SGE2000 / SRW208G VLAN questions

So we've got a few SGE2000P's and several more SRW208G's, and it was decided to use a GSM7312 for the core L3 functionality (price was one of the top issues to be taken into consideration; we couldn't find anything else suitable for our feature needs in that range). We just got the GSM7312; before it the entire network was flat.
We are going to have multiple VLANs that need to communicate with a few shared resources on one particular VLAN. The one particular VLAN mentioned will have, amongst other things, the DC (doing DNS/DHCP) and our RAS box which is also doing all web filtering, the RAS box is connected directly to our T-carrier line.
As of right now, everything is in 1 VLAN pointing to the RAS box as its gateway. Right now all SGE/SRW switches are also pointing to the RAS box as their gateway.
So now that we have L3 functionality in place and can assign IPs to VLANs, am I correct in saying that all SGEs and SRWs should point to the GSM as their default gateway, while the GSM only is pointing to the RAS box as its gateway?
What about pushing DHCP from the DC in 1 VLAN to all the others? I see that both the SGE and the GSM support DHCP relaying; is that what I need to be using? Something doesn't seem right about that to me... For example, let's say I have the DC in VLAN 200 (192.168.2.0/24), and clients in both VLAN 300 (192.168.3.0/24) and 400 (192.168.4.0/24). If the switch relays a DHCP broadcast request to the DC, how is the DC going to know from which scope/pool to give the address? The server would be blind to the fact that the request was relayed at all, much less would it know it was relayed from a node in VLAN 400.
There are a few resolutions in my mind to this problem, but I'm not sure I am barking up any of the right trees.
One thought would be to set specific reservations for DHCP leases by MAC address in the server's DHCP pools (assuming that the destination MAC isn't changed when the switch relays it... I didn't even consider that at all until I just typed this).
Another thought would be to multihome the server and place it into every single VLAN, just to serve DHCP addresses.
Another thought would be to buy an 802.1q capable NIC for the server and trunk all VLANs to it.
These last two kind of seem to defeat some of the purpose of VLAN'ing the network because I've once again placed at least 1 server into every layer 2 broadcast domain.
Someone please tell me what simple thing I am overlooking.

Both SGE and SRW switches are layer 2 switches. You use them to create and extend VLANs. For any interconnection you have to use layer 3 functions/routing in the GSM.
The GSM will have an IP address in each VLAN, e.g. VLAN 1 192.168.1.254, VLAN 200 192.168.2.254, VLAN 300 192.168.3.254, etc. The GSM will do the routing between all VLANs. If you want to limit the traffic between VLANs you have to set up filters on the GSM to filter out anything not allowed.
If you want to use your DC for DHCP you configure the DHCP relay function on the GSM and point it to the IP address of the DC. You have to set up several DHCP IP address pools on the DC, one for each VLAN, e.g. one pool with 192.168.2.* addresses for VLAN 200. The DHCP relay in the GSM will add its relay address into the DHCP request; for instance the DC on VLAN 1 would receive a DHCP request via 192.168.2.254 (i.e. the DHCP request will be modified by the relay). Using the relay address the DC is able to identify the address pool to use for assignment. Creating fixed leases for specific MAC addresses won't change a thing in this respect. The lease is only valid if the request came through the corresponding relay IP address...
If you put your internet gateway/RAS box into VLAN 1 and the GSM is the main L3 router, then the default gateway for each VLAN 100,200, etc. would be the GSM address in that VLAN, i.e. default gateway in VLAN 200 would be 192.168.2.254 if that's that IP address of the GSM in VLAN 200. The default gateway on the GSM itself would be the RAS box inside VLAN 1, i.e. any traffic which is not routed into any of the connected VLANs would be sent to the RAS box.
Multi-homing can be a good idea if bandwidth is an issue. Without multi-homing any server traffic will be routed through the GSM. (The internet traffic as well, but I guess you won't have a gigabit internet connection, thus it won't create a bottleneck here.) With multi-homing the server and the internet gateway are accessible directly in each VLAN. Using an 802.1q NIC would be a good idea to implement this. If you have multiple NICs that support 802.1q and teaming you could even bundle multiple NICs on the server to increase bandwidth to the server.
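The relay/giaddr mechanism the answer describes, as an added example that is not part of the thread or any vendor's code: a minimal BOOTP header is built, a relay agent fills in giaddr with the address of the interface the broadcast arrived on, and the server picks the scope from giaddr. The GSM addresses follow the thread; the DC address 192.168.2.10, the scopes' next free addresses and the MAC reservation are constructed assumptions.

```python
import ipaddress
import struct

# Constructed topology for this example, following the thread's addressing:
# the GSM owns .254 in each client VLAN and acts as DHCP relay; the DC sits in
# VLAN 200 at 192.168.2.10 (assumed address) and holds one scope per VLAN.
RELAY_ADDRESS_BY_VLAN = {
    200: ipaddress.ip_address("192.168.2.254"),
    300: ipaddress.ip_address("192.168.3.254"),
    400: ipaddress.ip_address("192.168.4.254"),
}
DC_INTERFACE = ipaddress.ip_address("192.168.2.10")
# Each scope maps to the next free address it would hand out (constructed).
SCOPES = {
    ipaddress.ip_network("192.168.2.0/24"): ipaddress.ip_address("192.168.2.100"),
    ipaddress.ip_network("192.168.3.0/24"): ipaddress.ip_address("192.168.3.100"),
    ipaddress.ip_network("192.168.4.0/24"): ipaddress.ip_address("192.168.4.100"),
}
# One MAC reservation living in the VLAN 400 scope (constructed MAC).
RESERVATIONS = {bytes.fromhex("001122334455"): ipaddress.ip_address("192.168.4.50")}

# Fixed part of the BOOTP header (RFC 2131): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr.  Options are omitted here.
BOOTP = "!BBBBIHH4s4s4s4s16s"
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr")
ZERO4 = b"\0" * 4


def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: giaddr 0.0.0.0, hops 0."""
    return struct.pack(BOOTP, 1, 1, 6, 0, xid, 0, 0x8000,
                       ZERO4, ZERO4, ZERO4, ZERO4, client_mac.ljust(16, b"\0"))


def parse(packet: bytes) -> dict:
    return dict(zip(FIELDS, struct.unpack(BOOTP, packet[:struct.calcsize(BOOTP)])))


def relay(packet: bytes, ingress_vlan: int) -> bytes:
    """Relay agent behaviour (RFC 2131 section 4.3.1): put the address of the
    interface the broadcast arrived on into giaddr, unless an earlier relay
    already did, and increment hops; the packet is then unicast to the server."""
    f = parse(packet)
    if f["giaddr"] == ZERO4:
        f["giaddr"] = RELAY_ADDRESS_BY_VLAN[ingress_vlan].packed
    f["hops"] += 1
    return struct.pack(BOOTP, *(f[name] for name in FIELDS))


def select_scope(packet: bytes):
    """The server keys scope selection on giaddr; a zero giaddr means the
    request arrived on the server's own segment, so its own address is used."""
    giaddr = ipaddress.ip_address(parse(packet)["giaddr"])
    anchor = DC_INTERFACE if giaddr == ipaddress.ip_address("0.0.0.0") else giaddr
    for network in SCOPES:
        if anchor in network:
            return network
    return None  # no scope for that relay address: the server drops the request


def offer(packet: bytes):
    """Address the DC would place in yiaddr of its DHCPOFFER, or None."""
    scope = select_scope(packet)
    if scope is None:
        return None
    mac = parse(packet)["chaddr"][:6]
    reserved = RESERVATIONS.get(mac)
    # A reservation is honoured only inside the scope the relay address picked;
    # the same MAC arriving through another VLAN's relay gets that VLAN's pool.
    if reserved is not None and reserved in scope:
        return reserved
    return SCOPES[scope]


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("0a0b0c0d0e0f"))
    for vlan in (300, 400):
        relayed = relay(discover, vlan)
        giaddr = ipaddress.ip_address(parse(relayed)["giaddr"])
        print(f"VLAN {vlan}: giaddr={giaddr} -> offered {offer(relayed)}")
    print("directly on VLAN 200 ->", offer(discover))
```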

Similar Messages

  • SGE2000 / SRW208G VLAN question

    Greetings,
    Two questions:
    I've set a VLAN and things appear to be working right, but I just want to be sure this is how it's supposed to work.
    The SGE's come standard with VLAN 100 default, and, of course, management set to 100.
    The SRW's, however, come standard with VLAN 1 default, and, of course, management set to 1.
    I wanted to make everything 'default' for the same # VLAN, be it 100 or 1, I didn't care, but apparently this isn't possible. So instead, I left them as they were. I've configured both with a new VLAN for voice traffic, let's call it 200.
    On the SRW208G only 1 port is an untagged member of VLAN 200, in access mode. Ports 2-8 are left as untagged members of VLAN 1, in access mode. The G1 port is set to be an untagged member of VLAN 1, a tagged member of VLAN 200, in trunk mode, with a PVID of 1.
    It is connected to port G1 on the SGE 2000.
    On the SGE2000, port G1 is set up as a tagged member of VLAN 200, untagged member of 100, in trunk mode, with a PVID of 100.
    So here is my question... the packets that leave the SRW208G on the G1 trunk are either only going to be tagged as 200, or not tagged at all and left as completely standard Ethernet frames, correct? So, while they float around inside the SRW internally, they are assumed to be part of VLAN 1-- but, when they get to port G1 on the SGE2000, it (the SGE) will see that they aren't tagged, and it (the SGE) will assume that since they are untagged they are part of VLAN 100, correct?
    The data seems to be segmented properly when I watch it with tcpdump, I just want to be sure this is how it is intended to be set up before I roll anything out on the live network.
    My second question is, what kind of functionality can I expect if I put the SGE2000 in layer 3 mode? Like, would I be able to route traffic between VLANs from the SGE2000 if one were in Layer 3, and other SGE2000's and SRW208's in layer 2?
    Thanks ahead of time~

    For the SRW switches, I believe it should be set to "general" rather than "trunk". In general mode:
    Accept all types of VLANs, tagged and untagged based on user configuration, in and out.
    Accepts tagged or untagged packets on ALL user-defined VLANs except VLAN 1; VLAN 1 will only accept untagged traffic.
    For the SGE switches, I have a link that may help set the VLAN settings:  
    http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=15389&p_created=1186... 
    I suggest contacting Cisco Tech support to further look into your concern. I believe this unit belongs to the business series devices that Cisco is now supporting. Try to go to this link for the other business series devices and the site where you can get hold of Cisco for support:
    http://forums.linksysbycisco.com/linksys/board/message?board.id=Switches&message.id=4273&query.id=27...

  • The old native vlan question....

    Topic came up during troubleshooting a 3524XL sw.
    I think my understanding of the native vlan concept is wrong.
    I thought on a trunk port (Cisco device) that any packet traversing a trunk link (dot1q trunk, that is) has a vlan tag applied on the egress port.  As an untagged packet arrives on the port (prior to being sent out over the trunk), it is tagged with the native vlan (if it's not associated with any other vlan), then sent out (egress) the trunked port.
    But lately I have been reading that
    "A native vlan is the untagged vlan on an 802.1q trunked switchport. The native vlan and management vlan could be the same, but it is better security practice that they aren't. Basically if a switch receives untagged frames on a trunkport, they are assumed to be part of the vlan that is designated on the switchport as the native vlan. Frames egressing a switchport on the native vlan are not tagged. This is the definition; however, more recent switch software often will allow you to tag all of the frames, even those in the native vlan. This gives some added security and allows the CoS bits to be carried between switches even on the native vlan. Let me know if you need further clarification."
    From : https://learningnetwork.cisco.com/thread/8721
    So this tells me that you can have a packet traversing a dot1q link w/o a vlan tag... then when it arrives on the other end it's put in the vlan that is the native vlan on that port.  Is this correct?
    If so, and a packet can traverse a trunk link w/o a VLAN tag applied, how does a sw detect (ingress) a native vlan mismatch?
    Thanks!

    Hi,
    It's correct: the native vlan is not tagged by default on the trunk link, but some platforms let you tag all traffic, even the native vlan.
    The native vlan mismatch is detected through cdp.
    Regards.
    Alain.
    Don't forget to rate helpful posts.
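The tag/untag behaviour asked about in the SGE2000/SRW208G question above and in the native vlan thread, as an added example that is neither poster's code nor any switch's firmware: each port is modelled by its PVID and its untagged/tagged memberships, a frame is sent across the SRW G1 to SGE G1 trunk, and the receiving side classifies it. The port settings are the ones given in the question; the MACs and payload are constructed, and the mismatch check compares PVIDs directly in place of the CDP exchange the reply mentions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag


class Port:
    """802.1Q membership of one switch port: the VLANs it sends untagged, the
    VLANs it sends tagged, and the PVID it assigns to untagged ingress frames.
    Constructed model of the SRW/SGE port settings described in the thread."""

    def __init__(self, name, pvid, untagged=(), tagged=()):
        self.name = name
        self.pvid = pvid
        self.untagged = set(untagged)
        self.tagged = set(tagged)

    def egress(self, vid, frame):
        """Frame as it leaves this port: untagged for the port's untagged (native)
        VLANs, tagged for its tagged VLANs, None if the port is not a member."""
        if vid in self.untagged:
            return frame
        if vid in self.tagged:
            tag = struct.pack("!HH", TPID_8021Q, vid)  # PCP/DEI bits left at 0
            return frame[:12] + tag + frame[12:]
        return None

    def ingress(self, frame):
        """Classify an arriving frame: (vid, frame with the tag stripped).  A
        frame with no tag is assumed to belong to the PVID; a tagged frame for a
        VLAN this port is not a member of is dropped (None)."""
        tpid = struct.unpack("!H", frame[12:14])[0]
        if tpid != TPID_8021Q:
            return self.pvid, frame
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF
        if vid not in self.untagged and vid not in self.tagged:
            return None
        return vid, frame[:12] + frame[16:]


def ethernet_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def cross_trunk(sender, receiver, vid, frame):
    """Send a frame of VLAN `vid` out `sender` and classify it on `receiver`."""
    on_wire = sender.egress(vid, frame)
    if on_wire is None:
        return None
    return receiver.ingress(on_wire)


def native_vlan_mismatch(a, b):
    """CDP advertises each end's native VLAN in a TLV, which is how a Cisco
    switch notices a mismatch; here the comparison is done on the PVIDs."""
    return a.pvid != b.pvid


# The two trunk ports from the question: SRW208G G1 (PVID 1, VLAN 1 untagged,
# VLAN 200 tagged) wired to SGE2000 G1 (PVID 100, VLAN 100 untagged, VLAN 200 tagged).
SRW_G1 = Port("SRW208G G1", pvid=1, untagged={1}, tagged={200})
SGE_G1 = Port("SGE2000 G1", pvid=100, untagged={100}, tagged={200})

if __name__ == "__main__":
    frame = ethernet_frame(b"\xff" * 6, bytes.fromhex("0a0b0c0d0e0f"), 0x0800, b"constructed")
    for vid in (200, 1):
        seen = cross_trunk(SRW_G1, SGE_G1, vid, frame)
        print(f"VLAN {vid} on the SRW -> classified as VLAN {seen[0]} on the SGE")
    print("native VLAN mismatch:", native_vlan_mismatch(SRW_G1, SGE_G1))
```

VLAN 200 survives the trunk because it is tagged; VLAN 1 leaves the SRW untagged and is re-labelled VLAN 100 by the SGE's PVID, which is exactly the native VLAN mismatch the two threads discuss.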

  • SG300-10 VLAN Questions

    My apologies if this has been asked before, but I have some questions regarding the setup of my new switch and network. I have never worked with switches before, so this is quite a learning experience. The picture above describes the current layout of my network. Here is how I have tried to set it up, so far.
    VLAN 1 [Ports 1-4, Untagged, Trunk] (172.16.1.1/24)
        Workstation A (Wired)    172.16.1.2/24
        Server B (Wired)         172.16.1.3/24
    VLAN 2 [Ports 5-8, Untagged, Trunk] (172.16.2.1/24)
        Server C (Wired)         172.16.2.2/24
        Server D (Wired)         172.16.2.3/24
        Server E (Wired)         172.16.2.4/24
        Server F (Wired)         172.16.2.5/24
    VLAN 3 [Ports 9-10, Untagged, Trunk] (192.168.1.1/24)
        Laptop G (Wireless)      DHCP via Router
        Laptop H (Wireless)      DHCP via Router
        Laptop I (Wireless)      DHCP via Router
        Wireless Router          192.168.1.254/24
    Now, my goal is to have all 3 VLANs be able to talk to each other but also have VLAN 1 access the internet, through the wireless router. In the future I would also like Server B to be able to expose services (http & ssh) to the outside. VLAN 2 shouldn't have internet access at all. I know I can add static routes to the wireless router, if need be. All three laptops, can access the internet through the wireless router, without any problems.
    So my questions are:
    1) Is there anything inherently wrong with the design of this network? If so, what could be changed?
    2) Is VLAN 3 really necessary?
    3) What would I need to do, to get the 3 VLANs communicating with each other?
    4) What should the gateway be, to get VLAN 1 internet access?
    5) What would I need to do, to expose Server B services to the outside?
    6) What static routes do I need to add?
    Thanks in advance!
       Jer

    Hello Jeremy,
    Thank you for your interest and patience.
    You are on the right track here. However, several important changes must be made. Consider the following concepts:
    The concept of a native VLAN: the link between the router and the switch must be part of VLAN 1. Otherwise, information from the router will not be distributed correctly on the switch due to the current PVID of 3.
    The VLAN IP Interface (VLAN IP Address) identifies the subnet for the VLAN. Therefore, thinking of the switch as a router, you are correct that the default gateway for each client should be the respective VLAN interface on the switch. The switch will automatically route between directly connected IP Interfaces and their subnets.
    However, in order for your clients to get to a network that the switch doesn't know about (the internet), there must be a default route to the router.
    Additionally, in order for the router to forward information from the internet back to the VLANs on the switch, the router must know how to reach the different VLANs.
    The following linked figure (Fig. 1) describes an appropriate sample setup. See here.
    In this scenario, a SG300-10 is configured with 3 VLANs:
    VLAN 1 - Default VLAN, used for management - 192.168.1.x/24 - Ports 9-10 - 1U - Trunk Mode
    VLAN 2 - Servers - 192.168.2.x/24 - Ports 5-8 - 2U - Trunk Mode
    VLAN 3 - Workstations - 192.168.3.x/24 - Ports 1-4 - 3U - Trunk Mode
    VLAN 1 is used to communicate to the router. Therefore, the following default route must be added to the switch's configuration:
        ip route 0.0.0.0 0.0.0.0 192.168.1.1
    The switch will automatically build the routes between the VLANs local to the switch. Visualize Server C going to google.com. Its IP address is 192.168.2.2. Its default gateway should be the VLAN 2 IP Interface on the switch (192.168.2.254 in this example). Because the default route is configured, the switch will forward the internet request to the router. The router will then forward the request to your ISP out the WAN where it will eventually reach Google.
    However, when the request comes back into the router, the router must know to route it to the 192.168.2.x subnet. So, in order for this to work, routes that accomplish the following must be configured on your router:
        Subnet IP        Mask             Gateway                                 Interface
        192.168.2.1      255.255.255.0    192.168.1.254 (SG-300 IP Interface)     LAN
        192.168.3.1      255.255.255.0    192.168.1.254 (SG-300 IP Interface)     LAN
    As you have already discovered, there are several limitations to using a router that does not support 802.1Q tagging. Chiefly, your clients will not receive either DHCP or DNS automatically from the router. To mitigate this, you can do either of the following:
    Run a DHCP server with multiple DHCP scopes on a device connected to your switch. You can then use Option 82 on the switch to route DHCP requests and DNS info between VLANs on the switch.
    Statically configure IP and DNS information. You could enter Open DNS Servers or Google's DNS servers on your clients.
    Ideally, you would want to use a router that supports 802.1Q tagging. In this figure here (Fig. 2), you can see the VLAN configuration page for a Cisco RV180W, a very capable and affordable small business router that I highly recommend. Port 1 on the RV180W is configured as a trunk port and carries VLANs 1-3 to the switch. The clients automatically receive IP addresses and DNS information from the correct DHCP pool on the router.
    Do not hesitate to contact us. We are always happy to help.
    All the best,
    -David Aguilar
    Cisco Small Business Support Center
    1-866-606-1866
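The routing part of the answer above, as an added example that is not the SG300's or the router's own code: a longest-prefix-match table for the switch (three VLAN interfaces plus the default route) and for the router before and after the two return routes are added, with a check that lists which switch subnets the router would still send the wrong way. The subnets and the 192.168.1.254 switch address follow the answer; the ISP next hop 203.0.113.1 and the internet destination 198.51.100.10 are constructed documentation addresses.

```python
import ipaddress


class RouteTable:
    """Longest-prefix-match forwarding table.  Each route is (prefix, next hop
    or None when directly connected, interface).  Constructed model only."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(prefix),
                        None if gw is None else ipaddress.ip_address(gw), iface)
                       for prefix, gw, iface in routes]

    def connected(self):
        return [prefix for prefix, gw, _ in self.routes if gw is None]

    def next_hop(self, dst):
        """(gateway as str or None if connected, interface) for the most
        specific matching route, or None when nothing matches."""
        dst = ipaddress.ip_address(dst)
        best = None
        for prefix, gw, iface in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, gw, iface)
        if best is None:
            return None
        return (None if best[1] is None else str(best[1])), best[2]


# Layer 3 switch from the answer: three VLAN interfaces plus
# "ip route 0.0.0.0 0.0.0.0 192.168.1.1" pointing at the router.
SG300 = RouteTable("SG300", [
    ("192.168.1.0/24", None, "vlan1"),
    ("192.168.2.0/24", None, "vlan2"),
    ("192.168.3.0/24", None, "vlan3"),
    ("0.0.0.0/0", "192.168.1.1", "vlan1"),
])

# Router as delivered: it knows only its LAN subnet and its WAN default.
ROUTER_ROUTES = [
    ("192.168.1.0/24", None, "LAN"),
    ("0.0.0.0/0", "203.0.113.1", "WAN"),  # constructed ISP next hop
]
ROUTER_BEFORE = RouteTable("router", ROUTER_ROUTES)
# Router with the two return routes the answer's table calls for, via the
# switch's VLAN 1 interface.
ROUTER_AFTER = RouteTable("router", ROUTER_ROUTES + [
    ("192.168.2.0/24", "192.168.1.254", "LAN"),
    ("192.168.3.0/24", "192.168.1.254", "LAN"),
])


def missing_return_routes(router, l3_switch, switch_uplink_ip):
    """Subnets connected to the switch for which the router's lookup neither
    lands on a directly connected interface nor points back at the switch."""
    missing = []
    for prefix in l3_switch.connected():
        hop = router.next_hop(prefix.network_address + 1)
        if hop is not None and hop[0] is None:
            continue  # router is itself connected to this subnet
        if hop is None or hop[0] != switch_uplink_ip:
            missing.append(str(prefix))
    return missing


if __name__ == "__main__":
    print("Server C -> internet, on the switch:", SG300.next_hop("198.51.100.10"))
    print("reply to Server C, router before:", ROUTER_BEFORE.next_hop("192.168.2.2"))
    print("reply to Server C, router after: ", ROUTER_AFTER.next_hop("192.168.2.2"))
    print("still missing:", missing_return_routes(ROUTER_BEFORE, SG300, "192.168.1.254"))
```

Without the return routes the router matches the reply for 192.168.2.2 against its default route and sends it out the WAN, so the switch's default route alone is not enough.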

  • SGE2000 - Dynamic VLAN assignment

    Is it possible to assign VLANs on an SGE2000 using RADIUS?  So far I have been unable to get it to work.  The user authenticates (802.1x), but the switch seems to be ignoring the VLAN assignment.  Any thoughts?

    Is this implementation part of a wireless deployment? The only reason I can think this would be necessary is for a WLC to assign vlan information on the fly. If users are attached directly to the LAN it would seem more likely you would just assign their vlan to that port. You could make every port a trunk port, so when they authenticate, the switchport will know how to talk with their vlan, but that still would not work (since PCs don't understand vlan tags) and you would open your network to major security issues.
    If it is part of a wireless deployment, check this out:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    I know it does not deal specifically with the SGE model, but if this is your setup then the switching infrastructure is the least of your worries.
    Bill

  • A very odd VLAN question -please help

    Hi,
    We have two subnets 10.1.1.0 and 10.1.2.0 and these subnets are physically separated. We also have two VLANs, VLAN 2 and 3; please think of the VLAN 2 as the default VLAN 1. Strange, it has been like this since I took over. There is no trunking between these two VLANs. 10.1.1.0 is the main network and all the servers and users are on it, and 10.1.2.0 is a Dev environment and some development servers are on it.
    I have given an IP address from the main subnet, i.e. 10.1.1.0, to a switch which is used for the Dev environment on its SC0 and have assigned it to VLAN 2, but the rest of the 10.1.2.0, i.e. the Dev environment, is on VLAN 3. From the main network I cannot ping that IP address (naturally) and I don't know how to build on what we currently have without making major changes and build over time as transparently as possible.
    I am sorry for this very long explanation.
    I guess I need to know if I can make trunking between these two VLANs, i.e. VLAN 2 (main 10.1.1.0) and VLAN 3 (Dev environment 10.1.2.0) without needing a router? Or if I need a router, how? So that I can build upon it over time.
    Well, I have given an IP address from the main subnet from VLAN 2 to a switch which is for VLAN 3 or the Dev environment!!! I really didn't know how to do this in order to make it as transparent as possible to others since I am not in charge of the AD and the servers.
    Please forgive me for my somehow vague explanation and I hope I could have made a question.
    Thanks,
    Masood

    Hi and thanks for responding. Almost all my switches are L2/L3 Cisco CAT switches with two 3560 at the edge with knowledge of the public network located between my two border routers and my Firewalls. My main switch is a Cisco CAT 4510 R which is a layer 2 and 3 switch with Cisco IOS, and a few 3550s and 3512s around. I also have two CAT 4006s with CAT OS but these aren't my current concern as I know that I need to either use one of these switches or a router to route between my VLANs. I do have a Cisco Router, a 2621, as my main router; its fa 0/1 is used for my two main subnets (servers, devices, and users are on these two subnets 10.1.1.0 and 10.1.4.0) and the DHCP server is giving out IPs out of these two private subnets. The other interface on this router, fa0/0, is used for 10.1.2.0 which is a totally isolated subnet with a bunch of servers on it called Dev Environment. The AD guys want it this way.
    Ok, now, when I took over this network I realized that those people who were looking after this network had created two VLANs, VLAN 2 (acting as the default VLAN 1 actually and used for management of devices too) and VLAN 3 (VLAN 3 is for 10.1.2.0, i.e. the Dev Environment), so basically all of my devices, servers and users are on VLAN 2!!! and no trunking.....
    I have provided a Diag of my network topology.
    What I need to do is to find the best way to create a few more VLANs on my main network (10.1.1.0 and 10.1.4.0) and put all the servers on one VLAN, say VLAN 2, and a few other segments and then start to route between them by trunking. My problem is that the AD guys do not want to get involved and do not want (one of them my boss) to do IP renumbering, so I need to do this at L2 (by MAC address maybe) and then use the router (or I can upgrade my main router to provide more interfaces with more mem and processing power) and use it to route between VLANs. This router is also used to connect us to a remote office where we have our Web Servers hosted via a T1 point-to-point, as we are an online business, so I need to be very careful with this mission and have all the servers and web Servers at this location and my remote location (10.5.1.0) on the same VLAN and then users on different VLANs by segmenting departments.
    Now, you see my dilemma and the challenge that I am facing. How can this be done slowly and gradually? First adding one more VLAN, putting all the servers on it (also, back interfaces and clustering of servers in mind) and users on another, then start trunking and see how it works. If all goes well then I can start creating more VLANs and that would be the easy part, and point them to the trunk Interface / Link.
    Your thoughts will be greatly appreciated.
    Thx,
    Masood

  • Vlan & Inter Vlan question

    Here is my network layout:
    I have a cable modem connecting to a Linksys WRT54GL (DD-WRT) router. Port 1 on the WRT54GL is connected to port 01 on the SG300-10 switch.
    On the SG300-10 I've created two VLANs (VLAN 30 & VLAN 40). I assigned ports 3 & 4 on the SG300-10 to VLAN 30 and ports 5 & 6 to VLAN 40. VLAN 30 has the IP address 10.10.30.1 and VLAN 40 has an address of 10.10.40.1. The default VLAN (VLAN 1) has an address of 10.10.20.2. The default gateway (WRT54GL router) has an address of 10.10.20.1. I have also enabled DHCP relay on the switch and entered the command "ip routing". My question is, on either VLAN, if I wanted to set up static addresses for clients, would I use the 10.10.20.1 (WRT54GL) address as the default gateway? Also, what additional configuration do I need to make for the VLANs to be able to talk to each other and be able to access the internet?
    Thanks,

    Van,
    Thanks for the reply. The SG300-10 is in layer 3 mode. I have configured the DHCP server accordingly. Here is my setup:
                       cable modem
                              |
                              |
                       linksys wrt54gl (10.10.20.1)
                              |
                              |
                       sg300-10  Vlan1=  10.10.20.2 (manage)
                                      Vlan30= 10.10.30.0 /24 (GW= 10.10.30.1)
                                      Vlan40= 10.10.40.0 /24 (GW= 10.10.40.1)
    You said that for inter-VLAN routing to work I need to set the clients' GW to the switch. Would that be the VLAN's gateway for clients in each VLAN? For example, if a client was in VLAN 30 their GW would be 10.10.30.1?
    The clients are not able to access the internet from the VLAN. How would I configure the static route on the switch for the VLANs to be able to access the internet? Would this work:  ip route 0.0.0.0 0.0.0.0 10.10.20.1?

  • Private vlan question

    I am replacing a standard set of switches with ones that can support PVLANs. All our switches currently have their IP address on VLAN 1 and that is the subnet on which the default gateway resides. The second switch acts as a redundant switch and will need the same VLANs as the primary. Currently they are etherchanneled together. I want to set up a single private VLAN with one isolated VLAN and several community VLANs. My question is, where do I put the IP address? Do I still set up a VLAN 1 interface as I have done all along? Or do I put the address on the primary private VLAN? And I assume I will need to set up a trunk between the two switches, vs. etherchannel?

    Private VLANs provide Layer 2 isolation between ports within the same private VLAN. There are three types of private VLAN ports:
    •Promiscuous—A promiscuous port can communicate with all interfaces, including the community and isolated ports within a private VLAN.
    •Isolated—An isolated port has complete Layer 2 separation from other ports within the same private VLAN except for the promiscuous port. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
    •Community—Community ports communicate among themselves and with their promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities or isolated ports within their private VLAN.
    PVLANs are also known as secondary VLANs; they are always associated to primary VLANs so they can communicate to other devices outside their subnet through the default gateway. The management IP address (or sc0 if it's CatOS) will always be in the primary VLAN, or if native IOS and it's an interface vlan, it will always be the primary VLAN. So, to answer your question, the management IP address will be in the primary VLAN.
    You cannot use the inband port, sc0, in a private VLAN.
    Note: With software release 6.3(1) and later releases, you can configure the sc0 port as a private VLAN port; however, you cannot configure the sc0 port as a promiscuous port.

  • IPS VLAN question

    I am configuring an IPS 4260 in promiscuous mode, and have a question about VLAN assignment.  Does the sensing interface need to be in the same VLAN as the switchport you are spanning?  Also, does this port need to be a trunk?
    Also If you want to log traffic only and not issue resets, do you just leave the default or do I need to switch anything off?
    Thanks in advance!

    Hi Networker99,
    As long as you aren't using the "encapsulate replicate" command on the SPAN session sending the traffic to the sensor, the traffic will be copied without VLAN tagging information and no additional configuration on the IDS side should be necessary.
    If you want to prevent TCP resets you should either designate an unused port as an alternate TCP reset interface for the promiscuous sensing interface or, alternatively, create a simple Event Action Filter to remove the "TCP Reset" action from all signatures on the sensor.
    Best Regards,
    Justin

  • VTP Vlan question

    Dear,
    This question has been bugging my mind lately, say you configure a switch to put it inside a VTP domain. Let's say the access vlan has to be 8 and voice 10.
    If you preconfigure the ports, the switch will auto-create the VLAN locally on the switch, but when you put it in a VTP domain as a client, will it override the VLANs you created?
    Since if you already made the ports a member of VLAN 8, and VLAN 8 also exists in the VTP domain you will insert the switch in, will it just override your switch settings?
    Kr,

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    I believe VTP won't override the actual port VLAN setting, but it should override the switch's previously defined VLANs.
    In your example, the ports in VLAN 8 would still be in VLAN 8 as it's also defined to the VTP domain, but suppose VLAN 8 wasn't.  In that case, your VLAN 8 ports wouldn't extend across any trunks, and they might no longer function as a VLAN within the switch itself.

  • RV180 VLAN Question

    My plan is to use VLAN1 for the internal private network and VLAN2 for free public wifi. My question is can I use a PC on VLAN1 to configure/manage my access points? There are no dedicated PCs on VLAN2.

    Hi Terp,
    I just finished setting up my RV180 with 2 VLANs: VLAN1 and VLAN5. VLAN1 is the management or default VLAN; while VLAN5 is my wireless guest VLAN.
    My VLAN1 is 192.168.1.1. I have set all of the gateway settings according to our company's outside provider (phone and internet). The DNS settings are completed for both primary and secondary servers.
    VLAN1 is where all our data files and office specific stuff is located. VLAN1 can access servers, users, and internet.
    Under Networking>Multiple VLAN Subnets>
    The DHCP Server for VLAN1 is set to NONE.
    My VLAN5 is on ip address range 10.0.0.100-254/255.0.0.0. I have the DHCP Server set for this VLAN.
    I did this so I did not get confused when checking ipconfigs, and now my free wifi users are clearly identified.
    I am using a Cisco WAP321 as my access point. I have this hard wired to port 4 of my router. I do have a managed switch, but it is only on VLAN1 and therefore does not enter the equation.
    I use a static ip address for my WAP in the 192.168.1.xx range. IPv4 Network Settings
    Under Wireless>Networks I made sure I have both VLANs with the same names, and for VLAN1 I use the same security key as on the router.
    Also I have Enabled Untagged VLAN on VLAN1 and Management on VLAN1.
    I have DNS proxy enabled, BUT because this unit has a static ip address, I have to set my DNS server settings! This kept my guests from getting internet access for a few days. DON'T FORGET THIS
    Anyway, everything works perfectly now.
    Hope this helps.
    Kaigh Taylor

  • 3550 Switch -Fiber interface VLAN question

    Hello,
    I will be deploying two Cisco 3550 Switches and connecting them via an ordinary multimode fiber with GBIC 1000BASE-SX transceivers installed on each switch. Here is my question: I will be configuring about half of the ports on each of the switches to be in one of two VLANs. I would like to configure the two vlans to run over the single fiber line. Is it possible to configure one fiber port, with the GBIC 1000BASE-SX transceiver installed, with two vlans and/or subinterfaces each with half of the 1000mb of bandwidth, or will I need to run an additional fiber line connected to the second fiber interface on the 3550 to accomplish this? I really hope not to as I don't have the funds to run a second line at this time. If this configuration is possible could someone please point me to documentation on how to configure this and/or give some advice. Thank you.
    Regards,
    JPS

    Just set up the link as a trunk; this allows you to send as many vlans across that link as you want. On each side just do the following:
        switchport
        switchport trunk encapsulation dot1q
        switchport mode dynamic desirable
    Verify trunk status with the "show int trunk" command.
    More info at http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00803a9af5.html#wp1200245

  • Wireless VLAN question

    I have two SSIDs on my Cisco 1242 APs.
    On one of the SSIDs i have clients that will constantly broadcast data (required).
    Will the broadcast traffic reach my other SSID? If so, is there a way to avoid it?
    Will creating a separate wireless VLAN on my AP and assigning it to that SSID contain broadcast traffic so it does not flood my other SSID?
    Thank you.

    Broadcast is allowed on the same subnet, so yes, broadcast will affect everyone in that subnet. Creating multiple subnets is what allows you to control the broadcast. Here is a link for autonomous APs for creating multiple VLANs.
    https://supportforums.cisco.com/docs/DOC-14496

  • SF300 Daisy Chain VLAN Question

    OK, this is a complicated setup, and myself and my fellow IT staff have been beating our heads on a wall trying to get this to work, at this point we do not even know if we have this configured right, so any input on this would be most appreciated.
    We are in the process of adding some new buildings to our network via some AirMax wireless bridges.  On either end of the bridges will be a series of SF300 switches.
    For clarification, here is how our setup will go equipment wise....
    Cisco 3550 Switch -> SF300-08 Switch -> Airmax Bridge ---------- AirMax Bridge -> SF300-08 -> SF300-24
    The 3550 is "inside" our corporate network, from the first SF300-08 to the 2nd SF300-08 will be "outside" our network, and the final SF300-24 will be consiered "inside" our network.
    For all intents and purposes, we are trying to build this out correctly without the AirMax bridges in place at the start since they are just a bridge and should function as a cable once in place.  Since the segment from one SF300-08 to the other will be considered external equipment, we need to have the feed from the 3550 to the SF300-24 as an isolated VLAN through this chain to be able to give the remote office network access.  We want the SF300-24 to think that it is basically trunked directly into the 3550 once all is said with all our internal VLANS available at the opposite end.
    Right now, based on documentation and things we have read in various forums, we have it currently setup as follows :
                       IN                                                                         OUT
    1)                                                                                  3550 dot1q Trunk
    2)  SF300-08 Customer QinQ Trunk (vlan 3000)                  SF300-08 Trunk (vlan 3000)
    3)  SF300-08 Trunk  (vlan 3000)                                      SF300-08 Customer QinQ Trunk (vlan 3000)
    4)  SF300-24 Trunk
    So, we are trunking the 3550 into the SF300 chain, passing the internal information over vlan 3000 while in transport, then coming out the other end on the SF300-24 trunk port.
    Is this in any way remotely correct for what we are trying to do?  I know that if we stuck with all 3550s throughout the chain that we would have some dot1q-tunnel ports configured for an easier setup, but from the limited knowledge I have on these 300 series switches they are not capable of being configured this way, and I may well be totally wrong in that.
    I will be happy to clarify more on certain parts if needed, but with so many pieces of equipment in this chain screenshotting everything would be a hellish mess.
    Any suggestions or input on this would be greatly helpful at this point.

    Check the MTUs of the AirMax bridges, lol... this made us beat our heads for way too long.
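The reply above points at frame size: each stacked 802.1Q tag adds 4 bytes, so a full-size frame carried inside the vlan 3000 QinQ tunnel is bigger than plain Ethernet allows. This is an added example, not code from the thread; it builds a double-tagged frame, walks the tag stack the way a switch would, and checks it against a constructed maximum frame size for an intermediate link (the bridge's real limit is an assumption here).

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID; the outer (S-)tag is assumed to use 0x8100 too
ETHERTYPE_IPV4 = 0x0800
FCS_LEN = 4               # trailing CRC that counts toward the on-wire frame size
MAX_UNTAGGED_FRAME = 1518  # classic Ethernet: 14 header + 1500 payload + 4 FCS


def vlan_tag(vid, pcp=0):
    """4-byte 802.1Q tag: TPID, then PCP(3)/DEI(1)/VID(12)."""
    return struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst, src, payload, outer_vid=None, inner_vid=None):
    """Untagged, single-tagged, or QinQ frame (outer tag first, then inner)."""
    tags = b""
    if outer_vid is not None:
        tags += vlan_tag(outer_vid)
    if inner_vid is not None:
        tags += vlan_tag(inner_vid)
    return dst + src + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """Return (list of VIDs outer-to-inner, ethertype after the last tag)."""
    offset, vids = 12, []
    while struct.unpack_from("!H", frame, offset)[0] == ETHERTYPE_VLAN:
        vids.append(struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF)
        offset += 4
    return vids, struct.unpack_from("!H", frame, offset)[0]


def wire_size(frame):
    """Bytes on the wire including the FCS."""
    return len(frame) + FCS_LEN


def exceeds_link_max(frame, link_max_frame=MAX_UNTAGGED_FRAME):
    """True when the frame is larger than the biggest frame the link accepts;
    a bridge left at the untagged default silently drops such frames."""
    return wire_size(frame) > link_max_frame


# Constructed sample: a full 1500-byte payload from internal VLAN 10,
# carried through the chain inside the customer-tunnel VLAN 3000.
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
QINQ_FRAME = build_frame(DST, SRC, b"\x00" * 1500, outer_vid=3000, inner_vid=10)
PLAIN_FRAME = build_frame(DST, SRC, b"\x00" * 1500)
```

The QinQ frame comes out at 1526 bytes on the wire against 1518 for the untagged one, which is why every hop in the chain, the bridges included, must accept at least 8 bytes of tag overhead.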

  • Yet another IAS + 802.1x dynamic vlan question

    Hello all,
    For the last 18 months or so there's been a steady stream of folks trying to get dynamic assignment of a VLAN to a user/group using Microsoft's IAS RADIUS.
    Having searched through the Netpro archives, I've never found a definitive explanation of how this is done.
    Sure, it's almost common knowledge by now that the three attributes 64 (Tunnel-Type=vlan), 65 (Tunnel-Medium=802) and 81 (Tunnel-Private-Group-ID=vlan name) need to be configured on the RADIUS server.
    Recently I discovered that IAS on Windows 2003 even includes the RADIUS "tunnel-tag" attribute, so even that can be included now (as =1).
    Still, having done this, and seeing a "debug radius" on a 2950 switch (with newest code) show that the tunnel-tag starts with "01" --- I STILL can't get this darn thing to work.
    Yes, it works for static 802.1x (no VLAN assignment) against an XP SP2 client.
    Yes, I included the "aaa authorization network default group radius" statement.
    If I configure a VLAN 5 named "Sales" --- nothing works. Not when I configure attribute 81=Sales in IAS, not when I configure "5" in IAS. Heck, I even used hex values --- till I got
    " Attribute 81 6 01000005 " in the debug,
    all sorts of permutations.
    Please Cisco, somebody --- help us out here.
    The fact of the matter is, though ACS is probably the best way to go (it does NAC & FAST), a lot of clients say "hey - I've got a perfectly good RADIUS server for FREE in Windows".
    Can anybody shed some light on this!

    Here are working IAS settings and switch config:
    Ignore-User-Dialin-Properties  4101  True
    Framed-Protocol                7     PPP
    Service-Type                   6     Framed
    Tunnel-Medium-Type             65    802
    Tunnel-Pvt-Group-ID            81    102
    Tunnel-Type                    64    VLAN
    Tunnel-Tag                     4170  1
    *Note that I have VLAN #, not VLAN name, on attribute 81
    aaa new-model
    aaa authentication dot1x default group radius none
    aaa authorization network default group radius none
    aaa accounting dot1x default start-stop group radius
    dot1x system-auth-control
    !
    interface FastEthernet0/1
     switchport access vlan 100
     switchport mode access
     dot1x port-control auto
     dot1x timeout reauth-period 300
     dot1x guest-vlan 997
     dot1x reauthentication
     spanning-tree portfast
