Management and native Vlan in different subnet??

Can I have a management IP and native VLAN in different subnets on an AIR-1242 and 2960 switch?
Native on Switch = 1.
Interface vlan 100 = 10.10.1.25X /24
BVI ip in vlan 100 = 10.10.1.25X /24
-HM-

Hi,
Thanks for the update..
Ok in short YES this can be done.. here is the AP configuration..
Step 1>> Configure the SSID and map it with respective Vlans..
Step 2>> Create the sub interface int dot11 0.5 / int fa 0.5 (encapsulation dot1q 5, bridge-group 5) and int dot11 0.6 / int fa 0.6 (encapsulation dot1q 6, bridge-group 6)
Step 3>> Create the sub interface 0.100 for both Radio and Fa and under this (encapsulation dot1q 100 native, bridge-group 1)
Step 4>> Make sure all the interfaces are up and running and try to ping the VLAN 100 interface IP addr from the AP to verify.
lemme know if this answered your question..
Regards
Surendra

Similar Messages

  • Connection fails if server and clients are in different subnets

    Hello,
    our Volume License Manager (v2.1) is running in a different subnet than the clients (all machines are running under Windows XP-SP2 without Domains or ADS, just workgroups).
    The server is in subnet A (192.168.42.0/24), all clients are located in another subnet  B (192.168.50.0/24).
    Routing is properly configured and is working fine, traffic to the specific hosts is not blocked by a firewall. We can ping every machine,
    open telnet connections to the NILM, everything works.
    But if the clients try to connect to the remote NILM (both local client NI License Manager and VLM port settings are correct)  their connection attempt always
    times out with error code "NILM10"
    (I already read the mentioned KBs, no solution has helped so far). This is true if clients and server are separated.
    For testing purposes, I plugged one client into the server's subnet (server's IP: 192.168.50.250, client 192.168.50.10)
    and it worked perfectly. Is there a reason why  server and client have to be on the same subnet or is it some other kind of problem that I am not aware of?
    Thank you.
    Thorsten

    Hello Thorsten,
    Did you add the server's domain to the client computer's DNS settings? To do this, complete the following steps on the client computer:
    1. Open Local Area Network Settings from the Control Panel (Start»Control Panel»Network Connections»Local Area Connection)
    2. Click the Properties button
    3. Select Internet Protocol (TCP/IP) from the list of network components
    4. Click the Properties button
    5. Click the Advanced button
    6. Change to the DNS tab
    7. Ensure Append these DNS suffixes is selected
    8. Click the Add button
    9. Enter the domain suffix of the license server and click Add
    10. Close any open dialog boxes, choosing OK and Close as necessary.
    (http://digital.ni.com/public.nsf/allkb/3AAF37CD7B89A2CD86257070005A075A?OpenDocument)
    Further, you should check these KBs.
    Why is My NI License Manager Slow or Not Responsive with a Configured Network Server on Another Domain?
    http://digital.ni.com/public.nsf/allkb/27D6BD8116EF257A862572F2005C2181?OpenDocument
    How Can I Access NI Volume License Manager from a Different Network or Behind a Firewall?
    http://digital.ni.com/public.nsf/websearch/54E52C3F348B929786256DCD0056B19B?OpenDocument
    Regards,
    WolfgangZ

  • Voice Vlan and Native Vlan

    Dear all,
    I am now reading some information regarding the setup of Voip Phone. It mentioned that the Phone is actually a 3-ports switch:
    Port 1: Connect to upstream switch
    Port 2: Transfer Phone traffic
    Port 3: Connect to a PC
    Actually, what should I configure on the upstream switch port? Should it be a trunk port containing both the voice traffic vlan and pc data vlan?
    Or something else?
    Also, there is a term called 'Voice Vlan', is there any difference between 'Voice vlan' and an ordinary Vlan?
    Is there any special usage of 'Native' Vlan in implementing Voip?
    Thanks.
    Br,
    aslnet

    Thanks.
    How about if the PC data should be tagged as another vlan (e.g., Vlan 10)? Then I should change the native vlan to vlan 10?
    But from my understanding, Native Vlan should be the same in the whole network, then I need to change the whole network native vlan? If different vlans should be assigned to different PCs that are behind different VoIP phones, then how to do it?
    From my guessing, is it that I can assign an individual native vlan (vlan10) on that port (connected to the voip-phone), and then keep the switch's uplink port as the original native vlan (vlan1)?
    Therefore, PC data traffic would be untagged when entering from voip to the switch, and then tagged as vlan10 when leaving the switch to other uplink switch, right?
    Thanks.

  • Nexus 7k and native vlan 1

    Hi, is it recommended to use a native vlan other than 1 on the trunks connecting Nexus boxes? It used to be that you should not use native vlan 1 on the trunks between switches. Is this not an issue anymore?
    Thanks

    Hi Chuck,
    It is recommended to use a different vlan other than vlan 1 as your default vlan.
    This is one of the best practices for securing the overall network.
    For example:
    In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and trunking protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q, VLAN Trunking Protocol) used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.
    HTH,
    Aman

  • Wireless VLAN and Native VLAN

    OK, I’m a bit confused about what to do with the native VLAN. I know that for QoS/CoS, I should not use VLAN1 as the native VLAN. I also know that I should use a separate VLAN as the management VLAN. So I’m left thinking, do I need a native VLAN? If I do, can I just make a dumb VLAN that goes nowhere and use that as the native VLAN? Or am I just completely missing something. Thanks

    The native VLAN must also be your management VLAN for Cisco APs.
    The Native VLAN can be any number, as long as you configure it accordingly.
    Also keep in mind that the local RADIUS server, and DHCP will only deliver to the native VLAN. If you intend to use either of those services on the non-native VLAN/SSID, you'll need to have a layer three device on the line to forward that traffic.
    Good Luck
    Scott

  • Fabric interconnect and Native Vlan

    Hi
    I just want to ask a simple question
    are there any precautions with native vlan between the Switched infrastructure and the Fabric interconnect ?!
    I mean can I use any vlan as a native vlan ex.999 "anything but not 1" ?!

    As a security best practice on trunks carrying multiple VLANs you should not allow the native vlan on the line. When you have a single VLAN going to a device, an end node for example, the port should be configured as an access port with a single data VLAN, and potentially a voice vlan if that will be used.
    For example, our N5Ks have a trunk to each of our UCS interconnects. We set the native VLAN on the n5k side to 999. 999 is not in the allowed list for the trunk then, so the native VLAN never makes it to the ucs. On the ucs then, any server that can handle VLANs (esxi for example) we send only tagged VLANs -- no VLAN is marked native, thus accomplishing the same thing as we did for the n5k to FI link.
    It is recommended to not leave your native VLAN as 1 as best practice. It's less of a concern if the native VLAN isn't in the allowed list, but to avoid misconfiguration issues you should set it to another VLAN.

  • FIP and Native VLAN

    Hello,
    according to documentation, FIP uses native vlan for FCoE VLAN discovery. Is it necessary to trunk native VLAN on the CNA port of a switch facing a server? For example if e1/1 is connected to a host and I'm using VLAN10 for data and VLAN100 for storage, and my native vlan is VLAN1, should the configuration be:
    interface Ethernet1/1
      switchport mode trunk
      switchport trunk native vlan 1
      switchport trunk allowed vlan 1,10,100
      spanning-tree port type edge trunk
    OR is it sufficient to have:
    interface Ethernet1/1
      switchport mode trunk
      switchport trunk allowed vlan 10,100
      spanning-tree port type edge trunk
    Another alternative, which takes into account that host may not tag its data traffic:
    interface Ethernet1/1
      switchport mode trunk
      switchport trunk native vlan 10
      switchport trunk allowed vlan 10,100
      spanning-tree port type edge trunk
    Is it really a must to trunk native VLAN? In my lab it works either way.

    FIP VLAN Discovery
    FIP VLAN discovery discovers the FCoE VLAN that will be used by all other FIP protocols as well as by the FCoE encapsulation for Fibre Channel payloads on the established virtual link. One of the goals of FC-BB-5 was to be as nonintrusive as possible on initiators and targets, and therefore FIP VLAN discovery occurs in the native VLAN used by the initiator or target to exchange Ethernet traffic. The FIP VLAN discovery protocol is the only FIP protocol running on the native VLAN; all other FIP protocols run on the discovered FCoE VLANs.
    The ENode sends a FIP VLAN discovery request to a multicast MAC address called All-FCF-MACs, which is a multicast MAC address to which all FCFs listen. All FCFs that can be reached in the native VLAN of the ENode are expected to respond on the same VLAN with a response that lists one or more FCoE VLANs that are available for the ENode's VN_Port login. This protocol has the sole purpose of allowing the ENode to discover all the available FCoE VLANs, and it does not cause the ENode to select an FCF.

  • What is difference between Default VLAN and Native VLAN?

    Answer

    Cisco switches always have VLAN 1 as the default VLAN, which is needed for many protocol communications between switches, like spanning-tree protocol for instance.
    You can't change or even delete the default VLAN, it is mandatory.
    The native VLAN is the only VLAN which is not tagged in a trunk, in other words, native VLAN frames are transmitted unchanged.
    Per default the native VLAN is VLAN 1 but you can change that:
    #show interface Fa0/8 trunk
    Port        Mode             Encapsulation  Status        Native vlan
    Fa0/8       on               802.1q         other         1
    (config-if)#switchport trunk native vlan 2
    (config-if)#do show interface f0/8 trunk
    Port        Mode             Encapsulation  Status        Native vlan
    Fa0/8       on               802.1q         other         2
    The default VLAN is still VLAN 1.
    #show vlan id 1
    VLAN Name Status    Ports
    1    default active    Fa0/8, Gi0/1
    HTH
    Rolf
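
How a trunk port decides which VLAN an arriving frame belongs to, as an added example that is not part of the original posts. The function names, the sample MAC and the drop-if-not-allowed rule are a simplified model assumed here, not any vendor's implementation.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_frame(vlan=None, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame (IPv4 EtherType), tagged if vlan is given."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")  # locally administered sample MAC (made up)
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


def parse_vlan_tag(frame):
    """Return (pcp, dei, vid) from the 802.1Q tag, or None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def trunk_ingress_vlan(frame, native_vlan, allowed):
    """Model of trunk ingress: the VLAN the frame is placed in, or None if dropped."""
    tag = parse_vlan_tag(frame)
    # Untagged and priority-tagged (VID 0) frames belong to the port's native VLAN.
    vlan = native_vlan if tag is None or tag[2] == 0 else tag[2]
    return vlan if vlan in allowed else None


if __name__ == "__main__":
    untagged = build_frame()
    # The same untagged frame lands in a different VLAN on each end of a link
    # whose two ports disagree about the native VLAN.
    print(trunk_ingress_vlan(untagged, 1, {1, 2}))   # end configured with native vlan 1
    print(trunk_ingress_vlan(untagged, 2, {1, 2}))   # end configured with native vlan 2
```

The tagged path ignores the native VLAN entirely, which is why management traffic carried in a tagged VLAN is unaffected by whatever the native VLAN is set to.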

  • Management and Default VLAN

    Hi All
    I need advice.
    At my former office, we used to have another vlan e.g. vlan 10 for management vlan purpose so that we do not use default VLAN 1 to access the switches which I think is good for security purpose.
    Now how can I convince my present company that it is the best way to go, as they have only vlan 1 for management purposes but then use another vlan, say vlan 189, for all unused ports which, alas, they do not keep to, so invariably we have ports in vlan 1 and 99 and everywhere.
    Is there a doc whereby I can show them why it is best to have a different management vlan from the default vlan?
    Thanks

    Hi, here is a link that gives a little explanation on Precautions for the use of default management vlan.
    Refer to "Precautions for the Use of VLAN 1" section.
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp38986

  • PXE boot issue with DHCP and SCCM server on different subnets

    I'm working with a client on the operating system deployment module of SCCM.
    Their network configuration currently has a single large subnet for client
    computers with a DHCP server on the same subnet. The SCCM subnet is
    configured on a separate subnet with no DHCP server on the subnet. We want to
    configure client computers to be able to boot using the PXE client to deploy
    OS images to the machines but can not get PXE-boot to work correctly.
    Also, the client does not want to make changes to their network
    infrastructure routers or switches to remedy this problem. Are there settings
    on the DHCP or SCCM servers we can implement to make this work? If so, what
    needs to be installed or configured on each server. We currently already have
    WDS installed on the SCCM server and the SCCM server is configured as a PXE
    Service Point within SCCM. Both WDS and the PXE Service Point seem to be working fine.
    Any help would be appreciated.
    Thanks,
    Gary

    I am Brazilian, sorry for wrong english.
    My DHCP is on linux, in my own structure VLANS.
    The system center is on the network 10.0.4.0/24.
    The machines on the network 10.0.5.0/24.
    The problem is that the machines that are not on the same network system center can not boot.
    I tried configuring /etc/dhcp3/dhcpd.conf as follows:
    option vendor-class-identifier "PXEClient";
    option bootfile-name "\\SMSBOOT\\x86\\wdsnbp.com";
    option tftp-server-name "10.0.4.101";  # IP server
    But it did not work, anyone know how to configure?

  • The same network and id vlan in different context in the same ACE

    Hello,
    I want to know if I can create 2 contexts in an ACE with the same ID Vlans as the other context and whether these can be in the same network; I explain in the configuration.
    Best Regards
    ++++++++Switch C6513++++++++
    svclc multiple-vlan-interfaces
    svclc module 6 vlan-group 100
    svclc module vlan-group 100 60,233
    vlan 60
    name inside
    vlan 233
    name outside
    interface vlan 233
    ip address 10.24.16.1 255.255.255.0
    no shutdown
    ++++++++Context Admin++++++++
    hostname ACE-MOD6
    ft interface vlan 350
    ip address 10.24.15.34 255.255.255.248
    peer ip address 10.24.15.33 255.255.255.248
    no shutdown
    ft peer 1
    heartbeat interval 200
    heartbeat count 20
    ft-interface vlan 350
    ft group 1
    peer 1
    priority 200
    peer priority 150
    associate-context Admin
    inservice
    context SERV1
    description SERV1
    allocate-interface vlan 60
    allocate-interface vlan 233
    context SERV2
    description SERV2
    allocate-interface vlan 60
    allocate-interface vlan 233
    ft group 2
    peer 1
    priority 200
    peer priority 150
    associate-context SERV1
    inservice
    ft group 3
    peer 1
    priority 150
    peer priority 200
    associate-context SERV2
    inservice
    ++++++Context SERV1++++++
    interface vlan 60
    ip address 10.24.8.5 255.255.255.0
    no shutdown
    interface vlan 233
    ip address 10.24.16.5 255.255.255.0
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.24.16.1
    ++++++Context SERV2++++++
    interface vlan 60
    ip address 10.24.8.6 255.255.255.0
    no shutdown
    interface vlan 233
    ip address 10.24.16.6 255.255.255.0
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.24.16.1

    Sharing Vlans is possible in routed mode.
    It's not possible when ACE is operating in Bridge mode.
    You need to use unique IP addresses in each context for shared vlans.
    Also make sure to use the "shared-vlan-hostid" command.
    "When contexts share a VLAN, the ACE assigns a different MAC address to the VLAN on each context. The MAC addresses reserved for shared VLANs are 0x001243dc6b00 to 0x001243dcaaff, inclusive. All ACE modules derive these addresses from a global pool of 16k MAC addresses. This pool is divided into 16 banks, each containing 1,024 addresses. An ACE supports only 1,024 shared VLANs, and would use only one bank of MAC addresses out of the pool.
    By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE modules in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank and use the same MAC addresses. To avoid this conflict, you need to configure the bank that the ACEs will use."
    Above paragraph & more details at
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/config.html#wp1447465
    Syed Iftekhar Ahmed

  • Wifi and PC on 2 different subnets ?

    Can anyone confirm if BlackBerry Link can use:
    * MULTICAST to locate devices ?  This will allow PC software to find a device across routers that participate in multicast.  I presume the default mechanism the BB10 device uses is BROADCAST which does not cross any router.  But I can understand Enterprise customers not caring which LAN they are on (as they might have multiple WiFi LANs and multiple Ethernet LANs on a single site) and just wanting device and PC to be paired and working.
    * Allow explicit IP address associations to be setup.  The Wifi IP my Z30 gets is locked to MAC, so can BlackBerry Link keep trying to poll/connect to it, multiple IPs should be allowed to be setup this way, with priority order, where higher priority IPs continue to be polled even if device is connected to lower priority.  This will allow me to configure Wifi IP as top priority, and VPN IP (which can also be locked/static IP) as 2nd priority.  The VPN static IP allows for an IP to work from anywhere in the world (from a foreign Wifi or mobile network).
    * Can non-direct communication be disabled (both on PC software and on device) for example to disable routing of all data via an intermediate node.   This indirect connectivity should also be in the priority list, maybe as the last-resort.
    My Wifi has a stateful firewall back to the LAN.  That is the LAN can access Wifi freely but the Wifi can not access the LAN freely.  So what protocol/ports need to be open ?  Or does the PC side always initiate the connectivity ?  With the Wifi and the LAN can access the Internet freely.
    What is the system tray, BlackBerry Device Manager for ?  what is the "Bypass Router Configuration" about ?  and port 4101 ?  is this a BES/Enterprise feature ?
    I am thinking in here I should be able to configure MULTICAST enable and also setup various static IPs my PC can connect to where my Z30 device might be, including IPv6 IPs.

    I cannot answer all your concerns but I can answer some.
    Here is some limited info on port 4101......http://docs.blackberry.com/en/admin/deliverables/25735/BB_Router_ports_connection_types_566661_11.js...
    The System Tray BlackBerry Device Manager is used to see and save to PC the data on your phone when your phone is connected via USB.
    Here is additional info which may or may not help:   http://btsc.webapps.blackberry.com/btsc/viewdocument.do?noCount=true&externalId=KB13366&sliceId=1&do...

  • WLSM, mGRE tunnels and Native VLAN

    I understand that to be able to use mGRE tunnels, all that is needed from the AP is to have IP connectivity. If the AP connects to a port on a switch, and that port is on VLAN 196, for instance, will the following setup allow me to connect to that VLAN over wireless, and at the same time allow other users (through the use of the other SSID) to connect to a network that's on a mobility group?
    I've tested it already and it works. I just want to know if there are any drawbacks, or if it's not recommended. etc...
    interface Dot11Radio0
    encryption mode wep mandatory
    ssid vlan196
    authentication open eap eap_methods
    authentication network-eap eap_methods
    ssid public
    authentication open eap eap_methods
    authentication network-eap eap_methods
    mobility network-id 100

    I had a look at your configuration and it looks good. I think this is the best way of doing this and will work without any issues. You can go ahead and implement this setup.

  • Can I use non-native VLAN for AP management (BVI100 vs. BVI1)

    Owning AIR-AP1121G-E-K9 and AIR-AP1131AG-E-K9, with IOS 12.3.8JA2, want to migrate AP (wired) management from native VLAN1 to tagged VLAN100.
    Management VLAN must not be accessed by WiFi devices.
    Tried to configure fa0.100, bridge 100 and BVI 100 instead of fa0.1, bridge 0.1 and BVI1, reloaded and AP is working, but doesn't respond to management.
    Tried to use simple L3 fa0.1, but int is not reachable from outside.
    Any suggestions?
    Thank you very much
    Flavio Molinelli

    The management VLAN must be the Native VLAN ... it doesn't have to be VLAN 1, but whichever VLAN you declare as Native will be the Management VLAN (at least as far as the AP is concerned) ...
    Some switches / routers permit the management and Native VLANs to be different ... verify that both are configured and matching on both ends (AP and switch / router).
    Good Luck
    Scott

  • About the Native Vlan and Management Vlan.

    I wanted to know whether the Management vlan and Native vlan can be different vlan ids or whether both should be the same vlan id. Why should the native vlan not be 1?

    The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
    It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
    Native Vlan is the vlan which will be sent untagged even on trunk links. Consider a trunk link configured between two switches SWA and SWB; if a system in vlan 1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles it accordingly. By default the native vlan is 1; this can also be changed as per requirement.
    Example: In the below figure, if an IP phone and a system are connected to a switch port as below, the phone will send its frames tagged with vlan 10 whereas the frames sent by the system will be untagged. So here the corresponding switch port should be configured with native vlan 20, so that it can recognise and handle the frames from the system and IP phone properly.
    Management vlan is different; it means that this vlan will be used for management purposes: logging into the switch for management, monitoring the switch, collecting syslog and SNMP traps, etc. will be done via the management vlan IP. This is also by default vlan 1 in Cisco. So as Antony said, it is always a best practice and security measure to not use the default vlan and use custom vlans.
    Hope this helps !
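
The recommendations in the Fabric interconnect thread and in the answer above (native VLAN not left at 1, native VLAN kept off the trunk's allowed list, management not on VLAN 1) can be checked mechanically. This added example is not from the posts or from Cisco; it audits a constructed IOS-style config, and its rule names, interface names and addresses are assumptions.

```python
import re

# Constructed sample config modelled on the trunks discussed in the threads;
# interface names and documentation-range addresses are made up.
SAMPLE_CONFIG = """\
interface Ethernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 1,10,100
!
interface Ethernet1/2
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,100
!
interface Ethernet1/3
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,100
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
 no shutdown
!
interface Vlan100
 ip address 198.51.100.10 255.255.255.0
"""


def expand_vlans(spec):
    """Expand a VLAN list such as '1,10,100-102' into a set of ints."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config):
    """Split a config into {interface name: [indented stanza lines, stripped]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"interface\s+(.+)$", line, re.I)
        if m:
            current = stanzas.setdefault(m.group(1).replace(" ", ""), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the stanza
    return stanzas


def audit(config):
    """Return (interface, rule) findings; rule names are labels invented for this example."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        text = "\n".join(lines)
        if re.search(r"^switchport mode trunk$", text, re.M):
            m = re.search(r"^switchport trunk native vlan (\d+)$", text, re.M)
            native = int(m.group(1)) if m else 1  # VLAN 1 unless configured
            m = re.search(r"^switchport trunk allowed vlan ([\d,\- ]+)$", text, re.M)
            # No plain list ('add'/'remove' forms are not handled): assume all VLANs.
            allowed = expand_vlans(m.group(1)) if m else set(range(1, 4095))
            if native == 1:
                findings.append((name, "native-vlan-1"))
            if native in allowed:
                findings.append((name, "native-vlan-allowed"))
        elif name.lower() == "vlan1" and "shutdown" not in lines \
                and any(l.startswith("ip address") for l in lines):
            findings.append((name, "mgmt-on-vlan-1"))
    return findings


if __name__ == "__main__":
    for name, rule in audit(SAMPLE_CONFIG):
        print(f"{name}: {rule}")
```

Trunks facing autonomous APs, where the posts above state that the native VLAN must also be the management VLAN, will trip the native-vlan-allowed rule and need a documented exception.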
