Multiple VLAN's and relaying DHCP on two stacked SGE2000-G5 Switches

We have been set the task of securing a small managed office system which is currently set up with a standard switch allowing each of the offices (containing different companies) to see each other, and in some cases, access each other's documents across the network.
Obviously this is a far from adequate setup and our aim is to isolate each office using VLANs but share a common internet connection provided by the managed offices.  We have two Cisco SGE2000-G5 layer 3 switches but we are new to Cisco equipment and VLANs so we are not quite sure how to implement this.  DHCP would need to be provided by a Router, there is no Server.  We are open to suggestions on the Router as we have yet to purchase one.
I hope someone can be of assistance.
Many thanks,
Jim

We will be using the SGE2000-G5 switch which supports Layer3.  You suggested the following routers the other day, do these support Option 82?
wireless
RV120W - good feature set wireless
WRVS4400N - has gigabit speed ports as well as simplified webGUI
RV220W - most features with gigabit speed ports
wired
RV042 - dual WAN with port-based vlans
RVS4000 - Gigabit speed ports
Thanks,
Jim

Similar Messages

  • Multiple-point Hardware And Software Failures in Two, Separate and Not-connected Computers At The Same Time...

    A few days ago, I was working on a restoration of a 100-years-or-so-old Calculus book on one of my Linux based computers, while my other computer with the Microsoft Windows Vista operating system was serving as Broadcast TV receiver with its USB HDTV tuner
    in the afternoon.  The weather in Los Angeles was summer-like in November, with clear skies and 90 degree Fahrenheit temperatures.  All of a sudden, my Linux based computer halted in the middle of the processing it had performed hundreds of times
    before in hotter days.  It would not restart.  The entire boot block of the disk seemed to have been garbled.  This did not seem even feasible at all, so I decided to shut its power off for a while.   It came back up after a while,
    and everything looked normal.  Then, it did the same thing again.  I decided to open its cover and check on its multiple fans as there was nothing else that could go wrong.
    I then noticed that the computer with the Microsoft Windows Vista Operating system which had been receiving the broadcast TV, was displaying a freshly-booted log-in screen.  It had "Blue-screened" while I was working on the other computer
    across the large room.  This again did not seem any feasible as there had been utterly no connection between these two computers.  Even the AC power line circuit was different.  Furthermore, this computer had the most extensive air-cooling system
    I had built to have it work through 107 degree Fahrenheit temperatures indoors.  Anyway, I logged back in and started the broadcast TV reception again.  Sure enough, after a while it "blue-screened" one more time...
    I went back to the Linux-based computer and found all of its fans operating, but with somewhat hotter disk drives.  The problem was that in hotter days, the same computer had cooler disk drives with nothing different.  I concluded that somehow
    the 80 mm fan mounted in the front side of the case, with its side with rotating blades clamped on the perforated part of the steel case serving as the fan grill, was starting up fine.   But, as the time passed the spring-loaded rotating hub was slowly
    drawn toward the perforated steel case by two means: The partial vacuum formed by the suction generated by the blades of the fan, and by the magnetic attraction of the rotating hub with electro-magnets in it to the partially magnetized, perforated steel casing.
      The first effect was always there, so it was not the real cause, but once something else came along, it really helped the latter.  The hub was slowly drawn to the perforated steel casing due to magnetic attraction, with the holes in the casing
    inducing a huge air-drag on the hub blades as there was no by-pass around to supply the extra-air needed to reduce the partial vacuum.  In addition, the rotating hub with the electro-magnets now was very close to the conducting metal surface and the induced
    eddy-currents in the metal by the moving electro-magnets had added even more drag on the rotating hub, causing it to come nearly to a halt.  The disk drive electronics was heating up and was causing DMA access faults which in turn caused the Linux kernel
    to panic and halt.
    Well, this was nearly unbelievable, but true...  I had not brought any magnets into the room and I still do not know how the computer case got magnetized.  It has been working at the same location for years.  The solution was to move the fan
    away from the perforated steel casing a little so that some air could come in through the gaps on the sides of the fan (hence supplying a by-pass), reducing the partial vacuum in front of the fan.  This kept the rotating hub far enough away to prevent
    the massive induced eddy-current drag from slowing the fan down to a halt.  The computer now works perfectly with the very same fan as it has been doing for years. 
    The real solution is to saw the perforated part of the steel casing in front of the fan away, and to replace it with a better fan grill.  The best fan grill material  I have found is the finely perforated, thin, black aluminum sheet that is usually
    used as a car audio speaker grill.  In fact, I use these in my Microsoft Windows Vista based computer.  The fans are quieter, with more air flow.  It also keeps dust away and you can brush the collected dust off easily.
    The next problem was the halting of  the computer with the Microsoft Windows Vista operating system with a blue-screen.  The fans in it could not be the cause of this, as it had already had the best improvements I could put in it,  with even
    externally powered fans that did not load  the computer power supply.  And, all of the fans were working well.  In the meantime, the Microsoft November 2014 updates for the Microsoft Windows Vista came out, and as usual I told the computer to
    load and to implement them.  Sure enough, the computer again "blue-screened" in the middle of the update procedure.
    That was somewhat too much, but there was nothing else I could do other than to debug it.  I had not changed anything in the computer and its power supply, completely internally updated by myself a few years ago, was working perfectly.  Whatever
    was causing it was not in the hardware.  It was not in the November 2014 software updates either as it "blue-screened" before those were announced.  I brought the computer back up after several disk and other software checks and after the
    completion of the updates,  I gingerly turned the network modem on.  I then sent the reports on the six failures (three "blue-screen" type failures and three "Anti-malware Executable" failures) to Microsoft with all of the details
    requested using the Microsoft Windows Vista problem reporting system.  Within minutes, the Microsoft came up with a diagnosis that the USB driver code in the system had a serious bug.  I had not changed this code in years.  It suggested that
    I should use the "Microsoft Fix-It" for this problem and it pointed to a link to download it.  I did download it.  It ran and the "blue-screen" problem just went away, as if it had never been there...
    -- Yekta

    I ordered the capacitors on Friday and they arrived on Monday, November 17, 2014.  I removed the motherboard from the machine, by removing all PCI and AGP boards, drive and fan connectors and the computer power supply first.  The motherboard then
    simply unbolted from the case and came out with the CPU fan assembly still attached.
    I wrapped the solder side of the motherboard with aluminum foil and set up a work place with the aluminum foil under the motherboard and myself electrically well grounded.  Here came another surprise:  There were four more capacitors of the same
    kind just behind the CPU fan assembly and their tops were also deformed with one of them leaking the electrolyte inside from the top.  Luckily, I had ordered more than two capacitors to get the quantity discount and the lower rate of shipping. 
    I do use them in other circuits I occasionally build.
    Technically, the only thing one needed to do was to unsolder the six old capacitors from the motherboard and to solder six new ones in their place with the correct polarities.  However, due to the fact that the capacitors span the 3.3 V power plane and
    the ground plane in the multi-layer motherboard, it is nearly impossible to unsolder these capacitors using regular, fine-tip soldering irons.  The thick copper of the power and the ground planes carry the soldering iron heat away very fast, preventing
    the solder from melting quickly.  Continuous application of heat at this point will simply burn the internal insulating epoxy layers and cause shorts inside the motherboard which are impossible to fix in any reasonable amount of time.
    The only reasonable way to remove these capacitors was to dismantle the capacitors from the top leaving their already soldered leads in place.  The new capacitors were then tack soldered to these stubs using lead-free, hard solder.  However, the
    CPU fan assembly and the CPU itself had to be removed from the board to be able to work on these capacitors.
    To dismantle the capacitors from the top, I first drilled small holes at the tops of the capacitors at the intersections of the indentations using the tip of a hobbyist's knife.   I then used needle nosed pliers to peel back the triangular sections
    of aluminum from the center at the tops to their bases at the top edges of the capacitors.  Next, I  removed the plastic layers covering the outside of the capacitors by scoring the plastic layers first from the bottom to the top using the tip of
    the hobbyist's knife and peeling the plastic layers off starting at the cut.  The following step was to cut the aluminum cans of the capacitors from the top to the bottom using the hobbyist's knife like a can opener.  One could not use a saw like
    tool here to accomplish the feat as the saws generated very fine metal chips which were very hard to remove and were certain to cause shorts in the densely populated mother board.  The cans were then peeled off the rest of the capacitors starting from
    the top at the cuts using needle nose pliers, revealing the spiral-wound metal-paper layers of the capacitors.
    The wound layers of the capacitors were peeled off layer by layer by cutting into the layers from the top to the bottom, leaving only the two aluminum electrodes which were crimped and soldered to the leads of the capacitors.  The picture below shows
    the six capacitors with one of them dismantled (left) and with all of them dismantled (right):
    The  black disks below the aluminum electrodes are the rubber plugs covering the bottoms of the capacitors.  The rubber plugs were then cut in half using the hobbyist's knife and removed using the needle nose pliers.  It was not possible to
    solder to the aluminum electrodes, so these were trimmed at the point they were crimped on the leads of the capacitors, leaving only the stubs of the capacitors' leads soldered to the motherboard.
    The new capacitors with suitably trimmed leads were then soldered to these stubs with the correct polarities using lead-free, hard solder.  The capacitors were lightly bonded together using a flexible glue to prevent them from moving.  The picture
    below shows the new capacitors as installed into the motherboard:
    I then assembled everything back together and turned the computer on.  The BIOS complained on the boot screen that the CPU was out of its socket and it needed to be reset.  I set BIOS parameters correctly to their original values.  The computer
    came up and worked without any problems.  I typed this message on  my newly repaired computer running the  Microsoft  Windows Vista operating system. 
    By the way, the manufacturing date on the motherboard is 09/12/2002 and the CPU is a Socket-478, 2.4 GHz, Intel Pentium-4.
    -- Yekta

  • Multiple VLAN's and -A- Bridging on AP1240AG, ver123-8.JA2

    We have a detached building to bridge to. Using the latest JA2 software, configured the A-Radio on the WLAN side as a root bridge, and in the detached building the A-Radio as a non-root bridge. A Cisco 3500 switch resides at both ends connected via BVI1. The switch ports are trunked. VLAN 64 is native. VLAN 172 is IPVoice (7920 B Radio). We only want the two VLANs but maybe 3 SSIDs (inside, bridge, phone). Want to use VLAN 64 to bridge on the A side and provide IP access on the G side. Want to use VLAN 172 for voice only on the G side. Can't get it to work properly where I can ping the switch on the non-root side without using a telnet session from the non-root AP. Need a working config segment for Interface DotRadio1 (both ends). MAC or WEP encryption both acceptable on the bridge configuration.

  • Multiple scopes and multiple VLANS

    What am I missing here, probably a lot?  Goal: Create 3 scopes within WS 2012R2. 1. Default network (192.168.1.0…Range .100-.254) 2. Network for IP Camera system (192.168.2.0…Range .100-.254) 3. Guest Network (192.168.3.0…Range .100-.254). 
    Scopes are already created and the default network is operational.
    Equipment:  WS 2012R2(DNS 192.168.1.5), Cisco RV042(Internet Gateway 192.168.1.2), Qty. 2 ISP’s modems bridged feeding the RV, Cisco SF200-24FP (192.168.2.1 Poe for IP cams), Netgear JGS524E (Not Managed, Default network switch).
    Configuration:  the RV is checked as a gateway, with multiple subnets engaged and the subnets have been added. DHCP Relay is engaged and pointed at the DNS Server IP. Port configuration: Ethernet Ports 1&2 VLAN1, Port 3 VLAN2,
    Port 4 VLAN3.
    Problem:  When I connect PC to either VLAN 2 or 3, I do not get a DHCP of 2.100, or a 3.100 I get a 1.100. 
    Basically why does the server not issue the proper IP when I am connected to VLAN 2 or 3? 
    So if I static my machine to 2.100 with gateway 192.168.2.1, and DNS 192.168.1.5 I connect to the network, cannot surf and get error “cannot communicate with primary DNS server 192.168.1.5”.  In closing how does the server know that IP range
    2.100-.254 is supposed to be VLAN 2?

    Hi,
    Please try to perform a network capture on the DHCP server.
    We can check the giaddr field in the DHCP DISCOVER message. This field contains the relay agent's IP address; the DHCP server uses this field to find the suitable scope for the client. This field should be set to the IP address of the VLAN interface (the
    gateway of the VLAN).
    If this field is set to any IP address in subnet 192.168.1.0, the client will get the IP address from your first scope.
    If this field is set correctly, please check if there is any related warning in the event viewer of the server.
    Best Regards.
    Steven Lee
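
The giaddr check described in the answer above, as an added example (not code from the thread or from Microsoft): it parses a DHCPDISCOVER payload, reads giaddr, and applies a simplified model of scope selection. The scopes, the server address 192.168.1.5, the gateway 192.168.2.1 and the RV042 address 192.168.1.2 come from the question; the packets, the MAC address and all function names are constructed for illustration.

```python
"""Model of DHCP scope selection by giaddr (added example, constructed data)."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the options

# Assumptions taken from the question: three /24 scopes, server at 192.168.1.5.
SCOPES = [ipaddress.ip_network(n) for n in
          ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")]
SERVER_IP = ipaddress.ip_address("192.168.1.5")


def build_discover(mac, giaddr="0.0.0.0", hops=0, xid=0x1234ABCD):
    """Build a constructed DHCPDISCOVER payload as a relay would forward it."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, hops,            # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,           # xid, secs, flags (broadcast bit set)
        bytes(4), bytes(4), bytes(4),             # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,      # giaddr, set by the relay
        bytes.fromhex(mac.replace(":", "")),      # chaddr (padded to 16 bytes)
        bytes(64), bytes(128))                    # sname, file
    return header + DHCP_MAGIC + b"\x35\x01\x01" + b"\xff"  # option 53 = DISCOVER


def parse_dhcp(payload):
    """Parse the fixed BOOTP header and the options of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    op, _htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:     # 255 = end option
        if payload[i] == 0:                           # 0 = pad, no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        options[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return {
        "op": op, "hops": hops, "xid": xid,
        "giaddr": ipaddress.ip_address(payload[24:28]),
        "chaddr": payload[28:28 + min(hlen, 16)].hex(":"),
        "msg_type": (options.get(53) or b"\x00")[0],
        "options": options,
    }


def select_scope(msg, scopes=SCOPES, server_ip=SERVER_IP):
    """Simplified server behaviour: match giaddr against the scopes; when
    giaddr is 0.0.0.0 the request arrived unrelayed, so the server's own
    subnet is used. Returns None when no scope matches (no OFFER is sent)."""
    key = server_ip if int(msg["giaddr"]) == 0 else msg["giaddr"]
    return next((net for net in scopes if key in net), None)


def check_relay(payload, vlan_gateway):
    """Compare giaddr in a captured DISCOVER with the expected VLAN gateway."""
    msg = parse_dhcp(payload)
    scope = select_scope(msg)
    return {"giaddr": str(msg["giaddr"]),
            "scope": str(scope) if scope else None,
            "relay_ok": msg["giaddr"] == ipaddress.ip_address(vlan_gateway)}


if __name__ == "__main__":
    mac = "02:00:00:00:02:64"   # constructed, locally administered MAC
    cases = {
        "relay stamps VLAN 2 gateway": build_discover(mac, "192.168.2.1", hops=1),
        "relay stamps its VLAN 1 address": build_discover(mac, "192.168.1.2", hops=1),
        "broadcast reached server unrelayed": build_discover(mac),
    }
    for label, pkt in cases.items():
        print(f"{label:36s} -> {check_relay(pkt, '192.168.2.1')}")
```

The second and third cases both land in the 192.168.1.0/24 scope, which is the symptom reported in the question; an unrelayed DISCOVER from a VLAN 2 port also means the VLANs are not separating broadcast traffic.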

  • Windows DHCP Server and Linux DHCP Relay Agent

    We are trying to organize a VLAN (say VLAN 1) for guests who must be assigned IP addresses from a DHCP server in a different VLAN (VLAN 2). This DHCP server is configured with two scopes - 172.16.0.0/24 (for VLAN 2) and 172.16.4.0/24 (for the Guests
    VLAN 1). The DHCP server successfully distributes addresses to clients in its VLAN (it has the IP address 172.16.0.2). For the clients in the other VLAN a DHCP Relay Agent has been setup on the router. It is DHCRELAY running on Linux (CentOS) which has
    been configured to accept the DHCPDISCOVER broadcasts coming on the VLAN1 interface of the router and forward these to the DHCP server. The IP address of the VLAN1 interface of the router is 172.16.4.254 and on the VLAN2 interface - 172.16.0.254
    The problem is that the DHCP server won't respond with a DHCPOFFER message to the relay agent. I have traced the frames on the router and on the DHCP server. They arrive on the DHCP server with the correct GIADDR of the relay agent. According to all documentation,
    if a scope has been configured on the DHCP server and it receives a unicast message with the GIADDR set by a relay agent that matches one of the configured scopes, the DHCP server must send a unicast DHCPOFFER to the relay agent. But it doesn't.
    Here is what Wireshark reports (ignore the Destination port unreachable messages, the DHCP service was stopped at the time Wireshark was running)
    When the service is running, there are just DHCPDISCOVERs - no OFFER. You can see that the server has the two scopes configured:
    The relay agent seems to work normally - it forwards the DHCPDISCOVERs to the server continuously (tried many times with ipconfig /renew on the client).
    I read many posts about this problem. Some users had other services running on the DHCP server that used the DHCP port, but I don't have such an issue (you see that when the service is stopped, an ICMP port unreachable is sent which is correct). Others however
    did not find a solution. Am I missing something? Is there something specific when using the DHCRELAY agent from DHCPD? Can I turn on some verbose logging to track this down? Thanks in advance.

    With DHCP, there is really nothing to configure. If the Relay Agent/IP Helper is pointing to it, and the VLAN subnet exactly matches the scope subnet, then it should just work.
    What I've seen in the VLAN config is either a static route back to the subnet the DHCP server itself is sitting on is not configured or incorrectly configured, or there are ports blocked (need UDP, too, since that's what DHCP uses to pass the OFFER), and
    other necessary ports are opened, then it should just work.
    Sometimes NIC teaming on the DHCP server will cause it. Not sure. Microsoft doesn't support teaming prior to Windows 2012, but it doesn't mean that it doesn't work. Don't get me wrong, teaming works nicely, but they just don't support it because they never
    certified the drivers, that's all.
    The issues I've seen with DHCP relays and VLANs in the forums are usually based on misconfigs in the VLAN or ports blocked. Sometimes we'll refer to call Microsoft Support for specific, hands-on assistance. And searching the threads, from what
    I've found that if they did call support, they've never posted back what the problem was based on or the resolution. I can post a couple of them for you to read through, but there were never any response with the actual resolution.
    If you like, you also have the option to contact Microsoft Support. Here's a list of phone numbers if you choose this option:
    http://support.microsoft.com/contactus/
    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
    This post is provided AS-IS with no warranties or guarantees and confers no rights.

  • DHCP Setup across multiple VLANs on RV325 - DHCP Server only working on VLAN 1

    I have multiple VLAN subnets defined on my RV325 - when I try and utilize a DHCP Server on each VLAN, it only seems to be issuing IP Addresses to clients on VLAN ID 1.  When I first set this up months ago, I thought I had tested it providing IP Addresses via the other subnets.  Now that I am trying to do so, it isn't working "as expected".  Example - I am using VLAN 25 as the GuestWireless subnet utilizing a separate 802.11n WAP that is set to Bridge connections to the IP Address of the VLAN interface.  Devices are able to connect to the WAP, but end up with a self-assigned IP Address 169.x.x.x address.  There has to be an easy fix to this, but I seem to be "stuck" figuring out what it is…pointers/redirects appreciated.  Thanks!

    Thanks - I've already reviewed that information before I posted.  I've been working with DHCP since the mid-90's, so I'm comfortable with the settings/configuration I need to leverage to make this work via other means using various Network-based OSes.
    I'm wondering if there are other options in configuring this device that can impact the ability to dynamically serve IP addresses on a VLAN/subnet-by-VLAN/subnet basis.
    As I did more testing, I discovered when I reserved an IP Address via the IP & MAC Binding option within the DHCP Settings, those devices would receive their static reservations and work as expected, so the problem seems to be leveraging the DHCP Pool for devices connecting to VLANs other than VLAN 1.
    Any ideas as to why the DHCP Pool's are "non-functioning" for the other VLANs is greatly appreciated...
    Each VLAN is setup with a separate DHCP Server configuration as shown below:
    VLAN ID = 1 (Default, Inter VLAN Routing = Enabled, LAN1-6 = Untagged, LAN7=Tagged, LAN8=Excluded, LAN9-14 Untagged)
    Device IP Address = 172.16.xxx.1
    Subnet Mask = 255.255.255.0
    DHCP Mode = DHCP Server
    Remote DHCP Server = 0.0.0.0
    Client Lease Time = 1440 min
    Range Start = 172.16.xxx.100
    Range End = 172.16.xxx.199
    DNS Server = Use DNS as Below
    Static DNS 1 = 208.67.222.222
    Static DNS 2 = 208.67.220.220
    WINS Server = 0.0.0.0
    Correctly serving IP Addresses via DHCP (both static and dynamic) to Wired devices & Wireless devices connecting through WAP (set to Bridge)
    VLAN ID = 25 (GuestWireless, Inter VLAN Routing = Disabled, LAN1-LAN7 = Excluded, LAN8 = Untagged, LAN9-14 = Excluded)
    Device IP Address = 172.16.yyy.1
    Subnet Mask = 255.255.255.0
    DHCP Mode = DHCP Server
    Remote DHCP Server = 0.0.0.0
    Client Lease Time = 1440 min
    Range Start = 172.16.yyy.100
    Range End = 172.16.yyy.199
    DNS Server = Use DNS as Below
    Static DNS 1 = 208.67.222.222
    Static DNS 2 = 208.67.220.220
    WINS Server = 0.0.0.0
    NOT serving dynamic IP Addresses via DHCP to Wired devices & Wireless devices connecting through WAP (set to Bridge)
    Static DHCP Reservations setup via IP & MAC Binding settings DO WORK in terms of providing the assigned static IP Address to the client.  Inbound/Outbound traffic to Internet works for devices with Static DHCP Reservations.
    VLAN ID = 100 (Voice, Inter VLAN Routing = Disabled, LAN1-6 Excluded, LAN7 = Untagged, LAN8-14 = Excluded)
    Device IP Address = 192.168.zzz.1
    Subnet Mask = 255.255.255.0
    DHCP Mode = DHCP Server
    Remote DHCP Server = 0.0.0.0
    Client Lease Time = 1440 min
    Range Start = 192.168.zzz.100
    Range End = 192.168.zzz.199
    DNS Server = Use DNS as Below
    Static DNS 1 = 208.67.222.222
    Static DNS 2 = 208.67.220.220
    WINS Server = 0.0.0.0
    NOT serving dynamic IP Addresses via DHCP to Wired devices & Wireless devices connecting through WAP set to Bridge
    Static DHCP Reservations setup via IP & MAC Binding settings DO WORK in terms of providing the assigned static IP Address to the client.  Inbound/Outbound traffic to Internet works for devices with Static DHCP Reservations.

  • Multiple vlans configuration issue with RV016 router and SG 300-10MP switch

    Hi,
    I have to configure multiple vlans served with a unique DHCP server. As a first step, I just want the DHCP server to serve 2 vlans. The following is the hardware and configuration that I implemented:
    Router (RV016 10/100 16-Port VPN Router) as gateway mode:
    IP : 172.16.0.1/24
    DHCP Server :
    IP : 172.16.0.2/24 GW: 172.16.0.1
    2 subnets :
    172.16.1.0/24 GW: 172.16.1.1 to serve vlan 1
    172.16.2.0/24 GW:172.16.2.1 to serve vlan 2
    Switch (SG 300-10MP 10-Port Gigabit PoE Managed Switch) as layer 3 mode:
    IP 172.16.0.254 (vlan 8 default)
    Vlan 1 : 172.16.1.1
    Vlan 2 : 172.16.2.1
    1 device connected on each vlan
    a workstation on the vlan 1
    a laptop on the vlan 2
    In this scenario (see the attached pdf file) the DHCP server is connected to a router, and hosts on the vlans don't receive any IP address.
    But If I connect the DHCP server on a trunked switch port and adapt the DHCP server gateway 172.16.0.1 to 172.16.0.254, hosts receive ip address properly.
    I have to connect the DHCP server directly to the router. How can I do that, what is wrong in the configuration ?
    I hope the explanations are clear enough and my English too
    Any help will be highly appreciated,
    Zoubeir

    Hi Eric, the small business group doesn't support the ASA config, but  I can help with the switch.
    A couple things I notice in your description-
    48 port (192.168.1.254) and the other 24P (192.168.1.253)  we have a  second vlan 20 set up on the 24P switch (192.168.2.253)  we have ports  1-12 set for vlan20 (untagged and trunk), the remaining ports on the  default vlan 1.
    The connection between the switches, is it 1u, 2t?
    The link between the switches should be 1u, 2t, the switches support the trunking and vlan tagging, meaning all communication will work fine.
    We have the 24p and 48p switches connect using GE1 and GE1.  We are unable to ping a device on vlan 20 ( on the 24p switch
    The 24p switch should be in layer 2 mode, if you have the 48 port l3 switch upstream. Additionally, you need to have the default gateway set on the 24p switch.
    We have a static route set on the 24p switch (0.0.0.0 192.168.1.0). 
    Between the switches, it shouldn't require any static routes, assuming you correctly trunk / tag your ge1 ports, with both switches operating in l3, the ip route table dynamically builds the connected routes, therefore a static route is redundant.
    -Tom

  • Bridging multiple VLAN with sg 200-08 and wap321

    Hi all
    Equipment:
    ASA 5505
    2x gs 200-08
    2x wap321
    Is there a possibility, to bridge 2 VLAN between one and another side with two WAP 321 and use the AP's also as WDS Bridge to extend the Wireless Network?
    I need to extend the Range of the WLAN but also want to use 2 different VLAN on both sides of the network. There is no Possibility to establish a wired Connection, so i try to use the AP's in "workgroup bridge" mode, but i always can use only one VLAN on the other side.
    Thanks for any help

    Hi Luis
    The Problem is, there is no wired connection between the WAP321.
    The topology is like this:
    VLAN1------ASA5505--  --SG200-08---------WAP321             WAP321--------SG200-8-------VLAN1
                                                 I                                                                                                 I
    VLAN2---------------------------                                                                                               -----------VLAN2
    VLAN1 and VLAN2 are also available in the WLAN on 2 Different SSID's:
    SSID: inside -> VLAN1
    SSID: outside -> VLAN2
    If I understand the Cluster mode right, there is a wired connection required between the WAP321.
    In meantime i tried to connect the WAP321 over WDS, but always only VLAN1 is available on the "right" side of the Network.
    Is there a Possibility, to Bridge multiple VLAN's over a WDS connection?
    Best Regards
    Dominique

  • Remote APs with multiple vlan / dhcp

    On one of our 5508 controllers we have approx 40 APs, about 20 local and 20 flexiconnect. Until now we have only had one vlan on the flexiconnect APs, but our local APs have several SSIDs connecting to different Vlans and assigned different dhcp addresses correctly.
    We now have the need to have multiple SSIDs on some sites being assigned different IPs.
    I have created the interfaces, with the correct ip and dhcp server, linked with the correct AP group. The SSID is shown and can be connected, but the original ip is being assigned and not the new range.
    I have not yet created any security policies so the new range has full access to the entire network and the controller can ping the new remote vlans.
    If i hard connect to the switch on the new vlan, I am assigned the correct new IP range, so this is working.
    I cannot see why devices connected to the new SSID are not being assigned the correct IP range.

    You need to review the FlexConnect configuration guide. You need to trunk the ap port if more than one vlan is required, you also need to enable FlexConnect local switching in the WLAN, you need to also define the WLAN to vlan mapping on each FlexConnect AP.
    It varies depending if you want to place traffic locally at the site or tunnel it back.
    https://supportforums.cisco.com/docs/DOC-24082

  • Multiple DHCP on Multiple VLAN not working

    Hi there;
    In my core network switch, I have multiple VLANs, I have these command to assign to DHCP pools.  I configured a port on my core switch for DMZ_VLAN and when I connect my computer to this port, I can get the ip address from the dmz_vlan dhcp pool.  Because I assigned an IP address to the interface of vlan 192, then I found that one of my server "192.168.0.100" connection dropped, I cannot ping this server on the dmz VLAN, and it cannot provide the http service as usual until I remove the "interface vlan 192" from the switch.  Why?  However; without this command, I cannot receive the 192.168.0.0 network IP from the pool.
    ip dhcp pool data_vlan1
     network 10.10.1.0 255.255.255.0
     default-router 10.10.1.1
     dns-server 10.10.1.100 10.10.1.101
     domain-name company.local
     lease 7
    ip dhcp pool dmz_vlan
     network 192.168.0.0 255.255.255.0
     default-router 192.168.0.1
     dns-server 8.8.8.8 4.2.2.2
     domain-name company.com
     lease 7
    interface vlan 10
     ip address 10.10.1.254
    interface vlan 192
     ip address 192.168.0.254

    Sorry for the delay as I got busy with work. If your layer 3 switch is the default gateway for VLAN 192 then the default-router for the DHCP scope should be the IP address of the layer 3 switch interface (192.168.0.254). With that being said, the FW DMZ_192 interface, the switch SVI for VLAN 192  and the DMZ server should all be in the same broadcast domain, thus they should be able to reach each other.
    So, can you confirm with me exactly what does not work on the server configured with VLAN 192 and a static IP? For instance, 
    1. Can you ping the server from the L3 switch
    2. Can you ping the server from the FW
    3. Can the server ping 192.168.0.1 and 192.168.0.254
    4. Can the server ping the outside world? For instance, www.google.com and 4.2.2.2
    5. Have you tried taking a test PC, connecting to the switchport configured for VLAN 192 and see if you get an IP address from the DHCP scope

  • Need help configuring multiple VLANs and SSIDs

    Hi,
    We bought a Cisco SGE2000P 24Port switch and 10 WAP4410N access points. Our intent is to provide a secure network to our LAN, and a guest network to the Internet.
    We are thinking 3 VLANs would be best for this: VLAN 100 connected to the LAN, VLAN 1000 for the Internet Router and Filter, and VLAN 1100 for the Guest Wireless access.
    We have the switch configured for all three of these, and 1 initial access point configured for the VLANS, too.
    We have not yet moved the current Internet connection to VLAN 1000 because we aren't sure how to setup routing between VLANS.
    Here are some specifics on how the traffic needs to route:
    1. We have the DHCP server, which is the PDC, handling both scopes for the LAN and Guest VLAN.
    2. The web filter in VLAN 1100 needs to authenticate with the DHCP server as there are different filter rules based on authenticated user. Any users coming from VLAN 1100 will have a default filter rule without requiring any authentication.
    3. Certain traffic coming in from the Internet needs to be able to get to VLAN 100. The router has a built-in firewall that handles NAT and port forwarding, so as long as traffic can be forwarded to VLAN 100 we should be good.
    4. Traffic on VLAN 1100 (guest Wireless network) should only be allowed to go to Internet (VLAN 1000).
    Right now I have the VLANs configured and the ports assigned to the Access Points are set for TAGGED and on VLAN 100 and VLAN 1100.
    The SGE2000P has the following IP addresses assigned to the VLANS:
    10.7.3.252 - VLAN 100
    10.7.40.254 - VLAN 1000
    192.168.254.254 - VLAN 1100
    Has anyone been able to setup a similar configuration? We have scoured the Internet for documentation but it seems to be very difficult to find!
    Thank you!
    Gary Smith

    Based on your description of a 'Hybrid Port' this sounds like Cisco's 'Multi-VLAN Port' that was a feature of the 2900XL/3500XL series switches. This feature has however long since gone......
    With a Cisco switch an access port supporting an Access VLAN & a Voice VLAN is effectively a Trunk with only one Tagged VLAN and the Native VLAN:
    interface FastEthernet0/1
     switchport mode access
     switchport access vlan 10
     switchport voice vlan 100
    This results in the same configuration as:
    interface FastEthernet0/1
     switchport mode trunk
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 10
     switchport trunk allowed vlan 100
    With the exception of CDP packets being sent advertising the Voice VLAN.
    With regards to other IP Phone vendors and DHCP Vendor Options - the answer is it depends....
    Nortel use Vendor Option 144 to inform the IP Phone of the Voice VLAN and Option 128 for the Server (PBX) to use. Ericsson uses Vendor Option 43 that can be configured to tell the IP Phone the VLAN and the Web server to read the config file from.
    I don't think you will get this working automatically with your 3Com switches, you can however manually configure the VLAN on the Cisco IP Phones.
    HTH
    Andy

  • Complex NAT and ACL issue with multiple VLANS

    Hello Forum. 
    We have about 12 different VLANS behind an ASA 5515-x. One of those vlans contains a webserver and a DNS server (different machines, different IP addresses). ASDM 7.1.3
    From outside the firewall, people need to be able to get to the webserver via http, https and a custom  port (3390). From outside the firewall, no one needs DNS access.
    From INSIDE the firewall, things are much more complicated. They need access to the DNS server from all VLANS and they need access to Webserver from all VLANS
    The VLANS themselves are defined on the core switches, not the ASA. The VLAN labels and network subnets increment by 5 (except in the first 5 numbers) and the VLAN subnets are equal to the VLAN name. So for example VLAN 10 is on the 10.10.10.x subnet, VLAN 20 is on the 10.10.20.x subnet, and so on. Each subnet is 24 bits.
    WHAT WORKS:
    Outside_in: http, RDP work fine. Pretty sure I will be able to get https myself, so not looking for help there.
    Inside_in: traffic from vlan 10 to vlan 5 works fine, but I think that is in part due to the any any allow rule on the vlan 10 interface. Apart from that, all vlans can get out to the web, but they cannot get proper DNS resolution or access the webserver across vlans.
    I have looked at the access lists, I have looked at NATting the DNS, but it is not working, and I am not sure why. Any assistance would be appreciated.

    Tried that, no joy. It said that the problem was a NAT issue, but I cannot figure it out. The NAT rule looks right, but is not because it doesn't work.

  • Creating multiple vlans across multiple switches

    Hi All,
    How should I create multiple vlans across multiple switches?
    For instance, I have two (primary/redundant) layer 3 (core) switches and four layer 2 access switches (Cisco 2960) for the hosts, and these are the vlans/subnets to be created. Should I do it in the core switches only and it would just propagate through the access switches via VTP?  Just trying to practice and learn. Any help will be greatly appreciated :)
    VLAN 100: [DHCP-workstations]
    172.26.4.0/24
    172.26.5.0/24
    VLAN 200: [Servers]
    172.16.1.0/24
    172.16.2.0/24
    VLAN 300: [Printers]
    192.168.129.0/24
    192.168.130.0/24
    VLAN 800: [Management for switches/routers]
    10.160.1.0/24

    Hi
    You will have the SVI on the core. Set a VTP domain, make one of the cores as VTP server and rest of the switches as VTP clients. Once you do this, you won't have to login into each switch and create a vlan locally. The vlans will be automatically advertised from the VTP server to all the VTP clients.
    Thanks
    Ankur
    "Please rate the post if found useful"

  • Multiple SSID With Multiple VLANs configuration on Cisco Aironet APs: Associated clients cannot obtain IP addresses

    Hi Surendra,
    I was just given this task to see how I can configure a second SSID for guest access in our environment.
    This is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG, and the CME router is also connecting to the ce520 switch. We only have two vlans: one for voice and two for data.
    Presently, there is no vlan configured on the AP because it is only broadcasting one SSID and wireless users get an IP from a Windows DHCP server on the LAN. The configuration on the ce520 switch port for the AP and other switches says the access vlan is the DATA vlan, which automatically becomes the native vlan for all trunk ports connecting the AP and other switches to the network.
    Now with this new requirement, I have done my research and I have configured the AP to broadcast both the production and the guest vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the PoE switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest SSID and I have added the ip helper-address on the guest vlan interface on all switches, while the Windows server remains the DHCP server for the production DATA vlan. I have confirmed that the AP and switches can ping the default gateway of the guest DHCP server, which is another interface on the firewall. I can now see and connect to all broadcasted SSIDs, but the problem is I am not getting IP addresses from either the production DHCP server or the guest DHCP server when I connect to the SSIDs one at a time.
    My AP config is attached below.
    Please tell me what I am doing wrong.
    Do I need to redesign the whole network to have a native vlan other than the data vlan?
    Does the access point need to be aware of the voice vlan?
    Does the native vlan on the AP need to be in bridge-group 1 or can I leave it in bridge-group 20?
    I will greatly appreciate your urgent response.
    Thanks in advance.

    Hi,
    As far as I know we don't set the ip helper address on the radio interface. It should be on the L3 interface of the corresponding VLANs, i.e.
    int vlan 20
     ip helper-address 192.168.33.xxx
    int vlan 60
     ip helper-address 130.20.1.xxx
    I'm assuming that you're using SVIs (int Vlan 20 and int Vlan 60) rather than physical interfaces. Also hope you have configured the switch port where this AP is connected as a trunk.
    Modify the AP config as below since you are using the data vlan as the native vlan:
    interface Dot11Radio0.20
     encapsulation dot1Q 20 native
    interface FastEthernet0.20
     encapsulation dot1Q 20 native
    Ideally your AP FastEthernet configuration should look like the below; not sure how you missed this, as it comes by default when you have multiple vlans for multiple SSIDs.
    interface FastEthernet0.20
     encapsulation dot1Q 20 native
     no ip route-cache
     bridge-group 20
     no bridge-group 20 source-learning
     bridge-group 20 spanning-disabled
    interface FastEthernet0.60
     encapsulation dot1Q 60
     no ip route-cache
     bridge-group 60
     no bridge-group 60 source-learning
     bridge-group 60 spanning-disabled
    Hope this helps.
    Regards
    Najaf

  • How to configure a port channel with VLAN trunking (and make it work..)

    We're trying to configure a port channel group with trunked ports to connect a NetApp HA pair. We want to create two data LIFs and connect them to the switch stack.  We are trying to create 2 data lifs, one for cifs and one for nfs that are on different vlans.
    We want the same ports to be able to allow multiple vlans to communicate. (trunked)
    These data lifs should be able to fail over to different nodes in the HA pair and still be able to communicate on the network.
    What this means is that we have to connect 4 ports each for each node in the NetApp HA Pair to the switches and create a port channel of some type that allows for trunked vlans. When we configure the ports, the configuration is as follows (below):
    We are only able to configure an IP on one of the vlans.
    When we configure an IP from another vlan for the data lif, it does not respond to a ping.
    Does anyone have any idea what I'm doing wrong on the Cisco switch?
    interface GigabitEthernet4/0/12
     description Netapp2-e0a
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,20,511,519
     channel-protocol lacp
     channel-group 20 mode active
    end
    interface GigabitEthernet4/0/13
     description Netapp2-e0c
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,20,511,519
     channel-protocol lacp
     channel-group 20 mode active
    end
    interface GigabitEthernet6/0/12
     description Netapp2-e0b
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,20,511,519
     channel-protocol lacp
     channel-group 20 mode active
    end
    interface GigabitEthernet6/0/13
     description Netapp2-e0d
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,20,511,519
     channel-protocol lacp
     channel-group 20 mode active
    end
    interface Port-channel20
     description Netapp2-NFS
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,20,511,519
     spanning-tree portfast
     spanning-tree bpduguard enable
    end

    Our problem was fixed by the storage people.  They changed the server end to trunk, and the encapsulation / etherchannel.
    I like all the suggestions, and they probably helped out with the configuration getting this to work.
    Thanks!
    interface Port-channel20
     description Netapp2-NFS
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,20,511,519
     switchport mode trunk
    interface GigabitEthernet4/0/12
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,20,511,519
     switchport mode trunk
     channel-protocol lacp
     channel-group 20 mode active
    interface GigabitEthernet4/0/13
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,20,511,519
     switchport mode trunk
     channel-protocol lacp
     channel-group 20 mode active
    interface GigabitEthernet6/0/12
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,20,511,519
     switchport mode trunk
     channel-protocol lacp
     channel-group 20 mode active
    interface GigabitEthernet6/0/13
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,20,511,519
     switchport mode trunk
     channel-protocol lacp
     channel-group 20 mode active
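
Added example (not part of the thread): a Python check for one visible difference between the two switch configurations posted above, a trunk allowed-VLAN list on the port-channel or its LACP members with no explicit `switchport mode trunk`; it also reports members whose allowed-VLAN list differs from the port-channel's. The configs are constructed from the thread's stanzas, trimmed to two member ports; `audit_bundle` is a hypothetical name.

```python
import re

# Constructed from the thread's first ("before") config, trimmed to two
# member ports and indented as in 'show running-config'.
BEFORE = """\
interface GigabitEthernet4/0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,511,519
 channel-group 20 mode active
interface GigabitEthernet6/0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,511,519
 channel-group 20 mode active
interface Port-channel20
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,511,519
 spanning-tree portfast
"""
# Same stanzas plus the 'switchport mode trunk' line the second config adds
# (the second config's other differences are left out of this sample).
AFTER = re.sub(r"(?m)^( switchport trunk allowed vlan .*)$",
               r"\1\n switchport mode trunk", BEFORE)

def audit_bundle(config, group):
    """Return (interface, problem) pairs for Port-channel<group> and its members."""
    ifaces = {name: {l.strip() for l in body.splitlines()}
              for name, body in
              re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M)}
    po = f"Port-channel{group}"
    members = sorted(n for n, cmds in ifaces.items()
                     if any(c.startswith(f"channel-group {group} ") for c in cmds))

    def allowed(name):
        return sorted(c for c in ifaces.get(name, ())
                      if c.startswith("switchport trunk allowed vlan"))

    problems = []
    for name in [po] + members:
        if allowed(name) and "switchport mode trunk" not in ifaces[name]:
            problems.append((name, "allowed VLANs set, no 'switchport mode trunk'"))
        if allowed(name) != allowed(po):
            problems.append((name, f"allowed VLANs differ from {po}"))
    return problems
```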
