Native vlan on 3750 switch
Is it possible to configure AAA and EAPFAST on a 3750G switch to use a vlan other than vlan1 for management/native vlan? We are working with RADIUS on Server 2008.
Hi John,
Yes, you can do that.
On 3750 you can take a look at the feature called 802.1x Authentication with VLAN Assignment:
http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1289244.
Basically, you define on the RADIUS server what VLAN you want to assign to each User (or User Group); then, when the user connects the PC to the port, it authenticates and the RADIUS server returns the required attributes for VLAN assignment to the switch. The switch interprets them and changes the switchport to the configured VLAN.
The switch will be a simple man-in-the-middle during authentication and only processes the RADIUS Reject (if authentication fails) or RADIUS Accept (if authentication passes).
The authentication methods like EAP-FAST must be agreed between the RADIUS server (AAA Server) and the PC (AAA supplicant).
If you want to authenticate users based on certificates you have to use either EAP-FAST, EAP-TLS or EAP-TTLS.
The most widely spread (which comes by default on WinXP machines) authentication method is PEAP which uses MS-CHAP (username/password) to authenticate users.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
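The attributes Tiago refers to are the standard RADIUS tunnel attributes used for 802.1X VLAN assignment (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN number or name, as in RFC 3580). As an added example that is not part of this thread or of Cisco's code, the Python below encodes those three attributes the way a server places them in an Access-Accept and then makes the switch-side decision of which VLAN to put the port in. The acceptance policy (no VLAN change when the attributes are missing, inconsistent, or name a VLAN the switch does not have) and the VLAN table passed in are this example's own assumptions, not the switch's documented behaviour.

```python
import struct

# Standard RADIUS tunnel attribute numbers (RFC 2868) and the values
# RFC 3580 assigns for VLAN assignment.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type "IEEE-802"


def _avp(attr: int, value: bytes) -> bytes:
    """One attribute-value pair: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", attr, 2 + len(value)) + value


def encode_vlan_attrs(group: str, tag: int = 1) -> bytes:
    """Server side: the three AVPs an Access-Accept carries to assign a VLAN.
    `group` is the VLAN number ("42") or VLAN name ("staff"); `tag` groups the
    three attributes together (RFC 2868 tag byte, 0x00-0x1F)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be between 0x00 and 0x1F")
    t = bytes([tag])
    return (_avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, t + group.encode("ascii")))


def parse_avps(data: bytes) -> list:
    """Split a run of AVPs into (type, raw value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed AVP length")
        out.append((attr, data[i + 2:i + length]))
        i += length
    return out


def _untag(value: bytes):
    """RFC 2868: a leading byte <= 0x1F is the tag and not part of the value."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(avps: list, switch_vlans: dict):
    """Switch side (this example's own policy): return the VLAN id to place the
    authenticated port in, or None when no consistent VLAN triple is present or
    the VLAN does not exist on the switch. `switch_vlans` maps id -> name."""
    by_tag = {}
    for attr, value in avps:
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = _untag(value)
            by_tag.setdefault(tag, {})[attr] = body
    for fields in by_tag.values():
        if len(fields) != 3:
            continue  # incomplete triple for this tag
        if int.from_bytes(fields[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(fields[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = fields[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if group.isdigit():                     # VLAN given by number
            vid = int(group)
            return vid if vid in switch_vlans else None
        by_name = {name: vid for vid, name in switch_vlans.items()}
        return by_name.get(group)               # VLAN given by name
    return None


if __name__ == "__main__":
    # Constructed VLAN table standing in for the switch's VLAN database.
    vlans = {1: "default", 42: "staff", 100: "mgmt"}
    accept = encode_vlan_attrs("staff")
    print("assigned VLAN:", assigned_vlan(parse_avps(accept), vlans))
```

A server that returns a VLAN the switch does not know, or only two of the three attributes, leaves the port where it was; that is the case to watch for in RADIUS server logs when a user authenticates but lands in the wrong VLAN.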
Similar Messages
-
I've 7 access switches, of which one switch is connected to a 2nd switch with an RJ45 trunk, and the other switches are cascaded with each other.
My question is, is a native vlan necessary on all access switches? If yes, then why?
Overview: SW1 trunk port Fa0/1 to SW2 Fa0/13.
SW2-SW3-SW4-SW5-SW6-SW7 (cascading).
SW4 connected to core switch trunk port.
The encapsulation type is dot1q and the cascaded switches are in half duplex, but the switch that has the RJ45 trunk connectivity with the 2nd switch is in auto duplex, and the connectivity to the core switch from one of the access switches is also in auto duplex.
Is that affecting speed? Thank you for that.
The last thing I want to know is, can I remove native VLANs from the uplink and GB ports?
Is it necessary to keep them in a native VLAN?
If no, then why?
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 100******
switchport mode trunk
interface GigabitEthernet0/2
description *** Cascaded to...***
duplex half
switchport trunk encapsulation dot1q
switchport trunk native vlan 100****(Can I remove this if it has no use?)
switchport mode trunk -
Native Vlan Mismatch on Switch LD connected to
I am running 3 switches, each with the same 3 vlans. I also have 2 local directors in failover mode. The primary has interfaces connected to switch one and the secondary has interfaces to switch two. Trunking is disabled on all device ports but enabled on a dedicated fiber connection between the 2 switches.
The first vlan is vlan 1 for management
The second is vlan 2 for the gateway side of the local directors
The third is vlan 3 for the server side of the local directors
On the primary switch I am logging CDP messages telling me I have a native vlan mismatch on the 2 local director ports. On the secondary switch I don't get these messages.
Any ideas what is going on here and why? Thanks, Art.
You mention above "but trunking is enabled on a dedicated fiber connection between the two switches", therefore trunking is enabled.
Because trunked ports need to be assigned to the same native vlan, I would do a "show trunk" and verify that the ports used for trunking on each switch are assigned to the same native vlan; I've seen the mismatch if they are not. That command above is if your switch is using CatalystOS; otherwise, use this command for NativeOS: sh int fast 0/1 switchport, and look for the "trunking native mode vlan" number. They must match on each side. To correct the problem, do set vlan 1 4/10 to assign port 4/10 to vlan 1, which is your management vlan, which I assume you've chosen to be your native vlan.
Hope this helps. -
I have a question regarding the default native vlan. I have a Cisco-based environment and I set vlan XXX as native on trunk links. I am also running Multiple Spanning Tree on my switches and create instances for vlan segregation.
My question here is, could I put vlan 1 (default) in any of the instances or not?
Thanks & Regards,
With MST, it is not running per-VLAN spanning tree; it sends all BPDUs via instance 0, which is called the CIST. These frames are sent untagged via the native VLAN. Normally this is VLAN 1, but if you change it to another VLAN then the BPDUs are sent untagged on that native VLAN.
Regarding whether to use instance 0 or not, it is often recommended to create as many instances as you need to create the desired topology (usually two) and put your VLANs in those instances. It's a good practice to map all your VLANs straight away, because changing the instance-to-VLAN mapping makes the MST region become multi-region until they all have the same instance-to-VLAN mapping.
I would keep all VLANs out of instance 0 but it's definitely possible to have VLANs mapped in instance 0 as well.
Daniel Dib
CCIE #37149
Please rate helpful posts. -
Native VLAN on wired switch and wireless AP
On our 3560g switch we have g0/15 set up as a trunk to connect our wireless AP.
Port Mode Encapsulation Status Native vlan
Gi0/15 on 802.1q trunking 35
Port Vlans allowed on trunk
Gi0/15 1-4094
Port Vlans allowed and active in management domain
Gi0/15 1,10-14,18,20,22,30,35
Port Vlans in spanning tree forwarding state and not pruned
Gi0/15 1,10-14,18,20,22,30,35
On my AP I have the native VLAN as 1.
From my reading I found that the AP and the switch port should have the same native vlan on both ends of the trunk. Well, my access point will not work unless the AP trunk is on 1 and the switch is on 35. Any ideas?
dot11 ssid guestwifi
vlan 20
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
dot11 ssid nwifi
vlan 35
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
guest-mode
dot11 arp-cache optional
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
encryption vlan 35 mode ciphers aes-ccm tkip
encryption vlan 1 mode ciphers aes-ccm tkip
encryption vlan 20 mode ciphers aes-ccm tkip
ssid guestwifi
ssid raydonwifi
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no dot11 extension aironet
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
interface Dot11Radio0.35
encapsulation dot1Q 35
no ip route-cache
bridge-group 35
bridge-group 35 block-unknown-source
no bridge-group 35 source-learning
no bridge-group 35 unicast-flooding
bridge-group 35 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption mode ciphers tkip
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
channel 5200
station-role root bridge
antenna receive right
antenna transmit right
bridge-group 1
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 spanning-disabled
interface FastEthernet0.35
encapsulation dot1Q 35
no ip route-cache
bridge-group 35
bridge-group 35 spanning-disabled
interface BVI1
ip address 192.168.35.12 255.255.255.0
no ip route-cache
ip default-gateway 192.168.35.1
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community home RO
snmp-server enable traps tty
control-plane
bridge 1 route ip
line con 0
access-class 111 in
transport preferred all
transport output all
line vty 0 4
access-class 111 in
transport preferred all
transport input all
transport output all
line vty 5 15
access-class 111 in
transport preferred all
transport input all
transport output all
end -
I am trying to create an SVI on a Catalyst 3750 switch, but when I do a show int vlan, it indicates the line protocol is down. What could be the problem and how do I get it up?
Here is my config:
Switch#vlan database
Switch(vlan)#vlan 700 name Management
Switch(vlan)#exit
Switch#conf t
Switch(config)#int vlan 700
Switch(config-if)#ip address 172.16.1.1 255.255.255.0
Switch(config-if)# no shut
Switch(config-if)#^z
What did I do wrong and what's the way forward?
Hi Friend,
It will remain in the line down state until you create an active port for that vlan.
Suppose you create an SVI for vlan 700; you have to assign a physical port to that vlan, or else create a trunk port and allow that vlan on that trunk, and the line protocol will come up.
So in short any SVI should have a physical port assignment or there should be an active trunk for that vlan.
HTH, if yes please rate the post.
Ankur -
Migration of users in different vlans of 3750 Switches
I have 30 access switches (3750). I need to migrate 1200 users connected to these switches from vlan 1 (172.23.8.0/22) to vlan 2 (172.23.52.0/22). They changed the range 172.23.8.0/22 to 172.23.52.0/22 on the DHCP server. In this case, is the only solution to change the ports of the switches from vlan 1 to vlan 2? Can I configure 2 vlans on the ports of the 3750 switches? What do you recommend to make this migration in the most efficient way?
Well, you could use the command interface range fastethernet 0/1 - 48 (change the command according to your ports) and then execute the switchport access vlan 2 command.
Like this all the ports will be changed in one shot. When to do it... well, during a weekend.
The biggest problem I see is that the workstations have to get a new IP address from DHCP after the migration, so I suggest that you set the lease expiration to one day. Like this all the workstations will ask for a new IP address every day, and after the change to vlan 2 they will ask for an IP and everybody will have connectivity, and it should be transparent for the user then.
FYI, a switch port can only ever belong to a single vlan, or it has to be a trunk port to support multiple vlans, which is not recommended in your situation.
Yves
rate this post if it helped
Yves -
How one Switch identify the Native vlan mismatch
Dear All,
I am using two Cisco L2 switches. Both are connected by a trunk link. Unfortunately I configured different native vlans on the two switches. Suddenly I got an error that there was a native vlan mismatch. When I changed the configuration, it worked fine. My question is, how does one switch identify that native vlan mismatch (either by BPDU, CDP or packet)? Please mention which of the following is used by the switch to identify the native vlan mismatch.
Regards,
Sanjib
Sanjib, Karsten,
It's CDP.
Yes, and STP as well if you run a trunk between the two switches. PVST+ and RPVST+ BPDUs have a TLV in their trailer that carries the VLAN number for which the BPDU was originated. If the BPDU is received in a different VLAN (caused by a native VLAN mismatch), the receiving switch will be able to detect it.
Wireshark 1.12.x will be capable of displaying this TLV field in captured PVST+ and RPVST+ BPDUs. Until 1.12.x is released, you may want to try daily builds from:
http://www.wireshark.org/download/automated/
They already incorporate the enhancement.
Best regards,
Peter -
Fabric interconnect and Native Vlan
Hi
I just want to ask a simple question
Are there any precautions with the native vlan between the switched infrastructure and the Fabric Interconnect?!
I mean, can I use any vlan as a native vlan, e.g. 999, "anything but not 1"?!
As a security best practice, on trunks carrying multiple VLANs you should not allow the native vlan on the line. When you have a single VLAN going to a device, an end node for example, the port should be configured as an access port with a single data VLAN, and potentially a voice vlan if that will be used.
For example, our N5Ks have a trunk to each of our UCS interconnects. We set the native VLAN on the N5K side to 999. 999 is not in the allowed list for the trunk then, so the native VLAN never makes it to the UCS. On the UCS then, for any server that can handle VLANs (ESXi for example) we send only tagged VLANs -- no VLAN is marked native, thus accomplishing the same thing as we did for the N5K to FI link.
It is recommended as best practice not to leave your native VLAN as 1. It's less of a concern if the native VLAN isn't in the allowed list, but to avoid misconfiguration issues you should set it to another VLAN. -
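A configuration audit for the practice described in this answer, as an added example in Python that is not from the thread: it groups IOS running-config lines into interface stanzas, applies the IOS defaults when a trunk does not set a native or allowed list (native VLAN 1, all VLANs allowed), and flags trunks whose native VLAN is still 1 or whose native VLAN is present in the allowed list. The sample configuration is constructed, modelled on the trunk stanzas quoted elsewhere on this page; the function names are this example's own.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))


def expand_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '1,10-14,18,20' into a set of ids."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            out.update(range(lo, hi + 1))
        else:
            out.add(int(part))
    return out


def parse_interfaces(config: str) -> dict:
    """Group running-config lines into {interface name: [lines]}.
    A block is opened by an 'interface' header and closed by '!', 'end' or a
    blank line; indentation is not relied on, so pasted configs parse too."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            stanzas[current] = []
        elif line in ("", "!", "end"):
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_trunks(config: str) -> list:
    """Return (interface, finding) tuples for trunks whose native VLAN is the
    default VLAN 1 or is carried in the trunk's allowed list."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        native, allowed = 1, set(ALL_VLANS)      # IOS defaults when unset
        for line in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", line)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan (add |remove |except )?(.+)$", line)
            if m:
                op, spec = m.group(1), m.group(2).strip()
                if spec == "all":
                    allowed = set(ALL_VLANS)
                elif spec == "none":
                    allowed = set()
                elif op == "add ":
                    allowed |= expand_vlan_list(spec)
                elif op == "remove ":
                    allowed -= expand_vlan_list(spec)
                elif op == "except ":
                    allowed = set(ALL_VLANS) - expand_vlan_list(spec)
                else:
                    allowed = expand_vlan_list(spec)
        if native == 1:
            findings.append((name, "native VLAN is the default VLAN 1"))
        if native in allowed:
            findings.append((name, f"native VLAN {native} is in the allowed list; "
                                   "untagged frames can reach it"))
    return findings


# Constructed sample, modelled on the trunk stanzas quoted on this page.
SAMPLE_CONFIG = """\
interface GigabitEthernet3/2
 description c2-k25-5
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,146,171
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-14,18,20
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport access vlan 20
 switchport mode access
!
"""

if __name__ == "__main__":
    for iface, finding in audit_trunks(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Run against a saved "show running-config", the audit lists only the trunks that still need the native VLAN moved or pruned from the allowed list; GigabitEthernet0/1 in the sample passes because 999 is neither 1 nor allowed.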
Hi,
I can't figure out why this is showing on the switches.
Core switch brc-k25-1 is using Native Vlan 1
Access switch c2-k25-5 is using Native Vlan 1
I get the following error message on the access switch:
Jun 27 08:57:40: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 171 on GigabitEthernet1/0/49 VLAN1.
Jun 27 08:57:40: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/49 on VLAN0171. Inconsistent peer vlan.
Jun 27 08:57:40: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/49 on VLAN0001. Inconsistent local vlan.
Jun 27 08:57:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Jun 27 08:57:55: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/49 on VLAN0171. Port consistency restored.
Jun 27 08:57:55: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/49 on VLAN0001. Port consistency restored.
Jun 27 08:57:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Because of the error, I cannot login to the access switch using the native Vlan IP Address.
brc-k25-1 config:
interface GigabitEthernet3/2
description c2-k25-5
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,146,171
switchport mode trunk
logging event link-status
logging event trunk-status
qos trust dscp
tx-queue 1
bandwidth percent 69
tx-queue 2
bandwidth percent 1
tx-queue 3
bandwidth percent 15
priority high
tx-queue 4
bandwidth percent 15
end
brc-k25-1#sh interfaces gigabitEthernet 3/2 switchport
Name: Gi3/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 1,146,171
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
interface Vlan1
ip address 172.27.40.254 255.255.255.02
ip access-group vlan1out out
==================================================
c2-k25-5 config:
c2-k25-5#sh cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
brc-k25-1 Gig 1/0/49 138 R S I WS-C4506 Gig 3/2
interface GigabitEthernet1/0/49
description brc-k25-5
switchport trunk allowed vlan 1,146,171
switchport mode trunk
interface Vlan1
ip address 172.27.40.18 255.255.255.0
interface Vlan146
ip address 172.31.146.1 255.255.255.0
c2-k25-5#sh interfaces gigabitEthernet 1/0/49 switchport
Name: Gi1/0/49
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 1,146,171
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Thanks for the replies.
I did remove the ACL from VLAN1 but nothing changed. Also, VLAN1 was not included in the trunk allowed list before; same result as now.
Jun 30 09:06:40: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 171 on GigabitEthernet1/0/49 VLAN1.
Jun 30 09:06:40: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/49 on VLAN0171. Inconsistent peer vlan.
Jun 30 09:06:40: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/49 on VLAN0001. Inconsistent local vlan.
Jun 30 09:06:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Jun 30 09:06:55: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/49 on VLAN0171. Port consistency restored.
Jun 30 09:06:55: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/49 on VLAN0001. Port consistency restored.
Jun 30 09:06:56: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
We have multiple switches attached to brc-k25-1 and only 2 switches using VLAN1 management are affected. I had to create another VLAN ID so that I can use that IP address to SSH. Very weird problem. -
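The %SPANTREE-2-RECV_PVID_ERR and BLOCK_PVID messages in this thread are the STP-side detection Peter describes in the earlier thread (the originating-VLAN TLV in PVST+ BPDUs arriving in a different VLAN). As an added example in Python that is not part of either thread, the code below parses such syslog lines, records per interface which local/peer VLAN pairs were flagged and which VLANs are still blocked at the end of the log, and reads the configured native VLAN out of "show interfaces ... switchport" output so the two sides can be compared. The sample log lines and switchport text are the ones quoted above; the function names are this example's own. Note that in this thread both sides report native VLAN 1, so the configured-side comparison passes while the log still flags the inconsistency, which is why both views are worth keeping.

```python
import re
from collections import defaultdict

# IOS syslog prefix: "Jun 27 08:57:40: " followed by the facility-severity-mnemonic.
TS = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): "
RECV_PVID = re.compile(TS + r"%SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent "
                            r"peer vlan id (?P<peer>\d+) on (?P<iface>\S+) VLAN(?P<local>\d+)\.")
BLOCK = re.compile(TS + r"%SPANTREE-2-BLOCK_PVID_(?P<side>PEER|LOCAL): Blocking "
                        r"(?P<iface>\S+) on VLAN(?P<vlan>\d+)\.")
UNBLOCK = re.compile(TS + r"%SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking "
                          r"(?P<iface>\S+) on VLAN(?P<vlan>\d+)\.")
# Line from "show interfaces <if> switchport" that carries the configured native VLAN.
NATIVE = re.compile(r"^Trunking Native Mode VLAN: (\d+)", re.M)


def pvid_mismatches(log_lines) -> dict:
    """Per interface: the (local VLAN, peer VLAN) pairs reported by RECV_PVID_ERR
    and the VLANs still in the PVID-inconsistent blocking state at the end of the log."""
    seen = defaultdict(set)
    blocked = defaultdict(set)
    for line in log_lines:
        m = RECV_PVID.match(line)
        if m:
            seen[m["iface"]].add((int(m["local"]), int(m["peer"])))
            continue
        m = BLOCK.match(line)
        if m:
            blocked[m["iface"]].add(int(m["vlan"]))   # "VLAN0171" -> 171
            continue
        m = UNBLOCK.match(line)
        if m:
            blocked[m["iface"]].discard(int(m["vlan"]))
    return {iface: {"pairs": sorted(seen[iface]), "still_blocked": sorted(blocked[iface])}
            for iface in set(seen) | set(blocked)}


def configured_native(switchport_output: str):
    """Native VLAN as reported by 'show interfaces <if> switchport', or None if absent."""
    m = NATIVE.search(switchport_output)
    return int(m.group(1)) if m else None


def native_mismatch_report(log_lines, local_switchport: str, peer_switchport: str) -> dict:
    """Combine both views: what each side says its native VLAN is, and what STP saw."""
    local, peer = configured_native(local_switchport), configured_native(peer_switchport)
    return {"configured": (local, peer),
            "configured_match": local is not None and local == peer,
            "log": pvid_mismatches(log_lines)}


# Sample lines taken from the thread above.
SAMPLE_LOG = [
    "Jun 27 08:57:40: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 171 on GigabitEthernet1/0/49 VLAN1.",
    "Jun 27 08:57:40: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/49 on VLAN0171. Inconsistent peer vlan.",
    "Jun 27 08:57:40: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/49 on VLAN0001. Inconsistent local vlan.",
    "Jun 27 08:57:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down",
    "Jun 27 08:57:55: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/49 on VLAN0171. Port consistency restored.",
    "Jun 27 08:57:55: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/49 on VLAN0001. Port consistency restored.",
    "Jun 27 08:57:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up",
]
SAMPLE_SWITCHPORT = """\
Name: Gi1/0/49
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 1,146,171
"""

if __name__ == "__main__":
    print(native_mismatch_report(SAMPLE_LOG, SAMPLE_SWITCHPORT, SAMPLE_SWITCHPORT))
```

Feeding a longer syslog export through pvid_mismatches shows whether the block/unblock cycle is repeating (the 15-second flap in this thread) or whether a VLAN stayed blocked, which is the state that takes the management SVI down.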
Hi All,
I am connecting a 2950 switch port to a 6505 switch port; both ports are in trunking mode and allow only one vlan on both.
On the 6505 switch I set it as follows:
enable> set trunk 2/23 700
enable> set trunk 2/23 nonegotiate dot1q.
On 2950 I set it as follows:
(conf)int f0/23
switchport mode trunk
switchport trunk Native vlan 700
switchport nonegotiate.
When I issue show logging, I notice the (Native Vlan mismatch).
When I change the switch port config on the 2950 to the following it doesn't work:
int f0/23
switchport mode trunk
switchport trunk allowed vlan 700
switchport nonegotiate
When I did the above, the traffic was discarded and subnets on the Core 6505 couldn't access subnets in their remote locations.
Could anybody tell me the reason for that, and why I am getting the Native message? As well as why it works only if I set the 2950 switch port to (trunk Native vlan ... or ... access mode).
thanks...
Hi Friend,
On the cat6k, though you have configured it as a trunk and allowed only vlan 700, the native vlan is still 1 by default.
And on the 2950 you have configured vlan 700 as native.
So what I will suggest is to change the native vlan on the cat6k switch also to vlan 700.
How you can do this on CatOS is
set vlan 700 2/23
Now what this will do on the cat6k is make vlan 700 native on the trunk, and you can keep the config on the 2950 the same
(conf)int f0/23
switchport mode trunk
switchport trunk Native vlan 700
switchport nonegotiate.
Or if you just want to get rid of the error message and keep the config as it was earlier, you can also disable CDP at the interface level.
HTH, if yes please rate the post.
Ankur -
Is this considered NATIVE VLAN?
Greetings All, I know that the native VLAN in a switch is VLAN 1.
Since my access points need a native vlan to perform multiple SSIDs and VLANs etc.: if the access point is sitting on VLAN 20 with an IP address assigned to it from that vlan, does that mean VLAN 20 is native?? Sorry for the ignorant question but I am trying to do multiple SSIDs etc.
Hey Pete,
Have a read of this good doc; here is an excerpt:
The routers and switches that make up the physical infrastructure of a network are managed in a different method than the client PCs that attach to that physical infrastructure. The VLAN these router and switch interfaces are members of is called the Native VLAN (by default, VLAN 1). Client PCs are members of a different VLAN, just as IP telephones are members of yet another VLAN. The administrative interface of the access point or bridge (interface BVI1) are considered and numbered a part of the Native VLAN regardless of what VLANs or SSIDs pass through that wireless device.
The switchport config might look like this:
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,10,30
Where vlan 1 is native and vlans 10 and 30 will be associated with SSIDs.
When you use an IEEE 802.1Q trunk port, all frames are tagged except those on the VLAN configured as the "native VLAN" for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged. Therefore, when an AP is connected to the switchport, the native VLAN configured on the AP must match the native VLAN configured on the switchport.
Note: If there is a mismatch in the native VLANs, the frames are dropped.
This scenario is better explained with an example. If the native VLAN on the switchport is configured as VLAN 12 and on the AP, the native VLAN is configured as VLAN 1, then when the AP sends a frame on its native VLAN to the switch, the switch considers the frame as belonging to VLAN 12 since the frames from the native VLAN of the AP are untagged. This causes confusion in the network and results in connectivity problems. The same happens when the switchport forwards a frame from its native VLAN to the AP.
From this good doc;
Using VLANs with Cisco Aironet Wireless Equipment
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#vlanap
Hope this helps!
Rob
Please remember to rate helpful posts......... -
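A check for the rule in the excerpt Rob quotes (the AP's native VLAN must equal the switchport's), as an added example in Python that is not from the thread or from the Cisco document: it reads the "encapsulation dot1Q N native" subinterfaces from an AP configuration and the "switchport trunk native vlan" / "switchport trunk allowed vlan" lines from the switch port, and reports a native VLAN mismatch, an AP declaring more than one native VLAN, a port that is not a trunk, or AP VLANs the trunk does not carry. The sample configurations are constructed from the AP and switch snippets on this page; treating a port without "switchport mode trunk" as a non-trunk, and the IOS defaults of native VLAN 1 and all VLANs allowed, are this example's assumptions.

```python
import re

ENCAP = re.compile(r"^\s*encapsulation dot1[Qq] (\d+)( native)?\s*$", re.M)
SW_TRUNK = re.compile(r"^\s*switchport mode trunk\s*$", re.M)
SW_NATIVE = re.compile(r"^\s*switchport trunk native vlan (\d+)\s*$", re.M)
SW_ALLOWED = re.compile(r"^\s*switchport trunk allowed vlan ([\d,\-]+)\s*$", re.M)


def _expand(spec: str) -> set:
    """'1,35' or '10-14' -> set of VLAN ids."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def ap_vlans(ap_config: str):
    """(native VLAN ids, tagged VLAN ids) declared on the AP's dot1Q subinterfaces."""
    native, tagged = set(), set()
    for vid, is_native in ENCAP.findall(ap_config):
        (native if is_native else tagged).add(int(vid))
    return native, tagged


def check_ap_uplink(ap_config: str, port_config: str) -> list:
    """Problems that make untagged frames land in the wrong VLAN on an AP uplink."""
    problems = []
    native, tagged = ap_vlans(ap_config)
    if len(native) != 1:
        problems.append(f"AP declares {len(native)} native VLANs {sorted(native)}; expected exactly one")
    if not SW_TRUNK.search(port_config):
        problems.append("switch port has no 'switchport mode trunk'; the AP's tagged VLANs cannot be carried")
        return problems
    m = SW_NATIVE.search(port_config)
    sw_native = int(m.group(1)) if m else 1                 # IOS default native VLAN
    if native and native != {sw_native}:
        problems.append(f"native VLAN mismatch: AP {sorted(native)} vs switch port {sw_native}")
    m = SW_ALLOWED.search(port_config)
    allowed = _expand(m.group(1)) if m else set(range(1, 4095))   # default: all allowed
    missing = sorted((native | tagged) - allowed)
    if missing:
        problems.append(f"VLANs used by the AP but not allowed on the trunk: {missing}")
    return problems


# Constructed samples, modelled on the AP and switch snippets on this page.
AP_CFG = """\
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface Dot11Radio0.100
 encapsulation dot1Q 100 native
 bridge-group 1
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
interface GigabitEthernet0.100
 encapsulation dot1Q 100 native
 bridge-group 1
"""
SW_OK = "interface FastEthernet1/0/10\n switchport trunk native vlan 100\n switchport mode trunk\n"
SW_BAD = ("interface FastEthernet1/0/10\n switchport trunk native vlan 1\n"
          " switchport trunk allowed vlan 1,35\n switchport mode trunk\n")
SW_ACCESS = "interface FastEthernet1/0/10\n switchport access vlan 100\n switchport mode access\n"

if __name__ == "__main__":
    for label, port in (("ok", SW_OK), ("bad", SW_BAD), ("access", SW_ACCESS)):
        print(label, check_ap_uplink(AP_CFG, port) or ["no problems"])
```

The second thread on this page (AP native 1 against a switchport native of 35) is the mismatch case: with the AP declaring "encapsulation dot1Q 1 native" and the port set to native 35, check_ap_uplink reports exactly that pair.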
LAN Switches cannot be accessed by Telnet, SSH or console in native vlan
Hi to all of you:
I do have a question about tagging the native vlan.
In our network we have about 90 L2 and L3 switches (2950 the oldest, 2960, 2960S, 3560 PoE, 3750 and 4503E), we are running VTP, and there are 43 vlans within the entire network.
Our native VLAN is still vlan 1, and there are many corporate applications running in this vlan.
We upgraded the IOS on the switches to the latest IOS version about 6 months ago, and after that we started to have issues on the switches related to accessing the switch, either by telnet, SSH, or even console. However, the switch is still working fine; I mean, it is doing all bridging and switching of traffic.
I have to reset or reload (power cycle) if I want to access the switch.
I have read that having the native vlan can be a problem.
Could you please let me know if you have gone through this problem?
Thanks in advance for your help.
Javier F. Berthin H.
Hi Karhtick:
I guess you have the best answer; you suggested the memory command and I am attaching the result.
Should the next step be to downgrade the IOS? Because we did the upgrade just in order to have the latest IOS published by Cisco.
If you need the config please let me know, for complementary comments.
Thanks for your help.
Javier
Core_Toldos#
Core_Toldos#
Core_Toldos#sh processes memory sorted
Processor Pool Total: 57114592 Used: 42061488 Free: 15053104
I/O Pool Total: 12582912 Used: 9397428 Free: 3185484
Driver te Pool Total: 1048576 Used: 40 Free: 1048536
PID TTY Allocated Freed Holding Getbufs Retbufs Process
0 0 56706116 14325484 38372056 0 0 *Init*
197 0 4506712 2363500 1463652 0 0 Auth Manager
0 0 0 0 1443720 0 0 *MallocLite*
0 0 577244636 370831296 916016 12457311 3203234 *Dead*
236 0 532808 46152 507068 0 0 IP ARP Adjacency
303 0 1335768 890528 450448 0 0 ADJ resolve proc
230 0 27640244 15996 378344 10152 0 CDP Protocol
77 0 368260 14413456 377820 0 0 EEM ED ND
102 0 385848 232 362236 0 0 HLFM address lea
404 0 3397428 3069392 334928 0 0 hulc running con
192 0 307492 21604 294808 0 0 HL2MCM
193 0 356552 70624 294744 0 0 HL2MCM
357 0 265100 0 275260 100548 0 EEM ED Syslog
365 0 126849404 86726456 255248 0 0 EEM Server
87 0 569060 274864 244984 0 0 Stack Mgr Notifi
203 0 753032 492440 164316 0 0 DTP Protocol
201 0 737920 526656 159424 0 0 802.1x switch
13 0 505129716 504972016 156620 0 0 ARP Input
Core_Toldos# -
Does the dot1q native VLAN need to be defined on the switch?
I understand the issues with using VLAN 1 as the native VLAN on a dot1q trunk. I follow best practices and change the native VLAN to a VLAN that does not carry any other traffic (switchport trunk native vlan x). I usually go a step further and do not define the VLAN in the switch configuration. This way if traffic bleeds into the native VLAN because it is untagged then it cannot go anywhere. So if I use VLAN 999 as the native VLAN, I do not create VLAN 999 on the switch. I’m curious if anyone else does this or if there are any thoughts on whether this is a good or bad practice?
If you are tagging your native VLAN but do not have that VLAN in the vlan database - it makes no difference if the VLAN exists or not in my opinion. All the vlans on your trunks would be tagged anyway.
It seems like a clever idea, but I'm not sure if it provides any benefit. -
Wireless AP native vlan and switch trunk
Hi,
I am unable to ping my AP. I think it is due to multiple vlan issues; can you provide some advice? My config for the AP and switch is as below.
AP Config
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hostname
logging rate-limit console 9
enable secret 5 $1$ZxN/$eYOf/ngj7vVixlj.wjG2G0
no aaa new-model
ip cef
dot11 syslog
dot11 ssid Personal
vlan 2
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 070E26451F5A17113741595D
crypto pki token default removal timeout 0
username Cisco password 7 1531021F0725
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
stbc
beamform ofdm
station-role root
no dot11 extension aironet
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
no dfs band block
stbc
beamform ofdm
channel dfs
station-role root
interface Dot11Radio1.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio1.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.1.100 255.255.255.0
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
password 7 01181101521F
login
transport input all
end
Switch Port config
interface FastEthernet1/0/10
switchport trunk native vlan 100
switchport mode trunk
I will re-check the routing again, but could it be some bridging issue?
interface GigabitEthernet0
no ip address
duplex auto
speed auto
**** unable to put this command on the Gigabit port
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
I try to put this command on the GigabitEthernet port but it does not allow me; could this be the bridging issue?