Native VLAN and the "Black Hole"

While reviewing the configuration of a network that I'm supporting, it seems that the original design of the network has the black hole VLAN as the native VLAN.  At the least this seems incorrect, and possibly very dangerous, but I'm not exactly sure why or how to articulate that.  Can someone confirm or deny this suspicion?
In addition, I had two further questions regarding the practice of using a black hole VLAN:
1.  If you have any unused ports, it seems more practical to just admin down these ports instead of creating an unused VLAN.  Is there some added advantage to ALSO putting these ports in an unused VLAN (e.g. 999)?  If the port was needed, you can simply admin up the port, during which time you could also change any needed VLAN configurations.  In other words, you'd have to log into the device and make changes whether you went with the admin down method, the Black Hole VLAN method, or both.  So what's the point?
2. Assuming you do use the Black Hole VLAN as an added security method, I feel that including that VLAN in the "switchport trunk allowed vlan" command is counterproductive, but I'm not fully able to articulate why.  Can someone help me with this?
Thanks for any information or suggestions that you may have.

Assuming you mean a vlan for unused ports when you refer to a black hole vlan. If so the key things are  -
a) that vlan does not have a L3 vlan interface (SVI) for it as there is no need to route it
b) any unused ports are shutdown
if you follow the above then I can't see the danger in using the native vlan but I wouldn't do it regardless of that. I would have a dedicated native vlan and a separate vlan for unused ports.
To  my mind there should be no ports allocated to the native vlan (other than trunk ports obviously).
The benefit of using a dedicated vlan for unused ports is -
a)  it provides an additional level of security. People make mistakes and having to do multiple things to enable a port requires more attention than simply doing a "no shut" on the interface.
The more attention someone is paying the more likely they will get it right or at least the less likely they will make a mistake.
b) if you don't use an unused vlan you are leaving all the ports in the default vlan which is vlan 1 and this should be avoided as this vlan is overused already eg. switch control plane traffic is sent on this vlan for example and often the switch management interfaces are in this vlan.
As far as allowing the unused vlan on trunk links it is totally unnecessary and in fact you really don't want to do that. The idea of the unused vlan is for non communication so it would make no sense to allow it on trunk links.
In my last place of work we used vlan 998 as the unused vlan and vlan 999 as the native vlan.
Neither had an SVI for it.
If by black hole vlan you meant something else then please clarify.
Jon

Similar Messages

  • WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

    Hi
    We have app. 1500 accespoints in app. 500 locations. WLCs are WiSM2s running 7.4.110.0. The AP are 1131LAPs.In a FlexConnect configuration we use vlan 410 as native vlan and the ssid (LAN) also in vlan 410. This works fine, never had any problems with this.
    Now we have started use 1602 APs and the client connection on ssid LAN becomes unstable.
    If we configure an different ssid, using vlan 420 and native vlan as 410, everything works fine.
    I can't find any recommandations regarding the use of native vlan/ssid vlan
    Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug wittin 1602 accespoints?
    Regards,
    Lars Christian

    It is the recomended design to put FlexConnect AP mgt into native vlan & user traffic to a tagged vlan.
    From the QoS perspective if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than native vlan) & trust CoS on the switch port connected to FlexConnect AP (usually configured as trunk port)
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • About the Native Vlan and Management Vlan.

    I wanted to know that Management vlan and Native vlan can be different vlan id or  both should be same vlan id. Why should not be native vlan 1.

    The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
    It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
    Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
    Example: In the below figure if a IP phone and system are connected toa switch port as below, the the Phones will  send its frames tagged with vlan 10 where as the frames sent by system will be untagged. So here the the corresponding switch port should be configured as native vlan 20. So that it can recognise and handle the frames from system and IP phone properly.
    a
    Management vlan is different, it means that this vlan will be used for management purposes like Logging into the switch for management, Monitoring the switch,collecting Syslog ans SNMP traps, etc will be done by management vlan IP. This also by default vlan 1 in cisco. So as Antony said the it is always a Best practice and security measure to not use the default vlan and use custom vlans.
    Hope this helps !

  • Will we get The Black Hole soundtrack that is on the US Itunes in the UK???

    As usual the UK version of Itunes is way behind the US one. They seem to have a far better database of film music than the UK one. Will we be getting the Black Hole soundtrack that has recently been posted on the US store?

    Sorry, but we're all just your fellow users here and have no way of knowing what may or may not appear in an given country's iTunes Store. You can submit suggestions for the iTunes Music Store through the feedback page (make sure you clearly specify which country's iTunes Store you're referring to). Whether or not your suggestion will ever be acted upon will depend on a number of factors, some out of Apple's control (to start with, the artists and record companies have to be willing to license the tracks to Apple for your country), so don't expect instant action.
    Forum Tip: Since you're new here, you've probably not discovered the Search feature available on every Discussions page, but next time, it might save you time (and everyone else from having to answer the same question multiple times) if you search a couple of ways for a topic, both in the relevant forums, in the User Tips Library and in the Apple Knowledge Base before you post a question.
    Regards.

  • Native Vlan and tagging

    Hi!
    I have a particular installation on a customer site.
    The management vlan is the number 1 (which is the native vlan) for the whole network and all the switches tag the native vlan.
    So when I plug my AP on a port of a switch configured in trunk mode, it doesn't work.
    How can I resolve this issue?
    Thanks

    Yes, you can specify the native VLAN, though I am not sure if that will enable tagging of that VLAN or not. You might have to try it yourself to see. See the following link for pictures of the pages in question.
    http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#t12
    Because I think it will require a reboot after enabling HREAP but before setting up VLAN support, you might need to set it as an access port while making the changes.
    1. Do not use VLANs for your H-REAP deployment and set the access point switch ports as Access ports in the VLAN you want your users to be in. The AP will need an IP in the user VLAN, but that is not usually a problem. If you do not need multiple user VLANs from different SSIDs, this will be the easiest option.
    2. Disable native VLAN tagging for the ports with APs with the command I listed above.

  • VLAN trunking, native vlan and management vlan

    Hello all,
    In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
    We have an uplink which is trunked using .1Q. Our access ports has the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.

    To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
    Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
    When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
    I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
    Regards,
    Leo

  • VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1

    Hi All,
    L2 security documents suggest to avoid using vlan1 and tagging all frames with vlan IDs using the global configuration of vlan dot1q. Other Cisco non-security documents suggest using the switchport trunk native vlan # which removes any vlan tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using vlan 1 to tighten L2 security. When vlan 1 is removed from all trunked uplinks, user access ports are other than vlan 1, and no spanning-tree vlan 1 operations exists, what is the native vlan 1 actually used for?. The output of show interface gi0/1 trunk shows the native vlan as 1.
    Thanks,
    HC

    Hi HC,
    the command "switchport trunk native vlan" is used to define the native (untagged vlan) on a dot1q link. The default is 1, but you can change it to anyting you like. But it does only change the native vlan, all the others vlan on the trunk are of course tagged (and it only applies to dot1q, as ISL "taggs/encapsulates" all the vlans). The command "vlan dot1q tag native" is mostly used in dot1qindot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. Thats something mostly service Providers offer to there customers. There it is important that there is no untagged traffic, as that would not work with dot1qindot1q. This command tagges the native vlan traffic, and drops all traffic which is not tagged.
    Whatfor is the native VLAN? Switches send control PDU such as STP,CDP or VTP over the native VLAN.
    If you don't happen to be a service Provider for L2 metropolitan Ethernet, you wan't need the "vlan dot1q tag native" command. For my part I'm trying not to use vlan 1 everywhere in my campus, because it gives a huge spanningtree topology and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degradet. I try to keep Vlan's a small as possible and to have as much L3 separaton as possible, that's good for the stability!
    Simon

  • Native VLAN and Trunks on Bridges

    I have a need for different Native VLANs on the radio side and the ethernet side. Can this be done on the non-root 1410 bridge?
    The radio native VLAN is to support the management on teh 1410 bridges. I also need to attach a single device from another VLAN on the non-root bridge and I do not want to have to put in a switch just to break out that needed VLAN.

    The bridge supports only one SSID. You should assign the SSID to the native VLAN
    1.Create subinterfaces on the radio and Ethernet interfaces.
    2. Enable 802.1q encapsulation on the subinterfaces and assign one subinterface as the native VLAN.
    3. Assign a bridge group to each VLAN.
    4. (Optional) Enable WEP on the native VLAN.
    5. Assign the bridge's SSID to the native VLAN.
    To assign an SSID to a VLAN and how to enable a VLAN on the bridge radio and Ethernet ports
    For further information click this link.
    http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.3_8_JA/configuration/guide/p38vlan.html

  • Whats difference between native vlan and pvid

                       whats difference between native vlan and pvid ?

    Hi,
    a port VLAN ID is the assigned VLAN of an access-port.
    The native VLAN is used in a trunk. A trunk is used to connect another switch or a device which belongs to more than 1 VLAN. Since a standard ethernet frame doesn't provide a field to distinguish VLANs, a special field is inserted, this is called "tagging". Nevertheless, frames belonging to the native VLAN  are transmitted without such a tag (in other words: the ethernet frames are not modified). In this way, traffic forwaring is possible in the native VLAN even when the trunk is not working  correctly.
    In theory, when you would connect a trunkport from one switch to an accessport of another, communication for the native VLAN would be possible. In such a scenario, the native VLAN-ID doesn't have to match the PVID. Hope, this isn't to confusing.
    You can find more details in discussion https://learningnetwork.cisco.com/thread/8721#39225
    Regards,
    Rolf

  • Hi, I'd like to put a black and white effect on my colour footage which will look really sharp but which also looks bright so the whites look bright and the blacks look very dark . Any tips of which best effects to use to achieve this look in Prem Pro. Th

    Hi, I'd like to put a black and white effect on my colour footage which will look really sharp but which also looks bright so the whites look bright and the blacks look very dark . Any tips of which best effects to use to achieve this look in Prem Pro. Thanks

    Under the Effects-Lumetri Looks-Desaturation choose a B and W effect. Then add the luma corrector from the Video effects-colour correction section. Adjust the brightness and contrast to get the effect you want.

  • How can I buy apple watch  for the space black stainless steel case and the black sport band for one order?

    How can I buy apple watch  for the space black stainless steel case and the black sport band for one order?

    Unfortunately no. I asked the same question when I went to the local Apple Store for my "try on" and as of now you would have to order the watch with the metal link band and the black sports band separately.

  • Wireless AP native vlan and switch trunk

    Hi,
    I am unable to ping my ap, i think it is due to the multiple vlan issues, can provide some advise, my config for the ap and switch is as below
    AP Config
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname hostname
    logging rate-limit console 9
    enable secret 5 $1$ZxN/$eYOf/ngj7vVixlj.wjG2G0
    no aaa new-model
    ip cef
    dot11 syslog
    dot11 ssid Personal
       vlan 2
       authentication open
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii 7 070E26451F5A17113741595D
    crypto pki token default removal timeout 0
    username Cisco password 7 1531021F0725
    bridge irb
    interface Dot11Radio0
    no ip address
    encryption vlan 2 mode ciphers aes-ccm tkip
    ssid Personal
    antenna gain 0
    stbc
    beamform ofdm
    station-role root
    no dot11 extension aironet
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Dot11Radio0.100
    encapsulation dot1Q 100 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio1
    no ip address
    encryption vlan 2 mode ciphers aes-ccm tkip
    ssid Personal
    antenna gain 0
    no dfs band block
    stbc
    beamform ofdm
    channel dfs
    station-role root
    interface Dot11Radio1.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Dot11Radio1.100
    encapsulation dot1Q 100 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 spanning-disabled
    no bridge-group 2 source-learning
    interface GigabitEthernet0.100
    encapsulation dot1Q 100 native
    bridge-group 1
    bridge-group 1 spanning-disabled
    no bridge-group 1 source-learning
    interface BVI1
    ip address 192.168.1.100 255.255.255.0
    ip default-gateway 192.168.1.1
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    password 7 01181101521F
    login
    transport input all
    end
    Switch Port config
    interface FastEthernet1/0/10
    switchport trunk native vlan 100
    switchport mode trunk

    I will re-check the routing again but could it be some bridging issues ?
    interface GigabitEthernet0
    no ip address
    duplex auto
    speed auto
    **** unable to put up this command on the giga port
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    I try to put this command on the gigaethernet port but it does not allow me, could this be the bridging  issue ?

  • Native Vlan and Trunking

    Hi Folks,
    I am having a doubt with native Vlan in trunk ports.
    In a topology of 3 switches. Switch A is connected with switchB and SwitchC on uplinks. Can I configure the different native vlans for 2 different trunk for switch A.
    Like I am having 3 vlan,s configured in switch A with VTP domain transparent(1,500,900-Vlans configured). Same configuration is there in B & C too.
    So can we use 999 as a native vlan for trunk between A&B and native vlan 1 for trunk configured between A&C.

    yes possible, if specific reasons. Already discussed several times on this forum. Pls refer this link:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe4e88

  • Oracle RAC Interconnect, PowerVM VLANs, and the Limit of 20

    Hello,
    Our company has a requirement to build a multitude of Oracle RAC clusters on AIX using Power VM on 770s and 795 hardware.
    We presently have 802.1q trunking configured on our Virtual I/O Servers, and have currently consumed 12 of 20 allowed VLANs for a virtual ethernet adapter. We have read the Oracle RAC FAQ on Oracle Metalink and it seems to otherwise discourage the use of sharing these interconnect VLANs between different clusters. This puts us in a scalability bind; IBM limits VLANs to 20 and Oracle says there is a one-to-one relationship between VLANs and subnets and RAC clusters. We must assume we have a fixed number of network interfaces available and that we absolutely have to leverage virtualized network hardware in order to build these environments. "add more network adapters to VIO" isn't an acceptable solution for us.
    Does anyone know if Oracle can afford any flexibility which would allow us to host multiple Oracle RAC interconnects on the same 802.1q trunk VLAN? We will independently guarantee the bandwidth, latency, and redundancy requirements are met for proper Oracle RAC performance, however we don't want a design "flaw" to cause us supportability issues in the future.
    We'd like it very much if we could have a bunch of two-node clusters all sharing the same private interconnect. For example:
    Cluster 1, node 1: 192.168.16.2 / 255.255.255.0 / VLAN 16
    Cluster 1, node 2: 192.168.16.3 / 255.255.255.0 / VLAN 16
    Cluster 2, node 1: 192.168.16.4 / 255.255.255.0 / VLAN 16
    Cluster 2, node 2: 192.168.16.5 / 255.255.255.0 / VLAN 16
    Cluster 3, node 1: 192.168.16.6 / 255.255.255.0 / VLAN 16
    Cluster 3, node 2: 192.168.16.7 / 255.255.255.0 / VLAN 16
    Cluster 4, node 1: 192.168.16.8 / 255.255.255.0 / VLAN 16
    Cluster 4, node 2: 192.168.16.9 / 255.255.255.0 / VLAN 16
    etc.
    Whereas the concern is that Oracle Corp will only support us if we do this:
    Cluster 1, node 1: 192.168.16.2 / 255.255.255.0 / VLAN 16
    Cluster 1, node 2: 192.168.16.3 / 255.255.255.0 / VLAN 16
    Cluster 2, node 1: 192.168.17.2 / 255.255.255.0 / VLAN 17
    Cluster 2, node 2: 192.168.17.3 / 255.255.255.0 / VLAN 17
    Cluster 3, node 1: 192.168.18.2 / 255.255.255.0 / VLAN 18
    Cluster 3, node 2: 192.168.18.3 / 255.255.255.0 / VLAN 18
    Cluster 4, node 1: 192.168.19.2 / 255.255.255.0 / VLAN 19
    Cluster 4, node 2: 192.168.19.3 / 255.255.255.0 / VLAN 19
    Which eats one VLAN per RAC cluster.

    Thank you for your answer!!
    I think I roughly understand the argument behind a 2-node RAC and a 3-node or greater RAC. We, unfortunately, were provided with two physical pieces of hardware to virtualize to support production (and two more to support non-production) and as a result we really have no place to host a third RAC node without placing it within the same "failure domain" (I hate that term) as one of the other nodes.
    My role is primarily as a system engineer, and, generally speaking, our main goals are eliminating single points of failure. We may be misusing 2-node RACs to eliminate single points of failure since it seems to violate the real intentions behind RAC, which is used more appropriately to scale wide to many nodes. Unfortunately, we've scaled out to only two nodes, and opted to scale these two nodes up, making them huge with many CPUs and lots of memory.
    Other options, notably the active-passive failover cluster we have in HACMP or PowerHA on the AIX / IBM Power platform is unattractive as the standby node drives no resources yet must consume CPU and memory resources so that it is prepared for a failover of the primary node. We use HACMP / PowerHA with Oracle and it works nice, however Oracle RAC, even in a two-node configuration, drives load on both nodes unlike with an active-passive clustering technology.
    All that aside, I am posing the question to both IBM, our Oracle DBAs (whom will ask Oracle Support). Typically the answers we get vary widely depending on the experience and skill level of the support personnel we get on both the Oracle and IBM sides... so on a suggestion from a colleague (Hi Kevin!) I posted here. I'm concerned that the answer from Oracle Support will unthinkingly be "you can't do that, my script says to tell you the absolute most rigid interpretation of the support document" while all the time the same document talks of the use of NFS and/or iSCSI storage eye roll
    We have a massive deployment of Oracle EBS and honestly the interconnect doesn't even touch 100mbit speeds even though the configuration has been checked multiple times by Oracle and IBM and with the knowledge that Oracle EBS is supposed to heavily leverage RAC. I haven't met a single person who doesn't look at our environment and suggest jumbo frames. It's a joke at this point... comments like "OMG YOU DON'T HAVE JUMBO FRAMES" and/or "OMG YOU'RE NOT USING INFINIBAND WHATTA NOOB" are commonplace when new DBAs are hired. I maintain that the utilization numbers don't support this.
    I can tell you that we have 8Gb fiber channel storage and 10Gb network connectivity. I would probably assume that there were a bottleneck in the storage infrastructure first. But alas, I digress.
    Mainly I'm looking for a real-world answer to this question. Aside from violating every last recommendation and making oracle support folk gently weep at the suggestion, are there any issues with sharing interconnects between RAC environments that will prevent it's functionality and/or reduce it's stability?
    We have rapid spanning tree configured, as far as I know, and our network folks have tuned the timers razor thin. We have Nexus 5k and Nexus 7k network infrastructure. The typical issues you'd fine with standard spanning tree really don't affect us because our network people are just that damn good.

  • My (quite new) MBP's monitor looks a bit pinkish, and the black test goes red when I scroll.  Why?

    I said it all in the header.  All the screen components that usually look pale grey look a bit pinkish, and the inages and text discolor when I scrook.  This is especially noticeable with text, which goes from black to dark red and back to black when scrolling stops. 
    I usually use the MBB with a separate monitor, so I hadn't noticed this until today and don't know when it started. 
    I suspect this means a defect in the display.

    Start Firefox in [[Safe Mode]] to check if one of your add-ons is causing your problem (switch to the DEFAULT theme: Tools > Add-ons > Themes).
    See [[Troubleshooting extensions and themes]] and [[Troubleshooting plugins]]
    If it does work in Safe-mode then disable all your extensions and then try to find which is causing it by enabling one at a time until the problem reappears.
    You can use "Disable all add-ons" on the [[Safe mode]] start window to disable all extensions.
    You have to close and restart Firefox after each change via "File > Exit" (Mac: "Firefox > Quit"; Linux: "File > Quit")

Maybe you are looking for

  • I have a Photosmart 6510e that will only print after I shut printer off and then restart..

    After setting up my 6510e photosmart all computers are able to print ---laptop, netbook and my iPhone can eprint.  However, my desktop PC will only print once the printer sleeps (white light is dim) after I completely shut off the printer and then re

  • Transfer of stock from vendor

    Hi, How can we transfer stock from vendor to our plant? Movement type 501 cannot be used. Also, 101 movement type cannot be used since the material  has not been provided to vendor using 541 mvt type. Thanks in advance.

  • Handling Items which are Subscription Based?

    Does anyone know a good way to handle subscription based items? I have a client which sells newspaper subscriptions among other products. Any ideas on how to handle the yearly subscriptions?

  • Windows 2008 R2 IPSEC fails if NAT involved

    I'm deploying a project that includes an IPSEC Tunnel between Windows servers, through a NAT Firewall. When both servers were windows 2003, this worked fine. We have had to migrate to Win2k8R2, and now the tunnel is established, but no traffic flows

  • About dialog instance

    Hi Friends If more than one dialog instance can be installed in a computer? I have installed a sap system(abap stack), central instance and dialog instance are in the same server. the dialog instance has started up, but I can't see the dialog instanc