Setting up 2 vlans for 2 pixs.

I have a situation that I was trying to seek some assistance on. At this site, there are 2 Internet connections, 1 T1 and 1 Cable. Right now everything is going out the T1. They would like to add the cable ISP and a PIX 501 for guests and have all the Access Points using the Cable ISP and keep everything internal using the T1 like they are now. The current setup goes like this. T1 -> PIX 515 -> Cisco 4000 series router -> 2950. Would like to add the Cable -> PIX 501 -> 2950 -> AP. I know that I need to configure a VLAN for the wireless on the 2950s, but how would I configure a default route since the default route is being used already for the other VLAN? I think that I am making this much more difficult than it really is.

I hope I understand your question, that you want to install two ISP uplinks into your PIX.
There is no chance to connect your PIX to two ISPs; at the same time only one ISP can be used as active. In version 7.2 there is the option for tracking, and in this case the second ISP connection can become active.
You can add a maximum of three default routes, but using the same outside interface, which is not acceptable for this scenario.
If you install a second PIX, just use the new PIX inside interface as the default GW in the guest VLAN and that's all. On the 2950 you just use an L2 VLAN.
bye
FCS
Please rate me if I helped.

Similar Messages

  • How to set up a VLAN for a School Network for student ipads/ipods?

    I work at a small private school that is going to implement about 20 ipads for classes. Students bring their ipods and iphones and are connecting to the existing unsecured wireless access points and are taking up the remaining IP addresses in the DHCP scope. I am running out of IP addresses and was wondering if I could set up a VLAN using the Cisco WRVS4400N for all of these wireless devices the students will be using. I plan to pull out all unsecured wireless APs and replace them with whatever solution we come up with. I will need about 6 access points/routers to cover the entire school. There is not a lot of money for technology and the ipods were donated. I have never set up a VLAN before. Is there an inexpensive way to allow the students with their personal ipads/ipods and the 20 ipads owned by the school to connect to a VLAN to keep from using up our DHCP IP addresses from the server? Thanks in advance.

    Hi pctiger92!
    The WRVS4400N is now being handled by the Cisco Small Business Support Community.
    For discussions about this product, please go here.

  • Vlan for dmz

    Can anyone tell me how to do a simple dmz on my router, it's got 2 ethernet interfaces, I have set up a vlan for this on my switches, it's for an e-mail server!!
    Thanks
    Carl

    check out the following link :
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a0080235e23.html

  • RV110W - trying to set up 2 VLANS - are there docs / help for this?

    I am trying to set up an RV110W router with 2 VLANs - 1 for guests to the office to just have internet access via wireless and another for employees to be able to access the LAN and internet wirelessly. I have not done anything with VLANs before, so please bear with me.
    I thought this would be simple, but banging my head against the wall with all the terms in the docs:
    http://www.cisco.com/en/US/docs/routers/csbr/rv110w/administration/guide/rv110w_admin.pdf
    port 1 is connected to a wired LAN / unmanaged switch with office PCs. So these machines / nothing on this subnet tag the packets before they get to the router.  This subnet is using 10.10.1.0/24
    Port 2 is connected to an Engenius EAP 300, a wireless access point that can broadcast SSIDs and tie each SSID to a different VLAN.
    SSID1 is called Private and is set to be VLAN 1. There's encryption on this SSID - only office staff would be able to log on.
    SSID2 is called public and is set to be VLAN 10.  There's no encryption on this SSID.
    I know - the router also does this, but where the router is vs. where the wireless is needed, we need to have the Engenius at that remote location.
    I have the RV110W set to give out 10.10.1.0/24 IPs when you connect to the SSID1 / VLAN1
    And it gives out 10.10.10.0/24 IPs when you connect to the public SSID / VLAN10.
    Both get on the internet fine.  The only issue is how to set the VLAN membership for each port / and any other settings so that the wireless devices on VLAN 1 can get to the LAN devices on Port 1 (and the public / vlan 10 devices on the wireless network to NOT get to the devices on port 1, but I think that's working).
    I played with tagged / untagged / excluded, for the port membership, but either the wireless VLAN 1 devices get blocked from even the web (when port 2 is set to untagged, since they ARE tagged VLAN1) or they can't get to port 1 when set to tagged, since the port 1 devices are all untagged and the reply packets get blocked?
    The doc for this unit talks about inter-vlan routing but doesn't explain what that is.  The wireless isolation should be turned on for vlan 10, right? We don't want guests to be able to access other guests' machines?
    I saw on page 71 on how to set up the guest network, but that's using the wireless built into the box, not a wireless access point.
    Overall, what I want is:
    VLAN 1: port 2 (with tagged VLAN1 packets) and port 1 (with untagged packets) can pass data between each other and access the internet
    VLAN10: port 2 with tagged VLAN10 packets can only get to the internet.
    Is that doable?
    How?

    thanks.  Still not working
    For the vlan membership page
    when set like this:
              port 1      port 2
    vlan1     untagged    untagged
    vlan10    excluded    tagged
    connecting to the vlan1 wireless SSID on port 2, I can't even get an IP address from the router (the dhcp request can't even come through port 2 because it's saying vlan1 packets have to be untagged?)
    connecting to the vlan 10 wireless SSID on port 2 gets a DHCP address and can only get to the web, so that's good.
    If I change the membership to:
              port 1      port 2
    vlan1     untagged    tagged
    vlan10    excluded    tagged
    connecting to both SSIDs on port 2 will get you a dhcp address, and vlan1 devices can get into port 1, but trying to admin the wireless access device on port 2 or even pinging it, now fails -  'cause the router gatekeeper says if you want to come through port 2, your packets have to be tagged? and the packets from port 1 to port 2 are untagged?
    If I change the membership to:
              port 1      port 2
    vlan1     tagged      tagged
    vlan10    excluded    tagged
    connecting to both SSIDs on port 2 will get you a dhcp address, but replies from the wired PC on port 1 / vlan1 can't get back out of port 1 'cause the router gatekeeper says if you want to leave through port 1, your packets have to be tagged? and the ping reply is coming from a device with untagged packets?  although the devices on vlan1 / port 1 CAN get on the web with their untagged packets.
    the wireless device says it supports 802.1q
    http://www.engeniustech.com/resources/EAP300_DataSheet_v2.1.pdf
    when they say port 2 / vlan 1 tagged, is it saying packets coming in FROM devices on that port have to be tagged? Or packets going TO devices on that port have to be tagged?  or both directions?
    Any advice?
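The three membership tables tried above, run through a simplified model of standard 802.1Q port rules. This is an added example, not part of the original posts or of Cisco's documentation; the PVID of 1, the untagged AP management interface and the last case (the AP bridging the Private SSID untagged) are assumptions, and the RV110W or EAP300 may behave differently.

```python
"""Simplified 802.1Q port-membership model (layer 2 only, no inter-VLAN routing)."""

PVID = 1  # assumption: untagged frames arriving on either port are classified into VLAN 1

# Membership tables from the post: {vlan: {port: "U" untagged | "T" tagged}}; absent = excluded.
TABLE_1 = {1: {1: "U", 2: "U"}, 10: {2: "T"}}
TABLE_2 = {1: {1: "U", 2: "T"}, 10: {2: "T"}}
TABLE_3 = {1: {1: "T", 2: "T"}, 10: {2: "T"}}

# Endpoints as (port, tag): tag is the VLAN ID the device sends and expects, None = untagged.
WIRED_PC = (1, None)       # office PCs behind the unmanaged switch on port 1
AP_MGMT = (2, None)        # assumption: the AP's own management interface is untagged
SSID_PRIVATE = (2, 1)      # "Private" SSID bridged to tagged VLAN 1, as in the post
SSID_PRIVATE_UNTAGGED = (2, None)  # hypothetical AP setting: Private SSID bridged untagged
SSID_PUBLIC = (2, 10)      # "public" SSID bridged to tagged VLAN 10


def ingress(table, port, tag):
    """Classify a frame arriving on `port`; return its VLAN, or None if filtered."""
    vlan = PVID if tag is None else tag
    return vlan if port in table.get(vlan, {}) else None


def egress(table, port, vlan):
    """Return (sent, tag_on_wire) for a frame of `vlan` leaving `port`."""
    mode = table.get(vlan, {}).get(port)
    if mode is None:                      # port excluded from this VLAN
        return False, None
    return True, (vlan if mode == "T" else None)


def delivered(table, src, dst):
    """True if a frame from src reaches dst in the tagging form dst expects."""
    vlan = ingress(table, src[0], src[1])
    if vlan is None:
        return False
    sent, tag = egress(table, dst[0], vlan)
    return sent and tag == dst[1]


def talks(table, a, b):
    """Two-way layer-2 reachability between endpoints a and b."""
    return delivered(table, a, b) and delivered(table, b, a)


def router_serves(table, endpoint):
    """Can the router itself (DHCP, Internet gateway) answer this endpoint?
    The reply leaves through the same port the request arrived on."""
    return delivered(table, endpoint, endpoint)


def report(table, private=SSID_PRIVATE):
    """Evaluate the goals stated in the post for one membership table."""
    return {
        "private_dhcp": router_serves(table, private),
        "private_to_lan": talks(table, private, WIRED_PC),
        "lan_to_ap_mgmt": talks(table, WIRED_PC, AP_MGMT),
        "guest_dhcp": router_serves(table, SSID_PUBLIC),
        "guest_to_lan": talks(table, SSID_PUBLIC, WIRED_PC),  # must stay False
    }


if __name__ == "__main__":
    cases = [
        ("table 1", TABLE_1, SSID_PRIVATE),
        ("table 2", TABLE_2, SSID_PRIVATE),
        ("table 3", TABLE_3, SSID_PRIVATE),
        ("table 1, Private SSID untagged", TABLE_1, SSID_PRIVATE_UNTAGGED),
    ]
    for name, table, private in cases:
        print(name, report(table, private))
```

In this model, membership decides whether a port accepts a VLAN's frames, and the tagged/untagged setting decides how frames leave the port, so a device only hears replies that match the tagging it expects. Port 1 is excluded from VLAN 10 in every table, which is what keeps guests away from the wired LAN at layer 2.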

  • Setting up a Test Voice VLAN for Lync 2013

    I want to set up a second voice vlan to be a test vlan.
    In the current situation the customer has voice and data running on vlan1. The customer insists on taking incremental steps to improve QoS. I have advocated separated vlans for voice and data. They just want to move everything (phase 1) to a different vlan. They want to see how getting all traffic off vlan 1 will improve their performance. Again, I recommended the best practice, they want to try this approach first.
    I am conducting a pilot test with just one cx600 IP phone and a single switchport. I created a new vlan99 using VTP.  I configured the switchports on the Cisco 2960-x switch as follows.
    #switchport mode access
    #switchport access vlan 99
    The phone gets its correct vlan id, and pulls its IP from the correct dhcp scope. However the phone displays "connecting with the lync server" for a long time, then "connecting to download its certificates". This takes a long time then fails.
    If I change the switchport back to vlan1 it works fine. What can be the problem? Does the vlan99 need to be defined on the lync server? How many vlans can be supported by Lync 2013?
    Thank you,
    gigiu

    Did you set the VLAN Configuration for Lync Phone Edition?
    You can check the following links:
    http://blog.schertz.name/2011/01/manual-vlan-configuration-for-lync-phone-edition/
    http://www.bricomp.com/blogs/post.cfm/dedicated-voice-vlan-for-lync-devices
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Lisa Zheng
    TechNet Community Support

  • Setting Locally Switched VLAN Id for HREAP'd ap's?

    I am using HREAP on a number of AP's to fulfill a need of my end-users to have wireless devices connect to a locally hosted resource on a sites network.  Getting the AP's to operate correctly has not been an issue (for the most part), and getting the "Locally Switched VLAN's" functional was not a problem.  However, when I routinely go back through my AP's to check on them or to look t-shoot an unrelated issue I have noticed that some of the AP's have retained the Locally Switched VLAN mapping (i.e.: WLAN Id=5, Profile Name = test ssid, VLAN Id = 123) and some of them resolve the VLAN Id to 1 (for example).
    Is there anyone that may have experienced this and can offer or point me towards a resolution?
    I am also curious if I can configure the Locally switched vlans directly to my WiSM's instead of to each individual HREAP'd AP?
    BTW: I have a wireless environment of 1242, 1252, and 1142 ap's with WiSM's on a 65xx w/ sup720.
    Thanks for the help.

    I saw similar behavior at a client site running 6.0.181.0 & 6.0.196.0 code, what I found the issue to be was that when you set the native vlan and hit apply the AP took a minute to initiate a reboot (or so it appeared) and when I set the VLAN Mappings they weren't actually being applied.
    I found if I set the AP to H-REAP and applied that then waited about 3-4 minutes, then enabled VLAN Support and set Native VLAN, apply that, wait 3-4 minutes, then set my VLAN Mappings that the issue went away.
    Not sure if that's the same issue you're running into but it's worth a shot.. I tried tons of things before discovering that pattern.. Incidentally it didn't seem to behave that way in 4.0 code nor does it seem to behave that way in 7.0 code.
    Hope this helps...
    Please rate useful posts.
    Thanks,
    Kayle

  • Question about setting vlan for Video Teleconference Equipment

    We recently purchased some Video Teleconference equipment (Product called LifeSize). Initially we had configured a separate vlan for VTC traffic and when a user needed to move the vtc equipment to a different room for a meeting, we would have to manually go in and change the vlan assignment on the switch for that port to the VTC vlan. From my understanding, there is a way to set this up so that anytime the vtc is plugged into any switch port, the port would automatically update to the proper VTC vlan. Is there a way to configure the switch to change the vlan option anytime the VTC equipment is plugged into any switchport? We are using Cisco 3750G series switches. There is an option on the VTC equipment for vlan configuration where we can specify the vlan. However, when we set the vlan, we lose connectivity to the device. If the vlan is preconfigured on the VTC equipment, what is the proper configuration on the switch port?
    Thx in advance for any help given.

    You would need a radius server to do 802.1x authentication. The radius server can associate the vlan you want to use with the authentication. So basically the device connects to the switch port, the device is challenged for credentials by the switch, it responds and then the switch passes the authentication details to the radius server. If the authentication was successful the radius server can then pass a number of attributes back to the switch, one of which is the vlan the port is to be assigned to.
    There is an additional issue with your setup in that generally 802.1x is used to authenticate clients which have an 802.1x supplicant on it but i suspect your equipment won't. So you can configure the mac authentication bypass feature. What happens here is the switch challenges your equipment but there is no response. Once the challenge has timed out you can configure the switch to then use the mac address of the connected device to authenticate it to the radius server.
    Here is the link for configuring 802.1x on the 3750 switch -
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1205506
    Note the restrictions just in case they affect your setup.
    As for the radius server the Cisco version is ACS. There are others but you would need to make sure they supported everything needed.
    Final point. I have never used 802.1x to do dynamic vlan assignment so I can't guarantee anything.
    Jon

  • NEED HELP PLEASE Setting up 2 VLANS and a redundant WAN connection

    I have a remote branch office which is actually a huge bar/lounge. The bar wants to enable patrons to access the Internet with their wireless laptops. I want to prevent those patrons from accessing our private network, and also prevent them from traversing our static VPN tunnel back to HQ.
    The bar processes all credit cards via the T1 connection, and this has caused us to lose money every time the T1 goes down while we're open, since there is no WAN redundancy right now.
    Here is my current hardware configuration:
    1) one PIX 501 50-user 3des.
    2.) two Dell 3024
    3.) one Aironet 1100(g) AP.
    Current LAN Network: 10.35.35.0
    (internal employees only, static VPN tunneled to remote HQ network)
    Current Wireless SSID's:
    SSID1=PRIVATESSID
    SSID2=PUBLICSSID (not currently in use, waiting to figure this out)
    Current WAN: one T1 connection.
    WHAT I WOULD LIKE TO DO AND NEED HELP FIGURING OUT:
    #1a) I want to create two separate VLAN's that are able to share the WAN connection, but not be able to "see" each other.
    #1b) These VLAN's would be mapped to their respective SSID's on the AP (PRIVATESSID>10.35.35.0 and PUBLICSSID>192.168.1.0).
    #1c) The 192.168.1.0 network should not be able to traverse the static tunnel between the branch site and HQ.
    #2) I would like to install a backup WAN connection such as a modem 56k dial-up to an ISP or a cable modem to an ISP. In case the primary T1 goes down, I would like the router to automatically dial out over the modem connection and route all Internet bound traffic over that backup WAN connection, until the primary comes back online.
    Question 1:
    I'm assuming I need a router to do the intervlan routing. Could this router also do the on-demand WAN backup dialing to an ISP via analog modem?
    What IOS version and flavor (IP base, IP+, etc.) would I need? What is the cheapest router I can do all that with (i.e. 2620/2621/1720/3600 series)? What WIC's or NM's would I need?
    Question Two:
    I would like to prioritize PRIVATESSID's traffic over PUBLICSSID's traffic, which I know I can do on the access point. Can I do this on the router so that any 10.35.35.0 traffic takes priority over any 192.168.1.0 traffic?
    Question Three
    If the primary T1 WAN connection goes down, I don't want the router to re-route the 192.168.1.0 traffic over the backup 56k dial-up WAN connection. That traffic can wait until the T1 comes back up.
    Any help you can provide would be very much appreciated.

    Assuming your access points can place SSIDs into separate vlans and support 802.1q trunks then I can attempt to answer your questions. There are separate security issues with both SSID for protection and VLANs for separation but in your case it may be minimal.
    q1
    Any cisco router that will run 802.1q trunking will work. Since you are looking at older routers you will need IP+ to get it. Even 2610's will support 802.1q on their 10m ethernet at the correct code level but 10m and 802.1q is sorta nonstandard. Since your backup is only 56k you can use the internal modem port as a dial backup. A wic-2a/s will also work if you prefer not to use the modem port. You will need some wic to run your t1 line. If you are planning to leave the t1 on another router it makes the next 2 questions much harder.
    q2
    This is fairly simple and depends on your ios level. "priority queuing" is supported on even the older software. I assume you do not control the far end of the t1 line since it sounds as if this goes to an ISP.
    You will need to have them do the QoS since most issues with the internet are inbound and not outbound. You can only control outbound traffic.
    q3
    If the T1 is on the same router then this is fairly simple. You can just put a floating static default route in that will cause the dialer to come up if the t1 goes down. There is no easy way to protect against the line being up but no traffic passing. This is also why it would be best to have the t1 on the same router. If it's not you will need to get very creative to solve this. You could build a GRE tunnel to a remote location and monitor the tunnel or run a routing protocol over the tunnel. In the newest software you could use SAA and policy routing to force the traffic over the dialer but the router must support ios 12.4.
    3a. You mentioned a cable modem as a backup. That can be much easier sometimes since it is all routing and no dialer interfaces with nasty modem issues. This does not make the issue of the t1 not on the same router easier.

  • Making a vlan for all wireless devices on network

    Hello,
    We connected 4 wireless access points (AP541N-E-K9) to an SG300-10P switch.
    We want to be sure that no wireless clients can alter settings to the network by connecting to any of the networking devices. We also want that no wireless devices (except a few) can connect to computers that are on the wired network.
    I'm new to configuring networking devices so I would appreciate a step by step guidance to set up the switch for this.
    We already added all the MAC addresses of all the wireless devices (that are allowed to use the wireless network) to the access points.
    Thanks already for your reply.
    Wim

    Wim,
    Look in the administration guide and there are step by step instructions on how to create vlans - page 178
    http://www.cisco.com/en/US/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf
    After attempting to configure the switch and run into problems you can give us a call @ 1-866-606-1866 and open a support case
    Jasbrayn

  • RV082 - Vlans for guest access

    Hello,
    I have an RV082 router which supports port based VLANs.  I have a WAP that I want to use to provide guest internet access which cannot see our production vlan.  I plugged the WAP into port 8 and set the vlan for port 8 to vlan 2.  Here's the part where I'm confused.  I am unable to get an IP address when connecting to the WAP because our DHCP server is a windows box on vlan 1.  So, I tried using the DHCP relay option and entering the ip address of the windows box DHCP server.  I am still not able to retrieve an IP address when connecting to the WAP.  Someone mentioned setting up an ip helper address.  I connected to the CLI of the RV082 but could not figure out the syntax of how to set up the ip helper address.  Any help with any of this would be much appreciated.  I only have about a week to set this up so I have to figure something out.

    Mr. MacKay,
    Since the RV082 doesn't support vlan tagging, you could get a layer 3 switch and create the vlans there and set up a dhcp relay to a server for the vlan ip addresses.
    Then it would be just setting up static routes in the switch pointing to the router as the default gateway and finally doing routes back from the rv082 for the vlan you created.
    A quick solution would be get a wireless router and set it up by plugging the wan into your network and setting the lan on a totally different ip address scheme.  Then only allow access to the rv082 on that network and deny the rest of the network access to the guest and vice versa.
    Kind of a work around.
    The quickest fix would be getting a vlan aware router like rvs4000 or the wireless version wrvs4400n and if you need dual wan with vlans and wireless you could go with the sa520w.

  • VLAN for Idiots - srw2024

    Hi all,
    can anyone post an idiots guide to setting up a VLAN on a srw2024 switch please. I need to configure a VLAN as per the following:
    Switch 1 - ports 7&12 on the switch on their own VLAN (VLAN2)
    Switch 2 - Ports 3&15 on the switch on the same VLAN as above (VLAN2)
    enable all ports to communicate with each other.
    Basically I am setting up a 2nd network that will have a DHCP server and I don't want this to conflict my existing network and DHCP Server.
    I have had a look around these forums but in every post people have already seemed to have created their VLAN.
    Cheers for your help

    ok so here is the way I have currently got my VLAN's setup:
    Switch 2 - 24 port 10/100/1000 Gigabit Switch:
    VLAN ID - 2
    Port Setting tab   - Port G7 set to Trunk
                               Port G8 set to Access
    Ports to VLAN tab - Port G7 set to Trunk & UnTagged
                               Port G8 set to Access & Untagged
    VLAN to Ports tab - Port G7, Mode - Trunk, VLAN - 2U
                               Port G8, Mode - Access, VLAN - 2U
    Switch 3 48 port 10/100 + 4port Gigabit switch:
    VLAN ID - 2
    Port Setting tab   - Port E1 set to Trunk
                               Port E2 set to Access
    Ports to VLAN tab - Port E1 set to Trunk & UnTagged
                               Port E2 set to Access & Untagged
    VLAN to Ports tab - Port E1, Mode - Trunk, VLAN - 2U
                               Port E2, Mode - Access, VLAN - 2U
    I did originally try to setup the trunked ports to be tagged but when I clicked on the save button I got the following error message:
      Line No.   Error Type               Value Diagnostic                  
          1              null                                 Unknown value                   
                                                  Might be missing parameters (join5)  in page.   
    And this is why i tried to set the trunked ports to untagged
    thanks

  • VLANs for multiple customers on the same switch accessing ISP

    I have multiple customers accessing the Internet from the same ISP through the same SRW 2016.  The switch is set completely at default, with all ports on VLAN 1.  I want to separate all the (3) customers' traffic into 3 VLANs for security, but I want them to still access the ISP through port 1.  Can I do that with this switch?  How would I set port 1 so that all VLANs can send and receive packets through port 1 but still be isolated from each other on the LAN?

    Hi,
    I had a similar situation. In the past I didn't have a VLAN-capable modem/router and just connected the modem as a normal device to the layer2 switch (Cisco 3548XL at that time). In my setup, I gave all separated LANs their own multi-VLAN port(s) in their own unique VLAN and the modem a single-VLAN port in its own VLAN. Next I made all the ports that needed internet access members of the modem's VLAN. An nmap scan and testing showed me that the separated LANs couldn't connect to each other.
    So, I don't know if I did something stupid (in a security way), but it worked like a charm.
    Sorry for my English ;-)

  • SGE2010, cant set ip on vlan/port

    Hi
    I have an SGE2010 L3 switch.
    I'm trying to set IP on vlans and ports. But with no luck.
    Switch is crashing every time I'm trying. Been using webgui, telnet, and CLI over telnet.
    Last time I cleaned all config. And logged in webgui, went to "IP Addressing -> IPv4 interface" and pushed "add".
    Entered an IP, netmask for port48. (I'm connected on port 1).
    And everything freezes.
    If I try telnet, I get disconnected. And same if I try CLI over telnet.
    I haven't tried console, because I have wrong console cable to my PC.
    So can anyone please help me?

    Hi Torbjoern, the answer above is correct. This is a classic "problem" and has been persistent for years (it's not a bug). If you need assistance to set vlan IP addresses you can call the small business support. If you're out of warranty for phone support, we can set up a teamviewer and I will help you.
    -Tom
    Please mark answered for helpful posts

  • VLANS on PIX do you need physical

    Is there a way around this? I have to basically assign an IP/subnet just for failover for each interface I want to use as vlans.
    I have 2 pix fw in lan based failover mode.
    5 physical interfaces.
    state (failover)
    inside
    outside
    dmz
    dmz2
    I have 4 vlans, 2 each configured on the dmz ints.
    Do you need to use the physical command on the interface given this topology? If not, why do I keep receiving messages that my ip address is not configured or failover ip is not configured? This occurs when I do not assign an IP to the physical port but I do assign it to the logical and failover is enabled. Also I do not believe these interfaces will be in failover mode unless I use the physical command when using vlans. It seems like I have to use the physical and assign an IP for each physical int.

    There is no interface ... shutdown command in software versions prior to 5.x, so the PIX treats all interfaces as up and active. You must do one of the following for failover to work properly.
    * Upgrade to a 5.x or later release where shutting an interface is an option.
    * Assign an unused IP address/network to each unused interface (and its failover counterpart) and connect it to a hub or switch (each interface pair on its own VLAN).
    Note: Remember that 127.0.0.1 and 0.0.0.0 are not valid IP addresses. Acceptable addresses can be RFC 1918 network addresses, such as 10.x.x.x, 172.16.x.x, and 192.168.x.x.
    check out the following link for more information on configuring vlans on PIX :
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#wp1113411

  • VLAN for Management Traffic

    Hello Everyone,
    I'm still learning cisco and networks in general but I need to separate management traffic from the regular network.  The switch is a cisco catalyst 5406-E.  My question is do I need to create a new subnet for the VLAN and how would I do that? The commands I have to create a VLAN and add the switch ports are
    Switch(config)# vlan 15
    switch(config-vlan)# name Management
    switch(config)# interface GigabitEthernet2/6
    switch(config-if)# switchport access vlan 15
    Now this creates vlan 15 and adds the GE 2/6 interface to vlan 15.  How do I add it to a new subnet?  Am I going in the right direction?

    In general, if you want to use separated VLAN for management, you can create VLAN + SVI (routed interface of the VLAN) with IP address + some access list on SVI and VTY (“SSH/telnet lines”) for better security.
    Example:
    ! ==== C4500 – L3 SWITCH CONFIG ====
    ! create VLAN 15
    vlan 15
    name MGMT
    ! create access list with ip addresses, from which management of all switches with SVI 15 will be accessible
    ! Note: this access list (ACL) does not control access to management of L3 switch/router where the ACL is applied on SVI, only to all other switches in VLAN 15 that have default gateway set to ip address 10.0.15.1 (see next step)
    ip access-list extended MGMT_SWITCH
    remark ====ICMP====
    permit icmp any 10.0.15.0 0.0.0.255
    remark ====ADMIN====
    permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
    remark ====MONIORING-SERVERS====
    permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
    remark ====NTB-SERVICE====
    permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
    ! create SVI/interface of the VLAN 15, add IP address and assign access list
    ! Note: DO NOT assign empty access list to interface, it can make your router inaccessible!
    interface Vlan15
    description MGMT
    ip address 10.0.15.1 255.255.255.0
    ip access-group MGMT_SWITCH out
    ! create ACL for VTY line of L3 switch/router; this ACL controls access only to management of L3 switch, access to all other switches with SVI 15 is controlled by previous ACL
    ip access-list standard VTY
    remark ====ADMIN====
    permit 10.0.1.0 0.0.0.255
    remark ====MONIORING-SERVERS====
    permit 10.0.100.0 0.0.0.255
    remark ====NTB-SERVICE====
    permit 10.0.200.0 0.0.0.255
    ! assign ACL to vty lines
    line vty 0 4
    access-class VTY in
    ! ==== OTHER L2-ONLY SWITCHES CONFIG ====
    ! create VLAN 15
    vlan 15
    name MGMT
    ! create SVI 15
    interface Vlan15
    description MGMT
    ip address 10.0.15.50 255.255.255.0
    ! set default gateway/default route to SVI of c4500
    ip default-gateway 10.0.15.1
    ! some higher-level switches require use of following CLI parameters instead:
    ip routing
    ip route 0.0.0.0 0.0.0.0 10.0.15.1
    This is just one of many ways to do the management separation.
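To see what the two access lists in the answer above actually let through, the following added example (not part of the original answer and not Cisco code) evaluates them with wildcard-mask matching, first match wins, and the implicit deny at the end. The source addresses in the demo, including the 10.0.50.0/24 user subnet, are constructed for illustration.

```python
import ipaddress

# ACL bodies copied from the answer above (remark lines kept as posted).
MGMT_SWITCH = """\
remark ====ICMP====
permit icmp any 10.0.15.0 0.0.0.255
remark ====ADMIN====
permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
remark ====MONIORING-SERVERS====
permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
remark ====NTB-SERVICE====
permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
"""
VTY = """\
remark ====ADMIN====
permit 10.0.1.0 0.0.0.255
remark ====MONIORING-SERVERS====
permit 10.0.100.0 0.0.0.255
remark ====NTB-SERVICE====
permit 10.0.200.0 0.0.0.255
"""
ANY = (0, 0xFFFFFFFF)  # wildcard of all ones: every bit is "don't care"


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _addr(tokens):
    """Consume one address spec ("any", "host A" or "A WILDCARD") from tokens."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return _to_int(tokens.pop(0)), 0
    wildcard = tokens.pop(0) if tokens else "0.0.0.0"
    return _to_int(first), _to_int(wildcard)


def parse_acl(text, standard=False):
    """Parse ACL entries; a standard ACL matches on source address only."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action = tokens.pop(0)
        proto = "ip" if standard else tokens.pop(0)
        src = _addr(tokens)
        dst = ANY if standard else _addr(tokens)
        rules.append((action, proto, src, dst))
    return rules


def _hit(addr, spec):
    """Wildcard match: bits set in the wildcard are ignored, the rest must be equal."""
    base, wildcard = spec
    return ((_to_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules, proto, src, dst="0.0.0.0"):
    """First matching entry decides; no match means the implicit deny."""
    for action, rule_proto, rule_src, rule_dst in rules:
        if rule_proto in ("ip", proto) and _hit(src, rule_src) and _hit(dst, rule_dst):
            return action
    return "deny"


if __name__ == "__main__":
    svi_acl = parse_acl(MGMT_SWITCH)
    vty_acl = parse_acl(VTY, standard=True)
    switch = "10.0.15.50"  # the L2 switch's management address from the answer
    for proto, src in [("tcp", "10.0.1.25"), ("tcp", "10.0.50.7"), ("icmp", "10.0.50.7")]:
        print(f"SVI out  {proto:4} {src:>11} -> {switch}: {evaluate(svi_acl, proto, src, switch)}")
    for src in ["10.0.100.5", "10.0.50.7"]:
        print(f"VTY in   tcp  {src:>11}: {evaluate(vty_acl, 'tcp', src)}")
```

The output shows that a host outside the three permitted subnets can still ping the management addresses, because of the `permit icmp any` entry, but cannot open a TCP session to them or to the L3 switch's VTY lines.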
