Requirement for Native VLAN on Flexconnect Access Point

Hi All,
Just looking at AP configuration using 5508 WLC.
We have APs deployed at all branch sites connected over a corporate L3 WAN to a Data Centre which houses the WLC(s)
When setting the AP for Flexconnect mode there is a requirement that one native VLAN must be configured for each FlexConnect AP. If the AP is attached to a L2 switch and I want to enable multiple VLAN Mappings then I would need to add these VLANs to the allowed VLAN list on a trunk link between the AP and the switch (802.1Q) on the branch site.
Normally if I configured a trunk link I would never add the Native VLAN to the trunk and never use it for any traffic. In this case it would appear that I MUST use the native VLAN (which seems to go against my better judgement). So my question (after all this) is: Why must the AP use the Native VLAN?
Thanks All.

This has always been a standard practice for access points that have to connect to a trunk port. This goes back to the autonomous access points and also with FlexConnect and Mesh if you're setting up Ethernet bridging. The wired side is different from the wireless side, as you have noticed.
Please rate helpful post and Cisco Support Community will donate to Kiva
Scotty

Similar Messages

  • Configuring ssid and vlans on autonomous access point ?

    Here is a demonstration of how to configure VLANs and SSIDs on an auto-AP. What I don't understand is: when I configure the SSID under (interface dot11radio0) and the VLAN under that command, why do I need to configure sub-interfaces for the "fastethernet" and the "dot11radio0" if I already configured it under the "interface dot11radio0"? Why do I need the "encapsulation dotq x"? And what is bridge-group?

    If you want to use multiple SSIDs with multiple VLANs, then you have to configure subinterfaces on the radio interfaces (on both Radio 0 & Radio 1 if you want to use both the 2.4GHz & 5GHz bands) & the Ethernet interfaces.
    The AP simply bridges wireless traffic to the wired interface using these sub-interfaces. To specify which radio sub-interface's traffic maps to which Ethernet sub-interface, a Bridge-Group number (1-255) is used.
    Bridge-Group 1 is always used for native VLAN traffic & is usually used for AP management.
    HTH
    Rasika
    **** Pls rate all useful responses ****
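
Added example (not part of the original thread, and not Cisco's code): a small Python check of the rule described in the reply above, that a VLAN's radio and Ethernet subinterfaces must share one bridge-group and that bridge-group 1 goes with the native VLAN. The sample config and the `parse`/`audit` function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): two SSIDs, VLAN 60 native.
# Two deliberate defects: FastEthernet0.70 uses bridge-group 71, and
# VLAN 80 has no FastEthernet subinterface at all.
SAMPLE_CONFIG = """\
dot11 ssid Corp
 vlan 80
dot11 ssid Guest
 vlan 70
!
interface Dot11Radio0
 ssid Corp
 ssid Guest
!
interface Dot11Radio0.60
 encapsulation dot1Q 60 native
 bridge-group 1
!
interface Dot11Radio0.70
 encapsulation dot1Q 70
 bridge-group 70
!
interface Dot11Radio0.80
 encapsulation dot1Q 80
 bridge-group 80
!
interface FastEthernet0.60
 encapsulation dot1Q 60 native
 bridge-group 1
!
interface FastEthernet0.70
 encapsulation dot1Q 70
 bridge-group 71
!
interface BVI1
 ip address dhcp
"""


def parse(config):
    """Return ({ssid: vlan}, {subinterface: {vlan, native, group}}).

    Keyword-driven, so it also accepts configs whose indentation was lost."""
    ssids, subifs, section = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            section = None
        elif m := re.match(r"dot11 ssid (.+)$", line):
            section = ("ssid", m.group(1))
        elif m := re.match(r"interface (\S+)$", line):
            section = ("if", m.group(1))
            if "." in m.group(1):  # only subinterfaces carry a VLAN tag
                subifs[m.group(1)] = {"vlan": None, "native": False, "group": None}
        elif section and section[0] == "ssid":
            if m := re.match(r"vlan (\d+)$", line):
                ssids[section[1]] = int(m.group(1))
        elif section and section[1] in subifs:
            sub = subifs[section[1]]
            if m := re.match(r"encapsulation dot1q (\d+)( native)?$", line, re.I):
                sub["vlan"], sub["native"] = int(m.group(1)), bool(m.group(2))
            elif m := re.match(r"bridge-group (\d+)$", line):
                sub["group"] = int(m.group(1))
    return ssids, subifs


def audit(config):
    """Return a sorted list of findings; an empty list means consistent."""
    ssids, subifs = parse(config)
    findings, by_vlan = [], defaultdict(list)
    for name, sub in subifs.items():
        if sub["vlan"] is None or sub["group"] is None:
            findings.append(f"{name}: no encapsulation dot1Q or no bridge-group")
        else:
            by_vlan[sub["vlan"]].append((name, sub))
    native = sorted(v for v, members in by_vlan.items()
                    if any(s["native"] for _, s in members))
    if len(native) != 1:
        findings.append(f"expected exactly one native VLAN, found {native}")
    for vlan, members in by_vlan.items():
        groups = sorted({s["group"] for _, s in members})
        if len(groups) > 1:  # radio and wired side would not be bridged
            findings.append(f"VLAN {vlan}: bridge-group differs between "
                            f"subinterfaces {groups}")
        if len({s["native"] for _, s in members}) > 1:
            findings.append(f"VLAN {vlan}: native on some subinterfaces only")
        for name, s in members:
            if s["native"] != (s["group"] == 1):
                findings.append(f"{name}: bridge-group 1 and the native "
                                f"VLAN must go together")
    for ssid, vlan in ssids.items():
        names = [n for n, _ in by_vlan.get(vlan, [])]
        if not any(n.startswith("Dot11Radio") for n in names):
            findings.append(f"SSID {ssid!r}: no radio subinterface for VLAN {vlan}")
        if not any(not n.startswith("Dot11Radio") for n in names):
            findings.append(f"SSID {ssid!r}: no wired subinterface for VLAN {vlan}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```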

  • FlexConnect Access Point - Wired 802.1X or MAB Authentication

    Hi all,
    We are piloting wired 802.1X but have hit a snag - FlexConnect AP switchport configuration requires the port be configured as trunk, with the native VLAN for management and access VLAN(s) for client data.
    I know 802.1X cannot be configured on trunk port, but how can we configure MAB on trunk ports such as these?
    Otherwise, is there another way we can authenticate these FlexConnect APs on a switch using ISE?
    Thanks in advance.
    Regards,
    Stephen.

    Hi Stephen. You are correct, 802.1x should not be configured on a trunk port. Moreover, you would run into an issue with clients if you are running local switching mode. Here is the flow:
    1. The AP authenticates via MAB and profiling.
    2. The client authenticates via PEAP/EAP-TLS, etc.
    3. Now the client's traffic is locally switched, thus the client MAC address shows up on the same port where the AP is connected. The NAD (switch) sees this new MAC address and expects it to perform 802.1X or MAB based authentication. The supplicant, however, does not know that, and as far as it is concerned it was already authenticated.
    I have run into this issue in my deployments, and you have the following options (listed in preference order):
    1. Eliminate FlexConnect :)
    2. Utilize AutoSmartPorts where:
    - If an AP is connected, then 802.1x configuration is removed, port-security is enabled and locked to a single MAC address and trunk configuration is enabled
    - If the AP is removed, then port is configured as standard access port, port-security is removed and 802.1x is configured
    More info on auto smart ports:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/15-0_1_se/configuration/guide/asp_cg.html
    3. You can configure the port in a "multi-host" mode where after the first device is authenticated all subsequent devices are allowed on the network.
    Hope this helps!
    Thank you for rating helpful posts!
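
Added example (not part of the original thread): a simplified Python model of the flow described in the reply above, showing what a switch port does when locally switched client MACs appear behind an already-authenticated AP under three host modes. The MAC addresses, the class, and the reduction of the policy server to a MAB allow-list are assumptions; a single-host violation is modelled as shutting the port.

```python
from dataclasses import dataclass, field

# Constructed addresses from the documentation MAC range.
AP_MAC = "00:00:5e:00:53:01"
CLIENT_MACS = ["00:00:5e:00:53:a1", "00:00:5e:00:53:a2"]


@dataclass
class SwitchPort:
    host_mode: str                 # "single-host", "multi-host" or "multi-auth"
    mab_allowed: frozenset         # MACs the policy server accepts via MAB
    # MACs that would answer the switch's 802.1X request on the wire.
    # Wireless clients behind the AP are not in this set: they already
    # authenticated to the WLAN and never see the switch's request.
    wired_supplicants: frozenset = frozenset()
    authorized: set = field(default_factory=set)
    err_disabled: bool = False

    def frame_from(self, mac):
        """Return what the port does with a frame whose source is `mac`."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if mac in self.authorized:
            return "forwarded"
        if self.authorized and self.host_mode == "single-host":
            # Assumption: the violation action is to shut the port.
            self.err_disabled = True
            return "violation: second MAC on single-host port"
        if self.authorized and self.host_mode == "multi-host":
            # Later MACs ride on the first host's session, unauthenticated.
            return "forwarded without authentication"
        if mac in self.wired_supplicants or mac in self.mab_allowed:
            self.authorized.add(mac)
            return "authorized"
        return "blocked: no 802.1X reply and MAB rejected"


def run(host_mode):
    """AP joins first, two locally switched clients follow, then the AP again."""
    port = SwitchPort(host_mode, mab_allowed=frozenset({AP_MAC}))
    sequence = [AP_MAC, *CLIENT_MACS, AP_MAC]
    return [(mac, port.frame_from(mac)) for mac in sequence]


if __name__ == "__main__":
    for mode in ("single-host", "multi-auth", "multi-host"):
        print(mode)
        for mac, result in run(mode):
            print(f"  {mac}  {result}")
```

In this model multi-auth strands the wireless clients, single-host takes the AP down with them, and multi-host passes every MAC behind the AP once the AP itself is authorized, which is the trade-off behind option 3.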

  • Need some advice for AP IOS upgrade (Wireless Access Point 3702 Series) ?

    Hi to all
    I recently purchased a Wireless Access Point (AIRCAP 3702E-E) with 4 antennas; I will use this device as a Wi-Fi hotspot in my home.
    I would like to upgrade it, but I see two kinds of AP IOS:
    Lightweight AP IOS Software
    Autonomous AP IOS
    What is the difference?
    If Lightweight AP IOS Software is the one to choose, I have multiple IOS images:
    Wireless Lan, ap3g2-k9w8-tar.152-4.JB4.tar
    Wireless Lan Recovery, ap3g2-rcvk9w8-tar.152-4.JB4.tar
    Can someone tell me what the difference is between these two versions?
    Best Regards.
    Elrick.

    Hi Elrick,
    The Cisco AP AIRCAP3702E is a Cisco enterprise unit. Cisco Small Business supports the WAP4410N, WAP121, WAP321, WAP551, and WAP561 APs. However, I will answer your questions.
    Lightweight AP IOS: you can use it ONLY if you connect the AP to a wireless controller.
    Autonomous AP IOS: for managing and modifying the AP by itself; a wireless controller is not required.
    Thanks,
    Moh

  • Image Recovery for Cisco Aironet 1300 Outdoor Access Point

    We purchased two 1300 APs for outside. There is a new release for the image that we wanted to use so we have the latest security updates. We downloaded, logged onto the access point just fine, but the image never took. After four hours with a direct connection, it was still going, and this morning we came in and it just keeps rebooting. Our network guy states it looks like a corrupt image. We can barely do anything, and since there is no "mode" button like the earlier models, I have not found anything on web sites or forums to help us reload a good image to the access point. I would appreciate any insight someone has and/or where to look for this. I logged on and downloaded about every manual on the 1300 I could find, but have not found a good way to fix this. Not even the upgrade tool will connect since it just keeps rebooting.

    Hi Bruce,
    Because (as you correctly noted) the 1300 does not have a mode button you could try this method;
    Complete the steps in this section in order to reset Cisco IOS Software-based bridges:
    If the privileged command prompt ap# is available in the CLI, the write erase command and the reload command erase the startup configuration and reset the unit.
    If the GUI is available, choose System Software > System Configuration. Press the Reset to Defaults button.
    Aironet 1300 Series Bridges do not have a MODE button to reset the AP to factory defaults. So, if neither the GUI or CLI is available with sufficient privileges, complete these steps to delete the current configuration and return the entire bridge settings to the factory defaults using the CLI.
    Open the CLI with a Telnet session or a connection to the bridge console port.
    Reboot the bridge by removing and reapplying power.
    Allow the bridge to boot until the command prompt appears and the bridge begins to inflate the image.
    Press ESC when you see lines that are similar to these on the CLI:
    Loading "flash:/c1310-k9kw-7mx.v122_15_ja.200040314-k9w7-mx.v122_15_ja.20040314"
    ...#############################################################################
    Note: In order to access the boot loader, you must press ESC twice. But this action depends on the terminal-emulation software that you use.
    Messages that are similar to these appear:
    Error loading "flash:/c1310-k9kw-7mx.v122_15_ja.200040314-k9w7-mx.v122_15_ja.20040314"
    Interrupt within 5 seconds to abort boot process.
    Boot process terminated.
    The system is unable to boot automatically. The BOOT environment variable needs to
    be set to a bootable image.
    C1310 Boot Loader (C1310-BOOT-M), Version 12.2 [BLD-v122_15-ja_throttle.20040314 100]
    bridge:
    At the bridge: prompt, issue the dir flash: command in order to view a directory of the Flash file system.
    The directory is similar to this directory:
    bridge: dir flash:
    Directory of flash:/
    2 -rwx 0 env_vars
    5 drwx 384 C1310-k9w7-mx.v133_15_JA.20040314
    3 -rwx 1128 config.txt
    4 -rwx 5 private-config
    3693568 bytes available (4047872 bytes used)
    bridge:
    Delete or rename the files config.txt and env_vars, and reboot the bridge.
    Note: Do not forget the / character before the filenames.
    bridge: delete flash:config.txt
    Are you sure you want to delete flash:/config.txt (y/n)?y
    File "flash:/config.txt" deleted
    bridge: delete flash:/env_vars
    Are you sure you want to delete "flash:/env_vars" (y/n)?y
    File "flash:/env_vars" deleted
    Issue the boot command in order to reboot the bridge at the bridge: prompt, or simply power cycle the bridge.
    After the bridge reboots, reconfigure the bridge with the web browser interface, the Telnet interface, or Cisco IOS Software commands.
    Note: The bridge is configured with the factory default values that include:
    The IP address, which is set to receive an IP address with DHCP. If you do not have a DHCP server, you can access the bridge using the default IP address of 10.0.0.1 using HTTP/HTTPS or Telnet. Once you gain access to the bridge via Telnet or GUI, you can modify the IP address of the bridge.
    Note: This default IP address of 10.0.0.1 becomes available only for a short period. So, make sure that you assign your own IP address to the bridge within that period of time.
    The default username and password, "Cisco".
    From this doc;
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_password_recovery09186a00800949d0.shtml#ca_1310_ser
    One other thing, be careful with the new IOS that you aren't loading a LWAPP Recovery Image. (it almost sounds like what may have happened)
    Hope this helps!
    Rob

  • PoE for Cisco 1242AG and 1310G Access Points

    Dear All,
    We purchased a Cisco 1242AG and a 1310G Access Point, and in the data sheet it was specified that these APs support Power-over-Ethernet. The problem is we don't see any RJ-45 port on either AP which could be used for connecting the AP to a PoE switch. Can you please tell us how we can connect these APs to an 802.11af compatible PowerBridge (by Intermec)? Thanks.

    Hi Thorsten,
    The 1242 should be good to go but the 1310 is powered quite differently. Have a look;
    AP 1240 Series - Hardware (see diagram)
    http://www.cisco.com/en/US/products/ps6521/products_installation_guide_chapter09186a008079b7f4.html#wp1071972
    Connecting the Ethernet and Power Cables
    http://www.cisco.com/en/US/products/ps6521/products_installation_guide_chapter09186a008079b7f4.html#wp1052781
    1300 Series Power
    Power
    The access point/bridge receives inline power from the Cisco Aironet Power Injector (hereafter called the power injector). Dual-coax cables are used to provide Ethernet data and power from the power injector to the access point/bridge. The power injector is an external unit designed for operation in a sheltered environment, such as inside a building or vehicle. The power injector also functions as an Ethernet repeater by connecting to a Category 5 LAN backbone and using the dual-coax cable interface to the access point/bridge.
    The power injector is available in two models:
    Cisco Aironet Power Injector LR2 standard version (included with the access point/bridge)
    48-VDC input power
    Uses the 48-VDC power module (included with the access point/bridge)
    Cisco Aironet Power Injector LR2T optional transportation version
    12- to 40-VDC input power
    Note The power injector and the power module must not be placed in an outdoor unprotected environment. The power module must not be placed in a building's environmental air space, such as above a suspended ceiling.
    http://www.cisco.com/en/US/products/ps5861/products_installation_guide_chapter09186a008079b93b.html#wp1051840
    Dual coaxial cable to run from the power injector to the 1300. See attached notes:
    Cisco Aironet 1300 Series
    Cisco Aironet 1300 Series Access Point/Bridge Power Injector
    The Cisco Aironet 1300 Series Outdoor Access Point/Bridge Power Injector converts the standard 10/100 BaseT Ethernet interface that is suitable for weather protected areas to a dual F-Type connector interface for coax cables that are more suitable for harsh outdoor environments. The Power Injector also provides power to the outdoor unit over the same cables with a power discover feature and surge protection. To support longer cable runs from your wireless network switch or router, the Power Injector LR is designed to accommodate up to a 100 meter coaxial cable run plus 100 meters of indoor cat5 cable, enabling total cable runs up to 200 meters. The Cisco Aironet 1300 Series Outdoor Access Point/Bridge ships with the Power Injector LR2 and an AC power supply.
    From this link:
    http://www.cisco.com/en/US/products/ps5861/products_data_sheet09186a008022551d.html
    Cisco Aironet 1300 Series Outdoor Access Point/Bridge Hardware Installation Guide
    Ethernet Ports
    The access point/bridge dual-coax Ethernet ports consists of a pair of 75-ohm F-type connectors, linking the unit to your 100BASE-T Ethernet LAN through the power injector. The dual-coax cables are used to send and receive Ethernet data and to supply inline 48-VDC power from the power injector to the access point/bridge.
    From this link:
    http://www.cisco.com/en/US/products/ps5861/products_installation_guide_book09186a00804d3095.html
    AIR-PWRINJ-BLR2
    F-Type Connectors
    Dual coaxial cable carries full-duplex Ethernet, DC power, and full-duplex console port (RS-232 connection)
    From this link:
    http://www.cisco.com/en/US/products/ps5861/products_data_sheet09186a00802252e1.html
    Hope this helps!
    Rob

  • Bandwidth required for a concurrent user to access R12

    Please tell me the bandwidth required by a client to access EBS R12 concurrently over LAN, WAN, internet and using a dial-up connection.

    Somewhere I read that,
    Self-Service users - 4 Kbps/Per user
    Forms users - Max of 12 Kbps/Per User
    Reference:
    1. Comparing Bandwidth Requirements between Release 11i and 12
    http://blogs.oracle.com/schan/discuss/msgReader$1637
    Don't forget to read Comments for the above post.
    2. http://www.oracle.com/apps_benchmark/index.html

  • 1242AG Wireless Access Point - Cannot Get DHCP IP for BVI1 interface - Multiple SSIDs...

    Hello,
    I am attempting to set up three Cisco 1242AG Wireless Access Points with multiple SSID's. I used the web interface and directions online to set up the two networks I want and at least one of the networks work wirelessly.
    However, I have two problems:
    The first, which is the most important, is that the "management" interface, BVI1, doesn't get an IP address from our DHCP server. I set VLAN 60 (which you'll see in the documentation below) to be the native VLAN on the device as well as on the switch that the device is connected to, as well as other settings in the configuration file below. Because of this, I can only manage the device via the console port, which would be a huge pain once all of the devices are mounted.
    The second problem is that I am not sure how to get both wireless networks broadcasting their SSIDs. I have to manually type in the SSID for the second wireless network I have, which I would prefer not to have to do. Any way I can enable broadcasting on all of the SSIDs?
    Thank you for your time.
    Regards,
    Christopher Koeber
    Using 7916 out of 32768 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP-18.wesleysem.edu
    enable secret {Number Here} {Encrypted Password Here}
    enable password {Number Here} {Encrypted Password Here}
    aaa new-model
    aaa session-id common
    dot11 syslog
    dot11 vlan-name Kresge vlan 20
    dot11 vlan-name Library vlan 30
    dot11 vlan-name Public vlan 60
    dot11 vlan-name Secure_Public vlan 70
    dot11 vlan-name Secure_Seminary vlan 80
    dot11 vlan-name Server_Room vlan 1
    dot11 vlan-name Straughn vlan 40
    dot11 vlan-name Trott vlan 10
    dot11 vlan-name Web_Room vlan 50
    dot11 ssid (Secure) Wesley Campus
    vlan 80
    authentication open
    authentication key-management wpa version 2
    wpa-psk ascii {Number Here} {WPA Key Here}
    dot11 ssid Public
    vlan 60
    authentication open
    mobility network-id 60
    username Cisco password {Number Here} {Encrypted Password Here}
    username admin privilege 15 secret {Number Here} {Encrypted Password Here}
    !
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 80 mode ciphers aes-ccm
    ssid (Secure) Campus
    ssid Public
    mbssid
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 1
    no ip route-cache
    bridge-group 254
    bridge-group 254 block-unknown-source
    no bridge-group 254 source-learning
    no bridge-group 254 unicast-flooding
    bridge-group 254 spanning-disabled
    interface Dot11Radio0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio0.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    bridge-group 30 subscriber-loop-control
    bridge-group 30 block-unknown-source
    no bridge-group 30 source-learning
    no bridge-group 30 unicast-flooding
    bridge-group 30 spanning-disabled
    interface Dot11Radio0.40
    encapsulation dot1Q 40
    no ip route-cache
    bridge-group 40
    bridge-group 40 subscriber-loop-control
    bridge-group 40 block-unknown-source
    no bridge-group 40 source-learning
    no bridge-group 40 unicast-flooding
    bridge-group 40 spanning-disabled
    interface Dot11Radio0.50
    encapsulation dot1Q 50
    no ip route-cache
    bridge-group 50
    bridge-group 50 subscriber-loop-control
    bridge-group 50 block-unknown-source
    no bridge-group 50 source-learning
    no bridge-group 50 unicast-flooding
    bridge-group 50 spanning-disabled
    interface Dot11Radio0.60
    encapsulation dot1Q 60 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.70
    encapsulation dot1Q 70
    no ip route-cache
    bridge-group 70
    bridge-group 70 subscriber-loop-control
    bridge-group 70 block-unknown-source
    no bridge-group 70 source-learning
    no bridge-group 70 unicast-flooding
    bridge-group 70 spanning-disabled
    interface Dot11Radio0.80
    encapsulation dot1Q 80
    no ip route-cache
    bridge-group 80
    bridge-group 80 subscriber-loop-control
    bridge-group 80 block-unknown-source
    no bridge-group 80 source-learning
    no bridge-group 80 unicast-flooding
    bridge-group 80 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    encryption vlan 80 mode ciphers aes-ccm
    dfs band 3 block
    channel dfs
    station-role root
    interface Dot11Radio1.1
    encapsulation dot1Q 1
    no ip route-cache
    bridge-group 254
    bridge-group 254 block-unknown-source
    no bridge-group 254 source-learning
    no bridge-group 254 unicast-flooding
    bridge-group 254 spanning-disabled
    interface Dot11Radio1.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio1.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio1.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    bridge-group 30 subscriber-loop-control
    bridge-group 30 block-unknown-source
    no bridge-group 30 source-learning
    no bridge-group 30 unicast-flooding
    bridge-group 30 spanning-disabled
    interface Dot11Radio1.40
    encapsulation dot1Q 40
    no ip route-cache
    bridge-group 40
    bridge-group 40 subscriber-loop-control
    bridge-group 40 block-unknown-source
    no bridge-group 40 source-learning
    no bridge-group 40 unicast-flooding
    bridge-group 40 spanning-disabled
    interface Dot11Radio1.50
    encapsulation dot1Q 50
    no ip route-cache
    bridge-group 50
    bridge-group 50 subscriber-loop-control
    bridge-group 50 block-unknown-source
    no bridge-group 50 source-learning
    no bridge-group 50 unicast-flooding
    bridge-group 50 spanning-disabled
    interface Dot11Radio1.60
    encapsulation dot1Q 60 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1.70
    encapsulation dot1Q 70
    no ip route-cache
    bridge-group 70
    bridge-group 70 subscriber-loop-control
    bridge-group 70 block-unknown-source
    no bridge-group 70 source-learning
    no bridge-group 70 unicast-flooding
    bridge-group 70 spanning-disabled
    interface Dot11Radio1.80
    encapsulation dot1Q 80
    no ip route-cache
    bridge-group 80
    bridge-group 80 subscriber-loop-control
    bridge-group 80 block-unknown-source
    no bridge-group 80 source-learning
    no bridge-group 80 unicast-flooding
    bridge-group 80 spanning-disabled
    interface FastEthernet0
    ip dhcp client update dns
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    interface FastEthernet0.1
    encapsulation dot1Q 1
    no ip route-cache
    bridge-group 254
    no bridge-group 254 source-learning
    bridge-group 254 spanning-disabled
    interface FastEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    interface FastEthernet0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface FastEthernet0.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    no bridge-group 30 source-learning
    bridge-group 30 spanning-disabled
    interface FastEthernet0.40
    encapsulation dot1Q 40
    no ip route-cache
    bridge-group 40
    no bridge-group 40 source-learning
    bridge-group 40 spanning-disabled
    interface FastEthernet0.50
    encapsulation dot1Q 50
    no ip route-cache
    bridge-group 50
    no bridge-group 50 source-learning
    bridge-group 50 spanning-disabled
    interface FastEthernet0.60
    encapsulation dot1Q 60 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.70
    encapsulation dot1Q 70
    no ip route-cache
    bridge-group 70
    no bridge-group 70 source-learning
    bridge-group 70 spanning-disabled
    interface FastEthernet0.80
    encapsulation dot1Q 80
    no ip route-cache
    bridge-group 80
    no bridge-group 80 source-learning
    bridge-group 80 spanning-disabled
    interface BVI1
    ip address dhcp client-id FastEthernet0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    end

    I am using a third party DHCP server which is our Windows Domain Controller. I have the ip helper-address set for the native vlan of the Access Point through a layer 3 distribution switch (a Catalyst 4506) that the current switch connects to.
    I didn't see any event on the logs for the AP.
    Let me know if I need to do something else.
    Thanks.

  • 1240AG Access Point/Native VLAN/VLAN Problem

    Need to set up several SSIDs with different encryption levels. The access point connects to a plain D-Link switch; I am not able to define a trunk on the switch, which is causing problems when only one of the SSIDs is set for the native VLAN (the DHCP server cannot be contacted with the other SSIDs).
    Any way to get around this problem?

    Nope.... you need to be able to define the VLANs on the switch. You need a switch where you can configure a dot1q trunk and then you can make this work. Right now, you can only have one.

  • Access point VLANS and IP Addresses for RADIUS servers

    Hi, I would like to have my IAS RADIUS server authenticate clients. I have done that, so my question is about routing and VLANs and incorporating this into my existing network.
    What VLAN does the access point communicate to the RADIUS server on? I need to tell the access point to communicate on VLAN 1; any other VLAN will not go to the RADIUS server. The access point only has one settable IP address through the HTTP config. Is this for management or communication with the RADIUS server?
    Thanks in advance,
    Chris

    Hello,
    Would you mind sharing how you configured both the AP and IAS to work together? I'm not finding anything in the Cisco documentation that shows how to do that and I need to use my IAS server to authenticate clients who connect to the inside SSID on my AP.
    By the way, I have successfully configured an AP with two SSIDs - one for guests that connects those clients to the guest VLAN (a DMZ on my PIX), and one for trusted users that connects them to the VLAN for my inside, secure network. If you haven't got that working, I'd be glad to help.

  • Access point single VLAN

    Hi all
    I would like to ask about VLAN configuration on the Aironet 1242 access point.
    Is it mandatory to connect it to a trunk port on the switch? I will use only one VLAN through one SSID, except for the native VLAN.
    I'm going to connect it to an access port on the switch, which is a member of VLAN 63, and through the web menu attach VLAN 63 to the SSID.
    Are there any mandatory settings which can unfavorably influence the network?
    Thanks in Advance
    edit : \\ Nobody ?       

    Hi Scott,
    Correct me if I'm wrong here. What you are saying is that even if we don't configure a VLAN under the SSID but have the switch port in VLAN 63, by default the wireless client will be placed in VLAN 63... Is that right?
    For example i have a AP configured as below.
    dot11 ssid 8008
       authentication open
    Since there is no vlan associated with this SSID 8008 my understanding was that this will be placed on vlan 1. Now this is connected to a switch port which has configuration as below.
    int fas 1/0
    switchport mode access
    switchport access vlan 63
    So the question is in this case do we not have a VLAN mismatch (AP on vlan 1 and Switch port on vlan 63) here?
    Regards

  • Which access point is better for hospital environments?

    Folks,
    I have a customer in a hospital who requires wireless deployed everywhere. The fact is, the customer is budget conscious, so I designed it in such a way as to place APs in corridors so that wireless coverage could get inside the rooms, but the doors are fire-proof, which blocks RF.
    What are the best practices in deploying APs in a hospital, e.g. is it safe to install APs next to the Medical Imaging Room or other devices which may cause interference?
    Which model is suitable for this sort of installation?
    Thanks,
    SID

    Hi SID,
    Please consider in your budget for a Wireless LAN Site Survey. WLAN Site Survey will allow you to better understand WHERE to deploy your AP's and HOW MANY AP's to deploy. When deploying an AP, also bear in mind for AP failures. You can address this issues with either keeping "spare" stocks or putting additional AP's per floor so when an AP would fail, the WLC will calculate and increase the transmission power to cover the loss of an AP.
    In regards to what models to buy, I'd recommend looking at the 1140 or the 1250. These AP's are geared up for Draft N (2.0 Ratified).
    For AP's that are geared up for 802.11N (Draft 2.0):
    Data Sheet Cisco Aironet 1140 Series Access Point
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10092/datasheet_c78-502793.html
    Data Sheet Cisco Aironet 1250 Series Access Point Data Sheet
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6973/ps8382/product_data_sheet0900aecd806b7c5c.html
    If you are going to choose the 1250, note that the antennas are optional. Here's some information regarding them.
    Antenna Product Portfolio for Cisco Aironet 1250 Series Access Points
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/at_a_glance_c45-513837.pdf
    The AP1250, when operating with 2 radio modules on Autonomous IOS, requires a minimum of 18.5 watts (ePoE). So you'll need either a Power Injector or PoE switch that will support enhanced PoE such as the 3560-E or 3750-E.
    Cisco Nurse Connect Solution
    http://www.cisco.com/web/strategy/docs/healthcare/nurse_connect_aag.pdf
    Hope this helps.

  • The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

    Hello
    I think the following topologies are supported for Cisco Routers
    And the Physical interface also can be using as Native VLAN interface right? 
    Topology 1.
     R1 Gi0.1 ------ IEEE802.1Q Tunneling  L2SW ------ Gi0 R2
    R1 - configuration
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     ip address 10.0.0.1 255.255.255.0
    Topology 2.
    R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
    interface GigabitEthernet0
    ip address 10.0.0.1 255.255.255.0
     And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
    R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3 
          Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4  (same VLAN-ID) 
    R1 - configuration
    interface GigabitEthernet0
     ip address 10.0.0.1 255.255.255.0
    interface GigabitEthernet8.20
     encapsulation dot1Q 20
     ip address 20.0.0.1 255.255.255.0
    Any information is very appreciated. but if there is any CCO document please let me know.
    Thank you very much and regards,
    Masanobu Hiyoshi

    Hello,
    The diagram is helpful.
    If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
    Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
    Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
    Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
    My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
    Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
    I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
    Best regards,
    Peter

  • Configuring Cisco Access Points 1602i Air-SAP-1602I-Z-K9

    Hi everyone,
    I am having trouble configuring Cisco access points 1602i. I have configured them and they are broadcasting the SSID and clients are able to connect to them, but the only thing which is troublesome is speed. I have 100Mbps bandwidth speed but at the access point I am getting speed between 17 and 25. Can anyone please tell me where I have gone wrong?
    I have a Juniper Srx210 configured as backbone for providing internet on fiber. Then further I have attached one PoE switch (manageable). From that switch I have attached 4 access points.
    One more thing: two ports of the Juniper are configured as VLANs, one for staff and one for students. I have attached this PoE switch to the Student VLAN, but haven't configured the ports of the PoE switch as trunk. Please tell me, do I have to configure the ports as trunk on the PoE switch? Is this the cause of slow bandwidth over the access points?
    I am also planning to go for a WLAN Controller to manage the access points. When I contacted my supplier about it, he told me the following:
    "You just need to convert the Access points to autonomous mode. Here are some details, there is no additional charge."
    https://supportforums.cisco.com/message/3889653
    http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp160918
    http://www.youtube.com/watch?v=QQ_NuxdRhQ4
    https://supportforums.cisco.com/docs/DOC-14960
    I looked at the links but couldn't understand them properly. Then I searched over the internet and found out that
    "a cisco autonomous access point basically runs on its own while a lightweight access point uses a centralized device called a wireless lan controller to get its configuration. autonomous access points are managed individually, while the lightweight access points can be managed centrally. also, the switchport configurations to support both types of access points will differ."
    I didn't understand why he suggested going for a WLAN controller and upgrading the access points to autonomous mode, when the above finding says that autonomous access points run individually.
    Please advise.
    I shall be thankful

    Hello Scott and Leo,
    Thanks for all your help.
    I have managed to install and configure 4 access points and now the access points are giving speeds between 25 and 45Mbps. Still not enough, but it is solving the purpose. Everyone is enjoying their Facebook. I will soon get the Cisco WLAN Controller as well. I don't know if there is a way to get more speed from these access points. I am ready to buy more equipment if required.
    Anyway, today I need your expertise once again. As you know, the Juniper Srx 210 is configured for fiber internet to provide internet services to the school. Now we are changing the building and transferring the line to the new building. This time I want to use a Cisco router in place of the Juniper Srx210. But I need to know what model will support the current configuration for fiber. Would you please tell me what model/series of router will be suitable for fiber internet and for implementing other restrictions?
    I am attaching a picture of the current Juniper Srx 210 for your consideration.
    I shall be very thankful to you
    Sarabjit

  • Why Native VLAN exists on a Trunk?

    Basically, a Native VLAN carries untagged traffic on a trunk line.
    A trunk line allows multiple VLAN traffic (tagged traffic). So why does a Native VLAN exist on a trunk?
    Why was the Native VLAN created?
    I'm pretty confused by VLANs.

    Hi,
    The second question - why PC Network adapters support VLAN tags - is actually easier to answer :)
    First of all, with regards to VLANs and frame tagging, there is actually nothing special to support on a network adapter! The VLAN tag itself is in fact stored in the payload of a tagged frame. Even to the most dumb network adapter, a tagged frame looks like any other - Destination MAC, Source MAC, EtherType (set to 0x8100), Payload (holding the rest of the VLAN tag, the original EtherType and the original Payload), and the FCS. Supporting VLANs and frame tags is possible on a purely software level. The fact that network adapters often do have hardware support for VLANs is related to performance reasons: With hardware VLAN support, the tagging, de-tagging, filtering and/or sorting frames based on the VLAN tag value is faster and it allows offloading these operations from the computer's CPU to the network card. However, even if the network adapter did not have any kind of VLAN support, the VLANs could still be implemented purely in the card's software driver.
    Ordinarily, you would not see a common PC send and receive tagged frames. However, there are situations in which even a PC would send or receive a tagged frame. One of the reasons is the presence of the Class-of-Service (CoS) bits in a VLAN tag. You surely know that basic Ethernet frame format does not include any kind of priority marking. There is no field in an Ethernet header that would allow you to indicate that this or that frame requires a preferential treatment. VLAN tags, on the other hand, have a 3-bit CoS field that allows you to indicate the priority of the tagged frame. Should a PC need to send a frame that needs to be explicitly marked as more important than others, it can be done by inserting a VLAN tag into this frame and setting the CoS field to a non-zero value (with 3 bits, the maximum CoS value is 7).
    Another reason for a computer to send and receive tagged frames would be when the computer itself would be intentionally placed into multiple VLANs. For example, the router-on-a-stick performing inter-VLAN routing is not a concept just for dedicated hardware routers. For example, any computer running Linux can be used in place of a Cisco router to perform inter-VLAN routing. Just like on a Cisco router, you would configure the Linux with subinterfaces for each VLAN it should be able to route from and to, assign IP addresses, and voila - you have a cheap and powerful inter-VLAN router. Yet another reason for receiving and sending tagged frames on a computer would be virtualization: You could have a server that runs multiple virtual operating systems in VirtualBox, VMWare, Xen or some other virtualization solution, and you want each of these virtual PCs to have a "separate" network card so that they can not talk to each other when they communicate with the outside world. You would do this again by creating subinterfaces on the physical machine, and bridging the individual virtual PCs with unique subinterfaces so that each virtual PC gets its own subinterface onto which it is bridged. As a result, the communication of individual virtual PCs would be tagged on the physical link depending on what virtual machine was speaking.
    So, while not exactly a typical situation for an ordinary office PC, it is nonetheless quite normal to see a computer being connected to a trunk port. This, however, is always done with the prior knowledge that the computer will indeed need to talk to several VLANs simultaneously and directly. Otherwise there's no need for that.
    Regarding the native VLAN on trunks - well, this is a neverending debate. I wish the native VLAN was never invented but well, it's here so we have to fight with it. Often, it is explained as "the VLAN that will save you if you happen to connect a normal PC to a trunk", and you have asked quite correctly - why on Earth would I want to connect a normal PC to a trunk, if not for reasons stated above? And you would be perfectly right - you wouldn't. The reason for native VLANs is different. If you try to study the IEEE 802.1Q standard you will learn that it does not recognize the terms access port and trunk port. It has no distinction for these port types. Instead, 802.1Q considers each port to be possibly associated with multiple VLANs at once. One of these VLANs is called the Primary VLAN, its number (ID) is called the Primary VLAN ID (PVID), and this VLAN is considered to be the one that is always associated with the port and thus does not need to use tags. Any other VLAN that is in addition associated with the port obviously has to use tags to be distinguishable. From this viewpoint, a port that is associated just with its PVID would be what Cisco calls an access port, and a port that is associated with VLAN IDs other than just its PVID would be what Cisco calls a trunk port, with the PVID being the trunk's native VLAN ID.
    So in the way IEEE defines VLANs and their usage, PVID (= native VLAN ID) is a property of each port, so any implementation that claims compatibility with 802.1Q has to implement the PVID. Cisco decided to have a twist on the understanding of VLANs, and came up with access ports (i.e. ports associated just with their PVID and no other VLAN ID) and trunk ports (i.e. ports associated with many VLAN IDs including PVID), and so each trunk port must have its PVID - and that is what we call native VLAN and why we need to at least support it - although we do not need to make use of the native VLAN on trunks.
    Quite convoluted.
    Best regards,
    Peter
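
The frame layout and per-port PVID rule described in the answer above, as an added Python example that is not part of the original thread. The function names, the sample frames and the simplified allowed-VLAN filter are assumptions made for illustration; the handling of priority-tagged frames (VID 0, classified into the PVID while keeping their CoS) goes slightly beyond what the post spells out.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into header fields, exposing any 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(), "src": src.hex(), "tagged": False, "cos": 0,
            "vid": None, "ethertype": ethertype, "payload": frame[14:]}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True,
                    cos=tci >> 13,     # 3-bit priority (CoS), 0..7
                    vid=tci & 0x0FFF,  # 12-bit VLAN ID
                    ethertype=inner,   # the original EtherType
                    payload=frame[18:])
    return info


def classify(frame: bytes, pvid: int, allowed: set) -> Optional[int]:
    """Return the VLAN an ingress frame lands in, or None if it is dropped.

    Simplified port model (assumption): untagged and priority-tagged frames
    join the port's PVID (native VLAN); tagged frames must be in `allowed`.
    """
    f = parse_frame(frame)
    if not f["tagged"] or f["vid"] == 0:
        return pvid
    return f["vid"] if f["vid"] in allowed else None


# Constructed sample frames (addresses and payload are made up).
MACS = bytes.fromhex("ffffffffffff" "020000000001")
UNTAGGED = MACS + struct.pack("!H", 0x0800) + b"ip-payload"
TAGGED_20 = MACS + struct.pack("!HHH", 0x8100, (5 << 13) | 20, 0x0800) + b"ip-payload"
PRIO_ONLY = MACS + struct.pack("!HHH", 0x8100, (7 << 13) | 0, 0x0800) + b"ip-payload"
TAGGED_99 = MACS + struct.pack("!HHH", 0x8100, 99, 0x0800) + b"ip-payload"

if __name__ == "__main__":
    for name, fr in [("untagged", UNTAGGED), ("vlan 20", TAGGED_20),
                     ("priority-only", PRIO_ONLY), ("vlan 99", TAGGED_99)]:
        print(name, parse_frame(fr)["cos"], classify(fr, pvid=1, allowed={1, 20}))
```

Changing `pvid` in the calls shows why both ends of a trunk must agree on the native VLAN: the same untagged frame lands in whichever VLAN the receiving port has as its PVID.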
