NATIVE VLAN on 4006 (CatOS) Switch
Hi,
How can we configure the native VLAN on 4006 (CatOS) switches?
Thanks in Advance.
Hi,
To control the tagging of the native VLAN traffic on 802.1Q private VLAN trunks, use the tag command.
switchport private-vlan trunk native vlan
Similar Messages
-
I have 7 access switches; one switch is connected to the 2nd switch with an RJ45 trunk and the other switches are cascaded with each other.
My question is, is a native VLAN necessary on all access switches, and if yes, then?
Overview: SW1 trunk port Fa0/1 to SW2 Fa0/13.
SW2-SW3-SW4-SW5-SW6-SW7 (cascading).
SW4 connected to the core switch trunk port.
The encapsulation type is dot1q and the cascaded switches are in half duplex, but the switch that has the RJ45 trunk connectivity with the 2nd switch is in auto duplex, and the connectivity to the core switch from one of the access switches is also in auto duplex.
Is that affecting speed? Thank you for that.
Last thing I want to know: can I remove the native VLANs from the uplink and GB ports?
Is it necessary to keep the native VLAN?
If no, then why?
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 100 ******
switchport mode trunk
interface GigabitEthernet0/2
description *** Cascaded to...***
duplex half
switchport trunk encapsulation dot1q
switchport trunk native vlan 100 **** (Can I remove, if no use?)
switchport mode trunk -
Various questions on uplink profiles, CoS, native VLAN, downlink trunking
I will be using vPC End Host Mode with MAC-pinning. I see I can further configure MAC-Pinning. Is this required or will it automatically forward packets by just turning it on? Is it also best not to enable failover for the vnics in this configuration? See this text from the Cisco 1000V deployment Guide:
Fabric Fail-Over Mode
Within the Cisco UCS M71KR-E, M71KR-Q and M81KR adapter types, the Cisco Unified Computing System can
enable a fabric failover capability in which loss of connectivity on a path in use will cause remapping of traffic
through a redundant path within the Cisco Unified Computing System. It is recommended to allow the Cisco Nexus
1000V redundancy mechanism to provide the redundancy and not to enable fabric fail-over when creating the
network interfaces within the UCS Service Profiles. Figure 3 shows the dialog box. Make sure the Enable Failover
checkbox is not checked."
What is the 1000V redundancy? I didn't know it has redundancy. Is it the MAC-Pinning set up in the 1000V? Is it Network State Tracking?
The 1000V has redundancy and we can even pin VLANs to whatever vNIC we want. See Cisco's Best Practices for Nexus 1000V and UCS.
Nexus 1000V management VLAN. Can I use the same VLAN for this and for ESX management and for switch management? E.g. VLAN 3 for everything.
According to the below text (1000V Deployment Guide), I can have them all in the same vlan:
There are no best practices that specify whether the VSM
and the VMware ESX management interface should be on the same VLAN. If the management VLAN for
network devices is a different VLAN than that used for server management, the VSM management
interface should be on the management VLAN used for the network devices. Otherwise, the VSM and the
VMware ESX management interfaces should share the same VLAN.
I will also be using CoS and Qos to prioritize the traffic. The CoS can either be set in the 1000V (Host control Full) or per virtual adapter (Host control none) in UCS. Since I don't know how to configure CoS on the 1000V, I wonder if I can just set it in UCS (per adapter) as before when using the 1000V, ie. we have 2 choices.
Yes, you can still manage CoS using QoS on the vnics when using 1000V:
The recommended action in the Cisco Nexus 1000V Series is to assign a class of service (CoS) of 6 to the VMware service console and VMkernel flows and to honor these QoS markings on the data center switch to which the Cisco UCS 6100 Series Fabric Interconnect connects. Marking of QoS values can be performed on the Cisco Nexus 1000V Series Switch in all cases, or it can be performed on a per-VIF basis on the Cisco UCS M81KR or P81E within the Cisco Unified Computing System with or without the Cisco Nexus 1000V Series Switch.
Something else: Native VLANs
Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is set up. Why? I have been advised to leave out the native VLAN.
Example: Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (e.g. VLAN 2)? Can I just configure an access port with the same VLAN ID as the native VLAN, i.e. 2, and connect to it with a PC using the same IP network address?
And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
No, port channel should not be configured when MAC-pinning is configured.
[Robert] The VSM doesn't participate in STP so it will never send BPDUs. However, since VMs can act like bridges & routers these days, we advise adding two commands to your upstream VEM uplinks - PortFast and BPDUFilter. PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDUs from VMs. I prefer to ignore them rather than using BPDU Guard - which will shut down the interface if BPDUs are received.
-Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
Edit: 26 July 14:23. Found answers to many of my many questions...Answers inline.
Atle Dale wrote:
Something else: Native VLANs
Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is set up. Why? I have been advised to leave out the native VLAN.
[Robert] The native VLAN is assigned per hop. This means between the 1000v Uplinks port profile and your UCS vNIC definition, the native VLAN should be the same. If you're not using a native VLAN, the "default" VLAN will be used for control traffic communication. The native VLAN and default VLAN are not necessarily the same. Native refers to VLAN traffic without an 802.1q header and can be assigned or not. A default VLAN is mandatory. This happens to start as VLAN 1 in UCS but can be changed. The default VLAN will be used for control traffic communication. If you look at any switch (including the 1000v or Fabric Interconnects) and do a "show int trunk" from the NXOS CLI, you'll see there's always one VLAN allowed on every interface (by default VLAN 1) - this is your default VLAN.
Example: Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (e.g. VLAN 2)? Can I just configure an access port with the same VLAN ID as the native VLAN, i.e. 2, and connect to it with a PC using the same IP network address?
[Robert] There's no VLAN 0. An access port doesn't use a native VLAN - as it's assigned to only a single VLAN. A trunk on the other hand carries multiple VLANs and can have a native VLAN assigned. Remember your native VLAN usage must be matched between each hop. Most network admins set up the native VLAN to be the same throughout their network for simplicity.
In your example, you wouldn't set your VM's port profile to be in VLAN 0 (doesn't exist), but rather VLAN 2 as an access port. If VLAN 2 also happens to be your native VLAN northbound of UCS, then you would configure VLAN 2 as the native VLAN on your UCS Ethernet uplinks. On the switch northbound of the UCS Interconnects you'll want to ensure on the receiving trunk interface VLAN 2 is set as the native VLAN also.
Summary:
1000v - VM vEthernet port profile set as access port VLAN 2
1000v - Ethernet Uplink port profile set as trunk with Native VLAN 2
UCS - vNIC in Service Profile allowing all required VLANs, and VLAN 2 set as Native
UCS - Uplink Interface(s) or Port Channel set as trunk with VLAN 2 as Native VLAN
Upstream Switch from UCS - Set as trunk interface with Native VLAN 2
From this example, your VM will be reachable on VLAN 2 from any device - assuming you have L3/routing configured correctly also.
And is it important to trunk this native VLAN? I see in a NetApp FlexPod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
[Robert] This statement recommends "not" to use a native VLAN. This is a practice by some people. Rather than using a native VLAN throughout their network, they tag everything. This doesn't change the operation or reachability of any VLAN or device - it's simply a design decision. The reason some people opt not to use a native VLAN is that almost all switches use VLAN 1 as the native by default. So if you're using the native VLAN 1 for management access to all your devices, and someone connects in (without your knowing) another switch and simply plugs into it - they'd land on the same VLAN as your management devices and potentially do harm.
What about the downlinks from the FI to the chassis? Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning?
[Robert] On the first generation hardware (6100 FI and 2104 IOM) port channeling is not possible. With the latest HW (6200 and 2200) you can create port channels with all the IOM - FI server links. This is not configurable. You either tell the system to use Port Channel or Individual Links. The major bonus of using a Port Channel is losing a link doesn't impact any pinned interfaces - as it would with individual server interfaces. To fix a failed link when configured as "Individual" you must re-ack the Chassis to re-pin the virtual interfaces to the remaining server uplinks. In regards to 1000v uplinks - the only supported port channeling method is "Mac Pinning". This is because you can't port channel physical interfaces going to separate Fabrics (one to A and one to B). Mac Pinning gets around this by using pinning so all uplinks can be utilized at the same time.
--
[Robert] The VSM doesn't participate in STP so it will never send BPDUs. However, since VMs can act like bridges & routers these days, we advise adding two commands to your upstream VEM uplinks - PortFast and BPDUFilter. PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDUs from VMs. I prefer to ignore them rather than using BPDU Guard - which will shut down the interface if BPDUs are received.
-Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
[Robert] The two STP commands would be used only when the VEM (ESX host) is directly connected to an upstream switch. For UCS these two commands do NOT apply. -
WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan
Hi
We have approx. 1500 access points in approx. 500 locations. WLCs are WiSM2s running 7.4.110.0. The APs are 1131 LAPs. In a FlexConnect configuration we use VLAN 410 as the native VLAN and the SSID (LAN) is also in VLAN 410. This works fine; we never had any problems with this.
Now we have started using 1602 APs and the client connection on SSID LAN becomes unstable.
If we configure a different SSID, using VLAN 420 and native VLAN 410, everything works fine.
I can't find any recommendations regarding the use of native VLAN/SSID VLAN.
Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug within 1602 access points?
Regards,
Lars Christian
It is the recommended design to put FlexConnect AP management into the native VLAN and user traffic into a tagged VLAN.
From the QoS perspective, if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a VLAN (other than the native VLAN) and trust CoS on the switch port connected to the FlexConnect AP (usually configured as a trunk port).
HTH
Rasika
-
Does the dot1q native VLAN need to be defined on the switch?
I understand the issues with using VLAN 1 as the native VLAN on a dot1q trunk. I follow best practices and change the native VLAN to a VLAN that does not carry any other traffic (switchport trunk native vlan x). I usually go a step further and do not define the VLAN in the switch configuration. This way if traffic bleeds into the native VLAN because it is untagged then it cannot go anywhere. So if I use VLAN 999 as the native VLAN, I do not create VLAN 999 on the switch. I’m curious if anyone else does this or if there are any thoughts on whether this is a good or bad practice?
If you are tagging your native VLAN but do not have that VLAN in the VLAN database, it makes no difference whether the VLAN exists or not, in my opinion. All the VLANs on your trunks would be tagged anyway.
It seems like a clever idea, but I'm not sure if it provides any benefit. -
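The point behind the practice in the post above, and behind Robert's remark in the UCS thread that an unexpected switch plugged into a VLAN-1 native trunk "lands on the same VLAN as your management devices", is that on a trunk "no tag" is still a VLAN membership, and that a frame whose outer tag is the native VLAN loses that tag on egress. The model below is an added example, not code from any post in this thread. Frame layout follows IEEE 802.1Q; the VLAN numbers, MAC addresses, the access-port rule that a frame tagged with its own access VLAN is accepted, and the tag_native switch (modelled on IOS "vlan dot1q tag native", assumed here to discard untagged ingress) are assumptions made for the example.

```python
"""Toy 802.1Q access/trunk port model: where untagged, tagged and
double-tagged frames end up, and what tagging the native VLAN or
dropping it from the allowed list changes. Added illustration only."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
ATTACKER_MAC = "02:00:00:00:00:01"   # constructed
BROADCAST = "ff:ff:ff:ff:ff:ff"


def build_frame(dst, src, payload, vlans=()):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first.
    PCP/DEI bits are left at zero."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETH_P_IPV4) + payload


def pop_tag(frame):
    """Return (vid, frame without its outer tag), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


class AccessPort:
    """Untagged frames join the access VLAN; a frame tagged with the access
    VLAN itself is accepted and stripped (assumed Catalyst behaviour, the
    one double tagging relies on); any other tag is dropped."""
    def __init__(self, vlan):
        self.vlan = vlan

    def ingress(self, frame):
        vid, inner = pop_tag(frame)
        if vid is None:
            return self.vlan, frame
        if vid == self.vlan:
            return self.vlan, inner
        return None, frame


class TrunkPort:
    def __init__(self, native, allowed, tag_native=False):
        self.native = native
        self.allowed = set(allowed)
        self.tag_native = tag_native

    def ingress(self, frame):
        """Classify a received frame into a VLAN; (None, frame) means dropped."""
        vid, inner = pop_tag(frame)
        if vid is None:
            if self.tag_native:            # assumption: untagged is discarded once native is tagged
                return None, frame
            vid, inner = self.native, frame  # untagged -> native VLAN
        if vid not in self.allowed:
            return None, frame
        return vid, inner

    def egress(self, vid, frame):
        """Frame leaving the trunk: native VLAN goes out untagged unless tag_native."""
        if vid not in self.allowed:
            return None
        if vid == self.native and not self.tag_native:
            return frame
        return push_tag(frame, vid)


def simulate_double_tag(native, attacker_vlan, victim_vlan, allowed=None, tag_native=False):
    """Host on an access port in attacker_vlan sends a [native][victim] frame
    through switch A's trunk to switch B. Returns the VLAN switch B delivers
    it in, or None if it is dropped on the way."""
    allowed = {native, attacker_vlan, victim_vlan} if allowed is None else set(allowed)
    crafted = build_frame(BROADCAST, ATTACKER_MAC, b"hello", vlans=(native, victim_vlan))
    vid, frame = AccessPort(attacker_vlan).ingress(crafted)
    if vid is None:
        return None
    wire = TrunkPort(native, allowed, tag_native).egress(vid, frame)
    if wire is None:
        return None
    landed, _ = TrunkPort(native, allowed, tag_native).ingress(wire)
    return landed


def classify_untagged(native, allowed):
    """Where an ordinary untagged frame arriving on a trunk ends up."""
    frame = build_frame(BROADCAST, ATTACKER_MAC, b"hello")
    vid, _ = TrunkPort(native, allowed).ingress(frame)
    return vid


if __name__ == "__main__":
    print("native untagged, allowed:", simulate_double_tag(1, 1, 20))
    print("native tagged:", simulate_double_tag(1, 1, 20, tag_native=True))
    print("native not in allowed list:", simulate_double_tag(1, 1, 20, allowed={20, 30}))
    print("untagged frame, unused native 999:", classify_untagged(999, {10, 20}))
```

The first call shows the hop: the outer tag equals the native VLAN, so switch A sends the frame untagged and switch B reads the inner tag. Either tagging the native VLAN or, as the FlexPod note quoted above does, keeping it out of the allowed list stops it, and an untagged frame arriving on a trunk whose native VLAN is an unused, non-allowed number goes nowhere, which is the effect the post above is after.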
Wireless AP native vlan and switch trunk
Hi,
I am unable to ping my AP; I think it is due to multiple VLAN issues. Can you provide some advice? My config for the AP and switch is below.
AP Config
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hostname
logging rate-limit console 9
enable secret 5 $1$ZxN/$eYOf/ngj7vVixlj.wjG2G0
no aaa new-model
ip cef
dot11 syslog
dot11 ssid Personal
vlan 2
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 070E26451F5A17113741595D
crypto pki token default removal timeout 0
username Cisco password 7 1531021F0725
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
stbc
beamform ofdm
station-role root
no dot11 extension aironet
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
no dfs band block
stbc
beamform ofdm
channel dfs
station-role root
interface Dot11Radio1.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio1.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.1.100 255.255.255.0
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
password 7 01181101521F
login
transport input all
end
Switch Port config
interface FastEthernet1/0/10
switchport trunk native vlan 100
switchport mode trunk
I will re-check the routing again, but could it be some bridging issue?
interface GigabitEthernet0
no ip address
duplex auto
speed auto
**** unable to put this command on the giga port
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
I tried to put this command on the GigabitEthernet port but it does not allow me; could this be the bridging issue? -
Significance of native vlan in switching environment
Folks,
Can someone please tell me the significance of the native VLAN in a switched environment. I mean, why do we need it? And why does it not get tagged by the switches when it is going over a trunk?
Thanks
Thanks for the response, I will make sure that I grade this post. In continuation of our discussion:
Why did dot1q come up with a concept like the native VLAN? What was the purpose behind it? Why did they think of sending VLAN information from one switch to the other without tagging it?
Also, in a layer 2 switch, let's say that I have VLAN 1 in shutdown mode and all ports are in VLAN 100, and I create an int vlan 100; does this VLAN automatically become the management VLAN, since it has an IP address?
Thanks -
Native Vlan Mismatch on Switch LD connected to
I am running 3 switches each with the same 3 vlans. I also have 2 local directors in failover mode. The primary has interfaces connected to switch one and the secondary has interfaces to switch two. Trunking is disabled on all device ports but enabled on a dedicated fiber connection between the 2 switches
The first vlan is vlan 1 for management
The second is vlan 2 for the gateway side of the local directors
The third is vlan 3 for the server side of the local directors
On the primary switch I am logging CDP messages telling me i have a native vlan mismatch on the 2 local director ports. The secondary switch I dont get these messages.
Any ideas what is going on here and why? Thanks, Art.
You mention above "but trunking is enabled on a dedicated fiber connection between the two switches", therefore trunking is enabled.
Because trunked ports need to be assigned to the same native VLAN, I would do a "show trunk" and verify that the ports used for trunking on each switch are assigned to the same native VLAN; I've seen the mismatch if they are not. That command above is if your switch is using CatalystOS; otherwise, use this command for native IOS: sh int fast 0/1 switchport, and look for the "trunking native mode vlan" number. They must match on each side. To correct the problem, do "set vlan 1 4/10" to assign port 4/10 to VLAN 1, which is your management VLAN, which I assume you've chosen to be your native VLAN.
Hope this helps. -
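The check in the answer above (compare the native VLAN on both ends of the trunk) is easy to script against the output of `show interfaces trunk`, whose format appears further down this page. The script below is an added example, not code from the thread; the two captures it parses are constructed in the 3560's output format, and the two extra findings it reports (native VLAN left at 1, native VLAN present in the allowed list so untagged frames are admitted) come from the native-VLAN discussion earlier on this page, not from the answer it follows.

```python
"""Audit one trunk link from `show interfaces trunk` output captured on
both switches. Added example; captures below are constructed."""

SWITCH_A = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/15      on               802.1q         trunking      35
Gi0/16      on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/15      1-4094
Gi0/16      10,20,30

Port        Vlans allowed and active in management domain
Gi0/15      1,10-14,18,20,22,30,35
Gi0/16      10,20,30
"""

SWITCH_B = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/2       on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       10,20,30
"""


def expand_vlan_list(text):
    """'1,10-14,18' -> {1, 10, 11, 12, 13, 14, 18}; 'none' -> empty set."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(output):
    """Return {port: {"native": int, "allowed": set}} from the first two tables.
    The 'allowed and active' and 'forwarding state' tables are skipped."""
    ports, section = {}, None
    for line in output.splitlines():
        if line.startswith("Port"):
            if "Native vlan" in line:
                section = "native"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None
            continue
        fields = line.split()
        if section is None or not fields:
            continue
        entry = ports.setdefault(fields[0], {})
        if section == "native":
            entry["native"] = int(fields[-1])
        else:
            entry["allowed"] = expand_vlan_list(fields[1])
    return ports


def audit_trunk(side_a, port_a, side_b, port_b):
    """Findings for one link: mismatch (the CDP/STP complaint in this thread),
    native still VLAN 1, and native admitted as untagged traffic."""
    a = parse_show_trunk(side_a)[port_a]
    b = parse_show_trunk(side_b)[port_b]
    return {
        "native_a": a["native"],
        "native_b": b["native"],
        "mismatch": a["native"] != b["native"],
        "native_is_vlan1": 1 in (a["native"], b["native"]),
        "native_carries_traffic": a["native"] in a["allowed"] or b["native"] in b["allowed"],
    }


if __name__ == "__main__":
    print(audit_trunk(SWITCH_A, "Gi0/15", SWITCH_B, "Gi0/1"))  # mismatched, VLAN 1, native allowed
    print(audit_trunk(SWITCH_A, "Gi0/16", SWITCH_B, "Gi0/2"))  # clean: 999 both ends, not allowed
```

On CatOS the equivalent input is `show trunk`, whose columns differ, so the header matching would need adjusting; the comparison itself is the same.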
I have a question regarding the default native vlan, I have a cisco based environment and I set vlan XXX on a native on trunk links, I also running Multiple Spanning Tree on my switches & create instances for vlan segregation.
My question is here could I put vlan 1 (default) in any of instance or not?
Thanks & Regards,
With MST, it is not running per-VLAN spanning tree; it sends all BPDUs via instance 0, which is called the CIST. These frames are sent untagged via the native VLAN. Normally this is VLAN 1, but if you change it to another VLAN then the BPDUs are sent untagged on that native VLAN.
Regarding whether to use instance 0 or not, it is often recommended to create as many instances as you need to create the desired topology (usually two) and put your VLANs in those instances. It's a good practice to map all your VLANs straight away, because changing the instance-to-VLAN mapping makes the MST region become multi-region until they all have the same instance-to-VLAN mapping.
I would keep all VLANs out of instance 0 but it's definitely possible to have VLANs mapped in instance 0 as well.
Daniel Dib
CCIE #37149
-
Native VLAN on wired switch and wireless AP
On our 3560g switch we have g0/15 set up as a trunk to connect our wireless AP.
Port Mode Encapsulation Status Native vlan
Gi0/15 on 802.1q trunking 35
Port Vlans allowed on trunk
Gi0/15 1-4094
Port Vlans allowed and active in management domain
Gi0/15 1,10-14,18,20,22,30,35
Port Vlans in spanning tree forwarding state and not pruned
Gi0/15 1,10-14,18,20,22,30,35
On my AP I have the native VLAN as 1.
From my reading I found that the AP and the switch port should have the same native VLAN on both ends of the trunk. Well, my access point will not work unless the AP trunk is on 1 and the switch is on 35. Any ideas?
dot11 ssid guestwifi
vlan 20
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
dot11 ssid nwifi
vlan 35
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
guest-mode
dot11 arp-cache optional
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
encryption vlan 35 mode ciphers aes-ccm tkip
encryption vlan 1 mode ciphers aes-ccm tkip
encryption vlan 20 mode ciphers aes-ccm tkip
ssid guestwifi
ssid raydonwifi
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no dot11 extension aironet
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
interface Dot11Radio0.35
encapsulation dot1Q 35
no ip route-cache
bridge-group 35
bridge-group 35 block-unknown-source
no bridge-group 35 source-learning
no bridge-group 35 unicast-flooding
bridge-group 35 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption mode ciphers tkip
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
channel 5200
station-role root bridge
antenna receive right
antenna transmit right
bridge-group 1
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 spanning-disabled
interface FastEthernet0.35
encapsulation dot1Q 35
no ip route-cache
bridge-group 35
bridge-group 35 spanning-disabled
interface BVI1
ip address 192.168.35.12 255.255.255.0
no ip route-cache
ip default-gateway 192.168.35.1
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community home RO
snmp-server enable traps tty
control-plane
bridge 1 route ip
line con 0
access-class 111 in
transport preferred all
transport output all
line vty 0 4
access-class 111 in
transport preferred all
transport input all
transport output all
line vty 5 15
access-class 111 in
transport preferred all
transport input all
transport output all
end -
How one Switch identify the Native vlan mismatch
Dear All,
I am using two Cisco L2 switches. Both are connected by a trunk link. Unfortunately I configured different native VLANs on the two switches. Suddenly I got an error that native VLAN mismatch. When I changed the configuration, it started working fine. My question is, how does one switch identify the native VLAN mismatch (by BPDU, CDP or packet)? Please mention which of the following is used by the switch to identify a native VLAN mismatch.
Regards,
Sanjib
Sanjib, Karsten,
It's CDP.
Yes, and STP as well if you run a trunk between the two switches. PVST+ and RPVST+ BPDUs have a TLV in their trailer that carries the VLAN number for which the BPDU was originated. If the BPDU is received in a different VLAN (caused by a native VLAN mismatch), the receiving switch will be able to detect it.
Wireshark 1.12.x will be capable of displaying this TLV field in captured PVST+ and RPVST+ BPDUs. Until 1.12.x is released, you may want to try daily builds from:
http://www.wireshark.org/download/automated/
They already incorporate the enhancement.
Best regards,
Peter -
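Peter's answer describes the STP side of the detection: a PVST+ BPDU carries the VLAN it was sent for in a trailer TLV, and the receiver compares that with the VLAN it actually arrived in. The code below builds and parses such a frame and applies that comparison; it is an added example, not code from the thread and not Cisco's implementation. The encapsulation it uses is the Cisco SSTP format (destination 01:00:0c:cc:cc:cd, SNAP OUI 00:00:0c, PID 0x010b, type-0 "originating VLAN" TLV after the config BPDU); the MAC addresses and VLAN numbers are constructed.

```python
"""Build/parse PVST+ (SSTP) BPDUs and reproduce the receive-side native
VLAN mismatch check. Added example; constructed inputs."""
import struct

PVST_DST = bytes.fromhex("01000ccccccd")             # Cisco SSTP multicast
SNAP_PVST = bytes.fromhex("aaaa03" "00000c" "010b")   # LLC/SNAP header for PVST+
TLV_ORIGINATING_VLAN = 0x0000


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_pvst_bpdu(src_mac, originating_vlan, tag_vlan=None, priority=32768):
    """Configuration BPDU as a PVST+ bridge sends it for one VLAN. It goes
    untagged (tag_vlan=None) for the sender's own native VLAN, tagged otherwise."""
    eth = PVST_DST + _mac(src_mac)
    if tag_vlan is not None:
        eth += struct.pack("!HH", 0x8100, tag_vlan & 0x0FFF)
    # bridge ID = 4-bit priority + 12-bit system-ID extension (the VLAN) + MAC
    bridge_id = struct.pack("!H", (priority & 0xF000) | originating_vlan) + _mac(src_mac)
    bpdu = (struct.pack("!HBBB", 0, 0, 0, 0)          # protocol, version, type=config, flags
            + bridge_id + struct.pack("!I", 0)        # root ID, root path cost
            + bridge_id                               # sending bridge ID
            + struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256))  # port, age, max, hello, fwd
    tlv = struct.pack("!HHH", TLV_ORIGINATING_VLAN, 2, originating_vlan)
    payload = SNAP_PVST + bpdu + tlv
    return eth + struct.pack("!H", len(payload)) + payload   # 802.3 length field


def parse_pvst_bpdu(frame):
    """Return the 802.1Q tag (or None), the VLAN in the sender's bridge ID, and
    the VLAN from the originating-VLAN TLV (None if the TLV is absent)."""
    off, tag = 12, None
    if struct.unpack("!H", frame[12:14])[0] == 0x8100:
        tag = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        off = 16
    length = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    end = off + length
    if frame[off:off + 8] != SNAP_PVST:
        raise ValueError("not a PVST+ (SSTP) frame")
    off += 8
    _, _, bpdu_type, _ = struct.unpack("!HBBB", frame[off:off + 5])
    bridge_id = frame[off + 17:off + 25]          # after proto/ver/type/flags, root ID, cost
    sysid_vlan = struct.unpack("!H", bridge_id[:2])[0] & 0x0FFF
    off += 35                                     # fixed part of a configuration BPDU
    if bpdu_type == 0x02:                         # RSTP BPDU adds a version-1 length byte
        off += 1
    originating = None
    while off + 4 <= end:                         # trailer TLVs: type, length, value
        ttype, tlen = struct.unpack("!HH", frame[off:off + 4])
        value = frame[off + 4:off + 4 + tlen]
        off += 4 + tlen
        if ttype == TLV_ORIGINATING_VLAN and tlen == 2:
            originating = struct.unpack("!H", value)[0]
    return {"tag": tag, "sysid_vlan": sysid_vlan, "originating_vlan": originating}


def check_native_mismatch(frame, port_native_vlan):
    """Receiver's view: the VLAN the BPDU arrived in (its tag, or the port's
    native VLAN when untagged) versus the VLAN the sender says it is for."""
    info = parse_pvst_bpdu(frame)
    received_in = port_native_vlan if info["tag"] is None else info["tag"]
    claimed = info["originating_vlan"]
    return {"received_in": received_in, "originating": claimed,
            "mismatch": claimed is not None and received_in != claimed}


if __name__ == "__main__":
    # Switch A uses native VLAN 1, so its VLAN-1 BPDU leaves untagged;
    # switch B's port has native VLAN 35 and so reads it as arriving in VLAN 35.
    untagged = build_pvst_bpdu("00:11:22:33:44:55", 1)
    print(check_native_mismatch(untagged, 35))   # mismatch
    print(check_native_mismatch(untagged, 1))    # consistent
```

The bridge ID's system-ID extension carries the same VLAN as the TLV, so a capture tool can cross-check the two; Wireshark labels the TLV "Originating VLAN (PVID)" in the version Peter mentions.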
LAN Switches cannot be accessed by Telnet, SSH or console in native vlan
Hi to all of you:
I do have a question about tagging the native vlan.
In our network we do have about 90 L2 and L3 switches, 2950 the oldest, 2960, 2960S, 3560 PoE, 3750 and 4503E, and we are running VTP, and 43 vlans within the entire network.
Our native VLAN is still VLAN 1, and there are many corporate applications running in this VLAN.
We upgraded the IOS on the switches to the latest IOS version about 6 months ago, and after that we started to have issues on the switches related to accessing the switch, either by telnet, SSH, or even console. However, the switch is still working fine; I mean, it is doing all bridging and switching of traffic.
I have to reset or reload (power cycle) if I want to access the switch.
I have read that having the native vlan can be a problem.
Could you please let me know if you have gone through this problem?
Thanks in advance for your help.
Javier F. Berthin H.
Hi Karhtick:
I guess you have the best answer; you suggested the memory command and I am attaching the result.
Should the next step be to downgrade the IOS? Because we did the upgrade just in order to have the latest IOS published by Cisco.
If you need the config please let me know, for complementary comments.
Thanks for your help.
Javier
Core_Toldos#
Core_Toldos#
Core_Toldos#sh processes memory sorted
Processor Pool Total: 57114592 Used: 42061488 Free: 15053104
I/O Pool Total: 12582912 Used: 9397428 Free: 3185484
Driver te Pool Total: 1048576 Used: 40 Free: 1048536
PID TTY Allocated Freed Holding Getbufs Retbufs Process
0 0 56706116 14325484 38372056 0 0 *Init*
197 0 4506712 2363500 1463652 0 0 Auth Manager
0 0 0 0 1443720 0 0 *MallocLite*
0 0 577244636 370831296 916016 12457311 3203234 *Dead*
236 0 532808 46152 507068 0 0 IP ARP Adjacency
303 0 1335768 890528 450448 0 0 ADJ resolve proc
230 0 27640244 15996 378344 10152 0 CDP Protocol
77 0 368260 14413456 377820 0 0 EEM ED ND
102 0 385848 232 362236 0 0 HLFM address lea
404 0 3397428 3069392 334928 0 0 hulc running con
192 0 307492 21604 294808 0 0 HL2MCM
193 0 356552 70624 294744 0 0 HL2MCM
357 0 265100 0 275260 100548 0 EEM ED Syslog
365 0 126849404 86726456 255248 0 0 EEM Server
87 0 569060 274864 244984 0 0 Stack Mgr Notifi
203 0 753032 492440 164316 0 0 DTP Protocol
201 0 737920 526656 159424 0 0 802.1x switch
13 0 505129716 504972016 156620 0 0 ARP Input
Core_Toldos# -
Is it possible to configure AAA and EAPFAST on a 3750G switch to use a vlan other than vlan1 for management/native vlan? We are working with RADIUS on Server 2008.
Hi John,
Yes, you can do that.
On 3750 you can take a look at the feature called 802.1x Authentication with VLAN Assignment:
http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1289244.
Basically, you define on the RADIUS server what VLAN you want to assign to each user (or user group); then when the user connects the PC to the port, it authenticates and the RADIUS server returns the required attributes for VLAN assignment to the switch. The switch interprets them and changes the switchport to the configured VLAN.
The switch will be a simple man-in-the-middle during authentication and only processes the RADIUS Reject (if auth fails) or RADIUS Accept (if auth passes).
The authentication methods like EAP-FAST must be agreed between the RADIUS server (AAA Server) and the PC (AAA supplicant).
If you want to authenticate users based on certificates you have to use either EAP-FAST, EAP-TLS or EAP-TTLS.
The most widely spread (which comes by default on WinXP machines) authentication method is PEAP which uses MS-CHAP (username/password) to authenticate users.
HTH,
Tiago
-
How to get info over snmp on cisco switch whether native vlan on a port is tagged or not?
Hi!
I want to know which oid(s) should I query to know whether native vlan on trunk port on cisco switch is tagged or not?
I am querying the oid .1.3.6.1.4.1.9.9.46.1.6.3.0 (vlanTrunkPortsDot1qTag) on cisco 3560 (E Series) and I am getting global value. Also, this OID is showing as deprecated. So I query .1.3.6.1.4.1.9.9.246.1.6 (cltcDot1qAllTagged) and its subtree, but no value is returned.
Switch Version is
Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(50)SE2
Keep in mind that DHCP is a broadcast packet to start. So the AP can only listen in the subnet that it has an IP address for.
Now, for any other subnet you can use the AP for DHCP but you have to have an IP helper address on your L3 pointing back to the AP.
That being said, I wouldn't use the DHCP server on the AP as it is limited. You'd be better off using a Microsoft server or some other device that is designed for DHCP.
HTH,
Steve -
Hi, can anyone explain how native VLAN configuration should be used in UCS? When creating a vNIC and checking "trunk", you then select the VLANs to be allowed in the trunk; there is also a native VLAN radio button beside each VLAN. If the Cat 6509 uplink switch is connected to the Fabric Interconnect using a normal trunk configuration as follows:
interface ten5/2
switchport
switchport trunk encap dot1q
switchport mode trunk
With the above config on the Cat6509, assuming default VLAN 1 is the native VLAN, does that mean that I have to check native VLAN 1 when configuring the vNIC? Thanks Eng Wee
Hi folks,
Although an old post, still an up-to-date issue! I've just got round it in my implementation!
Was looking at all sorts of places, but you need to ensure that not only is your native VLAN set at your switch end (connecting to the FIs) to the iSCSI VLAN, but also on your relevant vNICs in your service profiles, AND AND AND, it needs to be set as the system native VLAN in the LAN tab.
Also to note, you don't need native vlan set the same on other links, so if your storage links 'tag' the iSCSI vlan that will be fine.
Hope this helps.
Rgds
Dominic