Script is attached.  Any help or advice is appreciated!

    Does your video equipment use CDP?  If so, then you can use the neighbor-discovery event detector to only react when you see a media endpoint being connected to a port.  Yes, MAC address notifications (the mat ED) can also work if you know the MACs of your media endpoints.

  • Does Apple give you a toll free number to call about possible viruses?

    Does Apple send toll free numbers to call about possible virus or is it a scam

    There are no known viruses for Macs.  There is adware and malware.  For adware, those things that keep popping up in your browser, you can use AdwareMedic from thesafemac.com to quickly and easily remove all known adware.
    That site also has this Adware Removal Guide if you prefer to do it manually through the Finder.

  • NAC L2 OOB Auth and Access VLAN

    I'm new to Cisco NAC appliance.
    I wanted to deploy L2 OOB VGM for my wired users.
    I wanted to check whether I can have multiple Authentication to Access VLAN mappings.
    For example :
    Authentication VLAN - 111 Map to Trusted VLAN 311
    and
    Authentication VLAN - 112 Map to Trusted VLAN 312
    Therefore, on the port profile of the switch, I can allocate which ports should be using Authentication VLAN 111 and VLAN 112.
    Why I want to do this: I need the users to obtain IP addresses that are associated with the trusted segment, so that I do not have to bounce the switch port or utilise DHCP release/renew from the CCA or web client.

    Role-based access VLAN mapping for Windows single sign-on (SSO) users can be achieved with this procedure:
    Choose Management > Auth Servers and select Auth Type to Active Directory SSO.
    Select Default Role for the role that you want Windows SSO users to be in after they are logged in. For example, in this case it should be vencorp.
    Choose User Management > User Roles, select the role (vencorp) and click Edit.
    Define the Out of Band User Role VLAN to 5 (or any VLAN that you want the users of this role to be).
    Save the role.
    Choose Switch Management > Profiles > Port > List and click Edit for the control profile.
    Change the Access VLAN to User Role VLAN and click Update.
    Log in through the PC with SSO. You are now logged in to the domain and have role-based VLAN mapping.

  • I have the IPAD3 and have set up to receive both personal and work emails - I want to password protect both so children cannot access - is this possible ?

    I have the IPAD3 and have set up to receive both personal and work emails - I want to password protect both so children cannot access - is this possible ?

    You can password protect your iPad, but if you want your children to play games on your iPad, then once you unlock it, they have full access; there is not an option to password protect apps, such as the Mail app.

  • NAC OOB VGW Auth/Access VLAN

    Hi,
    Does anyone know if when you're setting up this topology and configuring VLAN mapping, if you need unique Auth VLANs for every Access VLAN?  Or can you use one Auth VLAN and map it to multiple Access VLANs.  I assume you need unique Auth VLANs.
    Thanks

    Aaron,
    You can have one auth going to different access vlans based on conditions. Look at User-Role VLANs closely to accomplish that.
    HTH,
    Faisal

  • VoIP query - Access VLAN shutdown

    We share meeting rooms with another company. We require the Access VLAN to be disabled when the room is not being used by a member from our firm; how do I go about doing this?
    We still need the Voice VLAN to be active.
    Any solutions would be great
    We are using 3560's

    Hi there,
    There are a few ways you could do this. The first and most painful way would be to take the MAC address of the PCs that will use the switch port and only allow them to connect using port-security. You could also use dot1x authentication on the port. Or you could change the access vlan to one that nothing is on when the room is not in use. That way, the phone will still work, but the data will be in a vlan that goes nowhere.
    Hope that helps,
    LH
    Please rate all posts

  • Switchport comparison, "trunk native vlan" versus "access vlan"

    I want to understand the logic when I install an IP phone with a PC attached. Is there any difference between the two configurations, for example, considerations for handling QoS?
    switchport access vlan 100
    switchport voice vlan 200
    versus
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100
    switchport voice vlan 200
    switchport mode trunk
    Thanks in advance,

    The difference is that these apply to two different sets of switches.
    The first set of configuration applies to the newer series switches, Cisco 3550, 3560, 3750 series.
    The second set applies to the older series, Cisco 2900, Cisco 3500XL etc. In these switches, you need to configure the port as a trunk before the port can take both voice and data vlan.
    In the newer series, the port can take both voice and data vlan and still not run in trunk mode.
    Regards,
    Anup

  • Access vlan vs $native Vlan

    SG300-28.  If I config int gi20 to be switchport mode access and then set the access vlan to 100, but I then set the smartport role to desktop, it sets the $native vlan to 1, so are incoming untagged headers tagged as 100 or 1?  I figure I need to either edit the smartport params or just leave it as auto smartport.
    interface gigabitethernet20
    storm-control broadcast enable
    storm-control broadcast level 10
    storm-control include-multicast
    port security max 10
    port security mode max-addresses
    port security discard trap 60
    spanning-tree portfast
    switchport mode access
    switchport access vlan 100
    macro description desktop
    switchport forbidden default-vlan
    macro auto smartport type desktop $max_hosts 10 $native_vlan 1

    Dear Partner,
    Thank you for reaching the Small Business Support Community.
    I would think incoming headers will be tagged as 1, but as for the "switchport forbidden default-vlan" command I am not that sure about it.  It's been several days with no comment on this post, so I therefore suggest you open a service request to figure this out;
    https://supportforums.cisco.com/community/netpro/small-business/sbcountrysupport
    Notice you may also use the 'Partner Helpline" for this matter;
    http://www.cisco.com/web/partners/tools/ph.html
    http://www.cisco.com/web/partners/tools/helponline/index.html#~1
    Please do not hesitate to reach me back if there is any further assistance I may help you with in the meantime.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the Post so other will know when an answer has been found.

  • Switchport trunk native vlan & switchport access vlan dual configuration

    I've discovered this dual configuration on a 3500xl switch while troubleshooting an incrementing runts issue. Could the config of this port be related to the issue at hand?
    port configuration:
    interface FastEthernet0/3
    duplex full
    speed 100
    switchport access vlan 203
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 203
    switchport trunk allowed vlan 1,203,204,220,1002-1005
    switchport mode trunk
    spanning-tree portfast

    Hi,
    The 'switchport access vlan' command will have no effect on the configuration you have on this port. The port will operate as a trunk and will disregard any config that pertains to an access port.
    Hope that helps ...
    Paresh

  • Switchport access vlan Vs encapsulation dot1Q ?

    Hi All,
    Could someone explain the difference between encapsulation dot1Q & switchport access vlan?

    The command "switchport access vlan" is a command to specify the one-and-only-one VLAN you want the switch port to carry.  By default, an access port will always carry VLAN 1.  This is the reason why you will never see the command "switchport access vlan 1".  You cannot have an access port carry more than one VLAN (except when you allow a voice VLAN).
    If you want to have two or more VLANs on a single switchport, then you need to enable trunking.  Therefore the command "encapsulation dot1q" is one of the commands to enable trunking.  This command specifies which of the two trunking protocols to use: IEEE's 802.1q or Cisco's ISL.
    Take note that without the command "switchport mode trunk" the interface is still an access port.   Not all Catalyst switches will accept the command "switchport trunk encapsulation dot1q".  This is because the switch will ONLY accept 802.1q encapsulation so there's no need for this command.  All Catalyst 2K (except 2924XL) and some legacy 4000/4500 line cards support only 802.1q encapsulation.  All others will support either 802.1q or ISL.  You will never find a Catalyst switch that can support BOTH 802.1q and ISL.
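The rules stated in this answer and in the two threads above (the IP-phone access+voice port, and the 3500XL trunk port that still carries a stray "switchport access vlan" line) can be turned into a small config audit. This is an added example, not code from any of the posters: it parses interface stanzas constructed from the configs quoted on this page, decides which VLAN untagged frames land in, and flags the dead access-vlan line on trunk ports. It assumes a stanza with no "switchport mode" line behaves as an access port.

```python
import re

# Sample stanzas constructed from the configs posted in the threads above.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 100
 switchport voice vlan 200
interface FastEthernet0/3
 switchport access vlan 203
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 203
 switchport trunk allowed vlan 1,203,204,220,1002-1005
 switchport mode trunk
interface GigabitEthernet1/0/9
 switchport access vlan 25
 switchport mode access
"""

def summarize_port(name, lines):
    """Apply the rules from the answers: the port mode decides which lines count."""
    # Assumption for this audit: a stanza with no 'switchport mode' line is an access port.
    mode, access_vlan, native_vlan, voice_vlan = "access", 1, 1, None
    for line in lines:
        if m := re.fullmatch(r"switchport mode (access|trunk)", line):
            mode = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            access_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            native_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport voice vlan (\d+)", line):
            voice_vlan = int(m.group(1))
    warnings = []
    if mode == "trunk":
        # Untagged frames on a trunk land in the native VLAN; the access vlan line is dead config.
        untagged = native_vlan
        if any(l.startswith("switchport access vlan") for l in lines):
            warnings.append("switchport access vlan has no effect on a trunk port")
    else:
        # An access port carries exactly one data VLAN, plus an optional voice VLAN.
        untagged = access_vlan
    return {"name": name, "mode": mode, "untagged_vlan": untagged,
            "voice_vlan": voice_vlan, "warnings": warnings}

def audit_config(config):
    """Split a running-config fragment into interface stanzas and audit each one."""
    ports, name, lines = [], None, []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if name:
                ports.append(summarize_port(name, lines))
            name, lines = line.split(None, 1)[1], []
        elif name and line:
            lines.append(line)
    if name:
        ports.append(summarize_port(name, lines))
    return ports
```

Running `audit_config` over a full `show running-config` export is a quick way to spot ports whose operational VLAN differs from what the leftover access-vlan line suggests.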

  • Access VLAN on 3650 Stack

    I've added a stack of two 3650's to my existing network as follows:
    Watchguard XTM 510 managing 3 VLANs (1,25,50) with trunked connection to the 3650 stack (switchport mode trunk) on Gi1/0/1-2 and also have DHCP services enabled for each VLAN segment
    ESXi server(s) with trunked connection(s) to the 3650 stack (switchport mode trunk, switchport nonegotiate, channel-group # on) on Gi1/0/3-8
    Each ESXi server has three vSwitch with appropriate VLAN ID tagging and VMs work as expected (IP address assigned, traffic reaching the firewall, etc.)
    However, if I assign Gi1/0/9 to VLAN 25 or VLAN 50 (switchport mode access, switchport access vlan 25/50), an end device (laptop, etc.) is unable to obtain an IP address for the appropriate VLAN segment, nor does traffic seem to pass even if an IP address is manually configured for either VLAN segment.
    Any idea what I'm missing in my configuration?
    TIA

    Excerpts from my config:
    interface Port-channel1
     description Watchguard
     switchport mode trunk
    interface Port-channel3
     description ESXi-01
     switchport mode trunk
    interface GigabitEthernet1/0/1
     description Watchguard
     switchport mode trunk
     channel-group 1 mode active
    interface GigabitEthernet1/0/2
     description Watchguard
     switchport mode trunk
     channel-group 1 mode active
    interface GigabitEthernet1/0/3
     description ESXi-01
     switchport mode trunk
     channel-group 3 mode on
    interface GigabitEthernet1/0/4
     description ESXi-01
     switchport mode trunk
     channel-group 3 mode on
    interface GigabitEthernet1/0/9
     description Laptop
     switchport access vlan 25
     switchport mode access
    c3650#show vlan id 25 
    VLAN Name                             Status    Ports
    25   VDI-25                           active    Gi1/0/9, Po1, Po2, Po3, Po4, Po5, Po6, Po7
    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    25   enet  100025     1500  -      -      -        -    -        0      0   
    Remote SPAN VLAN
    Enabled
    Primary Secondary Type              Ports
    c3650#show int gi1/0/9 switchport
    Name: Gi1/0/9
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 25 (VDI-25)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none 
    Administrative private-vlan mapping: none 
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk associations: none
    Administrative private-vlan trunk mappings: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none

  • Re AD002357145UK I have just subscribed to Adobe Send. I am sure that v revently I used Adobe Send Now for free. Is that still possible (which means I could cancel AdobeSendNow subscription) or do I have to subscribe to Adobe Send to carry out file transf

    Re AD002357145UK I have just subscribed to Adobe Send. I am sure that very recently I used Adobe Send Now for free. Is that still possible (which means I could cancel AdobeSendNow subscription) or do I have to subscribe to Adobe Send to carry out file transfer. Incidentally I have Adobe Creative Suite. Thanks. Nadim Othman

    [topic moved to Adobe Send forum]

  • NAC manager doesn't change auth vlan to access vlan

    Hi,
    I am trying to install L2 out-of-band NAC in my LAN but I have a problem for which I don't seem to find any solution.
    The problem is that NAC manager simply doesn't change the switchport from authentication to access vlan although the user is authenticated and all CAA requirements have been met.
    I connect my laptop to the switch and NAM changes the vlan to auth. vlan and the laptop gets an IP address from the access vlan (vlan mapping configured on NAM). Then the CCA login pops up and I enter username and password. After that CAA says: "Successfully logged in to network" but the laptop stays in auth. vlan and I can see my user in the "out of band" users list (on NAM), but the laptop (its MAC address) is not in the certified devices list. And Manager keeps it in auth. vlan. So when I click OK in CAA, the login window pops up again because I'm still in the authentication vlan.
    What could be the problem? I really tried everything and I don't know why manager doesn't put the laptop in the certified devices list (I repeat, the user is in the out of band users list) and CCA says successfully logged in to network, and all requirements are met too.

    Faisal,
    thank you very much, yes that was the problem. I didn't have a managed subnet entry. Now it works fine, but I have another problem. When I added the managed subnet I cannot connect to the NAC server from my PC which has an IP address from that subnet range. I cannot ping nor connect via https; it is totally inaccessible.
    What can I do to have that managed subnet entry, and still be able to connect to the server from that subnet (VLAN)?
    I tried adding the managed subnet entry with auth. vlan (400) and then with access vlan (110) and no-vlan (-1) but the situation is the same: clean access works fine, but I cannot reach the server from my PC.
