SA520 two VLAN

Hi
i make two VLAN's on Cisco SA520W ( Firmware 2.1.71 )
a) 192.168.0.x
b) 192.168.2.x
in network configuration -> Available VLANs -> " Inter VLAN Routing Enable " check box ( enable ) on both VLAN's
and in
network configuration > Port VLANs -> all 4 inside ports make : mode trunk , and VLAN Membership both vlan's
But i don't have traffic between vlan's
Can anybody help ??
Valts

Valts,
Tom is correct, the SA520 has four ports on the inside, two will need to be access ports only. One in each VLAN with either PCs or Switches on each of the ports for each subnet. Otherwise all inside ports are Trunk ports and any computer plugged directly into any of the four "Trunkports" on the SA520 will not forward traffic to the SA.
To test you'll need to place one port in Access Mode assigned to each VLAN then plug your PCs one into each port making sure the network cards are assigned IP addresses correctly or by letting DHCP assign them if you have it configured on each VLAN subnet.
Once done this way each PC should be able to ping the other thru the SA520 and Ping each interface assigned to the SA520. Which makes me wonder you did assign the SA520 an IP address on each VLAN subnet?
Hope this helps,
Jon

Similar Messages

Two VLANs on one switch port?

Currently we have the following
Cat 4003 with VLAN trunking turned on to multiple switches. Each port in those exterior switches is assigned to a vlan(we have about 60 different vlans).
What I would like to do is on those exterior switches have two vlans assigned to it.
We'd like to create a single IP Phone VLAN(let's call it 999) that can span our entire enterprise and would have dhcp deployed on it.
Each port is connected to an IP phone which has a 2 port switch in them. One port to the wall, one to the pc.
The switch ports on those phones support vlan tagging
How would setup an exterior switch to access 2 vlans that connect to 2 port switch on an IP phone?

To facilitate ease of deployment, use VTP so that you can centrally create the vlans and propagate to each exterior switch. Now I believe you already do have a layer 3 engine or router that does routing between all these vlans. What switches are used on teh exterior ? This is to find out if voice vlan support is available.
In cat switches, voice vlan is created using command,
set port auxiliaryvlan vlan
In IOS based switches,
int fa0/1
switchport mode trunk
switchport trunk encap dot1q
switchport trunk native vlan
switchport voice vlan
switchport priority cos extend 0
or
int fa0/1
switchport mode access
switchport access vlan
switchport voice vlan
I am not sure about support of voice/aux vlan in 4003. We will have check your other switch models/ software versions to determine support for this command.

How can i use IDSM-2 in inline mode for more than two VLANs?

can i use the IDSM-2 in inline mode to be ips to more than two VLANS
like this or it isn't
intrusion-detection module 5 data port 1 access-vlan 10,20,30,40,50
intrusion-detection module 5 data port 1 access-vlan 100,200
thank u all for your help

The IDSM-2 ports need to be configured as trunk ports with multiple vlans rather than as access ports.
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517eb.html#wp1068377
And instead of creating an inline interface pair by pairing Gig0/7 with Gig0/8 within the IDSM-2 configuration, you would create inline vlan pairs.
With an inline vlan pair you pair 2 vlans on the same interface.
You can have up to 255 inline vlan pairs on each interface (assumining you keep the total traffic from all of the pairs within the IDSM-2s performance limit of around 500Mbps)
How to create inline vlan pairs:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517bb.html#wp1047852
The other aspect you need to be aware of is that not all IOS versions will support configuring the IDSM-2 data ports as trunk ports for inline vlan pairs.
Your best bet is to use 12.2(18)SXF4 or a later version on the 12.2(18)SXF train.
The 12.2(33)SR train does not currently support the trunk feature for the IDSM-2.

Small network, two VLANs, need some guidance

Hello. Big-time newbie here. I have a Cisco 2801 router and a few Cisco SG200-26 switches. I need to configure two VLANs: vlan10 for public wifi access and vlan20 for private staff use. I have fa0/0 configured with IP 192.168.1.2/24. This interface will be connected to an AT&T DSL gateway for Internet service. I have fa0/1 configured with IP 172.16.1.1/16. The goal is to provide Internet access to both VLANs, but no routing between VLANs. I am also enabling a DHCP pool of 172.16.10.0/22 intended for use on vlan10 (public wifi access) and another DHCP pool of 172.16.20.0/24 for vlan20 (private staff). I assume fa0/1 has to be configured for dot1q trunking and connected to a switch port also configured for trunking, yes? I also have WAPs that will need to serve up both VLANs. The WAPs I have are 121 and 2600 series. I assume I will be creating two SSIDs - one for each VLAN, yes?
I am looking to keep this as simple as possible.
What else do I need to consider? thank you in advance for your guidance.

thanks for ur valuable reply.
u r right that whenever we create a new db, oracle always assigns a new dbid. which will be different from the id of backupset db.
kindly explain me steps to perform, whether it is duplicate db case or standby.
how rman will recoganize the backupset.

Creating two vlan in AP 1131

I need to create two vlan data and voice, with SSID, when I create two vlan with 31 for data 103 for voice with two different SSID, what ever vlan I created first is get broadcast, second one is not get broadcast, please let me know what I am missing.
Security is in open mode.

Hi Bala,
Have a look at this recent post from Dan @ Cisco. He nicely addresses this question;
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cd4109c/2#selected_message
Hope this helps!
Rob

Two VLANs on same Switch with NAT problem.

Hello all.
I have few cisco devices at home that i am using to study from. I am using for now on this little setup a 2620XM and a 3500XL Switch. I have two vlans setup on the switch VLan10 and VLan20 using router on a stick. I have setup the inside and outside interfaces. I have the fa1/0 as my outside with a dhcp address of 192.168.1.10. I have also setup my internet router to see networks 172.20.0.0/24 and 172.20.1.0/24. I am able to ping back and forth from 192.168.1.0/24 to both networks. The issue comes when i try to apply NAT. I have tried two different setups and both have failed. I have two ping windows open on my PC on the 192.168.1.0/24 side both hitting vlan 10 and 20. Once i applied either Nat solution i lose ping on one vlan while still pinging the other, but both vlans can't go out to the internet. Below is the NAT solutions i have tried below. Also running config for both router and switch. If anybody can i assist i would really appreciate it.
NAT Solution 1
ip nat pool INET 192.168.1.10 192.168.1.10 netmask 255.255.255.0
ip nat inside source list 1 pool INET overload
access-list 1 permit any
NAT Solution 2
ip nat inside source list 100 interface fa1/0 overload
access-list 100 permit ip any any
Router config
R1#sh run
Building configuration...
Current configuration : 1470 bytes
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname R1
boot-start-marker
boot-end-marker
enable secret
no aaa new-model
ip subnet-zero
ip cef
interface FastEthernet0/0
no ip address
duplex auto
speed auto
interface FastEthernet0/0.5
encapsulation dot1Q 5 native
ip address 172.16.1.6 255.255.255.248
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 172.20.0.254 255.255.255.0
ip nat inside
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 172.20.1.254 255.255.255.0
ip nat inside
interface Serial0/0
no ip address
shutdown
interface Serial0/1
no ip address
shutdown
interface Serial0/2
no ip address
shutdown
interface Serial0/3
no ip address
shutdown
interface FastEthernet1/0
ip address dhcp
ip nat outside
duplex auto
speed auto
no cdp enable
router ospf 1
log-adjacency-changes
network 172.16.1.0 0.0.0.7 area 0
network 172.20.0.0 0.0.0.255 area 0
network 172.20.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
no ip http server
ip classless
line con 0
exec-timeout 0 0
password
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 0 0
password
logging synchronous
login
line vty 5 181
exec-timeout 0 0
password
logging synchronous
login
end
Switch Config
SW1#sh run
Building configuration...
Current configuration:
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname SW1
ip subnet-zero
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport trunk allowed vlan 1,5,10,20,1002-1005
switchport mode trunk
interface FastEthernet0/2
interface FastEthernet0/3
interface FastEthernet0/4
switchport access vlan 10
interface FastEthernet0/5
switchport access vlan 10
interface FastEthernet0/6
switchport access vlan 10
interface FastEthernet0/7
switchport access vlan 10
interface FastEthernet0/8
switchport access vlan 10
interface FastEthernet0/9
switchport access vlan 10
interface FastEthernet0/10
switchport access vlan 10
interface FastEthernet0/11
switchport access vlan 10
interface FastEthernet0/12
switchport access vlan 20
interface FastEthernet0/13
switchport access vlan 20
interface FastEthernet0/14
switchport access vlan 20
interface FastEthernet0/15
switchport access vlan 20
interface FastEthernet0/16
switchport access vlan 20
interface FastEthernet0/17
switchport access vlan 20
interface FastEthernet0/18
switchport access vlan 20
interface FastEthernet0/19
switchport access vlan 20
interface FastEthernet0/20
switchport access vlan 20
interface FastEthernet0/21
switchport access vlan 20
interface FastEthernet0/22
switchport access vlan 20
interface FastEthernet0/23
shutdown
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/24
shutdown
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/1
interface GigabitEthernet0/2
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
interface VLAN5
ip address 172.16.1.1 255.255.255.248
no ip directed-broadcast
no ip route-cache
ip default-gateway 172.16.1.6
line con 0
transport input none
stopbits 1
line vty 0 4
login
line vty 5 15
login
end

You need to change your acl because NAT doesn't usually work with "any" as the source.
I tend to use extended acls so -
access-list 101 permit 172.20.0.0 255.255.255.0 any
access-list 101 permit 172.20.1.0 255.255.255.0 any
and then use your second solution ie. overload on the interface.
If you find you cannot ping between your vlans then you need to modify the above acl to deny traffic between the vlans/IP subnets then permit any as above but it should work without doing that.
Jon

Two VLAN`s on Small Business 200(8ports) and 500 (24ports)

Hello,
Im having troubles enabling two different VLANs on a locally static network.
The entire network is setup with only static ips and no DHCP server or router on this network. The network has just been handling fire units so a central station can watch if the fire units are online.
Now we want to establish a second VLAN on theese switches for other units like security on doors etc. Is this possieble without a router? The two vlans does not need to reach eachother.
I have checked many videoes online and such, but i dont seem to get the interface enabled to two different ip vlans at once.
I have managed to create different vlans, and assigning them to ports. But not defining two different ip subnets on the vlans.
I have also trouble setting the system clock permanently. Everytime i reboot the switch, it seems to be going back to factory, even thou. ive updated firmware to latest and also applied the changes.
Anyway, would much appreciate a answer regarding the vlan configuration.
Thanks
Thomas

Leo has given you some excellent advice ie. you cannot choose a kit list until you have a design. It just doesn't work the other way around. If you don't have the experience to design the solution then you can't really be choosing the kit. Otherwise when you do hire your consultant he might well be constrained by the kit already chosen and you will not get the best solution for your needs.
Please don't take any of this the wrong way. NetPro is a great forum for helping people out with technical and design issues with Cisco equipment but there are times when NetPro is not the best solution and this is one of them. We could each give you a kit list of what we "think" is the best solution but that really should come from the designer.
Jon
Leo - will you please stop losing your points oops, and now they are back again

HP 3800 switch port-security one mac in two VLAN for Cisco IP Phone

Hellow all!
I'm want use port-security for ports on my HP 3800. But PC connected
to network via PC port on Cisco ip phone. For phone used 10 voice VLAN,
for data - 1 VLAN (native). Cisco phone add self mac-address in these
two VLAN. On Cisco Switch 2960 i resolve this for 4 command:
switchport port-security maximum 3
switchport port-security mac-address pc_mac
switchport port-security mac-address ip_phone_mac
switchport port-security mac-address ip_phone_mac vlan voice
How i can add one mac in two VLAN's on HP 3800 Switch?
Sorry for my English, please ^_^
This topic first appeared in the Spiceworks Community

Hi Kuarzo, please reference the following;
https://supportforums.cisco.com/document/116426/how-configure-dynamic-mac-port-security-sx300
https://supportforums.cisco.com/document/116256/how-configure-static-mac-port-security-sx300

Two VLAN's port forwarding to one, problem

Hi all
This is my first ever Cisco router for forgive me, if this is a simple matter, but I have spent the entire weekend trying to figure this out - with no luck.
My employer has provided me with a Cisco 871W router for my homeoffice.
The router is pre-configured with two VLANs and BVIs; VLAN1 (BVI1) and VLAN2 (BVI2) for home and office connection on two different subnets (192.168.1.0 and 192.168.0.0).
My office connection is secured with IPSec or something similar - I have not that much insight in that aspect.
The configuration works for normal internet access (www, mail etc) on both networks, and the tunneling to my workplace works fint too.
My problem is that I would like to open up some ports for gaming etc. on the "home"-part of the configuration, but I cannot seems to get that to work.
The attached configuration is my current running configuration, which contains some of my trials on getting this to work, so it might look a bit odd.
If anyone could help me, I would appreciate it.
Regards
Jesper Lauridsen

Hi,
By the looks of it, you have an extended access list called 'outside_access_in' applied to your outside interface fa4.
You would have to add a rule to this access list allowing the port in question.
You would then need a static NAT entry that would map the port to the internal host.
For instance, if you had a rule to allow port 80 like this:
permit tcp any any eq www
You would also need a NAT entry like this:
ip nat inside source static tcp 192.168.0.10 80 interface FastEthernet4 80
Assuming that 192.168.0.10 was the client PC.

SG300-20 behind firewall with two vlans

Hello,
i have the following network running: see attachment. The switch has two VLANs, one for the 10. network, the other should be for the 192. network. Now i want to access 10.0.1.11 from 192.168.178.1 but i get blocked by the firewall. The switch is now in the 192.network, but i want to connect the 10.* ports directly to the router. I am grateful for every hint.
Best regards,
Rome

I would recommend adding a 2nd vlan interface to your firewall, and enable inter vlan routing on the firewall.
It would be good to set a different network segment between the router and firewall,
It would look something like this.
router --> firewall vlan1 -->switch vlan1 -->192.168.178.x clients
firewall vlan10 -->switch vlan 10 --> 10.0.1.x clients
You don't say what the router or firewall models are, or the subnet masks...
The default gateways for the clients would point to the firewall, and it would do intervlan routing.
Or:
You can do intervlan routing on the switch.
set the switch in layer3 mode (this will factory reset the switch). Set up the 2 client vlans, including dhcp with default gateways for the clients pointing to the switch.
select a different network segment for the firewall to switch connection (say 192.168.180.x)
add a route, rules, and nat statements in the firewall for both networks 192.168.178 and 10.0.1.x.
add a default route in the switch pointing to the firewall.
that would look something like
router - firewall -(192.168.180.x) - switch - vlan 10.0.1.x
\- vlan 192.168.178
This would put the inter vlan routing load on the switch instead of the firewall.
you can also call in to the small business TAC and request assistance 866-606-1866 in US and Canada. These devices come with 1 year free tech support.
Hope this helps,
Dan

Quesiton about PVID , SA520, Native VLAN

Is PVID the same thing as "native vlan"? Can the native VLAN be changed on a SA520? Currently I believe it to be 1, I'd like to change the native VLAN to 10.
I have a scenario where I have a prexisting production LAN of 192.168.1.0/24 . It's a small organization (a church), but they purchased 3 Aironet 1130ag units. They want to have a "private" WLAN that is part of 192.168.1.0/24 , and a guest WLAN of a different subnet (I chose 192.168.20.0/24) . The two should never meet. There will likely never be a guest computer connected via ethernet. Guest computers would always have to connect wirelessly.
I accomplished this to a point.
I left VLAN 1 on the SA520 192.168.75.0/24 subnet as default.I created a VLAN 10 , 192.168.1.0/24 subnet, and I created a VLAN 20, 192.168.20.0/24 subnet.
VLAN Recap:
VLAN 1 , 192.168.75.0/24
VLAN 10, 192.168.1.0/24
VLLAN 20, 192.168.20.0/34
Ports 1-3 of the SA520 are members of VLAN 1, 10, and 20 (cannot remove membership of VLAN1, which is pretty annoying).
The Aironets have been configured correctly.
SSID: Priv is part of VLAN 10
SSID: Pub is part of VLAN 20
Both are secured by WPA, and when I connect, the proper DHCP subnet passes from the firewall through to the wireless client, for each respective SSID.
Ultimately, I'd like the SBS 2003 server to handle DHCP for VLAN 10, and have the SA520 handle DHCP for VLAN 20, but i'll take what I can get.
Here's my challenge:
The original production LAN is connected via an unmanged switch.
I'd like to trunk the unmanaged switch to Port 4 on the SA520. However, since the PVID (native vlan?) of SA520 is 1, and I cannot make Port 4 on the SA520 ony a member of VLAN 10, then anything traffic coming from the unanaged switch will automatically be tagged with VLAN1, correct? Thus causing the already existing production network to start receiving DHCP from the firewall in the 192.168.75.0/24 range.
Any ideas or help on the above?
What I would do if I had a managed switch on the production LAN:
If I had a managed switch on the production LAN, what I think I would do is make one port a trunk port, connect that port to Port 4 on the SA520, then make all the rest of the ports on the managed switch access ports, and members of VLAN 10. Am I on the right track there?
Hiccups when setting up the WAP:
I would have changed the VLAN 1 on SA520 to 192.168.1.0/24 subnet, and only created a second subnet, but there was a challenge with that and the WAP's.
Cannot change the VLAN the dot11radio0 is a part of. There's not encapsulation command.
Could not broadcast the SSID's successfully and secure via WPA unless the SSID's were on VLAN's other than 1. The dot11radio0 would go into a "reset" state.
Could change the VLAN subinterfaces of dot11radio0 were on, for example dot11radio0.10 is a member of VLAN 10. Dot11radio0.20 is a member of VLAN2.
In any event, it's working, but the rest of the infrastructure is the challenge.
Here's one of my WAP configs as an example:
Building configuration...
Current configuration : 2737 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname WAP2
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
no aaa new-model
no ip domain lookup
dot11 syslog
dot11 ssid CASPRIV
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 107E1B101345425A5D4769
dot11 ssid CASPUB
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 132616013B19066968
username Cisco password 7 0802455D0A16
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 20 mode ciphers aes-ccm
encryption vlan 10 mode ciphers aes-ccm
ssid CASPRIV
ssid CASPUB
mbssid
channel 6
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.10
encapsulation dot1Q 10
ip address 192.168.1.5 255.255.255.0
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface Dot11Radio0.20
encapsulation dot1Q 20
ip address 192.168.20.3 255.255.255.0
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption mode ciphers aes-ccm
ssid CASPRIV
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
interface BVI1
no ip address
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
login local

Hello Paul,
You have a lot going on here so forgive me if I miss something.
PVID is for Primary/Port Vlan ID. It is used to identify the vlan on a port and can be used to change the native vlan of a port. You can change the PVID on port 4 of the SA520 to be vlan 10 if you need to.
The simplest setup would be for you to have your private network all be on the native vlan 1 and set your guest to be on another vlan. All of this would be possible without any problem on the SA520. Unfortunately I do not have much experience with the Aironet APs but they should allow you to continue this configuration onto the wireless network. For assistance with the Aironet APs I would have to refer you to someone more familiar.
I do hope this helps with setting your network.

SA520 Multiple VLAN Subnet Question

I am trying to configure my SA520 with 4 VLANS
VLAN-1 is configured as the default with 192.168.75.1/255.255.255.0 and DHCP Range of 192.168.75.100-254
I thought I could create VLAN 2,3, and 4 with the pattern of 192.168.x.1 and DHCP of 192.168.x.100-254 where x=the VLAN ID
When I do this, strange things seem to occur with connected DHCP clients on those VLANS, and I can not "see" DHCP leased clients in the config screen
The system happily accepted the above config. So after reading the docs -- I noted that VLANS need to exist in the same DHCP scope.
I tried changing VLAN 2,3 and 4 to match the following pattern
VLAN IP = 192.168.75.x/255.255.255.0 with DHCP of 192.168.75.1x0->1x9
I get an error for the VLAN IP address stating that "IP in the same subnet is already configured"
Thoughts?
Firmware .39

Hi Jason,
Before the 1.0.39 firmware, the VLANs required the same subnet. In 1.0.39, you can create your own subnets and DHCP scopes for each VLAN, which in fact is required in 1.0.39. I am not sure if they will show up in the DHCP clients page, but I can look into this.

Connectig an AP1131 act as WGB to AP root with two VLANS and two SSIDs

Someone Knows, if I can connect an AP 1131 configured as WGB to other AP 1131 acting as root with 2 Vlans and 2 SSIDs, and pass all of them to the WGB ethernet port, a mean, passing the traffic from the 2 differents VLANs with two differnts IP range from the ethernet AP root port, to the ethernet WGB port.
Thanks.

Unfortunately it will not play. AP as a WGB can cary only one (native) VLAN. For interconnecting more VLANs you need a full wireless bridge but it cannot be AP11xx.

After Enabling trunking and two VLANs on switchports - clients don't receive IP Addresses

Hello all and thanks for your help and expertise. Here's my scenario:
I have approximately 35 Ruckus APs in a building which has multiple VLANs. The switches are Cisco 3560G. I want to segment the wireless traffic onto a dedicated wireless VLAN (218). I created two scopes in DHCP to service the APs and wireless clients. The APs should get their IP addresses on VLAN 1 (VLAN 1 scope in dhcp.) The clients should get their IP addresses on VLAN 218 (VLAN 218 scope in dhcp). I utilized the following commands to accomplish this goal, unsuccessfully.
Example: on port gi0/5
1 - switchport trunk encapsulation dot1q
2 - switchport mode trunk
3 - switchport mode access
4 - switchport trunk allowed vlan 1,218
Problems: 1) The APs are not getting an IP address on the default or native VLAN 1 unless I configure an IP Helper. Please note we have another building where a consultant set this configuration up (and it works) but I don't see an IP helper set when I check the config for VLAN 1.
2) The wireless clients do not get an IP address on VLAN 218, even if I set an IP helper address. In the other building - there is an IP helper set on VLAN 218 so I'm not sure what I missing or if something else is configured.
I would greatly, greatly appreciate if someone could tell me what I'm missing here. Is there something else I have to do to ensure clients on vlan 1 and 218 are able to obtain dhcp addresses in the config of the switch? Do I have to further configure vlan 1 or 218? I'm enabling the correct encapsulation, trunking the ports, and setting the vlans. What am I missing here relative to APs and clients getting dhcp addresses. Anyway your help is much apprecaited.

You need vlan 218 on all switches and allowed on all trunks that need to pass traffic for that vlan.
You don't have to add it explicitly to STP as it should be run anyway but if you manually set STP priorities for other vlans you should probably do if for this vlan as well.
Shouldn't stop it working though.
If you manually assign a vlan 218 IP to a client can it ping the SVI IP ie. it's default gateway and if so can it ping devices in other vlans ?
Jon

How to route two vlans on two switches that are connected only on one router?

Suppose that any of the trunk links fails or if you want, suppose that there is no link between SW1 (G0/1) and SW2 (G0/1). How can you make computers in Vlan 10 to see computers in Vlan 20 and viceversa?. I tried creating a bridge group on the router for G0/0.10-G1/0.10 and another for G0/0.20-G1/0.20. Then define interface BVI10 and BVI20. Interfaces came up but you can not configure dot1q on them and switches can not see them. Anyways with one interface on the bridge group going down the BVI interface goes down as well so that's not an option. Router should be 10.10.10.1 and 20.20.20.1 and each computer have that as gateway respectively.

Jody thanks very much!
Indeed the encapsulation was done in the sub-interfaces, as posted in the OP you can not [encap dot1q X] on the BVI interface. Even though, the switches didn't established the trunk with the BVI. Anyways using bridge groups is not an acceptable solution because with the failure of any interface of the trunk links in the router, the BVI interface goes down as well.
You said "if I want to handle it at layer 2" How will you do it at layer 3? I though something like HSRP or VRRP but that doesn't apply since it is only one router. Remember, the router must be able to route between vlan10 and vlan20 for computers on both switches in case of one of the trunk link failure.
This is for learning purposes so I started with Packet Tracer but PT doesn't support bridge groups. Then I tried GNS3. I will try with the router in GNS3 with a switch module but I'm not clear. that will be like having a 3rd switch, right? What I mean is that I will not be using routed interfaces between the router and the switches, right?

SA520 two VLAN

Similar Messages

Maybe you are looking for