Problems setting up Guest VLAN on Cisco SG 300-28

Hi,
I am primarily enquiring whether the setup I have explained below is actually possible, and if so, how I can set this up. I know it isn't the easiest configuration and I need to set this up without purchasing any more equipment if at all possible.
I have a Cisco SG 300-28 set up with three VLANs:
VLAN1 (Business) - 192.168.10.0 - Switch IP 192.168.10.254
VLAN2 (VOIP) - 192.168.20.0 - Switch IP 192.168.20.1
VLAN3 (Guest) - 192.168.30.0 - Switch IP 192.168.30.1
Default Gateway is 192.168.10.1 (Netgear Router)
I have a wireless network set up (Netgear WMS and 2 WAPs) configured with two VLANs (1 and 3). These go into ports on the Cisco SG 300-28 which are tagged on both VLANs. The Business wireless worked fine but the guest network didn't route out to the internet.
After some troubleshooting I realised the reason the guest wasn't working was because there was no route back from the internet to the router.
The router I have isn't really ideal, it is a Netgear DGN2200, but I managed to create a static route to 192.168.30.1 with a metric of 2, with 192.168.10.254 being the hop.
Success, the connection worked. The only problem is that now my guest network can see my business network, because the business network is using the static route on my router to route back over to the guest network (due to the limitations of this device I can't do anything about that).
So basically, what I have is
Guest network can connect to the Business VLAN via the switch. I am assuming this is because the router is on the Business VLAN and the default gateway is the router. As they are on the same network, the Guest network can inevitably see the business server and network.
The Business network can get back to the Guest network via the router using the static route I created. The static route is really basic and I can't create a firewall rule on the router to prevent the Business network talking to the Guest network, because it only has a LAN - WAN firewall and this connection is LAN - LAN.
What I need is...
to somehow stop any traffic from the 192.168.30.0 network routing to anything on the 192.168.10.0 network, apart from the router on 192.168.10.1.
Is this possible? I have this setup on a number of different sites; the only difference is I have a Cisco Security Router on those with the VLANs configured, so I don't have this problem. Because I have a rather limited Netgear DGN2200 I am unable to set up the VLANs correctly, and as such I need to see if I can do this on the switch in any way.
Any assistance would be much appreciated.
This is my first post, by the way, so if I missed anything out that would help anybody then please let me know.
Kind Regards
David

Hi David,
Why not apply an access list to filter incoming traffic into the SG300 switch, via the command line or the GUI.
Here is an example below, by no means complete, just an example.
Just remember, we are using reverse masking in the ACE:
config
ip access-list extended restrictGuest
deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
deny tcp 192.168.30.0 0.0.0.255 any 192.168.30.1 0.0.0.0 www
deny tcp 192.168.30.0 0.0.0.255 any 192.168.30.1 0.0.0.0 telnet
deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
exit
interface gigabitethernet1
service-acl input restrictGuest
exit
Don't forget to save the configuration with the following command and respond to the prompt.
write
or do it via the GUI method
Step 1. Create an ACL name.
Step 2. Add the port-based ACE, which is the filter list.
Step 3. Apply or bind the list to a port so that the port can look at and filter pattern matches for traffic ingressing into the switch. I have given you an example of an ACE list above; you can be more creative in what you deny.
Step 4. Now add or copy the entry to other switch ports.
Remember to save your configuration change.
Hope this helps.
Regards, Dave
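The ACL approach in Dave's reply, worked through as an added example that is not from the original thread: a small Python evaluator for SG300-style extended ACEs (wildcard "reverse" masks, first-match semantics, implicit deny at the end), run over the ACEs listed above. It goes one step beyond the reply by adding the gateway exception David asked for (a permit to 192.168.10.1 placed before the deny of 192.168.10.0/24, since the first matching ACE wins); the host addresses, ports and flow names are constructed for the demonstration.

```python
# Added example (not from the original post): first-match ACL evaluation with
# Cisco wildcard masks, applied to the restrictGuest ACEs from the reply above.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard ("reverse") mask: a 1 bit means "don't care".
    addr matches base when every bit where the mask is 0 is equal."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp"/"udp"
    src: str                     # base address or "any"
    src_wc: str                  # wildcard for src (ignored when src == "any")
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # destination port for tcp/udp; None = any

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and not wildcard_match(src, self.src, self.src_wc):
            return False
        if self.dst != "any" and not wildcard_match(dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """The first ACE that matches decides; an ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


# The ACEs from the reply, in the order given ("www" = TCP 80, "telnet" = TCP 23).
ANSWER_ACL = [
    ACE("deny", "ip", "192.168.30.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    ACE("deny", "tcp", "192.168.30.0", "0.0.0.255", "192.168.30.1", "0.0.0.0", 80),
    ACE("deny", "tcp", "192.168.30.0", "0.0.0.255", "192.168.30.1", "0.0.0.0", 23),
    ACE("deny", "ip", "192.168.30.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ACE("permit", "ip", "any", "", "any", ""),
]

# Constructed variant: David's requirement is "block 192.168.10.0/24 except the
# router 192.168.10.1".  The exception must sit BEFORE the /24 deny, otherwise
# the deny matches first and the guest VLAN loses its default gateway.
GATEWAY_FIRST_ACL = [
    ACE("permit", "ip", "192.168.30.0", "0.0.0.255", "192.168.10.1", "0.0.0.0"),
] + ANSWER_ACL


def check_flows(acl) -> dict:
    """Evaluate a set of constructed sample flows from one guest host."""
    guest = "192.168.30.50"                      # constructed guest client
    flows = {
        "guest->business-server": ("tcp", guest, "192.168.10.10", 443),
        "guest->gateway":         ("udp", guest, "192.168.10.1", 53),
        "guest->voip":            ("udp", guest, "192.168.20.5", 5060),
        "guest->switch-http":     ("tcp", guest, "192.168.30.1", 80),
        "guest->switch-ssh":      ("tcp", guest, "192.168.30.1", 22),
        "guest->internet":        ("tcp", guest, "203.0.113.5", 443),
    }
    return {name: evaluate(acl, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, acl in (("reply ACL", ANSWER_ACL), ("gateway-first ACL", GATEWAY_FIRST_ACL)):
        print(label)
        for name, verdict in check_flows(acl).items():
            print(f"  {name:24s} {verdict}")
```

Note that the reply's ACEs only cover TCP 80 and 23 towards the switch's own VLAN 3 address, so other management ports stay reachable unless further ACEs are added.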

Similar Messages

  • VLANs Cisco SF 300-24

    I need to create VLANs in a Cisco SF 300-24 switch.
    Ports 1 to 6 are available for other ports (from 7 to 24).
    For example:
    port 7 is available for ports from 1 to 6 but is not available for ports from 8 to 24,
    port 8 is available for ports from 1 to 6 but is not available for ports from 9 to 24 and 7,
    port 9 is available for ports from 1 to 6 but is not available for ports from 10 to 24 and 7 and 8,
    .....(to port 24)
    How can I do it?
    When I add ports from 1 to 6 to VLAN 12, the ports were automatically removed from VLAN 11 (see attachment).

    Hi Dominik,
    Here are the rules for VLANs:
    When you set the switch port interface to access mode, a switch port can be a member of only one untagged VLAN.
    When you set the switch port interface to trunk mode, a switch port can be a member of only one untagged VLAN but also a member of many tagged VLANs.
    But what you seem to be trying to achieve is to use ports 1-7 as unprotected or open ports for ports 8-24 within the switch.
    Really seems like something called Private VLAN Edge (PVE), whereby protected ports will only forward packets to unprotected ports and not to other protected ports.
    Here is the definition found in the help text from within the switch.
    Protected Port—Select to make this a protected port. (A protected port is also referred to as a Private VLAN Edge (PVE).) The features of a protected port are as follows:
    Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and Link Aggregation Groups (LAGs)) that share the same Broadcast domain (VLAN).
    Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications.
    Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN.
    Both ports and LAGs can be defined as protected or unprotected. Protected LAGs are described in the Configuring Link Aggregation section.
    So I am wondering if you really need to configure a lot of VLANs.
    So my steps were:
    Make ports 8-24 protected ports.
    Save the configuration.
    Clicked to tick the option to protect switch port 8.
    That's what we end up with, port 8 is now protected.
    Now let's copy the settings from port 8 to ports 9-24, see the circled area below.
    Now fill in the ports you also wish to protect.
    Now ports 8-24 are protected ports.
    Hosts on these ports will only be able to communicate with hosts on ports 1-7 or switch port 24 onwards, in the case of my switch.
    Make sure you save your configuration.
    I hope this is what you want.
    Regards, Dave

  • Configure Voice and Data VLAN in CISCO SF 300 8P

    I have a couple of Cisco SF 300 8P and 24P switches. I have voice and data VLANs configured as:
    Data VLAN : Default 145.17.59.0/24
    Voice VLAN : VLAN 20 172.22.20.0/24
    I have different DHCP servers as for Data VLAN we have physical server which is configured for 145.17.59.* IP Scope and Voice VLAN DHCP Server is configured in Gateway router with option 150.
    This configuration works fine with other Cisco switches like the 2960 and 3750 etc., except the Cisco SF 300 8P and 24P. I was trying to configure both voice and data VLANs in these Cisco switches so that the Cisco phone (model 6941) should get an IP from the Voice VLAN and the PC should get an IP from the Data VLAN DHCP server. I have tried several techniques like LLDP, port to VLAN config etc.
    Can anyone please guide me/help on this.
    Regards,
    A K.M.Sayeed

    Hi A.K.M., with Cisco phones you should be able to simply set the auto voice VLAN to be VLAN 20.
    voice vlan id 20
    You should ensure CDP and/or LLDP are enabled as well. I would check this in the web GUI. DHCP for the phones can come from the switch, a DHCP server on a VLAN 20 access port, or you can use a DHCP helper to redirect DHCP to a server elsewhere.
    If you prefer, or have issues with CDP or LLDP, you can also program ports as trunks and add tagged VLAN 20 to them. In this scenario you need to ensure inter-VLAN routing is working and that the phones download a config file with the correct VLAN config.
    These switches do not run IOS, so they are similar to but different from the Catalyst switches you referred to.
    -- please remember to rate helpful posts --

  • Static VLAN with Cisco SF 300-24 - Configuration

    Hello Everyone!
    Let me start by saying that I am quite new to Cisco equipment.
    I have a new Cisco SF 300-24 and am trying to configure a static VLAN.
    What Interface VLAN Mode should I use? General or Trunk?
    I am looking for a step by step instruction.
    Any help would be appreciated,
    Thanks!
    Jürgen

  • Trying to set up guest network on cisco 1141N

    I would like to have a separate SSID on my autonomous Aironet 1141 so that guests in my home can connect to my network without me giving out the password. I am not very experienced with Cisco IOS, so if someone could either point me in the right direction or tell me the commands to run that would be awesome. I don't care whether or not the guest network is on a separate VLAN, but I would then have to have the AP act as a DHCP server (which I don't know how to do either). I have a basic TP-Link switch that I would be able to add a trunk to for the access point's port, but that's about it. My current DHCP server is on Windows Server 2008 R2. Any help would be appreciated.
    I would also like to add that this is a home network in the middle of nowhere and I'm not too concerned about unauthorized use. This will only be active during parties and family events.

    It would be best to have multiple VLANs to separate the traffic. Here is a doc on creating multiple SSIDs on an autonomous access point.
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/service-set-identifier-ssid/116118-configure-ap-ssid-ios.html
    http://www.cisco.com/c/en/us/support/docs/interfaces-modules/security-modules-routers-switches/116586-config-ap-00.html
    -Scott

  • Dot1x guest VLAN on 2960G

    Hi,
    I have a 2960 switch configured for dot1x authentication; the problem is the Guest VLAN and Restricted VLAN did not work. The switch port was stuck in authenticating status.
    The server is Juniper IC4500.
    Switch is 2960G, IOS 15.0(1)SE2
    The configuration:
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization exec default local
    aaa authorization network default group radius
    dot1x system-auth-control
    dot1x test timeout 30
    dot1x guest-vlan supplicant
    dot1x critical eapol
    interface FastEthernet0/32
    switchport access vlan 28
    switchport mode access
    authentication event fail action authorize vlan 41
    authentication event server dead action authorize vlan 41
    authentication event server dead action authorize voice
    authentication event no-response action authorize vlan 41
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab
    authentication port-control auto
    authentication timer reauthenticate 300
    authentication violation protect
    mab eap
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x max-req 1
    dot1x max-reauth-req 1
    dot1x max-start 1
    spanning-tree portfast
    Anyone with experience on this, please help.
    Thanks,
    hoanghiep

    Forgot to mention that multi-auth does not support actions on either no-response or fail authentication events. So you need to set host-mode to MDA or single host.
    Ref:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1454875

  • Setting up Guest wireless in ISE

    I am setting up guest wireless in Cisco ISE 1.3. My question is do these guest wireless connections count to the concurrent ISE connections licensing?

    Hi Abhishek,
    Licenses are counted against concurrent, active sessions and hence guest users would be counted. You can also see that in license consumption on ISE.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_0111.html#task_DAB3467E79E84FAEB8F18B775407CB87
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • 802.1.x guest VLAN problem

    Hi,
    I have configured a Guest VLAN on a switch port. When I power on the PC and don't log in, after some time the PC goes to the Guest VLAN but it doesn't acquire an IP address; after some time the port goes to the unauthorized state, then after some time it goes to the Guest VLAN again, and so on.
    I'm using XP SP2 with:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode DWORD Value = 3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode DWORD Value = 0
    Could someone give some help, please.
    Thanks
    BR

    The key here is your AuthMode setting of 0. With this setting, if a connection has already been authenticated with machine-auth, the user's credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is if you have configured AuthMode = 0 AND then turned off machine-authentication.
    As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
    I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
    *machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
    *user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
    *Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
    Hope this helps.

  • RV110W - trying to set up 2 VLANS - are there docs / help for this?

    I am trying to set up an RV110W router with 2 VLANs - 1 for guests to the office to just have internet access via wireless and another for employees to be able to access the LAN and internet wirelessly. I have not done anything with VLANs before, so please bear with me.
    I thought this would be simple, but banging my head against the wall with all the terms in the docs:
    http://www.cisco.com/en/US/docs/routers/csbr/rv110w/administration/guide/rv110w_admin.pdf
    Port 1 is connected to a wired LAN / unmanaged switch with office PCs. So these machines / nothing on this subnet tag the packets before they get to the router. This subnet is using 10.10.1.0/24.
    Port 2 is connected to an Engenius EAP 300, a wireless access point that can broadcast SSIDs and tie each SSID to a different VLAN.
    SSID1 is called Private and is set to be VLAN 1. There's encryption on this SSID - only office staff would be able to log on.
    SSID2 is called public and is set to be VLAN 10.  There's no encryption on this SSID.
    I know - the router also does this, but where the router is vs. where the wireless is needed, we need to have the Engenius at that remote location.
    I have the RV110W set to give out 10.10.1.0/24 IPs when you connect to the SSID1 / VLAN1
    And it gives out 10.10.10.0/24 IPs when you connect to the public SSID / VLAN10.
    Both get on the internet fine. The only issue is how to set the VLAN membership for each port / and any other settings so that the wireless devices on VLAN 1 can get to the LAN devices on port 1 (and the public / VLAN 10 devices on the wireless network do NOT get to the devices on port 1, but I think that's working).
    I played with tagged / untagged / excluded for the port membership, but either the wireless VLAN 1 devices get blocked from even the web (when port 2 is set to untagged, since they ARE tagged VLAN 1) or they can't get to port 1 when set to tagged, since the port 1 devices are all untagged and the reply packets get blocked?
    The doc for this unit talks about inter-VLAN routing but doesn't explain what that is. The wireless isolation should be turned on for VLAN 10, right? We don't want guests to be able to access other guests' machines.
    I saw on page 71 on how to set up the guest network, but that's using the wireless built into the box, not a wireless access point.
    Overall, what I want is:
    VLAN 1: port 2 (with tagged VLAN1 packets) and port 1 (with untagged packets) can pass data between each other and access the internet
    VLAN10: port 2 with tagged VLAN10 packets can only get to the internet.
    Is that doable?
    How?

    Thanks. Still not working.
    For the VLAN membership page, when set like this:
              port 1      port 2
    vlan1     untagged    untagged
    vlan10    excluded    tagged
    connecting to the vlan1 wireless SSID on port 2, I can't even get an IP address from the router (the DHCP request can't even come through port 2 because it's saying vlan1 packets have to be untagged?).
    connecting to the vlan 10 wireless SSID on port 2 gets a DHCP address and can only get to the web, so that's good.
    If I change the membership to:
              port 1      port 2
    vlan1     untagged    tagged
    vlan10    excluded    tagged
    connecting to both SSIDs on port 2 will get you a DHCP address, and vlan1 devices can get into port 1, but trying to admin the wireless access device on port 2, or even pinging it, now fails - 'cause the router gatekeeper says if you want to come through port 2, your packets have to be tagged? and the packets from port 1 to port 2 are untagged?
    If I change the membership to:
              port 1      port 2
    vlan1     tagged      tagged
    vlan10    excluded    tagged
    connecting to both SSIDs on port 2 will get you a DHCP address, but replies from the wired PC on port 1 / vlan1 can't get back out of port 1 'cause the router gatekeeper says if you want to leave through port 1, your packets have to be tagged? and the ping reply is coming from a device with untagged packets? Although the devices on vlan1 / port 1 CAN get on the web with their untagged packets.
    the wireless device says it supports 802.1q
    http://www.engeniustech.com/resources/EAP300_DataSheet_v2.1.pdf
    when they say port 2 / vlan 1 tagged, is it saying packets coming in FROM devices on that port have to be tagged? Or packets going TO devices on that port have to be tagged?  or both directions?
    Any advice?

  • 802.1x Auth-Fail VLAN and Guest-VLan not available

    Hi Pros,
    Having an issue with an 881 I have recently acquired. I'm wanting to set up a Virtual Office scenario. Everything is working fine except for 802.1x...
    I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
    The idea is that if the user takes the router home and someone, either accidentally or on purpose, connects an unauthorized laptop, they stay off the corporate network but can still get to the internet.
    I found this link on Cisco's site:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
    That link shows them configuring a guest VLAN right on the fa0-3 ports of an 881W. I don't have that option on mine. I can only configure 802.1x on the VLAN interface. I have 802.1x working for things that connect to vlan1, but I would like to have a "fallback" setup.
    EZVPN_Remote(config-if)#int fa1
    EZVPN_Remote(config-if)#dot
    EZVPN_Remote(config-if)#dot1?
    dot1q
    EZVPN_Remote(config-if)#dot1
    EZVPN_Remote(config-if)#int vlan1
    EZVPN_Remote(config-if)#dot1x ?
      default           Configure Dot1x with default values for this port
      host-mode         Set the Host mode for 802.1x on this interface
      max-reauth-req    Max No.of Reauthentication Attempts
      max-req           Max No.of Retries
      pae               Set 802.1x interface pae type
      port-control      set the port-control value
      reauthentication  Enable or Disable Reauthentication for this port
      timeout           Various Timeouts
    Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
    EZVPN_Remote#sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Tue 12-Jul-11 21:02 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    EZVPN_Remote uptime is 6 hours, 1 minute
    System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
    System restarted at 14:52:47 UTC Thu Oct 13 2011
    System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
    Processor board ID FTX153482GK
    5 FastEthernet interfaces
    1 Virtual Private Network (VPN) Module
    256K bytes of non-volatile configuration memory.
    126000K bytes of ATA CompactFlash (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO881-SEC-K9       xxxxxxxx
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Thanks in advance!

    Shameless bump...

  • Dot1X guest vlan authentication issue..Real Challenge!!

    Hi Guys!
    I would really appreciate if some one could help me find lead on this issue...
    My corporate and Quarantine users don't get the correct VLAN as soon as I enable the Guest VLAN feature...all of them go to the guest VLAN...
    Scenario 1
    interface GigabitEthernet3/0/42
    switchport mode access
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout tx-period 5
    spanning-tree portfast
    Test Workstation behavior
    802.1X (Corporate) = VLAN 1
    802.1X (Quarantine)= VLAN 20
    Non-802.1X (Guest) = Unauthorized
    Conclusion
    802.1x authentication is working without the guest VLAN feature
    Scenario 2
    interface GigabitEthernet3/0/42
    switchport mode access
    authentication event no-response action authorize vlan 30
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout tx-period 5
    spanning-tree portfast
    Test Workstation behavior
    802.1X (Corporate) = VLAN 30 GuestVlan
    802.1X (Quarantine)= VLAN 30 GuestVlan
    Non-802.1X = VLAN 30 GuestVlan
    Conclusion
    802.1X doesn't work after enabling Guest VLAN feature (no-response)
    Some important notes...
    1) IOS version = c3750-ipbase-mz.122-50.SE.bin, the only IOS which supports 10gig modules...
    so I can not test with any other IOS
    2) We had older 3750 100Mbps switches with the same config (we copied the config from the old switch to the new switch) and the only command which got changed automatically due to the IOS change is....
    dot1x guest-vlan 30 (Old IOS syntax) = authentication event no-response action authorize vlan 30 (New IOS syntax)
    so even if you put the old command syntax it will get changed to the new one...
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1176660
    Guys please help me.........

    Just to update you here.......after running some debugs on the switch I found that....(Scenario-2)
    When we connect 802.1X enabled PCs (corporate users) and boot them...they initially behave like non-802.1X clients while booting, and during that time the switch puts them in the guest VLAN, but when the workstation comes to a state (login prompt) where they start communicating like 802.1X clients.....the switch just fails to put them in the appropriate VLANs.. maybe due to some timeout issues.........I feel like I am very close to getting the solution but just wondering which timers need to change, or maybe I am wrong if there is something else that needs to be put in...........anyway I just shared my findings with you....
    The same workstations are working fine with the old switches without any problem...it is Windows XP SP3

  • Configuring Guest VLAN on AP541N and UC560

    I have an AP541N connected to a UC560. We are currently configured for wireless Voice and Data. We have added a Guest VLAN, but don't see where in CCA to secure the VLAN from accessing the other two default VLANs. Any help would be appreciated.
    Additional Info:
    AP541N-K9-1.7(2)
    UC560  15.0(1)XA2, RELEASE SOFTWARE (fc2)
    CCA 3.0

    https://supportforums.cisco.com/docs/DOC-14855
    We are experiencing the exact same problem in our lab.
    There is no way with CCA that the VLANs can be secured. You have to use the CLI; however, once you choose to use the CLI for configuration, CCA may no longer be used.
    Hope this helps.
    Terry

  • VLAN with Cisco WAP4410N and Cisco SG300-28

    Hi,
    I am trying to configure my WAP4410N with two SSIDs on two different VLANs.
    SSID 1 should be using VLAN ID 1 and SSID 2 should be using VLAN ID 20.
    I have a Cisco SG 300-28 switch which I have configured with two VLANs, ID 1 and 20. ID 20 has ports 20 and 21 assigned to it.
    I also have a firewall with a DMZ port and a DHCP server running on the DMZ port.
    Cabling OK. When I connect a PC to port 21 on the switch and my DMZ port on the firewall to port 20, everything works fine - I get an IP from the firewall and I can access the internet from the PC with a DMZ address.
    Wireless problem. When I connect to SSID 1 on the AP I get an IP from my server on the LAN, which is correct, but when I connect to SSID 2 I get nothing. It seems like the DHCP from the firewall does not travel through the AP. Although the fact that I'm not getting any address from my LAN server probably means that I am on the VLAN in some way.
    Anyone has any idea?
    Regards
    Mikael

    Hi David,
    Thanks for your answer.
    I have tried to set up the wireless card with a static IP - it does not work. I can not ping anything except myself.
    It seems to me that I am on VLAN 20 when I connect to SSID 2, but I am not able to find VLAN 20 in the switch. It is just as if the AP is not attached to any network.
    I will look at the DHCP relay options on the switch and try that.
    Regards
    Mikael

  • Problems setting up MPLS

    A Chairde,
    Am having problems setting up MPLS between an AS5350 and a 7609. I have used the commands stated in this link, enable MPLS incrementally on a network.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/switch_c/xcprt4/xcdtagc.pdf
    The commands below are added to each router, and some troubleshooting.
    7609
    ip cef distributed
    interface Loopback0
    ip address 192.168.254.1 255.255.255.255
    tag-switching advertise-tags
    interface GigabitEthernet3/12
    ip address 192.168.230.162 255.255.255.248
    mpls label protocol tdp
    tag-switching ip
    AS5350
    ip cef
    mpls label protocol tdp
    tag-switching advertise-tags
    interface Loopback0
    ip address 192.168.254.2 255.255.255.255
    interface FastEthernet0/0
    ip address 192.168.230.161 255.255.255.248
    duplex auto
    speed auto
    mpls ip
    h323-gateway voip interface
    h323-gateway voip id cnibhco111 ipaddr 192.168.230.129 1719
    h323-gateway voip h323-id cnibhco112
    h323-gateway voip tech-prefix 71401
    h323-gateway voip tech-prefix 0030
    h323-gateway voip bind srcaddr 192.168.230.161
    ip rsvp bandwidth 64 64
    cnibhco112#sh tag-switching tdp neighbor
    Peer TDP Ident: 192.168.254.1:0; Local TDP Ident 192.168.230.161:0
    TCP connection: 192.168.254.1.49842 - 192.168.230.161.711
    State: Oper; PIEs sent/rcvd: 18/23; Downstream
    Up time: 00:12:54
    TDP discovery sources:
    FastEthernet0/0, Src IP addr: 192.168.230.162
    Addresses bound to peer TDP Ident:
    cnibhco112#
    cnibhco112#sh tag-switching forwarding-table 192.168.254.1 detail
    Local Outgoing Prefix Bytes tag Outgoing Next Hop
    tag tag or VC or Tunnel Id switched interface
    cnibhco112#traceroute 192.168.254.1
    Type escape sequence to abort.
    Tracing the route to 192.168.254.1
    1 192.168.230.162 0 msec 0 msec *
    cnibhco112#traceroute 192.168.230.162
    Type escape sequence to abort.
    Tracing the route to 192.168.230.162
    1 192.168.230.162 0 msec 0 msec *
    cnibhco112#

    Ro,
    Thanks for the response, have been playing with MPLS for the last few hours.
    The routing between the loopbacks is now working, can PING 7609 Loopback from AS5350 ,and vice versa. (used static routes).
    Having problem with TDP / LDP on routers,
    mpls label protocol ldp / tdp command works correctly on both routers, but the
    tag-switching tdp router-id Loopback0 force
    command works on the 7609, but when I add it onto the AS5350 , the command "mpls ldp router-id Loopback0 force" appears on the startup script.
    The opposite is true for the 7609 , you add MPLS LDP command, and TAG-SWITCHING command appears instead.
    Any ideas, as different configs of this leave me with a forwarding table with both tags added, but not being able to ping the loopbacks !!!
    When I can ping both loopbacks, the OUTGOING TAG disappears.....
    Problem is the LOOPBACK commands on both routers default to LDP (AS5350), or TDP (7609). Any ideas ...
    mpls label protocol tdp
    tag-switching tdp router-id Loopback0 force
    mpls label protocol tdp
    mpls ldp router-id Loopback0 force
    cnibhco100#sh tag-switching forwarding-table 192.168.254.2 detail
    Local Outgoing Prefix Bytes tag Outgoing Next Ho
    tag tag or VC or Tunnel Id switched interface
    18 17 192.168.254.0/24 0 Gi3/12 192.168.2
    MAC/Encaps=14/18, MRU=1500, Tag Stack{17}
    00097CA3293000127FCDBA808847 00011000
    No output feature configured
    Per-packet load-sharing
    cnibhco100#traceroute 192.168.254.2
    Type escape sequence to abort.
    Tracing the route to 192.168.254.2
    1 192.168.230.161 [MPLS: Label 17 Exp 0] 0 msec 0 msec 0 msec
    2 192.168.230.162 0 msec 0 msec 0 msec
    But no PINGING 192.168.254.2
    cnibhco112#sh tag-switching forwarding-table 192.168.254.1 detail
    Local Outgoing Prefix Bytes tag Outgoing Next Hop
    tag tag or VC or Tunnel Id switched interface
    17 18 192.168.254.0/24 1915668 Fa0/0 192.168.230.162
    MAC/Encaps=14/18, MRU=1500, Tag Stack{18}
    00127FCDBA8000097CA329308847 00012000
    No output feature configured
    Per-packet load-sharing
    cnibhco100#sh tag-switching forwarding-table 192.168.254.2 detail
    Local Outgoing Prefix Bytes tag Outgoing Next Ho
    tag tag or VC or Tunnel Id switched interface
    18 17 192.168.254.0/24 752551 Gi3/12 192.168.2
    MAC/Encaps=14/18, MRU=1500, Tag Stack{17}
    00097CA3293000127FCDBA808847 00011000
    No output feature configured
    Per-packet load-sharing
    WHEN BOTH LOCAL AND OUTGOING TAG, CANNOT PING EITHER WAY !!!
    HAVE LABEL PROTOCOL AND LOOPBACK FORCE on AS5350
    HAVE LABEL PROTOCOL ON 7609
    WHEN ADD LOOPBACK FORCE on 7609 , CAN PING BOTH LOOPBACKS,
    BUT OUTGOING TAG DISAPPEARS
    cnibhco112#PING 192.168.254.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.254.2, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    cnibhco112#sh tag-switching forwarding-table 192.168.254.1 detail
    Local Outgoing Prefix Bytes tag Outgoing Next Hop
    tag tag or VC or Tunnel Id switched interface
    17 Untagged 192.168.254.0/24 598678 Fa0/0 192.168.230.162
    MAC/Encaps=0/0, MRU=1504, Tag Stack{}
    No output feature configured
    Per-packet load-sharing
    cnibhco112#
    mpls label protocol tdp
    tag-switching tdp router-id Loopback0 force

  • How to set up a VLAN for a School Network for student ipads/ipods?

    I work at a small private school that is going to implement about 20 iPads for classes. Students bring their iPods and iPhones and are connecting to the existing unsecured wireless access points and are taking up the remaining IP addresses in the DHCP scope. I am running out of IP addresses and was wondering if I could set up a VLAN using the Cisco WRVS4400N for all of these wireless devices the students will be using. I plan to pull out all unsecured wireless APs and replace them with whatever solution we come up with. I will need about 6 access points/routers to cover the entire school. There is not a lot of money for technology and the iPods were donated. I have never set up a VLAN before. Is there an inexpensive way to allow the students with their personal iPads/iPods and the 20 iPads owned by the school to connect to a VLAN to keep from using up our DHCP IP addresses from the server. Thanks in advance.

    Hi pctiger92!
    The WRVS4400N is now being handled by the Cisco Small Business Support Community.
    For discussions about this product, please go here.
