Setting up a VLAN

Similar Messages

• How to set up a VLAN for a School Network for student ipads/ipods?

  I work at a small private school that is going to implement about 20 ipads for classes. Students bring their ipods and iphones and are connecting to the existing unsecured wireless access points and are taking up the remaining IP addresses in the DHCP scope. I am running out of IP addresses and was wondering if I could set up a VLAN using the Cisco WRVS4400N for all of these wireless devices the students will be using. I plan to pull out all unsecured wireless AP's and replace with what ever solution we come up with. I will need about 6 access points/routers to cover the entire school. There is not a lot of money for technology and the ipods were donated. I have never set up a VLAN before. Is there an inexpensive way to allow the students with their personal ipads/ipods and the 20 ipads owned by the school to connect to a VLAN to keep from using up our DHCP IP addresses from the server. Thanks in advance. 

  Hi pctiger92!
  The WRVS4400N is now being handled by the Cisco Small Business Support Community.
  For discussions about this product, please go here.

• RV110W - trying to set up 2 VLANS - are there docs / help for this?

  I am trying to set up an RV110W router with 2 VLANs - 1 for guests to the office to just have internet access via wireless and another for employees to be able to access the LAN and internet wirelessly. I have not done anything with VLANs before, so please bear with me.
  I thought this would be simple, but banging my head against the wall with all the terms in the docs:
  http://www.cisco.com/en/US/docs/routers/csbr/rv110w/administration/guide/rv110w_admin.pdf
  port 1 is connected to a wired LAN / unmanaged switch with office PCs. So these machines / nothing on this subnet tag the packets before they get to the router.  This subnet is using 10.10.1.0/24
  Port 2 is connected to an Engenius EAP 300, a wireless access point that can broadcast SSIDs and tie each SSID to a different VLAN.
  SSID1 is called Private and is set to be VLAN 1. There's encryption on this SSID - only office staff would be able to log on.
  SSID2 is called public and is set to be VLAN 10.  There's no encryption on this SSID.
  I know - the router also does this, but where the router is vs. where the wireless is needed, we need to have the Engenius at that remote location.
  I have the RV110W set to give out 10.10.1.0/24 IPs when you connect to the SSID1 / VLAN1
  And it gives out 10.10.10.0/24 IPs when you connect to the public SSID / VLAN10.
  Both get on the internet fine.  The only issue is how to set the VLAN membership for each port / and any other settings so that the wireless devices on VLAN 1 can get to the LAN devices on Port 1.  (and the public / vlan 10 devices on the wireless network to NOT get to the devices on port 1, but i think that's working.
  I played with tagged / untagged / excluded, for the port membership, but either the wireless VLAN 1 devices get blocked from even the web (when port 2 is set to untagged, since they ARE tagged VLAN1) or they can't get to port 1 when set to tagged, since the port 1 devices are all untagged and the reply packets get blocked?
  the doc for this unit talks about inter-vlan routing but doesn't explain what that is.  THe wireless isolation should be turned on for vlan 10, right? We don't want guests to be able to access other guest's machines?
  I saw on page 71 on how to set up the guest network, but that's using the wireless built into the box, not a wireless access point.
  Overall, what I want is:
  VLAN 1: port 2 (with tagged VLAN1 packets) and port 1 (with untagged packets) can pass data between each other and access the internet
  VLAN10: port 2 with tagged VLAN10 packets can only get to the internet.
  Is that doable?
  How?

  thanks.  Still not working
  For the vlan membership page
  when set like this:
             port1         port 2
  vlan1     untagged    untagged
  vlan10  excluded     tagged
  connecting to the vlan1 wireless SSID on port 2, I can't even get an IP address from the router (the dhcp request can't even come through port 2 because it's saying vlan1 packets have to be untagged?
  connecting to the vlan 10 wireless SSID on port 2 gets a DHCP address and can only get to the web, so that's good.
  If I change the membership to:
                    port1 port 2
  vlan1 untagged  tagged
  vlan10 excluded tagged
  connecting to both SSIDs on port 2 will get you a dhcp address, and vlan1 devices can get into port 1, but trying to admin the wireless access device on port 2 or even pinging it, now fails -  'cause the router gatekeeper says if you want to come through port 2, your packets have to be tagged? and the packets from port 1 to port 2 are untagged?
  If I change the membership to:
              port1 port 2
  vlan1   tagged tagged
  vlan10 excluded tagged
  connecting to both SSIDs on port 2 will get you a dhcp address, but replies from the wired PC on port 1 / vlan1  vlan1 can't get back out of port 1 'cause the router gatekeeper says if you want to leave  through port 1, your packets have to be tagged? and the ping reply is coming form a device with untagged packets?  although the devices on vlan1 / port 1 CAN get on the web with their untagged packets.
  the wireless device says it supports 802.1q
  http://www.engeniustech.com/resources/EAP300_DataSheet_v2.1.pdf
  when they say port 2 / vlan 1 tagged, is it saying packets coming in FROM devices on that port have to be tagged? Or packets going TO devices on that port have to be tagged?  or both directions?
  Any advice?

• Setting Locally Switched VLAN Id for HREAP'd ap's?

  I am using HREAP on a number of AP's to fulfill a need of my end-users to have wireless devices connect to a locally hosted resource on a sites network.  Getting the AP's to operate correctly has not been an issue (for the most part), and getting the "Locally Switched VLAN's" functional was not a problem.  However, when I routinely go back through my AP's to check on them or to look t-shoot an unrelated issue I have noticed that some of the AP's have retained the Locally Switched VLAN mapping (i.e.: WLAN Id=5, Profile Name = test ssid, VLAN Id = 123) and some of them resolve the VLAN Id to 1 (for example).
  Is the anyone that may have experienced this and can offer or point me towards a resolution?
  I am also curious if I can configure the Locally switched vlans directly to my WiSM's instead of to each individual HREAP'd AP?
  BTW: I have a wireless environment of 1242, 1252, and 1142 ap's with WiSM's on a 65xx w/ sup720.
  Thanks for the help.

  I saw similar behavior at a client site running 6.0.181.0 & 6.0.196.0 code, what I found the issue to be was that when you set the native vlan and hit apply the AP took a minute to initate a reboot (or so it appeared) and when I set the VLAN Mappings they weren't actually being applied.
  I found if I set the AP to H-REAP and applied that then waited about 3-4 minutes, then enabled VLAN Support and set Native VLAN, apply that, wait 3-4 minutes, then set my VLAN Mappings that the issue went away.
  Not sure if that's the same issue your running into but it's worth a shot.. I tried tons of things before discovering that pattern.. Incidentally it didn't seem to behave that way in 4.0 code nor does it seem to behave that way in 7.0 code.
  Hope this helps...
  Please rate useful posts.
  Thanks,
  Kayle

• SGE2010, cant set ip on vlan/port

  Hi
  I have an SGE2010 L3 switch.
  I'm trying to set IP on vlans and ports. But with no luck.
  Switch is crashing every time I'm trying. Been using webgui, telnet, and CLI over telnet.
  Last time I cleaned all config. And logged in webgui, went to "IP Adressing -> IPv4 interface and pushed "add".
  Entered an IP, netmask for port48. (I'm connected on port 1).
  And everyting freezes.
  If I try telnet, I get disconnected. And same if I try CLI over telnet.
  I haven't tried console, because I have wrong console cable to my PC.
  So can anyone please help me?

  Hi Torbjoern, the answer above is correct. This is a classic "problem" and has been persistent for years (it's not a bug). If you need assistance to set vlan IP addresses you can call the small business support. If you're out of warranty for phone support, we can set up a teamviewer and I will help you.
  -Tom
  Please mark answered for helpful posts

• Problems setting up Guest VLAN on Cisco SG 300-28

  Hi,
  I am primarely enquiring whether the setup I have explained below is actually possible, and if so then how I can set this up. I know it isn't the easiest configuration and I need to set this up without purchasing any more equipment if at all possible.
  I have a Cisco SG 300-28 setup with three VLAN's
  VLAN1 (Business) - 192.168.10.0 - Switch IP 192.168.10.254
  VLAN2 (VOIP) - 192.168.20.0 - Switch IP - 192.168.20.1
  VLAN3 (Guest) - 192.168.30.0 - Switch IP - 192.168.30.1
  Default Gateway is 192.168.10.1 (Netgear Router)
  I have a Wireless network setup (Netgear WMS and 2 WAP's) configured with the TWO VLAN's (1 and 3). These go into ports on the Cisco SG 300-28 which are tagged on both VLAN's. The Business wireless worked fine but the guest network didn't reout out to the internet.
  After some troubleshooting I realised the reason the guest wasn't working was because there was no route back from the internet to the router.
  The router I have isn't really ideal, it is a Netgear DGN2200, but I managed to create a static route to 192.168.30.1 with a metric of 2, with 192,168,10.254 being the hop.
  Success, the connection worked, the only problem is that now my guest network can see my business network because the business network is using the static route on my router to route back over to the guest network (due to the limitations of this device I can't do anything about that)
  So basically, what I have is
  Guest network can connect to Business VLAN via switch. I am assuming this is because the router is on the Business VLAN and the default gateway is the router. As they are on the same network the Guest network can inevetably see the business server and network.
  The Business network can get back to the Guest network via the router using my static route I created. The static route is really basic and I can't create a firewall rule on the router to prevent the Business network speaking to guest network because it only has a LAN - WAN firewall and this connection is LAN - LAN.
  What I need is...
  to somehow stop any traffic from the 192.168.30.0 network routing to anything on the 192.168.10.0 network, appart from the router on 192.168.10.1.
  Is this possible? I have this setup on a number of different site, the only difference is I have a CIsco Security Router on these with the VLAN's configured so I don't have this problem. Because I have a rather limited Netgear DGN2200 I am unable to setup the VLAN's correctly and as such I need to see if I can do this on the switch in any way.
  Any assistance would be much appreciated.
  This is my first post by the way so if I missed anything out that would help anybody then please let me know.
  Kind Regards
  David

  Hi David,
  Why not apply a access list to filter incoming traffic into the SG300 switch such as, via command line or GUI.
  Here is an example below, by no means complete, just an example
  Just remember,  we are using reverse masking in the ACE;
  config
  ip access-list extended restrictGuest
  deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
  deny tcp 192.168.30.0 0.0.0.255 any 192.168.30.1 0.0.0.0 www
  deny tcp 192.168.30.0 0.0.0.255 any 192.168.30.1 0.0.0.0 telnet
  deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
  permit ip any any
  exit
  interface gigabitethernet1
  service-acl input restrictGuest
  exit
  Don't forget to save the configuration with the following command and respond to the prompt.
  write
  or do it via the GUI method
  Step 1.  Create a ACL name
  step 2, Add the port based ACE which is the filter list,.
  step 3.   Apply or bind the list to a port so that the port can look at and filter pattern matches for traffic ingressing into the switch.  I have given you an example of a ACE list above, you can be more creative in what you deny.
  step 4. Now add or copy the entry to other switch ports.
  Remember to save your configuration change.
  Hope this helps.
  regards Dave

• Setting up a vlan on WLC 2504

  I am setting up a 2504. I would like to set up 1 WLAN to connect directly to an ISP switch to use as a PUBLIC network. I configured port 2 on the 2504, set up interface with an address, then created a WLAN and SSID. (Port 1 is set up as internal and connects to the Catalyst 3850) It seems to work. When I change it to different VLAN ID, it does not work. Although port 2 is directly connected to the ISP device, do I have to make any changes on the catalyst for this to work or am I overlooking something. Thanks.

  Hi,
  Go on below link, it possibly will be helpful for you.
  https://supportforums.cisco.com/discussion/11585281/2504-wlc-and-2-vlans

• How do I set up multiple VLANs on a single switch?

  I have two 3750G-24PS switches and three Huawei S2300 switches. I have configured VLANs (15 nos.) in 3750. Is it possible for me to use those three switches for all VLANs or do I have to use separate switches for each VLAN?

  Got this answer.
  You can have as many as 1024 VLANs on a single switch and you need not create the same on Huawei S2300  switches. Create a VTP domain and specify one switch as server and others as transparent. All the VLANs created on server switch will get replicated to other switches.

• NEED HELP PLEASE Setting up 2 VLANS and a redundant WAN connection

  I have a remote branch office which is actually a huge bar/lounge. The bar wants to enable patrons to access the Internet with their wireless laptops. I want to prevent those patrons from accessing our private network, and also prevent them from traversing our static VPN tunnel back to HQ.
  The bar processes all credit cards via the T1 connection, and this has caused us to lose money every time the T1 goes down while we're open, since there is no WAN redundancy right now.
  Here is my current hardware configuration:
  1) one PIX 501 50-user 3des.
  2.) two Dell 3024
  3.) one Aironet 1100(g) AP.
  Current LAN Network: 10.35.35.0
  (internal employees only, static VPN tunneled to remote HQ network)
  Current Wireless SSID's:
  SSID1=PRIVATESSID
  SSID2=PUBLICSSID (not currently in use, waiting to figure this out)
  Current WAN: one T1 connection.
  WHAT I WOULD LIKE TO DO AND NEED HELP FIGURING OUT:
  #1a) I want to create two separate VLAN's that are able to share the WAN connection, but not be able to "see" each other.
  #1b) These VLAN's would be mapped to their respective SSID's on the AP (PRIVATESSID>10.35.35.0 and PUBLICSSID>192.168.1.0).
  #1c) The 192.168.1.0 network should not be able to traverse the static tunnel between the branch site and HQ.
  #2) I would like to install a backup WAN connection such as a modem 56k dial-up to an ISP or a cable modem to an ISP. In case the primary T1 goes down, I would like the router to automatically dial out over the modem conection and route all Internet bound traffic over that backup WAN connection, until the primary comes back online.
  Question 1:
  I'm assuming I need a router to do the intervlan routing. Could this router also do the on-demand WAN backup dialing to an ISP via analog modem?
  What IOS version and flavor (IP base, IP+, etc.) would I need? What is the cheapest router I can do all that with (i.e. 2620/2621/1720/3600 series)? What WIC's or NM's would I need?
  Question Two:
  I would like to prioritize PRIVATESSID's traffic over PUBLICSSID's traffic, which I know I can do on the access point. Can I do this on the router so that any 10.35.35.0 traffic takes priority over any 192.168.1.0 traffic?
  Question Three
  If the primary T1 WAN connection goes down, I don't want the router to re-route the 192.168.1.0 traffic over the backup 56k dial-up WAN connection. That traffic can wait until the T1 comes back up.
  Any help you can provide would be very much appreciated.

  Assuming your access points can place SSID into separate vlans and support 802.1q trunks then I can attempt to answer your questions. There are seperate secuity issues with both SSID for protection and VLANs for seperation but in your case in may be minimal.
  q1
  Any cisco router that will run 802.1q trunking will work. Since you are looking at older routers you will need IP+ to get it. Even 2610's will support 802.1q on their 10m ethernet at the correct code level but 10m and 802.1q is sorta nonstandard. Since your backup is only 56k you can use the internal modem port as a dial backup. A wic-2a/s will also work if you prefer not to use the modem port. You will need some wic to run your t1 line. If you are planning to leave the t1 on another router it makes the next 2 questions much harder.
  q2
  This is fairly simple and depends on your ios level. "priority queing" is supported on even the older software. I assume you do not control the far end of the t1 line since it sounds as if this goes to a ISP.
  You will need to have them do the QoS since most issues with the internet are inbound and not outbound. You can only control outbound traffic.
  q3
  If the T1 is on the same router then this is fairly simple. You can just put a floating static default route in that will cause the dialer to come up if the the t1 goes down. There is no easy way to protect against the line being up but no traffic passing. This is also why it would be best to have the t1 on the same router. If its not you will need to get very creative to solve this. You could build a GRE tunnel to a remote location and montior the tunnel or run a routing protcol over the tunnel. In the newest software you could use SAA and policy routing to force the traffic over the dialer but the router must support ios 12.4.
  3a. You mentioned a cable modem as a backup. That can be much easier sometimes since it is all routing and no dialer interfaces with nasty modem issues. This does not make the issue of the t1 not on the same router easier.

• Setting up 2 vlans for 2 pixs.

  I have a situation that I was trying to seek some assistance on. At this site, there are 2 Internet connections, 1 T1 and 1 Cable. Right now everything is going out the T1. They would like to add the cable ISP and a PIX 501 for guests and have all the Access Points using the Cable ISP and keep everything internal using the T1 like they are now. The current setup goes like this. T1 -> PIX 515 -> Cisco 4000 series router -> 2950. Would like the add the Cable -> PIX 501 -> 2950 -> AP. I know that I need to configure a VLAN for the wireless on the 2950s, but how would I configure a default route since the default route is being used already for the the other VLAN? I think that I am making this much more difficult than it really is.

  I hope I understand your question taht you want to install two ISP uplink into your pix.
  There is no chance to connect your pix to two ISPs, at same time only one ISP can be used as active. In 7.2 version there is the option for tracking and in this case the second ISP connection can become active.
  You can add maximum three default route, but using the same outside interface, but this is not acceptable for this scenario.
  If you install second PIX, just use in the guest VLAN as default GW the new PIX inside interface and that's all. On 2950 you just use L2 VLAN.
  bye
  FCS
  Please rate me if I helped.

• How set native vlan on a VM in vSphere when using the 1000V?

  Using the vSphere Distr Switch, we set native VLAN per VM by setting the VLAN d to 0.
  How do we set the native VLAN for a VM if the VM is connected to a 1000V? I heard we no longer can use VLAN ID 0?                  

  Same way you would on any Cisco switch.
  Add this command to your Uplink port profile:
  switchport trunk native vlan X
  Keep in mind there is no VLAN 0.  VLAN "0" is just how vmware designates the untagged VLAN.  Valid ranges are 1-4095 according to the standard.
  Regards,
  Robert

• Setting Inter VLAN in the Router.

  Hi,
  I trying to set up inter VLAN on the Cisco 2651XM router. I try to type the IP address on the sub interface but it gives me an error. I need to set up first
  the encapsulation dot1 q. I type encapsulation command but it doesn't recognized.
  This is the version of my router
  Cisco Internetwork Operating System Software
  IOS (tm) C2600 Software (C2600-I-M), Version 12.2(8)T5,  RELEASE SOFTWARE (fc1)
  TAC Support: http://www.cisco.com/tac
  Copyright (c) 1986-2002 by cisco Systems, Inc.
  Compiled Fri 21-Jun-02 08:50 by ccai
  Image text-base: 0x80008074, data-base: 0x80A2BD40
  ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
  Router uptime is 32 minutes
  System returned to ROM by power-on
  System image file is "flash:c2600-i-mz.122-8.T5.bin"
  cisco 2651XM (MPC860P) processor (revision 0x100) with 125952K/5120K bytes of memory.
  Processor board ID JAD07130B30 (708131756)
  M860 processor: part number 5, mask 2
  Bridging software.
  X.25 software, Version 3.0.0.
  2 FastEthernet/IEEE 802.3 interface(s)
  2 Serial network interface(s)
  32K bytes of non-volatile configuration memory.
  32768K bytes of processor board System flash (Read/Write)
  Configuration register is 0x2142
  Do I need to update my cisco IOS if I do what os version I need and how can i download the cisco IOS.

  Thanks for the help. I don't need to change the version. I figure it out already..

• VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)

  Hi,  I've been pulling my hair out trying to get simple vlan trunking working between these devices.
  Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200.  I have the SG200<>ASA VLAN trunk configured correctly, as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the ap port to general tag/untag, etc).   Both AP's work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch
  VLAN 1 - inside (has separate dhcp scope assigned by ASA)
  VLAN 99 - guest (has separate dhcp scope assigned by ASA)
  SG200
  purpose
  ASA 5505 (Sec Plus license)
  purpose
  g2
  Trunk 1UP,99T
  Ubiquiti AP (VLAN 1 works, VLAN 99 does not
  g3
  Access port 99T
  vlan 99 does not work
  g8
  Trunk 1UP, 99T
  < Trunk between switch and ASA >
  Int e0/2
  switchport trunk allowed vlan 1,99
   switchport trunk native vlan 1
   switchport mode trunk
  Int e0/3
  switchport trunk allowed vlan 1,99
   switchport trunk native vlan 1
   switchport mode trunk
  Second ubiquiti AP
  Both VLAN 1 and VLAN 99 clients work properly

  Frustrated - yes.  Confused - maybe not as much, but I could have put some more effort into the overall picture.
  There are two VLANs (1 - native) and (99 - guest).   There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.    
  No clients connected to the SG200 on VLAN 99  are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP.   The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
  Anything connected to the SG200 on the native VLAN works properly.
  Anything connected to the ASA VLANs (1 or 99) works properly
  I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
  I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
  SG200 g2 - trunk port (1UP, 99T) -- Access Point
  SG200 g2 - access port (99U)
  SG200 g8 - trunk port (1UP, 99T)  connected to ASA5505  e0/3  
  ASA5505 e0/3  (switchport trunk allowed vlan 1,99,  switchport trunk native vlan 1,  switchport mode trunk)
  Thanks,

• Various questions on uplink profiles, CoS, native VLAN, downlink trunking

  I will be using vPC End Host Mode with MAC-pinning. I see I can further configure MAC-Pinning. Is this required or will it automatically forward packets by just turning it on? Is it also best not to enable failover for the vnics in this configuration? See this text from the Cisco 1000V deployment Guide:
  Fabric Fail-Over Mode
  Within the Cisco UCS M71KR-E, M71KR-Q and M81KR adapter types, the Cisco Unified Computing System can
  enable a fabric failover capability in which loss of connectivity on a path in use will cause remapping of traffic
  through a redundant path within the Cisco Unified Computing System. It is recommended to allow the Cisco Nexus
  1000V redundancy mechanism to provide the redundancy and not to enable fabric fail-over when creating the
  network interfaces within the UCS Service Profiles. Figure 3 shows the dialog box. Make sure the Enable Failover
  checkbox is not checked."
  What is the 1000V redundancy?? I didn't know it has redundancy. Is it the MAC-Pinning set up in the 1000V? Is it Network State Tracking?
  The 1000V has redundancy and we can even pin VLANs to whatever vNIC we want. See Cisco's Best Practices for Nexus 1000V and UCS.
  Nexus1000V management VLAN. Can I use the same VLAN for this and for ESX-management and for Switch management? E.g VLan 3 for everything.
  According to the below text (1000V Deployment Guide), I can have them all in the same vlan:
  There are no best practices that specify whether the VSM
  and the VMware ESX management interface should be on the same VLAN. If the management VLAN for
  network devices is a different VLAN than that used for server management, the VSM management
  interface should be on the management VLAN used for the network devices. Otherwise, the VSM and the
  VMware ESX management interfaces should share the same VLAN.
  I will also be using CoS and Qos to prioritize the traffic. The CoS can either be set in the 1000V (Host control Full) or per virtual adapter (Host control none) in UCS. Since I don't know how to configure CoS on the 1000V, I wonder if I can just set it in UCS (per adapter) as before when using the 1000V, ie. we have 2 choices.
  Yes, you can still manage CoS using QoS on the vnics when using 1000V:
  The recommended action in the Cisco Nexus 1000V Series is to assign a class of service (CoS) of 6 to the VMware service console and VMkernel flows and to honor these QoS markings on the data center switch to which the Cisco UCS 6100 Series Fabric Interconnect connects. Marking of QoS values can be performed on the Cisco Nexus 1000V Series Switch in all cases, or it can be performed on a per-VIF basis on the Cisco UCS M81KR or P81E within the Cisco Unified Computing System with or without the Cisco Nexus 1000V Series Switch.
  Something else: Native VLANs
  Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1?   I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is setup. Why? I have been advised to leave out the native VLAN.
  Example:Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (Eg. VLAN 2)? Can I just configure a access port with the same VLAN ID as the native VLAN, i.e 2 and connect to it with a PC using the same IP network address?
  And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
  What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
  No, port channel should not be configured when MAC-pinning is configured.
  [Robert] The VSM doesn't participate in STP so it will never send BPDU's.  However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter.  PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDU's from VMs.  I prefer to ignore them then using BPDU Gaurd - which will shutdown the interface if BPDU's are received.
  -Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
  Edit: 26 July 14:23. Found answers to many of my many questions...

  Answers inline.
  Atle Dale wrote:
  Something else: Native VLANsIs it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1?   I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is setup. Why? I have been advised to leave out the native VLAN.[Robert] The native VLAN is assigned per hop.  This means between the 1000v Uplinks port profile and your UCS vNIC definition, the native VLAN should be the same.  If you're not using a native VLAN, the "default" VLAN will be used for control traffic communication.  The native VLAN and default VLAN are not necessarily the same.  Native refers to VLAN traffic without an 802.1q header and can be assigned or not.  A default VLAN is mandatory.  This happens to start as VLAN 1 in UCS but can be changed. The default VLAN will be used for control traffic communication.  If you look at any switch (including the 1000v or Fabric Interconnects) and do a "show int trunk" from the NXOS CLI, you'll see there's always one VLAN allowed on every interface (by default VLAN 1) - This is your default VLAN.Example:Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (Eg. VLAN 2)? Can I just configure a access port with the same VLAN ID as the native VLAN, i.e 2 and connect to it with a PC using the same IP network address?[Robert] There's no VLAN 0.  An access port doesn't use a native VLAN - as its assigned to only to a single VLAN.  A trunk on the other hand carries multiple VLANs and can have a native vlan assigned.  Remember your native vlan usage must be matched between each hop.  Most network admins setup the native vlan to be the same throughout their network for simplicity.  In your example, you wouldn't set your VM's port profile to be in VLAN 0 (doens't exist), but rather VLAN 2 as an access port.  If VLAN 2 also happens to be your Native VLAN northbound of UCS, then you would configured VLAN 2 as the Native VLAN on your UCS ethernet uplinks.  On switch northbound of the UCS Interconnects you'll want to ensure on the receiving trunk interface VLAN 2 is set as the native vlan also.  Summary:1000v - VM vEthernet port profile set as access port VLAN 21000v - Ethernet Uplink Port profile set as trunk with Native VLAN 2UCS - vNIC in Service Profile allowing all required VLANs, and VLAN 2 set as NativeUCS - Uplink Interface(s) or Port Channel set as trunk with VLAN 2 as Native VLANUpstream Switch from UCS - Set as trunk interface with Native VLAN 2From this example, your VM will be reachable on VLAN 2 from any device - assuming you have L3/routing configured correctly also.And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...[Robert] This statement recommends "not" to use a native VLAN.  This is a practice by some people.  Rather than using a native VLAN throughout their network, they tag everything.  This doesn't change the operation or reachability of any VLAN or device - it's simply a design descision.  The reason some people opt not to use a native VLAN is that almost all switches use VLAN 1 as the native by default.  So if you're using the native VLAN 1 for management access to all your devices, and someone connects in (without your knowing) another switch and simply plug into it - they'd land on the same VLAN as your management devices and potentially do harm.What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup descrived here with 1000V and MAC-pinning.[Robert] On the first generation hardware (6100 FI and 2104 IOM) port channeling is not possible.  With the latest HW (6200 and 2200) you can create port channels with all the IOM - FI server links.  This is not configurable.  You either tell the system to use Port Channel or Individual Links.  The major bonus of using a Port Channel is losing a link doesn't impact any pinned interfaces - as it would with individual server interfaces.  To fix a failed link when configured as "Individual" you must re-ack the Chassis to re-pinn the virtual interfaces to the remaining server uplinks.  In regards to 1000v uplinks - the only supported port channeling method is "Mac Pinning".  This is because you can't port channel physical interfaces going to separate Fabrics (one to A and one to B).  Mac Pinning gets around this by using pinning so all uplinks can be utilized at the same time.--[Robert] The VSM doesn't participate in STP so it will never send BPDU's.  However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter.  PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDU's from VMs.  I prefer to ignore them then using BPDU Gaurd - which will shutdown the interface if BPDU's are received.-Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?[Robert] The two STP commands would be used only when the VEM (ESX host) is directly connected to an upstream switch.  For UCS these two commands to NOT apply.

• Two VLANs on one switch port?

  Currently we have the following
  Cat 4003 with VLAN trunking turned on to multiple switches. Each port in those exterior switches is assigned to a vlan(we have about 60 different vlans).
  What I would like to do is on those exterior switches have two vlans assigned to it.
  We'd like to create a single IP Phone VLAN(let's call it 999) that can span our entire enterprise and would have dhcp deployed on it.
  Each port is connected to an IP phone which has a 2 port switch in them. One port to the wall, one to the pc.
  The switch ports on those phones support vlan tagging
  How would setup an exterior switch to access 2 vlans that connect to 2 port switch on an IP phone?

  To facilitate ease of deployment, use VTP so that you can centrally create the vlans and propagate to each exterior switch. Now I believe you already do have a layer 3 engine or router that does routing between all these vlans. What switches are used on teh exterior ? This is to find out if voice vlan support is available.
  In cat switches, voice vlan is created using command,
  set port auxiliaryvlan vlan
  In IOS based switches,
  int fa0/1
  switchport mode trunk
  switchport trunk encap dot1q
  switchport trunk native vlan
  switchport voice vlan
  switchport priority cos extend 0
  or
  int fa0/1
  switchport mode access
  switchport access vlan
  switchport voice vlan
  I am not sure about support of voice/aux vlan in 4003. We will have check your other switch models/ software versions to determine support for this command.