Layer3 Switching and BVI questions 2948l3 to 3750

We currently have a 2948L3 core switch which does the routing of our two class C IP schemes. I did this using a BVI. We have purchased a 3750L3 gigabit to replace a core switch at another location; however, it appears some of the bridging that was possible on the 2948L3 is no longer supported on the 3750, or the methods for implementing it have changed.
On the 2948 I configured it like so and everything works great.
ip subnet-zero
bridge irb
interface BVI1
description Kludge for 192.1.11.0/24 and 192.1.12.0/24 to exist within the same broadcast domain
ip address 192.1.12.1 255.255.255.0 secondary
ip address 192.1.11.248 255.255.255.0
no ip directed-broadcast
bridge 1 protocol ieee
bridge 1 route ip
I then add any port into bridge-group 1 and it can route between the two subnets.
The 3750L3 does not support bridge protocol ieee, only vlan-bridge. Here is the config of the 3750:
version 12.2
switch 1 provision ws-c3750g-24ts
ip subnet-zero
no file verify auto
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
vlan internal allocation policy ascending
bridge irb
interface GigabitEthernet1/0/1
no mdix auto
interface Vlan1
no ip address
bridge-group 1
interface BVI1
description BVI to allow 192.1.30.0/24 and 10.0.32.0/20 to exist
ip address 10.0.32.2 255.255.240.0 secondary
ip address 192.1.30.1 255.255.255.0
ip classless
ip route 10.0.32.0 255.255.240.0 BVI1
ip route 192.1.30.0 255.255.255.0 BVI1
ip http server
ip http secure-server
control-plane
bridge 1 protocol vlan-bridge
bridge 1 route ip
When I try to add any port to bridge-group 1 other than Vlan1 it tells me:
% command accepted but obsolete, unreleased or unsupported.
So my question is, how would I allow two different subnets to work in the same broadcast domain on a 3750 like I did on the 2948? I've looked all over the Cisco site but have not found any info on what config precedes the bridge ieee command that I used on the 2948.
TIA

Clearly most of the bridging commands are not supported on the 3750.
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a008017ed8a.html#1018742
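On a Catalyst 3750 the same result (two subnets in one broadcast domain, routed by the switch itself) is normally reached with primary and secondary addresses on the VLAN's SVI rather than with a BVI and bridge-groups; the configuration below is an added example, not a config from this thread, and assumes the switch runs an image that supports "ip routing" and that the hosts sit in VLAN 1. Because both subnets share one Layer 2 domain, hosts can reach each other directly at Layer 2, so an ACL on the SVI only filters traffic that actually crosses the switch's routing function.

```cisco
! Added example (not from the thread): 3750 equivalent of the 2948L3 BVI setup.
! Assumes an IOS image that supports "ip routing" and that hosts are in VLAN 1.
ip routing
!
interface Vlan1
 description 192.1.30.0/24 and 10.0.32.0/20 share one broadcast domain
 ip address 10.0.32.2 255.255.240.0 secondary
 ip address 192.1.30.1 255.255.255.0
 no shutdown
!
! Access ports simply belong to the VLAN; no bridge-group is required.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 1
!
! Nothing from the bridging section is needed: no "bridge irb", no
! "bridge 1 protocol ...", no "interface BVI1" and no static routes
! pointing at BVI1. Both prefixes show up as connected routes as soon as
! Vlan1 is up, e.g. in "show ip route":
!   C    192.1.30.0/24 is directly connected, Vlan1
!   C    10.0.32.0/20 is directly connected, Vlan1
```

Hosts in 192.1.30.0/24 use 192.1.30.1 as their gateway and hosts in 10.0.32.0/20 use 10.0.32.2; the switch routes between the two subnets in hardware while both stay in the same VLAN.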

Similar Messages

  • Layer3 switch and router

    I have a network that I need to connect to the internet. All internal vlans point to a couple of layer 3 switches. On the layer 3 switch I connected a router for internet access.
    On the inside interface of the router I gave it an ip address of 10.1.0.1 - this is the ip address I want all my lan traffic to route to for internet access.
    1. Do I have to give the layer 3 switch interface port a static ip address or just connect it with a cable (the other side is the internal interface of the router 10.1.0.1)?
2. On the layer 3 switch, what command do I use to forward all LAN traffic to this router? Is it "ip route 0.0.0.0 0.0.0.0 10.1.0.1"?
    3. Do I use that above command on both of my layer 3 switches or just the one connected directly to the router?
    Thanks.

    I can't even ping the router, not sure what else to do. To make it even simpler I removed the layer 3 switch connected to the router above and now have only one layer 3 switch (10.1.0.6) and still can't ping the router. All internal hosts can communicate with each other, just need to get all the vlans routed to the internet.
    Below I pasted the show run from the layer 3 switch connected to the router and the show ip route and show ip int brief from the router.
    Layer 3 switch:
    hostname Switch
    ip routing
    spanning-tree mode pvst
    interface FastEthernet0/1
    switchport mode access
    interface FastEthernet0/24
    switchport mode access
    interface GigabitEthernet0/1
    switchport access vlan 100
    interface GigabitEthernet0/2
    switchport access vlan 100
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Vlan1
    no ip address
    shutdown
    interface Vlan10
    description SERVERS_VLAN
    ip address 10.1.10.1 255.255.255.0
    interface Vlan20
    description SALES_VLAN
    ip address 10.1.20.1 255.255.255.0
    interface Vlan30
    description ACCOUNTING_VLAN
    ip address 10.1.30.1 255.255.255.0
    interface Vlan40
    description IT_VLAN
    ip address 10.1.40.1 255.255.255.0
    interface Vlan50
    description VOICE_VLAN
    ip address 10.1.50.1 255.255.255.0
    interface Vlan100
    ip address 10.1.0.6 255.255.255.0
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.1.0.1
    line con 0
    line aux 0
    line vty 0 4
    login
    end
    ROUTER:
    interface GigabitEthernet0/0
    ip address 10.1.0.1 255.255.255.0
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    shutdown
    interface FastEthernet0/0/0
    switchport mode access
    shutdown
    interface FastEthernet0/0/1
    switchport mode access
    shutdown
    interface FastEthernet0/0/2
    switchport mode access
    shutdown
    interface FastEthernet0/0/3
    switchport mode access
    shutdown
    interface Serial0/1/0
    no ip address
    shutdown
    interface Serial0/1/1
    no ip address
    show IP route
    Router#show ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is not set
         10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C       10.1.0.0/24 is directly connected, GigabitEthernet0/0
    L       10.1.0.1/32 is directly connected, GigabitEthernet0/0
    Show ip int brief
    Router#show ip int brief
    Interface              IP-Address      OK? Method Status                Protocol
    GigabitEthernet0/0     10.1.0.1        YES manual up                    up
    GigabitEthernet0/1     unassigned      YES unset  administratively down down
    FastEthernet0/0/0      unassigned      YES unset  administratively down down
    FastEthernet0/0/1      unassigned      YES unset  administratively down down
    FastEthernet0/0/2      unassigned      YES unset  administratively down down
    FastEthernet0/0/3      unassigned      YES unset  administratively down down
    Serial0/1/0            unassigned      YES unset  administratively down down
    Serial0/1/1            unassigned      YES unset  administratively down down
    Vlan1                  unassigned      YES unset  administratively down down

  • Switch stack connectivity question

    x.x.x.10 = stack 1
    x.x.x.11 = stack 2
    My question, since I have been thrown to the wolves (with very little experience), is: I am at one site with 2 stacks. Is connecting stack 1 to stack 2 done with a crossover or straight-through cable? On stack 1 I have 6/0/19 and 6/0/20 being used for the Avaya VM server and Avaya IP Office. So I need to make sure that the second stack can communicate with number 1 in order for the ports on the second stack to recognize the VM server and IP Office locations. I'm a little confused. I know I shouldn't use a StackWise cable. Any help would be appreciated.

    Not to be overly technical or picky, the term "stack" refers to the feature that the 3750 is capable of, and stacking this platform would require a "StackWise" cable. It should come with the switch and it's silver. You connect the 3750 through the stack port in the back of the switch. Now, if you are simply connecting two switches together, you will require a cross-over cable. A good rule of thumb is that when connecting two alike devices you will need cross-over, like router to router or switch to switch. If they are not alike then you will need straight-through.

  • Screen has a bluish tint after fast user switching and then warning tone

    Hi all, I'm having a bit of a problem that I hope someone can help me with. First the details: I have a MBP bought in late '07 and running Tiger. I was doing full backups using "Backup" and I also had Safari, iTunes, and Word open. I briefly switched to my other account using fast user switching and when I returned to the original account the whole screen had a blue tint to it, like the color profile was off. This has happened before and a restart usually cures it; I haven't restarted yet but I am fairly certain it will correct the problem this time too. But is there any way to prevent this? My second question is the one I'm more worried about. It also has happened before but usually when using more CPU intensive applications. When I went to System Preferences and opened up the display preferences in an attempt to correct the previous problem I heard a very loud tone, like some type of warning tone; it was loud enough that it startled me. I had iTunes playing and after the tone the music got very quiet, but relaunching it brought it back to normal. I'm just wondering, is this some type of warning tone? Is it something I should be concerned about? Besides the music everything else seemed unaffected, although the previous times that this has happened, usually when using HandBrake, there were noticeable problems after the tone (like applications crashing). All of these problems are gone after the computer is restarted though. Does anyone have any insight on these issues? Thank you.
    -James

    OK I ran TechTool and everything passed except for the volume scan. Then I checked this with Disk Utility and the HD failed for a few minor reasons, like invalid block count. I repaired it using the fsck -fy command in single user mode. The computer seems a little faster now. I don't know if this error is related to the beep in any way, I may try talking to an Apple genius to see if they know. Since it seems like pretty minor errors I'm not too worried about it but it does seem to be happening often. The last time I had this error was when I posted a question here about it which I just checked was on March 1st. So this error happened again after a little more than 2 weeks which seems excessive to me. Any thoughts?

  • Multi-layer/layer3 switch VS. Router

    Multi-Layer Switch or Layer3 switch vs. router: how are they different?

    In a router the route calculation and packet processing take place in software at layer 3. This means that packets need to be moved from the layer 2 hardware interface up to layer 3, and so it takes some time. In a layer 3 switch, routing calculations take place at layer 3 in hardware or software, while the actual packet processing takes place at layer 2. The speed gain is accomplished by reducing the number of features supported and moving as much logic as possible into hardware.

  • New to mac and iphoto, questions about photo structure & organization

    I bought a new MacBook Pro a couple of days ago and am still figuring things out. I wasn't displeased with Windows...I just decided to try a Mac anyway. So far, I adore it except for one thing: the pictures.
    I spent hours researching whether to download and use Picasa 3 for Mac or iPhoto. I decided on Picasa....and now I've changed my mind. (Mostly because I tried to take pictures of the moon tonight, and they looked great in camera, but Picasa could only pick up a black screen whereas iPhoto actually saw and defined the moon; and with the editing software on the two, the Picasa auto-edit looked like a picture that was created in Microsoft Paint, and iPhoto came out with a beautifully contrasted photo).
    Now that I decided to use iphoto, I have been researching how to switch and still seem to have a lot of questions. (I've poked around numerous forums but have found conflicting answers on different sites).
    1) I organize my pictures by folders with the month and year. I know iphoto organizes events, which it seems to determine based on photo similarity. Will my photo structure still appear in finder -> pictures?
    2) Is it possible to stop iphoto from organizing my pictures and just trust me on what I want?
    3) All of my friends and family use PCs, and there is a chance that due to financial concerns, when I eventually replace my macbook pro (far in the future) I could switch to a pc. Does iphoto make transferring pictures more difficult? (If I understand correctly, it does not change the photo file, a jpeg is still a jpeg but I want to be sure)
    4) I do not want iphoto to duplicate all of the pictures already in my library....if I import from finder-users-pictures, will it simply use those, or duplicate all 150gb worth of pictures?
    5) Any other tips for someone completely new to macs and iphoto?
    6) This is very silly, but how do I uninstall picasa (I know how to uninstall on a windows but want to make sure I do things correctly on my mac!)
    Also, just a "bonus"- regarding events vs. files I create, will iphoto create events within the program but leave my file structure in the library it imports from alone? If I use finder to go to where I store my photos, will I still see my file structure regardless of what iphoto does?(Does that make sense? I'm having a hard time trying to describe it)
    I apologize if this question is foolish or misplaced- I did read many other posts but didn't see the answers I was looking for.

    Your questions are neither foolish nor misplaced.
    The first thing I strongly suggest is that you make a trial iPhoto Library. Import 100 or 200 pics and explore. Iphoto isn't right for everybody, and if you're going to use it you will need to rethink things a little.
    1) I organize my pictures by folders with the month and year. I know iphoto organizes events, which it seems to determine based on photo similarity. Will my photo structure still appear in finder -> pictures?
    A: Events are based entirely on Date and Time, not on 'photo similarity'. You can set the interval for what makes an Event in the iPhoto Preferences: iPhoto Menu -> Preferences -> General Pane: Autosplit into Events... and select from the drop down menu.
    Will my photo structure still appear in finder -> pictures?
    Yes or no, depending... iPhoto can run as a Referenced or Managed Library. In the former case, yes, your files will be visible in the Finder; in the latter case they won't.
    Note that Referenced or Managed refers +only to file storage+. It offers no extra functionality, it does nothing at all. Apps like iPhoto are your go-to app for your photos. If you use it, then you never access the photos via the Finder. Ever. It's always via iPhoto or the many, many hooks into the OS that it has.
    I'll detail more on Referenced v Managed below.
    2) Is it possible to stop iphoto from organizing my pictures and just trust me on what I want?
    I'm not sure what you mean by this. Iphoto does basic date and time organisation by default. You can change it, you can change the location of the photos in Events, merge them and then using the other tools available - Albums, Smart Albums, Faces, Places etc you can organise your photos whatever way you want.
    But what do you mean by pictures. There is a distinction between Photos - the image of your child holding his dog - and files: A Jpeg is just a file. Iphoto is designed for you to +forget about the jpeg+ and get on with the interesting bit: the pics of your younger and his pet.
    3) All of my friends and family use PCs, and there is a chance that due to financial concerns, when I eventually replace my macbook pro (far in the future) I could switch to a pc. Does iphoto make transferring pictures more difficult? (If I understand correctly, it does not change the photo file, a jpeg is still a jpeg but I want to be sure)
    A Jpeg is a Jpeg is a Jpeg. If you migrate to another app or an entire OS you can export the photos plus any and all metadata you've added to the Finder and move it on. (Caveat: You cannot export Faces. There is no agreed standard on any system for exchanging this info.)
    4) I do not want iphoto to duplicate all of the pictures already in my library....if I import from finder-users-pictures, will it simply use those, or duplicate all 150gb worth of pictures?
    It can do either. And this brings me back to the Referenced v Managed discussion above. By default, iPhoto will Manage the files, that is, it will copy them into the Library. You can choose not to, but I strongly recommend that you don't:
    *How to do it:*
    Simply go to iPhoto Menu -> Preferences -> Advanced and uncheck 'Copy Files to the iPhoto Library on Import'.
    *What Happens:*
    Now iPhoto will not copy the files, but rather simply reference them on your HD. To do this it will create an alias in the Originals Folder that points to your file. It will still create a thumbnail and, if you modify the pics, a Modified version within the iPhoto Library Folder.
    *Some things to consider:*
    1. Importing and deleting pics are more complex procedures. You have to put the files where they will be stored before importing them. When you delete them you'll need to remove the files from the HD yourself.
    2. You cannot move or rename the files on your system or iPhoto will lose track of them on systems prior to 10.5 and iPhoto 08. Even with the later versions issues can still arise if you move the referenced files to new volumes or between volumes.
    3. Most importantly, migrating to a new disk or computer can be much more complex.
    4. Because iPhoto has no tools for managing Referenced Files, if, for some reason, the path to the photos changes then you could find yourself resolving aliases for +each photo in the Library+ one by one.
    My own opinion:
    I've yet to see a good reason to run iPhoto in referenced mode unless you're using two photo organisers.
    If disk space is an issue, you can run an entire iPhoto Library from an external disk:
    1. Quit iPhoto
    2. Copy the iPhoto Library as an entity from your Pictures Folder to the External Disk.
    3. Hold down the option (or alt) key while launching iPhoto. From the resulting menu select 'Choose Library' and navigate to the new location. From that point on this will be the default location of your library.
    4. Test the library and when you're sure all is well, trash the one on your internal HD to free up space.
    If you're concerned about accessing the files, there are many, many ways to access your files in iPhoto:
    *For Users of 10.5 and later*
    You can use any Open / Attach / Browse dialogue. On the left there's a Media heading, your pics can be accessed there. Command-Click for selecting multiple pics.
    You can access the Library from the New Message Window in Mail:
    *For users of 10.4 and later* ...
    Many internet sites such as Flickr and SmugMug have plug-ins for accessing the iPhoto Library. If the site you want to use doesn’t then some, one or any of these will also work:
    To upload to a site that does not have an iPhoto Export Plug-in the recommended way is to Select the Pic in the iPhoto Window and go File -> Export and export the pic to the desktop, then upload from there. After the upload you can trash the pic on the desktop. It's only a copy and your original is safe in iPhoto.
    This is also true for emailing with Web-based services. However, if you're using Gmail you can use iPhoto2GMail
    If you use Apple's Mail, Entourage, AOL or Eudora you can email from within iPhoto.
    If you use a Cocoa-based Browser such as Safari, you can drag the pics from the iPhoto Window to the Attach window in the browser.
    *If you want to access the files with iPhoto not running*:
    For users of 10.6 and later:
    You can download a free Services component from MacOSXAutomation which will give you access to the iPhoto Library from your Services Menu. Using the Services Preference Pane you can even create a keyboard shortcut for it.
    For Users of 10.4 and later:
    Create a Media Browser using Automator (takes about 10 seconds) or use this free utility Karelia iMedia Browser
    Other options include:
    1. *Drag and Drop*: Drag a photo from the iPhoto Window to the desktop, there iPhoto will make a full-sized copy of the pic.
    2. *File -> Export*: Select the files in the iPhoto Window and go File -> Export. The dialogue will give you various options, including altering the format, naming the files and changing the size. Again, producing a copy.
    3. *Show File*: Right- (or Control-) Click on a pic and in the resulting dialogue choose 'Show File'. A Finder window will pop open with the file already selected.
    *If you want to edit the photo in another application:*
    You can set Photoshop (or any image editor) as an external editor in iPhoto. (Preferences -> General -> Edit Photo: Choose from the Drop Down Menu.) This way, when you double click a pic to edit in iPhoto it will open automatically in Photoshop or your Image Editor, and when you save it it's sent back to iPhoto automatically. This is the only way that edits made in another application will be displayed in iPhoto.
    5) Any other tips for someone completely new to macs and iphoto?
    *To Push Home a point*
    For someone inexperienced with Macs and inexperienced with iPhoto I cannot stress enough that Managed Library is the way to go. I understand there is comfort in seeing all those folders. But inside the Library that's all there is: all those folders, stored so that an inexperienced user can't grub things up!
    The iPhoto Library Folder is a Package File. This is simply a folder that looks like a file in the Finder. The change was made to the format of the iPhoto library because many users were inadvertently corrupting their library by browsing through it with other software or making changes in it themselves. Want to see inside?
    Go to your Pictures Folder and find the iPhoto Library there. Right (or Control-) Click on the icon and select 'Show Package Contents'. A finder window will open with the Library exposed.
    Standard Warning: Don't change anything in the iPhoto Library Folder via the Finder or any other application. iPhoto depends on the structure as well as the contents of this folder. Moving things, renaming things or otherwise making changes will prevent iPhoto from working and could even cause you to damage or lose your photos.
    Now close that window and forget about it.
    So, once you've imported your photos to iPhoto in a Managed Library, the surplus duplicates are +your folders+. Of course, in time, trash them to get back the wasted disk space. But don't do it today or tomorrow. There's no hurry. When you feel confident that you understand how iPhoto is working and that it's working for you, that's the time to reclaim the space.
    I organize my pictures by folders with the month and year.
    If you want to duplicate your Folder Tree in iPhoto:
    Start at the bottom of the hierarchy and drag a folder of images to the Album Heading in iPhoto. The pics will be imported and an Album of the same name created.
    You can then create the Enclosing Folders in the iPhoto Window (File -> New Folder) and drag the Album to it. Folders can contain other Folders (Nested Folders) and Albums.
    However, is your folder system date based? Then this form of organisation is a bit pointless in iPhoto when Smart Albums or the Calendar tool (click on the wee magnifying glass in the Search Box) mean you can find the photos taken on any day, month or year at a click. With Smart Albums it's easy to find photos from a specific range - say, June 3 to August 25, 2009 etc.
    If your folder system is theme based - Xmas pics, Birthday pics etc, then you'll find Keywords are much more flexible, and can be used in conjunction with other criteria for making Smart Albums and searches.
    6) This is very silly, but how do I uninstall picasa (I know how to uninstall on a windows but want to make sure I do things correctly on my mac!)
    Drag the app to the trash and empty it.
    Regards
    TD

  • Home setup - network switch and 2 Time Capsules

    I have an ADSL modem/router (Billion BIPAC 5200G). I have used it previously with wireless turned off. I then used a Time Capsule in bridge mode so that NAT etc. is turned off, and then used it to broadcast wifi and as a backup. It is attached to the modem with ethernet. It worked fine.
    I am now in a house with a lot of ethernet ports, linked to a massive hub thing. But it needs a switch to link it all together.
    So I am thinking of this setup:
    PHONE LINE
    to
    BILLION ROUTER (Set as a router with wifi turned off)
    to
    NETWORK SWITCH
    to
    VARIOUS ethernet enabled devices in different rooms (i.e. printers, Apple TV, TV, Time capsule)
    Then I want to use my 2nd time capsule to extend my ground floor network by plugging it in essentially directly into the time capsule via ethernet in roaming mode.
    Is this the optimal setup for this? My other idea was to forgo the network switch and do it this way:
    PHONE LINE
    to
    BILLION ROUTER (Set as a router with wifi turned off)
    to
    VARIOUS ethernet enabled devices INCLUDING the TIME CAPSULE and PRINTER.
    then:
    To the TIME CAPSULE:
    to
    VARIOUS ethernet enabled devices INCLUDING Imac, Apple TV and another TIME CAPSULE in roaming mode.
    My main questions are: which setup will give me better speeds to all devices? I.e., is the switch even necessary? In my 2nd example, will the first Time Capsule and printer be available to the iMac?
    There seems to be no real advantage to having the TIME CAPSULE in router mode while keeping the BILLION ROUTER as a pass through with NAT off (To avoid Double NAT) except for the guest network capabilities.
    If it's just simpler to have the network switch, then perhaps that's the way to go. If so: any suggestions on network switches that work well?

    It doesn't allow me to select ethernet as an option for internet connection, only DHCP, PPPoE and one more which isn't ethernet.
    DHCP is the correct setting. It will use ethernet, but the new AC TC has problems; it needs a crossover cable with some switches. Or you need to return it and get it replaced, as there is something wrong with its WAN port. The new AC model needs a hardware revision and about 3 or 4 firmware upgrades before it hits the status of the Gen4 it replaced.
    My questions are: should I connect my time capsules together directly with ethernet using another available port in my new time capsule. I thought my switch would work better. Also, does one time capsule have to be in router mode instead of having both of them in bridge.
    Both should be in bridge.. but you can rearrange things to see if any of the other devices works better.
    You can use the billion or the old TC.. plug the new TC into those.
    Bob is correct though; the switch is the correct thing for everything to be plugged into, but in a home situation what works is more important than what is best. If it fails in all of them then the WAN port is proven faulty.
    Should I be able to use the hdd on the 2nd (older) time machine as essentially a networked hdd for putting movies and music on, and use my new time capsule as the sole backup (occurring both over ethernet for my iMac and wifi for our laptops)
    Yes, that is ok.. you just need to get the AC version TC actually working properly.
    Give us a few screenshots of things.. that really helps to see.
    Click on each unit and show the summary pages.

  • Method calls in switch and for statements

    I have 2 questions concerning method calls in switch and for statements. Consider these two chunks of code:
    1)
         switch (foo.getIntegerValue()) {
              case 1:
              case 2:
         }
    My question is, is getIntegerValue() being called for every case statement (since it has to compare with each case) or is the method called only once?
    2)
         for (Foo bla : xyz.compileFoos()) {
         }
    Is compileFoos called once or on every iteration?
    I assume it gets called only once but I would like to be sure. The reason I ask is of course to avoid multiple method calls.
    any help is appreciated

    sdb2 wrote:
    I have 2 questions concerning method calls in switch and for statements. Consider these two chunks of code:
    1)
         switch (foo.getIntegerValue()) {
              case 1:
              case 2:
         }
    My question is, is getIntegerValue() being called for every case statement (since it has to compare with each case) or is the method called only once?
         Once, and the value returned compared to each "case" in turn.
    2)
         for (Foo bla : xyz.compileFoos()) {
         }
    Is compileFoos called once or on every iteration?
    I assume it gets called only once but I would like to be sure. The reason I ask is of course to avoid multiple method calls.
    any help is appreciated
         Also once, and the returned list/set/array is iterated over.

  • Access switch and ap's for BYOD

    good day,
    I'm reading the BYOD document and found out that the switches and APs below are the only ones listed in their design. Does it mean normal 3560s and 11xx-series APs can't support the BYOD solution using ISE? Could someone confirm please?
    cat switches:
    Catalyst 3750-X
    Catalyst 3560-X
    Catalyst 4500E Sup7-E
    AP's
    AP3502
    AP3602
    thanks in advance for your input.
    cheers,
    mhon

    The 3560s that can run the code specified in this chart should be able to support ISE -
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038
    The APs that can support the controller code in the above guide should work as well; however, if you want to run the AP in standalone mode and they do not support features such as CoA, then you will have to dedicate an inline posture node in order to get the full features of Cisco ISE.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • 802.1x, 350AP, 3550 Switch, and ACS 3.0

    Yikes!
    What a mess I got myself into! I'm trying to implement a couple of security features (at the same time) due to higher corporate directives. I am trying to implement RADIUS, 802.1x port authentication on a Cat 3550 switch, and MAC address authentication for wireless clients. The idea was:
    1. The 3550 has port based authentication on it and should authenticate access points as well as any workstations that will/may connect to it.
    2. The wireless clients will be MAC authenticated via the access point passing requests to the radius server.
    Confused? I am too, help!
    Thanks

    Nilesh, Thanks for the reply.
    But I do have a few further questions if you are willing:
    1. Getting the AP to use 802.1x and talk with the RADIUS server seems to be the big problem. I have not been able to find clear enough instructions on how to set the AP to do 802.1x through the switch. I do realize that LEAP is just Cisco's implementation of 802.1x, but we are trying to use non-proprietary protocols.
    2. We already have the clients MAC addresses in the AP's but want to get away from this (network mgt issues) by using the ACS server.
    I guess what makes this confusing for me is the chain of events and if they are possible to do. Here are the steps as I see them, please advise if this is not possible to do.
    1. Access point is plugged into the 3550 and uses 802.1x authentication with RADIUS through the switch. Once the switchport is authorized, then the wireless clients can try to associate with the AP. To do this the MAC address of the client is sent to ACS for authorization and, when authorized, it is allowed to communicate. Then the wireless client retrieves an IP address through DHCP.
    Whew.
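    The switch-side half of the chain described above, as an added example that is not from this thread: 802.1X port authentication on a Catalyst 3550 against a RADIUS (ACS) server. The RADIUS address and shared secret, the interface numbers, the VLAN number and the choice of port 1812/1813 (rather than the legacy 1645/1646) are assumptions for illustration; the ACS and the AP side are not shown. Whether the AP's uplink port can be set to `auto` depends on the AP itself acting as an 802.1X supplicant on its Ethernet interface, so both choices are shown.

```cisco
! Added example: 802.1X on a Catalyst 3550 with an ACS RADIUS server.
! Addresses, secret, VLAN and interface numbers are assumed.
aaa new-model
! aaa new-model changes line login to AAA; keep a local fallback so you are not locked out
username admin privilege 15 secret Ch4nge-Me
aaa authentication login default local
aaa authentication dot1x default group radius
!
! ACS host (assumed). 1812/1813 are the IANA RADIUS ports; older ACS may listen on 1645/1646
radius-server host 10.1.1.20 auth-port 1812 acct-port 1813 key R4dius-S3cret
!
! Global switch; without it, per-port "dot1x port-control auto" does nothing
dot1x system-auth-control
!
! Wired workstation: the host must answer EAP before the port forwards anything
interface FastEthernet0/1
 description workstation
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
 dot1x reauthentication
 dot1x timeout reauth-period 3600
!
! Uplink to the access point. Choose one:
!  (a) the AP cannot act as a supplicant on its Ethernet port: leave the default
!      (force-authorized) and enforce on the wireless side via the AP and ACS;
!  (b) the AP does authenticate: "auto", plus multi-host, because every wireless
!      client's frames arrive on this single port behind the AP's one MAC address.
!      (Older 3550 releases spell this "dot1x multiple-hosts".)
interface FastEthernet0/24
 description uplink to Aironet AP
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
 dot1x host-mode multi-host
 spanning-tree portfast
```

    Note that multi-host mode authorizes the whole port on the first successful EAP exchange, so the per-client check for wireless users still has to happen on the AP (MAC or EAP authentication against ACS); the switch only vouches for the AP.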

  • Wireless AP Management VLAN and BVIs

    Hi All,
    I've been looking around and I can't find a solution to what I am trying to achieve and I was hoping the community may have had more luck than I have.
    I'm looking to have my management VLAN for my AP set up as a tagged BVI, but I'm struggling to get it set up. I can set it up fine using BVI1 and having it just accessed on the native VLAN, but I see this as a security flaw; I don't really want direct access into my management network on the switch.
    Now there may be a better way of preventing this but I am, at least compared to many, still fairly new to Cisco and this seems to be the best approach. Please see below for my current config, hopefully you can let me know where I am going wrong.
    Also, as a note, at the moment I am mainly focusing on the management security of the AP before I check the Wi-Fi config, hence the radios still being shut down, so there may also be small errors in this. I have also removed some elements which are not relevant.
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP01
    no ip source-route
    no ip cef
    dot11 syslog
    dot11 ssid <Guest secure network SSID>
       vlan 30
       authentication open
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii <key>
    dot11 ssid <Internal Secure SSID>
       vlan 10
       authentication open
       authentication key-management wpa version 2
       wpa-psk ascii <key>
    ip ssh version 2
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     shutdown
     encryption vlan 10 mode ciphers aes-ccm tkip
     encryption vlan 30 mode ciphers aes-ccm tkip
     ssid <Guest secure network SSID>
     ssid <Internal Secure SSID>
     antenna gain 0
     packet retries 64 drop-packet
     channel 2437
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 port-protected
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.10
     encapsulation dot1Q 10
     no ip route-cache
     bridge-group 10
     bridge-group 10 subscriber-loop-control
     bridge-group 10 spanning-disabled
     bridge-group 10 block-unknown-source
     no bridge-group 10 source-learning
     no bridge-group 10 unicast-flooding
    interface Dot11Radio0.30
     encapsulation dot1Q 30
     no ip route-cache
     bridge-group 30
     bridge-group 30 subscriber-loop-control
     bridge-group 30 spanning-disabled
     bridge-group 30 block-unknown-source
     no bridge-group 30 source-learning
     no bridge-group 30 unicast-flooding
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     encryption vlan 10 mode ciphers aes-ccm tkip
     encryption vlan 30 mode ciphers aes-ccm tkip
     ssid <Guest secure network SSID>
     ssid <Internal Secure SSID>
     antenna gain 0
     peakdetect
     no dfs band block
     packet retries 64 drop-packet
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 port-protected
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1.10
     encapsulation dot1Q 10
     no ip route-cache
     bridge-group 10
     bridge-group 10 subscriber-loop-control
     bridge-group 10 spanning-disabled
     bridge-group 10 block-unknown-source
     no bridge-group 10 source-learning
     no bridge-group 10 unicast-flooding
    interface Dot11Radio1.30
     encapsulation dot1Q 30
     no ip route-cache
     bridge-group 30
     bridge-group 30 subscriber-loop-control
     bridge-group 30 spanning-disabled
     bridge-group 30 block-unknown-source
     no bridge-group 30 source-learning
     no bridge-group 30 unicast-flooding
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
    interface GigabitEthernet0.10
     encapsulation dot1Q 10
     no ip route-cache
     bridge-group 10
     bridge-group 10 spanning-disabled
     no bridge-group 10 source-learning
    interface GigabitEthernet0.30
     encapsulation dot1Q 30
     no ip route-cache
     bridge-group 30
     bridge-group 30 spanning-disabled
     no bridge-group 30 source-learning
    interface GigabitEthernet0.100
     encapsulation dot1Q 100
     no ip route-cache
     bridge-group 100
     bridge-group 100 spanning-disabled
     no bridge-group 100 source-learning
    interface GigabitEthernet0.101
     encapsulation dot1Q 999 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface BVI1
     no ip address
     no ip route-cache
     shutdown
    interface BVI100
     mac-address <Actual ethernet address>
     ip address 10.33.100.101 255.255.255.0
     no ip route-cache
    ip default-gateway 10.33.100.254
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    bridge 100 protocol ieee
    bridge 100 route ip
    line con 0
     logging synchronous
    line vty 0 4
     transport input ssh
    end
    As you can see, I am using BVI100 as the management VLAN for the device, and BVI1 is shut down, with VLAN 999 / int gi0.101 holding bridge group 1.
    With this setup I can't get any IP communication, send or receive, but I can see the MAC address on the switch in the MAC address table on VLAN 100. There are also no entries in the ARP table of the AP.
    The switch is set up with VLAN 999 untagged and VLANs 10, 30 and 100 tagged.
    Hope you can help! Thanks for any advice in advance.
    Many thanks,
    Martin.

    Yeah, that would work, and I have set it up like this without issue, but I'm trying to limit access to the management VLAN. I don't want someone to be able to plug directly into the switch and be on the same broadcast domain as all of the other equipment.
    There are other ways of achieving this, but I felt like I was so close with the above config and was just missing something.

  • Stacked SF500-24P and routing question

    I'm looking for a stackable L3 switch which can do routing and with PoE and I think the SF500-24P is just right for me but have a question.
    Is a stack of 2 of these switches seen as 1 device with 1 outside IP address per VLAN by devices that have this stack as the default gateway? Or is something like VRRP active between the 2 stack switches, with each having its own IP address?
    Thanks in advance,
    Jasper

    That is correct. The entire stack is seen as one device. Once the switches are stacked, there is no need for VRRP, HSRP, etc. It is all one switch with one IP for management.
    HTH

  • Which Switch and Router to choose?

    I am interested in purchasing a Cisco switch and router, or possibly a Cisco switch router.
    However, I am not sure of what model to go with.
    Currently, we have a network with about 200 Workstations and 30 Servers for our Corporation Infrastructure.
    Also, for our lab, we have about 50 Linux Based Servers, and 30 Solaris Based Servers, that are part of our Network. We are a Research and Development Company, and we have had issues with the Lab machines bringing down our network, as well as our corporate network adversely affecting the lab machines. What we would like to do is segment the network so that the different areas will be isolated. However, we also would like to have a lot of control over the traffic that will be able to cross from our network into the lab so that users will still be able to run their tests.
    Security is also an issue, and it would be great to have more control, and a better view of what kind of traffic is running through our network.
    Currently, we have about 8 Gigabit switches which are unmanaged (Linksys and NetGear). Our idea was to get 1 or 2 Cisco switch routers, split them up into VLANs and cascade our current switches so that we can still make use of them. The other idea was to just get a Cisco switch and use our CheckPoint router/firewall to do the routing.
    Can you give me any advice as to what model of Cisco Product you would recommend?
    Is it better to go with a switch router, or simply get a separate switch and router?
    Please note that all of our machines have 10/100/1000 NICs, so the device will need to be Gigabit.
    Thank you so much!

    You have two choices: either use a chassis-based solution or use stackable switches such as the 3750. Are all the Cat 5 (or 5e, 6) runs coming into one centralized location? Or are there separate wiring closets that you plan to use? If so, you need to put separate switches at those locations and run fiber back to the central location, which has the chassis-based or stackable switch.
    If using a chassis based solution, you can get a 4506 (4507 for redundancy, with a redundant supervisor engine). Supervisor engine is nothing but the CPU of the switch. 4506 is a 6 slot modular switch with 2 power supplies for redundancy. You cannot add two Supervisor engines on a 4506 (4507 can).
    Slot 1 is always for supervisor engine, the remaining 5 slots you can fill using 48 port 10/100/1000 modules.(48 * 5 = 240). So your maximum port density is 240 ports on a 4506. (Note that there are 4507, 4510 which are similar models with more slots)
    If using the 3750, you can stack up to 9 switches in a stack using the stacking cables on the back of the switch. Each switch has 48 ports (10/100/1000), and you can stack 5 switches to get 240 ports.
    For the firewall I would recommend using a PIX 515E (why go for a CheckPoint firewall when you can use all Cisco?). For routing between the VLANs, the switches I recommended above are all Layer 3 switches; they will route between the different VLANs. You can also configure ACLs to restrict traffic between VLANs.
    HTH
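    The VLAN split and the inter-VLAN ACL the answer above mentions, as an added example that is not part of the thread: a 3750 stack routing between a corporate VLAN and a lab VLAN, with an ACL that restricts what the lab may initiate toward corporate, and storm control on the lab ports so a misbehaving lab host cannot flood the rest of the network. VLAN numbers, addresses, the two corporate hosts named in the ACL and the interface numbers are all assumptions for illustration.

```cisco
! Added example: lab/corporate segmentation on a Catalyst 3750 stack.
! VLAN numbers, addresses, host addresses and interface numbers are assumed.
ip routing
!
vlan 10
 name CORPORATE
vlan 20
 name LAB
!
interface Vlan10
 description corporate workstations and servers (10.10.0.0/23)
 ip address 10.10.0.1 255.255.254.0
!
interface Vlan20
 description R&D lab (10.20.0.0/24)
 ip address 10.20.0.1 255.255.255.0
 ip access-group LAB-TO-CORP in
!
! Applied inbound on the lab SVI, so it filters what the lab sends to everyone else.
! Router ACLs are stateless: "established" admits the reply half of TCP sessions that
! corporate users open toward the lab; UDP replies would each need an explicit permit.
ip access-list extended LAB-TO-CORP
 remark replies to corporate-initiated TCP sessions (e.g. a user ssh-ing into a lab box)
 permit tcp 10.20.0.0 0.0.0.255 10.10.0.0 0.0.1.255 established
 remark lab may itself reach only the results file server (ssh) and the DNS server
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.50 eq 22
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.53 eq 53
 remark anything else lab -> corporate is dropped; "log" punts to the CPU, use sparingly
 deny ip 10.20.0.0 0.0.0.255 10.10.0.0 0.0.1.255 log
 remark lab traffic to anything that is not corporate (e.g. Internet via the firewall) is allowed
 permit ip 10.20.0.0 0.0.0.255 any
!
! Lab host ports: cap broadcast and multicast so one host cannot saturate the VLAN,
! and shut the port if it does; BPDU guard keeps a stray switch from taking over STP.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 20
 storm-control broadcast level 5.00
 storm-control multicast level 5.00
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Downlink to one of the existing unmanaged lab switches: same VLAN and storm cap,
! but no portfast/BPDU guard, since a switch (not a host) sits behind it.
interface GigabitEthernet1/0/25
 description downlink to unmanaged lab switch
 switchport mode access
 switchport access vlan 20
 storm-control broadcast level 5.00
 storm-control action shutdown
```

    The ACL only controls sessions the lab initiates; corporate hosts may still open anything toward the lab because Vlan10 carries no inbound ACL. To limit that direction too, add a second ACL on `interface Vlan10` with `ip access-group ... in`, again remembering that replies have to be permitted explicitly.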

  • Router and related question

    I am trying to do web hosting. The web server will host about 10 web applications for public access (from several hundred to a couple of thousand people concurrently). This server will be located at a server-hosting company which uses T1/T3 lines to connect to the Internet. My web server will be placed in the hosting company's server room (this means that the hosting company takes care of the Internet connection, while my server in turn connects to the company's LAN). Now my questions are:
    1) I would like to have a router to act as a firewall, switch and VPN endpoint, and to support a DMZ. Only data passes through (no audio or video is required).
    Of course, the faster the better. But I also have to take the budget into consideration, so the router should reasonably get the job done without being overspent on. Which Cisco router fits better: the 1801 or the 2801, or something else?
    2) This router will not connect to DSL, T1 or T3; instead, it will plug directly into the server room's LAN. Can I hook it up using the router's Ethernet port?
    3) To place a web cache machine in the DMZ, can I connect the web cache machine to the router's Ethernet port? Or is there a port SPECIFICALLY for the DMZ to make the connection?
    Many thanks.
    Scott

    The 1800s are fixed configurations with only WIC slots, and you don't need WIC slots in your application.
    Get a 2811 at a minimum; it has two FastEthernet interfaces. Or you can get a 2821 or 2851, which have 2 GigE ports onboard. You can use the IOS firewall feature on the router and can also do VPN. You need to get the Advanced Security or higher feature set, and an AIM card if you plan to terminate a lot of VPN connections.
    To support a DMZ switch on the router itself, you can buy a module such as the NM-16ESW (a 16-port switch) and put your servers there. You can use ACLs and CBAC to permit specific traffic going to these web servers.
    IOS firewall won't be truly the same as using a dedicated firewall such as a PIX or ASA, so I would recommend using a PIX firewall for this purpose.

  • Centrally Switched and Flex Local Switched WLAN - same SSID

    Hi All
    I am currently working on a WLAN migration from lightweight to autonomous and would like advice on whether the following scenario is possible.
    We've deployed an 8500 HA pair at the customer's central HQ with the plan that SSIDs at the central HQ will be centrally switched and SSIDs at branch sites will be locally switched. AP and Flex groups have been configured for the HQ and branch sites. There is a legacy SSID at HQ that will need to break out locally, so a Flex group is required for HQ.
    My original plan was to do this with one WLAN profile per SSID, configured to locally switch. The HQ AP group will map the WLAN to the relevant IP interface, with the SSID omitted from the HQ Flex group so that the SSID will centrally switch. The branch AP groups will be configured with the SSIDs required for the branch, and Flex groups will be configured to break out the SSIDs into the relevant local VLAN.
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    Configured as above, a client debug gives the following, which seems to suggest that it isn't possible, unless I've configured something incorrectly...
    *apfMsConnTask_5: Oct 03 15:48:51.012: c0:18:85:48:c0:5d Central switch is FALSE
    My alternative option is to create a second WLAN profile for each SSID with the same SSID name but centrally switched and then apply that accordingly in the AP groups.
    If someone can verify the above I'd be very grateful.
    Many thanks in advance
    Mark

    Hi Mark
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    When you configure an SSID for local switching, it is only applicable if the AP is in FlexConnect mode. So as long as your HQ APs are in Local mode, all of those users' traffic will be centrally switched for the given SSID. At the branches, where the APs are in Flex mode, they will be locally switched.
    Please do not forget to rate our responses if they are useful to you.
    HTH
    Rasika
